Privacy Policy
Body Studio Bali — operated by PT New Beginnings Retreat
Effective date: 28 April 2026
Version: 1.0 (English)
This English text is provided for the convenience of international clients. The Bahasa Indonesia version of this Privacy Policy is the legally controlling version in accordance with Law of the Republic of Indonesia No. 24 of 2009 (UU 24/2009). In case of any inconsistency between the two versions, the Bahasa Indonesia version prevails.
1. Who we are (Data Controller)
The Data Controller for personal data processed in connection with bodystudiobali.com and the services offered at the premises of Body Studio Bali is:
PT New Beginnings Retreat, trading as Body Studio Bali
Uluwatu St No.184, Ungasan, South Kuta, Badung Regency, Kuta Selatan, 80361, Bali, Indonesia
Email: info@bodystudiobali.com
WhatsApp: +62 822-2160-0336
Indonesian business classification: SPA / Salon Kecantikan (KBLI). Registration details available on request.
Questions about this Privacy Policy or about your data can be sent to info@bodystudiobali.com.
2. Scope and applicable law
This Privacy Policy applies to:
- your use of the website bodystudiobali.com;
- bookings made online, by WhatsApp, by telephone, or in person;
- services delivered at our premises;
- the Health Intake & Informed Consent Form you complete and sign on first visit and before each new service type;
- our hiring and recruitment processes (including any application form on our website).
We process personal data in accordance with:
- Law of the Republic of Indonesia No. 27 of 2022 on Personal Data Protection (“UU PDP” / Indonesian PDP Law);
- Law of the Republic of Indonesia No. 8 of 1999 on Consumer Protection (UU 8/1999), to the extent applicable;
- the EU General Data Protection Regulation 2016/679 (GDPR), where it applies to clients located in the European Economic Area or the United Kingdom; and
- all other applicable Indonesian laws and regulations.
3. Categories of personal data we collect
We collect and process the following categories of personal data, depending on how you interact with us.
3.1 Identification and contact data
- full name, date of birth, sex, nationality;
- passport / national ID number (for our records and for compliance with Indonesian regulation that may apply to certain bookings);
- address (your address while in Bali, or your home address);
- email address;
- mobile / WhatsApp number;
- emergency contact name and phone number.
3.2 Booking, transaction, and service-history data
- the services, combos, and packages you book and receive;
- session dates, times, and the practitioner who served you;
- prices paid, payment method, payment-processor reference (we do not store full card numbers);
- vouchers and packages you hold and have used;
- any notes our practitioners record about your service preferences.
3.3 Health data (sensitive / specific category)
When you complete the Health Intake & Informed Consent Form, you disclose health-related information including: medical conditions, current medications, pregnancy status, surgical history, implants and medical devices, allergies, and any other health information relevant to the service you are about to receive.
Under Indonesian PDP Law, health data is specific personal data (“data pribadi yang bersifat spesifik”) and under GDPR it is a special category of personal data. We process it on a strict need-to-know basis (Section 5).
3.4 Photographs and audio-visual data
- “before / after” photographs of treatment areas, only with your prior written, opt-in consent as recorded on the Intake & Consent Form or on a separate consent form;
- security CCTV footage at the entrance of our premises, if applicable, retained for short periods.
3.5 Recruitment / job-application data
If you apply for a job with us through our website or by other means, we collect: name, age, marital status, email, phone, education, previous workplaces, area of residence, and any photo / CV you submit. This data is processed by our bsb-applications plugin and stored in our Supabase database (Section 7).
3.6 Website usage data
When you visit bodystudiobali.com we may collect:
- IP address, approximate geo-location, device and browser type, language preference;
- pages viewed, time spent, referring URL, search terms used to reach us;
- cookies and similar technologies (see Section 9).
3.7 Communication data
- messages you send us via WhatsApp, email, our contact form, or social media;
- our written replies to you.
4. How we collect personal data
We collect personal data:
- directly from you — when you fill in our website forms (booking, contact, hiring), make a booking by WhatsApp or telephone, attend the premises and complete the Intake & Consent Form, or otherwise communicate with us;
- automatically — when you visit bodystudiobali.com (cookies, server logs, analytics);
- from third parties — for example, payment processors confirming a transaction, or referrals if you tell us a friend recommended us.
5. Why we process your data (purposes and legal basis)
| Purpose | Categories used | Legal basis (UU PDP / GDPR) |
|---|---|---|
| Confirming and delivering a booking | identification, contact, booking, health | performance of a contract (Art. 20(2)(b) UU PDP / Art. 6(1)(b) GDPR) |
| Pre-service health screening (Intake form) | identification, health | client’s explicit consent on the Intake & Consent Form (Art. 20(2)(a) UU PDP / Art. 9(2)(a) GDPR) |
| Issuing receipts, processing payments, and complying with tax / accounting law | identification, transaction | legal obligation (Art. 20(2)(c) UU PDP / Art. 6(1)(c) GDPR) |
| Communicating with you about appointments, vouchers, and packages | identification, contact, booking | performance of a contract / our legitimate interest in operational communication |
| Marketing communications (only if you have opted in) | identification, contact | your consent (Art. 20(2)(a) UU PDP / Art. 6(1)(a) GDPR), withdrawable at any time |
| Publishing “before / after” photographs | photographs | your written, opt-in consent on the Intake & Consent Form, withdrawable at any time |
| Processing job applications | recruitment data | steps to enter into an employment contract / your consent |
| Operating, securing, and improving our website | usage data, cookies | our legitimate interest in operating a functional website (subject to consent for non-essential cookies — Section 9) |
| Defending or pursuing legal claims | as relevant | legitimate interest / establishment, exercise, or defence of legal claims |
We do not sell your personal data, and we do not use it for automated decision-making with legal or similarly significant effects on you.
