Saraya Beach Resort Privacy Policy

Privacy Policy

How we collect, use, and protect your personal information.

Last updated: April 2026

1. Introduction

This Privacy Policy describes how we collect, use, disclose, and safeguard your personal information when you visit our Website, make an enquiry, reserve a villa, or otherwise engage with us.

We take steps to comply with applicable data protection laws, including:

  • Indonesia's Personal Data Protection Law (Law No. 27 of 2022) (PDP Law);
  • the EU General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR);
  • the UK GDPR and the Data Protection Act 2018;
  • the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs);
  • the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA); and
  • other applicable data protection laws in jurisdictions in which we operate or from which we collect personal information.

This Privacy Policy should be read together with our Terms & Conditions and Cookie Notice.

2. Who we are (Controller Identity)

The controller of your personal information is:

  • PT Saraya Resort Lombok (the PT PMA project entity), a foreign investment (PMA) limited liability company registered in the Republic of Indonesia, NIB 1411250065654, NPWP 1000000006760818, with its registered office at Jalan Sunset Road Nomor 88, Kuta, Kab. Badung, Bali 80361, Indonesia; together, where relevant, with
  • Kinnara Capital Limited, registered in Hong Kong, with its registered office at Unit 2, LG1, Mirror Tower, 61 Mody Road, Tsim Sha Tsui, Hong Kong.

Where both entities are involved in processing your personal information, they act as joint controllers within the meaning of GDPR Article 26 and the equivalent provisions of the PDP Law. The allocation of responsibilities between them is described in a joint-controller arrangement, the essence of which is available on request.

2.1 Data Protection Officer

We have appointed a Data Protection Officer (DPO) in accordance with PDP Law Article 53 and, where applicable, GDPR Article 37. You can contact the DPO at [email protected].

2.2 EU and UK Representatives

Where we process personal information of data subjects in the European Union or the United Kingdom in connection with offering goods or services to them, we have appointed representatives under GDPR Article 27 and UK GDPR Article 27:

3. Definitions

  • Personal Information / Personal Data means any information relating to an identified or identifiable natural person.
  • Specific Personal Data / Sensitive Information means data that attracts heightened protection under the PDP Law (Article 4), the APPs (s 6 of the Privacy Act), or special categories under GDPR Article 9. It includes financial data, health data, biometric data, genetic data, and data relating to children.
  • Processor means any entity that processes personal information on our behalf.
  • Supervisory Authority means the relevant data protection authority in your jurisdiction, including the Indonesian data protection authority under the PDP Law, the Office of the Australian Information Commissioner (OAIC), the UK Information Commissioner's Office (ICO), and EU Member State authorities.
  • Personal Data Breach has the meaning given in GDPR Article 4(12).

4. Scope

This Privacy Policy applies to personal information we collect through:

  • our Website and any subdomains;
  • email, telephone, and WhatsApp communications with us;
  • the reservation and deposit process;
  • KYC/AML verification conducted by us or our processors; and
  • any offline interaction with our team.

5. Information We Collect

We collect the following categories of personal information.

5.1 Identification information

Full name, nationality, date of birth, residential address, telephone number, and email address.

5.2 Financial and transaction information

Payment card details (via Stripe; we do not store full card numbers), bank account details, deposit records, and transaction history. This is Specific Personal Data under the PDP Law.

5.3 KYC / AML information

Passport or government-issued identification, source of funds and source of wealth documentation, PEP and sanctions screening results, and — where required for identity verification — biometric data (liveness check and facial match). Biometric data is Specific Personal Data under the PDP Law and a special category of personal data under GDPR Article 9.

We process biometric data for KYC only on the basis of your explicit consent, which is obtained separately at the point of collection. You may decline to provide biometric data, in which case we will offer an alternative verification method where available; if no alternative is available, we may be unable to proceed with your reservation.

5.4 Communication records

Emails, contact-form submissions, WhatsApp messages, and call notes.

5.5 Technical usage data

IP address, device identifiers, browser type, operating system, referring URLs, pages viewed, and cookies and similar technologies (see clause 13).

5.6 Information about children

Our services are intended for individuals aged 18 and over. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will delete it promptly.

6. Legal Bases for Processing

We rely on the following legal bases:

Purpose | Legal basis (GDPR / UK GDPR) | Legal basis (PDP Law)
Managing your enquiry and responding to you | Legitimate interests (Art. 6(1)(f)) | Legitimate interests (Art. 20(2)(f))
Processing reservations, payments, and contracts | Contract (Art. 6(1)(b)) | Contract (Art. 20(2)(b))
KYC / AML / sanctions screening | Legal obligation (Art. 6(1)(c)) and, for biometric data, explicit consent (Art. 9(2)(a)) | Legal obligation (Art. 20(2)(c)) and, for specific personal data, explicit consent (Art. 20(2)(a))
Fraud prevention and security | Legitimate interests (Art. 6(1)(f)) | Legitimate interests (Art. 20(2)(f))
Marketing communications | Consent (Art. 6(1)(a)), or legitimate interests for existing customers | Consent (Art. 20(2)(a))
Website analytics (non-essential cookies) | Consent (Art. 6(1)(a)) | Consent (Art. 20(2)(a))
Compliance with legal and tax obligations | Legal obligation (Art. 6(1)(c)) | Legal obligation (Art. 20(2)(c))

For data subjects in Australia, collection and use of personal information is governed by APP 3 and APP 6, and this table indicates the primary purpose of collection.

