Privacy Policy

Pang — Personal Finance for Indonesia (Android, iOS)

Effective date: 15 June 2026
Last updated: 15 June 2026
Operator: PT Joko Pang Brzk ("Pang", "we", "us", "our")
Contact: privacy@pang.app

🇮🇩 Versi Bahasa Indonesia ada di bagian bawah dokumen ini. A short Indonesian summary of this policy is at the bottom of the page.

1. Who we are

Pang is a personal-finance application developed by PT Joko Pang Brzk, a company registered in the Republic of Indonesia. We build Pang to help Indonesians track their money in a way that's calm, private, and respectful of their attention.

This policy explains exactly what data Pang collects, where it goes, who sees it, and what control you have. It applies to the Android and iOS applications named "Pang" published by PT Joko Pang Brzk.

2. The short version

If you read nothing else:

3. What data we collect

3.1 Account data (cloud-synced)

3.2 Financial data (local + optional cloud sync)

3.3 Profile / demographic data (cloud-synced)

3.4 Voice transcription data

3.5 Receipt OCR data

3.6 Mood tags (LOCAL ONLY, never transmitted)

3.7 Device biometric data (LOCAL ONLY)

3.8 Diagnostic data

3.9 Payment data (when applicable)

3.10 Push notification token

3.11 Bank notification auto-detection (planned, not yet active)

Future versions of Pang may include an opt-in feature on Android that reads notifications from a fixed allow-list of Indonesian banking apps to auto-fill transactions. When that feature ships, the notification text will be parsed entirely on-device and never transmitted. As of v1.0 (August 2026 launch), this feature is not active. We'll update this policy and notify you in-app before enabling it.

4. How we use this data

PurposeData used
Show you your transactions, wallets, budgetsSection 3.2 (your data shown back to you)
Sync across your devicesSection 3.1, 3.2, 3.3 — only when signed in
Share with your spouse (Couple mode)Wallets/transactions you've marked shared, only with the partner you invited
Share with family members (Family mode)Same as above, with role-based access (admin, member, viewer)
Auto-categorize transactions from receipts/voiceSections 3.4, 3.5 — processed locally where possible
Suggest spending categories based on your historySection 3.2 — entirely on-device pattern learning
Fix bugs and crashesSection 3.8 — Sentry, PII scrubbed
Process paymentsSection 3.9 — Stripe
Deliver push notificationsSection 3.10 — device token only
Send you transactional emails (e.g., password reset)Section 3.1 — email address

We do not use your data to:

5. Who we share data with (subprocessors)

We use the following third-party services to deliver Pang. Each has its own privacy policy that you can review:

ServiceWhat they processWhere data livesPrivacy policy
SupabaseAccount, financial, profile, sharing dataSingapore / US data centers, encrypted at restlink
AnthropicReceipt photos (only when you scan a receipt)US, in-memory only, not retainedlink
StripePayment processing (paid plans only)US, PCI DSS certifiedlink
SentryAnonymized crash reportsUS / EUlink
Expo Push ServicePush notification token + deliveryUSlink
Google Sign-In (optional)OAuth-only — email, name, profile photoPer Google's policieslink

We do not integrate with any advertising networks, analytics SDKs (other than Sentry for crashes), social media SDKs, or data brokers.

6. How we secure your data

6.1 On your device

6.2 In transit

6.3 On our servers

6.4 Breach notification

If a breach affecting your data occurs, we will notify you within 72 hours of discovery via the email associated with your account, and report to relevant authorities as required by Indonesian law.

7. Your rights

You can exercise these rights at any time directly inside the app or by emailing privacy@pang.app:

RightHow to exercise
Access — see all data we have about youSettings → Profil → Lihat data saya, or email request
Delete — wipe everythingSettings → Hapus Akun (cascades local + server)
Export — get a copy of your dataSettings → Export → CSV
Correct — fix wrong informationEdit directly in app; for read-only fields, email us
Withdraw consentSettings → toggle off the relevant feature OR Android/iOS Settings → app permissions
Object — to specific processingEmail privacy@pang.app describing the concern
Lodge a complaintIndonesia: Kementerian Komunikasi dan Informatika (Kominfo)

Account deletion is irreversible. We may retain certain data for legal obligations (e.g., financial transaction records for 5 years per Indonesian tax law) — these are minimal and never used for any other purpose.

8. Specific feature disclosures

8.1 Beta program data

During the beta period (May 2026 – Aug 2026), participating testers may have their app usage observed more closely for bug discovery. We log:

We do not read your transactions or financial data during beta. Beta data handling reverts to the normal policy at production launch.

8.2 Couple / Family mode

When you invite a partner or family member:

8.3 Easter eggs and small unannounced moments

Pang has a small number of intentionally-undocumented UI moments (approximately 30 across the app) that fire on specific gestures or dates. These are not trackers — they're decorative reactions. They process device sensor data entirely on-device. No data is transmitted.

9. Data retention

Data typeRetention periodWhy
Active account dataWhile account existsProvides the service
After account deletionWiped within 30 daysAllow time for accidental-deletion recovery
Financial records (tax)5 years from transactionIndonesian tax law
Crash reports90 daysBug analysis
Beta program logsUntil beta ends + 30 daysBug analysis during beta
Server backups30 days rollingDisaster recovery
Payment records (Stripe)7 yearsAnti-fraud regulation

10. Children's data

Pang is intended for users aged 17 and over. We do not knowingly collect data from anyone under 17. If you believe we have collected data from a child under 17, please email privacy@pang.app and we will delete it immediately.

11. International data transfers

Because Supabase, Anthropic, Stripe, and Sentry have infrastructure outside of Indonesia, your data may be transferred to and processed in the United States, European Union, or Singapore. We rely on Standard Contractual Clauses (SCCs) and equivalent safeguards to protect your data during transfer.

12. Changes to this policy

We will notify you of material changes to this policy at least 30 days before they take effect via:

13. Contact us

TopicEmail
Privacy questions, data requestsprivacy@pang.app
Security vulnerabilities (responsible disclosure)security@pang.app
General supporthelp@pang.app
Press / partnershipshello@pang.app

Postal address:
PT Joko Pang Brzk
[Registered business address — to be updated when PT formation completes]


🇮🇩 RINGKASAN DALAM BAHASA INDONESIA

Versi ringkas, untuk yang ingin baca cepat. Versi lengkap (bahasa Inggris) ada di atas dan secara hukum mengikat.

Apa itu Pang?

Pang adalah aplikasi catat keuangan yang dibuat oleh PT Joko Pang Brzk.

Data apa yang Pang ambil?

Yang Pang TIDAK lakukan

Keamanan

Hak kamu

Kontak

Pertanyaan privasi: privacy@pang.app
Laporan bug keamanan: security@pang.app
Bantuan umum: help@pang.app

PT Joko Pang Brzk
[Alamat bisnis terdaftar di Indonesia — akan diisi setelah PT terbentuk]