Contents
- 1. Introduction & Controller
- 2. Personal Data We Collect
- 3. Legal Bases for Processing
- 4. How We Use Your Data
- 5. Sharing & Disclosure
- 6. International Transfers
- 7. Data Retention
- 8. Security
- 9. Cookies & Tracking
- 10. Your Rights (UU PDP / GDPR)
- 11. Children's Privacy
- 12. Automated Decisions
- 13. Indonesia UU PDP Addendum
- 14. EEA/UK GDPR Addendum
- 15. California Addendum (CCPA)
- 16. Changes to This Policy
- 17. Contact & DPO
1. Introduction & Data Controller
The Luxury Bali ("Platform", "we", "us", "our") is operated by The Luxury Leisure Group — a private limited company registered in Indonesia. This Privacy Policy explains how we collect, use, store, and protect your personal data when you access or use our platform, website, mobile experiences, and related services (collectively, the "Services").
This policy complies with:
- Indonesia: Undang-Undang Perlindungan Data Pribadi Nomor 27 Tahun 2022 ("UU PDP")
- European Economic Area & United Kingdom: General Data Protection Regulation (EU 2016/679) and UK GDPR
- California: California Consumer Privacy Act (CCPA / CPRA)
- Japan: Act on the Protection of Personal Information (APPI)
Data Controller: The Luxury Leisure Group, Bali, Indonesia. Contact: privacy@theluxurybali.com.
2. Personal Data We Collect
2.1 Data you provide directly
| Category | Examples | Purpose |
|---|---|---|
| Identifiers | Full name, email, phone, country | Account, booking, contact |
| Booking data | Dates, guest count, special requests | Process reservations |
| Payment data* | Card data handled by Xendit/Stripe (PCI-DSS); we store only last 4 digits + masked ref | Payment, refund, fraud prevention |
| Host data | Business name, address, NPWP, NIB, bank details for payouts | Host onboarding, tax compliance |
| Content | Messages, reviews, photos you upload | Service delivery, platform listings |
| Identity docs** | Passport scan, KTP (if hosting) | KYC, fraud prevention, legal compliance |
* We never store your full credit card number or CVV. Payment processing is delegated to PCI-DSS Level 1 certified providers (Xendit, Stripe).
** Identity documents are encrypted at rest and retained only as long as required by Indonesian tax/AML law.
2.2 Data collected automatically
- Device: Browser type, OS, screen size, device model
- Usage: Pages visited, search queries, clicks, session duration, referrer URL
- Approximate location: Derived from IP address (country + region level only, never precise GPS unless you grant location permission)
- Cookies: Session tokens, preferences, analytics IDs (see Section 9)
2.3 Data from third parties
- Social login: If you sign in with Google, we receive name, email, and profile photo (no other Google account data)
- Fraud prevention: We may receive risk signals from payment processors to detect fraudulent bookings
- Host channel managers: Airbnb/Booking.com calendars for sync (date occupancy only, no guest PII)
3. Legal Bases for Processing (GDPR Art. 6 / UU PDP Art. 20)
| Processing Activity | Legal Basis |
|---|---|
| Booking fulfilment, payments | Contract performance |
| Account management, support | Contract performance |
| Marketing emails (after opt-in) | Consent |
| Analytics cookies (optional) | Consent |
| Fraud detection, AML/KYC | Legal obligation + legitimate interest |
| Platform improvement | Legitimate interest |
| Defence of legal claims | Legitimate interest |
4. How We Use Your Data
- Deliver the Service: Process bookings, match guests to properties, coordinate with hosts
- Communicate: Booking confirmations, travel reminders, host replies, support responses
- Personalise: Show relevant villa recommendations (with your consent for cookie-based personalisation)
- Improve: Analyse aggregated usage to improve features, performance, search relevance
- Protect: Detect fraud, enforce Terms, defend legal claims
- Legal: Comply with tax reporting, AML, and Indonesian tourism regulations (NIB, KBLI 55130)
We do not sell your personal data to third parties.
5. Sharing & Disclosure
5.1 Property hosts
When you book, we share your name, contact details, arrival date, guest count, and any special requests with the host fulfilling your reservation. Hosts are contractually bound to use this data only for your stay and to delete it after 90 days post-departure.
5.2 Service providers (sub-processors)
| Provider | Purpose | Location |
|---|---|---|
| Vercel Inc. | Platform hosting, CDN | USA, Singapore |
| Supabase | Database, authentication | Singapore (ap-southeast-1) |
| Xendit | Payment processing (Indonesia) | Indonesia, Singapore |
| Stripe (optional) | International card payments | USA, Ireland |
| Resend | Transactional email | USA |
| Twilio / Meta WhatsApp Business | Messaging | USA, Ireland |
| Google Analytics 4 | Usage analytics (with consent) | USA |
| Meta Pixel | Advertising (with consent) | USA, Ireland |
| Anthropic (Claude API) | AI concierge (messages processed; no storage beyond session) | USA |
| Sentry | Error monitoring | USA |
All sub-processors are bound by Data Processing Agreements meeting GDPR Art. 28 standards.
