Privacy Policy — Yourever

1. Introduction

Yourever ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, disclose, and safeguard your information when you use our platform, website, and services (collectively, the "Platform").

By accessing or using the Platform, you agree to the practices described in this Privacy Policy. If you do not agree with this policy, please do not use the Platform.

This policy applies to all users of the Platform, including rental business owners ("Tenants"), their staff members, and end-customers who interact with rental storefronts powered by Yourever.

2. Information We Collect

2.1 Account Information

When you register for an Account, we collect: your full name, email address, phone number, business name, business address, and payment information. This information is necessary to create your Account, process payments, and communicate with you regarding your use of the Platform.

2.2 Business Data (Tenant Content)

In running your rental business through the Platform, you will input various business data, including but not limited to: inventory lists, rental pricing, booking schedules, customer information (name, phone number, email address), transaction records, uploaded images, and business documents.

We do not sell, rent, or use your business data for any commercial purposes beyond the provision of the Service. Your data is yours.

2.3 Customer Data

When your customers place orders or inquiries through storefronts powered by Yourever, we collect and process their information on your behalf. This may include customer names, contact details, booking preferences, and payment information. You are the data controller for your customer data, and Yourever acts as your data processor.

2.4 Technical Information

We automatically collect certain technical information when you access the Platform, including: IP address, device type, operating system, browser type, access times, pages viewed, features used, and cookie data. This information helps us improve the Platform, ensure security, and diagnose technical issues.

2.5 Communication Data

When you contact our support team, subscribe to newsletters, or participate in surveys, we collect the information you provide, including the content of your communication and any attachments.

2.6 Inner Circle Transaction Data

If you participate in the Inner Circle program, we additionally collect limited transaction data necessary to operate the shared blacklist: names and WhatsApp numbers of involved parties, item descriptions, and a chronological summary of the disputed transaction. We do not collect government-issued ID numbers (KTP), residential addresses, or subjective evaluations; only objective, factual information required for the blacklisting function.

3. How We Use Your Information

We use the information we collect for the following purposes:

To provide, maintain, and improve the Platform and Service;
To process transactions and send related information, including confirmations and invoices;
To authenticate users and maintain Account security;
To send administrative notifications, such as security alerts and Account-related communications;
To respond to inquiries and provide customer support;
To monitor and analyze trends, usage, and activities relating to the Platform (in aggregate and anonymous form);
To detect, investigate, and prevent fraudulent transactions, security breaches, and other prohibited or illegal activities;
To comply with applicable legal obligations and enforce our Terms of Service.

We do not use your personal information or business data to display third-party advertisements, and we do not sell your personal data to data brokers or advertisers.

4. Legal Basis for Processing

We process your personal information based on the following legal grounds:

Contractual Necessity — Processing necessary to perform our contract with you (providing the Platform);
Legitimate Interests — Processing for our legitimate business interests, such as improving services and ensuring security, provided these interests are not overridden by your rights;
Legal Obligation — Processing necessary to comply with applicable laws and regulations;
Consent — Processing based on your explicit consent, which you may withdraw at any time.

We do not sell your data. We share information only in the limited circumstances described below:

5.1 Service Providers

We engage trusted third-party companies to perform functions and provide services on our behalf. These providers have access to your information only to the extent necessary to perform their functions and are contractually obligated to protect your data.

Provider	Service	Stored Data
Supabase	Cloud database, authentication, real-time sync	Tenant Data, user credentials
Vercel	Web application hosting, CDN	Application code, static assets
Midtrans / Xendit / Stripe	Payment processing	Transaction data (we do not store full card numbers)
WhatsApp Business API / Twilio	Automated notifications	Customer phone numbers, message content

5.2 Legal Requirements

We may disclose your information if required by law or in response to a valid request by public authorities (e.g., a court order, government agency). We will notify you of such disclosure if legally permitted.

5.3 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of the transaction. We will notify you of any change in ownership or control of your personal information.

We may share your information with third parties if you have given us explicit consent to do so, such as when connecting third-party integrations to your Account.

