Legal

Privacy Policy

Last updated: 2026-05-06

Heads up: we wrote this plainly so you can read it. pawpado is a new product and Indonesia's Personal Data Protection Law (UU PDP) is recent — review by qualified counsel may flag specifics for your operations. Email privacy@pawpado.com with concerns.

1.The short version

  • We collect the minimum data needed to run the service: your email and name (from Huudis), payment metadata (from Plugipay), and operational state (your instance ID, session timestamps, wallet balance).
  • We don't look inside your instance — your installed games, save files, and screenshots are yours.
  • We share data only with the providers that actually run the service: AWS (compute), Plugipay (payments), Huudis (auth), Tailscale (mobile networking).
  • You can delete everything we have about you from Settings → Danger zone. The cascade is genuine — DB rows + EBS volume + EC2 instance all get destroyed.

2.What we collect, and why

Account data (from Huudis)

  • Email + name — contact you, address support emails, route invoices.
  • Huudis user ID — primary key for everything we store about your account. Also used to scope your instance to your own Tailscale identity (mobile path).

Operational data

  • Subscription state — current tier (Starter / Standard / Pro / Heavy), billing period, status. Cached locally to avoid round- tripping Plugipay on every page load.
  • Wallet + transactions — balance, top-ups, per-session debits. Append-only audit trail for billing transparency.
  • Session events — timestamps when you start / stop, accumulated cost, EC2 instance ID, failure reasons. Used for the cron meter, idle auto-stop, and the activity history shown on the dashboard.
  • User settings — your idle auto-stop preference and similar.
  • Generated credentials — per-user Apollo admin password and Windows RDP password, stored in our database so we can re-assert them on the instance every Start. These are shown to you in the Connect panel; nobody else has access.

What we don't collect

  • Anything inside your instance — games, save files, screenshots, browser history.
  • Your password. Auth is handled by Huudis; we never see it.
  • Stream content. Video / audio of your gameplay flows directly between your client and your instance over the Tailscale or public-IP network path; it never traverses pawpado's servers.
  • Tracking analytics, third-party advertising trackers, or similar. pawpado runs no such code.

3.Where data lives

  • pawpado portal database — runs on dev-machine in Singapore (DigitalOcean). SQLite with WAL for closed beta; will move to managed Postgres for production scale.
  • Your EBS volume — AWS Jakarta (ap-southeast-3). Encrypted at rest with AWS-managed keys.
  • Plugipay — payment data per Plugipay's privacy policy.
  • Huudis — auth data (email, name, login history) per Huudis's privacy policy.

4.Who we share data with

Strictly the providers needed to operate the service:

  • AWS — EC2 + EBS for instance hosting; CloudWatch for idle detection; SSM for credential rotation
  • Plugipay — processes payments, holds card / VA / QRIS data
  • Huudis — authentication and identity
  • Tailscale — private networking (only invoked on your behalf when you opt in via the Mobile tab)

We don't sell or rent your personal data. We don't share it with marketing partners, analytics platforms, or ad networks.

Where required by Indonesian law (Personal Data Protection Law / UU PDP) or another applicable regulation, we may disclose data in response to a valid legal request. We'll tell you about the request unless legally barred from doing so.

5.Your rights

You can:

  • Access the data we hold about you — much of it is visible on the dashboard. Email privacy@pawpado.com for a full export.
  • Correct inaccurate data — most account fields are editable on Huudis.
  • Delete everything — Settings → Danger zone runs the cascade (subscription cancel, EC2 terminate, EBS delete, DB rows hard-deleted). Your Huudis identity is preserved separately; delete that on huudis.com if desired.
  • Object to specific processing or restrict it. Email privacy@pawpado.com to discuss.

6.Cookies and tracking

pawpado uses one cookie: pawpado_session — an HMAC-signed session token that holds your logged-in state. It expires when your Huudis access token does (about 15 minutes; refresh extends it). HttpOnly, Secure, SameSite Lax.

We don't use third-party tracking cookies, fingerprinting scripts, or marketing pixels. The site does not call out to external analytics services from your browser.

7.Data retention

  • Active accounts — we keep operational data as long as your account is open
  • Cancelled subscription — EBS volume held for 7 days for self-service recovery, then deleted permanently
  • Deleted account — DB rows hard-deleted immediately; logs retained for up to 90 days for security investigation, then purged
  • Billing records — Plugipay retains transaction history per its own policy; we keep wallet transaction summaries for 7 years to comply with Indonesian tax law

8.Changes and contact

We may update this policy. Material changes will be announced via email at least 14 days before they take effect.

Questions, requests, or concerns? privacy@pawpado.com.