Privacy Policy
Last updated: May 13, 2026
This Privacy Policy describes how Dkelola ("Dkelola", "we", "us", or "our"), operated by PT Aivora Institute Indonesia, collects, uses, stores, shares, and protects information about you when you use dkelola.com and associated services (collectively, the "Service").
This Policy is designed to comply with Law No. 27 of 2022 on Personal Data Protection (UU PDP) and Law No. 11 of 2008 on Electronic Information and Transactions (UU ITE), as amended, together with their implementing regulations. By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy.
Where any term of this Policy conflicts with our Terms of Service with respect to the handling of personal data, this Policy controls.
1. About Dkelola
Dkelola is a cloud-based business management platform serving Independent Businesses in Indonesia. The Service includes bookkeeping, cash flow management, inventory and asset tracking, payroll computation, financial reporting, multi-business administration, and an AI Assistant for data queries.
For the purposes of UU PDP, Dkelola acts as a Personal Data Controller (Pengendali Data Pribadi) with respect to account holder personal data, and as a Personal Data Processor on behalf of the User (Prosesor Data Pribadi) with respect to data the User enters about their business's customers, employees, and vendors.
2. Scope and Definitions
- "Personal Data" means any information about an identified or identifiable natural person, as defined under UU PDP Article 1.
- "Sensitive Personal Data" means data that requires heightened protection under UU PDP Article 4(2), including health data, biometric data, genetic data, criminal records, children's data, financial data, and similar categories.
- "Data Subject" means the natural person to whom Personal Data relates.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, transmission, alteration, and deletion.
- "User" means any individual who accesses the Service with a registered Account.
3. Information We Collect
3.1 Account Data
When you create an Account directly or via Google Sign-In, we collect:
- Full name
- Email address
- WhatsApp / telephone number
- Password hash (we use the bcrypt algorithm; the plaintext password is never stored on our infrastructure)
- Profile photo URL (if provided via Google Sign-In)
- Account role (owner, manager, finance, staff, investor)
3.2 Business Data
Information about the Business you manage within the Service, including:
- Business name, URL slug, type, and address
- Owner contact details
- Operational data you enter: transactions, invoices, receipts, cash positions, inventory counts, asset records, rental agreements, employee records, payroll figures, and uploaded documents
Business Data may include Personal Data of third parties (e.g. your customers, employees, vendors). For such data, you act as the Personal Data Controller and Dkelola acts as the Processor, meaning you are responsible for ensuring you have a lawful basis under UU PDP to collect and process that data and for honoring the rights of those Data Subjects.
3.3 Technical Data
- IP address and approximate geographic location
- Browser type, version, and user agent
- Operating system and device type
- Login timestamps and session duration
- Pages visited and features used within the Service
- Referrer URLs and links clicked
- Error and crash diagnostics
3.4 Payment Data
We do not store complete payment card numbers or full payment credentials on our infrastructure. Payment data is collected and processed directly by our payment service provider, Midtrans, under its own privacy policy. Dkelola receives only the following from payment transactions:
- Transaction status, amount, currency, and timestamp
- Payment method category (e.g. credit card, QRIS, virtual account)
- Bank name or e-wallet name (where applicable)
- Last four digits of card numbers, when relevant
- Midtrans transaction identifier
3.5 AI Assistant Queries
When you use the AI Assistant feature, your queries and the aggregated business context we send to the underlying language model provider are processed by that provider in accordance with its own privacy practices. See Section 7 for details.
3.6 Cookies and Local Storage
We use first-party cookies and browser local storage for:
- Authentication session management
- Cross-site request forgery (CSRF) protection
- User preferences (sidebar collapse state, theme, onboarding tour progress)
We do not use third-party tracking cookies for advertising, profiling, or cross-site behavioral analysis.
4. How We Collect Information
- Directly from you — when you register, enter business data, upload files, or contact support;
- Automatically — when you interact with the Service (technical data, usage logs);
- From third parties — when you sign in via Google OAuth, Google provides your name, email, and profile photo subject to your Google account permissions;
- From your collaborators — when another User invites you to a Business or assigns you to a role.
