Privacy Policy

Last updated: May 2026

This Privacy Policy describes how RodaGo collects, uses, discloses, retains, and protects personal data of Users of the RodaGo platform. It is issued in compliance with Law of the Republic of Indonesia No. 27 of 2022 on the Protection of Personal Data ("UU PDP"), Law No. 11 of 2008 on Electronic Information and Transactions (as amended), and Government Regulation No. 71 of 2019 on the Implementation of Electronic Systems and Transactions.

1. Definitions

  • "Platform" means the RodaGo website, mobile interfaces, and related online services.
  • "Personal Data" means any data identifying or capable of identifying a natural person, alone or in combination with other information, as defined under Article 1(1) UU PDP.
  • "Specific Personal Data" means data referred to in Article 4(2) UU PDP (including biometric data, financial data, identity document numbers).
  • "Data Subject" means the natural person to whom Personal Data relates.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, transfer, and deletion.
  • "User" means any person who accesses or uses the Platform, including Listing Owners and Customers.

2. Data Controller

For the purposes of UU PDP, RodaGo is the Personal Data Controller (Pengendali Data Pribadi). Data subject requests, inquiries, and complaints may be addressed to the contact details in Section 19 of this Policy.

3. Legal Bases for Processing

RodaGo processes Personal Data only where one of the following legal bases under Article 20 UU PDP applies:

  • Consent — explicit, informed consent of the Data Subject, e.g., for marketing communications, non-essential cookies, or onboarding via Google OAuth.
  • Performance of a contract — to operate the User's account, host Listings, deliver inquiries, and provide other services requested by the User.
  • Legal obligation — to comply with applicable laws, court orders, or lawful requests of competent authorities.
  • Protection of vital interests — to protect the life or physical integrity of the Data Subject or another person.
  • Legitimate interest — to operate, secure, and improve the Platform, prevent fraud, enforce our Terms, and conduct internal analytics, where these interests are not overridden by the rights of the Data Subject.

4. Categories of Personal Data We Collect

We collect the following categories of Personal Data:

  • Account data: username, full name, email address, phone number, hashed password, profile photo (avatar), preferred language and currency, role (renter / owner), authentication provider (email or Google), and (where applicable) Google account identifier.
  • Verification (KYC) data: identity documents (e.g., KTP, passport, driving licence), business documents for business owners, and selfies, submitted voluntarily for identity verification. KTP numbers and similar identity document numbers constitute Specific Personal Data under Article 4(2) UU PDP.
  • Listing data: vehicle photographs uploaded by Listing Owners (stored on RodaGo servers, processed for resizing and watermarking), vehicle descriptions, pricing, availability, and location.
  • Communication and lead data: inquiries sent through the Platform, WhatsApp/phone click events (date, time, listing identifier, anonymised IP), reviews, and content of messages exchanged through Platform features.
  • Transaction data: records of bookings, favourites, coupon redemptions, and, where the payment module is activated, payment metadata returned by the payment provider (RodaGo does not store full payment card data).
  • Newsletter data: email address, source/surface (footer, popup, listing, blog), and UTM parameters (source, medium, campaign).
  • Technical data: IP address, user-agent string, device and browser information, language headers, cookie identifiers, and timestamps of access.
  • Preferences: selected language, selected currency, favourite listings, dashboard settings.

5. How We Use Your Personal Data

We use Personal Data exclusively for the following purposes:

  • creating, maintaining, and securing User accounts;
  • publishing Listings and operating the marketplace;
  • enabling Users to find each other and exchange contact details upon initiating an inquiry;
  • conducting identity verification (KYC) when voluntarily requested by a User;
  • sending transactional and service notifications (booking updates, verification outcomes, password resets, account alerts);
  • sending marketing communications, only to Users who have given prior consent;
  • preventing fraud, abuse, and unlawful use of the Platform;
  • complying with legal, tax, and regulatory obligations;
  • operating internal analytics and improving the Platform.

6. Sharing with Other Users

RodaGo is a marketplace and necessarily facilitates information exchange between Users.

  • Listings, including the photographs, descriptions, prices, and the public profile of the Listing Owner (display name, public phone or WhatsApp number, ratings, badges), are visible to all visitors of the Platform.
  • When a Customer initiates an inquiry, contact details necessary to conduct the rental or sale (such as name and phone number) may be disclosed to the Listing Owner; and vice versa.
  • Reviews, including the reviewer's display name, become public after moderator approval.
  • Communications conducted outside the Platform (for example, via WhatsApp, telephone, or in person) are not controlled, monitored, or stored by RodaGo and are governed by the privacy policies of those third-party services.

7. Sharing with Third-Party Service Providers

RodaGo engages a limited number of third-party service providers to operate the Platform. These providers act as Personal Data Processors and are bound by contractual confidentiality and data-protection obligations. We share only the Personal Data strictly necessary for each provider's function.

  • Google LLC — Google Sign-In (OAuth) where the User chooses to authenticate with a Google account. We receive the User's email address, display name, profile photo, and Google account identifier.
  • Google LLC (Google Analytics 4) — anonymised usage analytics, where measurement is enabled and the User has consented.
  • Meta Platforms, Inc. (Meta Pixel) — conversion measurement and audience analytics, where measurement is enabled and the User has consented.
  • Midtrans (PT Midtrans) — payment processing, when the payment module is activated. Payment card details are entered directly with Midtrans and are not stored on RodaGo servers.
  • Email and hosting providers — for delivery of transactional email and operation of the underlying server infrastructure.
  • WhatsApp / Meta — when a User clicks a "Contact via WhatsApp" link, the User is redirected to WhatsApp; the subsequent conversation is operated by WhatsApp and falls under WhatsApp's privacy terms.
  • Telegram Messenger — used to send internal administrative notifications to RodaGo staff. No Personal Data of Users beyond the minimum context needed for the notification (e.g., "new verification request") is transmitted.

