Privacy Policy
Study Indonesia ("we", "us", or "our") is committed to protecting your personal data and respecting your privacy rights under the General Data Protection Regulation (GDPR) and Indonesia's Undang-Undang Perlindungan Data Pribadi (UU PDP).
1. Who We Are
Study Indonesia is an international student portal helping prospective students discover universities, study programs, and scholarships in Indonesia. Our registered address and Data Controller contact is available at privacy@studyindonesia.id.
2. What Data We Collect
2.1 Information You Provide
- Account registration: name, email address, password (hashed)
- Application forms: academic history, national ID / passport, documents
- Communications: support tickets, feedback forms
2.2 Information Collected Automatically
- Device information: browser type, operating system, screen resolution
- Usage data: pages visited, time spent, clicks (only if analytics consent granted)
- IP address: stored in hashed form only (never raw โ see Section 7)
- Cookies and local storage: see our Cookie Policy
3. How We Use Your Data
| Purpose | Legal Basis (GDPR) |
|---|---|
| Create and manage your account | Contract (Art. 6(1)(b)) |
| Process university applications | Contract (Art. 6(1)(b)) |
| Send transactional emails (verification, application updates) | Contract (Art. 6(1)(b)) |
| Analytics and product improvement | Consent (Art. 6(1)(a)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
| Legal compliance and fraud prevention | Legal Obligation (Art. 6(1)(c)) |
| Record-keeping for compliance audit | Legitimate Interest (Art. 6(1)(f)) |
4. Your Rights
Under GDPR and UU PDP, you have the following rights:
- Right of Access (Art. 15 GDPR) โ Download all your personal data from your Privacy Center.
- Right to Rectification (Art. 16) โ Update your profile information in account settings.
- Right to Erasure (Art. 17) โ Request permanent deletion of your account and data from your Privacy Center.
- Right to Restriction (Art. 18) โ Contact us at privacy@studyindonesia.id.
- Right to Data Portability (Art. 20) โ Download your data in JSON format.
- Right to Object (Art. 21) โ Withdraw consent for analytics/marketing at any time via Cookie Preferences.
To exercise any right, visit your Privacy Center or email privacy@studyindonesia.id. We respond within 30 days.
5. Data Sharing & Third Parties
We do not sell your personal data. We share data only with:
- Registered Universities โ solely for processing your application (with your explicit consent during application)
- SendGrid (Twilio) โ transactional email delivery
- Google Analytics โ only if you consent to analytics cookies
- Meta (Facebook) โ only if you consent to marketing cookies
- Cloudflare โ CDN, DDoS protection, R2 object storage (encrypted)
All third-party processors have signed Data Processing Agreements (DPAs) as required by GDPR Article 28.
6. International Data Transfers
Our infrastructure is primarily hosted in Singapore (AWS ap-southeast-1). For transfers to the European Economic Area (EEA), we rely on Standard Contractual Clauses (SCCs) as per GDPR Article 46(2)(c).
7. Security Measures
- Passwords are hashed with bcrypt (cost factor 12)
- IP addresses are hashed with SHA-256 + secret salt before storage
- All data in transit encrypted via TLS 1.3
- All data at rest encrypted (AES-256)
- Access control: RBAC with principle of least privilege
- Application logs: PII masked using automated log sanitization
8. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Until account deletion + 30-day grace period |
| Application records | Anonymized after account deletion (retained for university audit) |
| Consent records | 5 years (anonymized after account deletion) |
| Session tokens | 7 days from creation |
| Application logs | 90 days |
9. Cookies
For detailed information about the cookies we use and how to manage them, see our Cookie Policy. You can update your cookie preferences at any time via the footer link "Cookie Settings" or your Privacy Center.
10. Changes to This Policy
We will notify registered users by email of any material changes at least 30 days before they take effect. The current version and date are shown at the top of this page.
11. Contact & Complaints
For privacy enquiries: privacy@studyindonesia.id
If you are in the EU/EEA and believe we have not handled your data correctly, you have the right to lodge a complaint with your local Data Protection Authority (DPA).
Kebijakan Privasi (Bahasa Indonesia)
Study Indonesia berkomitmen untuk melindungi data pribadi Anda sesuai dengan GDPR dan Undang-Undang Perlindungan Data Pribadi (UU PDP).
Sebagai subjek data, Anda memiliki hak untuk mengakses, memperbaiki, menghapus, dan membawa data Anda. Kunjungi Pusat Privasi Anda atau hubungi privacy@studyindonesia.id untuk informasi lebih lanjut.