Privacy Policy

Last updated: February 15, 2026.

This policy is provided for general information and may not constitute legal advice.

1. Introduction

Balé Sampan is a boutique hotel and restaurant in Gili Trawangan, Lombok, Indonesia. This Privacy Policy explains how we handle personal data when you use our website and contact channels.

This policy is designed for international visitors and references EU/EEA data protection rules (GDPR principles) and the Indonesia Personal Data Protection Law (Law No. 27 of 2022), fully effective 17 October 2024.

2. What data we collect

Depending on how you interact with the website, we may handle the following:

  • Information you provide: contact inquiry details and booking-request details, such as request type, title, first name, last name, phone, email, and message content.
  • Communication data: messages you send through WhatsApp or other direct communication channels.
  • Technical data: IP address, browser/device information, and basic server/network logs generated when you access the website.
  • Payment data: this website does not directly process card payments. Payment information is handled by third-party booking/payment providers after you leave our website.

3. How we use your data

  • To respond to inquiries and booking requests.
  • To provide customer service and follow up on guest communication.
  • To operate and improve website performance and user experience.
  • To protect website security and help prevent abuse or fraud.
  • To meet applicable legal and regulatory requirements.

4. Legal bases (GDPR-friendly)

Where GDPR-style legal bases apply, we rely on one or more of the following:

  • Consent: where you clearly choose to provide data (for example, inquiries).
  • Contract or pre-contractual steps: to handle availability checks or booking-related requests.
  • Legitimate interests: to keep the site secure and technically reliable, and to run essential operations.
  • Legal obligations: where we must process data to comply with law.

5. Sharing your data

We may share relevant data with service providers only where needed, including:

  • Hosting and infrastructure/CDN providers.
  • Messaging platforms (for example, WhatsApp) when you contact us there.
  • Booking platforms you choose to use (for example, our external BookDirect booking provider).
  • Professional advisers when legally necessary (for example, legal/accounting).

We do not sell personal data.

6. International transfers

Because website infrastructure and communication tools may operate globally, personal data may be processed outside your country. When this happens, we aim to use reputable providers and appropriate contractual and organizational safeguards.

7. Data retention

  • Inquiry and booking-related communications: typically kept for 12 to 24 months.
  • Technical and security logs: typically kept for 30 to 90 days.
  • Third-party platform records: retained under those providers' own policies and settings.

We may keep data longer when required for legal claims, regulatory obligations, or dispute resolution.

8. Your rights

Depending on your location, you may have rights including:

  • Access to your personal data.
  • Correction/rectification of inaccurate data.
  • Deletion/erasure in certain circumstances.
  • Restriction of processing in certain circumstances.
  • Data portability (where applicable).
  • Objection to certain processing.
  • Withdrawal of consent where processing is based on consent.

Under the Indonesia Personal Data Protection Law / PDP Law, you may also request access, correction, deletion, and withdrawal of consent, subject to legal limits.

To exercise your rights, contact us using the details in Section 13. We may ask for identity verification before completing a request.

9. Cookies and tracking

We use technical functionality necessary for website operation. We do not currently run a dedicated marketing or analytics-cookie stack on this site.

Some pages load third-party resources to provide functionality (for example, external map tile services). Those providers may process technical data such as IP address under their own privacy terms.

You can control cookies through your browser settings and can block third-party requests with privacy extensions if preferred.

10. Security

We use reasonable technical and organizational measures to protect personal data. However, no internet transmission or storage system can be guaranteed 100% secure.

11. Children's privacy

This website is not directed to children, and we do not knowingly collect personal data from children.

12. Changes to this policy

We may update this Privacy Policy from time to time. Any update will be posted on this page with a revised "Last updated" date.

13. Contact

For privacy questions or requests, contact: