BukuTamu Privacy Policy

1. Scope of Policy

This policy governs the processing of personal data and operational data that we perform when you access the site, create an account, manage a workspace, run an event, upload a guest list, use RSVP and check-in features, communications, analytics, billing, third-party integrations, and when you interact with our support team.

Buku Tamu by Einvite.id operates on an event-package model. After an event is declared completed, the event may remain available for customer access in read-only mode for as long as the applicable data-retention period remains in effect, as described in this policy and our Terms & Conditions.

In general, event data may remain available for up to 180 (one hundred eighty) calendar days from the time the event is declared completed. Before the retention period expires, customers are responsible for downloading and archiving the data they wish to retain.

This policy covers data collected directly from you, data generated when the service is used, and data we receive from integrations and technology partners that you activate.

2. Data We Collect

• Account and identity data, such as name, email address, phone number, company name, workspace name, login credentials, and account preferences.
• Event and operational data, such as event name, venue, event time, guest lists, guest categories, RSVP, check-in, seating, souvenirs, broadcasts, QR data, and activity notes that you enter into the system.
• Billing and transaction data, such as event packages, invoice history, payment status, transfer proofs, billing identity, and relevant payment metadata.
• Technical data, such as IP address, browser type, operating system, device identifier, error logs, audit logs, page performance, and security activity.
• Marketing and analytics data, including cookies, event measurement, campaign attribution, conversion tracking, audience analytics, and parameters processed through Google Tag Manager, Google Analytics, Google Ads, or similar tools that we use from time to time.

3. Purposes of Data Use

• To provide, operate, secure, and improve the BukuTamu service.
• To process account registration, authentication, password resets, workspace onboarding, billing, and customer support.
• To run event features, RSVP, guest management, reporting, communications, and other operational workflows.
• To detect, prevent, and investigate misuse, spam, fraud, unauthorized access, or security disruption.
• To measure campaign effectiveness, understand product usage behavior, and optimize marketing experience and conversion.
• To comply with legal obligations, internal audits, reporting, and lawful requests from competent authorities.

4. Our Role in the Data

For account data, billing data, and the direct customer relationship with BukuTamu, we act as the data controller to the extent necessary for operating our service.

For guest data, RSVP data, attendance records, broadcasts, and other event data that you upload or manage in the platform, you or your organization act as the party determining the purposes of use for that data. In that context, BukuTamu acts as a service provider or data operator in accordance with the instructions you provide through your use of the platform.

You are responsible for ensuring that you have the required legal basis, privacy notice, and consent before entering guest data or third-party data into BukuTamu.

5. Cookies, Google Tag Manager, Google Analytics, and Google Ads

Buku Tamu by Einvite.id may use essential cookies and similar technologies to maintain login sessions, security, language preferences, and application stability.

We may also use Google Tag Manager to manage measurement tags, Google Analytics for usage analytics, Google Ads for conversion tracking and campaign evaluation, and Meta Ads for campaign measurement, audience matching, and remarketing in accordance with the configuration applied in production.

Data processed through those tools may include page views, interaction events, traffic sources, campaign parameters, device metadata, and conversion signals. You may limit cookies through your browser settings, but some service functions may not operate optimally if essential cookies are disabled.

6. Disclosure of Data to Third Parties

We disclose data only to the extent necessary to provide the service, comply with the law, or support legitimate operational interests. Data recipients may include:

• hosting providers, cloud infrastructure providers, CDNs, monitoring services, and backup providers;
• email, notification, payment gateway, and billing service providers;
• communications providers and third-party integrations that you activate, including WhatsApp providers or other engagement tools;
• analytics and advertising providers such as Google Tag Manager, Google Analytics, and Google Ads; and
• professional consultants, auditors, legal advisers, or competent authorities where required by law.

We require relevant third parties to process data only for legitimate purposes, maintain confidentiality, and implement reasonable safeguards.

7. Storage and Data Retention

We retain data while your account is active, for as long as necessary to provide the service, or for as long as needed for audit, dispute, billing, backup, security, and legal compliance purposes.

For event data managed through BukuTamu, once an event is declared completed, the event may remain available to customers in read-only mode. During that period, some operational features may be limited or disabled, but customers may continue to view available event data, reports, and information while the retention period remains in effect.

In general, event data may remain available for up to 180 (one hundred eighty) calendar days from the time the event is declared completed. Customers are responsible for downloading, exporting, and archiving reports, guest data, attendance data, RSVP data, uploaded files, and other information they wish to retain before the retention period expires.

After the retention period expires, some or all event data may be permanently deleted and deleted data may not be recoverable. We may retain certain data for a longer period where required by law, taxation, security, audit, fraud investigations, dispute resolution, or other compliance obligations. Data no longer needed will be deleted, anonymized, or securely archived in accordance with our internal policies.

Customers understand that the deletion of data after the retention period expires is part of the service’s normal operational lifecycle and does not constitute a service failure, unauthorized data loss, or a breach of PT Einvite Karya Sejahtera’s data-storage obligations.

8. Data Security

We implement reasonable technical and organizational measures to protect data from unauthorized access, alteration, disclosure, loss, or destruction. Such measures may include role-based access controls, audit logs, network restrictions, webhook protection, backups, and authentication safeguards.

Although we seek to maintain service security, no system can be guaranteed to be 100% risk-free. You are also responsible for maintaining the confidentiality of your account credentials, limiting internal access, and applying good security practices.

9. Your Rights and Choices

• updating your account and profile data through the dashboard where features are available;
• requesting access to, correction of, or deletion of certain data as permitted by applicable law;
• closing your account or ceasing to use the service; and
• managing cookie preferences through your browser or device settings.

For requests related to data you uploaded on behalf of guests or third parties, we may direct such requests to the event organizer or customer that acts as the primary controller of that data.

10. Cross-Border Transfers

Some of our infrastructure, analytics, communications, or advertising providers may process data outside Indonesia. By using the service, you understand that data may be processed in other jurisdictions to the extent necessary for service delivery and where reasonable safeguards are available.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes to features, operational processes, legal obligations, or the use of technology partners. The latest version will be published on this page together with its effective date.

If a change is material, we may provide additional notice through the application, email, or other reasonable channels.

12. Contact

If you have questions, requests, or complaints regarding this Privacy Policy, please contact us using the contact details listed on this page. For legal or data-protection matters, please use a clear email subject so that your request can be handled more efficiently.