Privacy Policy

1. INTRODUCTION

Gokil Works ("we," "our," or "us") operates the AJSB Discord bot, website, and related services (collectively, the "Service"). This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our Service.

By using the Service, you agree to the practices described in this Privacy Policy. This policy is drafted in compliance with:

• Law No. 27 of 2022 on Personal Data Protection (UU PDP) — Republic of Indonesia
• General Data Protection Regulation (GDPR) — applicable to users in the EU/EEA
• Law No. 11 of 2008 as amended by Law No. 19 of 2016 on Electronic Information and Transactions (UU ITE)

2. DATA CONTROLLER

The party responsible for processing your personal data is:

For any questions or requests regarding your personal data, please contact us at the email address above.

3. PERSONAL DATA WE COLLECT

3.1 Discord Account Information

Collected via Discord OAuth login:

• Discord User ID
• Username and Discriminator
• Avatar URL
• Email address (from your Discord profile)

Purpose: Authentication, session management, and digital product delivery.

3.2 Roblox Account Information

Collected when you link your Roblox account via Roblox OAuth 2.0:

• Roblox User ID
• Roblox Username and Display Name
• Roblox Avatar URL
• OAuth Access Token and Refresh Token (stored encrypted)

Purpose: Purchase verification, automated product delivery, and smart polling of purchase history.

3.3 Transaction and Product Data

For each transaction, we store:

• Linked Roblox account ID
• Linked Discord account ID
• Gamepass ID / Developer Product ID
• Purchase timestamps
• Email delivery status and delivery method
• Unique redemption codes and Midtrans order references

Purpose: Order fulfillment, duplicate-delivery prevention, and customer support.

3.4 Server Management Data

For Discord server owners who use our management features:

• Discord Server (Guild) ID, name, and icon
• Server owner ID
• Member associations (which Discord accounts belong to which server)
• Shop settings (shopSettings): email templates, webhook configurations
• Midtrans production/sandbox API keys provided by server owners

Purpose: Role-based access control, shop customization, and purchase notifications.

3.5 Session and Cookie Data

We use HTTP-only cookies to store JSON Web Tokens (JWT) for authenticated session management. These cookies:

• Are HTTP-only (inaccessible to client-side JavaScript)
• Are used solely to maintain your login session
• Are shared across our trusted domains (*.zebua.site, *.ze4.me, *.ajsb.app) via CORS configuration

We do not use tracking, advertising, or third-party analytics cookies.

4. LEGAL BASIS FOR PROCESSING

Under Article 20 of UU PDP and Article 6 of the GDPR, we process your personal data on the following legal bases:

• Explicit consent: You authorize access when linking your Discord and/or Roblox accounts via OAuth.
• Performance of a contract: Processing is necessary to deliver the services you request (purchase verification, product delivery).
• Legitimate interests: Fraud prevention, platform security, and service improvement.
• Legal obligation: Compliance with UU PDP, UU ITE, and other applicable Indonesian regulations.

5. HOW WE USE YOUR DATA

We use your personal data strictly for the following purposes:

• Linking your Discord account with your Roblox account
• Verifying Robux payments (Gamepass / Developer Product) or fiat payments via Midtrans
• Delivering purchased digital files (e.g., .rbxm, .fbx, or model files) directly to you
• Managing role-based access on Discord servers using our Service
• Sending purchase notifications to server owners via configured webhooks
• Maintaining records of purchased asset ownership
• Providing customer support
• Maintaining platform security and integrity

6. DATA SHARING AND THIRD PARTIES

We do not sell, trade, or rent your personal data to any third party. We only share data with the following parties:

6.1 Technical Service Providers

• Discord Inc. — as required by the Discord API for bot functionality
• Roblox Corporation — as required by the Roblox API for purchase verification
• Midtrans (Gojek Group) — payment processor for fiat transactions; stores production/sandbox API keys provided by server owners

6.2 Discord Server Owners

Server owners using our Service may configure Discord webhooks to receive purchase notifications. These notifications may contain the buyer's Roblox username and Discord username, but will NEVER include the buyer's email address.

6.3 Legal Authorities

We may disclose your data to government authorities or law enforcement agencies where required by applicable Indonesian law or to protect our legitimate rights.

7. DATA RETENTION

We retain your personal data for as long as necessary to provide the Service:

• Active account data: For the duration your account is active
• Transaction records: Minimum 5 (five) years per applicable accounting and legal requirements
• Session/JWT data: Until the session ends or you log out
• Roblox OAuth tokens: Deleted when you unlink your Roblox account

After the retention period ends or upon a valid deletion request, we will securely delete or anonymize your personal data.

8. YOUR RIGHTS OVER YOUR PERSONAL DATA

Under UU PDP Articles 5–15 (and the GDPR for EU/EEA users), you have the following rights:

• Right to Access: Know what personal data we hold about you
• Right to Rectification: Request correction of inaccurate data
• Right to Erasure (Right to be Forgotten): Request deletion of your data when it is no longer necessary or processing is unlawful
• Right to Withdraw Consent: Revoke consent at any time without affecting the lawfulness of prior processing
• Right to Data Portability: Receive your personal data in a structured, machine-readable format (EU/EEA users)
• Right to Object: Object to processing based on our legitimate interests

To exercise any of these rights, contact us at: apasihsh@gmail.com

We will respond to your request within 30 days of receipt. Please note that deleting your data may result in loss of access to previously purchased files or support services.

9. DATA SECURITY

We implement appropriate technical and organizational security measures to protect your personal data, including:

• Encryption of OAuth tokens
• HTTP-only cookies for JWT storage
• Role-based access control on internal data
• Webhook data restrictions (email addresses never included in notifications)

However, no method of data transmission over the internet is 100% secure. We cannot guarantee absolute security.

10. INTERNATIONAL DATA TRANSFERS

Our Service integrates third-party services that may process data outside Indonesia (Discord — United States; Roblox — United States). These transfers are conducted with appropriate safeguards consistent with international security standards. For users in the EU/EEA, international data transfers are subject to applicable GDPR transfer mechanisms.

11. CHILDREN'S PRIVACY

Our Service interfaces with Roblox, a platform also used by minors. We do not knowingly collect personal data from children under the age of 13 beyond what is strictly necessary for OAuth authentication. If you are a parent or guardian and believe your child has provided us with data without your consent, please contact us for prompt deletion.

12. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time as our Service evolves. Material changes will be communicated via a notice on our website or Discord bot. Your continued use of the Service after changes take effect constitutes acceptance of the updated Privacy Policy.

13. CONTACT US

For questions, data rights requests, or privacy-related reports, contact:

We are committed to responding within 30 business days.