### Indonesia PQMS System Privacy Policy #### 1. Introduction This Privacy Policy explains how the PQMS website and mobile application (hereinafter "Service") collects, uses, stores, and protects your personal information. We are committed to protecting your privacy and complying with Indonesian data protection laws, including the Personal Data Protection Law (Undang-Undang Perlindungan Data Pribadi). This policy applies to both mobile app users (PPK, Contractor, Consultant) and web users (PPK, BINTEK & Directorate, BBPJN & BPJN). --- #### 2. Information We Collect **2.1 Account Information** The Service collects the following account information: * Account information: Name, email address, WhatsApp number, department, position * Authentication data: Login credentials, user ID, account code * Work information: Construction project assignments, role (PPK, Contractor, Consultant, BINTEK & Directorate, BBPJN & BPJN) **2.2 Technical Information** Information that may be collected on both web and mobile: * Device information (including device model, OS version, web browser information, cookie information) * Usage data (pages visited, feature usage records, click logs, error logs) * Network information (IP address, network type, connection status) Additional items related to web services: * Session cookies and security cookies * Browser settings, language settings **2.3 Location Data (Mobile App Only)** * GPS coordinates: Collected when recording temperature and core data * Location is collected in the following cases: Taking photos, uploading quality control data **2.4 Media Files (Primarily Mobile Use)** * Photos: Images taken for quality control documentation * Photo metadata: Location information, timestamp **2.5 Quality Control Data** * Temperature measurements (Production, Arrival, Laying, Compaction) * Core data (thickness, test results) * Construction project information * Segment information --- #### 3. How We Use Your Information The Service uses the collected information for the following purposes: **3.1 Service Provision** * User authentication and access control management * Providing web/mobile service functionality (data viewing, recording, uploading) * Providing offline mode (mobile) * System updates and announcement notifications **3.2 Data Management** * Storing quality control data in secure databases * Generating reports and quality control analysis * Maintaining data integrity **3.3 Communication** * Notifications about data uploads, approvals, system changes * Responding to user support requests **3.4 Legal Compliance** * Complying with Indonesian government regulations * Maintaining audit records * Processing legal requests --- #### 4. Legal Basis for Personal Data Collection and Processing This Service collects and processes personal data based on the following legal grounds: * **Contract Performance**: Performance of a contract for service provision * **Legal Obligation**: Compliance with Indonesian government regulations and laws * **Legitimate Interest**: Service improvement and security enhancement * **Consent**: Explicit consent from data subjects --- #### 5. Data Storage and Security **5.1 Data Storage** * All data is stored on secure servers located in the GCP Indonesia region. * All photos and sensitive data transmitted are encrypted. * Data is stored and processed only within Indonesia's borders. **5.2 Security Measures** * **Encryption**: HTTPS/TLS-based data encryption (in transit and at rest) * **Access Control**: Role-based access control (RBAC) * **Account Protection**: Secure passwords and encrypted credential storage * **Regular Patches**: Server and app security updates * **Monitoring**: Unauthorized access detection and audit log recording **5.3 Data Retention Policy** * **Active Account Data**: Retained while the account is maintained, deleted within 30 days of account deletion * **Quality Control Data**: Retained for a minimum of 5 years after project completion according to government requirements * **Project Completion**: Some data may be permanently and securely deleted * **Legal Requirements**: Long-term retention may be possible if required by legal requirements * **Upon Expiration**: Safely destroyed without delay after the purpose is achieved --- #### 6. Data Sharing and Disclosure **6.1 No Sale to Third Parties** We do not sell or rent personal information to third parties. **6.2 Authorized Sharing** Sharing occurs only in the following situations, with explicit consent or legal basis for each case: * **Authorized government officials of the same construction project** - Purpose: Project management and quality control collaboration - Scope: Project-related data only * **System administrators (for technical support purposes)** - Purpose: System maintenance and technical support - Scope: Minimum data necessary for technical issue resolution only * **Legal institutions (when legal obligations arise)** - Purpose: Compliance with legal requests or court orders - Scope: Only within the scope specified in the legal request **6.3 Third-Party Service Providers** The following third-party service providers may be used for service operation: * **Google Cloud Platform (GCP)**: Data storage and hosting - Location: Indonesia region - Security: Complies with GCP security standards * **Firebase**: Push notification service - Data: Notification tokens and device identifiers only - Security: Complies with Firebase security policies **6.4 Aggregated Data** Anonymized analytical data may be used for system improvement purposes. This data cannot identify individual users. --- #### 7. Your Rights Under Indonesian Personal Data Protection Law, you have the following rights: **7.1 Right of Access** * You may request access to your personal information. * Information will be provided within 30 days of request. **7.2 Right of Rectification** * You may request correction of inaccurate or incomplete information. * Rectification requests will be processed immediately. **7.3 Right of Erasure** * You may request deletion of personal information in the following cases: - When the collection purpose has been achieved or is no longer necessary - When