
Privacy & Data Protection Policy

Version: 1.0
Data Controller: PT. Panemu Solusi Industri

This policy applies to all business activities of PT. Panemu Solusi Industri ("Panemu"), covering the panemu.com website, Spares Cataloguing System® (SCS®) services, consulting services, marketing communications, recruitment, and client data processing. We comply with Indonesia's Personal Data Protection Law No. 27 of 2022 (PDP Law) and, where they apply, the EU GDPR and the Australian Privacy Act 1988, and we align our controls with ISO/IEC 27001 (information security) and ISO 8000 (data quality).

About This Policy

PT. Panemu Solusi Industri (hereinafter "Panemu", "we", "us", or "our") is committed to protecting the privacy and personal data of every individual who interacts with us — whether through the panemu.com website, the Spares Cataloguing System® (SCS®) service, master data consulting projects, official communication channels, or any other business activity.

This policy transparently explains: (a) what personal data we collect; (b) how we use it; (c) with whom we share it; (d) how we protect it; and (e) what rights you have over your data.

This policy applies on an enterprise-wide basis and is not limited to website interactions. It binds all Panemu entities, subsidiaries, employees, contractors, and partners who process personal data on our behalf.

Data Controller

The Data Controller as defined in Article 1(4) of Indonesia's PDP Law is:

PT. Panemu Solusi Industri
Head Office: Jl. Panemu No.01, Kalisoka, Margosari, Kec. Pengasih, Kab. Kulon Progo, Special Region of Yogyakarta, 55652, Indonesia
Email: [email protected]
Phone: +62 812-1590-2011

Data Protection Officer (DPO): Reachable via [email protected] with subject "DPO".

For EU customers, Panemu appoints a GDPR Article 27 representative (where required) through our authorised partner; details available upon request.

Definitions

Term | Definition
Personal Data | Any information relating to an identified or identifiable natural person (GDPR Art. 4(1); PDP Law Art. 1(1)).
Sensitive Personal Data | Health, biometric, genetic, criminal records, children's data, personal financial data, and other categories defined by law (PDP Law Art. 4(2)).
Data Subject | The natural person to whom personal data relates.
Data Controller | The party determining the purposes and means of processing personal data.
Data Processor | The party processing personal data on behalf of the Controller.
Processing | Any operation performed on personal data (collection, recording, use, disclosure, etc.).
SCS® | Spares Cataloguing System®, Panemu's proprietary software for material master data standardisation.

Data We Collect

We collect the following categories of data, either directly (you provide) or automatically (via system interaction):

A. Identity & Contact Data

  • Full name, job title, company
  • Email address, phone number, business address
  • Professional profile information (LinkedIn, etc.)

B. Technical & Usage Data

  • IP address, device type, operating system, browser
  • Activity logs, access history, pages visited
  • Cookies and other digital identifiers

C. Commercial & Communication Data

  • Demo request history, proposals, contracts
  • Email correspondence, WhatsApp Business, recorded calls (with consent)
  • Meeting notes, payment history, invoices

D. Client Data (within SCS® / consulting projects)

  • Client material/spare parts master data (typically non-personal)
  • Identity of client users accessing SCS® (name, email, role)
  • Audit logs and in-application user activity

E. Job Applicant Data

  • CV/resume, education, work experience
  • Assessment results, references, photo (if provided)

Note

Panemu generally does not collect Sensitive Personal Data (health, biometric, etc.). If required for specific contexts (e.g. certain security verifications), we will obtain explicit consent first.

Legal Basis for Processing

We process personal data on the following legal bases (aligned with PDP Law Art. 20 & GDPR Art. 6):

  1. Consent — for marketing, non-essential cookies, and other specific purposes.
  2. Contract Performance — to provide SCS®, consulting, and support services to clients.
  3. Legal Obligation — to comply with tax, reporting, and sectoral regulations.
  4. Legitimate Interest — for system security, fraud prevention, and non-intrusive business analytics.
  5. Vital Interest — to protect life in emergency situations.
  6. Public Task — where required for specific government projects.

