Privacy Policy
Last updated: 2026-05-30
This Privacy Policy describes how PT Sanjaya Solusi Digital Indonesia ("Hexolus", "we", "us", or "our") collects, uses, shares, and protects personal data in connection with the website at https://hexolus.com and any related APIs, dashboards, and services (collectively, the "Services").
1. Who we are
Hexolus is operated by PT Sanjaya Solusi Digital Indonesia, a company registered in Indonesia with offices at Scientia Business Park Tower 2, Jl. Boulevard Gading Serpong O/2, Kelapa Dua, Kab. Tangerang 15821. We act as the data controller (Pengendali Data Pribadi) for personal data submitted through the Services. You can reach our Data Protection point of contact at support@hexolus.com.
2. Information we collect
We collect three categories of data:
2.1 Account & operator data
- Identifying info: name, email address, role (admin / client / portal user).
- Authentication data: password (stored only as bcrypt hash), session cookies, two-factor authentication secrets (encrypted at rest).
- Business info: for client tenants — company name, contact email, phone, address, currency.
2.2 Transaction data
- Payment intents: amount, currency, payment method (Virtual Account / QRIS / E-Wallet), channel (BCA, OVO, DANA, etc.).
- End-customer info supplied by clients: customer name, email, phone — only when the integrating client passes it on the POST /v1/payments call. Hexolus does NOT collect this directly from end-customers.
- Settlement records: aggregated payment totals, bank-account snapshot (when manual disbursement is recorded), audit metadata.
We never receive or store credit card numbers, CVVs, or banking credentials. All sensitive payment instrument data is handled by our payment processor (Xendit) under their PCI-compliant infrastructure.
2.3 Technical & usage data
- Server logs: IP address, HTTP method + path, user agent, timestamps, response status — retained for 90 days for security + diagnostics.
- Cookies: a session cookie (session) for authenticated areas and a CSRF protection cookie (hexolus_csrf). No third-party tracking cookies, no advertising pixels.
- Metrics: aggregated counters (payments / settlements / webhook deliveries) exposed at /metrics for self-hosted Prometheus — no per-user identifiers.
3. How we use your data
- To provide and operate the Services (account auth, payment intake, settlement, webhook delivery).
- To detect, investigate, and prevent fraud, abuse, or security incidents.
- To comply with applicable laws (tax records, AML/KYC where applicable to our payment processor).
- To send transactional notifications (invoice emails, webhook events, security alerts).
- To improve the Services (aggregated, non-identifying analytics).
We do not sell, rent, or trade personal data. We do not use personal data for advertising targeting.
4. Legal bases (UU PDP)
Under Indonesia's UU PDP, we rely on these lawful bases:
- Performance of contract — to operate the Services you sign up for.
- Legal obligation — tax records, anti-fraud, AML.
- Legitimate interest — security, fraud detection, service improvement.
- Consent — for any optional channel (e.g. marketing emails), revocable at any time.
5. Third parties we share data with
We share personal data only with the following categories of processors, under binding data processing agreements:
| Recipient | Purpose | Data shared |
|---|---|---|
| Xendit | Payment processing (when payment gateway is enabled for your account) | Customer name, email, phone (when supplied), amount, payment method |
| Meta (WhatsApp Business Platform) | WhatsApp Business API (WABA) message delivery | WhatsApp message templates, recipient phone numbers, conversation metadata |
| Meta (Marketing API) | Facebook + Instagram ad campaign delivery | Campaign creative, custom audience hashes (when uploaded), conversion events |
| Google (Ads + Analytics) | Google Ads campaign delivery | Campaign creative, audience signals (when uploaded), conversion events |
| TikTok for Business | TikTok ad campaign delivery | Campaign creative, audience signals (when uploaded), conversion events |
| Domain registrars (Liquid, Dynadot, OVH, Namecheap, etc.) | Domain registration on operator's behalf | Registrant contact info (when supplied) |
| Email service providers (SMTP relay) | Transactional emails (invoices, password resets) | Email address, message body |
| Hosting + database infrastructure (Linode / equivalent) | Service hosting | All categories above (at-rest storage) |
6. Cross-border data transfer
Some of our processors (Xendit, email relay, hosting infrastructure) may process data in datacenters located outside Indonesia. We ensure adequate safeguards through contractual data processing agreements aligned with UU PDP cross-border transfer requirements.
7. Data retention
- Account data: retained while your account is active + 7 years after closure (Indonesian tax record requirement).
- Transaction data: 7 years (tax + financial record retention).
- Server logs: 90 days.
- Webhook delivery audit trail: 1 year.
- Password reset tokens, email verification tokens: 24 hours.
After the applicable retention period, data is irreversibly deleted or anonymized.
8. Your rights
Under UU PDP, you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Delete your data (subject to legal retention requirements).
- Restrict or object to processing.
- Data portability — receive your data in a machine-readable format.
- Withdraw consent at any time (where consent is the legal basis).
- Lodge a complaint with the Indonesian data protection authority.
Email support@hexolus.com with your request. We respond within 30 days. For deletion specifically see our Data Deletion page.
9. Security
- All connections enforced over HTTPS (TLS 1.2+, HSTS).
- Passwords stored as bcrypt hashes (cost factor 12). API tokens as SHA-256 hashes.
- Webhook signing secrets encrypted at rest with AES-GCM.
- Sessions backed by signed, HttpOnly, SameSite=Lax cookies.
- Database access restricted to the application server with per-IP firewalling.
No system is perfectly secure. If you suspect a breach affecting your data, contact support@hexolus.com.
10. Cookies
We use only two cookies, both essential for service functioning:
- session — authentication state, expires when you sign out.
- hexolus_csrf — CSRF protection token, 1-year max-age, HttpOnly.
We do not use third-party advertising, analytics, or tracking cookies.
11. Children's data
The Services are not directed to individuals under 18. We do not knowingly collect data from minors. If you believe a minor has provided us with personal data, please contact us and we will delete it.
12. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be announced via the Service or by email at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the current version.
13. Contact
Email (privacy, security, support, business): support@hexolus.com
Postal address:
PT Sanjaya Solusi Digital Indonesia
Scientia Business Park Tower 2
Jl. Boulevard Gading Serpong O/2
Kelapa Dua, Kab. Tangerang 15821, Indonesia