Updated: May 2026
Effective date: May 2026
Last updated: May 2026
Bali Protocol Service (operated by PT Juara Holding Group, the controlling entity, hereafter “Bali Protocol Service”, “we”, “us”, or “our”) respects your privacy. This Privacy Policy explains how we collect, use, store, share, and protect personal information when you visit https://baliprotocolservice.com, request quotes, make bookings, or otherwise interact with us. By using this site you agree to the practices described below.
1. Who we are
Bali Protocol Service is an Indonesia-based luxury tourism curator. The legal controller of personal data on this site is PT Juara Holding Group, registered in the Republic of Indonesia. Contact: bd@juaraholding.com.
We are registered as an Electronic System Operator (Penyelenggara Sistem Elektronik / PSE) with the Indonesian Ministry of Communications and Informatics (Kementerian Komunikasi dan Informatika, “Kominfo”) in accordance with Indonesia Government Regulation No. 71/2019 and Ministerial Regulation 5/2020 on Private Scope Electronic System Operators.
2. What information we collect
- Information you give us: name, email address, phone number, country of residence, passport country, travel dates, party size, accommodation preferences, dietary requirements, and any free-text message you send via our contact or quote-request forms.
- Booking-related information: when you confirm a booking, additional details such as full passport name, date of birth, emergency contact, dietary or medical considerations relevant to safe execution of the trip, and arrival/departure flight details.
- Payment information: we do not collect or store full credit card numbers on this website. Payments are processed by third-party payment gateways (Xendit, Midtrans, or international card processors). We retain only the transaction reference, timestamp, currency, and amount necessary for booking reconciliation.
- Automatically collected data: IP address, approximate geolocation (country/region), browser type and version, device type, referrer URL, pages viewed, time on page, and similar technical telemetry collected via standard server logs and analytics tools.
- Cookies and similar technologies: see Section 7 below.
3. Lawful basis for processing
Where applicable under Indonesian law (UU No. 27 Tahun 2022 tentang Pelindungan Data Pribadi / Personal Data Protection Law) and the EU General Data Protection Regulation 2016/679 (“GDPR”), our lawful bases for processing are:
- Consent — for marketing communications, optional cookies, and any sensitive data processing.
- Contract — to provide the booking and travel-curation services you have requested.
- Legal obligation — to retain transaction records under Indonesian tax law (Undang-Undang Pajak) and accounting regulations.
- Legitimate interests — to operate the website, prevent fraud, and improve our service in a manner that does not override your rights and freedoms.
4. How we use your information
- Respond to enquiries, send proposals, and execute bookings.
- Coordinate with on-the-ground partners (hotels, vessel owners, ground transport, dive masters, captains) strictly to the extent necessary to deliver the requested service.
- Issue invoices, process refunds, and meet legal record-keeping obligations.
- Communicate operational updates (itinerary changes, weather advisories, pickup confirmations).
- With your separate opt-in, send occasional marketing communications about new destinations or seasonal offers. You can unsubscribe at any time using the link in any marketing email.
- Detect, investigate, and prevent fraud, abuse, or violations of our Terms of Service.
5. Sharing your information
We do not sell, rent, or trade your personal information. We share it only with:
- Travel suppliers required to deliver your booking (e.g. the specific yacht, hotel, dive operator, or driver assigned to your trip).
- Payment processors (Xendit, Midtrans, Stripe, Wise) under their own data-processing agreements.
- Government authorities when legally compelled (e.g. immigration manifests for vessels, mandatory tourism reporting under Peraturan Menteri Pariwisata).
- Professional advisors (legal, accounting, audit) under confidentiality obligations.
Where suppliers are located outside Indonesia, transfers are governed by appropriate safeguards under Indonesian and (for EU residents) GDPR Chapter V cross-border transfer rules.
6. International visitors — GDPR & CCPA notice
EU/EEA/UK visitors (GDPR): you have rights of access, rectification, erasure, restriction of processing, data portability, objection, and to withdraw consent at any time. Contact bd@juaraholding.com to exercise these rights. You may also lodge a complaint with your national supervisory authority.
California residents (CCPA / CPRA): you have the right to know what categories of personal information we collect, to request deletion, to opt out of any “sale” or “sharing” (we conduct neither), and to non-discrimination for exercising these rights.
Children (COPPA & UU PA): we do not knowingly collect personal information from children under 13. If a parent or guardian believes we hold such information they should contact us immediately and we will delete it.
7. Cookies
This site uses functional cookies (session, security, language preference), analytics cookies (visit counts, page paths, anonymised aggregates), and — only with your consent — marketing cookies (re-marketing pixels). You can manage cookie preferences in your browser; rejecting non-essential cookies will not prevent you from browsing or contacting us.
8. Data retention
We retain enquiry records for 24 months, executed booking records for 10 years (to satisfy Indonesian tax law retention requirements), and accounting records for the period required under Undang-Undang No. 28 Tahun 2007 about General Provisions and Tax Procedures. Marketing-list data is retained until you unsubscribe.
9. Security
We use industry-standard transport security (HTTPS / TLS 1.3), restricted database access, encrypted backups, and strict role-based access for staff. No system can be guaranteed 100% secure; in the event of a personal-data breach affecting you we will notify the relevant authority and affected individuals within 72 hours where required under applicable law.
10. Refund & cancellation
Refund and cancellation handling is governed primarily by our Terms of Service. Personal information related to refunds is processed for the purpose of completing the refund and meeting tax obligations.
11. Force majeure
Operation of this site, the bookings transacted through it, and the personal data processed for those bookings may be affected by force-majeure events including but not limited to natural disasters, volcanic activity, public-health emergencies, civil unrest, government action, or maritime advisory closures. Our handling of personal data in such events follows the principles set out in this policy with reasonable adjustments dictated by safety and legal obligations.
12. Your rights — Indonesia UU PDP
Under Indonesia’s Personal Data Protection Law (UU No. 27/2022) you have the rights of: information, access, correction, deletion, restriction of processing, data portability, withdrawal of consent, objection to automated decision-making, and right to compensation. Requests should be sent to bd@juaraholding.com and we will respond within 30 calendar days as required by Article 7 of UU PDP.
13. Changes to this policy
We may revise this Privacy Policy from time to time. The “last updated” date at the top of this page indicates the latest revision. Material changes will be communicated by a banner on the home page or by email to active customers.
14. Contact
Privacy questions, requests, complaints: bd@juaraholding.com
Postal: PT Juara Holding Group, Bali, Indonesia. Phone: +62 811 3941 4563.