Legal Notices Volume III of III

Quiet Footprints.

How our website remembers you, why it does so, and the soft instruments — cookies, beacons, local storage — by which the digital threshold of Sang Spa Signature is kept as considered as the timber one in Ubud.

Document: Cookies Policy
Effective: 01 March 2025
Version: 3.2 · Earthen Sanctuary
Companion to: Privacy Policy & Terms

Preamble

A short note on small files.

This Cookies Policy is the third and final volume in the Sang Spa Signature legal trilogy, and the most technical of the three. It describes — in plain English — what cookies and similar technologies our website (sangspa.com) uses, why they are present, how long they stay, and the precise instruments by which you may accept, decline, or revoke them at any moment.

We have written it as a companion to our Privacy Policy ("The Sanctuary of Trust"), to which it should be read as an annex. Where this Policy speaks of the legal basis for processing the personal data that cookies collect, the fuller treatment is in the Privacy Policy. Where this Policy is silent on a question of personal-data rights, the Privacy Policy answers it.

We collect only what we need; we keep it only as long as we need it; and you remain, throughout, the keeper of the key.

Contents

Fifteen Articles.

A reading map
  1. What a Cookie Is (and is not)
  2. Why We Use Cookies & Similar Technologies
  3. Categories of Cookies We Set
  4. First-Party vs. Third-Party Cookies
  5. Detailed Cookie Register
  6. Beacons, Pixels, Local Storage & Server Logs
  7. Lawful Basis & Consent
  8. Managing Your Preferences
  9. Browser-Level Controls
  10. Do-Not-Track & Global Privacy Control
  11. International Transfers via Third-Party Tools
  12. Retention Periods of Cookies
  13. Children & Cookies
  14. Changes to this Policy
  15. Contact, DPO & Cross-References

I.
Article I

What a Cookie Is (and is not).

A cookie is a small text file — typically no larger than a few kilobytes — that a website asks your browser to store on your device when you visit it. The file holds a short string of information. On your next visit, your browser returns that string to the website that wrote it, allowing the site to recognise the device (not, in itself, the person at it) and to behave accordingly: keeping you signed in, remembering your language, retaining a draft, measuring how a page is used.

A cookie is not a programme; it cannot execute code on your device, read other files, or access your camera, microphone, or contacts. It is text — and text only — and it is governed by the strict isolation rules that modern browsers enforce between websites.

Alongside cookies, modern websites use a small family of related technologies that perform similar functions: local storage and session storage (browser-side data stores that persist without being sent back to the server with each request), web beacons and tracking pixels (transparent images used to measure delivery), and server-side logs (records your browser is required to send merely to receive a page at all). For brevity we refer to the whole family collectively as "cookies" in this Policy, save where a specific instrument is described in Article VI.

II.
Article II

Why We Use Cookies & Similar Technologies.

We are a small wellness sanctuary, not a digital advertising company. Our use of cookies is consequently modest. We deploy only those instruments that fall into one of the following four purposes:

  • To allow the website to function — to hold your place in a booking enquiry, to balance load between our servers, to honour the consent decisions you have already made, and to keep authenticated administrators signed in.
  • To remember preferences you have expressed, such as your chosen language or display currency, so that we do not greet you in an unfamiliar register on each return.
  • To understand, in the aggregate, which pages of our website are being read, how long Guests linger on a given ritual page, and where the journey from curiosity to enquiry breaks down — so that we can improve the substance of what we publish.
  • To measure the effectiveness of the small number of paid advertising campaigns we run from time to time with Google and Meta, so that we can decide whether a campaign is worth continuing or should be retired.

We do not use cookies to construct behavioural profiles of individuals, to sell or share data with information brokers, or to deliver personalised pricing. These are uses we reject as inconsistent with the trust that brings you to a sanctuary in the first place.

III.
Article III

Categories of Cookies We Set.

For ease of reference and to mirror the structure of our consent banner, we group cookies into four categories. The first category is loaded on every visit; the remaining three load only with your express consent and may be disabled or revoked at any time without consequence to your ability to read, browse, or reserve.

Category 01

Strictly Necessary.

Essential for the website to function. They keep the booking module responsive, balance traffic between our servers, honour your previous consent choices, and keep signed-in administrators in their session.

