“Brankas” Privacy Policy and Consent Terms Agreement (Privacy Terms) apply to PT Brankas Teknologi Indonesia and its affiliated companies (collectively, “Brankas”,“we”, or “our”). The user’s privacy is paramount to Brankas and represents our commitment to treat your personal information with the utmost care, maintain transparency and confidentiality of data. These Privacy Terms cover information about how Brankas collects, processes, shares, discloses and uses users data.

These Privacy Terms do not cover actions taken by third parties with whom the user might have fundamental obligations regarding any information they may collect about you separately from Brankas. These Privacy Terms also do not cover any websites, product platforms or services provided by third parties.

Please read our Privacy Policy thoroughly to ensure you understand our data processing practices for our Services provided to you, and to build trust in our system. We recommend you to check our website (www.brankas.com) for any change in Privacy Policy from time to time.

The objective of Privacy Terms is to convey that Brankas fairly and transparently processes user’s personal data in accordance with applicable legal provisions. As part of our efforts to serve you better through our solutions, we need to process information relating to you.

The Privacy Policy includes the following:

1. Definitions;
2. Collection of Personal Information;
3. Use of Personal Information;
4. Disclosure of Personal Information;
5. Retention of Personal Information;
6. User’s (Your) Rights;
7. Organizational Obligations and Data Security Measures;
8. Technical Security Measures;
9. Data Breaches and Security Incidents;
10. Third Party Platforms;
11. Summary of Processing Activities by Product;
12. Acknowledgment and Consent, and;
13. Customer Support Details.

Brankas will update these Privacy Terms from time to time. If we make updates to our Privacy Terms, we will announce them on the Brankas website (https://brankas.com) and other communication channels within 30 (thirty) working days of the changes with the updated effective date in section of these Privacy Terms. If there is a conflict with other Brankas policies regarding data, information and system security measures, these Privacy Terms will apply. For any questions about these Privacy Terms, you can send them via email privacy@brankas.com or chat service via the widget in the lower right corner, with the Brankas Service Officer at https://brankas.com.

Thank you for using Brankas!

1. Data Subject refers to an individual as a data subject (for example the end user of Brankas services) who has Personal Data attached to him or her whose Personal Data is collected or processed;
2. Personal Data refers to any information relating to an identified or identifiable natural person individually or in combination (’data subject’); Individuals who can be identified directly or indirectly, in particular by reference to identification such as name, identity number, location data, online identification or one or more specific factors leading to aspects of physical, physiological, genetic identity, mental, economic, culture, or social identity of the person or data subject;
3. Processing refers to any operations performed on Personal Data which includes acquiring, collecting, filtering, analyzing, storing, fixing, updating, displaying, announcing, transferring, disseminating, disclosing, and/or deletion or destruction of data . Processing of data can be conducted automatically through usage of software or algorithms or conducted manually.
4. Specific Personal Data refers to Personal Data:
   1. Regarding personal finances, including but not limited to data on the amount of savings at the bank which includes savings, deposits and credit cards.
   2. Regarding biometric data, including but not limited to physical, physiological, or behavioral characteristics of an individual, such as a person’s race, ethnic origin, marital status, age, color, religious, philosophical, or political affiliation;
   3. Regarding a person’s health, education, genetic or sexual life, or any legal proceedings for any offense committed or alleged to have been committed by such person, the resolution of such legal proceedings, or the sentence of any court of competent jurisdiction regarding such legal proceedings, and/or;
   4. Other data in accordance with provisions of laws and regulations in the countries we operate in.

