General Articles

Welcome to our Privacy Policy. We aim to provide clarity and assurance to Users regarding how we collect, use, and protect your personal information. By reading this Privacy Policy, we hope that Users feel confident and assured that their privacy is our top priority.

In this Privacy Policy, the following terms shall have the meanings set forth below: (i) “we” or “Bank” refers to PT BPR Universal, a limited liability company established under the laws of the Republic of Indonesia and engaged in the banking sector (“BPR Universal”); (ii) “User” refers to each individual owner of Personal Data (data subject) who has used and/or will use our products and/or services, visitors and users of our website/application/electronic systems, as well as any third party to whom this Privacy Policy applies; (iii) “Business Group” refers to all affiliated companies within the same corporate group due to ownership and/or control relationships, whether directly or indirectly, by the Bank (parent company, subsidiaries, and other affiliated entities); (iv) “Personal Data” refers to data relating to a User who is identified or identifiable, either independently or in combination with other information, directly or indirectly through electronic or non-electronic systems as regulated under the Applicable Laws; (v) “Applicable Laws” refers to Law Number 27 of 2022 concerning Personal Data Protection and other relevant prevailing laws and regulations, including any amendments thereto from time to time;(vi) “Processing” refers to any action of obtaining, collecting, processing, analyzing, storing, correcting, updating, displaying, announcing, transferring, disseminating, disclosing, deleting, and/or destroying the User’s Personal Data.

The Personal Data that we process consists of Personal Data that has been and will be provided by the User to us, including Personal Data as described in the section on Collection and Acquisition of Personal Data in this Privacy Policy, for the purpose of providing banking products and/or services requested by the User. This includes fulfilling contractual obligations or our legal obligations under Applicable Laws, as well as when the User visits, accesses, and/or uses the Bank’s products and/or services, including our website/application/electronic systems in connection with the use of the Bank’s products and/or services (“Services”).

Applicability

By using our Services, the User declares that they have read, acknowledged, and understood the entire contents of this Privacy Notice, and further declares that they are a lawful and authorized party to provide their Personal Data to the Bank through the Bank’s Service channels.

We may amend, delete, and/or update this Privacy Notice from time to time as necessary. If such amendments, deletions, and/or updates constitute changes that, under Applicable Laws, require prior notification to Users, we will use reasonable efforts to notify Users in advance through our official channels.

We recommend that Users read this Privacy Policy together with our Terms and Conditions of Service, as those documents may contain service-specific information regarding how the Bank processes the User’s Personal Data.

The version of the Privacy Policy displayed on our website/application/electronic systems constitutes an update to and supersedes all previous versions of our Privacy Policy. Therefore, we encourage Users to review the Privacy Policy on our website/application/electronic systems from time to time.

Types of Personal Data

We recognize the importance for Users to understand the categories and types of Personal Data that may be processed. Such data includes:

1. Personal profile identification data, including full name, National Identity Number (NIK) for Indonesian Identity Card (KTP) holders who are Indonesian citizens (WNI) and foreign nationals (WNA), Taxpayer Identification Number (NPWP)/Tax Identification Number (TIN), immigration documents, gender, nationality, place and date of birth, mother’s maiden name, alias/nickname, religion, voice recordings, image recordings, photographs, the User’s signature (wet and/or electronic), and/or biometric data;

2. Correspondence data, including address as stated on the KTP, domicile address and status, email address, telephone/mobile phone number, and emergency contact details including name, relationship to the User, address, telephone/mobile phone number, and email;

3. Education and employment data, including level of education, type of occupation, line of business, position, division, year of commencement of employment/business, name of employer/company/agency, workplace address, employment status, as well as the name, position, and telephone number of colleagues;

4. Family data, including marital status, spouse’s name, number of children, and number of dependents;

5. Financial data, which may include account numbers, source of income, amount of monthly/annual income, amount of monthly/annual expenses, transaction data, credit/financing data, investment-related data, asset-related data, collateral-related data, tax data, and service data from other financial services received by the User;

6. Digital activity data, which may include geolocation, IP address/MAC Address, the User’s activity within the Bank’s application, and the interaction between the Bank’s application and other applications on the User’s electronic device; and/or

7. Other personal-related data, which may include health information, records of legal violations, communication preferences, hobbies, and interests.

