CorePixel
CorePixel
Back to home
Legal

Privacy Policy

How CorePixel collects, uses, protects, and shares personal data across our website, products, and digital services.

Privacy Policy

Effective date: May 21, 2026
Last updated: May 30, 2026

CorePixel ("we", "us", or "our"), operated by PT COREPIXEL TEKNOLOGI INDONESIA, respects the privacy of every visitor, prospective client, client, user, and other party who uses our website at https://corepixel.id, related pages, and our digital products and services, including but not limited to RestoPage, PropertyStudio, Klinikal AI, Lexara AI, WhatsApp Business API integrations, automation services, and related services.

This Privacy Policy explains the types of Personal Data we collect, the purposes and legal bases for processing, how we protect data, the parties that may receive data, your rights as a Personal Data Subject, and how to contact us for privacy-related requests.

We prepare and apply this Privacy Policy with reference to applicable laws and regulations of the Republic of Indonesia, including but not limited to:

  • Law Number 27 of 2022 on Personal Data Protection (PDP Law);
  • Law Number 11 of 2008 on Electronic Information and Transactions, as amended by Law No. 19 of 2016 and Law No. 1 of 2024;
  • Government Regulation No. 71 of 2019 on the Operation of Electronic Systems and Transactions;
  • requirements related to Private Scope Electronic System Operators (PSE), to the extent applicable to our services;
  • consumer protection, electronic commerce, and other related regulations applicable in Indonesia.

Note: This Privacy Policy is a general document. For certain services, especially SaaS, AI, WhatsApp integrations, clinic, health/beauty, law firm, or other services that process sensitive data or client-owned end-user data, additional agreements, a Data Processing Agreement, order form, proposal, or separate special terms may apply.

1. Definitions

In this Privacy Policy:

  • "CorePixel", "we", "us", or "our" means PT COREPIXEL TEKNOLOGI INDONESIA.
  • "You" means website visitors, prospective clients, clients, users, end users, or other parties whose data is processed by or through our services.
  • "Personal Data" means any data relating to an identified or identifiable individual, whether directly or indirectly, separately or combined with other information, through electronic or non-electronic systems.
  • "Personal Data Subject" means an individual to whom Personal Data relates.
  • "Personal Data Controller" means a party that determines the purposes of and controls Personal Data processing.
  • "Personal Data Processor" means a party that processes Personal Data on behalf of a Personal Data Controller.
  • "Client" means an individual or business entity that orders, uses, or receives services from CorePixel.
  • "End User" means a customer, patient, prospective customer, team member, or other party who uses or interacts with a Client-owned system built, provided, or managed by CorePixel.
  • "Services" means all CorePixel digital services, including websites, landing pages, SaaS, AI assistants, WhatsApp automation, hosting, domains, maintenance, third-party integrations, and related services.

2. CorePixel Identity and Contact

ItemDetails
Legal Entity NamePT COREPIXEL TEKNOLOGI INDONESIA
Trade NameCorePixel
AddressKab. Banjar, South Kalimantan, Indonesia
Emailhello@corepixel.id
WhatsApp+62 859-6142-9667 / +62 853-9831-7561
Websitehttps://corepixel.id
Privacy Contacthello@corepixel.id with subject: Privacy / PDP Request

3. CorePixel's Role as Data Controller and/or Data Processor

In certain contexts, CorePixel may act as a Personal Data Controller and/or Personal Data Processor.

3.1 CorePixel as Personal Data Controller

We act as a Personal Data Controller for data that we collect and process for our own business operations, including:

  • data of visitors to the CorePixel website;
  • data of prospective clients who contact us through forms, email, WhatsApp, social media, or other communication channels;
  • client data for proposals, contracts, invoices, payments, project administration, support, and marketing;
  • business communications between you and CorePixel;
  • website analytics data, cookies, and marketing data used to improve our services.