5. This personal information includes data (both stored offline and online) that allows a person to be identified. This personal information can be used separately or in combination with any other information collected directly or indirectly through electronic or non-electronic means.
6. Prior to and during your use of our Service, some personal information is collected, including but not limited to:
   1. Personal identifiers such as, name, address, username, photos, and national identity number;
   2. Specific Personal Data
   3. Digital traces;
   4. Transactional data including financial data;
   5. Electronic network activity identifiers, including IP address, device type, and the country where the device is located;
   6. Commercial information such as billing information, products or services purchased;
   7. Cookies and related technologies
7. You may also provide Brankas with other information, including your name, email address, and telephone number, when you contact Brankas.
8. Brankas collects and processes such personal information only with the knowledge, cooperation, and explicit consent of the end user or data subject. Once such personal information is made available to Brankas, the rules in Article III apply.
9. While we collect the personal information from you, we can also combine the collected personal information with other information in our possession or that we may receive from third party sources, including marketers, partners, affiliates, and our clients, as per the law to share your personal information with us.
10. If you have an account and want to use our Service or want to use more than one Service, we may also combine and link various personal information provided by you at various times to facilitate your access and use of Service.
11. Whenever you use our website or application, certain information may also be collected on an automated basis using cookies. Cookies are small application files stored on your computer, laptop or mobile device. Cookies are used to track your activity to enhance user interface and experience. Most websites and applications support the use of cookies. You can adjust the settings on your computer, laptop or mobile to reject several types of cookies however, doing so may affect the functionalities available on our website and application.

12. Brankas processes your Personal Data, as mentioned in Article II, to help verify your identity before Brankas can provide services to you. When providing this information, you give Brankas permission to process your Personal Data from banks or other relevant entities (including but not limited to providers of financial products and services) for the purpose of providing Brankas services for your use.
13. The legal basis for Brankas collection and processing of Personal Data is restricted for the conditions below:
    1. To fulfill the responsibilities and obligations in any contract or agreement with you (for example, to fulfill the Service Provision Agreement)
    2. To fulfill our responsibilities and obligations in any contracts or agreements with our Clients as Data Controllers and our obligations as Data Processors.
    3. To fulfill obligations in accordance with prevailing applicable laws and regulations;
    4. To fulfill the protection of the vital interests of Personal Data Subjects;
    5. To protect you, Brankas, our Clients, Partners and other stakeholders from fraud, malicious acts, and other privacy and security related issues;
    6. Processing is necessary for the legitimate interests of Brankas and without prejudice to your data protection interests or fundamental rights and freedoms (for example, for the protection of Brankas services; to communicate with you, or to update Brankas services).
14. The personal information collected from you may also be used by Brankas for the following purposes:
    1. to diagnose, fix issue, and improve the Services
    2. to evaluate and develop new Services
    3. to comply with legal obligations and law enforcement
    4. to provide customer service and support to you
    5. to support business functions and marketing purpose and
    6. for any other uses that impact provision of our Services to you
15. The accuracy of the Service we provide depends on the accurate and complete personal information provided by you.
16. If Brankas will process your data outside of the previously stated purposes, Brankas will ask for your explicit consent again. Brankas upholds the confidentiality and privacy of your data.
17. Your data will always be updated, collected and/or processed fairly and will only be used for lawful purposes. The information you provide to us will be processed within legal limits in line with the data protection laws applicable to your location and will be protected from unauthorized or unlawful access by internal or external parties. You are given guarantees and freedom to exercise your rights under the law as a Data Subject and we fully respect your rights.
18. Brankas will document Brankas’ Processing of Personal Data procedures. Brankas ensures that these procedures are updated and that your explicit consent is properly obtained where required by law and proven in writing, electronically or recorded, which may be submitted electronically or non-electronically as mentioned on Article 10 below. Obtainment of explicit consent will also be enforced if the Personal Data processing contains other purposes. These procedures will also be monitored, modified and updated periodically to ensure that your rights as a Data Subject remain secure.
19. Brankas does not “sell” or “rent” any Personal Data or information that Brankas processes.

