1. Introduction
This Privacy Policy applies to personal data collected through Markin by Duluin (the “Service”), operated by PT Rasa Aksata Nusantara, and is governed by Indonesian Law No. 27 of 2022 on Personal Data Protection (UU PDP), as well as other applicable data protection regulations.
We act as a Data Controller for personal data you provide directly to us, and as a Data Processor for documents and data belonging to your organization that are processed through the Service on your behalf.
By using the Service, you acknowledge that you have read and understood this Privacy Policy.
2. Information We Collect
2.1 Information You Provide Directly
- Account Information: Full name, email address, phone number, profile photo, and organizational affiliation provided during registration;
- Identity Verification Data: National ID number (NIK), KTP/passport image, and facial biometrics collected for digital certificate issuance and identity verification (eKYC);
- Documents: Files and documents you upload, sign, or transmit through the Service;
- Payment Information: Billing details and transaction records (processed through PCI DSS-compliant payment processors; we do not store raw card data);
- Communications: Support tickets, feedback, and correspondence with our team.
2.2 Information Collected Automatically
- Usage Data: Pages visited, features used, click patterns, timestamps, and session duration;
- Device and Technical Data: IP address, browser type, operating system, device identifiers, and screen resolution;
- Audit Trail Data: Signature events, document access logs, and authentication records required for legal validity of electronic signatures;
- Cookies and Similar Technologies: As described in Section 9.
2.3 Information from Third Parties
- Identity data from our Single Sign-On (SSO) provider (Duluin Launchpad) when you authenticate using your Duluin account;
- Identity verification results from accredited eKYC providers;
- Digital certificate data from licensed Certification Authorities (BSrE or equivalent).
3. How We Use Your Information
We use the information we collect for the following purposes:
- Service Delivery: To create and manage your account, process electronic signatures, issue digital certificates, and deliver core platform functionality;
- Identity Verification: To verify your identity as required for certified electronic signatures under Indonesian law;
- Legal Compliance: To maintain audit trails, comply with e-signature regulations, respond to legal obligations, and fulfill regulatory reporting requirements;
- Security: To detect fraud, unauthorized access, and malicious activity; to protect the integrity of signed documents;
- Communication: To send transactional emails (e.g., signature requests, notifications), security alerts, and service updates;
- Improvement: To analyze usage patterns and improve platform performance, usability, and features;
- Billing: To process payments and manage subscriptions;
- Support: To respond to inquiries and resolve issues.
4. Legal Basis for Processing
Under UU PDP and applicable regulations, we process your personal data on the following legal bases:
- Contract Performance: Processing necessary to provide the Service as agreed in our Terms of Service;
- Legal Obligation: Processing required to comply with Indonesian laws and regulations (e.g., audit trail retention for e-signature validity);
- Legitimate Interests: Processing for fraud prevention, security, and platform improvement, where our interests do not override your rights;
- Consent: For identity verification (eKYC) and marketing communications, we will request your explicit consent. You may withdraw consent at any time without affecting the lawfulness of prior processing.
5. Information Sharing and Disclosure
We do not sell your personal data. We may share your information with:
5.1 Service Providers
Trusted third-party vendors who assist in providing the Service, including cloud infrastructure providers, eKYC providers, Certification Authorities (CAs), payment processors, and email delivery services. These providers are bound by data processing agreements and are only permitted to use your data to perform services on our behalf.
5.2 Signing Counterparties
When you initiate a signing workflow, the counterparty will receive your name, email address, and signed document as necessary to complete the transaction.
5.3 Legal and Regulatory Disclosure
We may disclose your information to law enforcement, courts, or regulatory authorities when required by applicable law, court order, or to protect the rights and safety of our users or the public.
5.4 Business Transfers
In the event of a merger, acquisition, or sale of all or substantially all of our assets, your information may be transferred to the successor entity, subject to equivalent data protection commitments.
6. Data Security
We implement comprehensive technical and organizational security measures to protect your personal data, including:
- Encryption: AES-256 encryption at rest and TLS 1.2+ in transit;
- Access Controls: Role-based access control (RBAC) and principle of least privilege;
- Authentication: Multi-factor authentication (MFA) options and secure session management;
- Infrastructure: Hosted on ISO 27001-certified cloud data centers;
- Monitoring: Continuous security monitoring, intrusion detection systems, and regular vulnerability assessments;
- Incident Response: Defined procedures for detecting, containing, and reporting data breaches.
