Privacy Policy
Introduction
This Privacy Policy describes how PT Genorah Teknologi Indonesia (“Genorah Labs,” “we,” “us,” or “our”) collects, uses, stores, and protects your personal data when you visit our website at genorah.id, use our services, or communicate with us.
We are committed to protecting your privacy in accordance with:
- Regulation (EU) 2016/679 — the General Data Protection Regulation (GDPR)
- Indonesian Government Regulation No. 71 of 2019 concerning the Implementation of Electronic Systems and Transactions (PP No. 71/2019)
- Indonesian Law No. 27 of 2022 concerning Personal Data Protection (UU PDP)
By using our website or services, you acknowledge that you have read and understood this Privacy Policy.
Data Controller
Data Controller:
PT Genorah Teknologi Indonesia
Jl. KH. Wahid Hasyim No. 14, RT.1/RW.4
Gondangdia, Menteng, Jakarta Pusat 10350
Indonesia
Data Protection Officer (DPO):
Email: hello@genorah.id
Response time: Acknowledgment within 3×24 hours; fulfillment within 14 days.
Office hours: Monday–Friday, 09:00–18:00 WIB (UTC+7)
What Data We Collect
Information You Provide Directly
- Contact information: Name, email address, phone number, company name, job title
- Account information: Username, password (encrypted), profile preferences
- Communication records: Emails, support tickets, meeting notes, feedback
- Payment information: Billing address, bank details, transaction history (processed by our payment processors; we do not store full card numbers)
- Project information: Requirements, documents, and other materials you share during service engagements
Information Collected Automatically
- Device and connection data: IP address, browser type and version, operating system, device type, screen resolution
- Usage data: Pages visited, time spent, click patterns, referral sources, download history
- Location data: Approximate geographic location derived from IP address (not precise GPS)
- Cookie data: See our Cookie Policy for detailed information
Information from Third Parties
- Professional networks: LinkedIn profile data when you connect via LinkedIn authentication
- Referral partners: Contact details shared by partners who refer you to us
- Public sources: Company information from public registers and professional databases
Lawful Bases for Processing (GDPR)
Under GDPR Article 6, we rely on the following lawful bases:
| Purpose | Lawful Basis |
|---|---|
| Providing our services | Contract (Art. 6(1)(b)) |
| Legal compliance | Legal obligation (Art. 6(1)(c)) |
| Marketing communications | Consent (Art. 6(1)(a)) or legitimate interest (Art. 6(1)(f)) |
| Website analytics and improvement | Legitimate interest (Art. 6(1)(f)) |
| Fraud prevention and security | Legitimate interest (Art. 6(1)(f)) |
| Employment and recruitment | Consent or contract (Art. 6(1)(a)/(b)) |
For processing special categories of personal data (if any), we rely on explicit consent (GDPR Article 9(2)(a)) unless another exemption applies.
How We Use Your Data
We use your personal data for the following purposes:
- Service Delivery: To provide, maintain, and improve our software development, cloud consulting, and digital transformation services
- Communication: To respond to inquiries, send project updates, and provide customer support
- Marketing: To send newsletters, case studies, and service updates (only with your consent; you may opt out anytime)
- Analytics: To understand how users interact with our website and optimize user experience
- Security: To detect and prevent fraud, abuse, and security incidents
- Legal Compliance: To comply with tax, accounting, and regulatory obligations
- Recruitment: To evaluate candidates for employment opportunities
Cookies and Similar Technologies
We use cookies and similar tracking technologies. For detailed information about the types of cookies we use, their purposes, and how to manage them, please see our Cookie Policy.
Data Sharing and Sub-processors
We do not sell, rent, or trade your personal data. We share data only with:
- Service providers (sub-processors): Hosting, cloud infrastructure, analytics, payment processing, email delivery, and customer support tools
- Professional advisors: Lawyers, accountants, and auditors under professional confidentiality obligations
- Legal authorities: When required by law, court order, or to protect our rights
All sub-processors are bound by data processing agreements (DPA) that comply with GDPR Article 28. For a complete list of sub-processors, see our Sub-processors page.
