Privacy Policy
Last updated: 04 November 2025
This Privacy Policy explains how Sanctu (“we”, “us”, or “our”) collects, uses, discloses, and protects personal data when you use our website, applications (including PWA), and services (the “Platform”). We align with Indonesia’s Personal Data Protection Law (UU No. 27/2022) and other applicable laws.
If you do not agree with this Policy, please do not use the Platform.
1. Who We Are & Contact
Sanctu
Bali, Indonesia
Privacy: privacy@sanctu.app
General: reach.us@sanctu.id
Support: support@sanctu.app
2. Data We Collect
2.1 Data You Provide
- Identity & Contact: name, email, phone number.
- Booking Details: selected service, date/time, special notes, location for on-site service.
- Communications: messages with Providers/support, reviews/ratings.
- Verification (if applicable): documents or proofs needed for Provider onboarding.
2.2 Data We Receive/Generate
- Payment & Transaction Data: from our payment processor (e.g., Midtrans). We do not store full card numbers.
- Usage/Technical Data: IP address, device, browser, OS, app telemetry, pages viewed, session IDs, crash logs.
- Authentication & Security: tokens (e.g., JWT), login timestamps, fraud signals.
- Cookies/SDKs: for session management, analytics, personalization, and security.
3. Why We Use Your Data (Purposes)
- Provide Services: account creation, booking, Provider matching, on-site fulfillment.
- Process Payments: charge, refund, verify transactions.
- Communicate: confirmations, reminders, support, service updates.
- Improve & Secure: analyze performance, prevent fraud/abuse, debug issues.
- Legal/Compliance: respond to lawful requests and meet regulatory duties.
- Marketing (with consent where required): newsletters, promos, and personalized content.
4. Legal Bases (Indonesia PDP Law)
Depending on context, we rely on:
- Contract necessity (to provide the Platform and fulfill bookings);
- Consent (e.g., certain marketing, precise location, optional cookies);
- Legitimate interests (fraud prevention, product improvement, security);
- Legal obligations (record-keeping, regulatory requests).
You can withdraw consent at any time (see Your Rights).
5. Sharing Your Data
We do not sell personal data. We may share data with:
- Providers: to fulfill your booking (limited to what’s necessary).
- Payment Processor: e.g., Midtrans, to process payments and refunds.
- Infrastructure & Communications Partners: e.g., hosting, email/SMS/WhatsApp providers, in-app messaging.
- Analytics & Security Vendors: to monitor performance, detect fraud/abuse.
- Authorities/Regulators: when required by law or to protect rights, safety, or property.
When sharing, we aim to apply appropriate contractual and technical safeguards.
6. International Transfers
If partners store or process data outside Indonesia, we implement safeguards consistent with the PDP Law (e.g., contractual clauses, access controls, encryption) and limit transfers to what is necessary.
7. Data Retention
We retain personal data only as long as necessary for the purposes in this Policy (e.g., bookings, accounting, legal requirements) and then delete or anonymize it. Retention periods may vary by record type and legal needs.
8. Security
We use administrative, technical, and organizational measures such as TLS encryption, strict access controls, network isolation, key management, logging/monitoring, and periodic reviews. No method of transmission or storage is 100% secure.
9. Cookies & Tracking
We use cookies and similar technologies to keep you signed in, remember preferences, measure usage, and prevent fraud.
Your choices:
- Browser or device settings to block/clear cookies (some features may not work).
- In-app or site preferences for analytics/marketing where available.
- Opt-out links in marketing messages.
10. Your Rights (Hak Subjek Data Pribadi)
Subject to the PDP Law and other applicable laws, you may:
- Access your personal data and request copies;
- Correct inaccurate or incomplete data;
- Delete data or request termination of processing where applicable;
- Object to or restrict certain processing;
- Withdraw consent (does not affect prior lawful processing);
- Request data portability where technically feasible;
- Lodge a complaint with the supervisory authority and seek compensation for violations.
To exercise rights, contact privacy@sanctu.app. We may need to verify your identity before responding.
11. Children
The Platform is not intended for individuals under 18. We do not knowingly collect children’s data. If you believe a minor provided data, contact us to remove it.
12. Communications
We send transactional messages (booking confirmations, reminders, service updates). For marketing messages, you can unsubscribe via the link in the message or by contacting us. Transactional messages will continue as they are part of the service.
13. Third-Party Links
Our Platform may link to third-party websites/services. Their privacy practices are governed by their own policies.
14. Changes to This Policy
We may update this Policy periodically. We will notify you of material changes in-app or by email. Continued use after changes means you accept the updated Policy.
15. Contact
Sanctu Privacy Team
privacy@sanctu.app
reach.us@sanctu.id | support@sanctu.app