Data is used to run the commission
Name, contact details, brief, references, messages, files, and payment status support review, production, delivery, security, and dispute handling.
Commission data transparency
This Notice explains what information the Deftrial commission service uses, why it is needed, who may receive it, how long it is kept, and how a customer can make a privacy request.
At a glance
Name, contact details, brief, references, messages, files, and payment status support review, production, delivery, security, and dispute handling.
Names, emails, phone numbers, chats, references, payment proof, and delivery files are not published in the queue.
This system is not designed to sell personal data or build advertising profiles.
Hosting, email, and payment providers may process necessary data under their own services and policies.
This Notice describes relevant processing. Information must still be used proportionately and cannot be repurposed merely because the customer read this document.
The Deftrial commission service is operated by Deftrial from Indonesia. For information collected directly through this shop, that operator determines the operational purposes and methods of processing.
This Notice covers the storefront, request form, private order workspace, optional ticket, queue, payments, files, and communications through the selected channel used to operate the commission. Privacy questions, data requests, or complaints may be sent to deftrial@gmail.com.
Back to top ↑Information may include name, email, WhatsApp/phone number, social contact username where provided, contact preference, commission title and brief, intended use, deadline, references, ticket messages where activated, attachments, review decisions, delivery files, payment status, payment proof, Terms acceptance records, and operational security logs.
Do not send passwords, PINs, OTPs, full card data, identity cards, a complete home address, health information, or other sensitive information unless it is genuinely necessary. The Artist may ask the Customer to remove or replace files containing excessive data.
Back to top ↑Information is processed as reasonably necessary to receive and assess requests, communicate, create quotations, verify payment, manage the queue, create and deliver art, administer licenses, record decisions, provide support, prevent fraud, maintain security, meet legal/accounting duties, and handle complaints or disputes.
The applicable basis may differ by activity, including steps requested before a contract, performance of the commission agreement, legal duties, proportionate legitimate interests such as security and fraud prevention, or separate consent where the law actually requires it. Acknowledging this Notice records transparency; it is not unlimited consent for every possible use.
Back to top ↑The Customer is responsible for ensuring references can lawfully be provided and do not violate another person’s privacy, copyright, dignity, or consent. References involving a real person must be limited to what the work requires and must not be used for doxxing, deceptive deepfakes, non-consensual intimate material, harassment, or another prohibited purpose.
If a file appears to contain child exploitation, a credible threat, fraud, or illegal material, access may be restricted and records may be preserved or reported where necessary and lawful.
Back to top ↑The Workspace stores the payment/order ID, selected method, USD contract value, exchange-rate snapshot, checkout amount and currency, displayed destination and recipient name, status, time, transaction reference, evidence, and verification outcome. For DANA, ShopeePay, or BCA, the record may include the destination number and recipient name configured by the operator.
The shop does not request or store account passwords, PINs, OTPs, verification codes, remote access, balances, unrelated transaction history, PayPal passwords, or complete card data. Evidence should be limited to the relevant transaction, and the Customer should conceal unrelated information.
QRIS providers, banks, acquirers, Midtrans, PayPal, DANA, ShopeePay, card issuers, and other providers may process transaction data under their own services and policies. Only information needed for the transaction, verification, refund, fraud prevention, accounting, or dispute should be used.
Back to top ↑The public queue should display only anonymized operational information such as general status and position. Identity, contact details, brief, references, chat, payments, and deliveries must not be shown there.
The customer workspace is protected by a private token. Anyone with the token may be able to open it, so the Customer must protect it like a confidential link and report suspected exposure promptly.
Back to top ↑Current operational targets are approximately 180 days for inactive requests and 730 days for completed orders. Limited longer retention may be needed for accounting, tax, transaction evidence, licenses, security, chargebacks, claims, backups, or legal obligations.
Deletion from the active application may not immediately remove rotating backup copies or records that must still be kept. Backup data must not be reused for a new purpose and should disappear through a reasonable backup cycle.
Back to top ↑Controls include protected file storage, MIME validation, server-assigned filenames, size limits, private tokens, administrator sessions, CSRF protection, password hashing, rate limits, and operational records. HTTPS and hosting-server protection must still be correctly configured on the production domain.
No online system can promise absolute security. The Customer should use a secure device and email account, avoid sharing tokens, and report suspicious access or files promptly. Material incidents will be handled according to the facts and applicable legal duties.
Back to top ↑Subject to applicable law and proportionate identity verification, the Customer may request information, access, correction, updating, restriction, withdrawal of consent where consent is actually the basis, or deletion. A request does not necessarily mean every record can immediately be erased; transaction evidence, security, claims, and legal obligations may require retention.
A request should include the order number, email used, the type of request, and enough information for verification without sending excessive identity data. An initial response will be provided within a reasonable period through deftrial@gmail.com.
Back to top ↑This real-money service is intended for a person who is at least 18 and legally capable, or for a transaction genuinely managed by an authorized parent/guardian. A child must not independently submit sensitive information, payment, or private material.
If the operator learns that a child’s data was submitted without an adequate basis or guardian involvement, the request may be stopped and the information reviewed for deletion, protection, or another action required by law.
Back to top ↑The shop uses a session cookie needed for form security and administrator login. The browser may also store the selected theme locally. The system is not designed with third-party advertising trackers.
The hosting server, firewall, CDN, or payment provider may log IP addresses, user agents, access times, and security metadata under their configurations. The application’s order-acceptance record does not store a raw IP address, but that does not mean the hosting infrastructure has no technical logs.
Back to top ↑To prevent the form from being lost after a refresh, the browser keeps a temporary draft in sessionStorage for that tab. The Customer may choose to keep it for up to seven days in localStorage on the same device. This data remains in the browser and is not sent to the server until the form is submitted.
A draft may contain the nickname, email, contact details, commission choices, and brief. Legal-consent checkboxes, security tokens, and reference files are not restored. Do not enable seven-day storage on a shared device. The Clear Draft button removes the application’s copy; browser settings, extensions, browser sync, or device backups remain outside the application’s control.
Back to top ↑When the Artist enables this feature, a Customer’s title, brief, and ticket messages may be sent over HTTPS to the DeepSeek API provider to flag observable risks such as threats, harassment, hate, payment manipulation, doxxing, spam, or prohibited requests. Passwords, PINs, OTPs, payment credentials, and file attachments are not intended to be sent to this text analysis.
The AI result is visible only to the administrator as a second opinion and requires human review. It is not used for advertising, credit scoring, automated legal decisions, personality diagnosis, or factual claims about hidden intent. AI can be wrong, miss context, or misread language. A Customer may request human review or contact deftrial@gmail.com if a decision was influenced by an inaccurate result.
For documented repeated abuse, an email, phone number, or handle may be transformed into a one-way HMAC fingerprint on an internal watch/block list. The list is not public, does not permanently blacklist IP addresses, and must not be used to punish honest criticism or a good-faith dispute.
Back to top ↑The version of this Notice is recorded so changes can be tracked. Material changes operate prospectively and do not unilaterally alter the license, price, or duties of an accepted order.
A complaint should first be sent to deftrial@gmail.com. The Customer remains free to use an available complaint mechanism or competent authority under applicable law. This Notice is read together with the Commission Terms and Conditions.
Back to top ↑These official sources are provided for transparency. Application of a particular provision still depends on the facts, party roles, and provider setup.