Privacy Notice

This Privacy Notice (the "Notice") describes how the Organizer of APMF 2026 (the "Event") collects, uses, shares, transfers, retains, and protects the personal data of Buyers, Delegates, speakers, partners, sponsors, and visitors in connection with registration for, participation in, and follow-up to the Event. This Notice should be read together with the Event Terms and Conditions; capitalised expressions not defined here have the meaning given in the Terms.

By submitting personal data through any Event-related interface, including the registration form, payment screens, Delegate completion links, the buyer dashboard, the companion mobile application, onsite check-in, or any survey or follow-up communication, each individual is deemed to have read and understood this Notice.

1. Who We Are

APMF 2026 is organized by [Organizer — to be confirmed] (the "Organizer"), acting as the data controller in respect of personal data processed for the Event. The Organizer may engage staff, contractors, partners, agents, and technology providers as authorised processors (collectively, the "Authorised Parties") to handle personal data on its behalf under contractual obligations reasonably calibrated to the sensitivity of the data.

For questions about this Notice or to exercise any data subject right described in Section 9, please contact the Organizer at [[email protected]].

2. Personal Data We Collect

The Organizer collects the following categories of personal data, depending on the role each individual plays in the Event:

• Identity and contact data: full name, email address, phone number, country, job title, company or organisation, and any company category or industry classification you select.
• Order and payment data: order identifier, pass tier, quantity, promotional or voucher application, billing details, payment method, payment status, and tax-related identifiers required for invoice issuance. Payment card or banking details are handled directly by our payment processor and are not stored by the Organizer.
• Delegate assignment data: details of the Delegate assigned to each Seat, including name, email, phone, company, role, and any dietary or accessibility declarations voluntarily provided.
• Access and onsite data: QR pass identifier, badge data, check-in timestamps, session attendance, room or zone access, and any incident reports relating to safety or conduct.
• Communications data: records of email, SMS, in-app, or push notifications sent to you, message status (delivered, opened, clicked, bounced), and any reply or support ticket created in connection with the Event.
• Technical and device data: IP address, device type, browser, operating system, language, referral source, UTM parameters, and analytics events generated when you use the Event website, dashboard, or mobile application.
• Image, audio, and video data: photographs, video, livestream segments, audio recordings, and transcripts captured at the Event in accordance with Section 8 of the Terms.

The Organizer does not knowingly collect special categories of personal data (such as health, religion, or political views) except where you voluntarily disclose such information for a specific purpose, for example a dietary or accessibility request.

3. Purposes of Processing

The Organizer processes personal data only for purposes that are reasonably necessary in connection with the Event, including:

• registration intake, Order administration, deduplication, and reconciliation;
• payment processing, refund handling, invoice and tax document issuance;
• identity verification, anti-fraud, anti-abuse, and lawful interest checks;
• Delegate assignment, badge production, QR pass issuance, and onsite access control;
• session attendance, capacity management, and operational reporting;
• health and safety procedures, incident response, and venue compliance;
• operational, transactional, and safety-critical communications relating to the Event;
• reasonably targeted promotional communications about APMF and future editions, where you have not opted out;
• analytics, performance monitoring, and improvement of Event services;
• archival of Event Materials and post-Event reporting to sponsors and partners on an aggregated or pseudonymised basis where reasonably possible;
• compliance with applicable law, statutory reporting, and lawful requests from authorities.

4. Lawful Basis

The Organizer processes personal data on one or more of the following lawful bases recognised under the Indonesian Personal Data Protection Law (UU No. 27 Tahun 2022) and, where applicable, other regulations binding on a specific data subject:

• Performance of a contract: where processing is necessary to fulfil the registration agreement, deliver Access Credentials, and provide Event services.
• Consent: where you have given explicit consent, for example by accepting this Notice, opting in to specific communications, or providing voluntary disclosures.
• Legitimate interest: where processing is necessary for the Organizer's legitimate operational, security, anti-fraud, or commercial interests, balanced against your rights and reasonable expectations.
• Legal obligation: where processing is required to comply with applicable law, tax, or regulatory requirements.
• Vital interest: where processing is necessary to protect the safety of any person at the Event.

5. Sharing With Authorised Parties and Third Parties

The Organizer may share personal data with the following categories of Authorised Parties strictly for the purposes set out in this Notice and under contractual obligations reasonably calibrated to the sensitivity of the data:

• Payment processors, including MCPayment, for payment authorisation, settlement, refund, and dispute handling.
• Email and messaging providers, including Mailtarget and equivalent transactional senders, for delivery of registration, Delegate, payment, and operational communications.
• Cloud infrastructure and platform providers, including Cloudflare and equivalent hosting, content delivery, and edge providers, for serving Event websites and APIs.
• Badge production and onsite check-in vendors, for generation of physical badges, QR scanning, and access control hardware.
• Venue operators, including Bali Nusa Dua Convention Center, where personal data is necessary for venue access, security, or health and safety.
• Analytics and product telemetry providers, where processing is configured to use aggregated or pseudonymised data wherever reasonably practicable.
• Sponsors and partners, only where you have explicitly consented (for example by opting in at a sponsor booth or scanning a sponsor QR), and only with the data fields disclosed at the point of consent.
• Professional advisers, auditors, and authorities, where reasonably required for legal, tax, audit, or regulatory purposes.

