Privacy Policy
Last updated: 13 May 2026
Jasa ERP Mobile (“the App”) is published by CV. Webtocrat Motion
(“we”, “us”). This Privacy Policy explains what data the App
collects, how it is used, and what choices you have. By using the App you consent
to the practices described below.
What we collect
- Site URL. The Frappe/ERPNext site you connect to. Stored
locally on your device so you do not have to re-enter it on each launch.
- Login credentials. Your email address and password are
sent over HTTPS to the site URL you provided in order to authenticate.
Credentials are stored locally on your device using Android’s encrypted
storage (flutter_secure_storage) so the App can refresh your session
silently. We never transmit your credentials to any server other than the
site URL you explicitly chose to log into.
- OAuth tokens. Access and refresh tokens issued by your
Frappe site after successful login. Stored in the same encrypted storage as
your credentials, used to authorise API calls on your behalf.
- Firebase Cloud Messaging (FCM) registration token. A
per-device push-notification identifier issued by Google’s FCM service.
We forward this token to a dedicated notification-bridge server we operate so
the bridge can route your site’s notifications to your device. The
bridge sees only your FCM token, the email address you logged in with, and
the site URL you connected to.
- Device information. Basic, non-personal device data
(Android version, device model, OS locale) is sent alongside the FCM token
so the bridge can apply OEM-specific delivery workarounds (Xiaomi, Oppo,
Vivo, Huawei). No advertising identifiers, no IMEI, no contacts.
- Application caches. The App caches non-sensitive data
locally (workspace lists, doctype metadata, recent navigation history) to
reduce network usage. All caches are cleared when you log out.
What we do not collect
- No advertising identifiers, no analytics SDKs, no third-party trackers.
- No contacts, calendar, SMS, call logs, or microphone data.
- No location data. The App declares no location permission.
- No camera or photo-library access except when you explicitly attach a
file or scan a barcode using a feature that requests permission in-context.
How your data is used
- Credentials and tokens are used only to authenticate API calls to the
Frappe site you logged into.
- The FCM token is used only to deliver push notifications you would
otherwise receive in your Frappe Notification Log.
- Device info is used only to improve push-notification delivery on
specific Android OEMs and is not stored for any other purpose.
Who we share with
- Your Frappe/ERPNext site — all API calls go
directly from the App to the site URL you specified. We are not an
intermediary for your business data.
- Google Firebase Cloud Messaging — receives the
push payload we send to your device. Google’s privacy policy applies.
- Our notification bridge server — receives your
FCM token, login email, and site URL so it can poll your site’s
Notification Log on your behalf and forward new entries to your device. The
bridge does not retain notification content beyond delivery.
We do not sell, rent, or trade any user data with third parties.
Data retention
- Locally stored data (credentials, tokens, caches) is held on your
device only and is cleared when you tap Logout in the App, or when you
uninstall the App.
- FCM registration data on the bridge is unregistered when you log out
from the App; if you uninstall without logging out, the registration
becomes inactive automatically once Google reports the token as invalid.
Security
- All network traffic between the App and your Frappe site uses HTTPS
(TLS).
- Credentials and tokens at rest on the device are stored using the
Android Keystore via flutter_secure_storage.
- The notification bridge runs over HTTPS and authenticates each device
request against the registered FCM token.
Your rights
- Access & correction. Your Frappe/ERPNext site is
the system of record for your business data. To access or correct it,
contact your site administrator.
- Deletion. You can remove all locally cached data at
any time by tapping Logout in the App or by uninstalling the App. To
request deletion of your FCM registration on the bridge, email us at
the address below.
Children
The App is a business productivity tool and is not directed at children
under 13. We do not knowingly collect personal information from children.
Changes to this policy
We may update this Privacy Policy from time to time. The “Last
updated” date at the top of this page reflects the most recent
revision. Material changes will be announced through the App’s release
notes.