Last updated: 13 May 2026
Effective date: 13 May 2026
SANTAI STAYS respects your privacy. This Privacy Policy explains what personal data we collect, how we use it, who we share it with, how long we keep it, and the rights you have over it. It applies to www.santaistays.com (the “Website”) and any bookings, communications, or services we provide.
We comply with the Indonesian Personal Data Protection Law (UU PDP No. 27/2022) as our baseline, and — because we welcome guests from around the world — we also align our practices with the EU GDPR, UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), the Australian Privacy Act, and the New Zealand Privacy Act where applicable.
1. Who we are (Data Controller)
The data controller responsible for your personal data is:
- Legal name: CV NOBLE NODE
- Entity type: Indonesian CV (Commanditaire Vennootschap / Persekutuan Komanditer)
- NIB: 1504260056715
- NPWP: 1000000009126562
- Registered address: Jl. Merta Agung, Desa/Kelurahan Kerobokan Kelod, Kec. Kuta Utara, Kab. Badung, Provinsi Bali, Kode Pos 80361
- Privacy contact: reservations@santaistays.com
- Website: www.santaistays.com
For the purposes of EU/UK GDPR, SANTAI STAYS is the “Controller” of personal data processed under this Policy.
2. The personal data we collect
We only collect personal data that we genuinely need. Depending on how you interact with us, we may collect:
2.1 Booking and guest data
- Full name, date of birth (where required by Indonesian law at check-in), nationality, passport or government ID details (at check-in only)
- Email address, phone number, WhatsApp number
- Mailing or billing address
- Names and ages of additional guests on your booking
- Stay dates, villa preferences, special requests (e.g., dietary, accessibility)
- Booking confirmation number and history with us
2.2 Payment data
- Billing name and address
- Payment method type and the last 4 digits of your card (provided by our processor for receipt purposes)
- Transaction reference numbers
We do not store full payment card details on our systems. Card data is collected, processed, and stored by our PCI-DSS-compliant payment processors (Xendit, Midtrans, DOKU, or such other processors as we may use from time to time).
2.3 Communications data
- Emails, WhatsApp messages, live-chat transcripts, and call notes between you and our team
- Reviews, testimonials, photos, or content you submit to us or tag us in on social media
2.4 Website and device data
- IP address, approximate location (city/country), device type, operating system, browser type and version
- Pages viewed, referring URL, time on site, clicks, and scroll behaviour
- Cookies and similar technologies (see Section 9)
2.5 Marketing data
- Email address, marketing preferences, signup source, and engagement (opens, clicks)
- Survey or feedback responses
2.6 Sensitive data
We do not intentionally collect sensitive personal data (e.g., health, religion, biometric). If you voluntarily disclose dietary, medical, or accessibility information to help us prepare your stay, we will use it only for that purpose and delete it after your stay unless you ask us to keep it for future visits.
3. How we collect your data
We collect personal data:
- Directly from you — when you make an enquiry, book a stay, communicate with us, leave a review, subscribe to our newsletter, or interact with us on social media;
- Automatically — through cookies and similar technologies when you use the Website;
- From third parties — for example, from payment processors (transaction confirmations), online travel agencies or booking partners (where bookings come via Airbnb, Booking.com, or similar), and analytics providers.
4. Why we use your data and legal basis
We process your personal data for the purposes set out below. For guests covered by the EU/UK GDPR, we have identified the relevant legal basis.