Disabling these cookies would cause significant parts of the site — including the reservation module and the consent banner itself — to fail. They are exempt from the requirement of consent under Article 5(3) of EU Directive 2002/58/EC and analogous Indonesian provisions.

Consent: Always active

Category 02

Functional.

Remember preferences you have expressed — language, currency display, recently viewed rituals, and the resumption of an unfinished enquiry — so that your experience on return feels considered rather than generic.

These cookies are useful, but the site remains fully browsable without them. We load them only with your consent.

Consent: Opt-in

Category 03

Analytics.

Aggregate, de-identified statistics on how the site is used — page-views, average time on page, sources of traffic — that allow us to understand what is read and what is not. We have configured Google Analytics 4 with IP-anonymisation enabled and have disabled the sharing of data for ad-personalisation.

We do not use analytics cookies to identify you personally, and we do not combine analytics data with booking records.

Consent: Opt-in

Category 04

Marketing.

Allow our small advertising programme on Google and Meta to measure whether a campaign has reached new guests and resulted in a booking enquiry. They also permit a limited form of frequency-capping so that you are not shown the same advertisement repeatedly.

These cookies are loaded only with your consent. If you decline, you may still see our advertisements on those platforms, but their delivery will not be measured against your specific browser.

Consent: Opt-in

IV.
Article IV

First-Party vs. Third-Party Cookies.

Cookies are usefully distinguished by who places them.

A. First-party cookies

Cookies set by sangspa.com directly. We are the data controller in respect of these cookies; we determine their purpose, their lifetime, and what is read from them. Our first-party cookies are listed in the register at Article V and are confined to the strictly-necessary and functional categories.

B. Third-party cookies

Cookies set by domains other than sangspa.com — typically because we have embedded a script (analytics, advertising-measurement, video) or an interactive element (an Instagram embed, a YouTube ritual film) that is served from that third party. The third party is the data controller for those cookies; we recommend you read its own cookie and privacy notices, links to which are provided in the register at Article V.

C. Embedded media as a special case

When a journal page on our site includes an embedded YouTube ritual film or Instagram reel, the corresponding third-party domain may write cookies as soon as the embed loads, even if you do not press play. Where practicable, we have configured embeds to use "no-cookie" or "privacy-enhanced" variants of the respective service; where this is not technically possible, the embed is loaded only after you have given consent, by means of a "click to load" placeholder.

V.
Article V

Detailed Cookie Register.

The register below is the canonical, line-by-line description of every cookie we routinely set. From time to time, third-party services may introduce new cookies of their own; where we become aware, we update this register at the next quarterly review and re-publish the document with a new effective date. The version in force on the date of your visit is recorded in the seal at the foot of this page.

| Category | Cookie / Token | Provider | Purpose | Duration & Type |
| --- | --- | --- | --- | --- |
| Strictly Necessary | PHPSESSID | sangspa.com (first-party) | Maintains the integrity of your session as you move between pages — for example, holding the contents of a booking enquiry until it is submitted. | HTTP Cookie · Session — deleted when the browser closes. |
| Strictly Necessary | sss_consent | sangspa.com (first-party) | Records the cookie-preference selections you have expressed via our consent banner so that we do not ask the same question twice. | HTTP Cookie · Twelve (12) months from the date of selection. |
| Strictly Necessary | wordpress_logged_in_* | sangspa.com (first-party) | Set only for authenticated administrators and editors of the website. Not set for ordinary guests. | HTTP Cookie · Two (2) weeks, or until log-out. |
| Functional | sss_locale | sangspa.com (first-party) | Remembers the language and currency display preference you have selected for your visit. | HTTP Cookie · Six (6) months. |
| Functional | sss_recent_rituals | sangspa.com (first-party) | Stores a short list of the rituals you have recently viewed so the menu can suggest related experiences on subsequent visits. | Local Storage · Thirty (30) days. |
| Analytics | _ga, _ga_* | Google LLC (third-party) — google-analytics.com | Distinguishes unique visitors, aggregates page-view data, and measures the performance of editorial and ritual pages. Configured with IP-anonymisation enabled. | HTTP Cookie · Up to thirteen (13) months. |
| Analytics | _gid | Google LLC (third-party) — google-analytics.com | Distinguishes unique visitors over a 24-hour window for short-term traffic measurement. | HTTP Cookie · Twenty-four (24) hours. |
| Marketing | _fbp | Meta Platforms, Inc. (third-party) — facebook.com | Enables measurement of campaigns delivered via the Meta advertising network and the attribution of completed booking enquiries to those campaigns. | HTTP Cookie · Three (3) months. |
| Marketing | _gcl_au | Google LLC (third-party) — google.com | Used by Google AdSense / Google Ads conversion tracking to attribute bookings to advertising touch-points across the Google network. | HTTP Cookie · Three (3) months. |
| Marketing | IDE, test_cookie | Google LLC (third-party) — doubleclick.net | Used by Google to deliver, measure, and limit the frequency of advertisements relating to Sang Spa Signature on partner sites. | HTTP Cookie · Up to thirteen (13) months. |
| Embedded Media | VISITOR_INFO1_LIVE, YSC, PREF | YouTube / Google LLC (third-party) — youtube.com | Set when an embedded YouTube video appears on the page. Maintain playback statistics and remember user-interface preferences. | HTTP Cookie · Session up to six (6) months. |
| Embedded Media | datr, sb | Meta Platforms, Inc. (third-party) — facebook.com | Set if you interact with an embedded Instagram or Facebook element on our journal pages. Used by Meta for security and platform integrity. | HTTP Cookie · Up to two (2) years. |

