Last Updated October 15, 2021
With this policy, we present transparently that we gather, store and handle the data of persons fairly and in accordance with law. As part of our drive to serve you better, we need to obtain and process your information. This includes any offline or online data that makes a person identifiable such as names, addresses, usernames and passwords, digital footprints, photographs, social security numbers, financial data, etc.
Brankas collects or processes this information only with the full knowledge, cooperation and consent of interested parties. Once this information is available to us, the following rules apply.
Your data will be kept up-to-date, collected or processed fairly and for lawful purposes only. The information you give us will be processed within legal boundaries and will be protected against any unauthorized or illegal access by internal or external parties. You are free to exercise your rights under the law as a data subject and we fully respect the same.
Your data will not be distributed to any party other than those consented and agreed to by you or the data's owner (except data that must be disclosed by law or in response to legitimate requests from courts of competent jurisdiction and law enforcement authorities). Without such express consent from you or the data owner, it will not be communicated or transferred, informally or in any manner, to any other person, entity, organization or country.
In addition to our methods of handling the data, Brankas has direct obligations towards people to whom the data belong. We allow people to modify, erase, reduce or correct data contained in our databases in line with their rights under the law. We will have provisions in cases of lost or corrupted data.
For protection, Brankas is committed to restricting and monitoring access to sensitive data. Our officers and employees will be trained in online privacy and data security and will establish data protection practices (secure locks, data encryption, access authorization, etc.). In addition, security measures will be built through a secure network to protect data from cyber attacks.
Thank you for using Brankas!
CHAPTER I - DEFINITIONS
Data Subject refers to an individual (e.g. the end user of the Brankas service) whose Personal Data is collected or processed;
Personal Data refers to any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Processing refers to any operation performed upon Personal Data including, but not limited to, collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. Processing may be performed through automated means or manual processing.
Specific Personal Data refers to Personal Data:
- about personal finances, including but not limited to bank deposit data including savings, deposits, and credit cards;
- about a person's race, ethnic origin, marital status, age, color, religious affiliation, philosophy, or politics;
- about a person's health, education, genetic or sexual life, or any legal process for any offence committed or alleged to have been committed by that person, the completion of such legal process, or the punishment of any court authorized in respect of such proceedings;
- issued by government agencies specifically for individuals that include, but are not limited to, social security numbers, residence identities, previous or current health records, their permits or refusals, their suspension or revocation, and tax returns; and
- specifically stipulated by executive orders or legislation to be kept confidential.
CHAPTER II - PERSONAL DATA COLLECTED, USED AND SHARED
Information Brankas Collects - Brankas collects your (or "you") Personal Data, which, where applicable, may include credentials such as user name and password or security token. In some cases, we also collect your phone number, email address, and one-time password (OTP) to help verify your identity before providing our services to you. When providing this information, you give Brankas permission to act on your behalf to access, use, disclose and share your Personal Data from relevant banks or other entities (i.e., providers of financial products and services) for the purpose of providing our services for your use. Further, with your consent and at the request of your financial services provider, Brankas may store your credentials such as username, password, OTP, and token number which is generated digitally or through hard tokens. The data will be stored on the servers of the Company or a third party provider. If we will use your data beyond this stated purpose, Brankas will ask for your consent anew. We uphold confidentiality and privacy of your data. You can also provide us with other information, including your name, email address and phone number, when you call.
The specific information we collect from your bank or financial product and service providers depends on the service you availed from us. Overall, this includes:
- Account information, including financial institution name, account name, account type, and account ownership;
- Information about an account balance, including current and available balance;
- Information about account transactions, including amount, date, payee, type, quantity, price, location, involved securities, and a description of the transaction;
- Information about credit accounts, including due dates, balances owed, payment amounts and dates, transaction history, credit limit, repayment status, and interest rate;
- Information about loan accounts, including due dates, repayment status, balances, payment amounts and dates, interest rate, guarantor, loan type, payment plan, and terms; and
- Information about the account owner(s), including name, email address, and phone number.
Upon using our services, if you have given consent to process your Personal Data, and later on you change your mind, you may withdraw your consent by contacting us via email@example.com.
How Brankas Uses Your Personal Data – With your consent, we use your Personal Data for a number of business and commercial purposes, including to operate, improve, and protect the services we provide, and to develop new services. More specifically, we use your Personal Data:
- To provide, operate, and maintain our services;
- To improve, modify, add to, and further develop our services;
- To develop new services;
- To protect you, our partners, us, and others from fraud, malicious activity, and other privacy and security-related concerns;
- To provide customer support to you, including to help respond to your inquiries related to our service;
- To investigate any misuse of our service, criminal activity, or other unauthorized access to our services;
- To notify you about our latest service that may be tailored to your need; and
- For any other notified purpose, subject to your explicit consent and taking into account the objectives, needs, and balance of the interests of Brankas and the rights of the Data Subject.