| Purpose | Legal basis (EU/UK GDPR) |
|---|---|
| To process your enquiry and provide a quote | Performance of pre-contractual steps at your request |
| To confirm and manage your booking, communicate before and during your stay, and handle changes/cancellations | Performance of a contract with you |
| To process payments, refunds, and chargebacks | Performance of a contract; legal obligation |
| To meet Indonesian immigration, tax, and tourism reporting obligations (e.g., guest registration) | Legal obligation |
| To provide concierge services and respond to special requests | Performance of a contract; your consent (for sensitive requests) |
| To send service emails (booking confirmation, check-in instructions, post-stay) | Performance of a contract |
| To send marketing emails about new villas, offers, and travel content | Your consent (you may withdraw at any time) |
| To improve our website, services, and guest experience | Our legitimate interests in running and improving our business |
| To prevent and detect fraud, abuse, and security incidents | Our legitimate interests; legal obligation |
| To establish, exercise, or defend legal claims | Our legitimate interests; legal obligation |
| To publish reviews or guest content with your consent | Your consent |
5. Who we share your data with
We do not sell your personal data. We share it only with the categories of recipients below, and only as needed:
5.1 Service providers (processors)
- Payment processors: Xendit, Midtrans, DOKU, and similar
- Email and marketing platforms: Klaviyo, Mailchimp, or similar (newsletter delivery, transactional emails)
- Live chat / messaging: WhatsApp Business and similar messaging platforms
- Analytics and advertising: Google Analytics (Google LLC), Meta Pixel (Meta Platforms, Inc.)
- Hosting and infrastructure: Our website host, CRM, and booking management software providers
- Property operations: Cleaning, maintenance, concierge, transportation, and on-site staff at the relevant villa
- Professional advisers: Lawyers, accountants, auditors, insurers — only on a need-to-know basis
5.2 Government and regulators
We may share data with Indonesian authorities (immigration, tax, tourism, police) where required by law — for example, the mandatory guest registration form (“Kartu Tamu”) completed at check-in.
5.3 Online travel agents and partners
If your booking is made through a partner (e.g., Airbnb, Booking.com), we share booking-related data with that platform as needed to fulfil the booking. Their privacy policies apply to data they collect.
5.4 Business transfers
If SANTAI STAYS is involved in a merger, acquisition, restructuring, or sale of assets, your data may be transferred to the relevant successor entity, subject to the same protections.
All processors are bound by contract to process your data only on our instructions and to maintain appropriate security.
6. International data transfers
SANTAI STAYS is based in Indonesia. Several of our service providers (such as Google, Meta, Stripe, Klaviyo) process data outside Indonesia, including in the United States and the European Union.
When transferring personal data of guests located in the EEA, UK, or other regulated regions outside Indonesia, we rely on appropriate safeguards such as:
- Standard Contractual Clauses (SCCs) approved by the European Commission;
- UK International Data Transfer Addendum where applicable;
- The service provider’s own certifications (e.g., EU-US Data Privacy Framework, where applicable).
You may request a copy of the safeguards in place by emailing reservations@santaistays.com.
7. How long we keep your data
We keep personal data only for as long as we need it, and in line with our legal and tax obligations.
| Data category | Typical retention period |
|---|---|
| Booking and guest records | Up to 10 years after the end of the stay, in line with Indonesian tax and commercial record-keeping rules |
| Check-in ID copies (where retained) | As required by Indonesian regulation; typically deleted shortly after the stay |
| Marketing data | Until you unsubscribe, plus a short suppression record to honour your unsubscribe |
| Website analytics | Up to 26 months (Google Analytics default) |
| Live chat / WhatsApp logs | Up to 24 months, unless needed for a longer period to resolve a dispute |
| Legal/dispute records | For the duration of the limitation period applicable to the relevant claim |
When personal data is no longer needed, we securely delete or anonymise it.
8. Your privacy rights
Depending on your country of residence, you have the following rights over your personal data.
8.1 For all guests (Indonesia / UU PDP and similar)
- Right of access — confirm what data we hold about you and request a copy.
- Right of correction — ask us to correct inaccurate or incomplete data.
- Right of deletion — ask us to delete your data (subject to our legal retention obligations).
- Right to withdraw consent — where we rely on consent, you can withdraw it at any time.
- Right to lodge a complaint — with the Indonesian Ministry of Communication and Information Technology (Kominfo).
8.2 For EU / UK / EEA guests (GDPR / UK GDPR)
In addition to the above, you have the:
- Right to restrict processing in certain circumstances;
- Right to object to processing based on legitimate interests or for direct marketing;
- Right to data portability — receive your data in a structured, commonly used, machine-readable format;
- Right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects.
You may lodge a complaint with your local supervisory authority. In the UK that is the Information Commissioner’s Office (ICO) at ico.org.uk.