VI.
Article VI

Beacons, Pixels, Local Storage & Server Logs.

For completeness, four further classes of digital instrument are described below. Each is governed, for the purposes of consent, by the same category in which the underlying purpose falls.

Web Beacons & Tracking Pixels
Tiny, transparent images (typically 1×1 pixel) embedded in a page or in an outgoing email. When the image is requested by your device, the request itself confirms that the page or email has been opened. We use a single beacon for our newsletter — to measure opens in aggregate — and the standard Meta and Google conversion pixels described in the register above. Beacons are governed by the consent category of the cookie they accompany.
Local Storage & Session Storage
Browser-side stores in which a website may keep small amounts of data without sending the data back to the server with each request. We use local storage for the sss_recent_rituals token (functional) and for ephemeral form-state during a booking enquiry (strictly necessary). Local storage is cleared when you clear your browser's site-data for sangspa.com.
Server-Side Logs
Records that any web server keeps for ordinary operational reasons: the IP address from which a request originated, the page requested, the date and time, the user-agent string, and the response code. We retain logs for thirty (30) days for security and abuse-investigation purposes, after which they are automatically purged. Server-side logs do not depend on a cookie and therefore cannot be opted out of without ceasing to use the site.
Fingerprinting
The construction of a unique identifier from passive characteristics of a browser (fonts, screen size, plug-ins). We do not use device-fingerprinting techniques and we do not knowingly contract with any third-party tool that does so for the purpose of cross-site tracking.
VII.
Article VII

Lawful Basis & Consent.

The lawful bases on which we set cookies are aligned with the categories described in Article III.

A. Strictly necessary cookies

Loaded on the basis of legitimate interest under Article 6(1)(f) GDPR (and equivalent provisions of Indonesian Law No. 27 of 2022 on Personal Data Protection, "UU PDP"), and on the express exemption from consent in Article 5(3) of EU Directive 2002/58/EC for communications strictly necessary to provide a service expressly requested.

B. Functional, Analytics & Marketing cookies

Loaded only on the basis of your specific, informed, freely-given consent, expressed via our consent banner. Consent is sought at first visit, recorded with a timestamp, and refreshed every twelve (12) months or whenever our use of cookies materially changes. You may modify or revoke consent at any time, prospectively, via the "Cookie Preferences" link in the website footer.

C. The status of consent

Consent given is granular — you may accept any one category and decline another. Consent withheld is honoured immediately for any cookie not yet placed; for cookies already on your device, you may delete them via your browser's site-settings (see Article IX). Declining non-essential cookies has no effect on the rituals available to you, the prices we offer, or the substance of your visit to the Sanctuary.

VIII.
Article VIII

Managing Your Preferences.

You may manage your cookie preferences at three layers, listed below from the most specific to the most general. Any layer overrides those above it.