How Brankas Shares Your Personal Data – With your specific consent and only in specific instances, we share your Personal Data for a number of business purposes:
- To enforce any contract with you;
- With our data processors and other service providers, partners, or contractors in connection with the services they perform for us and subject to any data sharing agreement they have with us;
- If, in good faith, disclosure is appropriate to comply with applicable law or legal process;
- In connection with a change in ownership or control of all or a part of our business (e.g. merger, reorganization, bankruptcy, etc.);
- Between and among Brankas affiliated entities such as parents, affiliates, subsidiaries and other companies under common control or ownership, subject to any data sharing agreement among such entities;
- To reasonably protect the rights, privacy, safety, or property of Data Subjects such as yourself, us, our partners, and others; or
- For any other notified purpose subject to your consent.
Transfer of Personal Data outside the jurisdiction of Indonesia – Brankas may transfer Personal Data to other personal data controllers outside the jurisdiction of the Unitary State of the Republic of Indonesia in the case of:
- the country in which the controller of such other personal data or international organization receives the transfer of Personal Data has a level of protection of Personal Data equal to or higher than stipulated in the prevailing laws and regulations;
- there are international agreements between countries;
- there is a contract between personal data controllers that has standards and/or guarantees of protection of personal data in accordance with the applicable laws and regulations; and/or
- data subject's consent.
Retention period of Personal Data – For the processing of such Personal Data, we will only retain Personal Data for a set period of time. When such retention period ends or at the request of the Data Subject, the Personal Data we have processed will be deleted or destroyed or removed from the list, with the exception of other decisive laws and regulations.
Other - We may collect, use and share your Personal Data aggregated or anonymously (without personally identifying you) for any purpose permitted by law, including creating or using data collected or anonymized based on Personal Data collected to develop new services and to facilitate research subject to your explicit consent.
And we do not sell or rent Personal Data or any information we collect.
CHAPTER III - ORGANIZATIONAL SECURITY OBLIGATIONS AND MEASURES
Data Privacy Principles - All Processing of Personal Data within Brankas will be conducted in compliance with the following data privacy principles:
- collection of Personal Data is limited and specific, legally valid, appropriate, and transparent;
- the processing of Personal Data is carried out in accordance with its purposes;
- the processing of Personal Data is carried out by guaranteeing the rights of the Owner of the Personal Data;
- the processing of Personal Data is accurate, complete, not misleading, current and accountable;
- the processing of Personal Data is done by protecting the security of Personal Data from unauthorized access, unauthorized disclosure, unauthorized alteration, misuse, destruction, and/or loss of Personal Data;
- the processing of Personal Data is carried out by notifying the purposes and activities of the processing, as well as the failure to protect personal data;
- Personal Data is destroyed and/or deleted after the retention period ends or at the request of the Owner of the Personal Data unless otherwise provided by legislation; and
- the processing of Personal Data is carried out responsibly by fulfilling the implementation of the principles of protection of Personal Data and can be clearly proven.
Data Processing Records – We will maintain adequate and up-to-date records of Personal Data Processing activities at all times. These records shall include, at the minimum:
- Information about the purpose of the Processing of Personal Data, including any intended future Processing or data sharing;
- A description of all categories of Data Subjects, Personal Data, and recipients of such Personal Data that will be involved in the Processing;
- General information about the data flow within Brankas, from time of collection and retention, including the time limits for disposal or erasure of Personal Data;
- A general description of the organizational, physical, and technical security measures in place within Brankas; and
- The name and contact details of any staff accountable for ensuring compliance with the applicable laws and regulations for the protection of data privacy and security.
Brankas will, from time to time as necessary, conduct a privacy impact assessment relative to all activities, projects and systems involving the Processing of Personal Data. We will review security policies, conduct vulnerability assessments and perform penetration testing, as applicable, within Brankas on a regular schedule to be prescribed by our IT Team.
Personal Data Management – We will develop and implement measures to ensure that all Brankas staff who have access to Personal Data will strictly process such data in compliance with applicable laws and regulations. These measures may include drafting new or updated relevant policies of Brankas and conducting or sponsoring training programs to educate our stockholders, directors, officers, employees, agents and other interested parties on data privacy related concerns.
