Privacy Policy
Last updated: 29 May 2026 · Effective date: 29 May 2026
This policy explains what personal information Book Ubud collects, why we collect it, how we use it, and the rights you have under Indonesia's Undang-Undang No. 27 Tahun 2022 tentang Perlindungan Data Pribadi (UU PDP) and Undang-Undang No. 11 Tahun 2008 jo. No. 19 Tahun 2016 tentang Informasi dan Transaksi Elektronik (UU ITE).
1. Who we are
Book Ubud is a direct-booking website for a collection of private pool villas in greater Ubud, Bali. The business is operated by I Nyoman Suardika, an Indonesian individual entrepreneur licensed as a Pondok Wisata (small-scale homestay) accommodation operator in the Republic of Indonesia under:
- NIB (Nomor Induk Berusaha): 1602260015674
- KBLI 55193: Penyediaan Akomodasi Jangka Pendek Lainnya (Other Short-Term Accommodation)
- Pondok Wisata license under Peraturan Daerah Provinsi Bali, regulated by the Government of Gianyar Regency
For the purposes of UU PDP, I Nyoman Suardika (operating as Book Ubud) is the Pengendali Data Pribadi (data controller) responsible for the information processed through this website and our WhatsApp channel. If you are a resident of the European Economic Area, you also benefit from rights under the EU General Data Protection Regulation (GDPR), which we honor on a best-effort basis as a courtesy to international guests.
2. What information we collect
We only collect the information we actually need to host you:
- WhatsApp messages: the content of messages you send to our booking number (+62 859-3524-3151), including your WhatsApp display name and phone number.
- Booking details: your full name, nationality, passport number (only when required for guest reporting to local authorities), contact email and/or phone number, number of guests, check-in and check-out dates, and any special requests you share when confirming a booking.
- Payment confirmations: proof-of-transfer screenshots or bank reference numbers you send us after paying a deposit or balance. We never see or store your card details; those stay with your bank or with Wise.
- Analytics data: pages visited, approximate location (country/city), device and browser type, referrer, and time-on-page, collected through cookies and similar technologies (see Section 4).
3. How we use your information (Tujuan pemrosesan)
We use the data above only for the following purposes:
- To respond to your booking inquiries on WhatsApp.
- To process and confirm bookings, including issuing quotes, sending payment instructions, and providing arrival information.
- To send booking confirmations, pre-arrival logistics, and follow-up messages relevant to your stay.
- To improve this website, for example, by understanding which villas visitors view most and where they drop off.
- To comply with Indonesian tax and accommodation reporting obligations, including PB1 (Pajak Hotel & Restoran) 10% filings with the Gianyar Regency Government and guest reporting to the local banjar and immigration where required.
The lawful bases for processing under UU PDP Pasal 20 are: (a) performance of the accommodation contract you enter into with us when booking; (b) compliance with legal obligations under Indonesian tax and tourism law; and (c) consent for non-essential cookies and marketing-related processing. For EEA guests, the equivalent GDPR bases (Art. 6) apply.
4. Cookies and tracking
We use a small number of cookies and similar technologies, in line with the data-protection principles of UU PDP and UU ITE Pasal 26. Non-essential cookies and trackers load only after you accept via our cookie consent banner (we use Google Consent Mode v2, which defaults to denied until you choose). We also honor your browser's Global Privacy Control (GPC) / Do Not Track signal as an automatic decline: when one of these is present, the banner is skipped and non-essential cookies stay off.
- Google Analytics 4: anonymized site usage statistics (pages, sessions, geography at city level). Opt out via the Google Analytics opt-out browser add-on.
- Meta Pixel: measures the effectiveness of our ads on Facebook and Instagram. You can disable activity off-Meta technologies in your Meta Accounts Center.
- Microsoft Clarity: heatmaps and session replay provided by Microsoft, used to understand how visitors interact with our pages. It is loaded only after you consent.
You can also clear or block cookies at any time in your browser settings. Blocking strictly necessary cookies may break some parts of the site (such as remembering your preferred currency). For the full list of cookies we use, see our Cookie Policy.
