simobile - Collection Engine Platform No 1 di Indonesia

Privacy Policy

PT Neokarya ("simobile", "We") has formulated this Privacy Policy to outline our comprehensive commitment to data protection in accordance with Law No. 27 of 2022 concerning Personal Data Protection (PDP Law).

Last updated: June 16, 2026

1. Role as Data Processor

In accordance with the PDP Law, in the operation of our Collection Engine, the Client acts as the Personal Data Controller (Data Controller), while simobile acts exclusively as the Personal Data Processor (Data Processor). We only process debtor data (data subjects) based on valid written instructions from the Client.

2. Types of Data Collected

We process two main data categories: (a) Client Registration Data: PIC name, corporate email address, phone numbers, and payment information. (b) Third-Party/Debtor Data: Debtor names, ID numbers (NIK), credit history, arrear amounts, contact numbers, domicile addresses, and interaction history logs (robot call results, field collector notes) inputted by the Client.

3. Legal Basis and Purpose of Processing

Our data processing is based on fulfilling our contractual obligations to the Client (Service Agreement). The processing purpose is purely to execute collection automation (Automated Reminders, Robot Calls, Webhook integrations) and facilitate the performance of field agents (Mobile App).

4. Data Use and Disclosure

We guarantee that Client Debtor Data will never be sold, rented, distributed, or monetized for third-party marketing analytics. Data disclosure is only made to: (a) trusted sub-processors providing cloud infrastructure services (AWS/GCP); and (b) law enforcement if mandated by a valid court order.

5. Data Security and Protection

We implement robust Technical and Organizational Measures (TOMs). Protection includes data encryption at-rest (AES-256) and in-transit (TLS 1.3), log data pseudonymization, and multi-tenant database isolation among clients.

6. Data Retention and Destruction

We will retain Client data for the duration of the active subscription. After Service termination, we will hold the data for a maximum of 30 days to allow the Client to export their data. Following this, all Debtor Data will be permanently destroyed (secure wipe) from our servers in accordance with data sanitization procedures.

7. Data Subject Rights & Client Responsibilities

As the Client is the Data Controller, all Data Subject rights requests (the right to access, correct, delete (Right to Erasure), or object to processing) must be directed to the Client. We will assist the Client in fulfilling these obligations by providing technical interfaces and APIs (such as bulk data deletion features).

8. Data Breach Notification

In the worst-case scenario of a data breach incident, we will notify the Client without undue delay, no later than 2x24 hours after discovering the incident, along with details of the technical mitigations we are undertaking.

9. Cross-Border Data Transfer

Our primary servers are located within the legal jurisdiction of the Republic of Indonesia (Jakarta Region). If there is a technical need to transfer data outside Indonesian territory, it will only be done with Client consent and by ensuring the destination country has an equivalent or higher level of data protection.

10. Policy Changes

This Privacy Policy may be revised from time to time to adapt to regulatory dynamics in Indonesia. Any material updates will be notified to the Client via the Service Dashboard or Email.