Privacy Policy

Last updated: May 2026

1. Who We Are

ZenMiles is operated by a PT Perorangan registered in Indonesia. As the Data Controller under Law No. 27 of 2022 on Personal Data Protection (UU PDP), we are responsible for how your personal data is collected, used, and protected.

Contact: privacy@zenmiles.app

2. Data We Collect

We only collect data necessary to provide the service:

  • Account data: name, email address, phone number, country.
  • Loyalty program data: program name, membership number, points balance, expiry dates.
  • Credit card data: card name, statement and due dates, annual fee dates. We never store full card numbers — tokenisation is handled by Xendit (PCI DSS Level 1).
  • Usage data: anonymised activity logs for service improvement via Mixpanel.
  • Device data: anonymous device identifier, push notification token via Firebase.

3. Legal Basis for Processing

We process your personal data on the following grounds:

  • Contract performance — to deliver the ZenMiles service you requested.
  • Legitimate interests — to improve security and service quality.
  • Consent — for marketing communications, which you can withdraw at any time.

4. Sharing Your Data

We do not sell your data. Data is shared only with the following service providers who help us operate ZenMiles:

  • Supabase — database and authentication (servers in Singapore).
  • Firebase (Google) — push notifications and phone authentication.
  • Xendit — QRIS payment processing (licensed by Bank Indonesia).
  • Wise — international remittance (Phase 3).
  • Midtrans — web subscription payment processing.
  • Mixpanel — anonymised usage analytics.

5. Your Rights

Under UU PDP, you have the right to:

  • Know what personal data we hold about you.
  • Correct inaccurate data.
  • Request deletion of your data — your account is soft-deleted immediately and permanently deleted after 30 days.
  • Withdraw marketing consent at any time.
  • Export your data in a structured format (data portability).

To exercise any of these rights, email us at privacy@zenmiles.app.

6. Data Security

We apply appropriate technical and organisational measures including TLS encryption in transit, encryption at rest, role-based access controls, and continuous security monitoring.

7. Data Retention

Active account data is retained for as long as your account is active. Following a deletion request, data is soft-deleted within 24 hours and permanently purged within 30 days, unless we are legally required to retain it longer.

8. Changes to This Policy

We will notify you of material changes to this policy via in-app notification and email at least 14 days before they take effect.

9. Contact

For privacy questions or to exercise your rights: privacy@zenmiles.app