Privacy Policy
Last updated: June 1, 2025

Klik tautan ini untuk membuka Kebijakan Privasi dalam bahasa Indonesia.

This Privacy Policy describes the Controller’s policies and procedures regarding the processing of the User’s information when the User uses the Services and informs the User on the User’s rights as a data subject and how the law protects the User.

The Controller uses the User’s Personal data to provide and improve the Services. By using the Services, the User has agreed to the processing of information under this Privacy Policy.

This Privacy Policy shall apply to any other notices, contractual clauses, and agreement clauses applicable related to the processing of Users' personal data by Controller, and it is not intended to override such notices or clauses unless Controller state otherwise.


DEFINITIONS

Words initialed with a capital letter have the meanings defined according to the following provisions:

  1. Affiliate shall mean an entity that controls, is controlled by or is under the common control of one party, where control shall mean an ownership of 50% or more of shares, equity interest and/or other securities having the rights to vote in the appointment of Directors and/or Management or other authorized management. 
  2. Account shall mean a unique account created for the User to access the Services or any part of the Services.
  3. Personal Data shall mean any information of an identified or identifiable individual separately or jointly combined with any other information, either directly or indirectly, through electronic or non-electronic systems. The processed Personal Data covers any information, including but not limited to name, identification number, and contact information, as well as any data that was provided and will be provided by the User to the Controller.
  4. Cookies shall mean small pieces of text placed on the User’s computer, mobile device, or any other device through a website, containing the details of the User browsing history on the website among its many uses.
  5. Services shall mean the Cikal Community belongs to the Controller., which is accessible through https://community.cikal.co.id and https://admission.cikal.co.id/.
  6. Third-Party Social Media Service shall mean any website or any social network where the User can log in or create an account to use the Services.
  7. Country shall mean the Republic of Indonesia
  8. User shall mean any student jointly with his/her parents/legal guardian, employees (Cikal Team Member/CTM), or any individual, organization, or other legal entity accessing or using the Services.
  9. Data Usage shall refer to any data collected automatically, either data generated from the use of the Services or sourced from the Services infrastructure (e.g. the duration of a page visit).
  10. Service Provider shall mean any individual or legal entity processing the data on behalf of the Controller. The Service Provider shall refer to an individual or legal entity assigned by the Controller to facilitate and provide the Services on behalf of the Controller, to perform any works related to the Services, or to assist the Controller in analyzing on how the Services is being used.
  11. Device shall mean any device that can access the Services such as a computer, mobile device, digital tablet, etc. 
  12. Controller shall mean PT Sekolah Cikal.


COLLECTION AND USE OF THE USER’S PERSONAL DATA

Types of the User’s Personal Data collected:

