Privacy Policy

2.1 Personal Information

When you create an account or make a booking, we collect:

• Identity Information: Full name, date of birth, nationality
• Contact Information: Email address, phone number, WhatsApp number, Telegram username (optional)
• Identification Documents: Passport number and photo, driver's license information
• Emergency Contact: Name and phone number of your emergency contact
• Address Information: Home address, delivery/pickup addresses in Bali
• Profile Information: Profile photo (optional), helmet size preferences

2.2 Booking and Transaction Data

For each rental, we collect:

• Vehicle selection and rental dates
• Pickup and return locations with GPS coordinates
• Special requirements or requests
• Payment information (we do not store credit card details)
• Rental history and transaction records
• Vehicle condition documentation (photos and videos)

2.3 Authentication Data

When you use our website, we collect:

• Login credentials (managed by Supabase, our authentication provider)
• OAuth information if you sign in with Google
• Session tokens and authentication cookies
• Password reset tokens (temporary)

2.4 Vehicle Documentation Data

During vehicle delivery and return, we document:

• Comprehensive video recording of vehicle condition
• Photos of exterior surfaces, mechanical components, and accessories
• Documentation of existing damage or wear
• GPS coordinates and timestamp of delivery/return
• Customer acknowledgment and acceptance records

This documentation protects both parties and is stored securely in your customer profile for dispute resolution purposes.

2.5 Technical Data

We automatically collect:

• IP address and approximate location
• Browser type and version
• Device information (type, operating system)
• Website usage data (pages visited, time spent, clicks)
• Referral source (how you found our website)

3.1 Service Delivery

We use your information to:

• Process your vehicle rental bookings
• Deliver and collect vehicles at specified locations
• Verify your identity and driving eligibility
• Contact you about your rental (confirmations, reminders, updates)
• Provide customer support via WhatsApp or email
• Send important notifications (return reminders, booking updates)

3.2 Legal and Safety

We process your data for:

• Compliance with Indonesian rental and transportation laws
• Insurance documentation and claims processing
• Accident or incident reporting to authorities when required
• Protecting our vehicles and business from fraud
• Enforcing our Terms & Conditions

3.3 Business Operations

We analyze data to:

• Improve our website and user experience
• Optimize our delivery routes and service areas
• Understand rental patterns and vehicle preferences
• Maintain and improve our fleet based on usage data
• Develop new features and services
• Use AI responsibly: We use AI tools to assist with support and content generation. We do not allow third‑party AI providers to train on your personal data or conversations. Any AI processing is performed with minimal data, and where possible, with anonymized or aggregated information.

4.1 Service Providers

We share your information with trusted third-party service providers:

• Intercom: Customer support messenger and helpdesk. We use Intercom with Messenger Security (JWT) enabled so your identity is verified by our server. We send only minimal identifiers (user_id, name, email, created_at). Your messages and profile are not used to train Intercom models.
• Supabase: Authentication and database services
• Directus: Content management system for booking data
• Render: Website hosting and deployment services
• Cloudflare: CDN, DDoS protection, and website security services
• SendGrid (Twilio): Email delivery and newsletter services
• Google Services: Maps API, Analytics, and location services
• Social Media Platforms: Facebook Pixel, TikTok Pixel, Twitter/X Pixel for advertising and analytics
• Email Marketing: Newsletter subscription and marketing automation services

4.2 Legal Requirements

We may disclose your information when required by:

• Indonesian law enforcement agencies
• Court orders or legal proceedings
• Government authorities for regulatory compliance
• Insurance companies for claims processing

4.3 Business Transfers

If our business is sold or merged, your information may be transferred to the new owners to continue providing services to you.

5.1 Security Measures

We implement the following security measures:

• SSL/TLS encryption for all data transmission
• Encrypted storage of sensitive information
• Secure authentication through Supabase
• Regular security audits and updates
• Access controls limiting data access to authorized personnel
• Secure file storage with access restrictions

5.2 Data Breach Response

In the unlikely event of a data breach, we will:

• Notify affected users within 72 hours
• Provide details about what information was compromised
• Take immediate steps to secure our systems
• Cooperate with authorities as required

6.1 Access and Correction

You have the right to:

• Access your personal data through your account dashboard
• Request a copy of all data we hold about you
• Correct or update inaccurate information
• Request deletion of your account and associated data

6.2 Communication Preferences

You can control communications by:

• Adjusting notification settings in your account
• Unsubscribing from marketing emails
• Requesting to opt-out of WhatsApp messages (except essential rental communications)

6.3 Data Portability

You can request your data in a portable format (JSON or CSV) for transfer to another service.