We will obtain your informed consent, evidenced by written, electronic or recorded means, in relation to:
- The Processing of your Personal Data, for purposes of maintaining Brankas' records;
- The sharing of your Personal Data with a third party, if it is necessary and it so happens, subject to the requirement that you will be provided with the following information before your Personal Data is shared:
  - Identity of the third party that will be given access to the Personal Data;
  - Purpose of the data sharing;
  - Categories of Personal Data concerned;
  - Intended recipients or categories of recipients of the Personal Data;
  - Existence of your rights as Data Subject, including the right to access and correction, and the right to object; and
  - Other information that would sufficiently notify you of the nature and extent of data sharing and the manner of Processing.
A continuing obligation of confidentiality is imposed on our stockholders, directors, officers, employees, agents or other interested parties in connection with the Personal Data that they may encounter during the period in which they serve as such with Brankas. This obligation will still apply after they cease to work with Brankas for whatever reason.
Data Collection Procedures – We will document our Personal Data Processing procedures. We ensure that these procedures are updated and that your consent is properly obtained when required by law and evidenced by written, electronic or recorded means. These procedures will also be regularly monitored, modified, and updated to ensure that your rights as a Data Subject are respected, and that we process your Personal Data according to law.
Delays and Restrictions on Data Processing – We will delay and restrict the processing of Personal Data either in part or in whole no later than 2 (two) working days from the time we receive the request for delay and restriction of processing of Personal Data from the Data Subject.
Internal Monitoring – Brankas will regularly supervise any party involved in the processing of Personal Data under the control of Brankas.
Provision of Personal Data access – Brankas provides the Data Subject with access to the processed Personal Data along with a track record of processing Personal Data in accordance with the period of retention of the Personal Data. The provision of such access is granted no later than 3 (three) working days from the date the Personal Data Controller receives the access request.
Denial of access to Personal Data – Brankas may refuse to grant access to Personal Data where it is known, or should be expected, that granting access would:
- jeopardize the safety or physical health or mental health of data subjects and/or others;
- have an impact on the disclosure of other people's Personal Data; and/or
- be contrary to national defense and security interests.
Personal Data Update and Correction – Brankas will update and/or correct any errors and/or inaccuracies in Personal Data within 1 (one) working day from the time Brankas receives a request for updating and/or repairing personal data.
Guarantees for the accuracy, completeness and consistency of Personal Data – Brankas guarantees the accuracy, completeness and consistency of Personal Data in accordance with the provisions of the laws and regulations. In providing this guarantee, Brankas conducts verification of such processed Personal Data.
Termination of processing of Personal Data – Brankas will terminate the processing of Personal Data if:
- the retention period has been reached;
- the purpose of processing Personal Data has been achieved; or
- there is a request from the Data Subject.
Deletion or destruction of Personal Data – Brankas will delete Personal Data if:
- Personal Data is no longer necessary for the achievement of the purposes for which personal data is processed;
- The Data Subject has withdrawn consent to the processing of Personal Data;
- there is a request from the Data Subject; or
- Personal Data is obtained and/or processed unlawfully.
Appointment of a Personal Data protection officer – Brankas may appoint an officer who performs the functions of personal data protection and who has the following obligations and responsibilities:
- inform and advise Brankas as the controller of personal data in order to comply with the provisions in the prevailing laws and regulations;
- monitor and ensure compliance with applicable laws and regulations and privacy policies, including assignment, responsibility, awareness raising and training of parties involved in the processing of Personal Data, and related audits;
- provide advice on assessing the impact of personal data protection and monitoring the performance of Brankas as a personal data controller and personal data processor; and
- coordinate and act as a contact person for issues relating to the processing of Personal Data, including consulting on risk mitigation and/or other matters.
The officer performing such Personal Data protection function shall be appointed based on professional quality, knowledge of the laws and practices of personal data protection, and the ability to fulfill his or her duties, with attention paid to the risks associated with the processing of Personal Data, taking into account the nature, scope, context and purpose of processing.
Data Retention Period - Subject to applicable law, we will not retain Personal Data for a period longer than necessary or comparable to the purpose for which such data was collected. Upon the expiration of such period, all physical and electronic copies of the Personal Data will be destroyed using fully secure technology or processes. We will develop measures to determine the retention of applicable data. For transparency purposes, you will be notified of the destruction and deletion of your Personal Data.
