Privacy Policy

Effective Date: 13 April 2026
Last Updated: 13 April 2026

Lotform is a web-based product operated by PT PERARE TECHNOLOGIES INDONESIA (“Company,” “we,” “us,” or “our”). This Privacy Policy explains how we collect, use, store, disclose, and otherwise process personal data in connection with the Lotform website, related services, generated outputs, communications, and associated tools (collectively, the “Service”).

By accessing or using the Service, submitting information through the Service, or completing a transaction through the Service, you acknowledge that your personal data may be processed as described in this Privacy Policy, subject to applicable law.

1. Scope

This Privacy Policy applies to personal data processed in connection with:

visits to the Lotform website;
parcel search and pack generation requests;
transactions and payment-related flows;
communications with us;
analytics, diagnostics, and service improvement activities;
delivery of generated outputs by screen, email, or other supported methods.

This Privacy Policy does not govern third-party websites, products, or services that may be linked to or integrated with the Service, including payment providers, analytics providers, map or infrastructure services, email delivery services, and other third-party tools, each of which may be subject to its own terms and privacy practices.

2. Data Controller

The controller of personal data processed through the Service is:

PT PERARE TECHNOLOGIES INDONESIA
District 8 SCBD, Revenue Tower, Jl. Jend. Sudirman kav 52-53 No.Lot 13, Senayan, Kec. Kby. Baru, Kota Jakarta Selatan, Daerah Khusus Ibukota Jakarta 12190
Email: [email protected] or [email protected]

If the Service is operated, supported, or fulfilled in part by an affiliate, contractor, or service provider, such party will process data only as permitted under applicable arrangements and law.

3. Personal Data We May Collect

Depending on how you use the Service, we may collect and process the following categories of data:

A. Information you provide directly

email address;
name or contact details, if submitted;
billing or transaction-related information you provide during checkout;
customer support messages, inquiries, or other communications;
any content, coordinates, parcel references, or other information you choose to submit through the Service.

B. Service request and order data

coordinates, parcel-related inputs, map selections, or search parameters;
selected pack type, order details, timestamps, delivery status, and fulfillment records;
acceptance records relating to Privacy Policy, Terms and Conditions, or other legal notices;
user/session identifiers, order identifiers, and associated logs.

C. Payment and transaction data

Payments are processed through third-party payment providers, including Xendit, and we may receive limited payment-related data such as payment status, payment reference, payment method type, transaction amount, currency, fraud/risk indicators, and other metadata required to confirm, reconcile, investigate, or support the transaction. We do not represent that we store full payment card data unless expressly stated otherwise. Xendit processes certain data under its own privacy terms.

D. Technical, device, and usage data

IP address;
browser type, device type, operating system, language, and approximate technical environment;
log data, access times, referral URLs, clickstream data, and interaction events;
cookie, pixel, analytics, and similar identifiers;
crash reports, diagnostic data, and performance metrics.

E. Derived and operational data

We may generate internal records, delivery logs, anti-fraud signals, support notes, operational classifications, and other metadata derived from your use of the Service for security, compliance, service administration, business analytics, and product improvement.

4. Sources of Personal Data

We may collect personal data from:

you directly;
your device and browser when you access the Service;
payment providers and payment infrastructure;
analytics, hosting, infrastructure, email, security, and other service providers;
affiliates, contractors, and vendors supporting the Service;
publicly available or lawfully available sources, where permitted.

5. How We Use Personal Data

We may use personal data for the following purposes:

to operate, provide, maintain, and improve the Service;
to identify parcel-related requests and generate requested outputs;
to process, confirm, reconcile, support, and investigate transactions;
to deliver generated packs by screen, email, or other available channels;
to authenticate requests, maintain logs, and enforce records of consent and acceptance;
to detect, prevent, investigate, and address fraud, abuse, unauthorized access, chargeback risk, payment disputes, and other harmful or unlawful activity;
to administer the website, infrastructure, analytics, diagnostics, and performance monitoring;
to communicate with users regarding orders, service status, support, updates, legal notices, and operational matters;
to send product, service, promotional, or marketing communications where permitted by applicable law;
to conduct internal research, reporting, testing, auditing, quality control, and service development;
to protect our rights, property, systems, personnel, users, and business interests;
to comply with legal, regulatory, tax, accounting, audit, enforcement, and dispute-resolution obligations;
to establish, exercise, or defend legal claims.

Under Indonesia’s PDP framework, personal data processing is regulated and data subjects are granted specific rights; controllers are also required to protect personal data and be accountable for the processing they conduct.

6. Legal Basis / Grounds for Processing

Where required by applicable law, we process personal data based on one or more valid grounds, including:

your consent;
steps necessary to provide the Service requested by you;
compliance with legal obligations;
our legitimate and reasonable interests in operating, securing, supporting, improving, and protecting the Service and our business, provided such interests are not overridden by mandatory legal protections.

If consent is required for a specific processing activity, you may withdraw that consent in accordance with applicable law, subject to legal and operational limitations.

7. Disclosure of Personal Data

We may disclose personal data to the following categories of recipients where reasonably necessary for the purposes described in this Privacy Policy:

affiliates and group companies;
payment providers and transaction processing partners, including Xendit;
hosting, cloud, storage, security, communications, analytics, email, and infrastructure providers;
contractors, advisors, auditors, and professional service providers;
customer support and operational service providers;
law enforcement, regulators, courts, governmental authorities, or other parties where disclosure is required or appropriate under applicable law;
actual or prospective acquirers, investors, lenders, counterparties, or other parties involved in a merger, acquisition, financing, restructuring, reorganization, dissolution, asset sale, or similar corporate transaction;
other parties at your direction or with your authorization.

