Privacy Policy

We collect the following categories of information:

1.1 Information you provide directly. When you register an account, we collect your name, email address, and a hashed representation of your password. We do not store passwords in plain text.

1.2 Business information. When you operate a restaurant on the Service, we collect business profile data including outlet name, address, contact details, branding assets, menus, pricing, operating hours, and other content you choose to upload or configure.

1.3 Transactional information. We process records of orders placed through your digital menus, payment events handled via Makan Pay, subscription invoices, refunds, and supporting metadata required for accounting and audit purposes.

1.4 Technical and usage information. We automatically collect device identifiers, IP address, browser type and version, operating system, referring URLs, pages viewed, timestamps, and feature interactions. This information is used to operate, secure, and improve the Service.

1.5 Marketing attribution. Where you arrive at our marketing pages through an advertising channel, we may capture campaign parameters (UTM values) and the Google Click Identifier (gclid) for the limited purpose of measuring campaign performance.

We use the information described above for the following purposes:

• To provide, maintain, and improve the Service and its features;
• To create and manage your account and authenticate sessions;
• To process subscription payments, issue invoices, and prevent payment fraud;
• To send service-related communications such as security alerts, password resets, and order confirmations;
• To respond to inquiries and provide customer support;
• To detect, investigate, and prevent fraudulent, unauthorised, or abusive activity;
• To measure the effectiveness of our marketing and product initiatives in aggregate;
• To comply with applicable legal, regulatory, and tax obligations.

We do not sell your personal data, and we do not disclose your personal data to third parties for their independent marketing purposes.

We process personal data on one or more of the following legal bases recognised under Law No. 27 of 2022 on Personal Data Protection (UU PDP) and applicable regulations:

• Performance of the contract under which we provide the Service to you;
• Compliance with legal obligations to which we are subject;
• Our legitimate interests in operating, securing, and improving the Service, where such interests are not overridden by your rights and freedoms;
• Your consent, where required and obtained.

To deliver the Service, we engage trusted third-party providers under written agreements that require appropriate confidentiality, security, and data protection commitments. These providers process personal data only on our instructions and for the purposes set out below:

• Cloudinary — image and asset hosting for menu and brand content;
• Pusher — real-time delivery of order and kitchen notifications;
• Resend — delivery of transactional email;
• Amazon Web Services — cloud hosting, encrypted backups, and object storage;
• Sentry — application error monitoring and diagnostics;
• Google Analytics 4 and Google Ads — analytics and conversion measurement, limited to our marketing pages;
• Plausible Analytics — privacy-focused page analytics that does not use cookies or collect personal data.

Some of these providers operate servers outside of Indonesia. Where personal data is transferred internationally, we ensure that appropriate safeguards are in place in accordance with UU PDP and any subsequent implementing regulations.

We use a limited set of cookies and browser storage mechanisms:

• Strictly necessary — session cookies required to authenticate users and operate core features;
• Functional — preferences such as language and interface settings;
• Analytics — Plausible operates without cookies; Google Analytics 4 may set cookies, and only on our public marketing pages.

We do not use third-party advertising cookies inside the authenticated dashboard. You can control cookies through your browser settings; disabling strictly necessary cookies may impair functionality.

We retain personal data for as long as your account remains active and for such additional period as is reasonably necessary to fulfil the purposes set out in this Policy or as required by applicable law. Upon account deletion, we will delete or irreversibly anonymise your personal data within thirty (30) days, except where:

• Retention is required by Indonesian tax, accounting, or anti-money laundering legislation (typically up to ten (10) years for financial records); or
• Retention is necessary for the establishment, exercise, or defence of legal claims.

Subject to and in accordance with UU PDP, you have the right to:

• Obtain confirmation as to whether we process your personal data and access a copy of such data;
• Request correction or completion of inaccurate or incomplete data;
• Request deletion of your personal data;
• Withdraw consent where processing is based on consent, without affecting the lawfulness of processing prior to withdrawal;
• Object to or request restriction of certain processing activities;
• Receive your personal data in a structured, commonly used format (data portability);
• Lodge a complaint with the competent supervisory authority.

To exercise these rights, please contact us at admin@biissa.com. We will respond within the period required by applicable law.

We implement administrative, technical, and organisational safeguards designed to protect personal data against unauthorised access, alteration, disclosure, or destruction. These safeguards include encryption of data in transit using TLS, encryption of backups at rest, password hashing, role-based access controls, audit logging, and regular review of our security posture. While we work to protect your information, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.

The Service is intended for use by businesses and the adults operating them. It is not directed to children under the age of 13, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at admin@biissa.com and we will take appropriate steps to delete such information.

We may update this Privacy Policy from time to time to reflect changes to our practices, the Service, or applicable law. Where changes are material, we will provide reasonable advance notice through the Service or by email. The “Effective date” at the top of this Policy indicates when the current version took effect. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.

For questions, requests, or complaints regarding this Privacy Policy or our processing of your personal data, please contact:

PT. Biissa Maju Bersama
Email: admin@biissa.com
Website: makan.biissa.com