Reference

How bulantoto Protects Your Personal Data

Your personal data belongs to you — and we handle it with that in mind.

Data collected only for account operationDANA, OVO, GoPay & QRIS payment data securedYou can request access or deletion anytimeNo third-party sale of personal informationIndonesia-based data handling where local law permits
bulantoto How bulantoto Protects Your Personal Data
PRIVACY CONTACT PATHS

How to Reach Us About Your Privacy

If you have a question about your stored data, want to correct inaccurate information, or wish to request full deletion of your account records, our privacy support team is available seven days…

Live Chat Available daily from 08:00 to 24:00 WIB. Start a chat from the account dashboard and select 'Privacy & Data' from the topic menu to reach the right team immediately.
Email Support Send your privacy request to our dedicated data address. Include your registered account email so we can verify identity before processing any data access or deletion request.
WhatsApp Reach our privacy team via WhatsApp for faster back-and-forth on data queries. We aim to confirm receipt within two hours and resolve straightforward requests within 24 hours.
DATA HANDLING STANDARDS

Six Ways We Keep Your Account Data Safe

Data security at bulantoto is not a checkbox — it is built into every account action, from the moment you deposit via QRIS to the moment you request a withdrawal.

Encrypted Storage

All personal data — including DANA and OVO account references — is stored with AES-256 encryption at rest. No plain-text identifiers are held in any database we operate.

Cookie Transparency

We use session cookies to keep you logged in and analytics cookies to improve page speed. You can manage or reject non-essential cookies through your browser settings at any time.

Payment Data Isolation

GoPay and QRIS transaction tokens are processed through the payment provider's secure gateway and are never stored on our servers in full — only a masked reference is kept for reconciliation.

Access Controls

Only authorised operations staff can access account-level personal data, and only when an active support ticket or fraud investigation requires it. Access events are logged and auditable.

Retention & Deletion

We keep your data only as long as your account is active or as required by applicable regulations. Once a deletion request is verified, we remove all non-mandatory personal records within 30 days.

Third-Party Sharing

We do not sell your personal data. We share data with third parties only where it is strictly necessary — such as payment processors for DANA or OVO transactions — and only under contractual data-protection obligations.

Your Privacy Questions, Answered Directly

The questions below cover what we hear most often from account holders about their data: what we hold, how long we keep it, and how to act on your rights. If your question is not listed here, our live chat team is available daily until midnight WIB to help you directly.

We collect your name, email, phone number, date of birth and the payment identifier linked to your chosen method — DANA, OVO, GoPay or QRIS. We also record device type and login IP for security verification purposes.

Payment identifiers are masked immediately after a transaction is processed. Only a partial reference is retained for reconciliation. Full wallet numbers are never stored on our servers in plain text.

Yes. Send a data-access request to our support email or via live chat with the subject 'Data Export Request'. We verify your identity and deliver a full export within 14 working days.

Contact us through live chat or email and submit a deletion request. Once we confirm your identity, non-mandatory personal records are removed within 30 days. Payment records required by law are retained only for the minimum period required.

We share data only with payment processors such as DANA and OVO — and only under contractual data-protection terms. We never sell personal data to advertisers or any other commercial parties.

Retention periods depend on local law. In general, we hold transaction records for the period required by applicable Indonesian regulations, then delete them. Non-mandatory profile data is removed within 30 days of account closure.

Contact our live chat support immediately — available daily 08:00 to 24:00 WIB. We will lock the account, investigate access logs and notify you of findings within 48 hours, following our internal incident response procedure.