We may also disclose information where we determine in good faith that disclosure is necessary to investigate misuse of the Service, enforce our rights, prevent harm, respond to claims, reduce chargeback or fraud risk, or protect the Company, users, or third parties.

We do not undertake to disclose the identity of every vendor or technical provider used in connection with the Service, and may change such providers from time to time without individual notice, unless otherwise required by law.

8. International Transfer of Data

Your personal data may be stored, accessed, processed, or transferred in Indonesia and other jurisdictions where we, our affiliates, or our service providers operate. Where cross-border transfer occurs, we will take steps required by applicable law and use legally appropriate safeguards as necessary. Indonesia’s PDP law expressly regulates transfer of personal data and controller obligations in connection with such processing.

9. Data Retention

We retain personal data for as long as reasonably necessary for the purposes described in this Privacy Policy, including:

providing the Service and delivering outputs;
maintaining business and transactional records;
documenting consent, acceptance, and service history;
preventing fraud, abuse, and repeated misuse;
handling complaints, disputes, investigations, audits, chargebacks, and enforcement matters;
complying with legal, tax, accounting, and regulatory obligations.

Retention periods may vary depending on the nature of the data, the sensitivity of the data, the purpose of processing, the operational need, and applicable legal requirements. We may retain certain information for a longer period where necessary to protect the Company’s legal and business interests, to preserve evidence, or to comply with law.

Applicable Indonesian rules also address retention, deletion, destruction, and notification duties in certain cases.

10. Security

We implement reasonable administrative, technical, and organizational measures designed to protect personal data against unauthorized access, unlawful disclosure, alteration, misuse, and destruction. However, no method of transmission over the internet or method of electronic storage is fully secure, and we do not guarantee absolute security.

You are responsible for using the Service in a secure manner, including safeguarding access to your devices, email account, and any credentials or links associated with your order.

Under Indonesia’s PDP law, controllers are required to protect personal data and, in the event of a personal data protection failure, provide notice within the legally required timeframe.

11. Your Rights

Subject to applicable law, you may have the right to request access to your personal data, correction of inaccurate data, completion of incomplete data, withdrawal of consent, restriction or delay of certain processing, deletion, destruction, or other rights available under law. Indonesia’s PDP law sets out rights of data subjects in Articles 5 through 13.

To exercise a request, contact us at: [email protected]

We may:

require sufficient information to verify your identity and authority;
refuse, limit, or defer requests where permitted by law;
retain information as necessary for legal compliance, fraud prevention, evidence preservation, dispute handling, defense of claims, or other lawful purposes;
charge or decline where requests are manifestly unfounded, excessive, repetitive, technically disproportionate, or otherwise not required to be fulfilled under applicable law.

The exercise of data rights does not automatically affect the validity of prior processing undertaken lawfully before such request.

12. Cookies, Analytics, and Similar Technologies

We may use cookies, SDKs, pixels, logs, and similar technologies to:

operate the website and core features;
remember technical preferences;
measure traffic, performance, and engagement;
understand usage patterns;
improve service quality, security, and conversion performance;
support analytics, diagnostics, attribution, and business reporting.

Some third-party analytics and advertising-related tools may collect technical information automatically. Where required by applicable law, we will seek relevant consent or provide relevant controls.

13. Email Communications

We may use your email address to:

send transactional messages and delivery notifications;
send service updates, support responses, and legal or policy notices;
send follow-up communications relating to your request, order, or incomplete transaction;
send marketing or promotional communications, where permitted by law.

You may opt out of non-essential promotional communications by using the unsubscribe mechanism where available or by contacting us. We may still send non-promotional and service-related communications where necessary.

14. Children

The Service is not directed to children and is not intended for persons who are not legally permitted to enter into relevant transactions under applicable law. If we become aware that personal data has been collected in a manner inconsistent with applicable law, we may delete it or take other appropriate action.

15. Third-Party Services

The Service may rely on or interoperate with third-party services, including payment gateways, hosting services, analytics tools, mapping technologies, email infrastructure, and technical vendors. We are not responsible for the privacy practices, content, or security of third-party services that are not controlled by us. Your use of such services may also be governed by separate terms and privacy notices.

16. Business Transfers and Corporate Events

We may transfer or disclose personal data as part of an actual or contemplated merger, acquisition, investment, financing, due diligence review, asset sale, restructuring, insolvency process, or similar corporate transaction, subject to applicable law and confidentiality protections where appropriate.

Indonesia’s PDP law also contemplates notification duties in connection with certain corporate changes affecting personal data control or transfer.

17. Changes to This Privacy Policy

We may amend or update this Privacy Policy from time to time at our discretion. The updated version becomes effective when posted, unless otherwise stated. Your continued use of the Service after the updated version becomes effective constitutes acknowledgment of the updated Privacy Policy to the extent permitted by law.

Where required by applicable law, we will provide additional notice or obtain additional consent.

18. Contact Us

For privacy-related questions or requests, contact:

PT PERARE TECHNOLOGIES INDONESIA
Email: [email protected]
Address: Registered Address