Privacy Policy

How Kita2u collects, uses, and protects your personal data. Compliant with UU 27/2022 (Indonesia's Personal Data Protection Law).

What we collect

From riders (Subscribers):

  • Name, email, password (hashed), WhatsApp number
  • Profile photo, bio, area, city
  • Bike details (make, model, year, colour, plate)
  • Per-km pricing + minimum fee + pit-stop fee
  • Service preferences (parcel / food / passenger)
  • Real-time GPS location (only when online + opt-in)
  • Subscription + payment status from Midtrans (we do not store card numbers)

From customers (visitors):

  • GPS location (only with browser permission, used to find nearby riders)
  • Anonymous session ID for analytics (no PII)
  • Quote events: pickup / dropoff coordinates + distance + estimated fare per tap
  • Contact-tap events: anonymous ID + driver ID + page name when you tap the Contact button on a driver listing (used to alert the driver and to rate-limit duplicate taps)

From riders who opt in to booking alerts or tour-guide service:

  • Device push-notification token (FCM token) — required to deliver the loud booking-alert sound when a customer taps Contact
  • Acknowledgement timestamp when the rider taps the in-app alert (used for response-time metrics on the public B2B score)
  • Tour-guide opt-in fields: day rate (Rp/8h), spoken languages, optional pitch notes — shown on /places when displayed

From service providers (massage, beautician, laundry, handyman, home clean):

  • Display name, bio, profile photo URL, years of experience
  • WhatsApp number (visible publicly so customers can contact you direct)
  • City + service-area notes (where you operate)
  • Service-specific fields: massage type + duration prices, beautician package prices, laundry per-kg rates, handyman trade list + hour/day rates, cleaner hour/day rates
  • Availability (online / busy / offline) toggled from your dashboard
  • KTP photo (government ID) — uploaded direct to a private Supabase Storage bucket (ktp-images), scoped to your own folder by row-level security. Visible only to admin verifiers; never returned by the public marketplace. Required to flip your profile from pending to active. Stored in Singapore region.

From partner venues (hotels, villas, restaurants):

  • Venue name, type (hotel/villa/restaurant/etc.), address, city, lat/lng
  • Owner contact email, phone, WhatsApp — stored privately, used for payout coordination
  • Payout method + account details (bank account, QRIS, e-wallet) — stored privately, visible only to drivers who have an outstanding commission with you, and to admin support
  • Commission rate (default 8%, capped at 15%)

Customer accounts + saved places (optional)

Customers can use Kita2u without creating an account — browse drivers, tap Contact, message on WhatsApp. No signup required for booking.

If a customer chooses to save places (Home, Office, etc.) via the Saved chip on the booking page, we ask them to create an account so the saved places sync across their devices. The account collects:

  • Phone number (verified via OTP — also the customer's WhatsApp number)
  • Display name
  • Saved drop-off places: name, emoji, latitude/longitude, optional address label

Limits + retention:

  • Maximum 20 saved places per account
  • Retained while the account is active; deleted instantly on account deletion
  • Never shared with drivers or third parties — purely a personal convenience feature

Delete your account + all saved places anytime via /account/delete or Dashboard → Delete my account.

Push notification alerts (driver-side, opt-in)

Drivers who enable "Loud booking alerts" on the dashboard authorise us to deliver a high-priority push notification to their device the instant a customer taps Contact on their listing. Delivery is routed through Google's Firebase Cloud Messaging (FCM) service. We send the alert title, a short body, and a small data payload (the ping ID + source page) — never the customer's identity or message content.

Your control:

  • Toggle "Loud booking alerts" OFF on the dashboard at any time — delivery stops immediately
  • Revoke the Android notification permission in Settings → Apps → Kita2u → Notifications
  • Sign out of a specific device to remove its registered FCM token
  • Delete your account to remove every registered token across every device

Background location (Android app only)

The Kita2u Android app collects your device's GPS location in the background — meaning while the app is not visible on screen, while the phone is locked, or while you are using other apps. This applies only to riders who have completed onboarding and tapped "Go Online" in the driver dashboard. It never applies to customers.

Why:

  • To keep your live position visible to customers searching the marketplace
  • To compute accurate distance and ETA for nearby customers
  • To detect movement so we can mark you "busy" (mid-trip) vs "online" (available)

What we do NOT do with background location:

  • We do not store a history of where you have been — only your most recent position is kept
  • We do not share your location with any third party other than the customers searching the directory
  • We do not use location for advertising, profiling, or analytics beyond the marketplace
  • We do not track location while you are offline — the moment you tap "Go Offline" the foreground location service stops

Your control:

  • Tap "Go Offline" in the dashboard to stop all location collection immediately
  • Revoke the Android "Allow all the time" location permission in Android Settings → Apps → Kita2u → Permissions
  • Uninstall the app, together with cancelling your subscription, to remove all stored location data

While location is active, Android displays a persistent notification ("City Rider is online") as a system-level reminder — this notification is required by Android and cannot be hidden while the foreground location service is running.