Sources of Personal Data

To support us in providing optimal Services to Users, we will collect the User’s Personal Data from various sources, including the following:

1. From the User directly;

2. Information about the User generated when the User applies for a Service, uses our Services, or has previously used our Services;

3. Personal Data obtained from the Bank’s Business Group and/or other third parties who are partners of the Bank or have cooperation agreements with the Bank;

4. Cookies, location services, the User’s IP address when the User visits our website/application/electronic systems, or when the User fills out our contact form on our website/application/electronic systems, or data that the User permits to be accessed through the User’s device;

5. From correspondence between the User and the Bank via email, physical mail, or the Bank’s official correspondence/communication channels; and/or from survey data provided to the Bank.

Use of Personal Data

The processing of the User’s Personal Data by the Bank is carried out for the following purposes:

1. The purposes of processing the User’s Personal Data are as follows:
   a. To provide or deliver our products or Services, both offline and online.
   b. To support banking operations.
   c. To facilitate identification or verification activities prior to providing Services to the User or before registering the User as a customer/consumer, including conducting customer due diligence, enhanced due diligence, and credit scoring.
   d. To fulfill obligations related to the implementation of Anti-Money Laundering (AML), Counter-Terrorism Financing (CTF), and Counter-Proliferation Financing of Weapons of Mass Destruction (CPF-WMD) in accordance with applicable laws and regulations, including reporting to authorized institutions/agencies regarding Money Laundering/Terrorism Financing and/or Proliferation Financing of Weapons of Mass Destruction.
   e. To prevent, detect, investigate, and address money laundering, terrorism financing, proliferation financing of weapons of mass destruction, fraud, unlawful acts, or harmful activities.
   f. To analyze and manage risks and ensure our business continuity.
   g. To respond to, process, and handle User complaints, inquiries, requests, and suggestions.
   h. To manage our relationship with the User.
   i. To request the User to provide input, feedback, or participate in surveys, as well as to conduct research and/or analysis for statistical or other purposes.
   j. To design Services/products and/or to review, develop, and improve the quality of our products and Services.
   k. To conduct consumer behavior analytics, preference analysis, and market trend analysis, including analyzing how the User utilizes our products or Services.
   l. To perform data analysis to better understand the User’s circumstances and preferences so that we can ensure the best service and offer products or Services tailored to the User’s conditions or needs.
   m. To conduct audits, business operational administration, and implement our internal policies and procedures.
   n. To correspond with our lawyers, surveyors, appraisers, and intermediaries.
   o. To send the User marketing information, advertisements, and surveys regarding our Services and products, whether through traditional marketing methods or online advertising, including informing Users of updates/changes/maintenance of our Services.

Legal Basis for Processing Personal Data

The processing of Personal Data will only be carried out by the Bank to the extent that the Bank has fulfilled one or more of the following legal bases for processing:

1. The Bank has explicitly and lawfully obtained consent from the User;

2. The Bank exercises its rights and fulfills its obligations under an agreement with the User;

3. The Bank is required to exercise its authority or comply with obligations under applicable laws and regulations or pursuant to an order from an authorized authority;

4. The Bank is required to protect the vital interests of the User;

5. The Bank is required to perform tasks in the public interest and/or for public service purposes;

6. The Bank is required to fulfill other legitimate interests, while taking into account the balance between the Bank’s interests and the rights of the User.

Management of Personal Data

The Bank is committed to storing and managing the User’s Personal Data with the highest level of protection for as long as necessary to provide our Services. We will process the User’s Personal Data for as long as the User remains a customer or user of our Services. Thereafter, the User’s Personal Data will be retained for a period of 5 (five) years following the termination of the relationship with the User or for a longer period if such retention is necessary or required under applicable laws and regulations (the “Retention Period”).

