Legal Notices Volume I of III

The Sanctuary of Trust.

How Sang Spa Signature collects, safeguards, and honours the personal information you entrust to us — written in the same hand that holds the door, prepares the linen, and remembers your name.

Document
Privacy Policy
Effective
01 March 2025
Version
3.2 · Earthen Sanctuary
Jurisdiction
Republic of Indonesia
Preamble

A quiet covenant.

At Sang Spa Signature, the same discretion we extend to your body within our treatment rooms is the discretion we extend to your data within our systems. This Privacy Policy is the written form of that promise. It explains, in plain language, what information we receive when you reserve a ritual, complete a health intake, walk through our doors at Jl. Suweta No.26, Ubud, Kecamatan Ubud, Kabupaten Gianyar, Bali 80571, or simply browse sangspa.com. It explains why we hold that information, who is permitted to see it, how long it remains in our care, and the rights you may exercise over it at any moment.

We have written this document to be read, not endured. Where the law requires precision, we have given it; where plain words will serve, we have used them. If anything below is unclear, our Data Protection Officer is reachable directly at the address set out at the close of this volume.

We hold your trust the way our therapists hold a hand at the close of a treatment — gently, with both palms, and only for as long as you wish.

Contents

In this volume.

Fourteen Articles
  1. Scope & Identity of the Controller
  2. Information We Collect
  3. Lawful Basis for Processing
  4. How We Use Your Information
  5. Sharing & Disclosure
  6. International Transfers
  7. Data Retention Schedule
  8. Your Rights as a Data Subject
  9. Security of Your Information
  10. Cookies & Web Tracking
  11. Children & Minors
  12. Automated Decisions & Profiling
  13. Changes to this Policy
  14. Contact, DPO & Supervisory Authority
Article I

Scope & Identity of the Controller.

This Privacy Policy is issued by Sang Spa Signature (hereafter "we", "us", or "Sang Spa"), the controller of personal data collected from guests, prospective guests, website visitors, correspondents, and gift-voucher recipients. Our principal place of business is Jl. Suweta No.26, Ubud, Kecamatan Ubud, Kabupaten Gianyar, Bali 80571, and we operate the website published at the domain sangspa.com together with associated booking, telephony, and electronic messaging channels.

This Policy applies to all personal information we hold about you, regardless of whether that information was given to us at our reception desk, written into a paper intake form, captured by our electronic booking platform, exchanged by email or WhatsApp, recorded by the signposted closed-circuit cameras in our public areas, or observed by a therapist during the course of a treatment. Where a particular collection channel imposes additional notices (for example, our cookies notice for the website, or our consent flow within the online booking form), those notices supplement, but never override, the protections established here.

Our processing is governed primarily by the law of the Republic of Indonesia, including Undang-Undang Nomor 27 Tahun 2022 tentang Pelindungan Data Pribadi (the Personal Data Protection Law, "UU PDP"). Where you reside in the European Economic Area or the United Kingdom, we treat your data in a manner consistent with the General Data Protection Regulation (GDPR) and the UK GDPR; where you reside in California, we treat it in a manner consistent with the California Consumer Privacy Act (CCPA) as amended. Specific rights under those regimes are addressed in Article VIII below.

Definitions. "Personal data" means any information that identifies you or could reasonably be combined to identify you. "Special category data" or "sensitive data" includes information about your health, physical condition, pregnancy, mental wellbeing, or any other category given heightened protection under applicable law. "Processing" means any operation performed on personal data — collection, storage, consultation, disclosure, anonymisation, or deletion. "Therapist" means any qualified Sang Spa practitioner who delivers a treatment. "Guest" means any person who has made, received, or is the intended beneficiary of a reservation.

Article II

Information We Collect.

We collect only the personal information genuinely required to receive you as a guest, deliver our rituals safely, account for what we have done, and — with your permission — keep in touch. The categories below describe the full universe of personal data Sang Spa may hold about you. In any individual relationship with us, the actual data held will be a subset of this list.

A. Booking & Reservation Data

When you reserve a treatment — by telephone, WhatsApp, email, concierge referral, third-party platform, or our online booking form — we collect your full name, contact telephone number, email address, country of residence, party size, the treatments and time-slots requested, the names and ages of any accompanying guests where treatments require them, and any contextual notes you provide (for example, an anniversary, a birthday, mobility considerations, or a request that we prepare a particular oil or temperature).