7. How We Use Your Data

We use your personal information to:

  • respond to your enquiries and manage our relationship with you;
  • process villa reservations, deposits, and related payments;
  • conduct KYC, AML, and sanctions screening;
  • prepare, execute, and administer the Reservation Agreement and Share Transfer Documents;
  • provide project updates during construction and operations;
  • send marketing communications (where you have consented or where permitted by law);
  • maintain security and prevent fraud;
  • comply with legal, tax, and regulatory obligations; and
  • analyse Website usage and improve our services.

We do not use personal information for automated decision-making that produces legal or similarly significant effects. Sanctions screening is reviewed by a human before any decision is made to decline a reservation.

8. Data Sharing

We share personal information with the following categories of recipient:

Category | Examples | Jurisdiction
KYC service provider | Personr.co | Australia
Payment processor | Stripe, Inc. | United States, with EU and other affiliates
Cloud hosting | AWS | United States, EU
Analytics | Google, Go High Level | United States, EU
Email and CRM | Go High Level, Google | United States, EU
Messaging | WhatsApp (Meta Platforms) | United States, Ireland
Banks and financial institutions | Project banking partners | Indonesia, Australia
Professional advisors | Lawyers, accountants, auditors, notaries | Indonesia, Australia, Hong Kong
Construction and project partners | Architects, contractors, project managers | Indonesia
Government authorities | Tax, AML, land-titling, and law-enforcement authorities (where required by law) | Indonesia, and other relevant jurisdictions

We do not sell personal information within the meaning of the CCPA/CPRA or equivalent laws.

All processors are engaged under a written data processing agreement that requires them to process personal information only on our instructions and to implement appropriate security measures.

9. International Data Transfers

Your personal information may be transferred to, and processed in, Indonesia, Hong Kong, Singapore, Australia, the European Union, the United Kingdom, and the United States.

9.1 Transfers out of the EU / UK

For transfers from the EU or UK to third countries without an adequacy decision, we rely on:

  • EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914);
  • the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs; and
  • supplementary measures where required following a transfer impact assessment.

9.2 Transfers out of Indonesia

For transfers from Indonesia to other jurisdictions, we rely on the mechanisms permitted under Article 56 of the PDP Law, namely: (a) confirmation that the receiving country provides an adequate level of protection, (b) binding and enforceable data protection safeguards, or (c) your consent.

9.3 Transfers out of Australia (APP 8)

Where we disclose personal information collected in Australia to an overseas recipient, we take reasonable steps to ensure the recipient does not breach the APPs, as required by APP 8.1. You acknowledge that, in some cases, we may rely on APP 8.2(a) (you have consented after being informed that APP 8.1 will no longer apply) or another exception.

A copy of the relevant transfer safeguards is available on request.

10. Data Retention

We retain personal information only for as long as necessary. Our general retention periods are:

Category | Retention period | Basis
Unsuccessful enquiries | 24 months from last contact | Legitimate interests
Marketing consent records | Until consent is withdrawn, plus 2 years (audit) | Accountability under GDPR Art. 5(2)
Reservation and purchase records | Term of the contract plus 7 years | Contract and limitation periods
KYC / AML records | 7 years from the end of the business relationship | Indonesian AML law (PPATK) and Australian AML/CTF Act
Tax records | 10 years | Indonesian tax law
Website analytics | 14 months | Analytics platform default
Contact form submissions | 24 months | Legitimate interests

When retention periods expire, personal information is securely deleted or irreversibly anonymised.

11. Your Rights

Depending on your jurisdiction, you have rights in relation to your personal information, including:

  • access — to obtain confirmation of processing and a copy of your personal information;
  • rectification — to correct inaccurate or incomplete personal information;
  • erasure / deletion — to request deletion, subject to legal retention requirements;
  • restriction — to restrict processing in certain circumstances;
  • objection — to object to processing based on legitimate interests or direct marketing;
  • portability — to receive your personal information in a structured, commonly used, machine-readable format;
  • withdrawal of consent — without affecting the lawfulness of prior consent-based processing;
  • not to be subject to automated decision-making producing legal or similarly significant effects;
  • complaint — to lodge a complaint with a Supervisory Authority in your jurisdiction.

11.1 How to make a request

Submit requests to [email protected].

We may need to verify your identity before actioning your request (for example, by asking you to confirm details already held by us).

11.2 Response times

  • GDPR / UK GDPR: within one month of receipt, extendable by a further two months for complex requests (with notice to you).
  • PDP Law (Indonesia): within 3 x 24 hours (72 hours) for requests within scope of Articles 5–15, unless a longer period is permitted by law.
  • APPs (Australia): within a reasonable period, and in any event within 30 days for access requests under APP 12.
  • CCPA/CPRA: within 45 days, extendable by a further 45 days with notice.