3.2 CorePixel as Personal Data Processor

For Personal Data belonging to customers, patients, prospective customers, end users, team members, or other parties that is collected, entered, sent, or processed by a Client through CorePixel products or services, including RestoPage, PropertyStudio, Klinikal AI, Lexara AI, WhatsApp Business API integrations, reservation systems, dashboards, simple CRM, chatbots, or other SaaS services, CorePixel may act as a Personal Data Processor processing data based on the Client's instructions as the Personal Data Controller.

When CorePixel acts as a Personal Data Processor:

  • the Client is responsible for ensuring a lawful basis, consent, privacy notice, and valid authority to collect and process End User Personal Data;
  • CorePixel will process Personal Data according to the Client's instructions, service agreement, Data Processing Agreement, and applicable laws and regulations;
  • CorePixel will not use End User Personal Data for purposes outside providing services to the Client, unless required by law or lawfully approved;
  • the responsibilities of each party may be further regulated in a cooperation agreement, proposal, order form, or Data Processing Agreement.

4. Personal Data We Collect

We only collect Personal Data that is relevant and necessary to operate our services in a reasonable, lawful, and proportionate manner.

4.1 Data you provide directly

Data you may provide directly to us includes:

  • full name or business name;
  • email address;
  • phone or WhatsApp number;
  • company name, position, industry, and other business information;
  • message content, project brief, business needs, documents, files, materials, or information you send through forms, WhatsApp, email, or other channels;
  • project administration data, such as PIC details, meeting schedules, revision notes, approvals, and project communications;
  • payment data, such as account holder name, bank name, transfer proof, invoice number, and transaction information; we do not intentionally store credit card data directly;
  • other information you voluntarily provide to us.

4.2 Data collected automatically

When you access our website or services, we may automatically collect certain data, including:

  • IP address;
  • device type;
  • operating system;
  • browser type and version;
  • pages visited;
  • visit time and duration;
  • referrer URL;
  • website interaction data;
  • cookies, pixels, tags, and similar tracking technologies;
  • system logs, access logs, security logs, and other technical data required for service security and operations.

4.3 Data from third parties

We may lawfully receive data from third parties, including:

  • analytics data from Google Analytics or similar analytics services;
  • interaction data from Meta Business Platform or WhatsApp Business API if you contact us or our Clients through those channels;
  • payment data from banks or payment gateways;
  • data from domain, hosting, email, CRM, form, or cloud service providers used to provide our services;
  • public or business data that you make publicly available, such as business websites, business social media profiles, or business directories.

4.4 Client-owned End User data

For certain services, Clients may enter or connect End User Personal Data into systems that we build, manage, or provide. Such data may include:

  • customer names, emails, phone numbers, addresses, and identities;
  • reservation history, schedules, orders, transactions, or service preferences;
  • WhatsApp conversations, chats, forms, or customer messages;
  • user account data, roles, access, and dashboard activity;
  • other data entered by the Client or End User into the system.

For this data, the Client is responsible for ensuring that collection and processing have a lawful basis.

4.5 Sensitive or high-risk data

Some of our services, especially services for clinics, beauty, healthcare, law firms, finance, education, or other sensitive sectors, may involve more sensitive or higher-risk data, such as:

  • health data, complaints, treatment history, procedure schedules, or patient information;
  • photos of face, skin, teeth, or other body parts used for service purposes;
  • legal consultation data, legal documents, or case information;
  • financial data, invoices, or business transactions;
  • children's data or data of vulnerable parties, if a Client's service interacts with them.

CorePixel does not ask Clients to enter sensitive data into a system unless the data is necessary for the agreed service. If a Client uses our services to process sensitive data, the Client must ensure that such processing has a valid legal basis, required consent, adequate privacy notice, and appropriate safeguards.

5. Purposes and Legal Bases for Data Processing

We process Personal Data for the following purposes, using legal bases consistent with the PDP Law and related regulations.

