Privacy Policy

Last updated: 19 April 2026

1. Who we are

Plugipay is a payment orchestration and subscription billing service operated by PT Forjio Teknologi Indonesia ("Forjio", "we", "us"). Plugipay is part of the Forjio commerce suite. We are based in Indonesia.

Plugipay is infrastructure — not a Merchant of Record. You (the merchant) keep the customer relationship, the tax liability, and the acquirer contract. We collect and process data on your behalf to provide the service.

2. What data we collect

Account data

Your account is managed by Huudis, the Forjio identity and access management service. When you sign in to Plugipay via Huudis OIDC, we receive: your email address, name, and Huudis account ID. We do not store passwords — authentication is fully delegated to Huudis.

Transaction and billing data

We collect and store records of payment transactions processed through Plugipay: checkout session details (amount, currency, status, payment method type), subscription records, invoice data, and ledger entries. This includes transaction IDs, timestamps, status transitions, and amount values.

We do not store card numbers, CVV codes, or full bank account numbers. Card and bank data is collected and stored by Xendit and PayPal directly, under their own PCI DSS compliance obligations. Plugipay receives a tokenized reference — not the raw payment credential.

Customer data (your customers)

When you create customers in Plugipay (via API, CLI, or dashboard), we store the customer information you provide: typically name, email, and an external ID from your system. As the merchant, you are the data controller for your customers' data. We process it on your behalf.

Technical and usage data

We log API requests (including endpoint, response status, and request ID) for debugging and security purposes. Dashboard usage is logged for operational monitoring. We collect IP addresses and user agent strings from dashboard sessions. We do not use third-party analytics or advertising trackers.

Adapter credentials

If you configure a Xendit or PayPal adapter, we store your API credentials encrypted at rest using AES-256 with KMS-managed keys. We never log credentials, display them after saving, or share them with third parties other than the gateway they authenticate.

3. How we use your data

  • To provide and operate the Plugipay service
  • To process payments and subscriptions on your behalf via Xendit and PayPal
  • To generate invoices, ledger entries, and financial records
  • To detect and prevent fraud and abuse
  • To send transactional notifications (payment events, invoice emails)
  • To respond to support requests
  • To comply with our legal obligations under Indonesian law

We do not sell your data. We do not use your transaction data to train AI models. We do not share data with advertisers.

4. Third-party services

Plugipay shares data with the following third parties to operate the service:

Service | Purpose | Data shared
Xendit | Payment gateway (IDR methods) | Amount, currency, payment method, customer token
PayPal | Payment gateway (international) | Amount, currency, PayPal order reference
Huudis | Identity, access management, webhook delivery | Account ID, event payloads for webhook fan-out

Each service operates under its own privacy policy and data processing agreements.

5. Data retention

We retain transaction and financial records for 7 years from the date of the transaction, in compliance with Indonesian financial record-keeping requirements. Account data is retained while your account is active and for 90 days after account termination. Technical logs are retained for 90 days. You can request deletion of non-financial data at any time (see §7).

6. Security

Plugipay stores all data encrypted at rest. Credentials (API keys, adapter secrets) use AES-256 with KMS-managed keys. All data in transit uses TLS 1.2 or higher. We never store card numbers or CVVs — payment credentials go directly to Xendit and PayPal. Our infrastructure runs on servers located in the Forjio cloud environment. Post-mortems for security incidents are published publicly on our status page.

7. Your rights

Under Indonesian Personal Data Protection Law (UU PDP) and applicable regulations, you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Correction — request correction of inaccurate data
  • Deletion — request deletion of your data (subject to legal retention requirements)
  • Portability — receive your data in a structured, machine-readable format
  • Objection — object to certain processing activities

To exercise these rights, email privacy@plugipay.com. We respond within 14 business days.

8. Cookies

The Plugipay dashboard uses session cookies to maintain your authenticated state (via Huudis OIDC). We do not use advertising cookies or third-party tracking cookies. The marketing site (plugipay.com) uses no analytics or tracking scripts.

9. Changes to this policy

We will notify you of material changes to this policy by email (to the address associated with your account) at least 30 days before the change takes effect. The updated date at the top of this page reflects the latest revision. Continued use of Plugipay after the effective date constitutes acceptance of the updated policy.

10. Contact

For privacy-related questions or to exercise your rights:

Email: privacy@plugipay.com

PT Forjio Teknologi Indonesia

Jakarta, Indonesia