Application Privacy Policy – Buku.Menu

Effective Date: March 7, 2026
Last Updated: March 7, 2026

Introduction

Buku.Menu (“we,” “us,” or “our”) is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, share, and protect your information when you use our platform—a link-in-bio and digital menu solution for food & beverage businesses in Indonesia.

This policy complies with Indonesia’s Personal Data Protection Law (UU PDP No. 27/2022) and international best practices for SaaS platforms.

Definitions

  • Personal Data: Any information that can identify an individual directly or indirectly
  • User: Any individual or business using the Buku.Menu platform
  • Business Owner: F&B business operators who create profiles on Buku.Menu
  • Customer: End-users who view business profiles and menus
  • Influencer/Content Creator: Users who create content and promote F&B businesses
  • Platform: Buku.Menu website and all associated services accessible via dapur.buku.menu and related domains

Legal Basis for Data Processing

We process your personal data based on the following legal grounds as required by UU PDP No. 27/2022:

  1. Consent: You explicitly agree to our data collection practices
  2. Contract Performance: Processing necessary to provide our services
  3. Legal Obligation: Compliance with Indonesian regulations
  4. Legitimate Interest: Service improvement and fraud prevention

Information We Collect

Business Owner Data

When you register as a business owner, we collect:

Category | Data Types
Identity Data | Business name, owner name, brand logo, business type (restaurant, cafe, cloud kitchen, etc.)
Contact Data | Email address, phone number (WhatsApp), business address (per branch), social media handles
Financial Data | Payment method details (for subscription), billing address, transaction history
Business Data | Branch locations, operating hours, menu items (names, descriptions, prices, images), facilities (parking, prayer room, etc.), service types (dine-in, delivery, take-away)
Marketing Data | Promotional content, campaigns, special offers, referral program participation
Technical Data | IP address, browser type, device information, login timestamps, usage patterns

Table 1: Business Owner Personal Data Categories

Customer Data

When customers view business profiles, we collect:

  • Technical Data: IP address, device type, browser information, location data (city/region level), pages viewed, time spent
  • Behavioral Data: Menu items viewed, search queries, favorite businesses, click patterns
  • Optional Account Data: If customers create accounts—name, email, phone number, saved preferences

Influencer/Content Creator Data

  • Identity: Name, profile photo, bio
  • Contact: Email, phone, social media links
  • Content: Reviews, photos, videos, ratings submitted
  • Performance: Engagement metrics, referral links, commission tracking

Automatically Collected Data

Our platform automatically collects:

  • Cookies and Similar Technologies: Session cookies, analytics cookies, preference cookies
  • Analytics Data: Page views, user flows, feature usage, error logs
  • Device Information: Operating system, screen resolution, language settings
  • Referral Source: How users found your business profile (Google, social media, direct link)

How We Use Your Information

Primary Purposes

  1. Service Delivery
    • Create and maintain business profiles
    • Display menus and business information to customers
    • Enable order buttons (GoFood, GrabFood, WhatsApp, etc.)
    • Manage multi-branch operations
    • Facilitate content creator campaigns
  2. Platform Improvement
    • Analyze usage patterns to enhance features
    • Conduct A/B testing for user experience optimization
    • Fix bugs and improve performance
    • Develop new features based on user needs
  3. Communication
    • Send service-related notifications (subscription renewal, feature updates)
    • Provide customer support
    • Share promotional content (with your consent)
    • Conduct surveys and gather feedback
  4. Business Operations
    • Process payments and manage subscriptions
    • Prevent fraud and ensure platform security
    • Enforce terms of service
    • Comply with legal requirements
  5. Marketing & Discovery
    • Show relevant businesses to customers based on location and preferences
    • Enable category-based discovery (coffee shops, desserts, halal food, etc.)
    • Promote featured businesses and campaigns
    • Support influencer collaboration programs

Data Sharing and Disclosure

Third-Party Service Providers

We share data with trusted partners who help us operate the platform:

Category | Purpose | Examples
Hosting | Infrastructure | Cloudflare Workers, cloud storage providers
Database | Data storage | Supabase
Analytics | Usage tracking | Google Analytics, Meta Pixel (if applicable)
Payment | Transaction processing | Payment gateway providers
Communication | Email/SMS | Email service providers, WhatsApp Business API
Authentication | Account security | OAuth providers (Google, Facebook login)

Table 2: Third-Party Data Processors

All third parties are contractually bound to protect your data and only use it for specified purposes.

Business Transfers

If Buku.Menu is involved in a merger, acquisition, or asset sale, your data may be transferred. We will notify you before this occurs and before your data becomes subject to a different privacy policy.

Legal Requirements

We may disclose your data when required by law, to:

  • Comply with legal processes (court orders, subpoenas)
  • Enforce our terms of service
  • Protect rights, property, or safety of Buku.Menu, users, or the public
  • Prevent fraud or security threats
  • Cooperate with government authorities as mandated by UU PDP

Public Information

The following data is publicly accessible on your business profile:

  • Business name, logo, and photos
  • Menu items with descriptions and prices
  • Branch addresses and operating hours
  • Contact information (phone, social media links)
  • Customer reviews and ratings (if feature enabled)
  • Promotional campaigns

Data Security

We implement industry-standard security measures to protect your information:

Technical Safeguards

  • Encryption: Data encrypted in transit (TLS/SSL) and at rest
  • Access Control: Role-based permissions, multi-factor authentication for admin accounts
  • Secure Infrastructure: Hosted on Cloudflare’s secure network with DDoS protection
  • Regular Audits: Security assessments and vulnerability scanning
  • Secure Development: Code reviews and security testing before deployment

Organizational Safeguards

  • Employee training on data protection
  • Confidentiality agreements with staff and contractors
  • Incident response procedures
  • Regular backup and disaster recovery plans

Data Breach Protocol

In the event of a data breach, we will:

  1. Notify affected users within 72 hours (as required by UU PDP)
  2. Report to the Badan Perlindungan Data Pribadi (BPDP) if required
  3. Take immediate steps to contain and remediate the breach
  4. Provide guidance on protective measures you can take

Your Rights Under UU PDP

As a data subject in Indonesia, you have the following rights:

Right to Information

You have the right to know what personal data we collect and how it is used.