Processing PurposeLegal Basis
Responding to questions, consultations, and information requestsConsent, pre-contractual steps, and/or legitimate interests
Preparing offers, proposals, contracts, invoices, and project administrationContract performance and/or pre-contractual steps
Providing, developing, maintaining, and supporting services you orderContract performance
Providing SaaS, dashboards, integrations, hosting, domains, AI assistants, and WhatsApp automationContract performance, legitimate interests, and/or processing based on Client instructions
Managing accounts, access, authentication, security, and user rolesContract performance and legitimate interests
Sending service updates, technical notices, feature changes, and important informationContract performance and legitimate interests
Analyzing website performance, improving user experience, and developing servicesLegitimate interests and/or consent for non-essential cookies
Measuring marketing campaign effectiveness and retargetingConsent, where required by law or relevant platform policies
Sending newsletters, promotions, or marketing materialsConsent; you may unsubscribe at any time
Fulfilling tax, accounting, audit, legal, and compliance obligationsCompliance with legal obligations
Preventing misuse, spam, fraud, unauthorized access, security incidents, or legal violationsLegitimate interests and/or legal compliance
Handling disputes, claims, investigations, or requests from authoritiesLegitimate interests, legal defense, and/or legal obligations

We will not process Personal Data for purposes incompatible with the original collection purpose unless permitted by law, necessary for legitimate legal interests, or supported by an appropriate processing basis.

6. Cookies, Analytics, Pixels, and Tracking Technologies

Our website and services may use cookies, pixels, tags, SDKs, local storage, and similar technologies to operate the website, maintain security, analyze performance, and support marketing.

6.1 Types of cookies we may use

  • Essential cookies: required for the website and services to function, such as security, sessions, authentication, basic preferences, and misuse prevention.
  • Functional cookies: used to remember your preferences, such as language or display choices.
  • Analytics cookies: used to understand how visitors use the website, for example through Google Analytics or similar tools.
  • Marketing cookies: used to measure campaigns, ads, remarketing, or integrations with platforms such as Google Ads or Meta, if enabled.

6.2 Managing cookies

You may manage or disable cookies through your browser settings. For non-essential cookies, we will seek to provide a reasonable notice or consent-management mechanism in line with service development and applicable legal obligations.

Disabling certain cookies may affect the functionality, security, or user experience of the website and services.

7. Data Sharing with Third Parties

We do not sell your Personal Data.

We may share or provide access to Personal Data to third parties only as necessary to provide services, operate our business, comply with legal obligations, or based on a lawful processing basis.

Such third parties may include:

  • hosting, cloud, CDN, server, database, and infrastructure providers, such as Vercel, Cloudflare, VPS providers, or other cloud providers;
  • analytics providers, such as Google Analytics;
  • advertising or marketing providers, such as Google Ads or Meta, if used;
  • Meta Platforms, Inc. and/or WhatsApp Business API providers if communication occurs through the WhatsApp Business Platform;
  • payment gateways, banks, and payment service providers;
  • domain, email, form, CRM, helpdesk, logging, monitoring, and productivity service providers;
  • contractors, developers, designers, consultants, or vendors that help us provide services;
  • accountants, notaries, tax consultants, legal counsel, auditors, or other professional advisors;
  • affiliates or parties involved in business restructuring, mergers, acquisitions, or asset transfers, where conducted according to law;
  • law enforcement agencies, courts, regulators, ministries/agencies, or competent authorities when required by law.

We will seek to ensure that third parties processing Personal Data apply reasonable safeguards and process data only for lawful purposes. For global providers such as Google, Meta, Vercel, Cloudflare, and similar providers, data processing is also subject to each provider's terms of service, privacy policy, and data processing agreements.

The list of providers or sub-processors used may change from time to time. You or a Client may contact us to request further information about relevant categories of service providers.

8. Data Transfers Outside Indonesia

Some of our service providers may process or store data outside the territory of the Republic of Indonesia, including but not limited to cloud, hosting, analytics, communications, payment, and third-party platforms such as Google, Meta, Vercel, Cloudflare, or other providers.

If Personal Data is transferred outside Indonesia, we will seek to ensure that the transfer is conducted on a lawful basis and with reasonable protection in accordance with the PDP Law and related regulations, including through one or more of the following mechanisms:

  • the destination country has an equal or higher level of Personal Data protection;
  • there is an agreement or contractual clause regulating Personal Data protection obligations;
  • the Personal Data Subject has provided consent, where required;
  • the transfer is necessary for contract performance or legitimate legal interests;
  • the transfer is required or permitted by laws and regulations.