  1. Personal Data
    While using the Services, the Controller may ask the User’s Personal Data to be used to contact or identify the User. Personal Data shall include, but not limited to:
    1. First name and last name;
    2. E-mail address;
    3. Date of birth;
    4. Payment information;
    5. Bank statement; (if applicable)
    6. Phone number;
    7. Gender;
    8. Medical record;
    9. Information sent by or connected to one or more devices used to access the Services;
    10. Photographs, including photographs taken by CCTV or audio and/or video recordings;
    11. Any other information of the User when the User registers to use the Services, and when the User uses the Services as well as information on how the User uses the Services.
    12. Any information or data related to any party or individual that has not registered to the Services provided by the User while using the Services.
  2. Requirements to Conduct Personal Data Processing
    Personal Data processing may only be conducted if the Controller has fulfilled one or more of the following requirements:
    1. The Controller has explicitly and lawfully obtained the User’s consent; or
    2. The Controller exercises its rights and obligations under an agreement with the User; or
    3. The Controller is required to perform its authorities, or to fulfill its obligations under prevailing laws and regulations or directives from authorized institutions; or
    4. The Controller is required to fulfill the User’s vital interests.
  3. Purposes of Processing of the User’s Personal Data
    The Controller may process the User’s Personal Data for one or more of the following purposes:
    1. To provide and maintain the Services, including to monitor the use of the Services.
    2. To manage the User’s Account such as managing the User registration as the Services user. The available User’s Personal Data may provide access to different functionalities of the Services to the User that can only be obtained by the registered User.
    3. To fulfill an agreement such as follow-up actions, compliance and undertaking of the purchase agreement of the products, goods or services purchased by the User or any other agreement with the Controller related to the Services.
    4. To contact the User via e-mail, telephone calls, short messages service (SMS), or any other similar electronic communication, such as short messages sent directly to mobile application's (push notification) regarding current or informative communications related to the functionality of a service, product service and contracted services, including security updates, when such updates are necessary and reasonable to implement the Services.
    5. To provide the User with news, special offers and general information on goods, services and events offered by the Controller that are similar to those that the User has purchased or enquired about, unless the User has chosen not to receive any of such information.
    6. To arrange the User’s requests to attend and manage the requests of the User to the Controller.
    7. For business transfers, as the Controller may use information of the User to evaluate or conduct a merger, divestment, restructuring, reorganization, dissolution, or other sale or transfer of some or all the Controller’s assets, whether as a business continuation or as part of bankruptcy, liquidation, or similar proceeding, in which Personal Data held by the Controller on the Services user is among the assets that are transferred.
    8. For administrative purposes of licensing for Sekolah Cikal and/or Rumah Main Cikal including any matters related to school building and facilities.
    9. The Controller may use the User’s information for other purposes, such as for data analysis, identifying usage trends, determining the effectiveness of the Controller’s promotional campaigns and to evaluate and improve the Services, products, services, marketing and the User experience.
    10. To comply with laws and regulations and regulators direction, law enforcement authorities, and other authorized institution.
  4. Data Usage
    1. Data Usage collected automatically while using the Services.
    2. Data Usage shall include information of the address of Internet Protocol of the User’s Device (e.g. IP address), browser type, browser version, the pages of the Services visited by the User, the time and date of the User visits, the time spent on the site, unique device identifiers and other diagnostic data.
    3. At the time the User access the Services through a mobile device, the Controller may automatically collect certain information, including but not limited to the type of mobile device used by the User, the unique ID of the User’s mobile device, the IP address of the User’s mobile device, the User’s mobile device operating system, the type of the Internet browser used by the User’s mobile device, unique device identifiers and other diagnostic data.
    4. The Controller may also collect information sent through the User’s browser at any time when the User visits the Services or when the User is accessing the Services through a mobile device.


CONTROLS AND TRANSFERS OF THE USER’S PERSONAL DATA

In processing the User’s Personal Data, the Controller may involve the third parties as joint controllers and/or processors of the User’s Personal Data, whether within and/or outside of Indonesia with the User consent. In such matters, the Controller will protect the User's Personal Data in accordance with applicable laws and regulations.

  1. Controls and Transfers of the User’s Personal Data within the country:
    1. To Service Providers
      The Controller may share the information of the User’s personal data with the Service Providers to monitor and analyze the use of the Services and to contact the User.
    2. For business transfer 
      The Controller may share or transfer the information of the User’s Personal Data in connection with, or during the negotiations process of any merger, sale of the Controller assets, financing, or acquisition of all or a portion of the Controller business to other Controller.
    3. To Affiliate
      The Controller may share Users' Personal Data with Affiliates of the Controller, in which case the Controller will require such Affiliates to respect this Privacy Policy. These affiliates include the Controller's parent company and its subsidiaries, joint venture partners or other Controllers over which the Controller has control or which are under common control with the Controller..
    4. To the Ministry of Education and Culture, Education Services and other related Government Authorities
      The Controller may share the User’s Personal Data with the Ministry of Education and Culture, the Education Office, and other related government authorities for the purpose of licensing, reporting, school administration and/or other licensing obligations by the Controller in respect of the establishment, management and operation of schools, school buildings, school facilities to the related government authorities.
    5. To business partners
      The Controller may share the User’s Personal Data with the Controller’s business partners to offer the User with certain products, services, or certain promotions.
    6. To other users 
      When the User shares Personal Data or otherwise interacts in the public areas with the other User, such information may be viewed by all users and may be publicly distributed outside. If the User interacts with the other User or register to a Third-Party Social Media Service, the User’s contacts listed on the Third-Party Social Media Service, may see the User’s name, profile, picture and an overview of the User's activities. Similarly, other Users will be able to see an explanation of the User's activities, communicate with the User and view the User's profile.
  2. Controls and Transfers of Personal Data Overseas:
    In the case that the Controller transfers the User’s Personal Data outside Indonesia, the Controller shall take reasonable measures to ensure that the destination country receiving the transfer of the User’s Personal Data has the same level of Personal Data Protection or higher than the applicable regulation in Indonesia.
    In the case that the destination country for the transfer of the User’s Personal Data does not have the same or higher level of protection, the Controller may still transfer the User’s Personal Data, provided that the Controller complies with the applicable laws and regulations.


