Privacy Policy
This page — covers what data we collect, why we hold it, and how you exercise your rights over your winner toto record.
LEGAL REFERENCE
How We Handle Your Account Data
This is the winner toto privacy policy — the plain-English version of how we collect, store and protect the information tied to your account. We cover what we...
Data we collectCookies explainedYour rightsRetention rulesContact our DPO
Our Privacy Posture and Your Rights
We process your personal data only where local law permits and only for the account, transaction and security reasons spelled out in this policy. That means identity details at signup, device and session logs while you browse, and payment references when you move funds through DANA, OVO, GoPay or QRIS. We never sell your data. We share it with licensed processors —
KYC partners, payment rails, fraud screens — under written agreements. You can ask us to export, correct or delete your record at any time, subject to retention duties we owe regulators in supported regions. Requests are handled within thirty days. Where Indonesian data protection rules apply, we follow them in full.
Service availability is jurisdiction-dependent. Users are responsible for checking local law before access.
WHY THIS PLATFORM
How We Keep This Policy Honest
Annual Policy Audit
Our legal team reviews every clause once a year and after any major product change, so what you read here matches what our systems actually do behind the scenes.
Named Reviewers
Each revision is signed off by our DPO and head of compliance. We log who approved what and when, and we can show that audit trail if a regulator asks.
Processor Register
We keep a live register of the third parties that touch your data — KYC vendors, payment rails, anti-fraud screens — and we vet each one before they handle a single record.
Breach Protocol
If something goes wrong, we follow a written incident plan: contain, assess, notify affected accounts and the regulator inside seventy-two hours where Indonesian law requires it.
Minimum Collection
We ask for the least data needed to run your account safely. Optional fields stay optional, and we flag clearly when something is required for KYC or payment processing.
Plain Language
This policy avoids legalese where it can. If a clause sounds vague to you, that is a bug — write to us and we will rewrite it in the next revision cycle.
WHY THIS PLATFORM
Consistency Across Our Policy Pages
Cookie Notice
Sister page focused only on browser storage, tracking pixels and the consent toggles you can flip from the footer at any time.
Terms of Service
Covers the contract between you and us. Privacy sits alongside it but stands on its own legal footing under Indonesian data rules.
KYC Policy
Explains the identity checks we run at signup and before larger withdrawals. Cross-referenced here whenever we mention verification data.
AML Policy
Describes the transaction monitoring we do. Privacy clauses align so you know which payment data feeds anti-money-laundering screens.
Complaints Procedure
Tells you how to escalate if a privacy answer from us does not satisfy you, including the regulator path in supported regions.
Account Closure
Documents the deletion and retention rules referenced in this policy, so the timelines you read here match what happens at closure.
AT A GLANCE
What Sits Inside This Policy Page
01
Scope Statement
The opening clause tells you which winner toto surfaces are covered — web, mobile lobby, live chat — so you know where this policy applies and where partner terms take over instead.
02
Data Categories
A clear list of the data types we hold: identity, contact, device, session, transaction and support history. Each category links to the legal basis we rely on.
03
Retention Table
We publish how long each data category stays on file, from session logs that drop in days to KYC records we must keep for years under Indonesian rules.
04
Rights Panel
A dedicated block walks you through access, correction, portability, objection and erasure — with the exact channel to use for each request type.
05
Update Log
Every revision is dated at the foot of the page with a short summary of what changed, so you can spot a new clause without rereading the whole document.
06
Contact Block
DPO email, postal address and chat route sit at the bottom of the page so you never have to hunt for the right channel when you want to raise something.
Privacy Questions We Hear Most
We ask for your name, date of birth, email, phone and a government ID reference for KYC. Anything beyond that is optional and clearly marked as such on the signup form itself.
Only the minimum needed to route a transaction. DANA, OVO, GoPay and QRIS receive a reference and amount, not your full profile. Their own privacy terms cover what they then do with it.
Active account data stays while your profile is open. After closure we hold KYC and transaction records for the period Indonesian financial law requires, then purge the rest on schedule.
Yes. Email the DPO from your registered address, pass a quick identity check, and we send a structured export within thirty days. There is no charge for a first request.
Open a closure request through chat or the DPO inbox. We remove marketing and profile data immediately and erase the rest once statutory retention windows for supported regions have passed.
Our incident team contains the issue, assesses the impact and notifies you and the regulator within seventy-two hours where required. You will hear from us directly if your record was touched.
The headline rules are summarised here, but the full detail sits on our cookie notice. You can flip consent toggles from the footer banner at any time without affecting your login.