Privacy Policy

[LEGAL ENTITY — e.g. PT Kelola Gelar Kreatif] (“Gelar”, “we”, “us”) is the data controller for personal data processed through gelar.co and app.gelar.co. Registered address: [REGISTERED ADDRESS, Jakarta, Indonesia]. For any privacy matter, contact privacy@gelar.co.

We process the following categories of personal data:

• Account data — your email address and display name, used for magic-link sign-in.
• Tenant / lead data — names, phone numbers, and email addresses of the brand contacts (PIC) that event organizers add to manage their booths.
• Payment proof (bukti) — images or PDFs of transfer receipts uploaded to record payments. These may contain bank details visible in the receipt.
• Usage data — aggregate, cookieless analytics (page views, referrers) via Plausible. We do not build advertising profiles.
• Diagnostics — error reports (via Sentry) which may include the URL and a technical stack trace when something breaks.

• To provide the service — running events, plotting booths, managing leads, recording payments. Basis: performance of a contract.
• To authenticate you — sending magic-link sign-in emails. Basis: contract + your consent.
• To keep the service secure and working — error tracking, abuse prevention. Basis: legitimate interest.
• To understand aggregate usage — cookieless analytics. Basis: legitimate interest; no personal profiling.

Event organizers using Gelar to process their tenants' data are themselves controllers of that data; Gelar acts as their processor for tenant/lead records they enter.

We use the following sub-processors. Each is bound by data-processing terms:

We do not sell personal data, and we do not share it with advertisers.

Application data — database, authentication, and uploaded files — is stored in Singapore (ap-southeast-1). Some sub-processors (email, error tracking) operate in the United States or European Union, so limited data crosses borders for those specific functions. Where UU PDP requires it, transfers rely on adequacy or contractual safeguards with each processor.

We keep personal data for as long as your account is active and as needed to run your events, then for a limited period afterward to meet legal, accounting, and dispute-resolution obligations. Payment-proof images are retained as financial records. You can request deletion of data we control at any time (subject to records we must keep by law).

As a data subject, you have the right to:

• access the personal data we hold about you;
• correct inaccurate or incomplete data;
• request erasure / withdraw consent;
• object to or restrict certain processing;
• obtain a portable copy of data you provided;
• lodge a complaint with the relevant supervisory authority.

To exercise any of these, email privacy@gelar.co. We respond within the timeframe required by law.

We use Postgres Row-Level Security for tenant isolation, encrypted transport (HTTPS/HSTS), magic-link authentication (no passwords to leak), and a restricted set of sub-processors. Details are on our Trust page. To report a vulnerability, email security@gelar.co.

Gelar is a tool for businesses and event organizers. It is not directed at children and we do not knowingly collect data from anyone under 18.

We may update this policy. Material changes will be announced on this page with a revised effective date. Continued use after a change means you accept the updated policy.

Questions or requests: privacy@gelar.co — [LEGAL ENTITY — e.g. PT Kelola Gelar Kreatif], [REGISTERED ADDRESS, Jakarta, Indonesia].