8.3 For California residents (CCPA / CPRA)
You have the right to:
- Know what personal information we collect, use, disclose, and (if applicable) sell or share;
- Request deletion or correction of your personal information;
- Opt out of sale or sharing of personal information for cross-context behavioural advertising (we do not “sell” personal information in the traditional sense, but use of advertising cookies may be considered “sharing” under the CPRA — see Section 9);
- Limit use of sensitive personal information;
- Be free from discrimination for exercising your rights;
- Designate an authorised agent to make a request on your behalf.
To exercise these rights, email reservations@santaistays.com with the subject line “CCPA Request”. We will verify your identity before processing.
8.4 For Australian / New Zealand guests
You have rights to access and correct your data under the Australian Privacy Act 1988 (Australian Privacy Principles) and the Privacy Act 2020 (NZ). Complaints may be lodged with the Office of the Australian Information Commissioner (OAIC) or the NZ Office of the Privacy Commissioner.
8.5 How to exercise your rights
Email reservations@santaistays.com with a description of your request. We will respond within 30 calendar days (extendable to up to 90 days for complex requests, in line with applicable law). We may ask you for proof of identity before acting.
There is no fee for exercising your rights unless your request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse.
9. Cookies and tracking
The Website uses cookies and similar technologies to make it work, understand how it’s used, and (with your consent where required) personalise your experience and our marketing.
9.1 Categories of cookies we use
- Strictly necessary cookies — for site security, payment, and core functionality. Always on.
- Performance / analytics cookies — Google Analytics, used to understand visitor behaviour in aggregate.
- Marketing / advertising cookies — Meta Pixel and similar, used to measure ad effectiveness and serve relevant ads on third-party platforms.
9.2 Consent
If you are visiting from the EEA, UK, or another region requiring prior consent, we will ask for your consent through a cookie banner before setting non-essential cookies. You can change or withdraw your consent at any time by clicking the cookie settings link in our footer.
9.3 Managing cookies
You can also manage cookies through your browser settings. Blocking some cookies may affect your experience on the Website. To opt out of Google Analytics across all sites, install the Google Analytics Opt-out Browser Add-on.
10. Marketing communications
If you sign up for our newsletter or check the marketing opt-in box during booking, we may send you emails about new villas, special offers, travel content, and SANTAI STAYS updates.
You can unsubscribe at any time by clicking the “unsubscribe” link in any marketing email, or by emailing reservations@santaistays.com. We may still send you essential service communications related to your bookings.
We do not send marketing SMS or WhatsApp messages without your explicit consent.
11. Security
We take the security of your personal data seriously and implement appropriate technical and organisational measures, including:
- TLS/SSL encryption for data in transit on the Website and in our booking flow;
- Restricted internal access on a need-to-know basis;
- Reputable, PCI-DSS-compliant payment processors;
- Reasonable controls over staff devices and accounts.
No system is 100% secure. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority in line with applicable law.
12. Children
The Website and our services are not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16 other than as part of a parent’s or guardian’s booking. If you believe we have inadvertently collected such data, please contact us and we will delete it.
13. Automated decision-making
We do not use your personal data for automated decision-making (including profiling) that produces legal or similarly significant effects on you.
14. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will post the updated version on the Website and update the “Last updated” date at the top. Where the changes are material, we will take reasonable steps to notify you (e.g., a banner on the Website or an email).
15. Contact us
For any questions, requests, or complaints about this Privacy Policy or our handling of your personal data:
- Email: reservations@santaistays.com
- Postal: Jl. Merta Agung, Desa/Kelurahan Kerobokan Kelod, Kec. Kuta Utara, Kab. Badung, Provinsi Bali, Kode Pos 80361
- Website: www.santaistays.com
We aim to respond to privacy enquiries within 30 days. If you are not satisfied with our response, you may complain to your local data protection authority (see Section 8).
This Privacy Policy is a template draft prepared for SANTAI STAYS and should be reviewed by Indonesian-qualified legal counsel (and, where relevant, EU/UK privacy counsel) before being published.