Privacy Policy

Last updated: April 5, 2026

1. Introduction

Storlaunch ("we", "our", or "us") is operated by Forjio Studio, an Indonesian technology company. This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you use storlaunch.forjio.com and related services (collectively, the "Service").

By using the Service, you agree to the practices described in this policy. If you don't agree, please don't use the Service.

This policy is written in compliance with Indonesia's Personal Data Protection Law (UU No. 27 Tahun 2022 tentang Pelindungan Data Pribadi).

2. Data We Collect

Account Data

When you register, we collect your name, email address, and password (hashed, never stored in plaintext). You may optionally provide a company name and website.

Payment and Transaction Data

We collect records of checkout sessions, subscriptions, invoices, and payment events processed through the Service. We do not store raw card numbers — card tokenization is handled by Xendit and PayPal under their respective PCI-DSS compliance programs.

API Usage Data

We log API requests (endpoint, timestamp, status code, response time) for security monitoring, rate limiting, and debugging. Logs are retained for 90 days.

Technical Data

IP addresses, browser type, device information, and cookies collected when you use the web dashboard. This data is used to detect fraud, enforce rate limits, and improve the Service.

Customer Data (Merchant's Customers)

When your customers complete a checkout, we collect their email address, payment method details (tokenized), and transaction metadata. This data is processed on your behalf — you are the data controller for your customers' data; Storlaunch is the data processor.

Communications

If you contact our support team, we retain the contents of those communications to resolve your request and improve our support.

3. How We Use Your Data

We use your data to:

- **Provide the Service** — process payments, manage subscriptions, generate invoices, deliver digital products

  • Authenticate you — verify identity, maintain session security
  • Send transactional emails — payment confirmations, subscription notices, dunning notifications, download links
  • Detect and prevent fraud — monitor for suspicious activity, enforce rate limits
  • Improve the Service — analyze usage patterns, diagnose errors, develop new features
  • Comply with legal obligations — respond to lawful requests from Indonesian authorities, fulfill tax and accounting obligations
  • Communicate with you — product updates, security notices, and (with your consent) marketing

We do not sell your personal data to third parties. We do not use your data to train AI models without explicit consent.

4. Data Sharing

Payment Processors

Transaction data is shared with Xendit (for IDR payments) and PayPal (for international payments) as necessary to process payments. Both operate under their own privacy policies and security certifications.

Infrastructure Providers

We use cloud infrastructure providers (storage, hosting, email delivery) who process data on our behalf under data processing agreements.

Legal Requirements

We may disclose data when required by Indonesian law, court order, or lawful government request. We will notify you of such requests where permitted by law.

Business Transfer

If Forjio Studio is acquired or merges with another entity, your data may be transferred as part of that transaction. We will notify you before your data becomes subject to a different privacy policy.

With Your Consent

We share data with third parties only when you explicitly authorize it (for example, connecting a third-party integration).

5. Data Retention

We retain your data for as long as your account is active. If you close your account:

- Account data is deleted within 30 days

  • Transaction records (invoices, payment events) are retained for 5 years to comply with Indonesian tax and accounting law (UU No. 28 Tahun 2007 tentang Ketentuan Umum dan Tata Cara Perpajakan)
  • API logs are deleted after 90 days
  • Anonymized, aggregated analytics data may be retained indefinitely

You can request deletion of your account and data at any time. See Section 8 (Your Rights) for how to submit a request.

6. Security

We implement industry-standard security measures including:

- TLS encryption for all data in transit

  • AES-256 encryption for sensitive data at rest
  • HMAC-SHA256 webhook signatures to verify event authenticity
  • API keys stored as bcrypt hashes, never in plaintext
  • Regular security audits and penetration testing
  • Access controls limiting employee access to production data

No system is perfectly secure. If you discover a security vulnerability, please report it responsibly to security@forjio.com before public disclosure.

7. Cookies

We use cookies and similar technologies to:

- **Authenticate your session** — required for the web dashboard to function

  • Remember your preferences — theme, environment selection (sandbox/live)
  • Detect fraud — identify unusual access patterns

We do not use third-party advertising or tracking cookies. The only third-party cookies that may be set are from our infrastructure providers (CDN, error monitoring) strictly for service delivery purposes.

You can disable cookies in your browser settings. Disabling session cookies will prevent you from logging into the web dashboard, but will not affect API or CLI access.

8. Your Rights

Under Indonesia's Personal Data Protection Law, you have the right to:

- **Access** — request a copy of the personal data we hold about you

  • Correction — update inaccurate or incomplete data (most data can be updated directly from Settings)
  • Deletion — request deletion of your personal data, subject to legal retention requirements
  • Portability — receive your data in a machine-readable format
  • Objection — object to processing of your data for direct marketing

To exercise any of these rights, email privacy@forjio.com with the subject line "Privacy Request — [Right Type]". We will respond within 14 business days.

If you are a customer of a merchant using Storlaunch (i.e., you made a purchase through a Storlaunch-powered checkout), please contact the merchant directly for data requests related to your purchase. The merchant controls how your data is used for their business purposes.

9. Children's Privacy

The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a minor, contact us at privacy@forjio.com and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy as the Service evolves. For material changes, we will notify registered users via email at least 14 days before the change takes effect. Continued use of the Service after that date constitutes acceptance of the updated policy.

The date at the top of this page shows when this policy was last updated.

11. Contact

For privacy-related questions, requests, or concerns:

**Email:** privacy@forjio.com **Subject line:** "Privacy — [your question]"

Postal address:

Forjio Studio Indonesia

We aim to respond to all privacy inquiries within 14 business days.

This Privacy Policy is provided in English. In the event of any inconsistency between an English version and an Indonesian translation, the English version prevails.