Privacy and Data Protection Policy

Effective Date: October 23, 2025

Service Provider:
PT Bali Data Insights
Bali, Indonesia
Contact: privacy@indo.rent
Website: https://indo.rent

1. Introduction

PT Bali Data Insights (hereinafter: "Provider") is committed to protecting personal data and respecting privacy. This Privacy Policy (hereinafter: "Policy") describes how we collect, use, store, transfer, and protect your personal data when using the indo.rent Platform (hereinafter: "Platform").

By using the Platform, you accept the data processing practices described in this Policy.

2. Data Controller and Contact Information

Data Controller:
PT Bali Data Insights
Headquarters: Bali, Indonesia
Privacy Contact: privacy@indo.rent
General Contact: support@indo.rent

3. Categories of Personal Data Collected

During Platform operation, we collect and process the following personal data:

3.1. Registration and Identification Data

- Name (first name, last name)
- Email address
- Phone number (optional but recommended)
- Country code or residence location
- User ID
- Password (stored in encrypted form)

3.2. Company Data (for listers, optional)

- Company name
- Tax number or registration number

3.3. Property Listing Data (for listers)

- Property type (villa, apartment, house, etc.)
- Address details (city, district, street – optional)
- Pricing and currency
- Property description, amenities
- Uploaded photos

3.4. Communication and Inquiry Data

- Messages, inquiries sent to listers
- Saved properties list (for logged-in seekers)

3.5. Subscription and Payment Data

- Selected subscription plan (Free, Start, Premium)
- Payment cycle (monthly, annual)
- Midtrans transaction IDs
- Bank transfer receipts (only as necessary, for accounting purposes)
- We do not collect bank card data – these are processed directly by Midtrans

3.6. Technical and Usage Data

- IP address
- Browser type and version
- Device information (operating system, screen resolution)
- Cookie identifiers
- Visit times, viewed pages
- Log files

4. Purposes and Legal Basis for Data Processing

The purposes and legal bases for data processing are as follows:

4.1. Performance of Contract (GDPR Article 6(1)(b))

- Registration and login: Creating and managing user accounts
- Publishing listings: Displaying and editing properties
- Facilitating contact: Connecting listers and seekers
- Managing subscriptions: Payment processing, providing service levels

4.2. Compliance with Legal Obligation (GDPR Article 6(1)(c))

- Billing and accounting: Complying with Indonesian tax and accounting regulations
- Data retention obligations: Financial and transaction records
- Fulfilling regulatory requests: When legally required

4.3. Legitimate Interest (GDPR Article 6(1)(f))

- System security and abuse prevention: Protection against hacking, spam, fraud
- Development and statistics: Improving Platform performance, optimizing user experience
- Customer relationship management: Processing complaints and feedback

4.4. Consent (GDPR Article 6(1)(a))

- Marketing and newsletters: Promotional emails, notifications about updates (revocable at any time)
- Non-essential cookies: Marketing and analytics cookies (see Section 10)

5. Data Processors and Recipients

The Provider uses the following third-party service providers (data processors):

5.1. Hosting Services

- Amazon Web Services (AWS S3): File and image storage
- PostgreSQL database: User and listing data storage

5.2. Payment Processing

- Midtrans (PT Midtrans): Online payment processing (Snap integration)
- Bank card data is processed directly on Midtrans' secure servers; we do not store it

5.3. Authentication and Session Management

- Indo OIDC: Login system
- Session storage: PostgreSQL-based session management with HTTP-only cookies

5.4. Map Services

- Google Maps API: Displaying properties on maps
- When using Google Maps, IP address and browser data are transmitted to Google

5.5. Analytics and Statistics

- Google Analytics: Visitor statistics, user behavior analysis
- More information: [Google Privacy Policy](https://policies.google.com/privacy)

Contractual agreements are in place with all data processors to guarantee data security.

6. International Data Transfers

As the Platform is globally accessible and uses international infrastructure, data may be transferred outside the European Union:

6.1. Legal Basis for Data Transfers

- AWS regions: Data may be stored outside the European Union (e.g., Singapore, USA)
- Compliance measures:
- EU-approved Standard Contractual Clauses (SCC)
- Adequacy decisions
- GDPR-compliant security measures

6.2. Data Security in International Context

The Provider ensures that even when data is stored outside the EU, the same level of protection applies as within the European Union.