CHAPTER IV - TECHNICAL SECURITY MEASURES
- Safeguards to protect Brankas computer network and systems against accidental, unlawful, or unauthorized usage, any interference which will affect data integrity or hinder the functioning or availability of the system, and unauthorized access;
- Our ability to ensure and maintain the confidentiality, integrity, availability, and resilience of Brankas data processing systems and services;
- Regular monitoring for security breaches, and a process for identifying and assessing reasonably foreseeable vulnerabilities in Brankas computer network and system, and taking preventive and corrective actions against security incidents that can lead to a Personal Data breach;
- Our ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
- A process for regularly testing and evaluating effectiveness of security measures;
- Encryption of Personal Data during storage and while in transit, authentication process, and other technical security measures that control and limit access thereto; and
- Determination of the level of security of Personal Data taking into account the nature and risks of Personal Data that must be protected in the processing of Personal Data.
Monitoring for security breaches – We install updated versions of anti-virus software on electronic computing devices that access the internet or Wi-Fi connections (desktops, notebooks, smart phones, iPads and similar devices). We also use an intrusion detection system to monitor for security breaches and alert us of any attempt to interrupt the system.
Security features of the software and applications used - All software applications are reviewed and evaluated by our IT team before they are installed on Brankas computers and devices to ensure the compatibility of security features with overall operations.
Encryption, authentication process, and other measures - Brankas personnel with access to Personal Data will verify his or her identity using a secure encrypted link and multi-level authentication as adopted by the IT Team.
CHAPTER V - RIGHTS OF THE DATA SUBJECT
As Data Subjects, you have the following rights in connection with the Processing of your Personal Data: right to be informed, right to object, right to access, right to rectification, right to erasure or blocking, and right to damages. Stockholders, directors, officers, employees and agents of Brankas are required to strictly respect and obey the rights of the Data Subjects.
Right to be Informed – You have the right to be informed whether Personal Data pertaining to you will be, are being, or have been processed. You will be notified and furnished with information indicated below before the entry of your Personal Data into our records:
- Description of the Personal Data to be entered into the system;
- Brankas' identity as Personal Data controller;
- Purposes for which they are being or will be processed, including Processing for direct marketing, profiling or historical, statistical or scientific purpose;
- Basis of Processing, when Processing is not based on your consent;
- Scope and method of Personal Data Processing;
- The recipients to whom the Personal Data are or may be disclosed or shared;
- Methods utilized for automated access, if you allow the same, and the extent to which such access is authorized, including meaningful information about the logic involved, as well as the significance and the envisaged consequences of such Processing for you;
- The period for which the Personal Data will be stored; and
- The existence of your rights as Data Subject, including the right to access, correction, and to object to the Processing.
Right to Object - You have the right to object to the Processing of your Personal Data, including Processing for direct marketing, automated Processing or profiling. You will also be notified and given an opportunity to withhold consent to the Processing in case of changes to the information supplied or declared to you in the preceding section.
When you object or withhold consent, we will no longer process your Personal Data, unless:
- The Personal Data is collected or processed pursuant to a legal process or needed to comply with a legal obligation; or
- The Processing is for obvious purposes, including when it is necessary for the performance of or in relation to a contract to which you are a party, or when necessary or desirable in the context of an employer-employee relationship between you and us.
Right to Access – You have the right to reasonable access to, upon demand, the following, if such information is available with us:
- Contents of your Personal Data that were processed;
- Sources from which Personal Data were obtained;
- Names and addresses of recipients of the Personal Data;
- Manner by which your Personal Data were processed;
- Reasons for the disclosure of the Personal Data to recipients;
- Information on automated processes where the Personal Data will, or is likely to, be made as the sole basis for any decision that significantly affects or will affect you; and
- Date when Personal Data concerning you were last accessed and modified.
Right to Rectification – You have the right to dispute the inaccuracy or rectify the error in your Personal Data, and we will correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable. If the Personal Data has been corrected, we will ensure accessibility of both the new and the retracted Personal Data and the simultaneous receipt of the new and the retracted Personal Data by the intended recipients. In connection with this, recipients or third parties who have previously received such processed Personal Data will be informed of its inaccuracy and its rectification, upon reasonable request.
Right to Erasure or Blocking/Delisting - You have the right to suspend, withdraw, or order the blocking, delisting, removal or destruction of your Personal Data from our system. This right may be exercised upon discovery and substantial proof of any of the following:
- The Personal Data is incomplete, outdated, false, or unlawfully obtained;
- The Personal Data is being used for a purpose not authorized by you;
- The Personal Data is no longer necessary for the purpose for which they were collected;
- You withdraw consent or object to the Processing, and there is no other legal ground or overriding legitimate interest for us to continue the Processing;
- The Personal Data concerns private information that is prejudicial to you or other Data Subjects, unless justified by freedom of speech, expression or authorized by law;
- The Processing is unlawful; or
- You or other Data Subjects' rights have been violated.