5. How We Use Your Information
We use your Personal Data to:
- Provide, operate, and maintain the Service;
- Authenticate Users and manage Accounts;
- Process Subscription payments and invoicing;
- Generate reports, dashboards, and AI Assistant responses you request;
- Send transactional communications (receipts, security alerts, service updates);
- Provide customer support and respond to your inquiries;
- Detect, investigate, and prevent fraud, security incidents, and abuse;
- Comply with legal obligations, including tax records, accounting, and government information requests;
- Improve and develop the Service through aggregated, anonymized analytics.
We do not sell your Personal Data to third parties. We do not use your Personal Data for targeted advertising.
6. Legal Bases for Processing
Under UU PDP Article 20, we process Personal Data on one or more of the following legal bases:
- Consent — for processing that requires your explicit consent (e.g. marketing communications you opt into);
- Contract Performance — to provide the Service you have signed up for;
- Legal Obligation — to comply with applicable Indonesian law;
- Vital Interest — to protect the life or physical safety of a Data Subject;
- Legitimate Interest — for purposes such as fraud prevention, service security, and product improvement, balanced against your fundamental rights and freedoms.
7. AI Assistant and Data Processing
The AI Assistant feature is powered by third-party large language model providers, currently Google Gemini. To produce responses, we send the following to the model provider:
- Your query text;
- An aggregated, abbreviated snapshot of your Business data relevant to the query (e.g. summary totals, recent transactions, current cash positions) — never raw transaction tables or third-party Personal Data fields beyond what is necessary;
- The conversation history within the current AI session.
The model provider processes this data under its own privacy policy and data-handling commitments. We choose providers that commit to not training their general models on Service data absent your explicit opt-in.
You may decline to use the AI Assistant, in which case no AI provider receives your data.
8. Sharing and Disclosure of Information
We disclose Personal Data only in the following circumstances:
8.1 Within Your Business
Other Users with appropriate roles within your Business will see the Business data relevant to their permissions. The role configuration is controlled by the Business Owner.
8.2 Service Providers (Data Processors)
We engage carefully selected third parties to process data on our behalf under written data processing agreements that require equivalent confidentiality and security commitments. See Section 9 for the current list.
8.3 Legal Compliance and Protection
We may disclose Personal Data if required by:
- Valid court orders, subpoenas, or government requests under Indonesian law;
- Tax authorities (Direktorat Jenderal Pajak) where applicable;
- Law enforcement investigations of fraud, money laundering, or other crimes;
- Enforcement of our Terms of Service or protection of our legal rights.
Wherever permitted by law, we will notify affected Users in advance of any such disclosure.
8.4 Business Transfers
In the event of a merger, acquisition, corporate reorganization, or sale of all or substantially all of our assets, Personal Data may be transferred to the acquiring entity, subject to protections equivalent to those in this Policy.
9. Third-Party Data Processors
We currently use the following processors. Each is bound by a data processing agreement and operates under its own published privacy policy:
| Processor | Purpose | Data Categories |
|---|---|---|
| Hosting and infrastructure provider | Application and database hosting | All data stored within the Service |
| Google (Sign-In) | OAuth-based account authentication | Name, email, profile photo |
| Google (Gemini AI) | Power the AI Assistant feature | Query text and aggregated business context (not raw transactions) |
| Midtrans (PT Midtrans Solusi Pembayaran) | Subscription payment processing | Payer name, email, phone, payment details |
| Cloud storage provider | Storing uploaded receipts and documents | Files you upload through the Service |
| Email and messaging providers | Transactional email and WhatsApp notifications | Email address, phone number, message contents |
| Error monitoring service | Detect and diagnose application errors | Technical data, stack traces, anonymized user IDs |
The list above may change as the Service evolves. Material changes to our processor list will be reflected in updates to this Policy.
10. International Data Transfers
Personal Data may be stored or processed in countries outside Indonesia where our infrastructure providers or processors operate (typically Singapore, the United States, or the European Union). In such transfers, we implement safeguards consistent with UU PDP Article 56, including:
- Transfers only to jurisdictions with an adequate level of data protection, or with appropriate contractual safeguards;
- Data processing agreements with cross-border processors that impose equivalent protection obligations;
- Encryption of data in transit using industry-standard TLS.
11. Cookies and Similar Technologies
We use only strictly-necessary first-party cookies for authentication and CSRF protection, and browser local storage for User preferences. No third-party advertising or behavioral tracking cookies are set by the Service.