5. Data sharing (Pengungkapan data)
We do not sell your personal data. In accordance with UU PDP Pasal 47, we share data only with the following categories of recipients, and only as needed:
- Payment processors: Bank Negara Indonesia (BNI) and Wise (Wise Payments Limited), which receive whatever information is necessary to process your transfer.
- Indonesian authorities: Direktorat Jenderal Pajak, the Gianyar Regency Tax Office (for PB1 filings), Imigrasi (for foreign-guest reporting where required), local banjar administration, and the licensing offices of the Bali Provincial Government and Gianyar Regency, when required by law.
- Service providers: Cloudflare (hosting and CDN), Google (analytics), and Meta (advertising), each acting as a Prosesor Data Pribadi (data processor) under their own contractual safeguards.
We never share your data with other guests, with other villas outside our group, or with marketing third parties.
6. Data retention
Retention periods reflect the storage-limitation principle of UU PDP Pasal 16(2) and Indonesian tax and bookkeeping rules:
- Booking records: kept for 5 years after your stay, to comply with Indonesian tax and accommodation reporting law (Direktorat Jenderal Pajak retention rules).
- WhatsApp message history: retained on our business device for as long as it is operationally useful, then deleted. You may ask us to delete your conversation at any time.
- Analytics data: retained in Google Analytics for 14 months, then automatically deleted.
- Payment confirmations: kept for 10 years to comply with Indonesian anti-money-laundering and corporate bookkeeping obligations.
7. Your rights (Hak Subjek Data Pribadi)
Under UU PDP Pasal 5 through Pasal 15 you have the following rights, which we honor regardless of where you live (EEA guests also enjoy the equivalent GDPR Art. 15–22 rights):
- Access (akses): request a copy of the personal data we hold about you.
- Correction (perbaikan / pembaruan): ask us to fix anything that is wrong or out of date.
- Deletion (penghapusan): request that we delete your data, subject to the legal retention obligations described in Section 6.
- Portability (pemindahan data): receive your data in a structured, machine-readable format and have it transmitted to another controller.
- Object or restrict processing (penolakan / pembatasan pemrosesan): including withdrawing consent for analytics or marketing at any time.
- Lodge a complaint: with the Lembaga Perlindungan Data Pribadi once formally established under UU PDP, or with your home-country data-protection authority if you are an EEA resident.
To exercise any of these rights, message us on WhatsApp (see below). We respond within 3 × 24 hours per UU PDP expectations and aim to resolve every request within 7 days.
8. International transfers (Transfer data ke luar negeri)
We are based in Indonesia, but some of our service providers (Google, Meta, Cloudflare) process data on servers in the United States and other jurisdictions. Per UU PDP Pasal 56 and PP No. 71 Tahun 2019, such transfers are only made where the receiving jurisdiction provides comparable data-protection standards, or where adequate contractual safeguards (such as standard contractual clauses) are in place. For EEA guests, equivalent GDPR Chapter V safeguards apply.
9. Security of your data
In line with UU ITE Pasal 26 and Peraturan Menteri Kominfo No. 20 Tahun 2016, we apply reasonable technical and organizational measures to protect your data, including HTTPS on the website, access controls on the business WhatsApp device, and limited employee access to booking records on a need-to-know basis. No system is 100% secure; we notify you and the competent authority of any qualifying personal data breach within 72 hours, as required by UU PDP.
10. Children
Our services are intended for adult travelers. Per UU PDP Pasal 25, personal data of children (under 18) is only processed with the consent of a parent or legal guardian, and only to the extent strictly necessary for the family booking. If you believe a child has provided us with data without parental consent, please contact us and we will delete it.
11. Contact for privacy requests
For any privacy question, complaint, or data-subject request, the fastest channel is WhatsApp:
- WhatsApp: +62 859-3524-3151
12. Governing law (Yurisdiksi)
This Privacy Policy is governed by the laws of the Republic of Indonesia (Republik Indonesia). Any dispute relating to personal data falls under the jurisdiction of the competent Indonesian authority and, if litigated, the Pengadilan Negeri Gianyar (Gianyar District Court).