Privacy Policy

Last Updated: January 2, 2026

1. Introduction

PT. Pintar Manajemen Sekolah ('Cekolah', 'we', or the 'company') is committed to protecting and respecting your personal data privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data in the operation of the Cekolah platform as a multi-tenant school management system.

This policy is drafted in accordance with Law No. 27 of 2022 on Personal Data Protection (UU PDP) and other applicable data protection regulations in Indonesia.

2. Personal Data Collection

2.1 Data We Collect

We collect various categories of personal data depending on your role in the system:

  • Identity Data: Full name, date of birth, identification number (KTP/NIK/Passport), address, phone number, email address, profile photo.
  • Account Data: Username, password (encrypted), authentication data, language preferences, notification settings.
  • Educational Data: Academic grades, attendance, class schedules, assignments, progress reports, transcripts.
  • Financial Data: Tuition fee payment information, transaction history, card data (encrypted), invoice details.
  • Parent/Guardian Data: Parent/guardian names, relationship, emergency contacts, medical authorizations, enrollment information.
  • School Data: School name, school address, accreditation number, NPSN, operational license, administrative data.
  • Device Data: IP address, device type, browser, operating system, approximate location, cookies, activity logs.

3. Purpose of Data Usage

We use your personal data for the following purposes:

  • To provide and manage school management system services (including enrollment, academics, finance, and communication)
  • To process tuition payments and other financial transactions
  • To manage user accounts and authentication
  • To send important notifications related to academics, payments, and school information
  • To improve service quality and platform feature development
  • To analyze usage and needs for product development
  • To comply with legal obligations and regulations
  • To protect system security and prevent fraud

4. Legal Basis for Data Processing

In accordance with Article 19 of UU PDP, personal data processing is conducted on the following legal basis:

  • Consent of the data subject, given explicitly and consciously
  • Performance of a contract with the data subject
  • Compliance with legal obligations
  • Protection of the vital interests of the data subject
  • Performance of tasks for public interest
  • Legitimate interests of the data controller (legitimate business interests)

5. Data Retention

We retain personal data according to operational needs and legal obligations:

  • Account Data: While account is active + 5 years after closure
  • Academic Data: According to education regulations (minimum 10 years)
  • Financial Data: 10 years for tax compliance and financial regulations
  • Transaction Data: 5 years for audit and fraud protection purposes
  • Log Data: 1 year for security and analysis

After the retention period expires, data will be permanently deleted or anonymized.

6. Multi-Tenant Data Isolation

Cekolah uses a multi-tenant architecture with strict data isolation:

  • Each school's (tenant's) data is logically isolated from that of other schools
  • Users can only access data from schools they are authorized to access
  • Each individual school is the primary data controller for its student, teacher, and staff data
  • Cekolah acts as the data controller for platform account data and operational data

7. Data Sharing

We may share your personal data in the following circumstances:

  • With School: Student, teacher, and staff data is shared with the relevant school for school management purposes
  • With Service Providers: Payment gateways, email providers, analytics providers, and cloud computing providers with confidentiality agreements
  • Authorities: In accordance with legal obligations or requests from competent authorities
  • Business Transfer: In case of merger, acquisition, or asset sale

We do not sell your personal data to third parties.

8. Cross-Border Data Transfer

Your personal data is stored and processed in data centers located in Indonesia. For certain services (such as international email or analytics providers), data may be transferred abroad with the assurance of:

  • Equivalent or higher protection level than UU PDP
  • Binding data transfer agreements
  • Consent from the data subject if required

9. Data Subject Rights

In accordance with UU PDP, you have the following rights regarding your personal data:

  • Right to Access: Request information about the processing of your data
  • Right to Correction: Request correction of inaccurate or incomplete data
  • Right to Erasure: Request deletion of data if no longer necessary
  • Right to Portability: Receive data in a structured and machine-readable format
  • Right to Restriction: Request restriction of data processing under certain conditions
  • Right to Withdraw Consent: Withdraw consent given at any time
  • Right to Presence: Be present during automated decision-making
  • Right to Appeal: Appeal to the supervisory authority if rights are violated

To exercise your rights, contact us at: malikcekolah@gmail.com with subject "Personal Data Request"

10. Data Security

We implement high security standards to protect your personal data:

  • Data encryption in transit (TLS 1.3) and at rest (AES-256)
  • Strong authentication with multi-factor authentication (MFA)
  • Role-based access control (RBAC) with principle of least privilege
  • Routine audit logs and activity monitoring
  • Regular data backups with encryption
  • Regular vulnerability assessments and penetration testing
  • Strong password policy and credential rotation

11. Children's Data

Our platform serves schools that serve children. Parents/guardians:

  • Provide consent on behalf of the child for data collection and processing
  • Can request access, correction, or deletion of child's data at any time
  • Have the right to withdraw consent

12. Breach Notification

In accordance with UU PDP, if a security breach occurs that endangers your personal data:

  • We will notify you within 3x24 hours after the breach is discovered
  • We will report to Kominfo and the Personal Data Protection Authority within 3x24 hours
  • We will take mitigation measures to minimize impact

13. Changes to Policy

We may update this Privacy Policy from time to time. When changes are significant, we will:

  • Announce them via email or notification on the platform
  • Request renewed consent if changes affect how your data is processed
  • Publish them on this page with the last updated date

14. Contact Us

For questions, complaints, or requests related to personal data:

Email: malikcekolah@gmail.com

Phone: 0858-0900-0988

Address:
Jl. Sawo Rt.6 Wirokerten, Banguntapan, Bantul,
Daerah Istimewa Yogyakarta, 55195

Our Personal Data Protection Officer (PDPO) will respond to your request within 30 days.

This Privacy Policy is effective as of January 2, 2026.