Privacy Policy

1. Introduction

PT Amanah Sewa Nanjaya ("Arental", "we") is committed to protecting the privacy of your personal data. This Privacy Policy explains how we collect, use, store, and protect the information you provide when using our services, including the arental.co.id website and all digital device rental services.

2. Legal Basis for Processing

Personal data processing by Arental is governed by the following Indonesian regulations:

• Law No. 27 of 2022 on Personal Data Protection (UU PDP) — the primary framework defining data subject rights and Data Controller obligations.
• Law No. 11 of 2008 as amended by Law No. 19 of 2016 on Information and Electronic Transactions (UU ITE) — governing electronic transactions and the liability of electronic system operators.
• Government Regulation No. 71 of 2019 on Electronic System and Transaction Operation (PSTE) — registration and compliance obligations for electronic system providers.
• MOCI Regulation No. 20 of 2016 on Personal Data Protection in Electronic Systems — technical standards for processing and data security.

3. Data We Collect

We may collect the following data:

• Identity information: full name, job title, and company name.
• Contact information: email address, phone number, and office address.
• Company information: industry sector, company size, and device requirements.
• Technical data: IP address, browser type, access device, and website analytics data.
• Transaction information: rental history, contract details, invoices, and payment records.
• Communication data: WhatsApp/email conversation records with the sales and helpdesk teams for service quality and dispute resolution.

4. How We Use Your Data

Your personal data is used to:

• Process and manage device rental contracts.
• Provide technical support and after-sales service.
• Send offers, product information, and service updates.
• Improve service quality and website user experience.
• Comply with applicable legal obligations, tax audits, and regulations.
• Detect and prevent fraud, service misuse, and maintain system security.

5. Data Protection

We implement the following technical and organizational security measures:

• In-transit data encryption using TLS 1.2 or higher for all web and API communications.
• At-rest encryption on production databases using AES-256 native to the cloud provider (Supabase/PostgreSQL).
• Role-based access control (RBAC) on least-privilege principles for all internal staff.
• Audit logging of all sensitive personal data access, periodically reviewed by security and compliance teams.
• Regular information security and privacy awareness training for all employees, at least once per year.

6. Data Sharing

We do not sell or rent your personal data to third parties. Data may only be shared with:

• Logistics partners assisting with device delivery and installation.
• Technology service providers supporting our operations (see Third-Party Processors).
• Government authorities when required by applicable law or valid court order.
• Successor parties in the context of mergers, acquisitions, or corporate restructuring, with prior notice to data subjects.

7. Third-Party Data Processors

Arental uses the following third-party providers for data processing, each with a specific purpose and documented security commitment:

• Supabase (ap-southeast-1 region, Singapore) — primary database for client data, contracts, and transactions; SOC 2 Type II compliant.
• Resend — transactional email delivery (invoices, confirmations, system notifications) from the arental.co.id domain.
• Vercel — web frontend hosting and edge functions; global CDN with Singapore as primary region.
• Microsoft Clarity — anonymous user behavior analytics (heatmaps, session recording) to improve site UX.
• Google Analytics 4 — traffic and conversion analytics with IP anonymization enabled.
• Google Ads — marketing campaign conversion measurement; event data is sent in aggregated and hashed form.

8. Cross-Border Data Transfer

Some of Arental's data processors are based outside Indonesia. We apply the following safeguards:

• Primary data domicile is Singapore (ap-southeast-1) for the production database, located in a jurisdiction with data protection levels equivalent to or higher than Indonesia.
• All in-transit data to overseas processors is encrypted with TLS 1.2+, and at-rest data is encrypted with AES-256 on the processor side.
• Every third-party processor is bound by a Data Processing Agreement (DPA) imposing standards equivalent to UU PDP.
• Clients may request an annual cross-border transfer summary report via the DPO for internal audit purposes.

