1. Introduction

PT. Cerebrum Edukanesia Nusantara (“Company”, “we”, “us”, or “our”) is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, protect, and share your personal information when you access and use JadiBUMN (“Platform”), accessible at https://jadibumn.id, the platform for state-owned enterprise recruitment preparation.

This Privacy Policy should be read together with our Terms and Conditions. By registering for an account, accessing, or using the Platform, you acknowledge that you have read and understood this Privacy Policy and consent to the collection and processing of your personal data as described herein.

This Privacy Policy is drafted in compliance with Indonesian Law No. 27 of 2022 on Personal Data Protection (Undang-Undang Perlindungan Data Pribadi, “UU PDP”) and other applicable regulations.

2. Data Controller

The data controller responsible for your personal data processed through JadiBUMN is:

As the data controller, we determine the purposes and means of processing your personal data and are responsible for ensuring that such processing complies with applicable data protection laws.

3. Personal Data We Collect

We collect and process the following categories of personal data:

3.1 Identity Data

1. Full name — obtained automatically from your Google account during registration via Google OAuth;
2. Email address — obtained automatically from your Google account during registration; this field is read-only and cannot be modified after account creation;
3. Google profile photo — obtained from your Google account if publicly available.

3.2 Contact Data

1. Phone number — collected during the checkout/package purchase process; not required at registration;
2. WhatsApp number — collected when you interact with our customer support or join community groups.

3.3 Location Data

1. Province and city of residence — collected when you access the Tryout result analysis feature; this data is used for regional performance benchmarking and is not collected at registration.

3.4 Learning Activity Data

1. Tryout attempt history, scores, and answer records;
2. Course progress and completion status;
3. Liveclass attendance and replay viewing history;
4. Journey/Guided Learning progress through learning nodes;
5. Practice Question (Latsol) activity and results;
6. Bookmarks and saved content.

3.5 Transaction Data

1. Membership package purchase history;
2. Payment method selected (via third-party Payment Gateways);
3. Transaction status (Success, Pending, Expired, Cancelled);
4. Voucher codes applied and affiliate referral codes used;
5. Invoice records and payment confirmation timestamps.

3.6 Technical and Device Data

1. Browser type and version;
2. Operating system and device type (web, Android, iOS);
3. IP address;
4. Device identifiers and push notification tokens (Firebase Cloud Messaging / FCM);
5. Session data and access timestamps;
6. App version (mobile application).

3.7 Helpdesk and Support Data

1. Issue reports and inquiry messages submitted through the Helpdesk;
2. Screenshots or attachments uploaded in support tickets;
3. Communication history with our VOC (Voice of Customer) team.

4. How We Collect Your Data

We collect your personal data through the following methods:

Method	Description	Data Collected
Google OAuth SSO	Single Sign-On authentication at registration. No additional registration form is required (lazy collection principle).	Full name, email address, profile photo
In-context collection	Data collected only when a specific feature requires it, at the point of use — not upfront.	Phone number (checkout), province/city (Tryout analysis)
Automatic collection	Data generated through your interaction with the Platform, collected by our systems automatically.	Learning activity, technical/device data, session data
Payment Gateway callbacks	Transaction confirmation data received from third-party payment providers after payment processing.	Transaction status, payment confirmation
User-submitted data	Information you voluntarily provide through Helpdesk reports, support tickets, or profile updates.	Support messages, attachments, profile updates

5. Purpose of Data Processing

We process your personal data for the following purposes:

1. Account creation and authentication — to create and manage your Account on the Platform using Google OAuth SSO, and to authenticate your identity each time you access the Platform;
2. Service delivery — to provide, operate, and maintain the Services, including Tryout, Latsol, Course, Liveclass, and Journey features tailored to BUMN (State-Owned Enterprise) recruitment;
3. Personalization — to display personalized analysis results, learning recommendations, performance benchmarks, and progress reports based on your learning activity data;
4. Transaction processing — to process Membership purchases, verify payments through Payment Gateways, activate packages, apply vouchers, and manage billing;
5. Customer support — to handle your complaints, inquiries, and issue reports submitted through the Helpdesk, and to communicate resolutions through our VOC team;
6. Notifications — to send you push notifications (via Firebase Cloud Messaging), announcements, Liveclass reminders, and other Service-related communications;
7. Analytics and improvement — to conduct internal analytics for understanding usage patterns, improving Service quality, and optimizing Platform performance;
8. Security and fraud prevention — to detect, prevent, and investigate unauthorized access, cheating, or other prohibited activities on the Platform;
9. Legal compliance — to fulfill our obligations under applicable laws and regulations, including UU PDP and related regulations.

6. Legal Basis for Processing

In accordance with UU PDP, we process your personal data based on the following legal grounds:

1. Consent — by registering and using the Platform, you provide explicit consent for the processing of your personal data as described in this Privacy Policy;
2. Contractual necessity — processing necessary for the performance of the contract between you and the Company (i.e., providing the Services you have subscribed to);
3. Legitimate interest — processing necessary for our legitimate interests, such as improving our Services, ensuring Platform security, and preventing fraud, provided these interests do not override your fundamental rights;
4. Legal obligation — processing necessary to comply with our legal obligations under Indonesian law.

7. Data Storage and Security

7.1 Infrastructure

1. Your personal data is stored on servers managed by the Company using Google Cloud Platform (GCP) infrastructure located in secure data center facilities.
2. OAuth tokens are stored with per-user device tracking and support force-revocation capabilities for security purposes.