B. Health Intake & Special Category Data

Because our treatments involve direct, sustained physical contact, manipulation of soft tissue, application of essential oils, exposure to heat and steam, and — in some rituals — the ingestion of botanical infusions, we are obliged to ask you a short series of health intake questions before your first treatment and at intervals thereafter. These questions cover, where relevant: pregnancy and trimester; recent surgery or injury; cardiovascular conditions including hypertension; diabetes and circulatory conditions; allergies and skin sensitivities; current prescription medications; dietary restrictions; and any other matter that may contraindicate a particular technique, oil, or pressure. This information constitutes special category data under applicable law and is processed only on the lawful bases identified in Article III.

C. On-Property Observations & Treatment History

During and after each treatment, your therapist will record a brief, factual treatment note — for example, the pressure you preferred, the area of tension addressed, the oil chosen, any comfort accommodation made, and any observation you shared that affects future visits ("a recurrent shoulder issue", "sensitive to citrus oils"). These notes form your internal treatment history and allow each subsequent therapist to prepare for you with quiet familiarity rather than ask you the same questions twice. We also operate closed-circuit video recording in public reception, corridor, and exterior areas only — never inside treatment rooms, changing rooms, or sanitary facilities — for the security of our guests and team.

D. Payment, Fiscal & Identity Verification Data

Payments are processed by a PCI DSS compliant payment service provider; we do not retain full card numbers on our systems. We do retain the last four digits of the card, the transaction reference, the billing name, the amount, and the currency. Where you request a tax invoice (faktur pajak), or where Indonesian fiscal regulation otherwise requires, we may also collect your tax identification number (NPWP) or, for non-resident guests, a passport or KITAS identifier, solely for the purpose of issuing the invoice.

E. Communications & Correspondence

We retain the content and metadata of substantive correspondence with you — emails, WhatsApp messages, contact form submissions, and where called for, a brief written summary of telephone calls — so that the next member of our team to speak with you arrives in the conversation already informed. We do not record voice calls.

F. Technical & Device Data

When you visit sangspa.com we automatically receive certain technical information from your browser: IP address, approximate geo-location derived from that IP, the type and version of your browser and operating system, the referring URL, the pages you view, the time spent, and the actions you take. The cookies and similar technologies used to collect this information are described in our separate Cookies Policy, which forms part of this notice by reference.

G. Marketing Preferences

Where you have asked to hear from us — at booking, by ticking a newsletter checkbox, or by any other clear act of subscription — we record your consent status, the date and source of that consent, the channels you have opted into (email, WhatsApp, SMS), and any thematic preferences you indicate (for example, "I am interested in retreats" or "Please contact me only for new ritual launches"). Withdrawing consent is always one click or one reply away.

Article III

Lawful Basis for Processing.

Every category of data we hold has a defined lawful basis on which we process it. The ledger below sets out each basis, the categories of data to which it applies, and the corresponding provisions of UU PDP and of the GDPR (Article 6, and Article 9 where special-category data is involved), so that you may verify the lawful basis on which any given operation rests.

Performance of Contract
We process your booking and reservation data, payment data, and communications because doing so is necessary to take, confirm, prepare for, and deliver the treatments you have asked us to perform — that is, to honour the contract you have entered into with us. (GDPR Art. 6(1)(b); UU PDP Art. 20(2)(b).)
Explicit Consent
We process your health intake and special category data only on the basis of your explicit consent given at the time the intake is completed, and only for the purpose of safely tailoring your treatment. We process your marketing preferences on the basis of opt-in consent that you may withdraw at any time. (GDPR Art. 9(2)(a) for special category data; Art. 6(1)(a) for marketing; UU PDP Art. 20(2)(a) and Art. 21.)
Legal Obligation
We retain fiscal records, tax invoices, and supporting transaction data because Indonesian tax and accounting law (including UU KUP and the relevant Director-General regulations) require us to keep such records for a defined period — currently ten (10) years from the close of the relevant fiscal year. (GDPR Art. 6(1)(c); UU PDP Art. 20(2)(c).)
Vital Interest
In a medical emergency on our premises, we may process and disclose your health information to emergency responders, hospital staff, or your declared emergency contact, where we judge in good faith that doing so is necessary to protect your life or physical integrity or the life of another person. (GDPR Art. 6(1)(d) and Art. 9(2)(c); UU PDP Art. 20(2)(d).)
Legitimate Interest
We rely on legitimate interest, balanced against your rights and reasonable expectations, to operate perimeter and public-area CCTV for the security of guests and property; to analyse aggregated, de-identified website usage in order to improve our service; to prevent fraud and abuse of our reservation systems; and to enforce our terms. (GDPR Art. 6(1)(f); UU PDP Art. 20(2)(f).)
Article IV