7. Data Retention Periods

7.1. Account Data

- Active account: Data retained until account deletion
- After account deletion: Permanently deleted within 30 days, except data required by law

7.2. Listing Data and Images

- Active listing: Duration of listing publication
- Inactive/deleted listing: Deleted within 90 days, unless required by law

7.3. Billing and Financial Data

- Indonesian regulations: Generally 8 years (accounting and tax requirements)

7.4. Log Data

- General logs: Maximum 1 year
- Security incidents: Longer retention if necessary, with notification

7.5. Cookie Data

- Session cookies: Until browser closure
- Persistent cookies: Maximum 2 years (Google Analytics)
- Marketing cookies: Revocable by user at any time

8. Data Subject Rights (GDPR Rights)

Under the EU General Data Protection Regulation (GDPR), you have the following rights:

8.1. Right of Access (GDPR Article 15)

You have the right to information about:
- What personal data we process
- For what purposes and legal basis
- Who are the data processors and recipients
- How long we retain the data

Request method: Write to privacy@indo.rent

8.2. Right to Rectification (GDPR Article 16)

You can request correction or completion of inaccurate or incomplete data.

8.3. Right to Erasure – "Right to be Forgotten" (GDPR Article 17)

You can request deletion of your data if:
- Data is no longer necessary for the original purpose
- You withdraw consent and there is no other legal basis
- You object to data processing
- Data processing was unlawful

Exceptions: We cannot delete certain data for legal obligations, legal claims, or public interest.

8.4. Right to Restriction of Processing (GDPR Article 18)

You can request restriction (e.g., suspension) of data processing if:
- You contest data accuracy
- Processing is unlawful but you do not want data deletion
- You objected to processing and investigation is pending

8.5. Right to Data Portability (GDPR Article 20)

You can request to receive your data in structured, machine-readable format and transfer it to another service provider.

Format: JSON or CSV file

8.6. Right to Object (GDPR Article 21)

You can object to:
- Processing based on legitimate interest
- Marketing communications (at any time, without reason)

8.7. Automated Decision-Making and Profiling (GDPR Article 22)

The Platform does not apply automated decision-making (e.g., algorithmic customer scoring) with significant legal consequences.

8.8. Withdrawal of Consent (GDPR Article 7)

If we process your data based on consent (e.g., newsletter), you can withdraw it at any time without penalty. Withdrawal does not affect the lawfulness of previous processing.

Newsletter unsubscribe: Unsubscribe link at the bottom of every marketing email

9. Right to Lodge a Complaint with Supervisory Authority

If you believe our data processing violates your rights, you can file a complaint:

For Indonesian users:

- Kominfo (Kementerian Komunikasi dan Informatika / Ministry of Communication and Information Technology)
- Website: [https://www.kominfo.go.id](https://www.kominfo.go.id)
- Email: humas@kominfo.go.id
- Data protection complaints: https://www.kominfo.go.id/layanan-informasi

For EU/EEA users:

- Hungary: National Authority for Data Protection and Freedom of Information (NAIH)
- Website: [https://naih.hu](https://naih.hu)
- Email: ugyfelszolgalat@naih.hu
- Other EU member state: National data protection authority of your residence

10. Use of Cookies

10.1. What is a Cookie?

A cookie is a small text file that a website stores in your browser. Cookies help website functionality and improve user experience.

