
Privacy Policy

Effective April 2026. Last updated April 2026.

The gist

  1. We only collect data needed to operate the Platform. Nothing more.
  2. Payment card data never touches our servers — everything is processed by Stripe.
  3. IP and User-Agent are logged on download as chargeback evidence. Kept for 365 days.
  4. We don't sell your data. Not for ads. Not for third-party marketing.
  5. You can access, correct, or request deletion of your data anytime via email.

01

Who is responsible for your data.

This Privacy Policy explains how Fibidy collects, uses, stores, and protects the personal data of Users who use the fibidy.com platform along with all subdomains and services.

Fibidy is operated independently by an individual operator based in Indonesia. In the context of Law No. 27 of 2022 on Personal Data Protection (UU PDP), Fibidy acts as the Personal Data Controller for data collected through the Platform.

For all questions, requests, or complaints related to personal data, contact admin@fibidy.com.

02

Data we collect.

Account data — At registration we collect your email address and password (the password is stored as a bcrypt hash). For Users who upgrade to Seller, we also collect the store name, business category, WhatsApp number, description, and address that you voluntarily provide.

Store profile data — Sellers may upload logos, product photos, and other content to display their store and digital products.

Digital product data — PDF files uploaded by Sellers for sale, along with related metadata (file name, size, page count, upload time).

Transaction data — For each purchase, we record the payment session ID, payment intent ID, amount paid, currency, platform fee, and transaction source (Direct or Discover). Payment card data never reaches Fibidy's servers — all card processing is done by Stripe.

Download log data — For each product download by a Buyer, we record the IP address, User-Agent, and download time. The purpose is to provide proof of file access as chargeback evidence. This data is kept for a maximum of 365 days.

Session data — We use httpOnly session cookies to keep you logged in. Details in the Cookie Policy at fibidy.com/legal/cookies.

Aggregate usage data — We use Vercel Analytics which collects anonymous visitor statistics, without tracking cookies and without identifying individuals.

03

Why we collect data.

To provide and operate the Platform, including authentication, account management, and service delivery to Sellers and Buyers.

To process payments and payouts through Stripe.

To fulfill Seller identity verification (KYC) obligations through Stripe Connect for compliance with anti-money-laundering regulations.

To provide technical evidence (download logs) for chargeback disputes and protection against unfounded claims.

To send important notifications about accounts, transactions, service changes, or policy changes.

To prevent, detect, and handle fraud, security violations, or Terms of Service violations.

To improve the Platform based on aggregate usage analysis.

To fulfill legal obligations under the laws of the Republic of Indonesia.

We do not use your data for third-party advertising, do not sell your data, and do not share it for third-party marketing purposes.

04

Legal basis for processing.

Processing of personal data is performed under one or more of the following legal bases, consistent with Article 20 of UU PDP:

Consent — you give explicit consent at registration by accepting this Privacy Policy.

Performance of contract — processing needed to fulfill the Terms of Service and provide services to you.

Legal obligation — processing needed to meet Fibidy's legal obligations.

Legitimate interest — processing for reasonable purposes such as Platform security, fraud prevention, and protection of legal rights, to the extent that it does not infringe fundamental User rights.

05

Third-party data processors.

To operate the Platform, we use third-party service providers that act as Data Processors under Fibidy's instructions. Each provider has their own privacy policy governing how they handle data.

Stripe, Inc. (United States and global affiliates) — processes payments, performs Seller KYC verification, and manages payouts. Stripe receives Seller identity data, transaction data, and Buyer card data. Stripe's privacy policy is available at stripe.com/privacy.

Supabase, Inc. (United States) — provides the PostgreSQL database infrastructure. All account data, transactions, and product metadata are stored in the database hosted by Supabase.

Upstash, Inc. (United States) — provides Redis infrastructure for cache, session management, and rate limiting. Data stored is transient and does not contain sensitive data.

Cloudflare, Inc. (global) — through the R2 service, we store the PDF files of digital products and preview files uploaded by Sellers.

Cloudinary Ltd. (United States and Israel) — stores image assets such as store logos and feature icons.

Railway Corp. (United States) — provides backend server hosting infrastructure for Fibidy.

Vercel, Inc. (United States) — provides frontend web hosting and anonymous analytics for Fibidy.

Some of the providers above are based outside Indonesia. Cross-border data transfers are performed on legal bases consistent with Article 56 of UU PDP, including your consent and performance of contract.