How We Use Your Information.

We use your information for the limited, defined purposes that follow. We do not use your information for any purpose materially different from those for which it was collected without first informing you and, where required, securing your renewed consent.

  • To confirm, schedule, and prepare your reservation, including allocating a therapist, room, and supplies suited to the treatment booked.
  • To safely tailor each treatment to your body, your contraindications, your stated preferences, and the observations recorded from prior visits.
  • To process payment, issue receipts and tax invoices, and meet our accounting and audit obligations.
  • To communicate with you about your booking — confirmations, reminders, directions to the property, weather notes, and post-treatment care instructions.
  • To respond to enquiries, gift-voucher requests, complaints, and feedback, and to maintain a coherent record of those exchanges.
  • To maintain the security and integrity of our premises, our digital systems, and our reservation pipeline against fraud and abuse.
  • To comply with applicable law, regulatory requests, and lawful orders of a competent authority.
  • Where you have consented, to send a curated newsletter, ritual launch notices, retreat invitations, and discreet milestone gestures (for example, an anniversary remembrance).
  • To improve our service through aggregated, de-identified analysis of treatment outcomes, scheduling patterns, and guest feedback.

We do not use your information to make automated decisions that produce legal effects on you or that significantly affect you; the limited personalisation we apply to our newsletter is described in Article XII.

Article V

Sharing & Disclosure.

Sang Spa does not sell, rent, lease, or otherwise monetise your personal data. We share it only in the limited circumstances described below, and we share only the minimum data necessary to the recipient to fulfil their role. Each external recipient acting as our processor is bound by a written data-processing agreement that mirrors the protections set out in this Policy.

  • Therapists and on-property practitioners have access to the parts of your record genuinely necessary to deliver your treatment safely — your name, the treatment booked, relevant health intake answers, and prior treatment notes. They do not have access to your payment data.
  • Reception, concierge, and reservation staff have access to the booking, payment, and communication record needed to coordinate your visit.
  • Our reservation and customer-record platform vendor, who hosts the digital system in which bookings and treatment notes are stored, processes data only on our written instructions.
  • Our payment service provider, a PCI DSS compliant gateway, processes card data on our behalf at the moment of payment.
  • Our cloud hosting and email provider, currently a major international provider, hosts our website, our email, and our shared files under standard contractual clauses.
  • Our certified accountant and tax adviser receives the fiscal records necessary to file accurate returns under Indonesian law.
  • Our legal counsel may receive your information under privilege where we genuinely require advice in connection with a matter in which you are involved.
  • Emergency medical services and your declared emergency contact may receive relevant health information where we judge in good faith that disclosure is necessary to protect a life.
  • Competent regulatory, fiscal, or law-enforcement authorities may receive your information where compelled by lawful order or where disclosure is otherwise required by Indonesian law.
  • A successor entity may receive your information if Sang Spa is acquired, merged, or otherwise reorganised; in any such event we will notify you in advance and you will retain the rights set out in Article VIII.
Article VI

International Transfers.

The principal seat of our processing is in Indonesia. However, because our guests come from every continent and several of our digital service providers are headquartered outside Indonesia, certain personal data may be processed in, or transferred to, the United States, the European Union, the United Kingdom, Singapore, or Australia.