You may control or block cookies through your browser settings, but doing so will prevent you from signing in or using core features of the Service.
12. Data Retention
- Account Data — retained for as long as your Account is active, plus a 90-day grace period after deletion to support reactivation, after which it is permanently deleted unless retention is required by law.
- Business Data — retained for the lifetime of the Business within the Service. Upon Business deletion, retained for 90 days then permanently deleted.
- Financial Records — transaction and invoice records may be retained for up to ten (10) years after deletion to comply with Indonesian tax and accounting law (Law No. 28 of 2007 on General Provisions of Taxation).
- Audit Logs — retained for two (2) years for security and compliance purposes.
- Backups — automated backups are retained for up to 30 days and overwritten on a rolling basis.
13. Data Security
We implement technical and organizational measures appropriate to the risk of processing, including:
- TLS encryption for all data in transit;
- Encryption at rest for databases and stored files;
- Bcrypt password hashing with per-user salt; plaintext passwords are never stored;
- Role-based access control with the principle of least privilege;
- Server-side input validation and parameterized database queries;
- Automated security patching of infrastructure components;
- Regular backups with off-site replication;
- Audit logging of administrative actions;
- Background screening and confidentiality agreements for personnel with privileged access.
No method of transmission over the internet or method of electronic storage is 100% secure. Notwithstanding our safeguards, we cannot guarantee absolute security and you acknowledge that you transmit and store data at your own risk, consistent with the limitations of liability in our Terms of Service.
14. Your Rights Under UU PDP
Under UU PDP Articles 5–13, you have the following rights with respect to your Personal Data:
- Right to Information — to know what Personal Data we hold about you and how it is processed.
- Right of Access — to obtain a copy of your Personal Data we hold.
- Right to Rectification — to correct inaccurate or incomplete Personal Data.
- Right to Erasure — to request deletion of your Personal Data, subject to retention obligations under applicable law.
- Right to Withdraw Consent — to withdraw consent for processing based on consent, without affecting the lawfulness of processing carried out before withdrawal.
- Right to Object — to object to processing based on our legitimate interest.
- Right to Restrict Processing — to limit processing in specific circumstances.
- Right to Data Portability — to receive your Personal Data in a structured, commonly used, machine-readable format (Excel export is available within the Service).
- Right Not to Be Subject to Automated Decisions — we do not make automated decisions that produce legal effects about you.
- Right to Complain — to lodge a complaint with the relevant supervisory authority in Indonesia.
15. Exercising Your Rights
You can exercise most rights directly through the Service — update your profile, change Account settings, export your data to Excel, or request Account deletion from the Pengaturan (Settings) page.
For requests that cannot be self-served, contact us at privasi@dkelola.com with the subject line "Data Subject Request". We will respond within fourteen (14) business days. We may request proof of identity to protect against fraudulent requests.
If you are dissatisfied with our response, you may submit a complaint to the Indonesian supervisory authority responsible for personal data protection under UU PDP.
16. Children's Privacy
The Service is intended for users 18 years of age and older. We do not knowingly collect Personal Data from children under 18. If we discover that we have collected Personal Data from a child without verifiable parental consent, we will delete that data promptly. If you believe a child has provided us with Personal Data, please contact us at privasi@dkelola.com.
17. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will, in compliance with UU PDP Article 46:
- Notify the relevant supervisory authority no later than 3 × 24 hours after becoming aware of the breach;
- Notify affected Data Subjects without undue delay where the breach is likely to result in a high risk;
- Document the facts, effects, and remedial action taken with respect to the breach.
18. Changes to This Privacy Policy
We may update this Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. The "Last updated" date at the top of the page indicates the current version. Material changes will be communicated through in-product notification or email at least thirty (30) days prior to the effective date.
Continued use of the Service after the effective date of a revised Policy constitutes your acceptance of the revised Policy.
19. Contact Us
For questions, complaints, or requests regarding this Privacy Policy or your Personal Data, please contact:
Email: privasi@dkelola.com
Subject line: [Privacy] – [Topic]
Operating entity: PT Aivora Institute Indonesia
Jurisdiction: Republic of Indonesia
We are committed to responding to all privacy inquiries within fourteen (14) business days.
By using Dkelola, you acknowledge that you have read and understood this Privacy Policy in its entirety.
