Legal Information

Welcome to CatatYuk's legal documentation. We are committed to transparency and compliance in serving MSMEs, online sellers, and small businesses. Please review these terms carefully as they govern your use of our services.

Last updated: September 2025

Terms & Conditions

1. Acceptance of Terms

By accessing and using CatatYuk's web and mobile applications, you accept and agree to be bound by the terms and provisions of this agreement. If you do not agree to abide by the above, please do not use this service.

CatatYuk reserves the right to modify these terms at any time. Your continued use of the service following the posting of changes constitutes your acceptance of such changes.

2. Account Creation & Responsibilities

You must create an account to access our services. You are responsible for maintaining the confidentiality of your account credentials and for all activities that occur under your account. You must provide accurate and complete information during registration. You must immediately notify CatatYuk of any unauthorized use of your account. CatatYuk reserves the right to terminate accounts that violate these terms.

3. Data Usage Policy

CatatYuk collects and processes personal data as described in our Privacy Policy. By using our services, you consent to such processing and you warrant that all data provided by you is accurate.

You retain all rights to your data. CatatYuk does not claim ownership of your data but requires certain rights to provide the service:

  • We store and process your data to provide and improve our services.
  • We may use anonymized, aggregated data for analytical purposes.
  • We implement high-level security measures to protect your data.

4. Subscription & Payment Terms

  • Subscription fees are billed in advance on a monthly or annual basis.
  • All payments are non-refundable unless otherwise specified.
  • CatatYuk reserves the right to change subscription fees upon reasonable notice.
  • Failure to pay subscription fees may result in service suspension or termination.

5. Limitations of Liability

CatatYuk services are provided on an “as is” and “as available” basis, without any warranties or representations of any kind, whether express, implied, statutory, or otherwise. This includes, but is not limited to, implied warranties of merchantability, fitness for a particular purpose, non-infringement, and availability.

To the fullest extent permitted by law, CatatYuk and its affiliates, partners, officers, employees, and agents shall not be liable for any indirect, incidental, special, consequential, or punitive damages. This includes, without limitation, loss of profits, revenue, goodwill, business opportunities, or other intangible losses.

However, CatatYuk acknowledges its responsibility for any direct damages resulting from:

  • Data loss, corruption, or errors caused solely by CatatYuk’s systems, infrastructure, or technical failures.
  • Failure to deliver services or features explicitly listed in the subscribed package.

6. Termination

CatatYuk may terminate or suspend your account and access to the service immediately, without prior notice or liability, for any reason, including without limitation if you breach the Terms.

Upon termination, your right to use the service will immediately cease. You may terminate your account at any time by contacting support or through your account settings.

Privacy Policy

Introduction

CatatYuk is committed to being a trusted partner for MSMEs, online sellers, and small businesses by simplifying financial recording and reporting. We place great value on transparency, security, and building long-term relationships with our users based on trust. Part of that commitment is safeguarding your personal and financial data and respecting your choices about how that data is used.

CatatYuk processes personal and financial information of Indonesian residents. We comply with applicable data protection laws, in particular Undang-Undang Nomor 27 Tahun 2022 tentang Pelindungan Data Pribadi (UU PDP), and related implementing regulations. It is our duty to inform you of our commitments in this respect and to adopt this privacy policy (the “Privacy Policy”).

Our commitments

  • We respect your privacy and your choices.
  • We implement privacy and security by design and by default across our services.
  • We work only with trusted service providers and partners who meet our security requirements.
  • We are transparent about how we collect, use, share, and retain personal and financial data.
  • We will not use or share your data in ways we have not disclosed.
  • We respect and facilitate the rights afforded to data subjects under UU PDP and we will respond to valid requests in accordance with the law.

Exercising your rights

You have rights including (but not limited to):

  • obtain information about how your data is processed;
  • access and obtain a copy of your personal data;
  • request correction or completion of inaccurate or incomplete data;
  • request deletion or destruction of your personal data where permitted;
  • withdraw consent where processing is based on consent;
  • object to automated decision-making or profiling that produces legal or similarly significant effects; and
  • submit complaints and seek remedies for breaches.

To exercise any of these rights, please contact us at support@catatyuk.com or use the data management portal inside your CatatYuk account. We will respond to valid requests in accordance with UU PDP and applicable timelines.


I. PURPOSES OF THIS PRIVACY POLICY

Who are the Data Controllers?

The primary data controller for the processing of your Personal and Financial Data is:

CatatYuk
Email: support@catatyuk.com

CatatYuk determines how and why your data is processed, ensures the implementation of security and data protection measures, and fulfills its obligations under the Applicable Regulations.

