Privacy Notice of PT XLSMART Telecom Sejahtera Tbk
("Privacy Notice" or "Notice")
Document Numbers : PN-C-DP-004
PT XLSMART Telecom Sejahtera Tbk ("XLSMART") is a telecommunications company legally domiciled in Indonesia, including its subsidiaries and affiliates, both directly and indirectly related (hereinafter referred to as "XLSMART" or "We"). XLSMART is the data controller for all personal information collected from data subjects as covered in this Notice, unless otherwise stated. Contact details for XLSMART are listed in the "Contact Us" section below.
In carrying out our operational activities, we are committed to protecting the personal data of parties related to XLSMART, including the personal data of customers, contractors, and business partners of XLSMART ("You").
Our position on the protection of your privacy can be summarised by the privacy protection principles below:
| TRANSPARENT | We are always open about what, why and how We collect and protect Your Personal Data so that You can make appropriate decisions and express consent to Us. |
| RIGHTS | We respect your rights as an individual, so Your Personal Data remains entirely under your control. |
| USAGE | We use Your Personal Data only for specific purposes that We state in this Notice, and We will retain it as long as necessary for those purposes or as required by regulations. |
| SECURITY | We have established strong cyber security practices in line with leading industry standards to protect Your Personal Data that you have shared with Us. |
| TRANSFER | We are very careful when transferring Your Personal Data to third parties such as vendors, contractors, business partners and government authorities. |
| ACCURACY | We will process Your Personal Data accurately, completely, without misleading information, up-to-date, and responsibly. |
A. Applicability of Privacy Notice
This Privacy Notice applies to personal information about You ("Personal Data") that We collect, obtain, process, or manage, analyse, store, amend, update, display, publish, transfer, disclose, delete or destroy, and/or protect when You:
1. Conduct business with XLSMART, either as a contractor, vendor, or business partner of XLSMART; and/or
2. Become a customer of XLSMART, use XLSMART products or services, use applications, visit XLSMART facilities, applications, and/or website including its derivative websites and applications.
In the event of a more specific privacy policy, the provisions related to privacy also follow that policy. We recommend that You read this Privacy Notice together with the terms and conditions of Our products/services because those documents may contain more specific information related to those products/services.
In brief, this Privacy Notice applies to:
1. All services offered by XLSMART.
2. All XLSMART administrative systems.
3. Contractors, vendors, and business partners of XLSMART.
4. Current customers and prospective customers of XLSMART; and
5. Visitors to XLSMART facilities and or buildings.
B. Basis for Acquiring and Processing of Personal Data by XLSMART
In carrying out operational activities, XLSMART is the Data controller that collects Personal Data based on legitimate grounds under laws and regulations, depending on the type and purpose of collecting Personal Data.
In general, we collect and process Personal Data on several grounds, including:
1. Your consent to this Privacy Notice, both mandatory and optional.
2. To carry out operational activities as a form of fulfilling our service to You, for example to provide network availability to your phone number, process service charges to your credit card, and so forth.
3. Fulfilling our obligations as a data controller of personal data to applicable laws and regulations.
4. Fulfilling our obligations on the basis of legitimate interest whilst taking into account the purpose, needs, and balance of our interests and your data subject rights.
If You have questions about this, please contact Us at the contact details provided in the "Contact Us" section below.
C. How XLSMART collects Your Personal Data
XLSMART collects Your Personal Data when You:
1. Collaborate with XLSMART, for example in due diligence activities, registering your company in the procurement system and/or accounting and billing systems, correspondence, registering your company to become a business partner of XLSMART.
2. Use of XLSMART's network, products, and services.
3. Visit facilities that We provide, such as office buildings and/or customer service centres.
4. Ask questions as a customer, register, update your data/information, to obtain information, or other services available to You.
5. Respond to communications from us (such as SMS, email, questionnaires, or surveys).
6. Interact with XLSMART's website, such as to learn about XLSMART products and services, submit application forms, fill out survey forms, use online services. (If your browser enables internet cookies, this may facilitate XLSMART to track personal preferences, pages visited, etc.).
