THE LOKHA UBUD RESORT
PRIVACY & COOKIE POLICY
Effective date: 14 July 2026
Last updated: 14 July 2026
This document is a DRAFT and has been prepared as an initial framework for the Privacy & Cookie Policy of The Lokha Ubud Resort’s website (“we”, “us”, “our”, or the “Resort”). This draft should be reviewed by legal counsel prior to publication, particularly with respect to compliance with Indonesia’s Law Number 27 of 2022 on Personal Data Protection (“PDP Law”) and, where relevant, the European Union’s General Data Protection Regulation (“GDPR”).
1. Introduction
The Lokha Ubud Resort (“we”, “us”, or “our”) values and respects the privacy of every visitor to our website at www.thelokhaubud.com (the “Website”), as well as guests who make reservations through the Website or directly with us. This Privacy & Cookie Policy (“Policy”) explains the types of personal data we collect, how such data is used, stored, protected, and shared, and your rights in relation to your personal data.
By accessing and/or using the Website, making a reservation, or otherwise interacting with our services, you acknowledge that you have read, understood, and agreed to this Policy. If you do not agree with this Policy, please do not use our Website.
2. Definitions
- “Personal Data” means any data about an identified or identifiable individual, whether on its own or in combination with other information, whether directly or indirectly.
- “Processing” means any action performed on Personal Data, including but not limited to the acquisition, collection, processing, analysis, storage, correction, updating, display, announcement, transfer, dissemination, disclosure, and/or deletion of Personal Data.
- “Booking Engine” means the third-party online reservation system we use to process room bookings, located at https://booking.thelokhaubud.com.
- “Cookie” means a small text file stored on your device when you visit the Website, used to help the Website function properly and to analyze Website usage.
3. Information We Collect
3.1 Information You Provide Directly
- Full name, email address, phone number, and correspondence address;
- Identification information such as passport number, national ID (KTP), or other identity documents required for check-in purposes in accordance with applicable tourism and immigration regulations;
- Stay preferences, special requests, dietary or allergy information (if voluntarily disclosed by you), and travel details;
- Information you submit through contact forms, email, phone, live chat, or social media;
- Feedback, reviews, or other communications you send to us.
3.2 Information via Our Third-Party Booking Engine
The “Book Now” button on our Website will redirect you to our third-party Booking Engine at https://booking.thelokhaubud.com. When you make a reservation through the Booking Engine, your personal data (including payment data) will be processed directly by the Booking Engine provider in accordance with its own privacy policy. We encourage you to review the Booking Engine’s privacy policy before completing your reservation. We receive relevant booking data from the Booking Engine (such as guest name, stay dates, room type, and contact details) for reservation and guest-service purposes.
3.3 Payment Information
Payment transactions for room reservations are processed through the Booking Engine and/or third-party payment gateway providers that we work with. We do not store your full credit/debit card details on our servers. Payment data is processed in accordance with industry security standards (such as PCI-DSS) by the relevant payment gateway provider.
3.4 Information Collected Automatically
- IP address, browser type and version, operating system, and device language settings;
- Pages visited, time and duration of visit, and referral source to our Website;
- General location data (based on IP address);
- Data collected through cookies and similar tracking technologies as described in Section 7.
4. How We Use Your Information
We use your Personal Data for the following purposes:
- Processing and managing reservations, check-in, and check-out;
- Providing accommodation, facilities, and stay experiences in accordance with your requests;
- Communicating with you regarding booking confirmations, changes, or cancellations;
- Processing payments and preventing fraud;
- Complying with legal obligations, including reporting to local immigration and tourism authorities;
- Improving the quality of our services, Website, and user experience through data analysis;
- Sending marketing communications (newsletters, promotions, special offers) where you have provided consent (opt-in), and you may unsubscribe at any time;
- Responding to inquiries, complaints, or customer support requests;
- Maintaining Website security and preventing unlawful activity.
5. Legal Basis for Processing
We process your Personal Data on the basis of one or more of the following: (i) your explicit consent; (ii) the necessity of performing a contract or service you have requested (such as a room reservation); (iii) compliance with legal obligations applicable in Indonesia; and/or (iv) our legitimate interests in operating and developing our business, provided such interests do not override your fundamental rights and freedoms.
6. Cookies & Tracking Technologies
Our Website uses cookies and similar technologies (including Google Analytics and other marketing tools) to enhance Website functionality, analyze usage patterns, and personalize content and advertising.