Where required by law, we may also disclose Personal Data to law-enforcement agencies, regulatory authorities, and courts.

8. International Data Transfers

Some of our third-party service providers (Google, Meta) operate infrastructure located outside the territory of the Republic of Indonesia. To the extent your Personal Data is transferred outside Indonesia, we rely on the legal bases set out in Article 56 UU PDP, including transfers to jurisdictions providing an adequate level of personal data protection or, where this is not the case, on the basis of contractual safeguards or your explicit consent.

9. Retention Periods

We retain Personal Data only for as long as necessary to fulfil the purposes for which it was collected, plus any period required by law. Indicative retention periods:

  • Active account data — for the duration of the User's active account.
  • Deleted account data — purged within ninety (90) days of account deletion, except where longer retention is required by law.
  • Verification (KYC) documents — retained for twelve (12) months after the conclusion of the verification process and then securely deleted, except where regulatory obligations require longer retention.
  • Listing data — retained while the Listing is active, archived or anonymised within twelve (12) months after deactivation.
  • Lead and click events — retained up to twenty-four (24) months for fraud prevention and analytics, then aggregated or deleted.
  • Server and access logs — retained for up to ninety (90) days unless required for security investigations.
  • Newsletter subscriber data — retained until the Subscriber withdraws consent (unsubscribe), then deleted from active mailing systems within thirty (30) days.
  • Transactional records — retained for the period required by Indonesian tax and accounting legislation.

10. Your Rights as a Data Subject

Subject to UU PDP, the Data Subject is entitled to exercise the following rights, free of charge, in respect of their Personal Data:

  • Right to information — to obtain clear information on the processing of Personal Data.
  • Right of access — to obtain a copy of Personal Data held by RodaGo.
  • Right to rectification — to have inaccurate or incomplete Personal Data corrected or updated.
  • Right to erasure — to request deletion of Personal Data where it is no longer necessary or where consent is withdrawn.
  • Right to withdraw consent — to withdraw any consent previously given, without affecting the lawfulness of prior processing.
  • Right to restriction — to request restriction of processing in certain circumstances.
  • Right to object — to object to processing based on legitimate interest, including profiling.
  • Right to data portability — to receive Personal Data in a structured, commonly used, machine-readable format where technically feasible.
  • Right not to be subject to automated decisions — not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.
  • Right to lodge a complaint — to lodge a complaint with the Personal Data Protection authority of the Republic of Indonesia.

Data subject requests should be submitted in writing to the contact in Section 19. We will respond no later than thirty (30) days from receipt, subject to verification of identity. Certain rights may be subject to limitations where their exercise would conflict with legal obligations, the rights of other persons, or the public interest.

11. Cookies and Similar Technologies

The Platform uses cookies and similar technologies in the following categories:

  • Strictly necessary cookies — required for authentication, session management, CSRF protection, language and currency preferences, and security. These cannot be disabled.
  • Functional cookies — to remember User preferences such as favourite Listings.
  • Analytics and marketing cookies — where activated, used for usage analytics (Google Analytics 4) and audience measurement (Meta Pixel). These are placed only with the User's consent where required by law.

The User may at any time disable cookies via browser settings; disabling strictly necessary cookies may render parts of the Platform inoperative.

12. Children's Privacy

The Platform is not directed at, and is not intended for use by, persons under eighteen (18) years of age. RodaGo does not knowingly collect Personal Data from minors. If we become aware that we have collected Personal Data of a minor without verified parental authorisation, we will delete such data without undue delay.

13. Information Security

RodaGo implements technical and organisational measures appropriate to the nature, scope, and purposes of the processing, including (without limitation): encrypted transport (HTTPS/TLS), cryptographic hashing of passwords, segregated and access-controlled storage of verification documents, image watermarking of uploaded photographs, regular software updates, server hardening, and role-based access controls for administrators.

Notwithstanding such measures, no system of transmission or storage can be guaranteed to be one-hundred-per-cent secure, and the User accepts this inherent risk.

14. Personal Data Breach Notification

In the event of a Personal Data breach that is likely to result in a risk to the rights and freedoms of Data Subjects, RodaGo shall, in accordance with Article 46 UU PDP, notify the affected Data Subjects and the competent authority of the Republic of Indonesia within seventy-two (72) hours of becoming aware of the breach. The notification shall describe the nature of the breach, the categories and approximate number of Data Subjects affected, the likely consequences, and the measures taken to address the breach.

15. Automated Decision-Making

RodaGo does not subject Users to decisions producing legal or similarly significant effects based solely on automated processing. Limited algorithmic processing is used for purposes such as ranking, search, fraud screening, and rate-limiting, with human review available where material decisions are taken.

16. Changes to This Policy

RodaGo may amend this Privacy Policy from time to time to reflect changes in law, technology, or processing practices. The updated version takes effect upon publication on the Platform. Material changes will be communicated by email or by a notice on the Platform.

17. Governing Law

This Privacy Policy is governed by, and shall be construed exclusively in accordance with, the laws of the Republic of Indonesia, including UU PDP. Disputes shall be resolved in accordance with the dispute-resolution clause of the RodaGo Terms of Service.

18. Language

This Privacy Policy may be published in multiple languages. In accordance with Law No. 24 of 2009, the Indonesian-language (Bahasa Indonesia) version is the binding authoritative version. Any translation is provided for convenience only; in the event of any discrepancy, the Indonesian version shall prevail.

19. Contact and Data Protection Officer

For any request, inquiry, or complaint concerning the processing of your Personal Data, including the exercise of any right under Section 10, please contact RodaGo at privacy@rodago.com. Where applicable, requests will be routed to the designated Data Protection Officer.