A. The on-site consent banner

On your first visit you are presented with a consent banner offering "Accept all", "Decline non-essential", and "Manage preferences". The granular preferences page allows you to accept or decline each of the Functional, Analytics, and Marketing categories independently. Your selections are recorded in the sss_consent cookie and are honoured for twelve (12) months.

B. The persistent footer link

The link "Cookie Preferences" appears in the footer of every page on the website. Clicking it re-opens the granular preferences panel at any time, allowing you to upgrade, downgrade, or revoke consent. Changes take effect at the next page-load.

C. Withdrawal of consent for already-set cookies

Where you have previously consented and now wish to revoke, the consent banner immediately ceases to set further cookies in the affected category. Cookies already written to your device may be removed via your browser's site-settings — see Article IX, below — and are in any event subject to the maximum retention periods set out in Article XII.

IX.
Article IX

Browser-Level Controls.

Independently of any choice you make on our website, every modern browser exposes its own controls over cookies. You may, at any time, instruct the browser to refuse all cookies, to refuse third-party cookies, to delete cookies already stored, or to ask for permission for each cookie individually. The relevant settings are typically found under "Privacy", "Security", or "Site Settings".

Apple Safari
Settings → Safari → Privacy & Security; or, on macOS, Safari → Preferences → Privacy. Apple's "Prevent cross-site tracking" is enabled by default and we support it.
Google Chrome
Settings → Privacy and security → Third-party cookies (or Cookies and other site data). Granular per-site controls are available under "See all site data and permissions".
Mozilla Firefox
Settings → Privacy & Security → Cookies and Site Data. Firefox's "Total Cookie Protection" is supported on our site.
Microsoft Edge
Settings → Cookies and site permissions → Manage and delete cookies and site data.
Mobile browsers
The corresponding settings appear under your device's Settings application (iOS) or in the browser's menu (Android). Refer to the manufacturer's documentation for the precise path on your build.

Note. Disabling cookies at the browser level may affect the operation of websites generally, including ours. The strictly-necessary category of our cookies cannot be replaced by any other instrument; their absence will, in particular, prevent the booking module from working as intended.

X.
Article X

Do-Not-Track & Global Privacy Control.

Two browser-level signals communicate a user's preference not to be tracked: the older "Do-Not-Track" (DNT) header, and the newer "Global Privacy Control" (GPC) signal recognised under California Consumer Privacy Act regulations and certain US state-level privacy statutes.

A. Our treatment of GPC

Where your browser sends a Global Privacy Control signal, we treat the signal as an authoritative withdrawal of consent for the Analytics and Marketing categories of cookies. We will not load those cookies on the visit, we will not "sell" or "share" personal information within the meaning of the CCPA, and we will record the signal in the sss_consent cookie so that subsequent visits within the same browser are similarly treated.

B. Our treatment of DNT

Because the Do-Not-Track standard never achieved regulatory force and has been deprecated in modern browsers, we do not rely on DNT alone. We do, however, treat a DNT signal as a positive indication of preference — equivalent to declining the consent banner — for the duration of the session in which it is presented.

XI.
Article XI

International Transfers via Third-Party Tools.

The third-party providers listed in the register at Article V — principally Google LLC and Meta Platforms, Inc. — process the data their cookies collect on infrastructure located in multiple jurisdictions, including the United States. Where you visit our site from the European Economic Area, the United Kingdom, or another jurisdiction whose laws provide a level of protection that differs from that of the recipient jurisdiction, your data may, in consequence, be transferred to and processed in a country whose data protection regime is not deemed equivalent.

Our third-party providers represent that they rely on one or more of the following lawful transfer mechanisms: the European Commission's Standard Contractual Clauses (in their 2021 form), the EU–US Data Privacy Framework (where applicable), supplementary technical and organisational measures, and where relevant, UK International Data Transfer Agreements. Detail on each provider's transfer mechanism is published in its own privacy notice, to which we direct you in the register.

For Guests in Indonesia, Article 56 of UU PDP permits cross-border transfer where the recipient jurisdiction provides an adequate level of protection, where contractual safeguards are in place, or where the data subject has consented to the transfer with full knowledge of its consequences. Our contractual relationships with the providers above include the corresponding processor commitments.

