Privacy Policy

Last updated: July 17, 2026

This document is available in English and Bahasa Indonesia. If the two versions differ, the English version applies.

1. Who is responsible for your data

OnlineJobs Indonesia is operated by [LEGAL_ENTITY_NAME], [LEGAL_ADDRESS] ("we", "us"). We are the data controller for the personal data described in this policy.

Our data protection officer (DPO) is [DPO_NAME], reachable at [LEGAL_CONTACT_EMAIL]. Contact the DPO for any question or request about your personal data.

This policy is published in English and Bahasa Indonesia and applies to everyone who uses the platform, wherever they are.

2. The data we collect

Account data. Name, email address, password (stored as a hash), role (worker or employer), language preference.

Worker profile data. What you choose to put in your profile: photo, skills, work experience, education, expected salary, English level, an introduction video if you add one, city, and similar. Your profile is meant to be shown to employers, so treat it as public within the platform.

Employer data. Company name, contact details, job posts, and subscription and billing records (our payment provider processes the payment itself; we do not store full card numbers).

Identity verification data (KTP). Handled separately, see section 3.

Messages. Messages you send and receive through the platform.

Contact reveal records. When an employer unlocks a worker's contact details, we record who revealed what and when. This audit trail protects workers from misuse of their contact information.

Usage data. Log data (IP address, browser, pages viewed) and, where permitted or consented, product analytics. See the Cookie Policy.

3. Identity verification (KTP)

Verification is optional for workers and requires your separate, explicit consent, which we ask for at the moment you start verification. If you decline, you can still use the platform; you just do not get the verified badge.

  • KTP images are stored in a private storage bucket. They are never public, never cached, and only accessible to trained reviewers through time-limited signed links.
  • We review the document to confirm your identity, then keep the image only as long as needed for the verification record and legal obligations.
  • KTP images are never shown to employers. Employers only see whether your identity is verified.
  • You can withdraw consent and request deletion of your KTP data at any time by contacting the DPO.

4. Why we process your data, and on what basis

  • To operate your account and provide the platform (contract performance).
  • To show worker profiles to subscribed employers and deliver applications to jobs (contract performance).
  • To verify identity when you request it (your explicit consent).
  • To secure the platform, prevent scams and abuse, and enforce our terms (legitimate interest in a safe marketplace, and legal obligations).
  • To send transactional email such as application updates and billing notices (contract performance). Marketing email is sent only with your consent and every message has an unsubscribe link.
  • To understand product usage through analytics (consent where required by law, otherwise legitimate interest; see the Cookie Policy).

We do not sell your personal data. We do not make decisions with legal or similarly significant effect about you by automated means alone; applications are always read and decided by the humans involved.

5. Who we share data with

We share personal data only with service providers who process it for us under contract, listed below, and with authorities where the law requires it.

ProviderPurposeLocation
CloudflareHosting, content delivery, securityUnited States
SupabaseDatabase, authentication, file storageUnited States
UpstashRate limitingUnited States
ResendTransactional emailUnited States
PostHogProduct analyticsUnited States
SentryError monitoringUnited States
StripePayment processing (when payments launch)United States

Employers see worker profiles and, after an entitled reveal, worker contact details. We never give employers access to KTP images or verification documents.

6. International transfers

We are a US-based service and the providers above store data in the United States. For users in Indonesia, we transfer and process personal data outside Indonesia in line with Law No. 27 of 2022 (UU PDP): we ensure the receiving parties provide an adequate level of protection through binding contractual safeguards, and where required we ask for your consent. For users in the EEA, UK, or Switzerland, transfers rely on recognized safeguards such as standard contractual clauses entered into with the providers above.

7. Your rights

If you are in Indonesia, under UU PDP you have the right to:

  • access your personal data and get a copy of it
  • correct inaccurate or outdated data
  • delete your data
  • withdraw consent you have given
  • object to processing, including to solely automated decision-making
  • receive your data in a portable format
  • lodge a complaint with the Indonesian data protection authority

If you are in the EEA, UK, or Switzerland, you have the equivalent rights under the GDPR and its UK and Swiss counterparts, including the right to complain to your local supervisory authority.

To exercise any right, email the DPO at [LEGAL_CONTACT_EMAIL] from the address on your account. We respond within the time the applicable law sets, and in any case within 30 days. You can also download your data and delete your account from your account settings once those controls launch; until then the DPO handles requests by email.

8. How long we keep data

We keep personal data while your account is active. When you delete your account, we delete or anonymize your personal data, except records we must keep for legal, tax, security, or dispute purposes, which we keep only as long as those purposes require. KTP data follows the shorter retention described in section 3.

9. Security and breach notification

We protect personal data with encryption in transit, private storage for sensitive files, access controls, audit logs on sensitive actions, and rate limiting. No system is perfectly secure. If a breach affects your personal data, we will notify you and the relevant authority without undue delay, and for users protected by UU PDP within 3x24 hours of learning of the breach, as that law requires.

10. Cookies

What we set and why is described in the Cookie Policy, including the consent banner shown where the law requires opt-in and our support for the Global Privacy Control signal.

11. Children

The platform is for adults. You must be 18 or older to create an account. We do not knowingly collect data from anyone under 18; if we learn we have, we delete it.

12. Changes to this policy

We may update this policy. The "Last updated" date shows the current version. For material changes we notify registered users by email or in the product before the changes take effect.

13. Contact

Data protection officer: [DPO_NAME] [LEGAL_ENTITY_NAME] [LEGAL_ADDRESS] Email: [LEGAL_CONTACT_EMAIL]