FanHub
Sign in

Privacy Policy

Effective date: 25 April 2026
Last reviewed: 25 April 2026

This Privacy Policy explains how PT FanHub Kreasi Indonesia ("FanHub", "we", "us") collects, uses, discloses, and protects personal data when you visit fanhub.id or use the FanHub dashboard at app.fanhub.id (the "Service").

We are committed to compliance with Undang-Undang Republik Indonesia Nomor 27 Tahun 2022 tentang Pelindungan Data Pribadi ("UU PDP") and align our global practices with the principles of the EU General Data Protection Regulation (GDPR) where applicable.

1. Data controller

The data controller for personal data processed through the Service is:

PT FanHub Kreasi Indonesia
Jakarta, Indonesia
Email: privacy@fanhub.id

For questions about this policy or to exercise your data subject rights (Section 7), contact our Data Protection Officer (DPO) at dpo@fanhub.id.

2. Personal data we collect

We collect the categories of personal data listed below.

2.1 Account data

  • Email address (used for magic-link login).
  • Display name (optional, set during onboarding).
  • Organization affiliation, role, and entitlements.
  • Account creation timestamp, last sign-in time.

2.2 Usage data

  • Pages and dashboards you view, search queries you run.
  • Watchlists you create, exports you generate, alerts you configure.
  • Approximate IP-derived city/country, device, browser, OS.
  • Server-side request logs (timestamp, route, status code, latency).

2.3 Billing data (when paid plans are enabled)

  • Company name, billing address, tax identifier (NPWP), payment-method identifier.
  • Invoice and payment history.
  • We do not store full card numbers — Stripe processes payments and is the controller of payment-instrument data.

2.4 Communications

  • Demo requests, support tickets, and email replies you send us.
  • Sales-call notes (only if you have spoken with our team).

2.5 Cookies and similar technologies

See our Cookie Policy for details on cookies, local storage, and similar technologies.

3. How we use personal data

We process personal data for the following purposes:

  • Provide the Service — authenticate you, render dashboards, run scoring, send watchlist alerts.
  • Operate and improve the Service — debug issues, plan capacity, measure feature usage in aggregate.
  • Billing and accounting — invoicing, tax compliance, fraud prevention.
  • Communicate with you — send service announcements, respond to support requests, send invoices.
  • Comply with legal obligations — respond to lawful requests from authorities, retain records as required by Indonesian law.

4. Lawful basis for processing

Under UU PDP Article 20 and GDPR Article 6, we rely on the following lawful bases:

  • Performance of a contract — providing the Service you requested.
  • Legitimate interests — operating, securing, and improving the Service, balanced against your rights.
  • Consent — for non-essential cookies, marketing emails, and any optional features that ask for explicit opt-in.
  • Legal obligation — tax records, anti-fraud, lawful authority requests.

5. Music-industry data

FanHub aggregates publicly observable signals about musical artists (streaming counts, social-media follower counts, chart positions, press mentions, search trends). These signals describe the artist as a commercial entity, not a private individual:

  • We collect data only from public APIs, public web pages, and licensed third-party data providers — never via scraping authenticated surfaces or using credentials we are not authorized to hold.
  • We do not collect or process special-category personal data about artists (health, religion, sexual orientation, etc.).
  • Artists may request removal from the FanHub roster by emailing roster@fanhub.id with proof of identity or representation.

6. Sharing and disclosure

We do not sell personal data. We share personal data only with the categories of recipients listed below, and only as necessary:

  • Service providers (sub-processors): Supabase (database + auth, Singapore), Upstash (Redis cache, Singapore), Vercel (hosting, global edge), Stripe (payments, Singapore/Ireland/US), Resend (email, US), Sentry (error tracking, US), Crisp (in-app help, France).
  • Within your organization — admins of your workspace can see usage and billing information for the workspace.
  • Legal authorities — when required by Indonesian law, court order, or government request that we are legally obligated to comply with.
  • Business transfers — in the event of merger, acquisition, or sale of assets, with notice to you.

7. Your rights

UU PDP Articles 5–14 and GDPR Articles 15–22 give you the following rights regarding personal data we hold about you:

  • Access — request a copy of personal data we hold.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure — request deletion of personal data, subject to retention obligations under Indonesian law.
  • Restriction — restrict processing while a dispute is resolved.
  • Portability — receive your data in a machine-readable format.
  • Objection — object to processing based on legitimate interests, including for direct marketing.
  • Withdraw consent — at any time, where processing is based on consent. Withdrawal does not affect prior lawful processing.
  • Lodge a complaint — with the Indonesian data protection authority (Otoritas Pelindung Data Pribadi) once established, or with your local supervisory authority if you are in the EU.

Submit rights requests to privacy@fanhub.id. We respond within 30 days as required by UU PDP Article 12.

8. International transfers

Personal data is primarily stored on infrastructure in Singapore (Supabase ap-southeast-1) to keep latency low for Indonesian users. Some sub-processors operate from the United States, the European Union, and other jurisdictions; in those cases we rely on standard contractual clauses or comparable transfer mechanisms, consistent with UU PDP Articles 56–57.

9. Retention

  • Account data: retained while the account is active, and for 30 days after account closure to allow recovery.
  • Billing records: retained for 10 years to comply with Indonesian tax law (UU KUP).
  • Server logs: 30 days, then deleted.
  • Aggregated usage data: retained indefinitely in a de-identified form.

10. Security

We protect personal data with industry-standard measures: TLS 1.2+ in transit, AES-256 at rest, role-based access control, audit logging of admin actions, least-privilege secrets management (Infisical), separation of staging and production environments, and routine backups. No system is fully immune; in the event of a personal-data breach we will notify affected users and the relevant authority within the 72-hour window required by UU PDP Article 46.

11. Children

The Service is not intended for individuals under 17 (the age of digital consent in Indonesia under UU PDP Article 25). We do not knowingly collect personal data from children under 17. If you believe a child has provided personal data, contact us and we will delete it.

12. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email and an in-app notice at least 14 days before they take effect. The "Last reviewed" date at the top of this page indicates the most recent update.

13. Contact

Questions, complaints, or rights requests:
Email: privacy@fanhub.id
DPO: dpo@fanhub.id
Postal: PT FanHub Kreasi Indonesia, Jakarta, Indonesia