INFORMATION FROM THIRD-PARTY SOCIAL MEDIA SERVICE

The Controller allows the User to create an account and log in to use the Services through the Third-Party Social Media Service as follows:

  1. Google
  2. Facebook
  3. Instagram
  4. X (Twitter)
  5. LinkedIn

In the event that the User decides to register through or grants access to a Third-Party Social Media Service to the Controller, then the Controller may collect Personal Data that has been associated with the User’s account on the Third-Part Social Media Service, including but not limited to name, e-mail address, activities and/or contact lists of the User that have been linked to the registered account.

The Controller may collect Personal Data that Users have submitted to Third Party Social Media Service providers in accordance with the policies of Third Party Social Media Service providers. The Controller will manage and use such personal data in accordance with this Privacy Policy at all times while the User's Personal Data is in the Controller's Service system..

The User may also have the option to share additional information with the Controller through the User’s account on the Third-Party Social Media Service. If the User chooses to provide such information and Personal Data to the Controller, during or after registration period, the User shall grant permission to the Controller to use, share, and store that information in a manner consistent with this Privacy Policy.


TRACKING TECHNOLOGIES AND COOKIES

The User uses Cookies and similar tracking technologies to track the activity on the Services and store certain information. The tracking technologies used are beacons, tags, and scripts to collect and track the information and to improve and analyze the Services. The technologies used shall include:

  1. Cookies or Browser Cookies
    A cookie is a small file placed on the User's Device. The User may instruct to the browser to reject all Cookies or to indicate when a Cookie is being sent. However, if the User rejects the Cookies, the User may not be able to use some sections of the Services. Unless the User has adjusted the browser setting so that the browser will reject Cookies, then the Services may use the Cookies.
  2. Web Beacons
    Certain sections of the Services and the Controller’s e-mails contain small electronic files known as clear web beacons (also referred to as graphics interchange format or gif), pixel tags, and single-pixel gifs that allow the Controller to, for example, count the number of the Users who have visited those pages or opened an e-mail and for other related website statistics (e.g. tracking the popularity of a particular section and as a verifying system and server integrity).

Cookies can be a Persistent Cookies or a Session Cookies. Persistent Cookies shall remain on the User’s personal computer or mobile device when the User is offline, while Session Cookies shall be immediately deleted once the User closes the web browser.

The User may reject the use of cookies by selecting the desired settings on their browser or device. In the event that the User rejects the use of cookies, the User may not be able to use all functionality of the Services.


RETENTION OF THE USER’S PERSONAL DATA

The Controller shall retain Users' Personal Data from the time the Controller obtains a legal basis for processing and only for as long as such retention is necessary for the purposes specified in this Privacy Policy. The Controller shall retain and use Users' Personal Data to the extent necessary to comply with the Controller's legal obligations (e.g., the Controller is required to retain Users' Personal Data to comply with applicable laws), resolve disputes, and enforce the Controller's legitimate policies and agreements.

