Privacy Policy for SIMSDIG

Last Updated: March 24, 2026

This Privacy Policy describes how SIMSDIG ("we," "our," or "us") collects, uses, and shares your information when you use our mobile application and web platform (the "Service"). SIMSDIG is a school management platform developed by Akhmad Qasim and team, used by multiple educational institutions across Indonesia. We are committed to protecting your personal data and your privacy in accordance with the following Indonesian regulations:

• Undang-Undang No. 27 Tahun 2022 (Personal Data Protection Law - UU PDP)
• Peraturan Pemerintah No. 71 Tahun 2019 (Government Regulation on Electronic Systems and Transactions)
• Peraturan Menteri Komunikasi dan Informatika No. 20 Tahun 2016 (Ministerial Regulation on Personal Data Protection in Electronic Systems)

By using the Service, you agree to the terms of this Privacy Policy and our Privacy Rights.

Table of Contents

1. Information We Collect
2. How We Use Your Information
3. Data Sharing and Third-Party Services
4. Data Security
5. Cookies and Authentication
6. Data Retention and Deletion
7. Children's Privacy
8. Data Storage Location
9. Data Breach Notification
10. Automated Decision-Making
11. Anonymous and Aggregate Data
12. Complaints and Disputes
13. Contact Information
14. Changes to This Privacy Policy

1. Information We Collect

We collect several types of information to provide educational services, school administration, and a secure user experience.

Important: Most personal data listed below is originally collected offline by the school administration during the formal registration process. The Service serves as a digital interface to view and update this existing data. However, certain data - such as GPS coordinates, attendance photos, and session information - is collected directly by the Service during usage.

A. Data Shared Across All Roles

The following data is collected for all users (students, teachers, and staff):

Important: User accounts are created and managed by the school administration, not by users themselves from within the application. Users do not register or create accounts through the app. Authentication is handled through the school's official web portal, not through an in-app login form.

• Account: Email, secondary email, phone number, profile picture (avatar), and role-based permissions. Accounts are provisioned by school administrators.
• Authentication: Hashed passwords and verification codes. Authentication is handled through the school's secure web-based login flow, external to the mobile application.
• Session Data: IP address, user agent, login history (country, browser type, device model, CPU architecture, OS version), and timestamp.
• Attendance: Check-in/check-out timestamps, attendance status (present, late, permit, sick, absent, business trip), notes, and evidence attachments.
• Location (Attendance): GPS coordinates (latitude/longitude) collected during check-in and check-out when GPS-based attendance is used. An out-of-zone flag indicates if the user is outside the designated area.
• Attendance Photos: Photos captured during face-based attendance as visual proof of presence. These photos are not processed as biometric data - no facial recognition templates, models, or biometric identifiers are generated or stored. Photos are reviewed manually by authorized education staff (tenaga kependidikan) for verification purposes only. Attendance photos are retained for one semester (6 months) as part of the attendance recap, after which they are deleted. The Service supports GPS, QR code, face-based (photo), and manual attendance methods.

B. Student Data (Peserta Didik)

• Identity: NIK, Family Card (KK) number, Birth Certificate number, SKHUN, NISN, and NIPD.
• Demographics: Full name, gender, religion, blood type, place and date of birth, birth order, and nationality.
• Physical Info: Height, weight, head circumference, and special needs (disability conditions).
• Personal Interests: Hobby and aspiration (dream/cita-cita).
• Family: Father, mother, and guardian information (name, NIK, education, occupation, income, contact).
• Social Assistance: KPS/PKH, KIP, and PIP eligibility status including reasons for approval or rejection.
• Household: Home address (RT/RW, sub-district, city, postal code), residence type, number of siblings, landline number.
• Travel: Distance to school, travel time, and mode of transportation.
• Academic: Class, grade level, academic year, enrollment type (new student, transfer, promoted), enrollment status, and homeroom teacher.

C. Teacher & Staff Data (GTK)

• Identity: NIK, NIP (Employee ID), NPWP (Tax ID), tax name, and Family Card (KK) number.
• Demographics: Full name, gender, religion, place and date of birth, nationality, and special needs.
• Employment: Employment status and role within the school.
• Family: Father and mother information, marital status, spouse name/NIP/occupation.
• Contact: Phone number and home address.
• Teaching (Teachers only): Subject assignments, class schedules, time slots, homeroom class, and attendance session management.

D. Letters & Documents

• Letters: Subject, type of letter (dispensation, recommendation, duty assignment, exit permit, active student, custom), status, attachments, recipients, and processing history.

E. Regional Identifiers

• Country/Region: Country codes and regional identifiers used for administrative classification (e.g., province, city, district).