The Organizer does not sell personal data to any third party.

6. Cross-Border Transfer

Some Authorised Parties operate infrastructure outside Indonesia. Where personal data is transferred outside Indonesia for legitimate operational purposes, the Organizer relies on safeguards required by applicable law, including contractual commitments by the recipient to maintain a level of protection consistent with this Notice.

7. Retention

The Organizer retains personal data only for as long as is reasonably necessary to fulfil the purposes set out in this Notice, satisfy applicable legal, tax, audit, and regulatory obligations, resolve disputes, and protect the legitimate interests of the Organizer and Authorised Parties. Indicative retention periods:

• Order, payment, and tax records: retained for the period required by Indonesian tax and accounting law, typically up to ten years from the date of the Order.
• Delegate assignment, attendance, and access logs: retained for the period reasonably necessary for post-Event reporting and the planning of future editions, typically up to three years.
• Marketing contact data: retained until you opt out or until the contact data is deemed inactive based on engagement signals.
• Image, audio, and video archives: retained on a perpetual basis for editorial, archival, and promotional purposes in accordance with Section 8 of the Terms.
• Technical logs: retained for the period required for security, anti-fraud, and operational diagnostics, typically up to twelve months.

After the applicable retention period, personal data is deleted, irreversibly anonymised, or archived in a form that does not identify any individual.

8. Security

The Organizer applies organisational, technical, and contractual measures reasonably designed to protect personal data against loss, misuse, unauthorised access, disclosure, alteration, and destruction. These measures include access controls, transport encryption for sensitive interactions, separation of payment data from Order data, and contractual obligations on Authorised Parties to maintain equivalent safeguards.

No system is perfectly secure, and the Organizer cannot guarantee absolute security. Where the Organizer becomes aware of a personal data breach that meets the notification threshold under applicable law, it will notify the relevant authorities and affected data subjects within the time frames required by law.

9. Your Rights

Subject to applicable law and any lawful retention requirement, each data subject has the following rights in respect of their personal data:

• Access to a copy of the personal data the Organizer holds about you;
• Rectification of personal data that is inaccurate, outdated, or incomplete;
• Erasure of personal data where it is no longer necessary for the purposes for which it was collected, subject to lawful retention requirements;
• Restriction or objection in respect of certain processing activities, including processing based on legitimate interest or for direct marketing;
• Portability of personal data you provided to the Organizer, in a structured, commonly used, machine-readable format, where technically feasible;
• Withdrawal of consent, where processing is based on consent, without affecting the lawfulness of any processing carried out before withdrawal;
• Lodge a complaint with the relevant Indonesian personal data protection authority where you consider that the Organizer's processing infringes applicable law.

To exercise any of these rights, please contact the Organizer at [[email protected]]. The Organizer may need to verify your identity before fulfilling certain requests and will respond within the period required by applicable law.

10. Marketing and Communications Preferences

Transactional, operational, and safety-critical communications relating to your Order and the Event may not be opted out of while the Order remains active. Promotional and marketing communications may be opted out of at any time using the unsubscribe mechanism provided in the relevant message or by contacting the Organizer. Withdrawal of marketing consent does not affect operational communications you continue to receive in connection with an active Order.

11. Cookies and Similar Technologies

The Event website, registration platform, and dashboard may use first-party cookies and similar technologies for session management, security, preference storage, and analytics. Where the law requires consent for non-essential cookies, the Organizer presents a consent interface on first visit and respects your choice unless you change it later. You may also control cookies at the browser level; doing so may affect the functionality of the Event services.

12. Children

The Event is intended for a professional adult audience. The Organizer does not knowingly collect personal data from children under the age of majority in their place of residence. If you believe a child has submitted personal data to the Organizer, please contact us so the data can be reviewed and, where appropriate, deleted.

13. Updates to This Notice

The Organizer may amend this Notice from time to time to reflect changes in operational practice, applicable law, or processor relationships. The current version will be published at the Event website. Material changes will be communicated through registered contact channels where reasonably practicable. Continued use of the Event services after publication of an amended version constitutes acceptance of the amended version to the extent permitted by law.

14. Contact

For privacy questions, requests to exercise data subject rights, or notification of a suspected privacy incident, please contact:

APMF Secretariat Office
Email: [[email protected]]
Address: [Organizer registered address — to be confirmed]