Protecting your privacy doesn’t have to be complicated, but it isn’t a single tip either. The most effective approach is to close gaps surface by surface: your devices, your accounts, and your documents and personal data such as your national ID. Each surface has a short checklist below, plus a plan for when data has already leaked and an explanation of your rights as a data owner under Indonesia’s Personal Data Protection Law (Law No. 27 of 2022), now in full force. Start with the highest-impact items: lock your device, use unique passwords, and turn on 2FA.
Reviewed as of July 2026. The legal basis and its effective date were matched against official sources (Indonesia’s national law database and the Ministry of Communication and Digital Affairs) that month. The security practices are general; adapt them to the devices and services you use.
Devices: the checklist
An unlocked device exposes everything on it. Make sure:
- A screen lock is on with a strong PIN/password plus biometrics (fingerprint or face). Avoid simple patterns.
- Automatic updates are enabled for the operating system and apps. Security patches close holes that are actively exploited.
- App permissions are reviewed regularly. Open the permissions settings and revoke location, contacts, camera, microphone, or storage access that isn’t relevant to the app. Prefer “only while using the app”.
- Find-my-device is active (Find My iPhone / Find My Device) so you can lock and wipe it remotely if lost.
- Device encryption is on (the default on modern phones) with a secure backup.
- Sign out of sessions you don’t recognise. Check the active-devices/sessions list in your accounts and browser, and log out anything unfamiliar.
- Wipe data before selling or servicing a device. Do a factory reset, sign out of all accounts, and remove the SIM and memory card.
- Avoid sensitive logins on public Wi-Fi. If you must, use mobile data or a trusted network for banking and important accounts.
Accounts: the checklist
Your email account is the master key: whoever controls it can reset your other accounts. Secure it first.
- A unique, strong password for each account. Never reuse one. A leak at one service immediately endangers the others.
- Use a password manager to generate and store long, random passwords without memorising them.
- Enable two-factor authentication (2FA). Prefer an authenticator app or a passkey over SMS 2FA, because SMS is vulnerable to number hijacking (SIM swap).
- Review third-party app access. Check the “connected apps” list in your Google/Apple/social accounts and revoke anything you don’t recognise or no longer use.
- Check whether your data has leaked. Use a breach-checking service (such as Have I Been Pwned) to see if your email appears in a known breach, then change any affected passwords.
- Never log in through a link. Fake login pages are the most common way passwords are stolen. Open the official app or type the address yourself; don’t log in from a link in an email or SMS.
- Keep a separate email for important accounts. Use one address for banking and critical accounts, apart from the email you use for everyday sign-ups and subscriptions.
- Secure your recovery email and phone number, since both are common reset paths. Protect them with 2FA and treat them as your most important accounts.
National ID & personal data: the checklist
In Indonesia, the National Identity Number (NIK), Family Card (Kartu Keluarga / KK), and a photo of the national ID card (KTP) are the data most often abused — for illegal loans or fake accounts opened in your name.
- Share only what’s needed. Give your NIK/KK only to authorised, legitimate parties (a bank, a government office, or a licensed service) and only when the process is clear.
- Watermark any ID copy you’re asked to upload. Write text across the image, for example “For [service name] verification only, [date]”, so the copy can’t be reused for another purpose.
- Never post documents publicly. ID cards, family cards, certificates, and boarding passes contain exploitable data (a boarding-pass barcode stores booking details). Don’t show them off on social media or open groups.
- Question who is asking and why. A legitimate service explains its purpose, legal basis, and how long it keeps data. If the reason is vague, hold off.
- Cut down on oversharing on social media. A full date of birth, home address, mother’s maiden name, and real-time location are often used to guess security answers or for social engineering.
If your data has already leaked
Acting fast limits the damage:
- Change passwords on affected accounts, starting with email, then financial accounts and anything sharing that password.
- Enable 2FA on all important accounts if you haven’t.
- Contact your bank/e-wallet if the leak involves financial data; ask for monitoring or a block, and watch for unfamiliar transactions.
- Monitor accounts and statements for several weeks, including incoming emails that try to reset your accounts.
- Report the breach to the service that suffered the incident, and keep the evidence. If it’s tied to financial fraud, also use channels such as OJK’s IASC and patrolisiber.id.