Why we collect it

  • To show online riders on the directory
  • To enable customers to find the nearest available rider
  • To generate WhatsApp message links
  • To process subscription payments via Midtrans
  • To send notifications (incoming-order modal, app updates)
  • To compute platform analytics (zone demand, ROI dashboard)

What we DO NOT collect

  • The content of WhatsApp conversations between riders and customers
  • Customer payment details or trip transaction records (we never touch money)
  • Rider bank accounts (we don't need them — drivers are paid by customers direct on WhatsApp)
  • SIM (driver licence) or NPWP (tax ID) — drivers self-declare compliance with local transport rules
  • Browsing history outside the Kita2u app

Note on KTP: we DO collect a KTP photo from service providers (massage, beautician, laundry, handyman, home clean) as anti-fraud / identity verification. It is stored privately as described above and is never visible on the marketplace. We do not collect KTP from riders, customers, or partner venues.

Sharing + third-party processors

We share only as needed, with these named processors:

  • Customers browsing the directory — see rider profile data (name, photo, WhatsApp, pricing, GPS); that's the product
  • Midtrans (PT Midtrans) — payment processing under their own data agreement; PCI-DSS compliant
  • Vercel — Next.js hosting (servers in Singapore region)
  • Supabase — managed PostgreSQL database + auth; storage region Singapore
  • Google LLC (Firebase Cloud Messaging) — delivers driver booking-alert push notifications; receives only the alert title, body, and our internal ping ID — never customer identity
  • Sentry — crash reporting + error telemetry; configured to redact PII, no session replay enabled
  • OpenFreeMap — public map tiles (no per-user tracking)
  • Nominatim (OpenStreetMap Foundation) — reverse geocoding for place names

We do not sell personal data to third parties. We do not share customer GPS with any party other than the customer's own browser session.

Retention

  • Rider profile data: retained while subscription is active + 30 days after cancellation, then deleted unless legally required to keep longer
  • Service-provider profile data (massage / beautician / laundry / handyman / home clean): same as riders — active subscription + 30 days, then deleted
  • KTP photos: retained while the provider account is active; deleted from the private bucket within 7 days of account deletion or as soon as the provider replaces it during signup. Verifiers may keep a hashed audit trail of the verification decision (no image) for fraud-defence purposes.
  • Partner venue data: retained while the partner status is "active"; listings (name, city, lat/lng) survive owner deletion as anonymised public records since they aren't personal data; payout + contact fields are deleted with the owner's account
  • Quote events: 12 months for rider analytics, then anonymised
  • Contact-ping events: 90 days for B2B response-time metric, then deleted
  • Push notification tokens: pruned automatically after 90 days of inactivity; removed immediately on sign-out, app uninstall, or token rotation by the OS
  • GPS location: only the latest position is kept; not stored as history
  • Sentry crash reports: 30 days, then deleted
  • Logs: 90 days for security + debugging

Deleting your account

You can permanently delete your account at any time:

  • From inside the app: Dashboard → scroll to the bottom → "Delete my account" → type DELETE to confirm
  • From a browser: visit /account/delete for full step-by-step instructions
  • If you have lost access: email streetlocallive@gmail.com from your registered address — processed within 14 days

Deletion removes your auth record, profile, listings, push tokens, subscription, and the reviews you authored. Reviews other users wrote about you remain visible but display your profile as "[deleted account]". Tax records may be retained per Indonesian tax law (up to 10 years).

Your rights (UU PDP)

Under Indonesia's UU 27/2022 you have the right to:

  • Access your personal data we hold
  • Correct inaccurate data
  • Delete your data (right to be forgotten) — subject to legal retention requirements
  • Restrict or object to processing
  • Data portability — export your data in a common format
  • Withdraw consent at any time (cancel subscription)
  • File a complaint with Lembaga Pelindungan Data Pribadi

To exercise these rights, use the Contact page — we respond to all UU PDP data-subject requests within 14 days.

Security

Passwords are hashed (never stored in plain text). All traffic uses HTTPS. Payment data lives inside Midtrans (PCI-DSS compliant). We follow industry-standard practices for the SaaS platform itself but cannot guarantee absolute security; users should use strong unique passwords.

Cookies + storage

We use localStorage to remember your language preference and your anonymous customer session ID. No third-party advertising cookies. No tracking pixels.

Children

Kita2u is not directed at users under 18. Riders must be 18+ to subscribe (legal age to operate a motorcycle commercially in Indonesia). Customers using the directory must be of legal age to enter service contracts.

Changes to this policy

Material changes will be announced to active Subscribers via their dashboard at least 14 days before taking effect.