9. Data Storage and Retention

We retain Personal Data only for as long as necessary to fulfill collection purposes, provide services, comply with legal obligations, resolve disputes, maintain security, and carry out legitimate business interests.

Our general retention periods are as follows:

Data TypeGeneral Retention Period
Active client dataDuring the contractual relationship
Former client dataUp to 5 years after the project or subscription ends, unless law requires a longer period
Prospect/lead dataUp to 2 years from the last contact, unless you request earlier deletion or another lawful basis applies
Invoice, payment, tax, and bookkeeping dataIn accordance with applicable tax, accounting, and legal obligations
SaaS account dataWhile the account is active and for a reasonable period after termination for backup, recovery, and administration
Technical and security logsAs long as necessary for security, audits, troubleshooting, and compliance
Analytics and marketing cookiesAccording to cookie settings, relevant platforms, or periods stated in a cookie banner/policy
Backup dataMay be stored temporarily in backups until the deletion or backup rotation cycle is complete

After the retention period ends, Personal Data will be deleted, destroyed, anonymized, or made no longer identifiable, unless further storage is required or permitted by law.

Data deletion requests may be subject to certain exceptions, for example where data is still needed for legal obligations, bookkeeping, dispute resolution, security investigations, or legal claim defense.

10. Data Security

We apply reasonable technical and organizational measures to protect Personal Data from unauthorized access, disclosure, alteration, loss, misuse, or unlawful processing.

Security measures we may apply include:

  • use of HTTPS/TLS;
  • access restrictions based on need and role;
  • authentication and internal access control;
  • regular backups;
  • security logging and monitoring;
  • restricted access to credentials and production systems;
  • use of infrastructure providers with reasonable security standards;
  • separation of access between internal data and client data where possible;
  • security incident response procedures.

Although we work to keep data secure, no electronic system is entirely risk-free. You and Clients are also responsible for keeping accounts, passwords, API keys, devices, admin access, and credentials under your control secure.

11. Use of AI and Automation

Some of our services may use AI, machine learning, chatbots, WhatsApp automation, or automated systems to support communication, reservations, scheduling, information management, customer support, and other operational processes.

In AI-based or automation services:

  • conversation data, briefs, instructions, questions, answers, logs, and metadata may be processed to operate the service;
  • AI output may be incomplete, inaccurate, or require human verification;
  • for sensitive sectors such as clinics, healthcare, beauty, law, finance, education, or services involving children's data, the Client must ensure appropriate human oversight, required consent, and usage limitations;
  • an AI assistant must not be used as the sole basis for medical, legal, financial, or other decisions that significantly affect a person without review by an authorized professional;
  • we may use AI providers or third-party infrastructure as necessary to provide the service and in accordance with applicable agreements and processing bases.

If an AI service requires specific privacy arrangements, those arrangements may be set out in an agreement, proposal, Data Processing Agreement, or other special document.

12. Your Rights as a Personal Data Subject

Under the PDP Law, you have rights as a Personal Data Subject, including the right to:

  1. obtain information about identity clarity, the legal-interest basis, the purpose of requesting and using Personal Data, and the accountability of the party requesting Personal Data;
  2. complete, update, and/or correct errors and/or inaccuracies in Personal Data;
  3. access and obtain copies of Personal Data;
  4. end processing, delete, and/or destroy Personal Data in accordance with legal requirements;
  5. withdraw consent to Personal Data processing;
  6. object to decisions based solely on automated processing that have legal consequences or significant impact;
  7. delay or restrict Personal Data processing proportionally according to processing purposes;
  8. sue and receive compensation for violations of Personal Data processing according to law;
  9. obtain and/or use Personal Data in a structured and/or commonly used format readable by electronic systems;
  10. use or send Personal Data to another Personal Data Controller where the systems can securely communicate in accordance with Personal Data protection principles.