- Check for loans in your name. If you’re worried your national ID number has been misused for an illegal loan, check your credit history for free through OJK’s credit information system (SLIK) at idebku.ojk.go.id. It is free and doesn’t affect your credit score; anyone charging a fee to “check your SLIK” is a scammer.
Your rights under the PDP Law
Indonesia’s Law No. 27 of 2022 on Personal Data Protection has been in full force since 17 October 2024, after a two-year transition period. This means all provisions, including administrative sanctions, now apply. Anyone processing personal data (a data controller) must safeguard it, process it lawfully and only for the agreed purpose, and protect it from leaks.
As a data owner, your rights include:
- Access — obtain information about the personal data being processed about you and its purpose.
- Correction — fix or complete inaccurate data.
- Erasure — request deletion (the right to be forgotten) when data is no longer needed or is processed unlawfully.
- Withdraw consent you previously gave for processing.
- Object to decisions made solely by automated processing that have a legal or significant effect on you.
- Compensation for a violation in the processing of your personal data.
The PDP Law also places duties on data controllers when a leak happens: they must notify you as the data owner and the relevant authority in writing within 3 x 24 hours of a personal-data protection failure. So a service that leaks your data but stays silent isn’t just acting badly — it may be breaching a legal obligation.
To exercise these rights, send your request directly to the service provider (the data controller). One honest caveat: the PDP supervisory authority has not yet been fully established as of mid-2026, and the oversight function is temporarily handled by the Ministry of Communication and Digital Affairs (Komdigi). (The PDP Law says this body is established by, and answerable to, the President; it does not describe it as “independent”.) So if a request goes unanswered, document the correspondence and use the available complaint channels.
The IsonAI angle
IsonAI is built with privacy in mind: data is processed in-country, and an incognito mode is available that keeps conversations out of your history and unused for personalisation. To be honest about what it does: incognito conversations are still processed and stored on IsonAI’s servers — merely hidden from your history and recall, not un-stored or immediately deleted. This gives you more control over your data footprint, but it is no substitute for the safe habits above. You can read the details at isonai.net/privacy.
Priority action by surface
| Surface | Highest-impact action |
|---|---|
| Devices | Screen lock + biometrics, auto-updates, review app permissions |
| Accounts | Unique passwords via a manager, 2FA (app/passkey), secure recovery email |
| ID & data | Share sparingly, watermark ID copies, don’t post publicly |
| After a breach | Change passwords, enable 2FA, contact your bank, monitor activity |
| Legal rights | Use access/correction/erasure/withdraw-consent rights (PDP Law) |
Frequently asked questions
Is SMS 2FA safe?
Better than no 2FA, but the weakest of the options. SMS codes can be hijacked through number takeover (SIM swap) or phishing. Where a service supports it, use an authenticator app or a passkey. Keep SMS only as a fallback.
Is a password manager safe?
Yes, and for most people it is far safer than reusing passwords or memorising weak ones. A password manager stores your data encrypted and unlocks only with your master password. Choose a strong master password and protect it with 2FA.
Do I always have to give my ID number when asked?
No. Give your national ID number only to authorised, legitimate parties and only when the process is clear. Ask about the purpose, legal basis, and retention period. For an ID copy you must upload, add a watermark stating the purpose and date so it can’t be reused.
What should I do if my data leaks?
Immediately change passwords on affected accounts (starting with email), enable 2FA, and contact your bank if finances are involved. Monitor accounts and statements, report the incident to the service provider, and use official fraud channels if you suffered a financial loss.
Can I ask a company to delete my data?
Yes. Under Law No. 27 of 2022 you can request deletion of data that is no longer needed or is processed unlawfully, and you can withdraw consent. Send a written request to the provider and keep the evidence. If it’s ignored, document it and use the complaint channels — noting that the PDP supervisory authority is still being established.
Does contacting IsonAI affect my privacy?
IsonAI processes data in-country and offers an incognito mode: conversations are kept out of your history and unused for personalisation (they are still stored on the servers, just hidden — not deleted). The general rule still applies: never share an OTP, PIN, or card number inside any conversation. For policy details, see isonai.net/privacy.
Need help planning the steps?
Not sure where to start, or want to review the privacy settings of a specific account? Ask IsonAI for a step list tailored to the devices and services you use. IsonAI helps you build the plan, while you make the actual changes in each of your own accounts.
Sources & review
This guide was reviewed in July 2026 against the following official sources.
Last updated:
IsonAI