Where personal data is transferred out of Indonesia, we comply with Article 56 of UU PDP by ensuring that the destination country provides equivalent or higher protection, that adequate and binding safeguards are in place between us and the recipient, or that the transfer is supported by your specific consent. Where personal data of EEA or UK residents is transferred to a destination outside the EEA or UK, we rely on the Standard Contractual Clauses approved by the European Commission and, where applicable, the UK International Data Transfer Addendum, supplemented by such technical and organisational measures as the recipient and we jointly determine to be appropriate.

You may request a copy of the safeguards in place for any specific transfer of your data by contacting our Data Protection Officer at privacy@sangspa.com. Sensitive contractual content may be redacted in the copy provided.

Article VII

Data Retention Schedule.

We retain personal data only for as long as necessary to fulfil the purpose for which it was collected, to satisfy a continuing legal obligation, or to establish, exercise, or defend a legal claim. The schedule below states our default retention periods. Where law or genuine necessity calls for a different period in an individual case, the longer of the two will apply.

Booking & Fiscal Records
Ten (10) years from the close of the relevant fiscal year, in line with Indonesian tax and accounting law, after which records are securely destroyed or fully anonymised.
Health Intake Forms
Five (5) years from your last visit, after which the record is destroyed or — where retained for statistical purposes — irreversibly anonymised. Earlier destruction at your request is honoured unless an active insurance, regulatory, or liability matter requires otherwise.
Therapist Treatment Notes
Five (5) years from your last visit. Notes relating to a treatment that gave rise to a complaint or insurance claim are retained for the limitation period applicable to that claim.
CCTV Footage
Thirty (30) days on a rolling, automatically overwritten basis, except where a specific clip has been set aside in connection with a security incident or lawful request.
Marketing Records
For as long as you remain subscribed, plus a ninety (90) day grace window after withdrawal of consent to evidence the withdrawal itself, after which records are destroyed.
Website Analytics
Twenty-six (26) months at the longest, with raw IP truncation applied at collection where the analytics provider supports it.
General Correspondence
Three (3) years from the date of last substantive interaction, except where the correspondence is relevant to a continuing matter.
Article VIII

Your Rights as a Data Subject.

The personal data we hold about you remains, in every meaningful sense, yours. The following rights are recognised by us for every guest, regardless of nationality. Some of these rights are subject to lawful exceptions — for example, we may not be able to delete records that we are obliged by tax law to retain — and where any such exception applies we will explain its basis to you in writing.

  • Right of access. You may request a copy of the personal data we hold about you, together with information on how it is being processed.
  • Right of rectification. You may request that we correct any inaccurate or incomplete information.
  • Right to erasure ("right to be forgotten"). You may request the deletion of personal data that is no longer necessary for the purpose for which it was collected.
  • Right to restrict processing. You may ask us to pause processing of your data while a query is resolved.
  • Right to data portability. You may request a copy of the personal data you have provided to us in a commonly used, machine-readable format.
  • Right to object. You may object to processing carried out on the basis of legitimate interest or for direct marketing.
  • Right to withdraw consent. Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.
  • Right to lodge a complaint. You may lodge a complaint with the supervisory authority identified in Article XIV.
  • Rights specific to California residents. Where the CCPA applies to you, you have the right to know what personal information is collected, sold, or disclosed; the right to delete; the right to correct; the right to limit the use of sensitive personal information; and the right not to be discriminated against for exercising those rights. Sang Spa does not sell or "share" personal information for cross-context behavioural advertising.

To exercise any of these rights, write to our Data Protection Officer using the details in Article XIV. We respond to requests within thirty (30) days and, in any event, within the period required by applicable law. We do not charge a fee for the exercise of these rights, save in the rare circumstance where a request is manifestly unfounded or excessive, in which case the fee, if any, will be explained before any charge is incurred.

Article IX

Security of Your Information.

We protect your information with the same seriousness with which we protect the room you lie in and the linen we draw over you. Our technical and organisational measures include, without limitation: transport-layer encryption (TLS) for all data in transit; encryption at rest for databases that hold guest records; role-based access control under a least-privilege principle; multi-factor authentication for administrative access; physical security of paper intake forms in locked cabinets; segregated handling of payment data by a PCI DSS certified processor; periodic backups stored in a separate physical region; mandatory privacy and information-security training for all staff at induction and annually thereafter; and an incident-response procedure that notifies the supervisory authority within seventy-two (72) hours of our becoming aware of a personal data breach that meets the applicable threshold, together with affected data subjects where the breach is likely to result in high risk to their rights.

