Privacy Policy

Last updated: April 18, 2026

1. Who We Are

Indahnesia is a curated travel marketplace operated by PT Adikarya Wisata Indah Nesia, founded in 2014 and based in Labuan Bajo, East Nusa Tenggara, Indonesia. This Privacy Policy explains how we collect, use, share, and protect your personal data when you use indahnesia.net (the "Platform").

2. Data We Collect

2.1 Information You Provide

  • Account registration: Name, email address, password (hashed), profile photo (optional).
  • Booking details: Travel dates, guest count, cabin preferences, special requests.
  • Guest form: Full name, phone number, nationality, ID number (KTP/passport), gender, date of birth, emergency contact, dietary requirements, medical conditions, diving certification (if applicable).
  • Payment information: Processed by Xendit — we do not store credit card numbers or bank account details. We receive transaction confirmations only.
  • Communication: Messages sent through our in-app messaging system, feedback and reviews.

2.2 Information Collected Automatically

  • Device data: Browser type, operating system, screen resolution.
  • Usage data: Pages visited, time spent, click patterns, search queries.
  • Location data: Country-level location from IP address (used for currency detection only — we do not track precise location).
  • Cookies: See Section 7 below.

3. How We Use Your Data

  • Process bookings: Confirm reservations, generate invoices, manage guest manifests.
  • Communicate: Send booking confirmations, pre-trip information, post-trip feedback requests.
  • Improve the Platform: Analyze usage patterns, fix issues, enhance user experience.
  • Safety & compliance: Share guest manifests with port authorities (KSOP) as required by Indonesian maritime law.
  • Marketing: Send newsletters and promotional offers — only with your explicit consent. You can unsubscribe at any time.

4. Who We Share Data With

We share your data only as necessary to provide our services:

  • Tour Operators: Your name, contact details, and trip-relevant information (dietary needs, medical conditions, ID for manifests) are shared with the Operator fulfilling your booking.
  • Payment processor: Xendit (PT Xendit Teknologi Indonesia) processes all payments. Their privacy policy applies to payment data.
  • Hosting & infrastructure: Vercel (hosting), Supabase (database), Resend (transactional email). All are GDPR-compliant service providers.
  • Analytics: Google Analytics (anonymized, with consent).
  • Government authorities: Passenger manifests shared with KSOP (Syahbandar) as required by Indonesian law.

We never sell your personal data to third parties for advertising or marketing purposes.

5. Data Retention

  • Account data: Retained while your account is active. Deleted within 30 days of account deletion request.
  • Booking records: Retained for 5 years for tax and legal compliance (Indonesian tax law requires minimum 5-year retention).
  • Guest manifests: Retained for 2 years (maritime safety records).
  • Messages: Retained for 1 year after thread resolution, then anonymized.
  • Analytics data: Aggregated and anonymized after 14 months.

6. Your Rights

You have the right to:

  • Access: Request a copy of your personal data.
  • Correction: Update inaccurate or incomplete data via your account settings.
  • Deletion: Request deletion of your data, subject to legal retention requirements.
  • Portability: Request your data in a machine-readable format.
  • Opt-out: Unsubscribe from marketing communications at any time.
  • Withdraw consent: Withdraw cookie consent via the cookie settings banner.

To exercise any of these rights, contact us at hello@indahnesia.net.

7. Cookies

7.1 Essential Cookies

Required for the Platform to function. These include authentication session cookies (Supabase Auth) and currency preference cookies. You cannot opt out of essential cookies.

7.2 Analytics Cookies

Google Analytics cookies help us understand how visitors use the Platform. These are only set with your consent via the cookie banner. You can change your preference at any time.

7.3 No Advertising Cookies

We do not use advertising or tracking cookies. We do not participate in ad networks or retargeting programs.

8. Data Security

We implement industry-standard security measures including:

  • HTTPS encryption on all pages.
  • Row Level Security (RLS) on all database tables.
  • Hashed passwords via Supabase Auth (bcrypt).
  • Service role separation — client applications never access admin-level data.
  • Regular security audits of our codebase.

While we take every reasonable precaution, no system is 100% secure. We encourage you to use strong, unique passwords and report any security concerns to us immediately.

9. International Data Transfers

Our servers are located in Singapore (AWS ap-southeast-1 via Supabase). If you access the Platform from outside Singapore, your data is transferred internationally. We ensure all service providers maintain adequate data protection standards.

10. Children's Privacy

The Platform is not intended for children under 18. We do not knowingly collect data from minors. If we discover we have collected data from a child under 18, we will delete it promptly. Minors may travel on bookings made by their parent or legal guardian.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via the Platform or email. The "Last updated" date at the top indicates when the policy was last revised.

12. Contact

For privacy-related questions or data requests:

  • Email: hello@indahnesia.net
  • Company: PT Adikarya Wisata Indah Nesia
  • Address: Labuan Bajo, East Nusa Tenggara, Indonesia

See also: Terms & Conditions