Purposes of Use

Purpose | Data Used | Legal Basis
Provide SCS® & consulting services | Identity, contact, client data, activity logs | Contract
Marketing & nurturing communications | Email, job title, company, interaction history | Consent
Billing, accounting, tax reporting | Name, tax ID, address, transaction history | Legal Obligation
System security & fraud prevention | IP, logs, device identifiers | Legitimate Interest
Employee recruitment | CV, assessments, references | Consent + Pre-contract
Website analytics & service improvement | De-identified behavioural data | Legitimate Interest
ISO 27001 compliance / security audits | Access logs, audit trail | Legitimate Interest (Legal Obligation where an audit is required by law or a regulator)

Client Data Processing in SCS®

For SCS® services and master data projects, our relationship with clients is governed by a separate Data Processing Agreement (DPA), under which:

  • The Client acts as Data Controller for data they upload to SCS® (including their own user identities).
  • Panemu acts as Data Processor, processing data solely under the Client's written instructions.
  • Panemu implements technical & organisational measures (TOMs) compliant with ISO 27001 and the PDP Law.
  • Sub-processors (cloud providers, supporting vendors) are engaged only after due diligence and with Client approval as set out in the DPA.
  • Client data is not used for Panemu's marketing or sold to third parties.
  • Upon contract termination, data is returned or securely destroyed in accordance with the DPA.

Cookies & Tracking Technologies

The panemu.com website uses cookies in the following categories:

  • Essential Cookies — required for basic functions (session, security). No consent required.
  • Analytics Cookies — Google Analytics 4 (GA4 does not log or store visitor IP addresses). Consent required.
  • Marketing Cookies — Meta Pixel, LinkedIn Insight Tag, Google Ads remarketing. Consent required.
  • Preference Cookies — store language and display settings. Consent required.

You can manage cookie preferences via the consent banner on first visit, or through cookie settings.

Sharing with Third Parties

We do not sell your personal data. Data may be shared on a limited basis with:

  • Service Providers (Sub-processors) — cloud hosting, email marketing, CRM, payment gateway, analytics. Bound by confidentiality and DPA.
  • Business Partners — only for services you have requested, with consent.
  • Legal Authorities — under valid legal requests (courts, police, tax authorities, regulators).
  • Professional Advisors — accountants, auditors, legal counsel bound by confidentiality obligations.
  • Corporate Transactions — in mergers, acquisitions, or restructuring, with notice to you.

A complete and up-to-date list of sub-processors is available upon request.

Cross-Border Data Transfers

Some of our sub-processors are located outside Indonesia. Cross-border transfers are conducted with equivalent protection guarantees, in accordance with:

  • PDP Law Art. 56 — transfers only to jurisdictions with equivalent or higher protection, or with adequate contractual safeguards.
  • GDPR Chapter V — European Commission Standard Contractual Clauses (SCCs) for transfers outside the EEA.
  • Australia Privacy Principle 8 — accountability for transfers outside Australia (where applicable).

We apply additional safeguards: encryption, access controls, and contractual clauses preserving data subject rights.

Data Retention

Category | Retention Period | Reason
Client contracts & transactions | 10 years after contract termination | Indonesian Tax & Accounting Law
Invoice & bookkeeping data | 10 years | KUP Law Art. 28
Lead & prospect data (not yet client) | 2 years from last interaction | Legitimate marketing interest
Unsuccessful applicant data | 1 year (or until withdrawn) | Talent pool, with consent
Employee data (post-employment) | 5–10 years (per Labour Law) | Legal obligations & claims
Security logs & audit trail | 1–2 years | ISO 27001 & forensics
Analytics cookies (de-identified data) | 26 months | Aggregate analytics
Client data in SCS® (as processor) | Per DPA with client | Client instruction

After the retention period, data is destroyed or permanently anonymised using industry-standard methods.

Data Security

We implement technical and organisational measures (TOMs) aligned with ISO/IEC 27001 and ISO 8000 standards:

Technical Controls

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Multi-factor authentication for critical system access
  • Role-based access control (RBAC) with least-privilege principle
  • Continuous audit logging and monitoring
  • Regular vulnerability assessment & penetration testing
  • Patch management and secure SDLC (OWASP Top 10)
  • Encrypted backups following the 3-2-1 strategy (three copies of the data, on two different media, with one copy held off-site)

Organisational Controls

  • Documented Information Security Management System (ISMS)
  • Annual security awareness training for all employees
  • Non-disclosure agreements (NDA) for all staff and contractors
  • Incident response plan and business continuity plan
  • Vendor risk management for all sub-processors
  • Privacy by Design & by Default in product development

Security Disclaimer

While we implement best-practice security, no system is 100% secure. We are committed to continuous improvement and transparency in the event of an incident.