20. Your data will not be distributed to any party other than those to whom you have agreed (with the exception of information that is required to be disclosed by law and valid requests from competent courts and orders of other competent law enforcement authorities). Without explicit consent from you as the data owner, your data will not be communicated or transferred, informally or in any way, to any other person, entity, organization, or country.
21. However, we may necessarily share your information to various third parties with your consent for the purposes of:
    1. Clients: Brankas’s services are integrated with our client’s products and services. Client would effectively be the Data Controller. Hence, it is a prerequisite for you to use Brankas technology along with our client’s products and services. In both scenarios, both Brankas and the clients need to share your personal and financial information amongst themselves for the purpose of transaction implementation, records, compliance and audit. The clients may have their own privacy policy and process of collecting consent.
    2. Service Providers: Similar to the relationship we have with our clients, we may also have with our service providers, partners and data processors. We may share information with other companies, we use to support our Services. These companies provide services like analytics, transaction systems, and customer support. We have contracts with service providers, who are obligated by agreement to provide sufficient privacy protections for that information. At their level, they may also have their own privacy policy.
    3. Marketing Partners: We may share your information with sponsors of events, webinars for which you register at our website, or other parties with whom we may engage in joint marketing activities.
    4. Legal Advisor or Government Authorities: We may share your personal information with our legal advisors, law enforcement officials, government authorities and other parties:
       1. To respond to an emergency situation that threatens the life, health and safety of a person
       2. For the public interest or during a pandemic i.e. public health crisis, contact tracing purposes, or safeguarding our community
       3. To reasonably protect the rights, privacy, security or property of Data Subjects such as yourself, Brankas, Brankas Clients, Brankas Partners and others
       4. Under applicable law, audit or to respond to legal processes.
    5. Your Employer or Organization: When you create a corporate account on behalf of the organization, that organization may undertake certain actions that may affect your account.
    6. In case of any Organizational Change:
       1. In connection with a change in ownership or control of all or part of Brankas’ business (including but not limited to e.g merger, acquisition, reorganization, and bankruptcy, etc.); and/or
       2. Between Brankas affiliated entities such as parent companies, affiliates, subsidiaries, and other companies under common control or ownership, and subject to data sharing agreements between such entities.
22. Transfer of Personal Data Outside the Legal Territory of Indonesia: Brankas may transfer Personal Data to other personal data controllers outside the legal territory of the Unitary State of the Republic of Indonesia in the case of:
    1. the country where the other personal data controller is domiciled or the international organization that receives the transfer of Personal Data has a level of protection for Personal Data that is equivalent to or higher than that regulated in the applicable laws and regulations;
    2. there are international agreements between countries;
    3. there is a contract between the personal data controller and the personal data processor/controller which has standards and/or guarantees for the protection of personal data in accordance with those stipulated in the applicable laws and regulations; and/or
    4. obtain the explicit consent of the Data Subject.

23. Regarding the processing of Personal Data, Brankas will only retain Personal Data in accordance with the Brankas Retention Policy. The retention period of Brankas is no longer than necessary for the purposes for which it is processed and/or as required to comply with applicable laws.
24. When the retention period ends or at the request of the Data Subject, the Personal Data that has been processed will be deleted or destroyed or removed from the list, with the exception of statutory regulations that provide otherwise.
25. Where there are technical limitations that prevent deletion or anonymization, we safeguard personal information and limit active use of it.