Requests are generally handled free of charge. For manifestly unfounded or excessive requests, we may charge a reasonable fee or decline to act, in which case we will explain why and inform you of your right to complain.

11.3 Supervisory authorities

You may lodge a complaint with:

  • the Indonesian data protection authority under the PDP Law;
  • the OAIC (Australia) — oaic.gov.au;
  • the ICO (United Kingdom) — ico.org.uk;
  • the data protection authority in the EU Member State of your residence, place of work, or alleged infringement; or
  • the California Attorney General or California Privacy Protection Agency (for CCPA/CPRA matters).

We would appreciate the opportunity to address your concerns before you contact a Supervisory Authority.

12. Complaints

If you have a concern about how we handle your personal information, please contact us at [email protected].

We will:

  • acknowledge your complaint within 7 business days;
  • investigate the complaint and respond substantively within 30 days (or sooner where required by law); and
  • if you remain dissatisfied, provide details of the relevant Supervisory Authority.

13. Cookies and Similar Technologies

We use cookies and similar technologies on the Website. Cookie categories:

  • Strictly necessary — required for the site to function (authentication, session management). These cannot be switched off.
  • Analytics — to understand how the Website is used.
  • Marketing / retargeting — to show relevant advertising, where applicable.

Non-essential cookies are only set with your consent. You can manage your preferences through our cookie preference centre, accessible from the cookie banner and from the footer of the Website at any time. You can also control cookies through your browser settings, though some Website functionality may be affected.

A detailed list of the specific cookies we use, their purpose, duration, and whether they are first-party or third-party is available in our Cookie Notice.

14. KYC and AML Processing

Certain transactions require mandatory identity verification under Indonesian AML law (Law No. 8 of 2010, administered by PPATK), the AML/CTF laws of your home jurisdiction, and applicable international sanctions.

KYC is conducted by Personr.co (Australia) on our behalf as a processor under a data processing agreement. Personr.co processes:

  • identification documents;
  • biometric data (liveness and facial-match);
  • PEP and sanctions screening results; and
  • source of funds documentation.

KYC data is used solely for identity verification, regulatory compliance, fraud prevention, and eligibility assessment. It is retained as set out in clause 10.

Biometric data is processed only on the basis of your explicit consent and is deleted once verification is complete, except where longer retention is required to evidence compliance with AML law.

15. Data Security

We implement appropriate technical and organisational measures to protect personal information, including:

  • TLS encryption for data in transit;
  • encryption at rest for sensitive data categories;
  • access controls and multi-factor authentication for staff;
  • regular security reviews and vendor due diligence; and
  • staff training on privacy and information security.

While we take data security seriously, no system is completely secure. We cannot guarantee absolute security.

16. Data Breach Notification

In the event of a Personal Data Breach, we will:

  • notify the relevant Supervisory Authority: within 72 hours under GDPR / UK GDPR where the breach is likely to result in a risk to the rights and freedoms of natural persons; within 3 x 24 hours under the PDP Law; and as soon as practicable under the Australian Notifiable Data Breaches scheme, where the breach is an "eligible data breach" under Part IIIC of the Privacy Act;
  • notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms (or an eligible data breach under the APPs); and
  • document all breaches internally for accountability purposes.

17. Marketing Communications

We send marketing communications only where we have a lawful basis to do so:

  • Australia: in accordance with the Spam Act 2003 (Cth), on the basis of consent (express or inferred from an existing business relationship), with clear sender identification and a functional unsubscribe facility honoured within 5 business days.
  • EU/UK: on the basis of consent under the ePrivacy Directive and PECR, or in reliance on the soft opt-in for existing customers.
  • Indonesia: on the basis of consent under the PDP Law.

You can unsubscribe at any time by clicking the unsubscribe link in any marketing email or by contacting us at [email protected]. Unsubscribe requests are actioned within 5 business days.

18. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the CCPA/CPRA, including the rights to know, to delete, to correct, to opt out of the sale or sharing of personal information, and to limit the use of sensitive personal information.

We do not sell or share personal information within the meaning of the CCPA/CPRA. To exercise your CCPA/CPRA rights, contact [email protected]. We will not discriminate against you for exercising these rights.

19. Changes to this Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the most recent amendment.

Where changes are material, we will take reasonable steps to notify you, including by email (if we hold your email address) or a prominent notice on the Website.

20. Language

This Privacy Policy is published in English. An Indonesian-language version is available on request. In the event of any inconsistency, and to the extent permitted by Indonesian law, the Indonesian version will prevail for data subjects located in Indonesia; for data subjects in other jurisdictions, the English version will prevail.

21. Contact

Privacy enquiries and rights requests: [email protected]
Data Protection Officer: [email protected]

Kinnara Capital Limited (Hong Kong)
Unit 2, LG1, Mirror Tower, 61 Mody Road, Tsim Sha Tsui, Hong Kong

Telephone: +62 813 39775503
Website: www.sarayalombok.com
