Pokope Card Vault

1. Introduction

PT Pokope Solusi Edukasi ("Pokope", "PSE", "we", "us", or "our") operates the Pokope platform (accessible at pokope.vip and related subdomains), which provides collectible card custody, trading, insurance, and field commerce services.

This Privacy Policy explains how we collect, use, store, share, and protect your personal data in compliance with:

Law No. 27 of 2022 concerning Personal Data Protection (UU PDP) — Republic of Indonesia
General Data Protection Regulation (EU) 2016/679 (GDPR) — for users in the European Economic Area
Government Regulation No. 71 of 2019 on Electronic Systems and Transactions (PP PSTE)
Other applicable data protection laws in jurisdictions where we operate

By using our platform, you acknowledge that you have read and understood this Privacy Policy. Where required by law, we will obtain your explicit consent before processing your personal data.

2. Data Controller

The data controller responsible for your personal data is:

PT Pokope Solusi Edukasi

Jakarta, Indonesia

Email: [email protected]

Data Protection Officer: [email protected]

3. Personal Data We Collect

We collect the following categories of personal data:

3.1 Data You Provide Directly

Account Information: Name, email address, phone number, profile picture
Identity Verification: Government-issued ID (KTP/passport), selfie for verification
Financial Information: Bank account details (for payouts), payment transaction records
Delivery Information: Shipping address, recipient name, postal code, city, province
Communication Data: Messages, support tickets, feedback

3.2 Data Collected Automatically

Device Information: IP address, browser type, operating system, device identifiers
Usage Data: Pages visited, features used, timestamps, session duration
Location Data: Approximate location from IP address; precise GPS location only for rider/field operations with explicit consent
Cookies and Tracking: Session cookies, analytics cookies (see our Cookie Policy)

3.3 Data from Third Parties

Payment Processors: Transaction status and payment confirmation from Midtrans
Authentication Providers: OAuth profile data when you sign in
Grading Services: Card grading results from Novara or other grading partners

4. Purpose and Legal Basis for Processing

We process your personal data for the following purposes:

Purpose	Legal Basis (UU PDP)	Legal Basis (GDPR)
Account creation and management	Consent / Contract performance	Art. 6(1)(b) Contract
Processing card purchases and payments	Contract performance	Art. 6(1)(b) Contract
Card custody and vault management	Contract performance	Art. 6(1)(b) Contract
Insurance policy management	Consent / Contract	Art. 6(1)(b) Contract
Delivery and shipping	Contract performance	Art. 6(1)(b) Contract
Payout processing	Contract performance	Art. 6(1)(b) Contract
Fraud prevention and security	Legitimate interest	Art. 6(1)(f) Legitimate interest
Analytics and platform improvement	Consent	Art. 6(1)(a) Consent
Legal compliance and tax reporting	Legal obligation	Art. 6(1)(c) Legal obligation
Rider GPS tracking (field operations)	Explicit consent	Art. 6(1)(a) Consent

5. Your Rights

Under UU PDP and GDPR, you have the following rights regarding your personal data:

5.1 Rights Under UU PDP (Indonesia)

Right to Information: Know what data we collect and how it is used
Right to Access: Request a copy of your personal data
Right to Correction: Request correction of inaccurate data
Right to Deletion: Request deletion of your data (subject to legal retention requirements)
Right to Withdraw Consent: Withdraw previously given consent at any time
Right to Object: Object to processing based on legitimate interest
Right to Restrict Processing: Request limitation of data processing
Right to Data Portability: Receive your data in a structured, machine-readable format
Right to Compensation: Seek compensation for damages caused by data protection violations

5.2 Additional Rights Under GDPR (EU/EEA Users)

Right to Erasure ("Right to be Forgotten"): Request complete erasure under Art. 17 GDPR
Right to Lodge a Complaint: File a complaint with your local data protection authority
Right Regarding Automated Decision-Making: Not be subject to decisions based solely on automated processing

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days (UU PDP) or without undue delay and within one month (GDPR).

6. Data Sharing and Disclosure

We may share your personal data with:

Payment Processors: Midtrans (PT Midtrans) for payment processing
Shipping Partners: Courier services for card delivery
Grading Partners: Novara and other card grading services
Cloud Infrastructure: Hosting and storage providers
Analytics Services: For platform improvement (anonymized where possible)
Legal Authorities: When required by law, court order, or government regulation

We do not sell your personal data to third parties. All third-party processors are bound by data processing agreements.

7. Cross-Border Data Transfers

Your data may be transferred to and processed in countries outside Indonesia. Under UU PDP Article 56, cross-border transfers are permitted when:

The receiving country has equivalent data protection standards
Adequate contractual safeguards are in place
You have provided explicit consent

For transfers to countries within the EU/EEA, we rely on Standard Contractual Clauses (SCCs) or adequacy decisions as appropriate under GDPR Chapter V.

8. Data Retention

We retain your personal data for the following periods:

Account Data: Duration of account + 5 years after deletion
Transaction Records: 10 years (Indonesian tax and commercial law requirements)
Financial/Payout Records: 10 years
Insurance Records: Duration of policy + 7 years
Audit Logs: 7 years
Analytics Data: 2 years (anonymized after 6 months)
Communication Records: 3 years

After the retention period, data is securely deleted or anonymized. Certain data may be retained longer if required by law.

9. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

Encryption of data in transit (TLS/SSL) and at rest
Access controls and role-based permissions
Regular security audits and vulnerability assessments
Secure authentication mechanisms
Audit logging of all sensitive operations
Employee training on data protection

10. Data Breach Notification

In accordance with UU PDP Article 46 and GDPR Article 33, in the event of a personal data breach:

We will notify affected individuals within 72 hours of becoming aware of the breach
We will notify the relevant supervisory authority (Indonesian Ministry of Communication and Information Technology / EU data protection authority)
Notification will include the nature of the breach, data affected, potential consequences, and remedial measures taken

11. Children's Privacy

Our platform is not intended for children under 17 years of age (in accordance with Indonesian law) or under 16 years of age (GDPR). We do not knowingly collect personal data from children. If we become aware that we have collected data from a child without parental consent, we will take steps to delete that information.

12. Cookies

We use cookies and similar technologies. For detailed information about the cookies we use and how to manage your preferences, please see our Cookie Policy.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated through the platform or via email. The "Last updated" date at the top indicates when the policy was last revised. Continued use of the platform after changes constitutes acceptance of the updated policy.

14. Contact Us

For privacy-related inquiries or to exercise your data rights:

Email: [email protected]

Data Protection Officer: [email protected]

Address: PT Pokope Solusi Edukasi, Jakarta, Indonesia

Indonesian users may also file complaints with the Ministry of Communication and Information Technology (Kominfo). EU/EEA users may file complaints with their local data protection supervisory authority.