7. Participate in XLSMART's social media pages.
8. Participate in XLSMART promotional events or loyalty programmes.
9. Contact XLSMART's customer call centre either physically, by telephone, or electronically to submit complaints or request other services.
10. Conduct mobile commerce transactions online on or through XLSMART's platform.
11. Grant permission to access information about the device/equipment and or telecommunications network used, including access to data about your location.
D. Personal Data that XLSMART Collects from You
Personal Data that We may collect from You includes but is not limited to:
1. Contact information (such as full name, date of birth, address, email address and telephone number).
2. Identification information (such as National Identity Card (KTP), Family Card (KK), passport, Tax Identification Number (NPWP), Social Security number (BPJS), Driver's Licence (SIM), or other identification issued by the government).
3. Demographic information (such as age range, marital status, gender, nationality, religion, race, and ethnicity).
4. Photos and video recordings, such as photos and/or video recordings for documentation needs at customer service centres, photos You submit for contests, reporting needs for agreement implementation, and recordings from CCTV cameras.
5. Information specific to products and services (such as preferences, closed user groups (CUGs), friends and family you choose to include in your service package, credit limits).
6. Banking information (such as account number, credit card information, bill payment history).
7. Telecommunications and XLSMART service information (such as call and SMS history, credit balance, transaction history, billing information, loyalty points).
8. Type and version of operating system, hardware version, device settings, software type, battery and signal strength, screen resolution, device identity (International Mobile Equipment Identity), brand and model, language, internet browser type and version, application usage and version.
9. Geographic location information, such as location obtained from your IP address or GPS, Base Station, Bluetooth or Wi-Fi signals, satellite, and location of telecommunications towers that are connected.
10. Some of Our services use biometric information as identification or authentication. Biometric data may include fingerprints, voice, audio, facial recognition features and/or video.
11. Information from and about various types of technology where our services are used (internet of things "IOT"), for example computers, phones, and tablets, as well as devices that can be used interactively, technology connected in homes or vehicles.
12. Your social media links or public profile, and any personal information that may be visible in them, which you may provide to Us for customer support transactions.
13. Account passwords that You may create; and
14. Other personal information that You may provide to us while using XLSMART products and/or services.
E. How XLSMART uses Your Personal Data
Your Personal Data may be obtained and processed by us for the following purposes:
1. To provide Our services and products:
a. To provide products, services, and offers that may be of interest to You.
b. To inform You about benefits and changes to Our products or services.
c. To provide You with Our latest offers, advertisements, and promotions.
d. To respond to and resolve Your complaints.
e. To understand how You use Our services.
f. To provide You with security updates, versions, features, options, and controls related to your system or device.
g. To process requests for products and/or services that You request or to process prizes that are your right for prize-winning activities that You carry out through XLSMART facilities.
2. To communicate with You:
a. To send You service messages.
b. When You participate in surveys.
c. To convey notifications regarding Your Personal Data, including in the event of a failure in the protection of Your Personal Data.
d. To send You information about Our product and service offerings or those offered by third parties that We think may be of interest to You.
3. In daily business operational activities:
a. To process payments and respond to customer service requests.
b. For research and studies related to Our business operational activities.
c. To carry out accounting, auditing, reconciliation and billing activities, protect Our legal rights and Yours, and fulfil our obligations under contracts to You and to Our business partners.
d. To process decision making both by Us and by Our third-party partners, including business partners and Our service providers.
4. For functionality, development, and service improvement:
a. To provide network connectivity, measure service usage levels, diagnose problems, and provide you with the latest security features.
b. To analyse, test, modify, improve, or develop new products, services and technologies and to identify existing trends.
c. To contact You and check and resolve issues and complaints that You face.
5. For advertising and marketing, as long as your data is relevant for this purpose:
a. We may use Your Personal Data to provide product and service offerings that match Your preferences.
b. We may use the physical location of Your device, combined with information about what advertisements You view and other information We obtain, to provide content that matches Your preferences.
c. You may choose to allow or decline these advertisement offerings. You may also decline permissions requested through Your device. However, if You choose to decline these offers and/or permissions, We may not be able to provide You with services and content that match Your preferences, which may benefit You. In such cases, You may still receive offer messages for some time while We update Our database.
