Privacy Policy
Last updated May 31, 2026
This Privacy Policy explains how Sutasoma Hotel, as a hotel business unit operated by PT Lenggara Guna Prasada, collects, obtains, stores, uses, discloses, corrects, updates, deletes, destroys, secures, and/or otherwise processes users' personal data in connection with the use of the app, website, booking service, reservation service, customer service, and related services of Sutasoma Hotel.
This Privacy Policy is prepared with due regard to the Indonesian Personal Data Protection Law, electronic system and electronic transaction regulations, electronic commerce regulations, consumer protection regulations, and other applicable laws and regulations of the Republic of Indonesia.
1. Identity of the Personal Data Controller
The Personal Data Controller for this service is PT Lenggara Guna Prasada, an Indonesian legal entity having its headquarters address at: CENTENNIAL TOWER, 17th Floor, Unit 17.C, Jl. Gatot Subroto Kav. 24-25, Karet Semanggi Sub-district, Setiabudi District, South Jakarta Administrative City, DKI Jakarta Province, Indonesia.
Sutasoma Hotel is a hotel business unit located at: Jl. Darmawangsa Raya, Pulo Sub-district, Kebayoran Baru District, South Jakarta, 12160, Indonesia.
For any question, request, objection, or correspondence relating to Personal Data and/or reservations, users may contact: reservation@thetribrata.com.
2. Definitions
“App” means the application, website, progressive web app, booking page, reservation feature, and/or other electronic system used to provide Sutasoma Hotel booking services.
“Personal Data” means any data relating to an identified or identifiable individual, either separately or in combination with other information, directly or indirectly through an electronic or non-electronic system.
“User” means any person who accesses, uses, registers an account, searches rooms, makes a reservation, makes a payment, contacts customer service, or uses Sutasoma Hotel services through an electronic system.
“Personal Data Controller” means the party that determines the purposes and exercises control over the processing of Personal Data.
“Personal Data Processor” means the party that processes Personal Data on behalf of the Personal Data Controller based on lawful instructions and a valid cooperation relationship.
“Processing of Personal Data” includes obtaining, collecting, processing, analyzing, storing, correcting, updating, displaying, announcing, transferring, disseminating, disclosing, deleting, and/or destroying Personal Data.
3. Categories of Personal Data Processed
We may collect and process the following Personal Data in accordance with lawful, specific, explicit, and limited processing purposes:
- Identity and account profile data: full name, email address, phone number, nationality, date of birth, optional profile photo, and other account information provided by the User.
- Reservation and booking data: check-in date, check-out date, room type, number of guests, guest names, reservation contact details, special requests, room preferences, service notes, booking history, booking status, stay voucher, and other information relevant to the reservation.
- Authentication data: email address, login credentials, session data, authentication tokens, and security data required to maintain account access integrity. Passwords are processed using applicable security mechanisms and are not displayed in plain text.
- Limited payment data: payment status, selected payment method, transaction reference number, transaction time, transaction amount, payment gateway transaction response, and other data required for payment reconciliation. We do not store full card numbers, CVV, or sensitive payment credentials processed by the payment gateway.
- Communication data: email correspondence, support requests, complaints, booking modification requests, cancellation requests, refund requests, and customer service communications.
- Technical and usage data: IP address, device type, browser, operating system, language, display preferences, access logs, app usage activity, local storage, and other technical information required for security, reliability, abuse prevention, and service improvement.
- Favorites and preference data: favorite rooms, language preference, service preferences, and account settings selected by the User.
4. Purposes of Processing Personal Data
- To create, verify, secure, and manage User accounts.
- To receive, process, confirm, modify, cancel, and manage hotel room bookings.
- To send booking confirmations, stay vouchers, transaction information, service change notices, and operational communications relating to reservations.
- To process payments through licensed and/or supervised payment gateway providers, including DOKU, and to match payment status with booking status.
- To provide customer support and handle questions, complaints, booking change requests, cancellation requests, and refund requests.
- To comply with legal, tax, accounting, audit, transaction documentation, consumer protection, and other compliance obligations.
- To maintain electronic system security, prevent unauthorized access, detect unusual transactions, prevent fraud, and protect the legitimate rights and interests of Users, the hotel, and relevant parties.
- To develop, test, maintain, improve service quality, conduct operational analysis, and resolve technical issues while observing the principle of data minimization.
- To perform rights and obligations under the electronic agreement between the User and Sutasoma Hotel.
5. Legal Bases for Processing
- Valid consent of the User for one or more specific purposes.
- Performance of an electronic agreement or pre-contractual steps for hotel room booking, including account creation, room search, reservation, payment, modification, cancellation, and refund.
- Compliance with legal obligations of the Personal Data Controller under applicable laws and regulations.
- Fulfilment of legitimate interests, provided that such interests do not override the fundamental rights of the Personal Data Subject, including system security, fraud prevention, legal claim defense, internal audit, and service improvement.
- Protection of the vital interests of the User or another person in certain circumstances, to the extent relevant and lawful.
- Performance of a task in the public interest or public service, where required by law or competent authority.
6. User Consent
By creating an account, using the App, making a booking, submitting data, completing payment, or using features that require Personal Data processing, the User represents that the User has read, understood, and given valid consent to the processing of Personal Data under this Privacy Policy, to the extent consent is required as the legal basis for processing.
The User may withdraw consent through the available mechanism or by contacting us at the email address stated in this Privacy Policy. Withdrawal of consent does not affect the lawfulness of processing carried out before such withdrawal and may affect our ability to provide certain services.
