Privacy Policy

Last updated: June 13, 2026

1. Introduction

This Privacy Policy describes how Warung Rantau (“we”, “us”, “our”) collects, uses, and protects information about you when you use our cross-border e-commerce platform connecting Indonesian products with customers in Japan. It does not apply to third-party websites or services we link to.

2. Data We Collect

Account information. When you create an account, we collect your email address and a password (stored as a hash). If you sign in with Google, we receive your email address, name, and profile picture from Google. Account data is stored in our authentication and database provider, Supabase.

Contact information. During checkout, you may optionally provide a phone number so we can send order updates by WhatsApp. We only store your phone number if you explicitly opt in.

Shipping address. Addresses you save for delivery, including recipient name, full address, and any consignee details required for international shipping.

Order history. Items you have purchased, totals in both JPY and IDR, and order status.

Behavioural data. When telemetry is enabled, we record page views, clicks, search queries, and similar usage events. This data is collected by PostHog and used in aggregate to improve the site.

Advertising and measurement data. We use Meta Platforms (Facebook) tools — the Meta Pixel and Conversions API — to measure and improve our advertising. For all visitors, we share certain activity with Meta — for example viewing a product, adding to cart, starting checkout, and completing a purchase — together with Meta’s own advertising cookies (_fbc/_fbp) and your device’s IP address and browser type. This activity is not linked to your name or contact details unless you opt in. Only if you give marketing consent, we additionally send hashed identifiers to help Meta match these events to you — your email address and phone number (irreversibly hashed with SHA-256 before they leave our systems) and an internal account identifier. We never share these contact identifiers before you consent.

3. How We Use Your Data

We use the information described above to:

  • Fulfill and ship your orders.
  • Send you transactional emails (account verification, order updates) via Brevo.
  • Send order updates by WhatsApp, if you opted in to providing a phone number.
  • Understand how the site is used and improve it.

What we do not do: we do not sell your personal data, and we do not use your personal data to train AI models. Advertising: we use Meta (Facebook) tools to measure our advertising and to reach audiences similar to our customers; with your consent we additionally share hashed contact identifiers to help match these events to you. You can decline the sharing of your contact identifiers, or withdraw it later, at any time (see Section 5).

4. Third-Party Services

We rely on the following third-party providers to operate the service. Each link goes to the provider’s own privacy policy.

  • Supabase — authentication, database, and file storage. Privacy policy.
  • Google — Sign-in OAuth. We receive your email address, name, and profile picture only. Privacy policy.
  • PostHog (EU Cloud, Frankfurt) — product analytics. Privacy policy.
  • Brevo — transactional email delivery. Privacy policy.
  • Meta Platforms (Facebook) — advertising and conversion measurement (Meta Pixel and Conversions API). Used for all visitors to measure advertising; your hashed contact identifiers are shared only with your consent. We and Meta act as joint controllers for the personal data collected through these tools. Privacy policy.

5. Cookies, Local Storage & Consent

We use a small number of cookies and local-storage entries:

  • Supabase authentication session cookies — essential, required for you to stay signed in.
  • Cart state in your browser’s local storage — essential, required for shopping.
  • PostHog analytics cookies — non-essential. You can opt out by emailing contact@warungrantau.com (we do not currently offer an in-product toggle).
  • Meta advertising cookies (_fbc, _fbp) — non-essential. Used to measure the effectiveness of our advertising. If you opt in to marketing, we additionally share hashed contact identifiers with Meta to improve event matching. You can decline that contact-sharing, or withdraw your consent later, using the cookie banner or the cookie-settings link in the site footer.

Meta advertising cookies and event measurement are used to evaluate our advertising. Sharing your hashed contact identifiers with Meta (to improve how events are matched to you) is optional and used only if you opt in; you can withdraw that consent at any time.

6. Data Retention & Deletion

Account data is retained while your account is active. If you request deletion, we remove your account data within a reasonable period; some records may be retained briefly to allow account recovery.

Order records are retained for as long as required by Indonesian and Japanese tax and legal obligations — typically up to 7 years — even after an account is deleted.

Behavioural data is retained for the default period set by PostHog.

To request deletion of your data, email contact@warungrantau.com.

7. Your Rights

You can:

  • Request a copy of the personal data we hold about you (email contact@warungrantau.com).
  • Correct your personal data through the profile page in the app, or by email.
  • Request deletion of your account and data by email (we do not currently offer an in-product self-serve flow).
  • Opt out of analytics by emailing contact@warungrantau.com (we do not currently offer an in-product toggle).
  • Withdraw your consent to sharing your contact identifiers for advertising matching at any time, using the cookie banner or the cookie-settings link in the site footer.

We will respond to verified requests within a reasonable time.

8. Security & Data Transfers

Your data is hosted by Supabase in the Southeast Asia (Singapore) region. Because we ship from Indonesia to Japan, data necessarily flows between Indonesia, Japan, and our hosting provider’s region for order fulfillment.

Data is encrypted in transit (HTTPS) and at rest (Supabase default). If we become aware of a data breach that affects you, we will notify you by email within a reasonable time.

Advertising and measurement data is transferred to Meta Platforms, Inc. in the United States. Where you consent, this additionally includes your hashed contact identifiers. Meta self-certifies under the EU-U.S. Data Privacy Framework, which provides a recognised basis for international transfers of this data.

9. Children’s Privacy

Warung Rantau is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you believe we have, please contact us so we can remove it.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be reflected in the “Last updated” date at the top of this page; where we hold your email address, we will also notify you by email. Minor or clarifying changes update the date only.

11. Contact

If you have questions about this Privacy Policy or want to exercise any of your rights, contact us at contact@warungrantau.com. Warung Rantau is operated under PT. Mitra Amanah Internasional.