6. For litigation purposes or fulfilment of legal obligations:
a. For the purposes of monitoring or investigating and taking further action on transactions that are [suspected] suspicious or contain elements of fraud, or violations of the terms of use of Our services or applicable legal regulations or norms, including maintaining the security of XLSMART's network and services.
b. fulfilment of legal obligations from XLSMART in accordance with the provisions of laws and regulations, including but not limited to the need for investigation processes, reporting to regulators, helping to detect and prevent fraud, tax evasion and financial crimes and fulfilling other obligations regulated by the provisions of applicable laws and regulations from time to time.
F. Automated Decision Making
In some services and features, We, either by Ourselves or by third-party business partners, may use Your Personal Data to generate automated decision-making that may affect You. Automated decisions are decisions related to the provision and offering of services that are made automatically based on the results of algorithmic calculations, without human intervention.
We, either by Ourselves or by third-party business partners, use automated analysis to:
a. Makes predictions about the types of products or services You are interested in, or in order to prevent criminal acts.
b. Conduct market research and statistical analysis, including analysis of activities, behaviour, and while You use Our products and/or services.
c. Determine marketing strategies.
d. Provide information to third parties, but not containing information that can identify You as an individual.
Artificial intelligence can lead to the automatic processing of Your Personal Data in various ways, and We ensure personal information is made anonymous or de-identified at certain stages. If this automated decision-making activity has significant consequences for You, We will implement steps to protect Your rights, freedoms and interests, by conducting a Data Privacy Impact Assessment to identify appropriate steps to protect those rights, or obtaining Your consent as required by laws and regulations.
G. Information Pertaining to Children and Persons with Disabilities
Before using the XLSMART network, products and/or services, We will only collect and process Personal Data belonging to children under the minimum age requirement or included in the category of children's age as determined by applicable legal regulations who have received consent, permission and supervision from parents (father or mother) or legal guardian of the owner of the Personal Data, subject to certain age restrictions on digital content that may be imposed by government authorities in Indonesia.
In the case of processing Personal Data belonging to persons with disabilities, such consent may be given by the owner of the relevant Personal Data directly or in the event that such direct consent is not possible, then it may be given by the legal guardian of the owner of the Personal Data.
H. Storage of Personal Data (Retention)
Personal Data that has been collected will be stored for the period of time necessary to fulfil the purposes mentioned above. We may store Your Personal Data to provide services that You request, or for other legitimate interests, such as complying with Our legal obligations under laws and regulations and obligations from government authorities, resolving legal issues, and carrying out Our business operational activities. The storage period of Personal Data is based on applicable legal requirements.
However, if there are no relevant laws and regulations, then Your Personal Data will be stored for the necessary time. Furthermore, this Personal Data may be stored by Us in printed or electronic form.
We may store Your data in data centres or archival storage spaces managed by Us or by data storage service providers, for and on behalf of Us. All Our storage locations, systems, and products are equipped with the necessary security controls to ensure the protection of Personal Data.
Retention periods may vary based on the type of information and the legally required retention period, the course of judicial proceedings, needs in business operations, exercise of intellectual property rights, agreements, operational needs, and archiving. In the event that Your Personal Data is deleted from Our system, such data will be deleted or destroyed using appropriate security protocols so that it cannot be reconstructed or read again by parties not authorised to do so.
I. Third-Party Sites and Services
This Privacy Notice does not address, and We are not responsible for, the policies and practices carried out by third parties or other organisations that do not operate for and on behalf of XLSMART, including their policies and practices relating to privacy and security, collection, processing, use, storage, and disclosure of Personal Data. This includes:
1. any third party operating any platform, website, or service linked by XLSMART services. The inclusion of links on XLSMART services does not imply a connection or affiliate relationship between Us and the provider of that platform or service.
2. application developers, application providers, social media platform providers, operating system providers, wireless service providers or telecommunications and network equipment manufacturers.