F. Device Permissions

The Service requests the following device permissions. Each permission is optional and can be revoked at any time through your device's system settings.

• Camera: Used to capture attendance photos as visual proof of presence during face-based attendance check-in, and to take a new profile photo. The camera is not used for facial recognition processing, advertising, or any purpose other than attendance verification and profile photo capture.
• Location (GPS): Used to record your coordinates (latitude/longitude) during GPS-based attendance check-in and check-out. This is used to verify that you are within the designated school attendance zone. Location data is not tracked continuously - it is only collected at the moment of check-in or check-out.
• Photo Library: Used to select an existing photo from your device's gallery when updating your profile picture. The Service does not access or read any other photos in your library.

2. How We Use Your Information

We use the collected data for the following purposes:

• Educational Administration: Managing student, teacher, and staff records across multiple schools.
• Attendance Management: Recording and verifying attendance through GPS, QR code, face-based photo, or manual entry to reduce fraud in presence tracking.
• Service Delivery: Processing official school letters, documents, academic tracking, and class scheduling.
• Security & Authentication: Protecting your account from unauthorized access through login history monitoring and secure sessions.
• School Logistics: Administrative classification for school zoning, transportation planning, and geofencing for attendance zones.
• Communications: Sending important notifications regarding school activities or administrative status.

3. Data Sharing and Third-Party Services

We do not sell your personal data to third parties. Data is shared only under the following conditions:

• School Authorities: Authorized teachers and administrators have access to relevant data for educational purposes.
• Infrastructure Provider: The Service uses Cloudflare for security, performance, and content delivery. Cloudflare may process limited technical data (such as IP addresses and request headers) as part of its network and security services. As a global network provider, Cloudflare may route and process this technical data through servers located outside of Indonesia. Student records, academic records, attendance records, and other educational content stored by the school are not shared with Cloudflare for its own independent use.
• No Analytics or Advertising: The Service does not integrate any third-party analytics, advertising, or tracking SDKs.
• Legal Compliance: When required by law, government regulations, or legal processes.

4. Data Security

Given the highly sensitive nature of the data (such as NIK and Family Card numbers), we implement rigorous security measures using industry-standard, high-security algorithms:

• Encryption at Rest: Sensitive identifiers and personal data are encrypted using industry-standard encryption algorithms.
• Password Hashing: Passwords are hashed using a cryptographically secure, one-way hashing algorithm resistant to brute-force and rainbow table attacks.
• Encryption in Transit: All data transmitted between the client and server is protected using HTTPS with modern TLS protocols.
• Access Control: Data access is strictly restricted based on user roles and permissions. Each role has granular access to only the data necessary for their function.
• Monitoring: Every login attempt is recorded to detect and prevent suspicious activities.

Data Controller and Liability

The school is the data controller and is solely responsible for the storage, management, and security of all personal and educational data on its own server infrastructure. The Service developer provides the software platform but does not host, store, or have direct access to the school's data.

The Service developer shall not be held liable for any data breach, unauthorized access, or data loss caused by the school's negligence, misconfiguration, or failure to maintain adequate security measures on its server infrastructure. In the event of a security incident, an independent audit may be conducted to determine the cause and responsible party.

5. Cookies and Authentication

The Service uses a limited set of cookies for authentication and user preferences. These cookies:

• Are not used for advertising, tracking, or analytics.
• Are stored locally on your device.
• Do not collect or transmit data to third parties.

The following cookies are used:

• __Secure-core.session_token - Stores your authenticated session token. Expires when you sign out.
• __Secure-core.session_data - Stores session-related metadata. Expires when you sign out.
• __Secure-core.dont_remember - Controls whether the session persists after closing the browser.
• colorPref - Stores your preferred color theme (light/dark mode). Persists across sessions.

6. Data Retention and Deletion

Retention Period

Your personal data is stored on the school's own server located in Indonesia and is retained for the duration of your enrollment at the school. The Service developer does not independently store or control this data - the school is the data controller.

Attendance photos are retained for one semester (6 months) for attendance recap purposes, after which they are automatically deleted from the server.

Account Deactivation

Account deactivation is managed by the school administration based on the student's academic status. Accounts are deactivated under the following circumstances:

• Graduation: Upon graduation, the account role is changed to alumni. Alumni accounts have limited access to the Service, restricted to the tracer study program (program Kemendikti).
• Transfer: If a student transfers to another school, their account is deactivated.
• Dismissal: If a student is dismissed from the school, their account is deactivated.
• Voluntary request: A student may request account deactivation through the school's administrative office (Tata Usaha). This will be treated as withdrawal from the school.

