This policy explains how PT Next Step Advisory (“NSA”, “we”) collects, uses and protects personal data under Indonesian Law No. 27 of 2022 on Personal Data Protection (UU PDP). If you visit this site from the EU or the UK, the GDPR / UK GDPR additionally apply and we provide an equivalent level of protection.
1. Data Controller
PT Next Step Advisory
Jalan Raya Semat No. 1, Tibubeneng, North Kuta, Badung Regency, Bali 80361, Indonesia
KBLI 46511 — Wholesale of computers, computer peripherals and software
Email: nextstepadvisory11@gmail.com
2. Personal Data We Collect
We collect the minimum data needed to respond to commercial enquiries and meet our obligations as a supplier:
- Identification data: name, job title, company.
- Contact data: work email, phone number, delivery address.
- Enquiry data: content of your message, requested models or categories, quantity, deadline.
- Technical data: IP address, browser type, pages visited — for security and aggregate analytics only.
3. Specific Personal Data and Children
We do not collect “Specific Personal Data” as defined in Article 4(2) of UU PDP — health, biometric, genetic, criminal-record, personal financial, children’s, or religious / belief data. The site is intended for adult B2B clients; we do not knowingly collect personal data from anyone under 17 (Article 35 of UU PDP). If we discover that children’s data has reached us inadvertently, it will be deleted without delay.
4. Lawful Basis and Purposes
Pursuant to Article 20 of UU PDP, each category of data is processed under one of the following lawful bases:
| Data category | Lawful basis | Purpose |
|---|---|---|
| Identification + contact + enquiry | Contract performance (Art. 20(2)(b)) | Prepare quotes, issue invoices, deliver goods, provide post-sale support. |
| Invoices + transaction records | Legal obligation (Art. 20(2)(c)) | Tax records (PPN / PPh) under Indonesian Tax General Provisions Law (UU KUP). |
| Technical data (IP, logs, browser) | Legitimate interest (Art. 20(2)(f)) | Site security, abuse prevention, aggregate analytics. |
| Non-essential cookies | Consent (Art. 20(2)(a)) | Only after explicit opt-in via the cookie banner. |
5. Retention Period
- Quotes and commercial correspondence — 3 years from last message.
- Invoices and transaction documents — 10 years (UU KUP Art. 28(11)).
- Technical logs — 12 months.
- Cookie consent records — 6 months from last acceptance.
6. Disclosure to Third Parties (Processors)
We do not sell personal data. In line with our transparency obligations, the full list of processors we use is:
| Processor | Purpose | Jurisdiction |
|---|---|---|
| DigitalOcean LLC | Site hosting (Droplet, Singapore) | Singapore |
| Cloudflare, Inc. | DNS, CDN, DDoS protection | USA (EU & UK DPAs) |
| MinIO / S3-compatible storage | Product image storage | Singapore |
| Google LLC (Gmail SMTP) | Outbound mail delivery from /contact and /quote, plus the destination inbox. | USA |
| Logistics providers (goods shipping) | Delivery address, name, phone — for delivery. | Indonesia |
| Indonesian Tax Office (DJP) | Tax reporting where legally required. | Indonesia |
7. Cross-border Transfers
Several processors above are located outside Indonesia (Singapore and the United States). Under Article 56 of UU PDP, we transfer data only when one of the following is met: (a) the destination country provides equivalent or higher protection; (b) Standard Contractual Clauses (SCC) or Binding Corporate Rules (BCR) are in place between us and the processor; or (c) the data subject has given explicit consent. Transfers to processors in Singapore and the USA are currently based on the standard SCC / DPA published by each provider. ISO 27001 / SOC 2 certifications held by processors are an additional layer, not the legal basis for transfer.
8. Data Subject Rights
Under Articles 5–13 of UU PDP, you have the right to:
- Receive clear information about the processing (Art. 5–6).
- Access your data and receive a copy (Art. 7).
- Complete and update inaccurate data (Art. 8).
- Erase your data (Art. 9), subject to lawful retention periods.
- Withdraw consent at any time for consent-based processing (Art. 10).
- Object to solely-automated decisions (Art. 11). We do not currently use automated profiling.
- Restrict certain processing (Art. 12).
- Claim compensation for damages arising from a data breach (Art. 13).
- Port your data to another controller.
Reach us at nextstepadvisory11@gmail.com to exercise these rights. We respond within 30 calendar days.
9. Data Breach Notification
Pursuant to Article 46 of UU PDP, in the event of a personal-data breach with significant impact, we will notify affected data subjects and the supervisory authority no later than 3 × 24 hours from becoming aware of it. The notification will set out: the categories of data affected, the time and impact of the breach, and the containment and mitigation steps taken.
10. Security
We use TLS for all data transfers, storage encryption, role-based access control, and audit logs. Access is restricted to staff who need it for their work. Third-party processors we select hold recognised security certifications (ISO 27001 and/or SOC 2).
11. Data Protection Officer
Under Article 53 of UU PDP, formal appointment of a Data Protection Officer is mandatory only for controllers that (a) process data on behalf of a public body, (b) conduct large-scale systematic monitoring, or (c) process Specific Personal Data at scale. Our activity as a wholesale IT dealer does not fall into those categories. Privacy questions are handled directly by management via the email above; queries can be addressed to the director (Ilgar Mustafaev) as Person-in-Charge.
12. Changes to this Policy
We may update this policy from time to time. The effective date at the top reflects the most recent revision. Material changes will be marked clearly on this page and, where they significantly affect processing, communicated to relevant data subjects by email.
Questions?
Email nextstepadvisory11@gmail.com.