To whom does this Privacy Policy apply?

This Privacy Policy applies to:

  • All visitors to the CatatYuk website.
  • Users of the CatatYuk application.
  • Business partners or organizations that subscribe to CatatYuk services.

What does “Personal and Financial Data” mean?

“Personal and Financial Data” includes:

  • Personal identifiers such as name, email, phone number, and business details.
  • Financial records you input into CatatYuk, such as transaction history, invoices, expenses, and account details.
  • Device and technical information, such as IP addresses, browser type, and cookies.

How do we collect your data?

We may collect your data in the following ways:

  • Directly from you: when you create an account, input transactions, upload documents, or contact our support team.
  • Automatically: through technologies such as cookies, tracking logs, or app analytics.
  • Indirectly: from service providers, partners, or integrations you choose to enable (e.g., payment gateways, banking connections, or third-party accounting tools).

Is providing your data mandatory?

Yes, certain information is required for CatatYuk to function properly (e.g., account details, transactions). If you choose not to provide this information, you will not be able to use the features of the service.


II. Table summarizing the Personal Data processing carried out by CatatYuk

| Purpose of processing | Legal basis | Categories of data processed | How we collect it | Typical retention period | Controller / Responsible entity |
|---|---|---|---|---|---|
| Account creation & management | Performance of contract; legitimate interest (account security) | Identification: name, email, phone, business name, role; authentication data (hashed password); account settings | Collected directly from you when you register or update profile | Until account deletion + 90 days (for operational backup), unless longer required by law | CatatYuk |
| Core bookkeeping & reporting services | Performance of contract; legal obligation (tax/accounting laws) | Financial records: transaction entries, invoices, receipts, bank reconciliation data, tax identifiers, account numbers; business details | Uploaded manually by you, imported via integrations (bank, POS, marketplace), or entered via API | Retained for duration of subscription and thereafter per applicable law (typically 5–10 years) | CatatYuk |
| Billing, payments & invoicing | Performance of contract; legal obligation (financial/tax recordkeeping) | Billing name, billing address, invoicing data, payment method token | Collected at checkout or via payment provider integration | Retained for 10 years for audit and tax purposes (or longer if local law requires) | CatatYuk (payment processors are separate processors) |
| Support & dispute resolution | Performance of contract; legitimate interest | Contact details, chat/email logs, support notes, technical logs, screenshots you provide | Collected when you contact support or when support captures logs during troubleshooting | 3 years from last interaction (longer if needed for ongoing disputes or legal obligations) | CatatYuk |
| Security, fraud prevention & system integrity | Legitimate interest; legal obligation (cybersecurity) | IP addresses, device identifiers, authentication logs, system logs, incident reports | Collected automatically by systems and security tools | 2 years for logs (or as required for incident investigation); critical incident data retained longer as needed | CatatYuk |
| Analytics & product improvement | Legitimate interest or anonymized analytics; consent for certain tracking | Usage metrics, anonymized analytics, page/events, performance metrics | Collected automatically (analytics scripts, server logs) | Aggregated/anonymized data: indefinite; personal-level analytics: until withdrawal of consent (or up to 3 years then aggregated/deleted) | CatatYuk |
| Marketing & communications | Consent (for marketing) or legitimate interest for certain transactional notices | Email, name, company, marketing preferences | Collected when you opt-in or provide details via site/forms | Until withdrawal of consent (or up to 3 years inactive for re-engagement unless you opt-out sooner) | CatatYuk |
| Compliance & legal requests | Legal obligation; public interest | Any relevant account and transaction data required by regulators | Collected from your account or via logs when responding to lawful requests | Retained as required by law or until legal matters are concluded | CatatYuk |

Notes: Under UU PDP, lawful bases include consent, performance of a contract, legal obligation, vital interest, public interest, and legitimate interests. Retention periods may reflect local tax/bookkeeping guidance (often up to 10 years for certain records).


III. Profiling, Access & Security

1. Profiling and automated decision-making

How we use profiling (if at all)
To help you run your business more efficiently, CatatYuk may perform limited automated analysis on account and transaction data — for example:

  • generating aggregated insights and trends (cashflow categories, expense breakdowns);
  • producing non-binding risk or anomaly signals (e.g., potential duplicate transactions, unusual spending patterns) to help spot errors or fraud; and
  • creating product-personalization suggestions (onboarding tips, feature recommendations) to reduce time-to-value.

Legal basis and choice
Such profiling is performed either on the basis of our legitimate interest to improve and secure the service, or on your consent where required. Where we rely on consent for profiling, we will obtain that consent clearly and record it; you can withdraw consent at any time (see “Your rights” below).