J. Security
We strive to process your information in a secure environment by preventing unauthorised or unlawful access. We also safeguard Your Personal Data from loss or damage. We have implemented various types of physical, technical, and administrative safeguards to protect Your Personal Data and Our network from unauthorised access. These measures include:
1. Encryption during data transit or at rest.
2. Strict adherence to privacy and security practices.
3. Information Security Management Systems (ISMS) ISO 27001 certification.
4. Regular data audits and reviews to improve Our operational standards.
5. Restricting access to Personal Data only to personnel who have a need to know such data.
6. Destroying/eliminating Your Personal Data information if such information is no longer needed, referring to applicable regulatory provisions.
We require Our suppliers and vendors to implement similar protections when they access or use Personal Data that We share with them. We also continually encourage You and all users of XLSMART services to protect the data, systems, networks, and services they use. Nevertheless, no technology, data transmission or system can be guaranteed 100% secure. Therefore, if you identify any Personal Data breach, please notify Us immediately in the manner set out in the "Contact Us" section below.
K. How XLSMART shares information
We work with Our other partners to provide services as part of fulfilling Our obligations to You, including for verification processes by third parties. We will also provide certain information about Your Personal Data to third parties in the event that:
1. You have agreed to receive product and/or service offerings from them and the third party requires Your information as one of the considerations or requirements in processing applications for the intended products and/or services, including but not limited to purchase transactions, transactions using XLSMART services, and other relevant information.
2. You purchase third-party products or services through your account on the XLSMART platform and/or you conduct transactions/activities/services of XLSMART or other services found on the XLSMART platform through a platform owned by a third party.
When We provide Your Personal Data to Our partners, We implement necessary measures to limit the use of Your Personal Data only for legitimate reasons in accordance with this Privacy Notice, as well as adequate confidentiality and security measures. In addition to these purposes, We also share information with third parties to fulfil Our legal obligations such as when requested by government authorities and to handle legal processes, to protect Your vital interests, to carry out tasks in the public interest when requested by governmental authorities, public services, or the exercise of Our authority based on laws and regulations, as well as to fulfil other legitimate interests by taking into account the purpose, needs, and balance of Our interests and Your rights.
L. Corporate Actions
In the event of corporate actions such as reorganisation, merger, consolidation, sale of company assets, joint venture establishment, transfer of all or part of Our business, assets, or shares (including in connection with bankruptcy) that may have an impact on the processing of Your Personal Data, such as in the case of disclosure or transfer of Personal Data to related parties, the implementation of these activities will be carried out by Us in accordance with applicable laws and regulations, including regarding the delivery of notifications to You.
M. Communication Preferences and Choices
XLSMART always takes necessary and reasonable steps to keep Your Personal Data accurate, complete, and up-to-date. You may choose not to receive promotional emails or other XLSMART communications by contacting us at the contact information details mentioned below. This choice does not apply to receiving product or service communications that are considered part of XLSMART products or services (such as billing information or service expiration), unless You choose to no longer use such products or services.
Additionally, We do not require You to provide Your Personal Data to Us. The decision to provide Personal Data is voluntary. However, if You do not wish to provide the required Personal Data, You may not be able to continue activities or receive benefits for Our services where such Personal Data is required.
N. Cross-Border Transfer of Personal Data
We may transfer Your Personal Data across geographical boundaries to other parties as long as it can be ensured that their Personal Data protection is at the same level as what We do. Transfer of Personal Data is carried out based on Our standard contracts with data protection clauses or data transfer agreements with similar rights and obligations for the party receiving such information to protect the security and confidentiality of Your Personal Data.
XLSMART does not share Your Personal Data, except in some of the following conditions:
1. To Axiata group companies and or Sinarmas group if necessary, and within the limits of applicable legal rules.
2. As required by law or to comply with the law or court/legal proceedings, such as in relation to judicial proceedings, dispute resolution, and/or similar legal processes.
3. With other operators who cooperate with us to carry out call transfers or international roaming.
4. To protect Our rights and protect Your security.
5. With Our business partners in providing XLSMART services, such as field technician providers, contractors who work for and on behalf of Us.
6. With Our business partners in marketing activities for XLSMART products and services, in which case no raw Personal Data is provided, as the information provided is generally combined into aggregate data.
7. With third parties for the purposes of education, research, and development of science.
8. With sister companies, subsidiaries and Our affiliates, such as XLSMART dealers.
In all cases, third parties must agree to strict obligations to maintain the confidentiality of Personal Data and to use it only for the purpose for which the information was obtained.