Data Subject Rights

Under PDP Law Art. 5–13, GDPR Chapter III, and Australia Privacy Principles, you have the following rights:

  1. Right to Information — know what data we process and for what purpose.
  2. Right of Access — request a copy of your personal data.
  3. Right to Rectification — request correction of inaccurate data.
  4. Right to Erasure (Right to be Forgotten) — request deletion under certain conditions.
  5. Right to Restrict Processing — request processing restrictions in specific situations.
  6. Right to Object — object to processing for marketing or profiling purposes.
  7. Right to Data Portability — receive your data in a structured, transferable format.
  8. Right to Withdraw Consent — withdraw any consent given, at any time.
  9. Rights regarding Automated Decisions — not be subject to solely automated decisions with legal effect.
  10. Right to Lodge a Complaint — complain to the supervisory authority (in Indonesia: the body established under the PDP Law).

To exercise your rights, send a request to [email protected]. We respond within 3×24 hours where the PDP Law requires it (PDP Law Art. 14) and, for GDPR requests, within one month of receipt, extendable by up to two further months for complex or numerous requests (GDPR Art. 12(3)).

Data Breach Notification

In the event of a personal data breach:

  • We notify affected data subjects and the supervisory authority in writing within 3×24 hours of identifying the breach (PDP Law Art. 46).
  • For EU data subjects: the competent supervisory authority is notified within 72 hours (GDPR Art. 33), and affected individuals are notified without undue delay where the breach is likely to result in a high risk to them (GDPR Art. 34).
  • The notification includes: type of data affected, possible impact, mitigation steps taken and planned, and recommended actions for you.
  • Forensic investigation and post-mortem are conducted to prevent recurrence.

Minors

Panemu services are intended for adult business users (B2B). We do not knowingly collect data from individuals under 18 years of age (or the minimum age applicable in your jurisdiction). If we become aware of such collection, we will delete it promptly.

Marketing & Communications

  • Marketing communications (email, WhatsApp, phone) are sent only after your consent or under legitimate B2B interest.
  • Every marketing email includes a working one-click unsubscribe link.
  • You may withdraw consent at any time via [email protected].
  • We use third-party platforms (e.g. LinkedIn Ads, Meta Ads, Google Ads) configured to respect your privacy preferences.
  • Retargeting and lookalike audiences rely on the marketing cookies and pixels described above, which are set only with your consent and can be switched off at any time via cookie settings.

Recruitment & Employees

  • Applicant data (CV, assessments, references) is used solely for recruitment.
  • For unsuccessful applicants, data is retained for up to 1 year for talent pool — with explicit consent. Without consent, data is deleted within 90 days.
  • For employees: HR data is processed under employment contracts, legal obligations (BPJS, tax), and legitimate company interests.
  • Employees sign a separate Employee Privacy Notice detailing processing activities.

Policy Changes

This policy may be updated from time to time. Material changes will be notified via:

  • Notice on panemu.com (at least 14 days before effective);
  • Email to registered users and active clients;
  • In-application notice within SCS® (where relevant).

The latest effective date is always shown at the top of this policy. Previous versions available upon request.

Governing Law

This policy is governed by and construed under the laws of the Republic of Indonesia, in particular:

  • Law No. 27 of 2022 on Personal Data Protection;
  • Law No. 11 of 2008 as amended by Law No. 19 of 2016 on Electronic Information & Transactions;
  • Government Regulation No. 71 of 2019 on Electronic Systems and Transactions;
  • Related implementing regulations.

For data subjects in other jurisdictions, more protective local laws apply, including:

  • GDPR (Regulation EU 2016/679) for data subjects in the EEA;
  • Privacy Act 1988 (Cth) and Australian Privacy Principles for data subjects in Australia.

Disputes shall first be settled amicably; failing which, through the District Court at Panemu's domicile, unless otherwise determined by contract or applicable law.

Contact

For questions, requests regarding your rights, or to report privacy issues, please contact us via:

PT. Panemu Solusi Industri
Email: [email protected]
Phone: +62 812-1590-2011
Head Office: Jl. Panemu No.01, Kalisoka, Margosari, Kec. Pengasih, Kab. Kulon Progo, Special Region of Yogyakarta, 55652, Indonesia

Supervisory authority: you have the right to lodge a complaint with Indonesia's personal data protection supervisory body under the PDP Law, or your local Data Protection Authority.