sojutoto Platform Privacy Notice

What data we collect on sojutoto

We collect information in four categories: identity data, account data, transaction data, and device data. Identity data includes your full legal name, date of birth, email address, phone number, postal address, and government-issued identification (KTP, passport). We collect this during registration and verification to confirm who you are and prevent duplicate accounts.

Account data includes your username, password (hashed and salted), security questions, and two-factor authentication preferences. We collect this to secure your sojutoto account and prevent unauthorized access. Transaction data includes all deposits, withdrawals, and wagers—amounts, timestamps, payment methods, and settlement details. We retain this data for 7 years to comply with AML record-keeping requirements.

Device data includes your IP address, browser type, device type, operating system, and browsing behaviour on sojutoto. We collect this to detect fraudulent activity, prevent account takeovers, and understand platform usage patterns. We do not use device data for marketing or behavioural targeting.

How we use your data on sojutoto

We use identity and account data to verify your age and legal capacity, prevent duplicate accounts, and enable deposits and withdrawals. We cross-reference your information against government databases (KTP verification) and known-fraud lists to ensure you are eligible to use sojutoto. We also use your email and phone to send account notifications—login alerts, settlement confirmations, withdrawal status updates.

We use transaction data to settle wagers, process payments, and maintain account balance records. This data is essential to platform operation. We also use transaction data to detect money-laundering patterns and comply with AML regulations. If we detect suspicious activity—rapid sequential large deposits, unusual withdrawal destinations, round-trip betting patterns—we flag your account for review and may request additional verification.

We use device data to detect unauthorized access, prevent account takeover, and identify fraudulent wagers. If your account is accessed from a new IP address or unusual location (e.g., logged in from Jakarta one day, Surabaya the next), we may trigger a security verification before allowing withdrawal.

Third-party processors and data sharing on sojutoto

We share your data with payment processors to enable deposits and withdrawals. When you fund sojutoto via DANA, e-wallet, mobile banking, local payment, online payment, or e-wallet, your payment details are transmitted to the wallet provider. When you use mobile banking, local payment, online payment, or e-wallet virtual accounts, your bank transfer details are shared with the issuing bank and inter-bank clearing network. These processors are bound by their own privacy policies and data protection agreements.

We share data with fraud-prevention services to detect money laundering, identify stolen payment methods, and prevent account takeover. These services use your transaction history and device data to assess risk. We also share data with law-enforcement authorities if legally compelled by court order or regulatory investigation. We do not resist lawful data requests.

We do not share your data with marketing partners, data brokers, or advertisers. We do not sell your email or phone number. We do not permit third parties to contact you on our behalf.

Data security and encryption on sojutoto

We encrypt all data in transit using TLS (Transport Layer Security) 1.2 or higher. When you log into sojutoto, your password is never transmitted in plain text—it is encrypted end-to-end. When you enter payment details, they are encrypted immediately and transmitted only to the payment processor, not stored on our servers.

We encrypt data at rest using AES-256 encryption. Your personal information, transaction history, and account balance are stored encrypted in our databases. We use salted hashing for passwords—even our system administrators cannot see your password in readable form.

We maintain strict access controls. Only authorized personnel can view your data, and only for legitimate business purposes (fraud investigation, account verification, payment dispute resolution). Access is logged and audited. We conduct annual security audits and penetration testing to identify vulnerabilities.

Your rights regarding your data on sojutoto

You have the right to request a copy of all personal data we hold about you. Submit a request via [email protected] with the subject line "Data Access Request". Include your account username and registered email. We will provide a detailed report within 10 business days. The report includes all identity data, transaction history, and device activity associated with your account.

You have the right to request correction of inaccurate data. If we have your address or phone number wrong, contact support with corrected information. We will update our records within 2 business days. You have the right to request deletion of your data, subject to legal retention requirements. We must retain transaction records for 7 years for AML compliance, but we will delete other personal data (profile photos, saved addresses, device history) upon request within 30 days.

You have the right to withdraw consent for non-essential processing. If we use your data for fraud detection beyond what is necessary for platform operation, you may request we limit such use. However, withdrawing consent may restrict your account functionality (e.g., if you object to AML verification, we cannot process withdrawals).

Cookies and tracking on sojutoto

We use cookies to maintain your login session and remember your preferences (language, theme, notification settings). These cookies are essential to platform function. We do not use tracking cookies to monitor your activity across other websites. We do not partner with analytics services that track behaviour beyond sojutoto.

Our cookie policy is simple: essential cookies (login, session) are set automatically; optional cookies (preferences) are set only with your consent via our cookie banner. You can disable cookies in your browser settings, but this will limit sojutoto functionality (you will be logged out frequently). We do not use third-party cookies.

Data retention on sojutoto

We retain identity data (name, email, address) for the duration of your account plus 2 years after account closure (in case of dispute resolution). We retain transaction data (deposits, withdrawals, wagers) for 7 years to comply with AML regulations. We retain device data (IP logs, login history) for 6 months. We delete cookies after 12 months of account inactivity.

If you request account deletion, we delete non-essential data immediately (profile photos, preferences, device history) but retain transaction records per AML requirements. We also retain identity data for 2 years post-deletion to prevent re-registration and fraud.

Contact and data protection on sojutoto

If you have questions about our privacy practices, contact our data protection team: [email protected]. We respond to privacy inquiries within 5 business days. If you have a data breach concern—believe your account has been compromised or your data exposed—contact support immediately via live chat or email [email protected] with the subject "Security Incident".

We will investigate suspected breaches within 24 hours and notify you of findings. If a breach is confirmed, we notify affected users, provide guidance on account recovery, and take steps to prevent recurrence. We do not cover financial losses from account takeover or payment fraud—that responsibility lies with your payment provider (mobile banking, local payment, your bank). However, we work with payment providers to reverse fraudulent transactions where possible.

Our privacy commitment to sojutoto users

We commit to transparency. We publish this privacy notice upfront and update it whenever our practices change. Material changes (new data collectors, new third-party processors, longer retention periods) are announced via email and in-app notification 30 days before taking effect. You do not need to re-accept our privacy notice unless terms materially change.

We commit to security. We invest in encryption, access controls, and regular security audits. We do not store payment card numbers or sensitive authentication data on our servers. We do not use outdated or deprecated encryption standards. We maintain cyber liability insurance to cover potential breach costs.

We commit to minimal data collection. We ask for identity information only to verify eligibility and comply with law. We do not request unnecessary personal details. We do not monetize your data by selling it to third parties. Our revenue comes from platform fees, not data sales.