26. Brankas has direct obligations towards the Data Subjects who own the data. We allow Data Subjects to change, delete, reduce or correct their data which Brankas has previously requested stored in our database in accordance with the rights they have under applicable law. We have provisions and procedures in our system in case of data loss or damage.
27. After using Brankas services, if you have given consent to the processing of your Personal Data, and later you change your mind, you can withdraw that consent by contacting Brankas directly at privacy@brankas.com.
28. You can also reach out to us:
    1. to ask us about the processing of your personal information;
    2. to obtain a copy of the personal information we possess;
    3. to ask us if you believe your information is being processed or stored in violation of Privacy Policy or applicable laws and regulations
    4. request transfer of your personal information to another organization in a machine-readable format.
29. In case of request for data, provision of access is provided no later than 3 x 24 (three times twenty four) hours from the time the Personal Data Controller receives the request for access both electronically and non-electronically
30. Brankas will update and/or correct errors and/or inaccuracies in Personal Data within 3 x 24 (three times twenty four) hours from the time Brankas receives a request for updating and/or correcting Personal Data via privacy@ brankas.com, or the chat service embedded in the lower right corner at https://brankas.com or Brankas’ mailing address. Brankas will immediately notify you once the process has been completed.
31. However, do note your information might be imminent for us to provide our Services. And in case of deletion of your information, we won’t be able to extend some of our Services to you anymore.
32. Brankas will delay and suspend, and limit the processing of Personal Data, either partially or completely, no later than 3 x 24 (three times twenty four) hours from the time Brankas receives a request for delays and limitations on processing Personal Data from the Data Subject both electronic and non-electronic.
33. Brankas is committed to limiting and consolidating access to sensitive personal data. Our officers and employees undertake training about online privacy and data security and will implement data protection practices and policies (including but not limited to secure keys, data encryption, and access authorization, etc.) to prevent any unauthorized data processing. Additionally, security measures will be implemented over a secure network to protect data from cyber attacks.

34. Brankas develops and implements measures to ensure that all Brankas staff who have access to Personal Data will strictly process such data in accordance with applicable laws and regulations. These steps include developing or updating relevant Brankas policies and conducting learning and development programs or sponsoring training programs to educate shareholders, directors, officers, employees, agents, and other interested parties related to the protection of personal data.

35. Brankas are ISO 27001 and PCI DSS certified which requires rigorous testing and proofing, to ensure that the organization maintains a highly secure environment. Brankas works to protect the security of your information during transmission by using Secure Sockets Layer/Transport Layer Security (SSL/TLS) software that encrypts the information you enter, and unprocessed data Brankas encrypts under the 256-bit Advanced Encryption Standard. In line with Brankas certification, the Brankas IT team continues to develop and evaluate the following in accordance with these Privacy Terms, with the following considerations:
    1. Safeguards to protect Brankas’ computer networks and systems from unauthorized and unlawful use, any interference that would affect data integrity or hinder system function or availability, and unauthorized access as well as illegal access;
    2. Ability to ensure and maintain the confidentiality, integrity, availability and resilience of data processing systems and services;
    3. Routine monitoring of security breaches, and a process for identifying and accessing reasonably foreseeable vulnerabilities in Brankas’ computer networks and systems, and taking preventive and corrective action against security incidents that could result in a Personal Data breach;
    4. Ability to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
    5. Process for regularly testing and evaluating the effectiveness of security measures;
    6. Encryption of Personal Data and during the transit phase, during the authentication process, and other technical security measures that control and limit access to it; And
    7. Determining the security level of Brankas Personal Data by taking into account the nature and risks of Personal Data that must be protected in the processing of Personal Data.
36. Brankas installs the latest version of anti-virus software on electronic computing devices connected to an internet or wifi connection (desktops, notebooks, mobile phones and similar devices). Brankas also uses an intrusion detection system to monitor security breaches and alert Brankas if there is an attempt to compromise the system.
37. All software applications are reviewed and evaluated by Brankas’ IT team prior to installing them on Brankas computers and devices to ensure compatibility of security features with overall operations.
38. Brankas Personnel with access to Personal Data verifies identity using secure encrypted links and multi-level authentication as adopted by the IT Team.

39. All of our stakeholders, directors, officers, employees and agents involved in the Processing of Personal Data regularly monitor for indications of data breaches or security incidents. If such indications are discovered, the facts and circumstances will be reported to authorized personnel within 24 (twenty four) hours of discovery to verify whether a violation has occurred that requires notification to the regulator. If this happens, we will provide written notification no later than 3 x 24 (three times twenty-four hours) which contains the disclosed Personal Data, when and how the Personal Data are disclosed, and efforts to handle and recover from the disclosure of Personal Data to the competent authorities and affected Data Subjects in accordance with the requirements and procedures regulated by law.
40. All security incidents and Personal Data breaches will be documented through written reports, including those not covered by notification requirements. In the case of a Personal Data breach, the report will include the facts surrounding the incident, the effects of the incident, and the corrective actions taken by Brankas. In other security incidents that do not involve Personal Data, a report containing aggregated data is sufficient.