10.2. Types of Cookies Used on the Platform

A) Strictly Necessary Cookies (cannot be disabled)

These cookies are essential for the Platform's basic operation:
- Session cookie: Maintaining login status
- CSRF protection: Security token against attacks
- Language and preferences: Remembering chosen language

Legal basis: Performance of contract (GDPR Article 6(1)(b))

B) Statistical Cookies (Google Analytics)

- Purpose: Visitor statistics, page views, user behavior analysis
- Provider: Google LLC
- Lifespan: Maximum 2 years
- Data: IP address (anonymized), browser, device, geographic location (city level)

Legal basis: Consent (GDPR Article 6(1)(a)) or legitimate interest

Google Analytics privacy: [Google Privacy Policy](https://policies.google.com/privacy)

C) Marketing Cookies (optional, consent required)

- Purpose: Targeted advertising, remarketing campaigns
- Lifespan: 30 days - 1 year
- Usage: Currently not active, but may be introduced in the future

Legal basis: Consent (GDPR Article 6(1)(a))

10.3. Managing and Rejecting Cookies

- Cookie banner: Appears on first visit, where you can accept or reject non-essential cookies
- Browser settings: You can delete or disable cookies at any time
- Disable Google Analytics: [Google Analytics Opt-out](https://tools.google.com/dlpage/gaoptout)

Important: Disabling necessary cookies may limit Platform functionality (e.g., unable to log in).

10.4. Third-Party Cookies

The Platform uses only Google Analytics third-party cookies. We do not use other third-party cookies.

11. Data Security and Protection Measures

The Provider prioritizes data security. We apply the following technical and organizational measures:

11.1. Technical Protection

- HTTPS encryption: Entire website protected with SSL/TLS encryption
- Password protection: Bcrypt algorithm encrypted passwords (non-reversible)
- HTTP-only cookies: Protection against JavaScript attacks
- CSRF protection: Cross-Site Request Forgery protection
- SQL injection protection: Parameterized queries
- XSS protection: Cross-Site Scripting attack protection

11.2. Access Restriction

- Role-Based Access Control (RBAC): Only authorized persons access data
- Principle of least privilege: Staff access only data necessary for their work
- Confidentiality agreements: All staff and partner companies sign confidentiality declarations

11.3. Data Backup

- Regular backups: Daily automatic backup to AWS S3
- Geo-redundancy: Data stored in multiple geographic locations
- Disaster recovery: Recovery plan exists

11.4. Incident Management

In case of data breach (e.g., data leak):
- Immediate investigation
- Within 72 hours notification to supervisory authority (GDPR requirement)
- Affected users notified by email if high risk exists

12. Protection of Children's Data

Platform use is not permitted for persons under 18 years without legal guardian consent.

If we learn that a child under 18 has registered, we immediately delete their data and suspend the account.

13. Contact and Privacy Requests

13.1. Privacy Contact

For questions and requests, contact us:

Email: privacy@indo.rent
General customer service: support@indo.rent

13.2. Submitting Requests

To exercise your privacy rights (access, deletion, rectification, etc.), send an email to privacy@indo.rent with the following information:
- Subject: Privacy Request
- Name and email address (used in registered account)
- Request type (e.g., deletion, data portability)
- Detailed description

Response time: We process and respond to your request within 30 days.

13.3. Identity Verification

For data protection purposes, we must ensure the request is submitted by the authorized person. We may request identity verification if necessary (e.g., ID copy).

14. Modification of Privacy Policy

The Provider reserves the right to modify this Policy, especially:
- In case of legislative changes
- When introducing new features
- When data processing practices change

14.1. Notification of Modifications

For material changes, we notify users through:
- Email notification (to registered users)
- Notice on the Platform
- Modification date at the top of the document

Modifications take effect within 15 days of publication.

14.2. Acceptance of Modifications

If you do not agree with the changes, you have the right to terminate your account and Platform use. Continued Platform use indicates acceptance of the modified Policy.

15. Final Provisions

15.1. Language Versions

This Policy is available in Hungarian, English, and Indonesian. In case of interpretation questions, the English version prevails.

15.2. Applicable Law

Indonesian law applies to this Policy, but we strive to comply with EU GDPR requirements for European users.

15.3. Related Documents

- Terms and Conditions: [https://indo.rent/terms](https://indo.rent/terms)
- Cookie Policy: Integrated into this document (Section 10)

Last Updated: October 23, 2025

Privacy Contact: privacy@indo.rent
Website: https://indo.rent

Thank you for your trust and using indo.rent!

The Provider is committed to handling your data with the highest level of protection. If you have any questions about privacy, please do not hesitate to contact us.

Download PDF version: Privacy Policy (PDF)