Right of Access

You can request a copy of your personal data at any time by contacting us.

Right to Rectification

You can update or correct inaccurate information through your account dashboard or by contacting us.

Right to Erasure

You can request deletion of your personal data. We will comply unless we have legal grounds to retain it (e.g., for accounting purposes, legal disputes).

Right to Withdraw Consent

You can withdraw your consent for data processing at any time. This may affect your ability to use certain features.

Right to Object

You can object to automated decision-making or profiling that significantly affects you.

Right to Restrict Processing

You can request that we limit how we use your data in certain circumstances.

Right to Data Portability

You can request your data in a structured, machine-readable format (e.g., JSON, CSV) to transfer to another service.

How to Exercise Your Rights

To exercise any of these rights, contact us at:

We will respond within 10 business days as required by UU PDP.

Data Retention

We retain your data for the following periods:

Data Category | Retention Period
Active account data | Duration of subscription + 1 year
Inactive account data | 2 years after last activity, then deleted
Transaction records | 10 years (tax/accounting requirement)
Analytics data (anonymized) | 3 years
Customer service logs | 2 years
Security logs | 1 year
Marketing consent records | Until consent withdrawn + 1 year

Table 3: Data Retention Schedule

After retention periods expire, we securely delete or anonymize your data.

International Data Transfers

While Buku.Menu primarily serves Indonesian users, some of our service providers may be located outside Indonesia (e.g., cloud hosting). When we transfer data internationally, we ensure:

  • Adequate protection through standard contractual clauses
  • Compliance with UU PDP cross-border transfer requirements
  • Transparency about which countries may access your data

Countries where data may be processed: United States (Cloudflare, analytics providers), Singapore (regional data centers).

Cookies and Tracking Technologies

What Are Cookies?

Cookies are small text files stored on your device that help us provide and improve our services.

Types of Cookies We Use

Type | Purpose
Essential | Required for platform functionality (login sessions, security)
Analytics | Help us understand how users interact with the platform (Google Analytics)
Preference | Remember your settings (language, display options)
Marketing | Track campaign effectiveness (optional, with consent)

Table 4: Cookie Categories

Managing Cookies

You can control cookies through:

  • Browser settings (most browsers allow cookie blocking)
  • Our cookie consent banner (for non-essential cookies)
  • Third-party opt-out tools (Google Analytics opt-out, etc.)

Note: Blocking essential cookies may prevent platform functionality.

Children’s Privacy

Buku.Menu is not intended for children under 17 years old. We do not knowingly collect data from children. If we discover we have collected data from a child, we will delete it immediately.

If you are a parent or guardian and believe your child has provided us with personal data, please contact us.

Changes to This Privacy Policy

We may update this policy periodically to reflect:

  • Changes in our practices
  • New features or services
  • Legal or regulatory requirements
  • User feedback

When we make significant changes:

  1. We will notify you via email or platform notification
  2. The “Last Updated” date at the top will change
  3. We will provide a summary of changes
  4. You will be asked to re-consent if required by law

Previous versions of this policy are available upon request.

Contact Information

Data Protection Officer

For questions, complaints, or to exercise your rights:

  • Company: PT JURAGAN KREATIF NUSANTARA
  • Email: [email protected]
  • WhatsApp: +62 822-1166-6252
  • Address: Surabaya, Indonesia
  • Privacy Request Portal: buku.menu/privacy

Regulatory Authority

If you are not satisfied with our response, you have the right to lodge a complaint with:

Special Provisions

For Business Owners Using WhatsApp Integration

When you connect WhatsApp Business to Buku.Menu, customer messages go directly to your WhatsApp—we do not intercept or store these conversations. WhatsApp’s own privacy policy applies to these interactions.

For Users of OAuth/Social Login

If you sign in using Google or Facebook, we only receive basic profile information you authorize (name, email, profile photo). We do not access your social media content or contacts.

For Payment Processing

We do not store your full credit card details. Payment information is processed securely by our payment gateway partners who are PCI-DSS compliant.

For Analytics and Marketing

You can opt out of marketing communications at any time by:

  • Clicking “unsubscribe” in emails
  • Adjusting preferences in your account settings
  • Contacting our support team

Opting out of marketing does not affect service-related communications (e.g., subscription renewals, security alerts).

Acknowledgment and Consent

By using Buku.Menu, you acknowledge that you have read, understood, and agree to this Privacy Policy. If you do not agree, please discontinue use of our platform.

For business owners: By creating a profile, you confirm you have the right to share business information (including employee data if applicable) and customer data displayed on your profile.

Appendix A: Glossary of Technical Terms

  • Encryption: Conversion of data into a code to prevent unauthorized access
  • TLS/SSL: Protocols that secure internet communications
  • IP Address: Unique identifier for devices connected to the internet
  • Cookies: Small data files stored on your device
  • Anonymization: Removing identifying information from data
  • PCI-DSS: Payment Card Industry Data Security Standard
  • OAuth: Open standard for secure authorization (social login)
  • DDoS: Distributed Denial of Service attack

Appendix B: Document Control

Version | Date | Changes
1.0 | March 7, 2026 | Initial policy release

Table 5: Version History

Next Review Date: March 7, 2027