6. Data sharing (recipients)
We share personal data only with the recipients listed below, on a need-to-know basis and under appropriate confidentiality and data-processing arrangements.
- Our staff and beauty therapists — only the data necessary for them to deliver your service safely (name, booking, health intake).
- Payment processors — to process payments. Card details are handled directly by the processor; we do not store card numbers.
- WordPress / WooCommerce hosting provider — to host bodystudiobali.com.
- Supabase, Inc. — provides the database that stores submissions from our hiring form (and may process other operational data). Supabase acts as our processor.
- Email and messaging providers — to deliver booking confirmations and communications.
- Tax, accounting, and legal advisers — to comply with Indonesian law and to defend legal claims, under professional confidentiality.
- Public authorities — when required by Indonesian law or by a lawful request from a competent authority.
We do not disclose your data to advertisers, brokers, or other third parties for their own marketing purposes.
7. International transfers
Some of our processors are based outside Indonesia. In particular, Supabase, Inc. (and the cloud infrastructure on which it relies) processes data outside Indonesia. Where personal data is transferred outside Indonesia, we apply the safeguards required by Article 56 of UU PDP and, for clients to whom GDPR applies, the safeguards required by Chapter V of GDPR (such as adequacy decisions, standard contractual clauses, or your explicit informed consent for the specific transfer).
You may request more information about the transfer mechanism applicable to your data by writing to info@bodystudiobali.com.
8. Retention
We retain personal data only for as long as necessary for the purposes for which it was collected, and as required by applicable law:
- Booking and transaction records — for the duration of our service relationship with you and thereafter for the period required by Indonesian tax, accounting, and consumer-protection law (typically up to 10 years for accounting records).
- Health Intake & Informed Consent Form data — for as long as you remain an active client and, after your last service, for the period required to defend possible legal claims, after which it is securely destroyed or anonymised.
- Marketing-consent records and “before / after” photographs — until you withdraw your consent; once withdrawn, removed from active use within a reasonable period and from public-facing channels where reasonably practicable.
- Job-application data — if you are not hired, for up to 12 months after the application, unless you ask us to delete it sooner; if you are hired, kept under our HR retention rules.
- Website server logs and analytics — for short periods, typically not exceeding 14 months.
After the applicable retention period, we securely delete or anonymise your data.
9. Cookies and similar technologies
bodystudiobali.com uses cookies and similar technologies to:
- make the site work (essential cookies — for example, session and security cookies);
- remember your preferences (functional cookies);
- understand how visitors use the site so we can improve it (analytics cookies, e.g. Google Analytics);
- enable embedded content from social media or video platforms when you choose to view it.
Essential cookies are set automatically. Non-essential cookies (analytics, social-media embeds) are only set with your consent through our cookie banner. You can change or withdraw your consent at any time via the cookie banner or your browser settings. Blocking essential cookies may affect the functionality of the website.
A more detailed Cookie Notice may be published in due course; until then, this Section sets out our cookie practice.
10. Your rights
Subject to the conditions and limitations in UU PDP and, where it applies, GDPR, you have the right to:
- be informed about our processing of your personal data (this Privacy Policy);
- access the personal data we hold about you;
- correct inaccurate or incomplete data;
- delete your data (“right to erasure”), subject to our legal retention obligations;
- restrict or object to certain processing;
- withdraw consent for any processing based on consent (such as marketing or photo publication) at any time, without affecting the lawfulness of processing carried out before withdrawal;
- data portability — receive your data in a structured, commonly used, machine-readable format, where applicable;
- lodge a complaint with the competent Indonesian supervisory authority for personal-data protection (and, for clients in the EU/EEA, with your local data-protection authority).
To exercise any of these rights, write to info@bodystudiobali.com. We will respond within 30 (thirty) days and may ask you to verify your identity before we act on your request.
11. How we keep your data secure
We apply reasonable organisational and technical safeguards to protect personal data against unauthorised access, loss, alteration, or disclosure. These include access controls (only authorised staff can access intake forms and booking data), secure storage of paper forms, encryption in transit for online communication, application passwords for our WordPress administration, and role-based access to our Supabase database.
No system is perfectly secure. If we become aware of a personal-data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the competent authority as required by UU PDP and (where applicable) GDPR.
12. Children
Our services are not directed at children under 13. Clients between 13 and 18 are minors under our Terms of Use; their data is processed only with parental / guardian consent (Section 9 of the Terms of Use).
13. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. The current version is the version published at bodystudiobali.com/privacy-policy/. For material changes, we will notify you at your next booking confirmation or by email.
14. Governing law and language precedence
This Privacy Policy is governed by the laws of the Republic of Indonesia. It is issued in English and in Bahasa Indonesia; the Bahasa Indonesia version is the legally controlling version in accordance with UU 24/2009. The English version is provided for the convenience of international clients only.
15. Contact
PT New Beginnings Retreat — Body Studio Bali
Uluwatu St No.184, Ungasan, South Kuta, Badung Regency, 80361, Bali, Indonesia
Email: info@bodystudiobali.com
WhatsApp: +62 822-2160-0336
End of Privacy Policy.