Privacy Policy
This Privacy Policy (“Policy”) describes how Excrow (“we,” “us,” “our,” “Excrow”) collects, uses, stores, discloses, transfers, and protects your personal data and information when you access and use our website, platform, services, applications, subdomains, systems, and any associated tools (collectively, the “Platform”).
Your access to and use of the Platform signifies your acknowledgment and consent to the terms described herein. If you do not agree to this Policy in its entirety, you must cease all access to the Platform.
1. Data Collection and Categorization
We collect various types of data from users, including but not limited to:
Personally Identifiable Information (PII): such as your name, address, telephone number, email, national ID number, taxpayer information, geolocation, and biometric data (if applicable).
Transactional Data: payment records, QRIS codes, purchase history, escrow reference IDs, timestamps, shipping activity, refund requests, and related metadata.
Device and Access Data: browser type, IP address, operating system, screen resolution, device ID, and behavioral tracking analytics.
Communication Records: interactions with customer service, dispute resolutions, support tickets, chat history, and audio call recordings (if applicable).
Third-Party Integration Data: where applicable, information received from authorized APIs, third-party plugins, or platforms you connect with.
2. Purpose of Processing
The collection and processing of your data serve multiple lawful purposes, including:
Facilitating secure, regulated, and traceable transactions between transacting parties.
Verifying identities under KYC (Know Your Customer) protocols, AML (Anti-Money Laundering) regulations, and financial supervision frameworks governed by OJK and BI (Bank Indonesia).
Complying with national and international legal requirements related to cross-border payments, escrow holdings, and dispute arbitration.
Optimizing Platform functionality, performing behavioral segmentation, A/B testing, and service personalization.
Enabling escrow status notifications (e.g., pending payment, under review, claim opened, etc.) to users.
Preventing fraud, abuse, or system manipulation through automated and manual monitoring.
3. Legal Basis for Processing
We rely on various legal bases depending on the nature of the data and context of collection:
Contractual Obligation: to perform our agreement with you in facilitating escrow.
Legal Compliance: to adhere to laws and regulatory requirements.
Legitimate Interest: to improve the platform and protect users from malicious activities.
Consent: in instances where your explicit authorization is required.
4. Data Retention and Storage
Your data will be retained for the duration necessary to fulfill the purposes outlined in this Policy or as required by applicable law, whichever is longer. Retention durations may vary depending on the nature of the data, the regulatory landscape, and the transactional context.
Personal data stored in encrypted format
Sensitive data may be pseudonymized, anonymized, or hashed
Data backups are subject to multi-region retention protocols
5. Geographic Scope and International Transfers
Your personal data may be processed or stored in jurisdictions outside of your country of residence. These transfers are executed under compliance frameworks such as Standard Contractual Clauses (SCCs), intercompany agreements, or equivalent data protection safeguards.
6. Data Subject Rights
You may have, depending on your jurisdiction, rights including:
Right to access your data
Right to correct or update your data
Right to deletion (right to be forgotten)
Right to data portability
Right to restrict or object to processing
We reserve the right to request verification before processing any data subject request and may decline in cases where the request conflicts with legal or operational obligations.
7. Disclosure to Third Parties
We do not sell or rent your personal data. However, we may share your data with:
Payment partners, such as QRIS, banks, and e-wallet gateways
Logistics providers, for order tracking and fulfillment
Government and regulatory bodies, upon lawful request or audit
Affiliated entities and service providers that help us operate and secure the Platform
All third-party engagements are governed by data processing agreements and confidentiality obligations.
8. Use of Cookies and Tracking Technologies
We utilize:
Session Cookies
Persistent Cookies
Web Beacons
Tracking Pixels
LocalStorage / SessionStorage
These technologies enable functionality such as login persistence, fraud prevention, behavior analytics, and service customization.
You can modify or reject cookie use via your browser, although this may affect Platform functionality.
9. Security Measures
We employ physical, technical, and organizational security measures, including but not limited to:
TLS/SSL encryption for all communications
AES-256 encryption for stored sensitive data
Two-Factor Authentication (2FA)
Role-based access control for internal teams
Regular vulnerability assessments and security audits
Despite these efforts, no system is completely immune. You acknowledge and accept residual risk.
10. QRIS-Specific Considerations
If you make payments via QRIS, note that:
The QRIS code reflects the seller’s registered domicile (e.g., “INDOFONE JAKARTA”)
QRIS payments are governed by the BI and OJK framework
Transactions are logged, validated, and reconciled through certified partners
Your data is shared with QRIS-accredited financial institutions for processing
11. Children’s Privacy
The Platform is not intended for use by individuals under the age of 18. We do not knowingly collect data from children. If you are a parent or guardian and believe your child has provided us with data, please discontinue access and notify us via our standard form.
12. Automated Decision-Making
In some cases, we may use automated tools to assess fraud risk, transactional anomalies, or compliance red flags. These processes are monitored and reviewed periodically to ensure fairness and legal alignment.
13. Platform Usage Monitoring
We monitor user behavior across the Platform for:
Service improvement
Abuse detection
Performance optimization
Legal compliance
Such monitoring may include behavioral profiling and session recording.
14. Behavioral Advertising
We may use third-party tools (e.g., Meta Pixel, Google Ads) to serve relevant ads to users based on activity. Opt-out options are provided within the respective advertising networks.
15. Consent Withdrawal
Where we rely on your consent, you may withdraw it at any time. However, withdrawal does not affect the lawfulness of processing done prior to the withdrawal, and may impact your ability to use certain features or services.
16. Third-Party Links
The Platform may contain links to third-party websites or embedded content. We are not responsible for their privacy practices, and this Policy does not apply to them. You should consult their respective policies independently.
17. Policy Modification
We reserve the right to modify, update, or replace this Policy at our sole discretion and without prior notice. Continued use of the Platform after any changes constitutes acceptance of the revised Policy.
18. Governing Law
This Policy shall be governed and construed in accordance with the laws of the Republic of Indonesia, without regard to its conflict of law provisions.
19. Dispute Resolution
Any disputes arising out of or in relation to this Policy shall be subject to the exclusive jurisdiction of Indonesian courts, tribunals, or arbiters as designated by Excrow, in accordance with prevailing legal frameworks.
20. Language
In case of conflict between the English version and any translation of this Policy, the English version shall prevail and be deemed the controlling document for all legal purposes.
• 