In the event of a data breach that poses a risk to your rights, we will notify you and relevant authorities within the timeframes required by UU PDP.
7. Data Retention
We retain your personal data for the following periods:
- Account Data: For the duration of your account plus 3 years after account deletion, to comply with legal obligations;
- Signed Documents and Audit Trails: Minimum 10 years from the date of signing, as required for legal evidentiary purposes under Indonesian e-signature regulations;
- Identity Verification Data (eKYC): As required by the issuing CA's Certificate Policy and applicable regulations;
- Usage Logs: Up to 12 months for security and operational purposes;
- Payment Records: 5 years as required by Indonesian tax regulations.
Upon expiry of the applicable retention period, we securely delete or anonymize your data.
8. Your Rights as a Data Subject
Under UU PDP and applicable regulations, you have the following rights regarding your personal data:
- Right to Access: Request a copy of the personal data we hold about you;
- Right to Rectification: Request correction of inaccurate or incomplete data;
- Right to Erasure: Request deletion of your data, subject to our legal retention obligations;
- Right to Restrict Processing: Request that we limit how we use your data in certain circumstances;
- Right to Data Portability: Receive your data in a structured, commonly used, machine-readable format;
- Right to Object: Object to processing based on legitimate interests or for direct marketing;
- Right to Withdraw Consent: Withdraw previously given consent at any time without affecting prior processing.
To exercise your rights, please contact our Data Protection Officer at [email protected]. We will respond within 14 (fourteen) business days. We may require identity verification before processing your request.
If you believe your rights have been violated, you may lodge a complaint with the relevant Indonesian data protection authority (KPPI — Komite Perlindungan Privasi Indonesia).
9. Cookies and Tracking Technologies
We use cookies and similar technologies to operate and improve the Service. The types of cookies we use include:
- Essential Cookies: Required for the Service to function (e.g., authentication session tokens, security cookies). These cannot be disabled.
- Functional Cookies: Remember your preferences such as language and theme settings.
- Analytics Cookies: Help us understand how users interact with the platform (e.g., page views, feature usage). Used in aggregate and anonymized form.
You can manage cookie preferences through your browser settings. Disabling non-essential cookies will not affect your ability to use core Service features.
10. Third-Party Services
Markin by Duluin integrates with and relies on the following categories of third-party services:
- Cloud Infrastructure: Data hosting and storage;
- eKYC Providers: Identity document verification and biometric checks;
- Certification Authorities (CAs): Digital certificate issuance (BSrE and approved third-party CAs);
- Payment Processors: Secure payment transactions;
- Analytics Services: Platform usage analytics (data is anonymized or pseudonymized where applicable);
- Email Delivery: Transactional email notifications.
Each third-party service operates under its own privacy policy. We carefully vet our vendors and ensure appropriate data protection agreements are in place.
11. International Data Transfers
Your data is primarily processed and stored within the territory of the Republic of Indonesia. Where data is transferred internationally (e.g., to cloud providers with global infrastructure), we ensure that adequate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) or equivalent mechanisms;
- Transfers only to countries deemed to provide adequate data protection;
- Contractual commitments to comply with Indonesian data protection standards.
12. Children’s Privacy
Markin by Duluin is not directed to or intended for use by individuals under the age of 18 years. We do not knowingly collect personal data from minors. If we become aware that we have inadvertently collected data from a person under 18, we will promptly delete such data.
If you believe a minor has provided us with personal data, please contact us at [email protected].
13. Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in our practices, legal requirements, or the features of the Service. When we make material changes, we will:
- Update the “Last Updated” date at the top of this Policy;
- Send an email notification to registered users;
- Display a prominent notice within the Service for at least 14 days before the revised policy takes effect.
Your continued use of the Service after the effective date of the revised Policy constitutes your acceptance of the changes.
14. Contact and Data Protection Officer
For questions, concerns, or to exercise your data subject rights, please contact:
Data Protection Officer (DPO)
PT Rasa Aksata Nusantara
Email: [email protected]
General Inquiries: [email protected]
Website: https://duluin.com
We are committed to resolving privacy-related concerns promptly and transparently.