6.1 Types of Cookies We Use
- Essential Cookies: necessary for the Website to function properly, such as page navigation and the booking process;
- Performance/Analytics Cookies: help us understand how visitors interact with the Website (e.g., through Google Analytics) so we can improve Website performance;
- Functional Cookies: remember your preferences (such as language or currency) for a more personalized experience;
- Marketing/Advertising Cookies: used to display advertising relevant to your interests on our platforms and third-party platforms (such as Meta/Facebook Pixel, Google Ads).
6.2 Managing Cookies
You may set or disable cookies through your browser settings. Please note that disabling certain cookies may affect Website functionality, including the booking process. When you first access the Website, you will see a cookie notice (cookie banner) that allows you to give or refuse consent to the use of non-essential cookies.
7. Sharing Data with Third Parties
We may share your Personal Data with third parties in the following circumstances:
- Our Booking Engine provider (https://booking.thelokhaubud.com) to process your reservation;
- Payment gateway providers to securely process payment transactions;
- Technology service providers such as Website hosting, analytics (e.g., Google Analytics), and digital marketing tools;
- Business partners, travel agents, or online travel agencies (OTAs) where you have made a reservation through them;
- Government authorities, police, or other competent authorities where required by applicable law;
- Professional advisors (legal, accounting, audit) to the extent necessary for legitimate business purposes.
8. International Data Transfers & GDPR Compliance
As the majority of our guests come from outside Indonesia, including from European Union/European Economic Area (EEA) member states, your Personal Data may be transferred, stored, and processed in countries other than your country of origin, including Indonesia and countries where our third-party service providers (such as our Booking Engine provider, payment gateway, or cloud service providers) are located.
For guests who are citizens of or resident in the EEA/United Kingdom, we endeavor to process your Personal Data in accordance with GDPR principles, including ensuring that cross-border data transfers are subject to appropriate safeguards (such as Standard Contractual Clauses or other equivalent mechanisms provided by our third-party service providers). Your rights under the GDPR are further described in Section 10.
9. Compliance with Indonesia's Personal Data Protection Law
As an entity operating in Indonesia, we are committed to complying with Law Number 27 of 2022 on Personal Data Protection (“PDP Law”) in all our personal data processing activities. We implement reasonable technical and organizational measures to protect Personal Data from unauthorized access, disclosure, alteration, or destruction, in accordance with the requirements of the PDP Law.
10. Your Rights
In accordance with applicable data protection regulations (including the PDP Law and, where relevant, the GDPR), you have the following rights in relation to your Personal Data:
- The right to know about and access the Personal Data we process about you;
- The right to correct or update Personal Data that is inaccurate or incomplete;
- The right to erase and/or destroy your Personal Data (right to be forgotten), to the extent this does not conflict with our legal obligations;
- The right to withdraw your consent to the processing of your Personal Data at any time;
- The right to restrict processing under certain circumstances;
- The right to data portability, i.e., to receive a copy of your Personal Data in a structured, commonly used, and machine-readable format;
- The right to object to the processing of your Personal Data for direct marketing purposes or other legitimate interests;
- The right to lodge a complaint with the competent data protection supervisory authority.
To exercise the rights above, please contact us using the contact information in Section 14. We will respond to your request within a reasonable period in accordance with applicable regulations.
11. Data Security
We implement reasonable technical, administrative, and physical measures to protect your Personal Data from loss, misuse, unauthorized access, disclosure, alteration, or destruction. However, no method of transmission over the internet or electronic storage is completely secure, and therefore we cannot guarantee absolute security.
12. Data Retention
We retain your Personal Data only for as long as necessary to fulfill the purposes described in this Policy, including to comply with legal, accounting, or reporting obligations. Once the retention period has expired, Personal Data will be securely deleted or anonymized.
13. Children's Data
Our Website and services are not directed at children under the age of 18 without parental or guardian supervision. We do not knowingly collect Personal Data from children under this age without the consent of a parent or legal guardian. Data of children staying with a parent/guardian is processed as part of the reservation data of the relevant parent/guardian.
14. Changes to This Policy
We may update this Policy from time to time to reflect changes in our data processing practices, technology, legal requirements, or other operational reasons. Changes will take effect once published on this Website, together with an updated “last updated” date. We encourage you to review this Policy periodically.
15. Contact Us
If you have any questions, complaints, or wish to exercise your rights regarding your Personal Data, please contact us at:
The Lokha Ubud Resort
Ubud, Bali, Indonesia
Email: reservation@thelokhaubud.com
Website: https://www.thelokhaubud.com
[Complete with full address, phone number, and/or Data Protection Officer name if applicable]
Note: This is an initial draft for internal purposes. Please conduct a legal review before publication, and complete the bracketed [ ] sections with the company’s official information.