No fully automated decisions that have legal or similarly significant effects
We do not make fully automated decisions that produce legal effects or similarly significant consequences for you (for example, account suspension, denial of access, or other materially adverse outcomes) without human review. Any automated signals that could influence a significant decision will be reviewed by a CatatYuk employee before action is taken.

2. Who may access your Personal, Financial Data, and Payment Data

Internal access – The following CatatYuk teams may access your data for legitimate business purposes and only on a need-to-know basis:

  • Customer Success & Support (to troubleshoot issues and help you onboard);
  • Engineering & Operations (to maintain, run and secure the platform);
  • Product & Analytics (to improve features using aggregated or pseudonymized data);
  • Billing & Finance (to manage subscriptions and invoicing); and
  • Legal & Compliance (for legal requests, audits, or investigations).

All internal access is governed by role-based permissions, least-privilege controls, logging, and mandatory training on data protection.

External recipients (processors and third parties) – We sometimes share your data with carefully selected third parties who act as data processors or joint controllers under written agreements that limit their use of data. These include:

  • Cloud hosting and infrastructure providers;
  • Payment processors and billing partners;
  • Integration partners you enable (bank connectors, marketplace connectors);
  • Analytics and monitoring providers (for performance and error reporting); and
  • Legal advisors, auditors, or regulators where required by law.

We never sell your Personal or Financial Data. If CatatYuk (or its assets) is ever transferred in a sale, we will provide notice and continue to protect your data under contract; the buyer would become the new controller for transferred data.

3. Where we store data and cross-border transfers

Storage location – By default CatatYuk stores and processes data on secure servers located in Jakarta. Where we must transfer or process data outside Indonesia (for example, to a global cloud provider region or a partner), we do so only with appropriate safeguards.

Cross-border transfers – Cross-border transfers are performed in accordance with UU No. 27/2022 and implementing rules. We rely on one or more of the following safeguards before transferring personal data abroad: (i) transfer to a country with an adequate level of protection; (ii) appropriate safeguards such as contractual clauses or binding policies; or (iii) explicit consent from the data subject if required by law. CatatYuk documents and monitors cross-border transfers and can provide details on request.

4. Security measures and breach handling

Technical & organisational measures – We apply industry-standard technical and organisational safeguards appropriate to the sensitivity of the data, including but not limited to:

  • encryption in transit (TLS) and at rest;
  • strong access controls and role-based permissions (least privilege);
  • secure development practices and regular vulnerability assessments; and
  • regular encrypted backups.

We also require our processors and partners to implement comparable security measures through binding contracts.

Data breach notification – If CatatYuk becomes aware of a personal data breach that is likely to result in a risk to the rights and freedoms of data subjects, we will follow our incident response procedures and notify affected individuals and the competent authorities in accordance with UU No. 27/2022 and applicable implementing rules.

5. Your rights and how to exercise them (under UU PDP)

Under UU No. 27/2022 you have rights as a Data Subject. These include the right to:

  • obtain clear information on how we process your data;
  • access and obtain a copy of your Personal Data;
  • request correction or completion of inaccurate or incomplete data;
  • request deletion or destruction of your Personal Data (when permitted by law);
  • withdraw consent where processing is based on consent;
  • object to processing based on legitimate interest;
  • request restriction of processing in certain circumstances;
  • request portability of Personal Data you provided in a structured, machine-readable format; and
  • object to automated decision-making or profiling that produces legal or similarly significant effects.

6. How to exercise your rights

You may exercise your rights by:

  1. Using the data management / privacy tools in your CatatYuk account (recommended); or
  2. Sending an email to support@catatyuk.com with the subject line: “Data Privacy Request_[Your name]”, describing the request and the email used for the account.

For verification we may ask for reasonable proof of identity (e.g., a photo of an ID or confirmation from the account admin). We delete any identity proof after verification unless retention is required by law.

We will acknowledge simple requests promptly and handle requests in accordance with UU No. 27/2022. Where a request is complex we will inform you about any extension, the reason, and expected timing. Where permitted by law, we may refuse manifestly unfounded or excessive requests (e.g., repetitive requests) and will tell you why.

If you are not satisfied with our response, you may lodge a complaint with the competent data protection supervisory authority in Indonesia, or pursue other remedies provided by law. We also welcome you to contact us first at support@catatyuk.com so we can try to resolve the issue directly.

7. Contact & Data Protection Officer (DPO)

If you have questions about profiling, access, transfers, or any privacy matter, contact us at:

CatatYuk
Email: support@catatyuk.com

If CatatYuk appoints a Data Protection Officer (DPO) or local privacy lead, we will publish their contact details here and in your account.