Reference

How to28 Handles Your Personal Data

At to28, your personal data belongs to you — and we treat it that way.

Encrypted account storageDANA, OVO, GoPay & QRIS transaction privacyClear data-retention scheduleDirect deletion requests acceptedIndonesia-region data handling
to28 How to28 Handles Your Personal Data
PRIVACY CONTACT PATHS

Browse How to Reach Our Privacy Team

If you have a question about your data, need to update stored information, or want to submit a deletion request, our privacy support team is reachable seven days a week. Requests submitted before 21.00 WIB are acknowledged the same day; complex deletion requests are resolved within five business days. You can reach us through any of the channels below.

Team online

Live Chat

Start a live chat session directly from your account dashboard. Available 07.00–24.00 WIB daily — our privacy team handles data queries, account corrections and deletion requests through this channel.

Email Support

Send a detailed request to our privacy inbox. Include your registered email and the specific data you want accessed or removed. We aim for a written response within two business days.

Help Center

Browse the privacy section of our Help Center for step-by-step instructions on downloading your data, updating account details, or revoking consent for optional processing — no wait time required.

DATA HANDLING PRACTICES

Switch on Confidence With Our Security Standards

Every layer of your account — from login to payment processing — is covered by specific security and privacy controls.

Cookies & Tracking

We use session cookies to keep you logged in and preference cookies to remember your lobby settings. Analytics cookies are anonymised; you can turn off non-essential cookies from your account settings at any time.

Account Security Layer

Two-step verification is available on every account. Login attempts from unrecognised Jakarta or Surabaya IP addresses trigger an automatic email alert, so you know immediately if someone else tries to access your profile.

Data Retention Schedule

Active account data is retained while your account remains open. If you close your account, personal identifiers are removed within 30 days; transaction records required by jurisdiction rules are archived separately and anonymised.

Payment Data Isolation

DANA, OVO, GoPay and QRIS payment credentials are processed through tokenised gateways. We never store your full wallet credentials — only a masked reference ID used to match your transaction history.

Third-Party Sharing Rules

We share data with payment processors and fraud-prevention services only to the extent needed to complete your transaction or protect your account. We do not share data for advertising purposes with any external party.

Your Right to Request Changes

You can request a copy of all data we hold, ask us to correct inaccurate details, or ask us to delete your profile entirely — where local law permits. Submit your request via live chat or email; we confirm receipt the same business day.

Open Answers to Your Privacy Questions

These are the questions we hear most from Indonesian members when it comes to how their data is managed on to28. Each answer is specific to how our system actually works — not a generic legal template.

We collect your name, email address, date of birth, and the payment method you register — such as DANA, OVO, GoPay or QRIS. We also log device type and login timestamps to protect your account from unauthorised access.

We share data only with payment processors and security services needed to run your account. We do not sell your information or share it with advertisers. Third-party access is limited, documented, and bound by data-handling agreements.

We keep your personal data while your account is active. After you close your account, identifiers are removed within 30 days. Certain transaction records are retained longer where required — this depends on local law in Indonesia.

Yes. Send a request via live chat (07.00–24.00 WIB) or email us with your registered email address. We compile and send your data export within five business days, at no cost to you.

Contact our privacy team through live chat or email, state that you want full account deletion, and we will begin the removal process. Personal identifiers are erased within 30 days, where local law permits us to do so.

Yes. Payment credentials are tokenised at the gateway level — we store only a masked reference ID, never your full wallet number or PIN. This means even internal staff cannot read your payment credentials in plain text.

Go to your account settings, open the Privacy tab, and toggle off analytics or preference cookies. Session cookies remain active to keep you logged in; all other cookie categories can be disabled individually without affecting core account functions.