The Inner Circle shared blacklist enables participating tenants to share limited blacklisting data among themselves. Each tenant that joins Inner Circle acts as an independent data controller for the data they submit to and query from the shared blacklist. The legal basis for this processing is your explicit consent, which you grant when enrolling in Inner Circle and which you may withdraw at any time by contacting us. Data subjects whose information appears in the blacklist retain all rights under this policy, including the right to access, correction, and erasure of their data from the shared system.

5.6 Non-Custodial Characterization

Yourever is a non-custodial platform. We never hold, receive, or process rental funds on behalf of Tenants or their customers. All rental payments are processed directly by third-party payment processors (Midtrans, Xendit, or Stripe) and settled directly to the Tenant's designated bank account. Yourever does not at any point take constructive possession, control, or ownership of rental proceeds.

Invoice Credits represent a prepaid license to use specific system features within the Platform. They are not deposits, escrow funds, stored value, electronic money, or any other form of financial instrument. Invoice Credits are non-refundable, non-transferable, and have no cash value. They may only be used to access the corresponding Platform features and expire according to the terms of your subscription plan.

6. Data Security

We implement industry-standard technical and organizational measures to protect your information:

Encryption: All data in transit is protected using TLS 1.3 encryption. Stored sensitive data is encrypted using AES-256.
Authentication: Multi-factor authentication (MFA) is available and may be required for administrative accounts. Passwords are hashed using bcrypt with a unique salt.
Access Control: Role-based access control (RBAC) limits internal access to your data only to authorized personnel.
Monitoring: We maintain audit logs to track access to sensitive data and detect anomalous activity.
Backups: Automatic daily backups with 30-day retention to protect against data loss.
Infrastructure: Our infrastructure providers maintain SOC 2 and ISO 27001 certifications.

Despite these measures, no system is completely secure. In the unfortunate event of a data breach affecting your information, we will notify you within 72 hours in accordance with applicable data protection regulations.

7. Data Retention

We retain your information for as long as your Account is active or as needed to provide the Service to you. After Account termination, we will retain your data for ninety (90) days to allow for recovery if you reactivate, after which it will be permanently deleted from our active systems. Backup copies may persist for an additional thirty (30) days in our disaster recovery systems.

We may retain certain information as required by law, for legitimate business purposes, or to resolve disputes, even after Account closure.

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

Right to Access — Request a copy of the personal information we hold about you.
Right to Rectification — Request correction of inaccurate or incomplete information.
Right to Erasure — Request the deletion of your personal information, subject to legal retention requirements.
Right to Data Portability — Request an export of your data in a structured, machine-readable format (CSV, Excel, JSON).
Right to Restrict Processing — Request limitations on how we use your information.
Right to Object — Object to processing based on legitimate interests or for direct marketing purposes.
Right to Withdraw Consent — Withdraw previously granted consent at any time.

To exercise any of these rights, please contact us at privacy@yourever.dev. We will respond to your request within thirty (30) calendar days.

9. Cookies & Tracking Technologies

We use cookies and similar tracking technologies to:

Maintain your session and keep you logged in;
Remember your preferences (language, display settings);
Analyze Platform usage and improve functionality;
Secure the Platform against unauthorized access.

You can control cookies through your browser settings. Disabling cookies may affect the functionality of certain features.

10. Children's Privacy

The Platform is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a minor, please contact us immediately and we will take steps to delete that information.

11. International Data Transfers

Your information is primarily stored and processed in Indonesia. However, some of our service providers may process data in other jurisdictions. By using the Platform, you consent to the transfer of your information to countries outside of your jurisdiction, which may have different data protection laws. We ensure that such transfers are subject to appropriate safeguards.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, features, or legal requirements. Material changes will be notified via email and through the Platform dashboard at least thirty (30) days before they take effect. Your continued use of the Platform after the effective date of any changes constitutes your acceptance of the revised policy.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact our Data Protection Officer:

Email: privacy@yourever.dev
Business Address: Yourever - Jakarta, Indonesia. A remote-first team based in Jakarta.
Response Time: Within 30 calendar days

We are committed to addressing your concerns transparently and promptly.