7.1 Retention Periods

We retain your information for:

• Active accounts: As long as your account remains active
• Booking records: 7 years for legal and tax compliance (Indonesian law requirement)
• Identification documents: 2 years after last rental for verification purposes
• Vehicle condition videos: 90 days after rental completion for dispute resolution
• Financial records: 10 years for tax compliance and auditing
• Marketing data: Until you opt-out or request deletion
• Accident reports: 5 years for insurance and legal purposes
• Customer support communications: 2 years for service improvement

7.2 Deletion Process

When you request account deletion:

• We delete your personal information within 30 days
• Some data may be retained for legal compliance
• Anonymized data may be kept for analytics

8.1 Cookies and Tracking

We use different types of cookies and tracking technologies:

• Essential Cookies: Required for user authentication, session management, and website security
• Security Cookies: Cloudflare cookies for DDoS protection, bot filtering, and CDN security
• Analytics Cookies: Google Analytics to understand website performance and user behavior
• Marketing Pixels: Facebook Pixel, TikTok Pixel, Twitter/X Pixel for advertising optimization and retargeting
• Authentication Tokens: Supabase session tokens for secure login state
• Email Tracking: Newsletter engagement and email marketing performance monitoring
• Functional Cookies: Remember your preferences and settings

You can control cookies through your browser settings, but disabling essential cookies may affect website functionality.

8.2 Age Restrictions and Children's Privacy

Our vehicle rental services are restricted to individuals 21 years of age or older. We do not rent vehicles to minors and do not knowingly collect personal information from individuals under 21.

If we discover that someone under 21 has provided us with personal information, we will delete it immediately and terminate any associated bookings or accounts.

Parents or guardians who believe their child under 21 has provided us with personal information should contact us immediately for account deletion.

8.3 International Data Transfers

Your information may be transferred to and processed in countries other than Indonesia by our service providers:

• Supabase (USA): Authentication and database services with SOC 2 Type II compliance
• Render (USA): Website hosting and deployment with GDPR compliance measures
• Cloudflare (USA): CDN and security services with enterprise data protection standards
• SendGrid/Twilio (USA): Email and communication services with ISO 27001 certification
• Google Services (USA): Maps, Analytics, and location services with enterprise-grade security
• Social Media Platforms (USA): Facebook, TikTok, Twitter/X with respective privacy frameworks

All service providers implement appropriate technical and organizational measures to protect your data during international transfers.

8.4 Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page, updating the "Last updated" date, and sending email notifications for significant changes.

8.5 Contact Us

If you have questions about this Privacy Policy or how we handle your data:

We aim to respond to all privacy inquiries within 48 hours during business hours (8:00 AM - 6:00 PM Bali Time).

8.6 Consent

By using our website and services, you consent to our Privacy Policy and agree to its terms. If you do not agree with this policy, please do not use our services.

8.7 Legal Basis for Processing

We process your personal data based on the following legal grounds:

• Contract Performance: Processing necessary to fulfill our rental services
• Legal Obligations: Compliance with Indonesian transportation and tax laws
• Legitimate Interests: Fraud prevention, business analytics, and service improvement
• Consent: Marketing communications and optional data processing
• Vital Interests: Emergency situations and safety concerns

8.8 Indonesian Privacy Law Compliance

As an Indonesian company, we comply with applicable Indonesian privacy and data protection regulations:

• UU ITE 2008: Indonesian Electronic Information and Transaction Law
• Government Regulation No. 71/2019: Electronic System and Transaction Implementation
• Permenkominfo 20/2016: Personal Data Protection in Electronic Systems
• Financial Services Authority Regulations: For payment processing compliance

8.9 Marketing and Communications

We may send you marketing communications about:

• Special offers and promotions
• New vehicle additions to our fleet
• Service area expansions
• Important updates to our services

You can opt-out of marketing communications at any time through unsubscribe links or by contacting us directly.

8.10 Automated Decision Making

We use automated systems for:

• Booking Processing: Automatic availability checking and pricing calculation
• Risk Assessment: Fraud detection and booking validation
• Service Optimization: Route planning and delivery scheduling

These automated decisions do not significantly affect your rights. You can always request human review of any automated decision.

8.11 Data Minimization

We follow data minimization principles by:

• Collecting only data necessary for our services
• Limiting data access to authorized personnel only
• Regularly reviewing and purging unnecessary data
• Using anonymization where possible for analytics

8.12 Emergency and Incident Response

In emergency situations, we may:

• Share location data with emergency services
• Provide contact information to authorities for safety purposes
• Access rental data for accident investigation
• Coordinate with medical services if required

Emergency data sharing is limited to what's necessary for immediate safety and assistance.