The Bank may delete and/or destroy the User’s Personal Data from our systems so that such Personal Data can no longer identify the User, except in the following circumstances:

1. If it is necessary to retain the Personal Data to comply with legal obligations, future evidentiary purposes, taxation, audit, and accounting requirements; and/or

2. If the Personal Data is still within the retention period as required under applicable laws and regulations.

When destroying Personal Data, we will take reasonable measures to permanently destroy, erase, or render the Personal Data practically irrecoverable. The specific method of destruction will depend on the type of Personal Data being destroyed and the manner in which such Personal Data was collected and stored.

Disclosure of Personal Data

1. We may disclose the User’s Personal Data to other companies, organizations, individuals, affiliates, regulators, and other parties cooperating with us in connection with the provision of Services to the User, taking into account the applicable legal basis for processing, for the following purposes or other purposes permitted under applicable laws and regulations:
   a. To facilitate the provision of services, products, or other interactions between us, the User, and/or service providers.
   b. For internal audit and/or digital forensic purposes related to criminal acts or violations of laws or internal policies within PT BPR Universal and our affiliates.
   c. To assist in detecting, preventing, and addressing fraud, financial crimes, unlawful acts, or activities that may harm us or the User.
   d. To exercise, protect, defend, or enforce the rights of PT BPR Universal, including undertaking measures to handle outstanding credit issues involving the User.
   e. For law enforcement purposes, court interests, dispute resolution, our supervisory authorities, auditors, and any party appointed or requested by our supervisory authorities to conduct investigations or audits of our activities.
   f. To comply with or implement requirements mandated by applicable laws and regulations (including but not limited to responding to regulatory inquiries, audit requirements, reporting obligations, investigations, criminal proceedings, judicial processes in divorce or civil cases between us and customers, audit processes, and compliance with legal archiving and reporting requirements), for purposes stipulated under applicable laws and regulations.
   g. In connection with corporate transactions such as mergers, acquisitions, consolidations, or asset sales, in which case the User’s Personal Data may be disclosed and transferred as part of such transaction.
   h. For legal proceedings between the User and us or between the User and other parties, in connection with or related to our Services, as relevant to such legal process.
   i. To fulfill mutual legal assistance in criminal matters.
   j. To respond to requests for financial information for taxation purposes in accordance with applicable laws and regulations.
   k. For the interests of other institutions for state administration purposes at the central level and in the public interest in accordance with their duties and authority under the law.
   l. For the execution of duties in the monetary, macroprudential, and payment system sectors by Bank Indonesia.

Security of Personal Data

The Bank is committed to ensuring that the User’s information or Personal Data obtained through the Bank’s Services remains secure during the processing of Personal Data (and throughout the Retention Period). In implementing this commitment, the Bank has established procedures and utilizes electronic systems equipped with an adequate level of security as required under applicable laws and regulations. These measures include restricting access to the User’s Personal Data solely to authorized parties on a need-to-know basis, ensuring that parties processing the User’s Personal Data do so only in a permitted manner and are obligated to maintain confidentiality, maintaining dedicated functions responsible for safeguarding the security of Personal Data, and implementing other security measures as required by applicable laws and regulations.

When accessing the Bank’s Services or products, please ensure that you download the Bank’s Services or products through the official App Store or Play Store and not from links provided by unauthorized parties. In addition, the Bank may require the User to:

1. Enter a Login Password and/or Transaction MPIN and/or use biometric access before accessing the Bank’s Services;

2. Maintain the confidentiality of the Login Password and/or Transaction MPIN and not disclose them to any party;

3. Contact the Bank if the Login Password and/or Transaction MPIN is blocked and follow the Bank’s instructions to reactivate the Bank’s Services or products.

Please note that the transmission of information via online channels is not entirely secure. Although we have made our best efforts to protect the User’s Personal Data, there remains a possibility of security risks to data/information transmitted through the network used by the User. Upon receiving data/information from the User, we will apply strict procedures and secure features as efforts to prevent unauthorized access.

In the event of unauthorized access or illegal activities affecting the confidentiality of the User’s Personal Data beyond the Bank’s control, the Bank will promptly notify the User at the earliest opportunity so that the User may mitigate potential risks arising from such incidents.