9. Cookies & Tracking Technologies

Our website uses cookies to operate the site and to measure analytics and advertising performance so we can keep improving our service. Categories of cookies we use:

• Strictly necessary cookies (session, theme preference, locale): 1-year retention — core site functions, cannot be disabled.
• Analytics cookies (Google Analytics 4, 14-month retention; Microsoft Clarity, 1-year retention): measure how the site is used so we can improve UX. Microsoft Clarity records heatmaps and session replays. Active by default.
• Marketing cookies (Google Ads conversion tracking, 90-day retention): measure advertising campaign effectiveness. Active by default.
• Managing cookies: to restrict analytics and advertising cookies, use your browser's privacy or cookie controls (block third-party cookies, enable tracking prevention, or use a private/incognito window), or contact our DPO via email.

10. Your Rights

Under Articles 5–15 of UU PDP, you have the right to:

• Access and obtain a copy of the personal data we hold about you.
• Request correction of inaccurate or incomplete data.
• Request deletion of your personal data (right to erasure), subject to legal retention obligations.
• Object to the use of data for marketing purposes (marketing opt-out).
• Withdraw previously given consent at any time, without affecting the lawfulness of processing prior to withdrawal.
• File a complaint with the Personal Data Protection Authority or MOCI if you believe your rights have been infringed.

11. Data Protection Officer (DPO)

Arental appoints a Data Protection Officer (DPO) as the official point of contact for all personal data protection matters:

• DPO contact: email dpo@arental.co.id, addressed to "Data Protection Officer PT Amanah Sewa Nanjaya".
• Request mechanism: data subjects may submit access/correction/deletion requests via the DPO email with identity verification (ID card or valid corporate document).
• Response SLA: initial response within 7 Business Days of receiving the request; full resolution within a maximum of 14 Business Days, extendable by 14 additional days for complex requests with written notice.

12. Data Retention

Personal data retention periods reflect operational needs and legal obligations:

• Active contract data and supporting documents are retained for the contract duration plus 3 years after termination for dispute resolution purposes.
• Tax documents (invoices, withholding receipts) are retained for 10 years pursuant to PER-23/PJ/2020 and Article 28(11) of the General Tax Provisions Law.
• Marketing data (leads, prospects) are retained for a maximum of 24 months from the last interaction, unless the subject withdraws consent earlier.
• Web analytics data is aggregated and anonymized within 14 months per Google Analytics 4 default retention.

13. Data Breach Notification

Per Article 46 of UU PDP, Arental follows the following data breach notification protocol:

• Security incidents resulting in personal data leakage will be notified to affected data subjects and the supervisory authority (MOCI/PDP body) within a maximum of 72 hours of discovery.
• Notifications include: type of data affected, number of affected subjects, potential impact, and mitigation actions taken or planned.
• Corporate clients are notified separately via DPO email and/or executive contacts registered in the Contract.
• Arental conducts a post-incident review and provides a final report to affected clients within 30 Business Days of incident closure.

14. Minors' Data

Arental's services are intended exclusively for corporate clients and adult professionals. We do not knowingly collect personal data from individuals under the age of 18. If we learn that data from minors has been collected without valid parental/guardian consent, that data will be promptly deleted from all our systems in line with Article 25 of UU PDP.

15. Marketing Consent

Arental's marketing communications operate on an explicit consent mechanism:

• Opt-in: data subjects actively consent to receive newsletters, promotions, and product updates via a separate checkbox on contact forms or subscription pages.
• Opt-out: every marketing email includes a one-click unsubscribe link in the footer; opt-out requests are processed within 7 Business Days.
• Transactional communications (invoices, contract confirmations, service notifications) do not require opt-in and cannot be opted out during an active contract because they are essential to the service.

16. Changes to Policy

Arental reserves the right to update this Privacy Policy at any time to reflect changes in services, technology, or regulation. Material changes will be notified to registered data subjects via email and published on this page at least 30 days before taking effect. Continued use of services after the effective date constitutes acceptance of the updated policy.

17. Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights regarding personal data, please contact us via email at sales@arental.co.id or through the contact page on our website.