Privacy Policy
Updated 18 May 2026
Sancorino respects your privacy. This page explains exactly what data we collect, why, who else sees it, and how you can ask us to delete or export it. It's written to comply with Undang-Undang Perlindungan Data Pribadi (UU PDP) No. 27/2022 and applies to everyone using sancorino.shop.
1. Who's responsible
Sancorino is the data controller for personal data collected through this site. Operated as a sole proprietorship in Jakarta. For privacy questions, write to hello@sancorino.shop with "Privacy" in the subject.
2. What we collect, and why
We deliberately keep this short — we only ask for what we need.
When you browse (no account)
- Cart contents — stored in a cookie (
audi_cart) so the cart survives a refresh. Cleared after checkout. - Applied discount code — cookie (
audi_discount), same lifecycle. - Theme preference — light/dark, stored in
localStorage, never sent to our servers. - Approximate IP and request metadata — used only to rate-limit abuse and write server logs. Not used to profile you.
When you sign up or sign in
- Email address — for account login and receipts.
- Display name — optional, used to greet you.
- Password hash (if you signed up with email + password) — stored as a salted bcrypt hash. We never see the plaintext.
- Google profile (if you signed in with Google) — Google ID, name, email, profile picture. No other Google data.
- Session cookie — a signed JWT identifying you on subsequent requests.
When you place an order
- Email address — for receipts and download links.
- Order details — what you bought, when, and how much you paid.
- Discount code used, if any.
- Bayar.gg invoice ID and payment method label — for reconciliation. We do not store card numbers, CVVs, or e-wallet credentials; those stay with Bayar.gg.
When you book a 1-on-1 class
- Name, email, WhatsApp number — so we can confirm the booking and reach you if anything changes.
- Optional notes you send us about the session.
- The slot you booked and its status.
When you write to us
- Email content and any attachments you send. Used only to reply to your message.
3. Who we share it with
We do not sell or rent your data. We use a small number of vendors ("data processors") to run the site. Each only sees the data they need:
- Neon (PostgreSQL hosting, Singapore region) — stores the database.
- Vercel (web hosting + Blob file storage) — runs the site and serves uploaded files.
- Bayar.gg (payment gateway) — sees your name, email, and order amount during payment.
- Resend (transactional email) — sees your email address when we send a receipt or magic link.
- Google (OAuth provider, optional) — only involved if you choose to sign in with Google.
- Upstash (rate limiting cache) — sees a hash of your IP or user ID for abuse prevention.
- Sentry (error monitoring, when enabled) — sees error stack traces, which may include the URL you were on and your user ID.
We may also disclose data when legally compelled (e.g. a valid court order under Indonesian law). We'll resist over-broad requests and notify you if we're legally permitted to do so.
4. Where it lives
Database is hosted in Singapore (Neon ap-southeast-1). Files are on Vercel Blob (global CDN). Emails routed via Resend (United States). This means some of your data is transferred outside Indonesia for processing. By using the site you consent to this transfer.
5. How long we keep it
- Account data: until you delete the account or ask us to.
- Order records: 5 years, as required for tax and accounting under Indonesian regulation.
- Pending booking holds: released back to the pool within 24 hours of expiry.
- Server logs: 30 days.
- Newsletter subscribers: until you unsubscribe.
6. Your rights under UU PDP
You have the right to:
- Access — ask for a copy of everything we have on you.
- Correct — fix anything inaccurate.
- Delete — close your account and erase your personal data (we'll keep order records for the legally required 5 years; everything else is removed).
- Object — to processing you don't agree with.
- Withdraw consent — for anything you previously opted into (newsletter, marketing).
- Portability — get your data in a machine-readable format.
- Complain — to Komisi Pelindungan Data Pribadi if you believe we've violated the law.
Email us with your request and the email associated with your account. We'll verify it's actually you and respond within 14 working days.
7. Cookies, exactly
We use the minimum number of cookies that make the site work:
audi_cart— your cart contents.audi_discount— currently applied discount code.authjs.session-token— your sign-in session, when logged in.__Host-authjs.csrf-token— anti-CSRF token for sign-in.
We do not use third-party advertising cookies or trackers. We use Vercel Analytics (when enabled) for aggregated page views — no personal identifiers leave your browser to Vercel.
8. Security
We take reasonable measures to protect your data: TLS everywhere, bcrypt for password hashes, signed JWTs for sessions, signed webhooks for payments, rate limiting on auth + payment endpoints. No system is 100% secure; if we discover a breach affecting your data we'll notify you within 72 hours as required by UU PDP.
9. Children
Sancorino isn't aimed at children under 17. We don't knowingly collect data from minors without parental consent. If you believe a child has signed up, email us and we'll remove the account.
10. Changes to this policy
We may update this policy from time to time. The "Updated" date at the top reflects when. For material changes we'll email you (if you have an account) or show a banner before the changes take effect.
Questions about this page?
Email us at hello@sancorino.shop or message us on WhatsApp — we'll get back to you within a business day.