The User is responsible for maintaining the confidentiality of their information and Personal Data details, including username, password, email, and OTP information, and for safeguarding and being responsible for the security of the device used.

Rights of Data Subjects

Users have the right to:

1. Obtain access to and request a copy of their Personal Data, including obtaining and/or using their Personal Data in a format that is structured and/or commonly used and machine-readable. We reserve the right to charge a reasonable fee to fulfill such requests;

2. Request us to correct inaccurate data, complete incomplete Personal Data, or update Personal Data. However, we may not accommodate requests to change Personal Data if we believe that such changes would violate applicable laws and regulations or legal requirements, or result in inaccurate information;

3. Submit complaints to the data protection authority or other independent regulators regarding how we use Users’ Personal Data, as well as request compensation and enforcement of obligations that must be fulfilled by the Personal Data Controller in relation to violations of Personal Data processing;

4. Request us to terminate processing, delete, and/or destroy Personal Data if it is no longer necessary for the purposes set out in the Personal Data Use section, or if there is no other legal basis for processing, or if not restricted by applicable provisions. Upon receiving such a request for termination, deletion, and/or destruction, we will provide confirmation of receipt and subsequently confirm once the Personal Data has been deleted and/or destroyed as required by applicable Regulations. As a consequence, Users may not be able to receive/use our Services if they request deletion/destruction of Personal Data, whether partially or entirely;

5. Object to the use of Personal Data for direct marketing purposes (including related profiling) or other processing based on legitimate interests;

6. Object to automated decision-making processes, including profiling, that produce legal effects or significantly impact the User;

7. Where relevant, Users may proportionally delay or restrict the processing of their Personal Data. If such restriction is not possible, we will notify the User accordingly. However, Users may still exercise other rights described in this Privacy Notice, including withdrawing consent for the processing of Personal Data, provided that Users understand and accept the potential consequences related to the provision of products and/or services (if any).

8. Where processing is based on consent, Users may withdraw their consent at any time regarding the processing of their Personal Data by us. Upon receiving such withdrawal, we will confirm receipt and proceed to stop processing the Personal Data, provided that Users understand and accept the potential consequences related to the provision of products and/or services (if any).

Acting on Behalf of Others

Users are required to provide accurate data and information, including Personal Data, to the Bank. Failure to provide certain data and/or information may result in the Bank being unable to fully provide Services to the User.

When Users provide us with Personal Data about another person, the User represents that they have been appointed and authorized by that person to provide their Personal Data and/or act on their behalf. The User further ensures and warrants that the individual understands and agrees that their Personal Data will be further processed in accordance with applicable Regulations. This includes giving consent for:

1. Our processing of their Personal Data and sensitive Personal Data (as described in the Personal Data Collection and Acquisition section above); and

2. The User to receive privacy protection notices on their behalf.

Offer of Products and Services

We may send information about our products and/or services, as well as carefully selected third-party services, through the Bank’s official channels and directly through Users’ communication channels, including by mail or electronic means such as telephone calls, email, social media, and other electronic media. This includes details about products, services, and any special offers. We will only do so if Users have given their consent for us to contact them through electronic and/or non-electronic means.

Withdrawal of consent to receive direct marketing communications, whether through electronic or non-electronic media, may be made through one of the channels listed in the Contact Us section. Upon receiving such a withdrawal request, we will confirm receipt and proceed to stop processing the User’s Personal Data for that purpose. Please note that even if Users request us not to send product and service offer messages, we will continue to use their contact information to send important communications, such as updates to terms and conditions, transaction information, notifications required to comply with applicable laws and regulations, service-related information, educational materials, and other communications necessary to fulfill our obligations to Users.

Contact Us

Users may contact us through the following channels:

1. Our Head Office: Ruko Emerald Avenue I No. 16-17, Jl. Boulevard Bintaro Jaya, Parigi, Pondok Aren, South Tangerang, Banten 15227.

2. Customer Service Contact Information:
   a. Universal Care : 02122213993
   b. E-mail : customercare@universalbpr.co.id