We will notify third parties who have previously received such processed Personal Data that you have withdrawn consent or objected to the Processing thereof upon reasonable request.
Right to object – The Data Subject reserves the right to object to decision-making actions based solely on automated processing of a person's profile (profiling).
Right to indemnification – The Data Subject reserves the right to sue and receive damages for the breach of his/her Personal Data in accordance with the provisions of the laws and regulations.
Transmissibility of Rights of Data Subjects – Your lawful heirs and assigns may invoke your rights as the Data Subject at any time after your death, or when you become incapacitated or incapable of exercising your rights.
Data Portability – Where we process your Personal Data through electronic means and in a structured and commonly used format, you will have the right to obtain a copy of such data in an electronic or structured format that is commonly used and allows for your further use. The exercise of this right will primarily take into account your right to have control over your Personal Data being processed based on consent, for commercial purpose, or through automated means.
CHAPTER VI - DATA BREACHES AND SECURITY INCIDENTS
Data Breach Notification - All our stockholders, directors, officers, employees and agents involved in the Processing of Personal Data are tasked with regularly monitoring for signs of a possible data breach or security incident. In the event that such signs are discovered, facts and circumstances will be reported to our authorized personnel within 24 hours from for verification as to whether or not a breach requiring notification to regulators has occurred. If indeed there is a breach of such nature, we will notify any relevant government authority and affected Data Subjects pursuant to requirements and procedures prescribed by law.
The notification will at least describe the nature of the breach, the Personal Data possibly involved, and measures taken by Brankas to address the breach. The notification will also include measures taken to reduce the harm of the breach and the name and contact details of Brankas authorized personnel. The form and procedure for notification will conform with law.
Breach Reports - All security incidents and Personal Data breaches will be documented through written reports, including those not covered by notification requirements. In the case of Personal Data breaches, a report will include the facts surrounding an incident, the effects of such incident, and the remedial actions taken by Brankas. In other security incidents not involving Personal Data, a report containing aggregated data will be sufficient.
CHAPTER VII - DISPUTE RESOLUTION AND LAW
If there is a suspected violation of Personal Data committed by Brankas and/or a party affiliated with us that can be proven legally, then the aggrieved Data Subject or other related parties may file for dispute resolution through arbitration, court, or other alternative dispute resolution institution in accordance with the provisions of the laws and regulations. The law applicable in dispute resolution and/or court proceedings on personal data protection shall be the applicable law in accordance with the provisions of the legislation. Valid evidence in the process of resolving this dispute consists of the means of evidence referred to in procedural law and other means of evidence in the form of electronic information and/or electronic documents in accordance with the legislation. In the event that it is necessary to protect Personal Data, the proceedings are conducted in private.
CHAPTER VIII - OUTSOURCING AND SUBCONTRACTING
Any Personal Data Processing conducted by an external agent or entity (third-party service provider) on our behalf should be evidenced by a valid written contract with us. The contract should expressly set out the subject matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects, our obligations and rights, and the geographic location of the Processing under the contract.
The fact that we entered into such an arrangement does not give the said external agent or entity the authority to subcontract to another entity the whole or part of the subject matter of said arrangement, unless expressly stipulated in writing. The subcontracting agreement will also comply with the criteria prescribed by the preceding paragraph.
In addition, both foregoing contracts described will include express stipulations requiring the external agent or entity (including the subcontractor) to:
- Process the Personal Data only upon our documented instructions, including transfers of Personal Data to another country or an international organization, unless such transfer is required by law;
- Ensure that an obligation of confidentiality is imposed on persons and employees authorized by the external agent/entity and subcontractor to process the Personal Data;
- Implement appropriate security measures;
- Comply with applicable laws and regulations, in addition to the obligations provided in the contract, or other legal act with the external party;
- Not engage another processor without our prior instruction, and any such arrangement will ensure that the same obligations for data protection under the contract or legal act are implemented, taking into account the nature of the Processing;
- Assist us, by appropriate technical and organizational measures, and to the extent possible, fulfill the obligation to respond to requests by Data Subjects relative to the exercise of their rights;
- Assist us in ensuring compliance with law, taking into account the nature of Processing and the information available to the external party;
- At our discretion, delete or return all Personal Data to us after the end of the provision of services relating to the Processing, including the deletion of existing copies unless storage is authorized by law;
- Make available to us all information necessary to demonstrate compliance with law, and allow for and contribute to audits, including inspections, conducted by us or another auditor mandated by us; and
- Immediately inform us if, in its opinion, an instruction violates law.