No system is impregnable, and we will not pretend otherwise. What we will do is treat any incident with the candour, speed, and care that the trust you have placed in us deserves.

Article X

Cookies & Web Tracking.

Our website uses a small number of cookies and equivalent technologies. Strictly necessary cookies are set to keep the site functioning — for example, to remember the contents of a booking in progress. Analytics and marketing cookies are set only with your prior, granular consent, gathered through the consent banner that appears on your first visit and which you may revisit at any time from the footer of the site.

The full register of cookies in use, their purpose, their lifetime, and the third parties (if any) involved is set out in our separate Cookies Policy, which forms part of this notice by reference.

Article XI

Children & Minors.

Our website and our marketing communications are directed at adults. We do not knowingly collect personal data from children under thirteen (13) years of age. Where a treatment is offered to a minor — for example, a gentle reflex session for a child travelling with a parent — booking, consent to the health intake, and presence during the treatment must be provided by the minor's parent or legal guardian. The personal data of the minor is then held under the same safeguards as that of an adult guest, and the guardian retains and exercises the rights set out in Article VIII on the minor's behalf until the minor reaches the age of majority.

If you believe that a child under thirteen has provided personal data to us without the involvement of a guardian, please write to our Data Protection Officer and we will delete that data promptly.

Article XII

Automated Decisions & Profiling.

We do not subject you to automated decision-making that produces legal effects on you, or that significantly affects you in a similar manner. Reservations are accepted, declined, or rescheduled by a human member of our team. Health intake review is performed by a qualified therapist or, where the answers warrant, by our spa lead.

The only light personalisation we apply is to the editorial direction of our newsletter — for example, presenting a guest who has previously chosen restorative rituals with content about restorative rituals first. This personalisation is applied only with your marketing consent, has no legal or comparable effect, and may be switched off entirely from any of our newsletters' footers without affecting your subscription.

Article XIII

Changes to this Policy.

This Policy is reviewed at least annually, and ad hoc whenever a change in our practices, our processors, or the law requires it. The version, version date, and a brief changelog are recorded at the close of every revision.

Where a revision materially affects your rights or the ways we process your data, we will notify you in advance: by email, where we have an active address for you, and by a clear notice in the website footer for at least thirty (30) days before the revised Policy takes effect. Non-material changes (corrections of typography, clarifications of language, updates to processor names without change of role) are made without individual notice and reflected in the version history. The historical versions of this Policy are available on written request.

Article XIV

Contact, DPO & Supervisory Authority.

Questions, concerns, requests to exercise rights, or formal complaints about the handling of your personal data should be addressed in the first instance to our Data Protection Officer at the contact set out below. If, having spoken with us, you remain dissatisfied, you have the right to lodge a complaint with the supervisory authority of your place of residence or the place of the alleged infringement.

Data Protection Officer

Sang Spa Signature

Postal
Jl. Suweta No.26, Ubud, Kecamatan Ubud, Kabupaten Gianyar, Bali 80571
Email (DPO)
privacy@sangspa.com
Telephone
+62-82-1313-3711
Hours
Daily · 9:00 AM – 10:00 PM
Supervisory Authorities

Where to escalate.

Indonesia
The personal-data protection authority designated under UU PDP No. 27 of 2022; until that authority is fully operational, complaints may be addressed to the Ministry of Communication and Digital Affairs (Kementerian Komunikasi dan Digital).
European Economic Area
The data protection authority of the EEA member state in which you reside, work, or where the alleged infringement took place. A directory is maintained by the European Data Protection Board (edpb.europa.eu).
United Kingdom
The Information Commissioner's Office (ico.org.uk).
California
The California Privacy Protection Agency (cppa.ca.gov) and the Attorney General's Office (oag.ca.gov).
In Witness

Signed in the spirit of quiet care.

This Privacy Policy has been issued by Sang Spa Signature and shall remain in force from the effective date below until superseded by a duly published revision. Each guest, in placing their trust in us, becomes the reason this document exists.

Effective 01 March 2025 v 3.2 · Earthen Sanctuary

Live in Harmony & Balance