Privacy Policy
Version 1.0 · Effective 10 Mei 2026
- We are a Data Controller under Indonesian Law 27/2022 (PDP).
- Your data is processed for: work registration, royalty distribution, and legal obligations.
- You have rights of access, correction, erasure, restriction, and portability.
- We do not sell personal data.
- Data subject requests: privasi@lmkn.org — we respond within 30 days.
1. Data Controller
Perkumpulan Lintas Media Kreasi Nusantara ("we") is the Personal Data Controller as defined in Article 1(4) of Indonesian Law 27/2022 on Personal Data Protection (PDP Law).
Domicile: Jakarta, Indonesia
Data Protection Officer (DPO): privasi@lmkn.org
2. Data We Collect
| Category | Examples | Source |
|---|---|---|
| Identity | Name, NIK/passport, date of birth, profile photo | You |
| Contact | Email, mobile, postal address | You |
| Professional | IPI, ISWC/ISRC, work catalogue, writer splits | You & Partner CMOs |
| Financial | Bank account, tax ID, royalty distribution history | You & Partner CMOs |
| Technical | IP address, user agent, access logs, session cookies | Automatic, from your device |
We do not request sensitive data (health, biometric, religion, sexual orientation, etc.). If you submit such data voluntarily, we will delete it.
3. Purposes and Legal Basis
Per Article 20 PDP Law, we rely on the following bases:
- Performance of contract (Art. 20(2)(b)): work registration, royalty distribution, account support.
- Consent (Art. 20(2)(a)): newsletters, marketing communications (opt-in, revocable).
- Legal obligation (Art. 20(2)(c)): tax reporting, audit, AML/CFT compliance.
- Legitimate interest (Art. 20(2)(f)): system security, fraud prevention, service improvement — balanced against your rights.
4. Recipients of Your Data
- Licensed Partner CMOs in Indonesia and foreign CMOs — for registration and royalty claims of your works.
- Cloud infrastructure providers: Cloudflare, Inc. (USA/EU edge) for site hosting.
- Payment providers: Indonesian banks, payment gateways, international remittance systems for royalty distribution.
- Independent auditors and tax/Ministry authorities when required by law.
We do not sell or trade your personal data for third-party commercial purposes.
5. Cross-Border Data Transfers
Your data may be processed outside Indonesia (e.g. Cloudflare servers in Singapore/USA, partner CMOs in Europe/USA). Per Article 56 PDP Law, transfers are made with safeguards ensuring an equivalent or higher protection level — through standard contracts, Binding Corporate Rules, or your explicit consent. Details available on request to privasi@lmkn.org.
6. Data Retention
- Active account data: while account is active + 3 years after closure.
- Royalty transaction data: 10 years per Indonesian tax documentation rules.
- Technical logs: 12 months, then anonymized.
- Marketing data: deleted upon consent withdrawal.
7. Your Rights as a Data Subject
Per Articles 5–13 PDP Law, you have the right to:
- Be informed about processing of your data.
- Access and obtain a copy of your data.
- Correct inaccurate data.
- Erase your data (right to erasure), subject to legal-obligation exceptions.
- Restrict or object to certain processing.
- Withdraw consent at any time (for consent-based processing).
- Receive your data in a structured, portable format.
- Object to automated decision-making.
- Claim damages for processing violations.
- File a complaint with the Indonesian Personal Data Protection Authority if dissatisfied.
Send requests to privasi@lmkn.org. We confirm receipt within 72 hours and respond substantively within 14 days (extendable once to a maximum of 30 days with notice).
8. Data Security
- TLS 1.3 encryption for all transmissions.
- Encryption at rest on databases (AES-256).
- Argon2id password hashing.
- Role-based access control (RBAC) with audit logging.
- Encrypted backups, tested regularly.
- Annual risk assessment and penetration testing.
9. Breach Notification
If a personal data breach occurs, we will notify you and the Indonesian PDP Authority within 72 hours per Article 46 PDP Law, including: affected data categories, potential impact, and mitigation steps.
10. Cookies and Tracking
This site uses only essential cookies for login session and CSRF protection. We do not use ad-tracking cookies, Google Analytics, or third-party marketing pixels. Aggregate statistics are collected via Cloudflare Web Analytics (no cookies, no fingerprinting).
11. Children's Privacy
Our service is not directed to children under 18. For minor rights holders, registration must be performed by a legal guardian with supporting documentation.
12. EEA / UK Data Subjects
If you reside in the EEA or UK, your GDPR / UK GDPR rights are recognized at parity with the PDP Law. You may complain to your local data protection authority.
13. California (CCPA/CPRA) Residents
If you reside in California, you have the right to "Do Not Sell or Share" — by default we neither sell nor share your data for targeted advertising.
14. Policy Changes
Material changes will be notified at least 30 days before they take effect, by email and a banner on this site. Version history available on request to privasi@lmkn.org.
15. Contact
Data Protection Officer (DPO): privasi@lmkn.org
Data Controller: Perkumpulan Lintas Media Kreasi Nusantara, Jakarta, Indonesia