06

Digital product data and file security.

PDF files uploaded by Sellers are stored encrypted on Cloudflare R2. The internal file key (fileKey) is never exposed to Buyers or the public.

Buyers only obtain access via a temporary signed URL valid for 15 minutes, generated fresh each time the Buyer clicks the download button.

For each PDF product, the system automatically generates a preview file containing a maximum of the first 3 pages. The preview file is what appears on the public product page — the original file remains hidden until the Buyer purchases.

File integrity is verified at upload using the pdf-lib library. Files that are corrupt or cannot be processed are rejected at upload.

07

Download logs and chargeback evidence.

Each time a Buyer downloads a purchased product, the system records the IP address, browser User-Agent, download time, and related product ID.

Download log data is collected for two specific purposes: to provide file access evidence to Stripe if the Buyer files a chargeback, and to provide download history to Sellers for store operations.

Download logs are kept for a maximum of 365 days from the download time, then deleted periodically through a cleanup mechanism.

Recorded IP addresses are considered personal data under UU PDP. We process this data on legitimate interest grounds to protect against unfounded chargeback claims.

08

Data security.

We apply reasonable technical and organizational security measures to protect personal data, including: data transmission over encrypted HTTPS/TLS connections, password hashing with bcrypt at cost factor 12, login sessions with httpOnly and secure cookies, token versioning for automatic session invalidation when passwords change, rate limiting against brute-force attacks, and inter-User data isolation at the application and database layers.

Payments are processed by Stripe, which is certified PCI-DSS Level 1. Payment card data is never stored or processed on Fibidy servers.

No system can guarantee absolute security. If a security incident materially endangers User personal data, we will notify you as soon as possible after the incident is confirmed, consistent with the data breach notification obligations under UU PDP.

If you discover a security vulnerability, please report it to admin@fibidy.com with the subject "Security Report".

09

Data retention.

Active account data — retained while the account is actively in use.

Closed account data — once a closure request is confirmed, account data is permanently deleted within 30 days. After that period the data cannot be recovered.

Transaction data — retained for legal compliance and financial audit needs for the period required by tax regulations and other related regulations in Indonesia.

Download log data — retained for a maximum of 365 days, then automatically deleted.

Stripe webhook data — retained for a maximum of 90 days to support reprocessing if needed, then deleted.

Data stored by Stripe as a Data Processor is subject to Stripe's retention policies, including the need to maintain transaction records and KYC records in line with applicable financial regulations.

10

User rights.

Under UU PDP, you have rights as a Personal Data Subject, including:

Right of access — request a copy of the personal data we hold about you.

Right to rectification — request correction of inaccurate or incomplete data.

Right to erasure — request deletion of personal data, taking into account legal obligations that may limit it.

Right to restrict processing — request restriction of data processing under certain conditions.

Right to data portability — request a copy of your data in a structured and machine-readable format.

Right to withdraw consent — withdraw consent for processing you previously gave.

Right to object and complain — object to specific processing or file a complaint with the relevant authority.

To exercise these rights, send a request to admin@fibidy.com with the subject "Data Request". We will respond within a maximum of 14 business days. Some rights may be limited by legal obligations or Fibidy's legitimate interests.

11

Data of minors.

The Platform is not intended for children under 17 years old. We do not knowingly collect personal data from minors.

If you become aware or have concerns that a minor has provided personal data to the Platform, please contact admin@fibidy.com and we will delete the data as soon as possible.

12

International data transfers.

Because some of our Data Processors are based outside Indonesia, your personal data may be processed and stored in jurisdictions outside Indonesia, including the United States.

Cross-border data transfers are performed with regard to the level of personal data protection in the destination country consistent with Article 56 of UU PDP, and on the basis of your consent and the performance of a contract with you.

13

Changes to this Privacy Policy.

Fibidy may update this Privacy Policy from time to time. Registered Users will be notified of material changes via email at least 7 days before the effective date.

The latest version is always available at fibidy.com/legal/privacy. The "last updated" date at the top of the page shows the current effective version.

Continued use of the Platform after the effective date is considered acceptance of the latest version.

14

Contact.

For general questions about this Privacy Policy, contact admin@fibidy.com.

For Data Subject rights requests (access, correction, deletion, portability, and so on), use the same email with the subject "Data Request".

For security incidents or data breach reports, use the subject "Security Report".

Questions? admin@fibidy.com

Fibidy · Indonesia