Upon deactivation:

• Your login credentials are disabled and you can no longer access the Service.
• Your profile is no longer visible to other users within the Service.

Limitations on Data Deletion

Student, teacher, and staff records are part of the national education data system (Dapodik) maintained by the Indonesian Ministry of Education. Due to regulatory requirements, certain data (such as NISN, NIP, and enrollment records) cannot be permanently deleted from the school's system, as doing so would affect the integrity of national education records.

What You Can Do

• Update your data: Correct or modify personal information through the Service or by contacting your school administration.
• Request deactivation: Submit an explicit request to the school's administrative office (Tata Usaha).
• Revoke optional permissions: Disable device-level permissions (such as camera for profile photo) at any time through your device's system settings.

Response Timeline

When you submit a request to update, correct, or deactivate your data, the school administration will process your request within 5 business days from the date the request is received. You will be notified once the action has been completed.

7. Children's Privacy

The Service is designed for students (typically aged 12 and above). We collect sensitive data of minors strictly for official school administration, in compliance with UU No. 35 Tahun 2014 (Child Protection Law). By using the Service, parents or guardians are acknowledged to have provided consent through the school's formal registration process.

Data of minors is managed by the school in compliance with Indonesian education regulations. The Service developer does not independently collect or process children's data beyond what the school provides. Schools are responsible for obtaining parental or guardian consent during the student registration process.

8. Data Storage Location

All personal and educational records are primarily stored on servers located in Indonesia, typically hosted on-premise at each respective school. The school's core educational records - including student data, academic records, and attendance records - are not intentionally hosted outside of Indonesia. However, limited technical data (such as IP addresses and request headers) may be processed internationally by Cloudflare as part of its security and content delivery services (see Section 3).

9. Data Breach Notification

In the event of a data breach that may compromise your personal data, we will notify affected users via email within 72 hours of becoming aware of the breach, in accordance with UU PDP No. 27/2022 (Personal Data Protection Law). The notification will include the nature of the breach, the data affected, and the steps we are taking to mitigate the impact.

10. Automated Decision-Making

The Service does not use automated decision-making, artificial intelligence (AI), or profiling algorithms that produce legal effects or significantly affect users. All decisions regarding academic records, attendance verification, and account management are made by authorized school personnel.

If this changes in the future, we will update this Privacy Policy and notify affected users accordingly.

11. Anonymous and Aggregate Data

We may create and use anonymized or aggregate data derived from personal data, where all identifying information has been removed so that the data cannot be linked to any individual. Examples include:

• Total number of students enrolled (displayed on the school's public website)
• Aggregate attendance statistics
• General usage metrics for Service improvement

Anonymized data is not considered personal data under UU PDP No. 27/2022 (Personal Data Protection Law) and may be used without restriction for statistical, analytical, or reporting purposes.

12. Complaints and Disputes

If you believe your personal data has been misused, processed without proper authorization, or handled in violation of this Privacy Policy, you have the right to file a complaint.

How to File a Complaint

• To the school: Contact the school's administrative office (Tata Usaha) directly. The school is the data controller and is responsible for handling complaints and requests related to personal data processed within the Service.
• To the developer: You may also contact the developer for technical issues related to the Service or if you need help identifying the appropriate school contact. If a privacy-related complaint is sent to the developer, the developer may acknowledge receipt and forward the complaint to the relevant school, but the school remains responsible for reviewing and resolving the matter.

Response Timeline

The school will review and respond to privacy-related complaints and requests within a reasonable timeframe in accordance with applicable laws and internal school procedures. If a complaint is first submitted to the developer, the developer may acknowledge receipt and forward it to the relevant school, but this does not transfer responsibility for handling the complaint from the school to the developer.

13. Contact Information

If you have any questions or concerns regarding this Privacy Policy, please contact us:

For Google Play Developers:

• Contact: Muhammad Fauzan Gifari Dzul Fahmi
• Email: fauzan.gifari30@gmail.com

For Apple App Store Developers:

• Contact: Akhmad Qasim
• Email: hi@akhmadqasim.com

For data-related requests (updates, corrections, deactivation, or portability):

Please contact your school's administrative office (Tata Usaha) directly. For a list of schools currently using SIMSDIG and their contact information, see the Privacy Rights page.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make changes:

• The "Last Updated" date at the top of this page will be revised.
• For material changes that affect how your personal data is collected, used, or shared, we will notify affected users via email.

We encourage you to review this page periodically to stay informed about how we protect your data.

Revision History

• March 24, 2026 - Initial version published.