The Controller shall also process and retain Personal Data to the extent that the User is still using the Services for internal analysis purposes and/or any other purposes in accordance with applicable laws and regulations. The Controller shall also retain the User's Personal Data after the User terminates the use of the Service until the necessary period with reference to the applicable laws and regulations.


TRANSFER OF THE USER’S PERSONAL DATA

The information of the User, including Personal Data, which is processed at the Controller's operating offices and at any other places where the parties involved in the processing of such data are located. It means that this information may be transferred to, and stored in the computers located outside of the User’s state, province, country or other governmental jurisdiction where the data protection laws may differ from those at the User’s jurisdiction.

The User consent to this Privacy Policy followed with the User submission on such information, representing the User consent upon the said transfer.

The Controller shall take every reasonable step as required to ensure that the User’s data is treated as secure as possible and under this Privacy Policy and no transfer of the User’s Personal Data shall take place to an organization or a country unless there are adequate controls in place including the security of the User’s data and other personal information.


DELETION OF THE USER’S PERSONAL DATA

The User has the right to delete or request for a deletion where the Controller shall assist in regarding the User’s Personal Data that the Controller has collected.

The Services may provide the User the ability to delete certain information on the User itself within the Services.

The User may update, modify, or delete the User’s information at any time by signing up for the User’s Account, if the User has owned it, and visiting the account settings section that enable the User to manage the User’s personal information. The User may also contact the Controller to request access to, correct, or delete any personal information that the User has provided to the Controller.

Please be advised accordingly that, however, the Controller may need to retain certain information when the Controller has a legal obligation or legal basis to do so.


DISCLOSURE OF THE USER’S PERSONAL DATA

  1. Business Transactions
    If the Controller is involved in a merger, acquisition or asset sale, the User’s Personal Data may be transferred. The Controller shall provide a prior notice to the User before the User’s Personal Data transferred and becomes subject to a different privacy policy. 
  2. Law Enforcement
    Under certain circumstances, the Controller may be asked to disclose the User’s Personal data if required to do so by law or in responding to valid requests from public authorities (e.g. a court or a government institution).
  3. Other Legal Requirements
    The Controller may disclose the User’s Personal Data with good faith that such action is necessary to:
    1. Comply with a legal obligation
    2. Protect and defend the rights or assets of the Controller
    3. Prevent or investigate the possibility of any wrongdoing in connection with the Services
    4. Protect the personal safety of the Users, or the public
    5. Protect the Controller from any legal liabilities


SECURITY OF THE USER’S PERSONAL DATA

The Controller will implement various security measures and strive to ensure the security of the User’s Personal Data on the Services. The User’s Personal Data is protected within a secured network and may only be accessed by an authorized officer who has special access and rights to the Services’ system. However, there is no guarantee that any method of transmission over the internet, or method of electronic storage, is completely secure or that absolute security cannot be guaranteed. While the Controller strive to use commercially acceptable means to protect the User’s Personal Data, the Controller shall not be able to guarantee an absolute security on the data.

The Controller shall store the User’s Personal Data in accordance with Law No. 27/2022 concerning Personal Data Protection (“PDP Law”) and/or other applicable laws.

The Controller shall dispose the User’s Personal Data in the event of:

  1. The purpose of the collection of the User’s Personal Data is no longer served by the retention of the User’s Personal Data;
  2. Retention is no longer necessary for any legal or business purposes;
  3. No instruction letter legitimizes the further withdrawal of the User’s Personal Data.

In the event the User is no longer using the Services, the Controller may continue to retain, use, and/or disclose the User’s Personal Data in accordance with this Privacy Policy and the Controller’s obligation under the Personal Data Protection Law (PDP Law) and any other applicable laws and regulations. By complying with the applicable laws and regulations, the Controller may securely dispose the User’s Personal Data without prior notice to the User.


CHILDREN’S PRIVACY

The Controller is not collecting Personal Data from anyone under the age of 18 without the approval of his/her parents/legal guardian. If the User is a parent or guardian and the User is aware that the User’s child has provided the Controller with Personal Data without the approval of his/her parents/legal guardian, please immediately contact the Controller. 

