Legal
Privacy Policy
How Svarga Resort Lombok collects, uses, and protects your personal data, in accordance with Undang-Undang No. 27 Tahun 2022 about Personal Data Protection (UU PDP) of the Republic of Indonesia.
Effective Date and Controller
This Privacy Policy is effective from 1 January 2026. The data controller is PT Svarga Resort Lombok (Jalan Pantai Sira, Lombok Tengah, NTB 83573, Indonesia). Data Protection Officer (DPO) contact: reservations@svargaresort.com / +62 370 123 456.
Data We Collect
When you make a booking, register, or contact us, we collect: full name, email address, phone number, country of residence, government-issued identification (KTP/NIK or passport — for check-in compliance), payment details (processed by certified PCI-DSS gateways, never stored on our servers), stay preferences and special requests, marketing attribution (UTM parameters, referrer), and technical data (IP address, browser, device).
Lawful Basis and Purpose
We process your data on the basis of: (a) contract performance — to fulfill bookings, process payments, deliver hospitality services; (b) legal obligation — government guest reporting, tax invoicing (faktur pajak), and record retention required by Indonesian regulations; (c) explicit consent — marketing communications and optional features; (d) legitimate interest — fraud prevention, security, service improvement.
Sharing with Third Parties
Your data is shared only with: payment gateways (Faspay, Midtrans) for processing payments; communication providers (email, WhatsApp via Fonnte) for booking confirmations; channel managers (SiteMinder) when you book through OTAs; tax authorities as required by Indonesian law. Third parties are bound by confidentiality and process data solely on our instructions.
Data Retention
Booking records: 10 years per Indonesian tax regulations. Guest profile data: 5 years after last booking, then anonymized. Marketing consent: until withdrawn. Audit logs: 2 years. Payment events: 7 years. You may request deletion of data not subject to retention obligations.
Your Rights Under UU PDP
You have the right to: access your data, correct inaccurate data, request deletion (when no retention obligation applies), object to processing, withdraw consent at any time, request data portability, and lodge a complaint with the Indonesian Personal Data Protection Authority. Send requests to reservations@svargaresort.com — we respond within 14 business days.
Security Measures
We protect your data through: HTTPS/TLS encryption in transit, encryption at rest for sensitive fields, access controls limited to authorized personnel, audit logging, regular security reviews, and personally identifiable information (PII) redaction on internal logs. Staff handling guest data sign confidentiality agreements.
International Transfers
Some service providers (cloud hosting, email delivery) may process data outside Indonesia. We ensure such transfers comply with UU PDP via contractual safeguards equivalent to Indonesian standards.
Cookies and Tracking
Our website uses cookies for essential functionality (session, CSRF protection), analytics (anonymized usage data), and marketing attribution. See our Cookie Policy for details and how to manage preferences.
Children
Our services are intended for guests aged 18 and above. If a child accompanies a booking, the booking adult is the data controller for the child's information shared with us.
Changes to This Policy
We may update this Privacy Policy as our practices evolve or as required by law. Material changes are communicated via email to affected guests. The "Effective Date" above always reflects the current version.
Contact and Complaints
Questions, requests, or complaints about your personal data: email reservations@svargaresort.com or write to PT Svarga Resort Lombok, Jalan Pantai Sira, Lombok Tengah, NTB 83573, Indonesia. If unsatisfied with our response, you may escalate to the Indonesian Personal Data Protection Authority once established under UU PDP.