consent is withdrawn - When data has been processed unlawfully * However, deletion may be restricted if retention is required by legal obligations or government requirements. **7.4 Right to Data Portability** * You may receive your personal information in a machine-readable format. * Will be provided within 30 days of request. **7.5 Right to Restrict Processing** * You may request restriction of personal information processing in certain situations. **7.6 Right to Object** * You may object to specific processing activities. * Upon objection, processing activities will be suspended and reviewed. **7.7 Right to Withdraw Consent** * You may withdraw consent at any time. * Withdrawal of consent does not affect the validity of processing activities prior to withdrawal. * Some services may be restricted upon withdrawal of consent. **7.8 How to Exercise Your Rights** * You may exercise your rights through the following methods: - Email: atmacsdev@gmail.com - Department: Technology Research Institute * Identity verification procedures will be conducted upon request. * Request processing period: Within 30 business days * If a request is denied, reasons will be specified and notified. --- #### 8. Location Data (When Using Mobile App) **8.1 Collection Purpose** * Recording the location of quality control data * Verifying data authenticity and preventing fraud * Providing map-based features **8.2 Usage Method** * Location is collected only when using features that require it. * Some features may be limited if location is disabled. --- #### 9. Photo and Media Data * Photos are used for quality control records. * Each photo can only be viewed by authorized users related to the project. * They are not used for other purposes. --- #### 10. Notification Features (Mobile App) * Provides notifications for major events such as temperature data uploads. * Notifications can be controlled in device settings. --- #### 11. Offline Mode (Mobile App) * Data can be stored locally and synchronized when internet connection is restored. * Users can delete local data at any time. --- #### 12. Children's Privacy This service is not intended for individuals under 18 years of age and does not intentionally collect information from children. --- #### 12. International Data Transfers **12.1 Data Storage Location** * All data is stored and processed only within Indonesia's borders (GCP Indonesia region). * We currently do not transfer personal information outside Indonesia. **12.2 Future International Transfers** * If it becomes necessary to transfer data outside Indonesia in the future: - The receiving country must implement equal or higher levels of data protection measures. - Explicit consent from data subjects must be obtained. - Appropriate protective measures (contractual obligations, standard contractual clauses, etc.) must be in place. - Users will be notified and consent obtained before transfer. --- #### 13. Data Breach Notification **13.1 Notification Obligation** * In the event of a data breach, we will take the following measures in accordance with Indonesian Personal Data Protection Law: - **Authority Notification**: Notify relevant authorities within 72 hours of breach occurrence - **Victim Notification**: Notify affected individuals immediately upon breach occurrence - **Notification Content**: Nature of breach, affected data, potential risks, measures taken, etc. **13.2 Response Measures** * Upon breach occurrence, we will immediately take the following measures: - Identify and block the cause of breach - Strengthen security to prevent additional breaches - Take measures to minimize damage - Conduct breach investigation and prepare reports --- #### 14. Automated Decision-Making **14.1 Use of Automated Decision-Making** * This Service does not use automated decision-making (including profiling). * All decisions are made through human intervention. **14.2 Future Changes** * If automated decision-making is introduced in the future: - Users will be notified in advance - Explicit consent will be obtained - Procedures for objection and manual review will be provided --- #### 15. Cookies and Tracking Technologies (Web Service) **15.1 Cookie and Session Usage** * The web service uses cookies and sessions for the following purposes: - Session management: Maintaining login status - Security: Authentication through security cookies - Functionality enhancement: Storing user settings **15.2 Cookie Management** * Users can manage cookies through browser settings. * Essential cookies are necessary for service provision, and some features may be restricted if disabled. --- #### 16. Data Protection Officer (DPO) **16.1 DPO Appointment** * This Service has appointed a Data Protection Officer (DPO) to oversee personal information protection. **16.2 DPO Contact Information** * **Email**: atmacsdev@gmail.com * **Department**: Technology Research Institute * **Role**: Handling inquiries and requests related to personal information protection and rights exercise --- #### 17. Contact Us For inquiries regarding personal data, please contact: * **Email**: [atmacsdev@gmail.com](mailto:atmacsdev@gmail.com) * **Department**: Technology Research Institute * **Data Protection Officer (DPO)**: Same as above --- #### 18. Compliance Standards This policy complies with the following laws and regulations: * **Indonesian Personal Data Protection Law** (Undang-Undang Perlindungan Data Pribadi, Law No. 27 of 2022) * **Indonesian Electronic Information and Transactions Law** (Undang-Undang Informasi dan Transaksi Elektronik, ITE Law) * **Indonesian Government Information Security Regulations** * **Internationally recognized personal information protection best practices** (GDPR, etc.) --- #### 19. Policy Change Notification **19.1 Change Notification** * When this policy is changed: - Changes will be announced on the website and app. - Major changes may be notified via email. - Changes will take effect 30 days after announcement. **19.2 Consent to Changes** * If you do not agree to the changed policy, you may discontinue service use. * Continued use of the service after changes constitutes acceptance of the changed policy.