In the case that the Controller has become aware that the Controller has collected Personal Data from anyone under the age of 18 without verification of parental consent or guardian, the Controller shall take steps to remove the information from the Controller’s servers.

In the case that the Controller needs to rely on consent as a legal basis for processing the User’s information and the User’s country requires consent from a parent or guardian, the Controller shall require the consent from the User’s parents before the Controller collects and uses the information.


THE USER’S RIGHTS AS A SUBJECT  OF PERSONAL DATA

  1. Rights to information and access
    The User has the right to obtain information of the Controller of the parties requesting the User’s Personal Data, the purpose of the request, and access to the copies of the User’s Personal Data. The Controller shall provide an access to such information via its official means, as regulated by laws and regulations and the Controller's policies.
  2. Rights to data rectification
    The User has the right to complete, update, and/or revise the inaccurate or incorrect Personal Data.
  3. Rights to obtain, use, and/or transfer Personal Data to the other Parties
    The User has the right to obtain, utilize, or transfer the User’s Personal Data held by the Controller to third parties, provided that the communication system used between the Controller and the third party is secure.
  4. Rights to terminate the process, delete, and/or dispose Personal Data
    The User has the right to terminate the process, delete, and/or dispose the User’s Personal Data and to provide the Controller with sufficient time to terminate the process, delete, and/or dispose the User’s Personal Data insofar as needed by the Controller to exercise the right to terminate the process, delete and/or dispose the User’s Personal Data.
    The Controller’s obligation to delete and suppose the User’s Personal Data is exempted in cases of:
    1. The interests of the national defense and security;
    2. The interests of law enforcement process; 
    3. Public interest in the context of state administration; 
    4. The interests of supervision of the sectors of financial services, monetary, payment system, and financial system stability carried out in the context of state administration; or
    5. The interests of statistics and scientific search.
  5. Rights to withdraw consent
    The User has the right to withdraw the consent for the processing of Personal Data that the User has provided to the Controller, and the User agrees to provide the Controller with an additional time to process the termination of Personal Data processing as further required by the Controller. 
    The User is required to understand that the withdrawal of such consent may affect the use of the Services.
  6. Rights to file an objection to the results of an automated processing
    The User has the right to file an objection to the results of automated processing of the User’s Personal Data conducted automatically, giving rise legal consequences or significant impacts to the User.
  7. Rights to suspend or restrict the processing of Personal Data
    The User has the right to suspend or restrict the processing of the User’s Personal Data proportionally in accordance with the purpose of such processing of the User’s Personal Data.
    The User is required to understand that the requesting of such suspension or restriction of the processing may affect the use of the Services.
  8. Other Rights under applicable laws and regulations
    The User has the right to exercise any other rights related to the processing of Personal Data to the extent that those rights are provided by applicable laws and regulations.


LINKS TO OTHER WEBSITES

The Services may contain links to other websites that are not operated by the Controller. If the User clicks on a third-party link, the User will be directed to the third party's site. The Controller strongly advises the User to review the Privacy Policy of any site the User visits.

The Controller has no control over and holds no responsibility for the content, privacy policies or practices of any third-party sites or services.


AMENDMENT TO THIS PRIVACY POLICY

The Controller may amend this Privacy Policy from time to time. The Controller shall notify the User of any changes by posting the new version of this Privacy Policy on this page.

The Controller shall inform this amendment to the User through an e-mail, and/or other official communication channels of the Controller, and/or through a prominent notice on the Services.

The amendment of this Privacy Policy shall be effective as soon as the amendment published on this page. In that case, the User shall be advised to review this Privacy Policy periodically to be aware of any amendment.


CORRESPONDENCE

Shall the User have any inquiries regarding this Privacy Policy, the User may contact the Controller’s Data Protection Officer (“DPO”) at the following::

Name : Sitti Pingkan Fakhria Juwita
E-mail : sitti.pingkan@cikal.co.id


Already of a Cikal Community?

Sign In