XII.
Article XII

Retention Periods of Cookies.

Each cookie has a maximum lifetime, after which the browser deletes it automatically. We have aligned our maximum retention periods with the principle of data minimisation in the GDPR and UU PDP, and have shortened them, where practicable, below the defaults proposed by our third-party providers.

Session cookies
Deleted automatically when you close the browser. Used for session-state, load balancing, and the temporary holding of in-progress booking enquiries.
Strictly necessary (persistent)
Up to twelve (12) months for the consent record (sss_consent); up to two (2) weeks for the administrator authentication cookie (wordpress_logged_in_*).
Functional
Up to six (6) months for language and currency preferences; up to thirty (30) days for the recently-viewed-rituals token.
Analytics
Up to thirteen (13) months for Google Analytics 4 cookies, in line with the maximum permitted under the GDPR Article 29 Working Party's guidance, configured at the property level.
Marketing
Up to three (3) months for the Meta and Google Ads conversion cookies; up to thirteen (13) months for the DoubleClick / Google advertising domain cookies, where the third-party provider does not permit a shorter horizon.
Server-side logs
Thirty (30) days, after which they are deleted automatically by our hosting provider's log-rotation policy.
XIII.
Article XIII

Children & Cookies.

Our website is intended for an adult audience. We do not knowingly collect data through cookies from children under the age of sixteen (16), in line with the higher of the thresholds applied by the GDPR and UU PDP. If you are a parent or legal guardian and you believe a child has set, accepted, or been recorded by cookies on our site without appropriate consent, please write to privacy@sangspa.com and we will, within fifteen (15) Working Days, take reasonable steps to delete the relevant data and to suppress further collection from the device in question.

XIV.
Article XIV

Changes to this Policy.

This Cookies Policy is reviewed at least quarterly and ad-hoc whenever we add, replace, or remove a tool that affects the cookies we set. The version, version date, and a brief changelog are recorded at the close of every revision.

Where a revision materially changes the categories of cookies, the lawful basis on which they are set, or the international transfers they entail, we will (i) re-display the consent banner so that your consent is sought afresh against the new register, and (ii) post a clear notice in the website footer for at least thirty (30) days before the revised Policy takes effect. Non-material changes (corrections of typography, the renaming of a cookie by a third-party provider, the addition of a new browser to the controls list) are made silently and reflected in the version history.

XV.
Article XV

Contact, DPO & Cross-References.

Questions about cookies — including requests for the detail behind any line in the register, requests to exercise rights against a specific third-party processor, or formal complaints about our practices — should be addressed to our Data Protection Officer in the first instance. Where a question concerns the broader handling of personal data, our Privacy Policy ("The Sanctuary of Trust") provides the fuller answer; where a question concerns the conduct of a Reservation, our Terms & Conditions ("The Covenant") govern.

Data Protection Officer

Sang Spa Signature

Postal: Jl. Suweta No.26, Ubud, Kecamatan Ubud, Kabupaten Gianyar, Bali 80571
Email (DPO): privacy@sangspa.com
Cookies-specific: cookies@sangspa.com
Telephone: +62-82-1313-3711
Hours: Daily · 9:00 AM – 10:00 PM

Companion Documents

Read alongside.

Volume I
Privacy Policy — The Sanctuary of Trust. Governs all collection, use, and rights in respect of personal data, including data collected via cookies.
Volume II
Terms & Conditions — The Covenant. Governs the reservation, delivery, and conduct of every Ritual at the Sanctuary.
Volume III
Cookies Policy — Quiet Footprints (this document). Annex to the Privacy Policy.
Statutory references
UU PDP No. 27/2022 (Indonesia); GDPR (EU) 2016/679; UK GDPR & Data Protection Act 2018; CCPA / CPRA (California).
In Witness

Issued in the spirit of light footing.

This Cookies Policy has been issued by Sang Spa Signature as an annex to its Privacy Policy and shall remain in force from the effective date below until superseded by a duly published revision. We collect what we need; we keep it as briefly as we may; and the threshold remains, in every sense, yours to cross.

Effective 01 March 2025 v 3.2 · Earthen Sanctuary

Live in Harmony & Balance