7. Disclosure to Processors and Third Parties
We may disclose Personal Data on a limited basis to third parties and/or Personal Data Processors where necessary for lawful purposes and based on an appropriate legal relationship, including:
- Supabase, for database hosting, authentication, and management of account and reservation records.
- DOKU, for payment processing through a payment gateway. Payments are processed on DOKU systems and we do not store Users' full card data.
- Resend or other transactional email service providers, for the delivery of booking confirmation emails, vouchers, and operational notices.
- Vercel, for web app hosting.
- Cloudflare, for domain, DNS, security, performance, and network distribution services.
- Legal advisers, auditors, consultants, security providers, technology providers, and other professional parties where necessary for compliance, audit, security, dispute resolution, or protection of legal interests.
- Government authorities, regulators, law enforcement agencies, courts, or other competent authorities where required by applicable laws or lawful requests.
Any disclosure will be carried out based on necessity, proportionality, purpose limitation, confidentiality, security, and compliance with applicable law.
8. International Data Transfer and Processing
Certain technology service providers that we use may store or process Personal Data on servers located outside Indonesia. Where Personal Data is transferred to or processed outside Indonesia, we will take reasonable and necessary steps to ensure that such Personal Data remains protected at a level consistent with this Privacy Policy and applicable laws and regulations.
Cross-border transfer may occur where necessary for service provision, security, hosting, authentication, email delivery, payment processing, technical support, and/or legal compliance, while observing Personal Data protection principles.
9. Retention, Deletion, and Destruction
We retain Personal Data for as long as necessary to fulfil the processing purposes, while the account remains active, while required to provide services, or while required by legal, tax, accounting, audit, legal claim defense, and transaction documentation obligations.
Where Personal Data is no longer required, we will delete, destroy, or anonymize such data in accordance with internal procedures, technical system capabilities, and applicable legal requirements. Certain booking and payment records may be retained for a reasonable period where necessary for accounting, tax, audit, dispute resolution, or legal evidentiary purposes.
10. Rights of Personal Data Subjects
Under the Indonesian PDP Law, Users as Personal Data Subjects have rights that may be exercised in accordance with applicable law, including the right to:
- Obtain information regarding the clarity of identity, legal basis, purposes of requesting and using Personal Data, and accountability of the party requesting Personal Data.
- Access and obtain a copy of their Personal Data through the available mechanism.
- Complete, update, and/or correct errors or inaccuracies in Personal Data.
- Terminate processing, delete, and/or destroy Personal Data in accordance with applicable laws and regulations.
- Withdraw consent for the processing of Personal Data where such processing is based on consent.
- Object to decisions based solely on automated processing that produce legal effects or significant impact on the User, where applicable.
- Postpone or restrict Personal Data processing proportionally in accordance with processing purposes.
- Sue and receive compensation for violations of Personal Data processing in accordance with applicable laws and regulations.
- Obtain and/or use Personal Data in a commonly used or machine-readable format, where applicable and technically feasible.
Requests to exercise rights may be submitted through available account features, including an account deletion option where available, or by emailing reservation@thetribrata.com. We may request reasonable identity verification before processing such requests to protect Personal Data security.
11. Personal Data Security
We implement reasonable technical and organizational measures to protect Personal Data from unauthorized access, unauthorized disclosure, unauthorized alteration, misuse, loss, damage, and/or unlawful processing. These measures may include encryption in transit, access controls, internal access limitation, authentication, system monitoring, logging, segregation of duties, use of trusted technology providers, and periodic security evaluations.
However, no electronic system is entirely risk-free. Users must keep account credentials confidential, not share account access with others, and promptly contact us if they know or suspect unauthorized account use.
12. Personal Data Breach
In the event of a Personal Data protection failure that is relevant and notifiable under applicable law, we will take necessary steps, including investigation, mitigation, remediation, documentation, and notification to Users and/or competent authorities in accordance with applicable laws and regulations.
13. Children
This service is intended for adults and is not specifically directed to children under 18 years of age. We do not knowingly collect Personal Data of children without a valid legal basis. If a parent or guardian becomes aware that a child has submitted Personal Data through the App without the required consent, please contact us so that we may handle the matter in accordance with applicable law.
14. Cookies, Local Storage, and Similar Technologies
As a web-based/progressive web app, we may use cookies, local storage, session storage, and similar technologies to maintain login sessions, remember language preferences, store favorites, improve performance, maintain security, and ensure proper functioning of the service. We do not sell Users' Personal Data to third parties.
15. Changes to this Privacy Policy
We may amend or update this Privacy Policy from time to time to reflect changes in services, technology, operational needs, or applicable laws. Material changes will be notified through the App, website, email, or other reasonable means. Continued use of the service after changes become effective will be deemed acceptance of the updated Privacy Policy, to the extent permitted by law.
16. Contact
For questions regarding this Privacy Policy, Personal Data, reservations, or requests to exercise Personal Data Subject rights, Users may contact Sutasoma Hotel by email at: reservation@thetribrata.com.
Hotel business unit address: Jl. Darmawangsa Raya, Pulo Sub-district, Kebayoran Baru District, South Jakarta, 12160, Indonesia.
Legal entity headquarters address: CENTENNIAL TOWER, 17th Floor, Unit 17.C, Jl. Gatot Subroto Kav. 24-25, Karet Semanggi Sub-district, Setiabudi District, South Jakarta Administrative City, DKI Jakarta Province, Indonesia.
Language
The English version is prepared as an operational translation of the Indonesian legal drafting. In the event of conflict between the Indonesian version and the English version, the Indonesian version should prevail for interpretation under Indonesian law, unless the Company expressly determines otherwise in a final published version.