To exercise your rights, please contact us at hello@corepixel.id with the subject Privacy / PDP Request.

We may request additional information to verify your identity and ensure that the request is made by an authorized party. We will seek to confirm receipt of requests within a reasonable time and process requests within the period required by applicable laws and regulations.

In certain circumstances, we may reject, postpone, or limit fulfillment of a request where permitted by law, for example because data is still needed for legal obligations, bookkeeping, security interests, dispute resolution, legal claim defense, or because the request is made by an unauthorized party.

13. Consent Withdrawal, Opt-Out, and Data Deletion

If Personal Data processing is based on your consent, you may withdraw that consent at any time by contacting us through the available contact channels.

Consent withdrawal does not affect the lawfulness of processing carried out before the withdrawal. Withdrawal may also mean that some services can no longer be provided, especially where the data is necessary to operate the service, fulfill a contract, or comply with legal obligations.

For marketing communications, you may unsubscribe through an unsubscribe link, reply with a stop request, or contact us by email.

14. Children's Data and Underage Users

CorePixel services are generally intended for business operators, business owners, professionals, and users aged at least 18 years.

We do not intentionally collect Personal Data of minors directly through the CorePixel website. If we become aware that we have collected a child's Personal Data without parental/guardian consent or a valid legal basis, we will take reasonable steps to delete or restrict processing of such data.

For services used by Clients that may interact with children or process children's data, including clinics, education, family services, or other child-related services, the Client is responsible for ensuring that processing of children's data complies with applicable regulations, including obtaining parental/guardian consent where required and applying appropriate additional safeguards.

15. Personal Data Protection Failure

If a Personal Data protection failure affects Personal Data under our control, we will take reasonable steps to:

  • identify and assess the incident;
  • limit the incident's impact;
  • restore system security where possible;
  • document the incident;
  • notify Personal Data Subjects and/or competent authorities according to applicable legal obligations.

Under the PDP Law, where required, notification of a Personal Data protection failure will be made no later than 3 x 24 hours after the failure becomes known, taking into account applicable laws and regulations.

If CorePixel acts as a Personal Data Processor, we will notify the Client as the Personal Data Controller within a reasonable time after we become aware of the relevant incident, so the Client can fulfill its legal obligations.

16. PSE Obligations and Electronic System Compliance

To the extent CorePixel services fall within the category of Private Scope Electronic System Operator or are subject to registration, reporting, governance, electronic system security, or other obligations applicable in Indonesia, we will seek to fulfill those obligations according to the scale, type, and characteristics of the services we operate.

For services that we build or manage on behalf of Clients, Clients are responsible for ensuring legal obligations attached to their business, sector, licensing, and electronic systems, unless it is agreed in writing that CorePixel will assist with a specific part of that compliance process.

17. Third-Party Links and Services

Our website or services may contain links, integrations, widgets, APIs, or third-party services. Use of those third-party services is subject to each third party's own terms of service and privacy policy.

We are not responsible for privacy practices, security, content, or policies of third parties outside our control. You are advised to read third-party privacy policies before using their services.

18. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in services, technology, business practices, or applicable legal regulations.

The latest version will be available on our website with an updated "Last updated" date. For material changes, we will seek to provide notice through email, dashboard, website notice, or other reasonable communication channels.

Use of the website or services after changes take effect is considered acceptance of the updated Privacy Policy, to the extent permitted by law. If a change requires new consent, we will request that consent in accordance with applicable requirements.

19. Contact Us

For questions, complaints, access requests, correction, deletion, consent withdrawal, or other requests related to Personal Data, please contact:

PT COREPIXEL TEKNOLOGI INDONESIA - CorePixel
Email: hello@corepixel.id
WhatsApp: +62 859-6142-9667 / +62 853-9831-7561
Kab. Banjar, South Kalimantan, Indonesia
https://corepixel.id

Suggested email subject: Privacy / PDP Request.

If you believe your Personal Data rights have not been fulfilled, you have the right to submit a complaint to the competent authority for Personal Data protection in the Republic of Indonesia in accordance with applicable laws and regulations.