Privacy Policy.

How ShopTopia collects, uses, stores, and protects your personal data, in line with Indonesia’s Personal Data Protection Law (UU PDP No. 27/2022).

Effective: May 19, 2026

In plain language

  • Your store’s customer data belongs to you. CSV export any time.
  • We do not sell data to third parties or use it for external advertising.
  • Online payments are processed directly by Xendit/Stripe; we do not store card numbers.
  • You have rights to access, correct, delete, restrict processing, and withdraw consent at any time.

§ 01

Introduction

PT ShopTopia Indonesia ("ShopTopia", "we") acts as the Personal Data Controller for data you submit when using the ShopTopia Platform. This Policy explains the data we process, its legal basis, retention, and your rights as a Data Subject.

For your store’s customer data (e.g. Buyer WA numbers, shipping addresses), ShopTopia acts as a Data Processor; you, the Seller, are the Controller. This relationship is governed by the Terms of Service.

§ 02

Data we collect

We collect the following data categories:

Identity & contact data
WhatsApp number, email address, Seller name, store name, store city/location.
Authentication data
OTP codes sent to your WhatsApp (retained briefly for verification only).
Store & product data
Store content, product list, photos, prices, stock, variants, and display settings.
Order & transaction data
Order IDs, payment status, amounts, and references to payment-provider transaction IDs. We do not store card numbers.
Subscription & billing data
Active tier, billing history, and Xendit invoice references.
Technical & log data
IP address, user-agent, basic device fingerprint, access logs, and audit trail of significant account changes.
Communication data
Support ticket contents, WhatsApp messages to our team, and emails you send us.

§ 03

Purposes of processing

  • Provide, operate, and maintain the Service (core operations).
  • Verify identity and secure accounts (OTP, anomaly detection).
  • Process subscription payments and issue invoices.
  • Comply with legal obligations (tax, AML, lawful authority requests).
  • Communicate about the service, policy changes, or operational disruptions.
  • Send limited marketing communications, only if you opt in, revocable any time.
  • Improve the product through aggregate, anonymized analytics (no individual profiling).

§ 04

Legal basis for processing

Per UU PDP Article 20, we process data under the following legal bases:

Contract performance
Processing identity, store, order, and billing data to deliver the Service you subscribe to.
Legal obligation
Retaining transaction data for tax/audit compliance; disclosing data to lawful authorities.
Legitimate interest
Securing the Platform, preventing fraud, measuring service performance in aggregate.
Explicit consent
Processing for marketing communications, optional analytics cookies, and new features you opt into.

§ 05

Sharing with third parties

We only share data with third parties under one of these bases: service delivery, legal compliance, or your consent. Currently relevant third parties:

Payment providers
Xendit (Indonesia) and Stripe (international) process online payment transactions. Their privacy policies apply separately.
Infrastructure
Supabase (database, auth, storage) and Vercel (hosting & CDN) as sub-processors.
WhatsApp messaging
WhatsApp Business API via an authorized provider (e.g. Fonnte) to send notifications and OTPs.
Lawful authorities
Law enforcement, tax authorities, or regulators with valid and binding requests.

We do not sell or rent your personal data to third parties for advertising purposes.

§ 06

Cross-border data transfers

Some of our providers operate outside Indonesia. Currently, data may be processed and stored on servers in Southeast Asia (including Singapore). For transfers outside Indonesia, we ensure equivalent protection via data processing contracts with standard clauses (Standard Contractual Clauses) or other mechanisms recognized by Indonesian regulation.

§ 07

Data retention

  • Account & store data: for the life of the account, plus 90 days post-termination to allow reactivation.
  • Transaction & invoice data: at least 10 years per the Company Documents Law and tax rules.
  • Security & audit logs: 12 months, then anonymized unless under investigation.
  • Support communication data: 24 months after ticket resolution.
  • OTPs & ephemeral tokens: deleted upon verification or within 24 hours.

§ 08

Data security

We apply reasonable technical and organizational controls to protect data, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256 by infrastructure providers).
  • Multi-factor authentication for internal admin access.
  • Role-based access control, least-privilege principle, auditable access logs.
  • Daily automated backups and disaster-recovery procedures.
  • Regular vulnerability reviews of dependencies and application code.

No system is perfect. If a security incident materially affects your data, we will notify affected Data Subjects and the competent authority per UU PDP Article 46, no later than 3×24 hours after the incident is identified.

§ 09

Your rights as a Data Subject

Per UU PDP Articles 5–13, you have the right to:

  • Receive clear information about how your data is processed.
  • Access and obtain a copy of your personal data.
  • Correct or update inaccurate data.
  • Erase data ("right to be forgotten") within legal limits.
  • Restrict processing for specific purposes.
  • Withdraw consent at any time for consent-based processing.
  • Data portability in a structured, machine-readable format (CSV).
  • Object to processing based on legitimate interest or automated profiling.
  • Lodge a complaint with the designated Indonesian data protection authority.

To exercise these rights, send a request to privacy@shoptopia.id. We will respond within 30 business days per UU PDP. Identity verification will be required before data is released.

§ 11

Children’s protection

The Platform is intended for Users aged 17 and above. We do not knowingly collect data from children under that age without parental/guardian consent. If you become aware of an account created without consent, contact us for immediate removal.

§ 12

Marketing communications

We only send marketing emails or messages if you opt in. Every message includes a link/instruction to unsubscribe. Transactional communications (billing notifications, policy changes, outages) are not marketing and are sent on a contractual basis.

§ 13

Store customer data (Seller as Controller)

For your store’s Buyer data, you are the Data Controller under UU PDP. Your obligations include: providing appropriate notice to Buyers, collecting data only for lawful purposes, responding to Buyer access/deletion requests, and managing your own marketing consents. ShopTopia processes such data as a Processor on your instructions.

§ 14

Changes to this policy

We may update this Policy from time to time. For material changes, we will notify you by email or on the Platform at least 14 days before they take effect. The "Effective" date above always reflects the current version.

§ 15

DPO contact and complaints

For all privacy questions or Data Subject right requests, write to privacy@shoptopia.id or the Data Protection Officer at dpo@shoptopia.id. If you feel your privacy rights have not been addressed, you have the right to file a complaint with the competent Indonesian data protection authority under UU PDP.

Contact the DPO or privacy team

To exercise your data subject rights, request export/deletion, or report an incident:

Data controller
PT ShopTopia Indonesia
Registered address
Jakarta, Indonesia
Data Protection Officer (DPO)
ShopTopia Data Protection Officer · dpo@shoptopia.id
