Legal

Privacy Policy

How we collect, use, and protect your personal information.

Last updated: January 2025

1. Introduction

Saraya Lombok operates as a trading name of Kinnara Capital, registered in Indonesia and Hong Kong. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or engage with our services. This policy complies with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), Indonesia's Personal Data Protection Law (Law No. 27 of 2022), and any other applicable data-protection regulations.

2. Definitions

Personal Data refers to any information relating to an identified or identifiable natural person. Controller means Kinnara Capital, which determines the purposes and means of processing Personal Data. Processor refers to entities processing data on the controller's behalf, including but not limited to Personr.co and Stripe Inc.

3. Scope

This Privacy Policy applies to all users, clients, partners, developers, and agents interacting with Saraya Lombok through our website, email, WhatsApp, or any other communication channels. This policy covers both online and offline data collection methods.

4. Information We Collect

We may collect the following categories of information: Personal Identification Information Name, nationality, date of birth, residential address, phone number, and email address. Financial and Transaction Data Payment details, bank information, deposit records, and transaction history. Technical Usage Data IP address, device identifiers, browser type, cookies, and analytics data. Communication Records Emails, chat logs, form submissions, and WhatsApp messages. KYC/AML Data Passport or government-issued ID, biometric data (where required), and sanctions screening results.

5. Legal Basis for Processing

We process your Personal Data based on the following legal grounds: Contractual Necessity — Processing required to fulfil reservations, payments, and service delivery. Legal Obligations — Compliance with AML/CTF regulations, tax laws, and other statutory requirements. Legitimate Interests — Security measures, fraud prevention, and service improvements. Consent — Marketing communications and certain cookie-based tracking (where required by law).

6. How We Use Your Data

We use your Personal Data to: • Process villa reservations and payments • Verify your identity and conduct KYC checks • Perform AML/CTF compliance screening • Respond to enquiries and manage customer relationships • Provide property project updates and investment information • Comply with legal and regulatory requirements • Analyse website usage and improve our services • Send marketing communications (with your consent)

7. Data Sharing

We may share your information with: • Property developers and construction partners • Personr.co for KYC verification services • Payment processors (Stripe and approved gateways) • Banks and financial institutions • Accountants, auditors, and legal advisers • Cloud hosting and IT service providers • Government regulators and law enforcement (when required) We do NOT sell Personal Data to third parties.

8. International Data Transfers

Your data may be transferred to and processed in Indonesia, Hong Kong, Singapore, Australia, the European Union, the United Kingdom, and the United States. For transfers outside the EU/UK, we implement Standard Contractual Clauses (SCCs) or other approved safeguards. Transfers involving Indonesian data subjects comply with the requirements of the PDP Law.

9. Data Retention

Personal Data is retained only for as long as necessary to fulfil the purposes outlined in this policy. Generally, we retain data for 5-7 years to meet AML/accounting requirements and contractual obligations. When data is no longer required, it is securely deleted or anonymised in accordance with industry best practices.

10. Your Rights

Depending on your jurisdiction, you may have the right to: • Access your Personal Data held by us • Correct inaccurate or incomplete information • Delete your data (subject to legal retention requirements) • Object to certain processing activities • Restrict processing in specific circumstances • Port your data to another service provider • Withdraw consent where processing is based on consent To exercise any of these rights, please contact us at [email protected].

11. Cookies

We use cookies and similar technologies to support: • Authentication and session management • Analytics and performance monitoring • Advertising and retargeting (only with consent where required) You may configure your browser to reject cookies; however, some website functionality may be affected.

12. KYC and AML Processing

Certain transactions require mandatory identity verification under Indonesian, Hong Kong, and international AML/CTF laws. Personr.co handles KYC data collection on our behalf, including biometric verification where required. This data is used solely for: • Identity verification • Regulatory compliance • Fraud prevention • Eligibility assessment

13. Data Security

We implement appropriate technical and organisational measures to protect your Personal Data, including: • SSL/TLS encryption for data in transit • Secure cloud infrastructure • Strict access controls and authentication • Regular security audits and assessments While we strive to protect your information, no system is completely secure. We cannot guarantee absolute security of data transmitted to or stored by us.

14. Data Breach Notification

In the event of a data breach likely to result in risk to your rights and freedoms, we will notify affected individuals and relevant authorities within the statutory timeframes required under GDPR and the Indonesian PDP Law.

15. Children's Data

Our services are intended for individuals aged 18 and above. We do not knowingly collect Personal Data from minors. If we become aware that we have collected data from a child, we will take steps to delete such information promptly.

16. Marketing Communications

We may send you marketing communications about our properties, investment opportunities, and related services where you have provided consent or where permitted by law. You may unsubscribe from marketing emails at any time by clicking the unsubscribe link in any email or by contacting us directly.

17. Policy Updates

We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. The latest version will always be available on our website with the effective date noted. We encourage you to review this policy regularly.

18. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact: Kinnara Capital — Saraya Lombok Email: [email protected] General Enquiries: [email protected]