Privacy Policy — Boat Komodo Trip

At Boat Komodo Trip, we value your trust and are committed to protecting your personal data. This Privacy Policy explains how we collect, use, and disclose your information when you use our website and services.

1. Data Controller

Boat Komodo Trip ("we", "us") is the controller of the personal data processed through this website, in the sense of Art. 4(7) of the EU General Data Protection Regulation (GDPR) and equivalent laws including the UK GDPR and Indonesia's Personal Data Protection Law (UU PDP 27/2022).

Effective date: 2026-04-20. Version 2.0.

2. What Data We Collect and Why

We process the minimum data necessary for each purpose below. Each category is tied to a specific legal basis under Art. 6(1) GDPR.

| Category | Examples | Purpose | Legal basis | Retention |
|---|---|---|---|---|
| Identification & contact | Name, email, phone, WhatsApp number, country | Responding to enquiries, issuing charter quotes, confirming bookings | Art. 6(1)(b) — contract / pre-contract | 3 years after last contact, or as required by Indonesian tax law |
| Booking details | Travel dates, guest count, dietary needs, passport copy (when boarding requires it) | Trip execution, vessel manifest, government clearance | Art. 6(1)(b) — contract; Art. 6(1)(c) — legal obligation | 10 years (Indonesian commercial record retention) |
| Usage data | IP (truncated), browser, device, referring URL, pages viewed, session recordings (via Clarity) | Measuring site performance, fixing bugs, improving content | Art. 6(1)(a) — consent (via banner) | GA4: 14 months · Clarity: 12 months |
| Marketing & remarketing | Google Ads / Meta pixel events (only if consent granted) | Showing relevant ads on other platforms | Art. 6(1)(a) — consent | Until consent withdrawn or 12 months |

We do not collect special-category data (Art. 9 GDPR) — religion, health, sexuality — unless you voluntarily share dietary or medical requirements necessary for your charter. In that case we process under Art. 9(2)(a) (explicit consent) and delete after the trip.

3. Third Parties & Processors

We share the data listed above only with the following processors, each under a written Data Processing Agreement compliant with Art. 28 GDPR.

  • Google LLC (Google Analytics 4, Google Tag Manager) — USA — data transfer under EU Standard Contractual Clauses + Data Privacy Framework (DPF).
  • Microsoft Corporation (Clarity heatmaps & session replay) — USA — DPF certified.
  • Cloudflare Inc. (hosting & CDN) — EU & USA — DPF certified.
  • WhatsApp (Meta Platforms Ireland) — your messages are end-to-end encrypted between your device and ours; Meta holds metadata (your phone number, message timestamps). See WhatsApp's policy.
  • Payment providers — when you pay a deposit, the provider (e.g. Xendit, Stripe, Wise) processes card/bank data directly. We receive only a confirmation token.

We never sell, rent, or trade your personal data.

4. International Transfers

Some of our processors are based outside the EEA / UK / Indonesia. Transfers are safeguarded by: (i) EU Commission adequacy decisions where available; (ii) Standard Contractual Clauses (2021/914) with supplementary measures; (iii) the EU–US Data Privacy Framework where applicable. A copy of the safeguards is available on request.

5. Your Rights

If you are in the EEA, UK, or Indonesia you have the following rights regarding your data:

  • Access (Art. 15) — obtain a copy of the data we hold about you.
  • Rectification (Art. 16) — correct inaccurate or incomplete data.
  • Erasure / right to be forgotten (Art. 17) — delete data no longer necessary, unless we are legally required to keep it.
  • Restriction (Art. 18) — pause processing while a dispute is resolved.
  • Portability (Art. 20) — receive your data in a machine-readable format.
  • Objection (Art. 21) — stop processing based on legitimate interest or direct marketing.
  • Withdraw consent (Art. 7.3) — at any time, via the Cookie settings link in the footer, or by emailing us.
  • Lodge a complaint (Art. 77) — with your local supervisory authority (e.g. CNIL in France, ICO in the UK, BfDI in Germany, or KOMINFO in Indonesia).
  • Not be subject to solely automated decisions (Art. 22) — we do not make automated decisions that produce legal effects on you.

To exercise any right, email [email protected]. We reply within 30 days (Art. 12.3).

6. Cookies & Tracking

We use Google Consent Mode v2 — analytics and marketing cookies are blocked by default until you grant consent via the banner. Full inventory is listed in our Cookie Policy. You can change your choice any time via the Cookie settings link.

7. Security & Breach Notification

This site is served over TLS 1.3 with HSTS pre-load, enforced via our Cloudflare Pages configuration. Sensitive workflows (passport uploads, payments) run on separate encrypted-at-rest channels. Should a breach occur that poses a risk to your rights, we will notify the competent supervisory authority within 72 hours (Art. 33 GDPR) and, where required, notify you without undue delay (Art. 34).

8. Children

Our services are not directed to children under 16 (EU) / 13 (US) / 17 (Indonesia). We do not knowingly collect data from minors without parent/guardian consent. If you believe a child has provided data to us, email us and we will delete it.

9. Changes to This Policy

We may update this policy. Material changes will be highlighted at the top of the page for at least 30 days, and where appropriate communicated via email. The "Effective date" above reflects the latest version.