International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence, including Indonesia, Singapore, and the United States. When transferring personal data outside the European Economic Area (EEA), we use:
- Standard Contractual Clauses (SCCs) approved by the European Commission (GDPR Article 46)
- Adequacy decisions where applicable
- Appropriate safeguards including encryption in transit and at rest
Data Retention
We retain personal data for the following periods:
| Data Category | Retention Period |
|---|---|
| Account data | As long as the account is active + 2 years |
| Contract and project data | Duration of contract + 10 years (Indonesian tax law) |
| Marketing consent records | As long as consent is valid + 2 years after withdrawal |
| Website analytics | 26 months (Google Analytics default) |
| Support tickets | 3 years after resolution |
| Job applications | 2 years after the recruitment process ends |
After the retention period expires, we securely delete or anonymize the data. Legal obligations may require longer retention for certain categories.
Your Data Protection Rights
Under the GDPR and Indonesian UU PDP, you have the following rights:
GDPR Rights (for EU residents)
- Right to access (Art. 15): Obtain a copy of your personal data and information about how it is processed
- Right to rectification (Art. 16): Correct inaccurate or incomplete data
- Right to erasure (“right to be forgotten”) (Art. 17): Request deletion of your data under certain conditions
- Right to restrict processing (Art. 18): Limit how we use your data
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format and transfer it to another controller
- Right to object (Art. 21): Object to processing based on legitimate interests or direct marketing
- Right not to be subject to automated decision-making (Art. 22): Object to decisions made solely by automated means with legal or significant effects
Indonesian UU PDP Rights
In addition to GDPR-equivalent rights, Indonesian residents have:
- Right to withdraw consent at any time
- Right to compensation for violations of personal data protection
- Right to cease processing upon death or legal incapacity (through heirs or representatives)
How to Exercise Your Rights
To exercise any of these rights, contact our Data Protection Officer:
- Email: hello@genorah.id
- Acknowledgment: Within 3×24 hours
- Resolution: Within 14 days (or 30 days for complex requests under GDPR)
- Office hours: Monday–Friday, 09:00–18:00 WIB (UTC+7)
We will verify your identity before processing your request. We do not charge a fee for exercising your rights unless requests are manifestly unfounded or excessive.
Security Measures
We implement appropriate technical and organizational measures to protect your personal data:
- Encryption: TLS 1.3 for data in transit; AES-256 for data at rest
- Access control: Role-based access with multi-factor authentication (MFA)
- Monitoring: Continuous security monitoring and intrusion detection
- Backups: Encrypted, geographically distributed backups with regular restoration testing
- Employee training: Annual data protection and security awareness training
- Incident response: Documented breach notification procedure (within 72 hours to authorities and without undue delay to affected individuals, per GDPR Articles 33 and 34)
Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR Article 33)
- Notify affected individuals without undue delay if the breach is likely to result in high risk (GDPR Article 34)
- Document all breaches, including their effects and remedial actions taken
Children’s Privacy
Our website and services are not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, please contact us immediately and we will delete the information.
Complaints and Supervisory Authorities
If you believe we have violated your data protection rights, you have the right to lodge a complaint with:
- For EU residents: The supervisory authority in your country of residence, workplace, or place of the alleged infringement. A list of EU Data Protection Authorities is available at edpb.europa.eu.
- For Indonesian residents: The Ministry of Communication and Informatics (Kemenkominfo) through their complaint channels.
We encourage you to contact us first so we can resolve your concern directly.
Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in our practices, legal requirements, or service offerings. When we make material changes:
- We will update the “Last updated” date and version number at the top of this policy
- We will post a notice on our website or send an email notification for significant changes
- Your continued use of our services after the effective date constitutes acceptance of the revised policy
For changes that require re-consent under GDPR or UU PDP (such as new purposes or new categories of data), we will seek your explicit consent before implementing the changes.
Contact Us
For questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact our Data Protection Officer:
PT Genorah Teknologi Indonesia
Jl. KH. Wahid Hasyim No. 14
Jakarta Pusat 10350, Indonesia
Email: hello@genorah.id
Response time: 3×24h acknowledgment / 14 days fulfillment
Hours: Monday–Friday, 09:00–18:00 WIB (UTC+7)