7.2 Security Measures

We implement reasonable technical and organizational measures to protect your personal data, including but not limited to:

1. Encrypted data transmission using HTTPS/TLS protocols;
2. Google Cloud Secret Manager for sensitive credential storage;
3. Role-based access controls limiting internal access to personal data;
4. Regular security assessments and vulnerability monitoring;
5. Per-user OAuth token management with device-level tracking and force-revocation;
6. Separate database credentials and configurations for data isolation.

While we take commercially reasonable measures to secure your data, no method of transmission over the internet or method of electronic storage is 100% secure. We cannot guarantee absolute security of your personal data.

8. Cookies and Tracking Technologies

The Platform uses cookies and similar technologies for the following purposes:

Cookie / Technology	Purpose	Type
Authentication cookies	To maintain your login session and authenticate your identity across page loads	Essential / Functional
Google Analytics cookies	To collect anonymized usage statistics for internal analytics and Platform improvement	Analytics
Firebase Cloud Messaging (FCM)	To deliver push notifications for announcements, Liveclass reminders, and Service updates	Functional
Session and preference cookies	To remember your preferences, app version, and session state	Functional

You may manage cookie preferences through your browser settings. Please note that disabling essential cookies may affect the functionality of the Platform.

10. Data Sharing and Disclosure

We do not sell, rent, or trade your personal data to third parties for their marketing purposes. We may share your personal data only in the following circumstances:

1. Service providers — with third-party service providers described in Section 9, strictly for the purpose of providing and operating the Services;
2. Legal requirements — when required to comply with applicable laws, regulations, legal processes, or enforceable governmental requests;
3. Protection of rights — when necessary to protect the rights, property, or safety of the Company, our users, or the public;
4. Business transfers — in connection with a merger, acquisition, or sale of assets, your personal data may be transferred as part of the transaction, subject to the same level of protection described in this Privacy Policy;
5. With your consent — in any other circumstances where we have obtained your explicit prior consent.

11. Data Retention

1. We retain your personal data for as long as your Account is active or as needed to provide you with the Services.
2. Our systems operate on a soft-delete architecture, meaning that when data is deleted through user-facing features, it is marked as inactive rather than permanently erased from our databases. This approach ensures data integrity for audit trails and regulatory compliance.
3. After account closure or deletion request, we may retain certain data for a reasonable period as required by applicable laws and regulations, including but not limited to tax, accounting, and legal compliance obligations.
4. Learning activity data (Tryout scores, Course progress) may be retained in anonymized or aggregated form for analytical purposes even after account deletion.
5. Transaction records are retained in accordance with Indonesian tax and commercial record-keeping requirements.

12. Your Rights as a Data Subject

In accordance with UU PDP (Law No. 27 of 2022), you have the following rights regarding your personal data:

1. Right to access — you have the right to request access to the personal data we hold about you and to obtain a copy of such data;
2. Right to rectification — you have the right to request the correction or update of inaccurate or incomplete personal data;
3. Right to erasure — you have the right to request the deletion of your personal data, subject to applicable legal retention requirements;
4. Right to restrict processing — you have the right to request the restriction of processing of your personal data under certain circumstances;
5. Right to data portability — you have the right to request the transfer of your personal data in a structured, commonly used, and machine-readable format;
6. Right to withdraw consent — you have the right to withdraw your consent for processing at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
7. Right to object — you have the right to object to the processing of your personal data based on legitimate interests.

To exercise any of these rights, please contact us using the information provided in Section 16 (Contact Us). We will respond to your request within 3 × 24 (three times twenty-four) hours as required by UU PDP.

13. Account Deletion

1. You may request the deletion of your Account through the “Delete Account” feature available in the Account & Profile menu on the Platform.
2. Upon submission of a deletion request, your Account will be marked for deletion and access to the Platform will be restricted.
3. The deletion process will be carried out in accordance with our internal procedures and applicable regulations, including any mandatory data retention periods.
4. Certain data may be retained after account deletion to comply with legal obligations, resolve disputes, or enforce our Terms and Conditions. Such retained data will be stored securely and processed only for the specific retention purpose.
5. Account deletion is irreversible. All Membership packages, learning progress, Tryout history, and other associated data will become permanently inaccessible.

14. Children’s Privacy

1. JadiBUMN is designed for job seekers preparing for recruitment examinations at Indonesian state-owned enterprises. The Platform is not directed at children under the age of 13.
2. We do not knowingly collect personal data from children under 13 years of age. If we become aware that we have inadvertently collected personal data from a child under 13, we will take steps to delete such data as promptly as possible.
3. For users between the ages of 13 and 18, we recommend that registration and use of the Platform be conducted with the knowledge and consent of a parent or legal guardian.

15. Changes to This Privacy Policy

1. We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or operational needs.
2. Any material changes to this Privacy Policy will be communicated to you through notifications on the Platform, email, or other official communication channels prior to the changes taking effect.
3. Your continued use of the Platform after any modification constitutes your acceptance of the revised Privacy Policy.
4. The latest version of this Privacy Policy will always be available on the designated page of the Platform, with the effective date clearly indicated at the top.
5. We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal data.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, you may contact us through the following channels:

We will acknowledge receipt of your inquiry and respond within 3 × 24 hours in accordance with UU PDP requirements.