Privacy Policy
Berlaku sejak: 2026-05-20
Effective date: 2026-05-20
Version: 1.1
Capital Commerce Consulting (a service brand of PT Mega Supertek Indonesia, hereinafter "we") operates capital-commerce.com. This policy describes the personal data we collect, how we process it, the third parties involved, your rights as a data subject, and how to contact us. Drafted in accordance with Indonesia's UU PDP No. 27/2022 and standard international practice (GDPR-equivalent).
1. Data controller identity
PT Mega Supertek Indonesia
Komplek Marinatama Blok A No. 8–9, Jakarta Utara, Indonesia
Service brand: Capital Commerce Consulting
Data privacy contact: consultant@capital-commerce.com
2. Data we collect
2.1 Contact form (submitted voluntarily)
When you submit the form at /contact, we receive:
- Full name (required)
- Email address (required)
- Company name (optional)
- Role / title (optional)
- WhatsApp number (optional)
- Pain context / message (required)
- Budget range (optional)
- Timeline (optional)
- Source page (the page from which you submitted)
- Browser locale (id-ID or en-US)
2.2 Analytics data (opt-in, only after you click "Accept")
We collect anonymized behavior data to understand site usage:
- Page views + URLs visited
- Traffic source (referrer, campaign)
- Device + browser metadata (model, OS, viewport)
- Approximate city-level location (IP-based, IP anonymized)
- Outbound link clicks and file downloads
- Scroll depth + time on page
2.3 Operational data
- Server access logs (IP, timestamp, user agent) — retained 30 days for security + debugging
- Cookie consent state (stored in your browser via localStorage)
3. Processing purposes + legal basis
| Data | Purpose | Legal basis (UU PDP Art. 20) |
|---|---|---|
| Contact form | Respond to your inquiry, send confirmation email, internal team notification | Your consent (Art. 20 §1) |
| Analytics | Site content + UX optimization, audience understanding | Your consent via banner (Art. 20 §1) |
| Server logs | Operational security + debugging | Legitimate interest (Art. 20 §2.f) |
4. Third parties (data processors)
We use the following third-party services. Each is bound by its own privacy policy and processes data per our instructions.
| Service | Function | Controller | Jurisdiction |
|---|---|---|---|
| Google Analytics 4 | Opt-in web analytics | Google LLC | United States |
| Resend | Transactional email (form confirmation) | Resend Inc. | United States |
| Telegram Bot API | Internal lead notification to team group | Telegram Messenger Inc. | UAE |
| Strapi CMS + PostgreSQL | Content + form data storage | Self-managed | Indonesia (DO Singapore region) |
| Cloudflare | DNS + CDN + DDoS protection | Cloudflare Inc. | United States |
| DigitalOcean | Hosting infrastructure (VPS) | DigitalOcean LLC | Singapore (SGP1 region) |
Third-party privacy policies: Google (policies.google.com/privacy), Resend (resend.com/legal/privacy-policy), Telegram (telegram.org/privacy), Cloudflare (cloudflare.com/privacypolicy), DigitalOcean (digitalocean.com/legal/privacy-policy).
5. Cookies in use
| Name | Purpose | Party | Type | Duration |
|---|---|---|---|---|
_ga | Unique visitor ID | Google Analytics 4 | Persistent cookie | 24 months |
_ga_6KGBSGGDWX | GA4 session state (property-specific) | Google Analytics 4 | Persistent cookie | 24 months |
capcom-consent-analytics | Cookie consent state | Capital Commerce | Persistent localStorage | Until you reset |
capcom-locale | Language preference (id-ID or en-US) | Capital Commerce | Persistent cookie | 12 months |
Analytics cookies (_ga*) are only set after you click "Accept" on the consent banner. You may revoke consent at any time via the "Cookie settings" link in the site footer.
6. Cross-border data transfers
Some third-party services (Google, Resend, Cloudflare) process data in the United States. Such transfers occur under:
- Your explicit consent for analytics (via banner)
- Necessity for service execution (transactional email)
- Equivalent data protection standards (Standard Contractual Clauses / equivalent safeguards)
7. Your rights as a data subject (UU PDP Art. 4–13)
You have the right to:
- Access — request a copy of the personal data we hold about you
- Correction — request rectification of inaccurate or outdated data
- Erasure (right to be forgotten) — request deletion of your personal data
- Restriction of processing — limit processing for specific purposes
- Portability — receive your data in machine-readable format
- Objection — object to processing for specific purposes (e.g. analytics)
- Withdraw consent — revoke consent at any time without consequence
- Lodge complaint — to Komisi Perlindungan Data Pribadi (KPDP)
How to exercise your rights
Email consultant@capital-commerce.com with subject "PDP Request: [type of request]" or "Data Request: [type]". Include:
- Name and email used when submitting the form (for identity verification)
- Request type (access / correction / erasure / etc.)
- Specific details (optional)
Response within 7 business days. Complex requests may extend up to 30 business days with prior notice.
8. Storage + retention
| Data type | Retention | Reason |
|---|---|---|
| Contact form submissions | Indefinite (until you request erasure) | Ongoing commercial relationship |
| Transactional email log (Resend) | 30 days | Resend default, delivery debugging |
| Analytics data (Google Analytics) | 14 months | Google Analytics 4 default |
| Server access logs | 30 days rolling | Security + audit |
| Cookie consent state | Until you reset | Persistent localStorage in your browser |
9. Data security
We apply reasonable technical and organizational measures:
- TLS 1.2+ for all communications (HTTPS via Let's Encrypt)
- Password-protected database, access restricted to authorized staff
- Periodic backups (daily Postgres dump, 30-day retention)
- Server hardening (UFW firewall, SSH key-only, no password login)
- API key + secret rotation upon detected compromise
- Internal audit log for sensitive data access
No system is 100% secure. In case of a data breach, we will notify KPDP within 72 hours and affected data subjects per UU PDP Art. 46.
10. Minors
Our services target B2B audiences (adult professionals). We do not knowingly collect data from individuals under 18. If you believe your child has submitted data to us, contact consultant@capital-commerce.com for erasure.
11. Policy updates
This policy may be updated. Material changes will be announced via a site banner. Version and effective date appear at the top. Continued use after changes are in effect constitutes acceptance of the latest version.
12. Contact
For questions, complaints, or to exercise your rights:
Email: consultant@capital-commerce.com
Mail: Capital Commerce Consulting, c/o PT Mega Supertek Indonesia, Komplek Marinatama Blok A No. 8–9, Jakarta Utara, Indonesia
Lodging complaints with the authority:
Komisi Perlindungan Data Pribadi (KPDP) Complaints via the KPDP portal once the agency becomes operational (timeline per government announcement).