PRIVACY
Privacy policy
Last updated: May 2026 (DRAFT-v2)
Draft — pending counsel review
This text is preliminary boilerplate and has not yet been reviewed by qualified legal counsel. It is provided for transparency only and is not legally binding. The final version will be published before launch.
Data controller
Joint controllers within the meaning of Art. 26 GDPR are PT LOMBOK INVEST CAPITAL (Indonesia) as the issuer, and Benito Flizikowski (Seefeldstrasse 17, 6006 Luzern, Schweiz) as the European point of contact. The Swiss point of contact handles data-protection inquiries on behalf of the issuer. For all data-protection matters please write to info@lombokinvest-capital.com with the subject "Data protection" or use the contact form at /contact. We have not appointed a statutory Data Protection Officer; threshold criteria under Art. 37 GDPR are not met at the current platform size [to be reviewed if user numbers grow significantly — TBD].
What data we collect
Account data (email, full name, postal address — collected for invoicing and AML record-keeping); payment data (IBAN of the originating bank account, transaction amounts and references; processed via Wise Payments Ltd); blockchain data (the address of your custodial Polygon wallet and the public history of mints, transfers, buybacks and swaps); transactional records linking your account to your token holdings, invoices and proof-of-ownership PDFs; and technical data (IP address — used only for rate-limiting, abuse prevention and Sentry error attribution — and a single first-party session cookie). We do not knowingly collect special categories of personal data under Art. 9 GDPR. Identity-verification (KYC) documents are not collected during the closed beta and will only be requested once payout thresholds require it; the legal basis at that point will be Art. 6(1)(c) GDPR.
Legal basis
Art. 6(1)(b) GDPR — performance of the investor contract (account creation, token purchase, buyback, swap, payout). Art. 6(1)(c) GDPR — legal obligations including Indonesian and (where applicable) German commercial- and tax-law record-keeping and anti-money-laundering rules. Art. 6(1)(f) GDPR — legitimate interest in platform security, fraud prevention and product analytics, balanced against your rights and freedoms.
Processors and recipients
We share the minimum data necessary with the following sub-processors: • Wise Payments Ltd (United Kingdom) — EUR payments and SEPA settlement. • Privy.io / Privy, Inc. (United States) — custodial wallet provisioning and server-side transaction signing. • Vercel Inc. (United States) — web hosting and edge delivery for the platform front-end. • Fly.io / Hashicorp-hosted regions — hosting of the platform worker that orchestrates Wise reconciliation and blockchain minting. • Neon, Inc. (United States / EU region) — managed Postgres database. • Resend, Inc. (United States) — transactional email delivery (sign-up, verification, invoice notifications). • Sentry (Functional Software, Inc., United States) — error and performance monitoring. • A third-party Swiss IT service provider — platform development and maintenance, with access strictly limited to operational debugging. For transfers outside the EEA we rely on EU Standard Contractual Clauses (Art. 46 GDPR). Blockchain data published to Polygon is by design public, world-readable and irreversible; this includes your wallet address and every transaction it signs.
Retention
Account and contract data is retained for the duration of the investor relationship and thereafter for the longer of Indonesian commercial- and tax-law retention periods and the corresponding German periods (we currently apply a 10-year retention as a conservative reference; the binding figure will follow legal review — [TBD]). Sentry error events and Vercel/Fly access logs are retained for up to 30 days. Wise transaction records are subject to Wise's own retention policy. Blockchain data on Polygon cannot be deleted from the public ledger.
Your rights
You have the right of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20) and objection (Art. 21 GDPR). To exercise these rights please contact us via /contact or info@lombokinvest-capital.com. You may also lodge a complaint with the supervisory authority responsible for your place of residence; for German residents this is the competent Landesbeauftragte für den Datenschutz or the BfDI. Please note that blockchain data cannot be erased on request — the right to erasure under Art. 17 is necessarily limited for blockchain-published transactions and is in those cases substituted by the disassociation of the wallet from your account.
Cookies
We use a single first-party session cookie set by NextAuth to keep you signed in, plus a CSRF-protection cookie required for form submissions. We do not use third-party advertising, profiling or cross-site tracking cookies and we do not embed third-party analytics that set cookies (Sentry runs server-side; performance traces use no cookies).