Data Categories
Listed in full on this page; summarised on the cookies notice for browser-side signals only. Both pages use the same category names so cross-referencing is direct.
This is the pandahoki privacy policy — a plain read of what we collect, why we collect it, and how long it sits on our systems. We've written...
We process your personal data where local law permits and apply Indonesia-aligned standards to every account opened on pandahoki. The categories we hold are narrow: identity fields you submit at signup, device and session signals that keep your lobby secure, and transaction references tied to your DANA, OVO, GoPay or QRIS top-ups. We do not sell your data. We share it only
with payment processors, identity-verification partners and regulators in supported regions when a lawful request is made. Retention follows the shorter of statutory minimums or active-account need, after which records are anonymised. You can request access, correction or deletion through the contact paths listed further down this page.
Service availability is jurisdiction-dependent. Users are responsible for checking local law before access.
Reach our privacy desk through any of the channels below. We aim to acknowledge data requests within two working days and resolve standard access or deletion queries inside the windows set by Indonesian data-protection practice.
Email our data team directly for access, correction or erasure requests. Include the email tied to your pandahoki account so we can match the record without asking for extra identity proof.
Open the chat panel from any logged-in screen and ask for the privacy queue. Agents route policy questions to the data officer rather than answering from the standard support script.
For formal notices, written correspondence is accepted at our registered address. Mark the envelope for the privacy officer so it bypasses general account support and reaches the compliance desk.
This page is reviewed by named roles inside pandahoki, not auto-generated. Each update is logged with a date and a summary so you can see what changed.
Our compliance lead signs off every revision before it goes live. That review checks the policy against current Indonesian guidance...
External counsel familiar with Southeast-Asian data rules reads the policy yearly. Their notes feed into the next revision so the...
Before publishing, our engineering team confirms that what the policy describes matches what the database stores. If a field is...
Every change is dated and summarised at the foot of this page. You can see when retention windows shifted, when...
A specific person owns this policy, not a generic inbox. Their role is published so requests get to the right...
We rewrite legalese into sentences a new account holder can read once and understand. Where a term is unavoidable, we...
Our privacy policy is written to line up with the cookie notice, terms of service and account-closure pages. The table below shows where each topic lives so you don't have to re-read...
Listed in full on this page; summarised on the cookies notice for browser-side signals only. Both pages use the same category names so cross-referencing is direct.
This page sets the master retention table. Terms of service references it; the account-closure page repeats the deletion timeline so you see it at the moment you decide to leave.
Named here under processors. The cookie notice lists the same vendors where they place browser tags, keeping vendor names identical across both surfaces for easy audit.
Spelled out on this page. The contact form short-links to the same rights list so you can pick access, correction, portability or erasure without re-reading the full policy.
Indonesia-aligned across every legal page. Where supported-region wording appears, it carries the same meaning on this policy, the terms and the deposit-rules page.
Privacy and cookies share a quarterly review cycle. Terms move on a separate annual cycle, which is why timestamps may differ between the documents on any given visit.
The privacy inbox handles only data matters. Account, payment and lobby queries go to general support, keeping response times tight on each queue.
The privacy page is laid out so the answer you came for is reachable in one scroll. Each block below describes a visible element of the...
A sticky list of section links sits to the side on desktop and collapses into a dropdown on mobile, so jumping to retention or third parties takes one tap rather than a long scroll.
The header carries a clear date showing when the wording was last revised. Anything older than the current quarter triggers a review note from our compliance desk before the next publish.
Terms like processor, controller and lawful basis are defined on first use, inline with the sentence. You won't have to break flow to look up vocabulary mid-paragraph.
At the bottom of the page, a short bullet list explains what moved in the latest revision. Substantive shifts are flagged; copy-edits are noted but not highlighted.
Buttons next to the rights section open prefilled requests for access, correction, portability and erasure. The form attaches your account email so the privacy desk skips a step.
The page prints cleanly on A4 with the date stamp and section numbering preserved. Useful if your bank or employer asks for a written copy of the privacy terms you accepted.