41. Any Processing of Personal Data carried out by agents or external entities (third party service providers) on behalf of Brankas must be proven by a valid written contract with Brankas. The contract must expressly determine the roles, responsibilities, and relationship, the jointly appointed Contact Person and the interrelated purposes and ways of Personal Data Processing which are mutually determined.
42. The fact that Brankas enters into this collaboration means that the third party service provider is not permitted to subcontract the rights and obligations as stated in the agreement to other parties, unless expressly provided otherwise in writing. Subcontract agreements must also meet the provisions as stated in the previous paragraph.
43. In addition, both contracts described previously will include provisions requiring external agents or entities (including subcontractors) to:
    1. Process Personal Data only if we have obtained valid documented instructions from Brankas, including the transfer of Personal Data to another country or international organization, unless such transfer is prohibited by law;
    2. Ensure that obligations of confidentiality are imposed on persons and employees authorized by external agents/entities and subcontractors to process Personal Data;
    3. Implement appropriate security measures;
    4. Comply with applicable laws and regulations, in addition to obligations stipulated in contracts, or other legal actions with external parties;
    5. Not use other data processors without Brankas’ prior instructions, and such terms and conditions will ensure that the same obligations regarding data protection under contracts or legal acts are applicable, taking into account the nature of the Processing;
    6. Assist Brankas, with appropriate technical and organizational measures, and to the extent possible, fulfill obligations to respond to Data Subject requests regarding guarantees of their rights as data subjects;
    7. Help Brankas ensure compliance with the law, taking into account the nature of Processing and information available to external parties;
    8. At Brankas’ discretion, to delete or return all Personal Data to Brankas after the end of providing services related to Processing, including deletion of existing copies unless retention is permitted by law;
    9. Provide Brankas with all information necessary to demonstrate compliance with the law, and cooperate in the audit process, including inspections, carried out by Brankas or auditors appointed by Brankas; And
    10. Immediately notify Brankas if there are instructions that violate the law.

44. The following are Brankas products that collect information about you and how the information collected is used. Please note that Brankas products mentioned during these Privacy Terms apply and may not include products or services that are in development during that period.
    44. Brankas TAP is a trusted front-end interface that allows Brankas End Users to securely log in using their bank account information to complete transactions. Brankas TAP data flow integrates with your online bank account application, and utilizes the bank login page. Once you log in your bank’s security features, such as authentication by requesting your banking details, such as but not limited to your account details, occur before your transaction is completed. Brankas processes information as stated in Article III of this Privacy Terms.
    45. Brankas Direct is a fund transfer service that allows you to make instant and digital fund transfers via web and mobile applications. Brankas Direct serves as a single integration point for Brankas Partners where you can transfer funds through various banks integrated with Brankas. Brankas Direct allows you to transfer directly using your bank. Brankas Direct also does not charge any fees for your transactions. Transactions are processed directly through your source bank account to the recipient’s account, and Brankas does not hold funds. There are no additional transaction fees that will be charged from using the Brankas Service. Brankas processes information as stated in Article III of this Privacy Terms.
    46. Brankas Statement is one of our data information products that allows our Clients to pull comprehensive financial and personal data from you. This allows our Clients to pull financial data, such as transaction data and account data from multiple financial institutions through a single integration. This enables data sharing via encrypted technology according to leading industry standards and is only based on your explicit consent. The time period for data that can be withdrawn is between 2 weeks to 180 days, depending on each bank/e-wallet (electronic wallet).

45. By accepting and providing consent to Privacy Terms for Brankas Services, you are acknowledging that you have read and agree to accept the Privacy Policy and the Consent Terms Agreement. Other specific consent that is required for the data collection, processing and storing will be provided in each web page/application page where your data is requested.