O. Use Your Rights
We respect Your rights and privacy, and We always take the necessary steps to ensure that Your Personal Data is always accurate and up-to-date. We guarantee You that:
1. You have the right to obtain Information about the clarity of identity, the basis of legal interest, the purpose of requests, and the use of Personal Data, and the accountability of XLSMART.
2. You have the right to complete, update, and/or correct errors and/or inaccuracies of Personal Data about You, including requesting us to delete Your Personal Data (right to be forgotten).
3. You have the right to access and request copies of Your Personal Data, in accordance with Our policy on requesting copies of such Personal Data. Regarding copies of Personal Data, You have the right to obtain them in a format that You can store and transfer for the purposes of Your data portability.
4. While maintaining Our obligations towards customer data storage based on laws and regulations, You have the right to request Us to suspend processing, restrict processing, stop processing, and/or delete Your Personal Data in Our system. Please note that this may make it impossible for Us to continue providing certain services to You.
5. You have the right to object to automated decision-making by Us.
6. You have the right to withdraw Your consent from the processing of Your Personal Data by Us, as long as it is not related to basic telecommunications services.
To exercise your rights, You are required to follow all policies, procedures, and steps that We have established. In the event of a request for service withdrawal by You, it remains subject to our approval to the extent permitted by law.
You can exercise your rights by:
· Visiting the nearest XL Center (for XL, Axis, and Home customers); or
· Visiting the nearest smartfren gallery (for smartfren customers) or
· Through other facilities that will be developed and/or provided by XLSMART in the future.
P. Consequences arising from not providing Your Personal Data
You may use Our products or services and access Our platforms or websites without providing Your Personal Data. However, some activities or services on Our products, services, platforms, or websites require Us to collect certain Personal Data about You. If You cannot provide such Personal Data, then this may:
1. Cause You to be unable to continue with that activity.
2. Cause Us to be unable to respond to Your request.
3. Limit or prevent access to certain features.
4. Cause Us to be unable to provide You with the latest information regarding Our promotions or service/product launches; and
5. Result in You not receiving promotions that We send.
Q. Access or Correction to Customer Information
Requests related to access and/or copies of Personal Data contained with Us will be carried out in accordance with the provisions of applicable laws and regulations and the procedures We apply, including regarding the use of security features such as the form or method of using media for the delivery of such Personal Data.
If You wish to change Your Personal Data, please note that We may still need to retain certain information for recording purposes, and/or to complete any transactions that You initiated before requesting such changes (for example, when You make a purchase or participate in a promotion, You may not be able to change the Personal Data provided until after the completion of that purchase or promotion). Some of your information may also remain in Our system and other records if necessary to comply with applicable law.
R. By providing Your Personal Data to us, You agree that:
1. You have read and understood this Privacy Notice and agree to the use of Your Personal Data as set out in this Privacy Notice.
2. You guarantee that all data/information provided to Us are truly Your property. In the event that You provide Us with Personal Data relating to other individuals (such as Your spouse, family members, friends or other parties), You represent and warrant that You have obtained and received consent from that individual for, and hereby agree on behalf of that individual to use such Personal Data as set out in this Privacy Notice.
3. All Your statements are true and accurate to Your knowledge, and You have not deliberately omitted information related to that which is harmful.
4. The consent You give to Us is done without any coercion from any party.
S. Contact Us
If You have questions about this Notice, You can contact Us through the Data Protection Office team at [email protected] or [email protected] (for XL, Axis, and Home customers) or [email protected] (for smartfren customers).
T. Dispute Resolution
In cases of alleged/violations of your privacy in connection with the processing of Your Personal Data, You may file objections with the relevant regulatory authorities based on the provisions of laws and regulations.
U. Updates to the Privacy Notice
In the event of changes that We consider significant and affect your rights as a data subject, XLSMART will notify You before such changes take effect. In the event of non-significant changes, this Privacy Notice is the most current and will apply in place of previous versions. We strongly recommend that You check this Privacy Notice from time to time to get information about any changes related to the Privacy Notice.
V. Version information
This Privacy Notice was last updated on 16 April 2025.
