Reference

How ducatitoto Protects Your Personal Data

ducatitoto handles your personal information with a clear, documented approach — covering what we collect, how long we keep it, and exactly who can access it.

Data encrypted at rest and in transitNo third-party sale of your informationDANA, OVO, GoPay, QRIS transaction privacyAccount deletion requests honoured within 30 daysPolicy applies to all Indonesia account holders
ducatitoto How ducatitoto Protects Your Personal Data
PRIVACY CONTACT CHANNELS

Reach Us About Your Privacy Rights

If you want to review, correct, or remove the personal data ducatitoto holds on your account, our privacy team is reachable seven days a week.

Live Chat — Privacy Queries Our live chat agents are available from 08:00 to 23:00 WIB daily. For data-access or data-correction requests, chat is the fastest way to get a reference number and an initial response within two hours.
Email — Formal Data Requests Send formal requests — deletion, portability, or objection — to our privacy inbox. We acknowledge within 24 hours and aim to resolve within 14 working days, with a written confirmation sent back to your registered email address.
In-Account Privacy Centre Log in, open Account Settings, and navigate to Privacy Centre to download a copy of your stored data, update your marketing preferences, or submit a deletion request directly without contacting support.
DATA HANDLING PRACTICES

Six Ways We Keep Your Account Data Secure

Security at ducatitoto runs across every layer — from the moment you tap DANA to fund your account to the point where a withdrawal hits your OVO wallet.

End-to-End Encryption

All data transmitted between your device and our servers uses TLS 1.3 encryption. This covers login credentials, session tokens, and any personal detail you enter during account registration or payment steps via DANA and GoPay.

Cookie Transparency

We use session cookies to keep you logged in and analytics cookies to understand which lobby sections you visit most. You can adjust cookie preferences at any time through the banner that appears on your first visit or via browser settings.

Data Retention Schedule

Account data is retained for as long as your account remains active and for up to five years after closure, where local law permits. Payment transaction records linked to QRIS and OVO are held for the minimum period required by Indonesian financial regulations.

Third-Party Data Limits

We share your data only with the payment processors — DANA, OVO, GoPay, QRIS — and identity verification services strictly necessary to run your account. We do not sell, rent, or trade your personal information to advertising networks or data brokers.

Access Controls & Audit Logs

Internal access to account records is restricted by role. Every access event is logged with a timestamp and staff identifier, so we can audit who viewed your data, when, and for what operational reason — reducing the risk of unauthorised internal access.

Right to Request Changes

You can request a copy of your stored data, ask us to correct inaccuracies, or submit a full deletion request through the in-account Privacy Centre or by emailing us. We confirm receipt within 24 hours and resolve within 14 working days.

Your Questions About Data Privacy Answered

The questions below cover the most common things our account holders in Indonesia ask about how their personal information is handled — from what we collect when you deposit via QRIS to how you request deletion of your account data.

We collect your name, email address, phone number, and the identity document you submit for verification. When you make a deposit via DANA, OVO, GoPay or QRIS, the payment reference and transaction amount are also logged against your account record.

We share data only with payment processors like DANA and GoPay — and only the fields those services need to complete your transaction. We do not sell your information to advertisers or data brokers, and we do not share it with unrelated third parties.

Your account data is retained for up to five years after closure where local law permits, primarily to comply with financial record-keeping requirements. Payment logs tied to QRIS and OVO are kept for the minimum period Indonesian regulations specify.

Yes. Log in and go to Account Settings then Privacy Centre to submit a data-access request, or email our privacy inbox. We acknowledge within 24 hours and deliver your data export within 14 working days to your registered email address.

Submit a deletion request through the in-account Privacy Centre or by emailing us directly. We confirm receipt within 24 hours. Full deletion — including removal of account details and marketing preferences — is completed within 30 days, subject to any legal retention obligations.

We use session cookies for login continuity and analytics cookies to see which lobby sections are most visited. You can adjust or withdraw cookie consent at any time through the cookie preference banner or your browser's privacy settings — no account login required.

No. We do not store full payment credentials on our servers. When you pay via DANA, OVO, GoPay or QRIS, those credentials stay within each provider's encrypted environment. We only retain the transaction reference and amount needed for your account history.