5.3 Legal
We may disclose personal data when required by law, court order, or to protect the rights, property, or safety of our users, staff, or the public.
6. International Data Transfers
Your data may be processed in Indonesia (primary), Singapore, the United States, and the European Union. For transfers from the EEA/UK, we rely on the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework.
For transfers from Indonesia under UU PDP Art. 56, we ensure the receiving country has an adequate level of protection, or we implement contractual safeguards with sub-processors.
7. Data Retention
| Data Category | Retention Period | Reason |
|---|---|---|
| Booking records | 10 years post-stay | Indonesian tax law (PER-02/PJ/2019) |
| Host financial records | 10 years | Accounting law |
| Enquiry (no booking) | 12 months | Remarketing + dispute handling |
| Support tickets | 3 years | Quality assurance |
| Account data | Duration of account + 24 months after deletion | Fraud prevention window |
| KYC documents | 5 years post-relationship | AML Act |
| Marketing consent records | 3 years after withdrawal | Proof of compliance |
| Analytics (aggregated) | Indefinite (anonymised) | Platform improvement |
8. Security
- TLS 1.3 encryption in transit, AES-256 at rest
- Passwords hashed with scrypt / Argon2id with per-user salts
- JWT authentication with short-lived tokens (8 hours) and rotation
- Row-Level Security (RLS) at the database layer so hosts can only access their own data
- Rate limiting on all public and authenticated endpoints
- Content Security Policy (strict), HSTS (preload), X-Frame-Options
- Annual third-party penetration testing and quarterly vulnerability scans
- Breach notification to DPO + affected users within 72 hours (UU PDP Art. 46 + GDPR Art. 33)
9. Cookies & Similar Technologies
We use four categories of cookies:
| Category | Purpose | Opt-in required? |
|---|---|---|
| Strictly Necessary | Session, CSRF, login | No (essential) |
| Preferences | Currency, language, dark mode | No (essential) |
| Analytics | GA4 aggregated usage | Yes |
| Marketing | Meta Pixel, remarketing | Yes |
On first visit, you see our cookie consent banner with granular controls. You can change preferences anytime via the "Cookie Preferences" link in our footer. Setting your browser Do Not Track header will be honoured for analytics and marketing cookies.
10. Your Rights
You have these rights over your personal data, exercisable at any time by emailing privacy@theluxurybali.com. We respond within 30 days (GDPR) or 72 hours for urgent requests (UU PDP Art. 7).
- Access: Obtain a copy of all personal data we hold about you
- Rectification: Correct inaccurate or incomplete data
- Erasure ("right to be forgotten"): Request deletion (subject to legal retention requirements in Section 7)
- Portability: Receive your data in a structured, machine-readable format (JSON)
- Restriction: Limit processing to storage only while we resolve a dispute
- Objection: Object to processing based on legitimate interest or direct marketing
- Withdraw consent: Revoke previously granted consent at any time (does not affect past lawful processing)
- Lodge a complaint: With your supervisory authority — see Section 13 / Section 14
11. Children's Privacy
Our Service is intended for users aged 18 and above. We do not knowingly collect personal data from individuals under 18. If we become aware we have inadvertently collected data from a minor, we will delete it promptly. Bookings that include minors as guests are made by the adult booker; we collect only name and age band (e.g. "child 0–12").
12. Automated Decision-Making
We do not subject users to purely automated decisions with legal or similarly significant effect (GDPR Art. 22 / UU PDP Art. 10). Fraud scoring is reviewed by a human before any account or booking is declined. AI-assisted villa recommendations are advisory only — you make the final choice.
13. Indonesia (UU PDP) Addendum
Under UU PDP 27/2022, you have the rights listed in Article 5–15. To exercise them, contact our Data Protection Officer (see Section 17). If we cannot resolve your concern, you may lodge a complaint with:
Lembaga Pengawas Pelindungan Data Pribadi (data protection supervisory authority under the Ministry of Communication and Information Technology — kominfo.go.id).
14. EEA/UK (GDPR) Addendum
Our EU representative (GDPR Art. 27), if required, will be appointed upon reaching the threshold. For now, direct all enquiries to dpo@theluxurybali.com. You may lodge a complaint with your local data protection authority (e.g. the CNIL in France, ICO in the UK, or the authority where you live).
15. California (CCPA / CPRA) Addendum
California residents have the right to know what personal information we collect, request deletion, and opt out of "sale" or "sharing" of personal information. We do not sell personal information. Contact privacy@theluxurybali.com with subject "CCPA Request" to exercise your rights.
16. Changes to This Policy
We may update this policy to reflect legal, technical, or business changes. Material changes will be communicated via email to active users and via a banner on the Platform at least 30 days before taking effect. Continued use after that date signifies acceptance.
17. Contact & Data Protection Officer
Data Protection Officer: dpo@theluxurybali.com
Privacy enquiries: privacy@theluxurybali.com
Postal: The Luxury Leisure Group, c/o The Luxury Bali, Seminyak, Badung, Bali 80361, Indonesia
For urgent data breach notifications, please mark your email subject "URGENT — Data Breach".