Last Modified: March 1, 2026 10:16:04 UTC+7 (Jakarta/Bangkok)
GDPR Policy
Effective Date: March 1, 2026 06:44:26
This GDPR Policy explains how YPYM Company ("we," "us," or "our") complies with the General Data Protection Regulation (EU) 2016/679 ("GDPR") when processing personal data of individuals located in the European Economic Area (EEA), United Kingdom, and Switzerland. This policy supplements our main Privacy Policy.
1. Scope of This Policy
This policy applies when:
- We offer goods or services to individuals in the EEA/UK/Switzerland
- We monitor the behavior of individuals in the EEA/UK/Switzerland
- We process personal data on behalf of an EEA/UK/Swiss-based controller
2. Data Controller Information
The data controller responsible for your personal data is:
3. Legal Basis for Processing (Article 6)
We process personal data only when we have a valid legal basis under GDPR Article 6:
| Legal Basis | When We Use It |
|---|---|
| Consent (Art. 6(1)(a)) | Marketing emails, non-essential cookies, newsletter subscriptions |
| Contract (Art. 6(1)(b)) | Providing services you've requested, processing orders, account management |
| Legal Obligation (Art. 6(1)(c)) | Tax reporting, regulatory compliance, fraud prevention |
| Legitimate Interest (Art. 6(1)(f)) | Analytics, security monitoring, service improvements, direct marketing to existing customers |
4. Your Rights as a Data Subject
Under GDPR, you have the following rights regarding your personal data:
| Right | GDPR Article | Description |
|---|---|---|
| Access | Art. 15 | Obtain a copy of your personal data and information about how it is processed |
| Rectification | Art. 16 | Correct inaccurate or incomplete personal data |
| Erasure | Art. 17 | Request deletion of your personal data ("right to be forgotten") |
| Restriction | Art. 18 | Limit how we process your data in certain circumstances |
| Portability | Art. 20 | Receive your data in a structured, machine-readable format |
| Objection | Art. 21 | Object to processing based on legitimate interests or direct marketing |
| Automated Decisions | Art. 22 | Not be subject to solely automated decision-making with legal effects |
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days of receiving your request.
5. International Data Transfers
As we are based in Indonesia, personal data of EEA/UK residents may be transferred to countries outside the EEA/UK. We ensure adequate protection through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where available
- Binding Corporate Rules for intra-group transfers
- Your explicit consent where other mechanisms are unavailable
6. Data Protection Officer (DPO)
Our Data Protection Officer can be contacted at:
Email: [email protected]
Address: IDX Tower 1, 3rd Floor, Jakarta, Indonesia, 12190
7. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms:
- We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (Art. 33)
- If the breach is likely to result in high risk to your rights, we will notify you directly without undue delay (Art. 34)
- We maintain a breach register documenting all incidents, their effects, and remedial actions taken
8. Right to Lodge a Complaint
If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. We encourage you to contact us first at [email protected] so we may attempt to resolve your concern.
9. Contact Us
For GDPR-related inquiries or to exercise your data subject rights:
Questions About GDPR?
If you have any questions about our GDPR compliance or wish to exercise your data rights, please email us at [email protected]. You can also read our full About Us page for more information on our company.