Legal

Privacy Policy

Last updated: 2026-05-14

The privacy of your data and the data of guests you manage is our priority. This document explains what data we collect, why, and how we protect it. We comply with Indonesia's Personal Data Protection Law (UU PDP No. 27/2022) and relevant international data protection practices.

1. Data We Collect

We collect three categories of data:

  • Account data: name, email, phone number, business name, password (hashed).
  • Operational data: properties, rooms, prices, bookings, and transactions you input into the dashboard.
  • Guest data: guest names, contact info, ID/passport (if entered), stay history. As the user, you are responsible for obtaining guest consent to store this data.
  • Technical data: IP address, browser type, access logs — for security and debugging.

2. Processing Purpose

Data is used to:

  • Provide and operate HuniStay's features.
  • Process subscription payments via third-party payment providers.
  • Send important notifications (bookings, billing, security alerts).
  • Improve the product through aggregate analytics (not per-individual).
  • Meet legal obligations, e.g. data requests from competent authorities.

4. Sharing With Third Parties

We share your data only with:

  • Cloud infrastructure providers (server hosting, databases) bound by confidentiality agreements.
  • Midtrans as our payment processor for transactions.
  • OTA providers (Traveloka, Agoda, Booking.com) only for relevant booking data, per integrations you enable.
  • Competent authorities, when required by court order or regulation.

We do NOT sell your data or guest data to any third party for advertising or commercial purposes.

5. Storage & Server Location

Primary data is stored on servers located in Indonesia or Singapore, depending on our cloud provider's configuration. Encrypted backups are taken on a schedule.

Active account data is retained for the lifetime of the account. After termination, data is permanently deleted within 30 days (except data legally required to be retained, e.g. tax transaction records).

6. Security

Our security measures:

  • TLS encryption for all connections (HTTPS).
  • Passwords hashed with industry-standard algorithms (bcrypt/argon2).
  • Production database access restricted to authorized engineers with 2FA.
  • Audit logs for critical data changes.
  • Scheduled, encrypted backups.

7. Your Rights (UU PDP)

As a data subject, you have the right to:

  • Access personal data we hold about you.
  • Correct inaccurate data.
  • Request deletion (right to be forgotten), except for data legally required to be retained.
  • Restrict or object to certain processing.
  • Port data to another service (export).
  • Withdraw consent at any time, with the consequence that the account may no longer be usable.

To exercise these rights, contact us via email or the Contact page. We respond within 14 business days.

8. Cookies & Tracking

We use functional cookies (session, language preference) essential to the Service. We also use aggregate analytics (e.g. page view counts) without cross-site tracking. We don't run third-party advertising.

9. Children's Privacy

HuniStay is not intended for users under 18. If as a property owner you store data about minor guests (children staying with parents), make sure you only retain strictly necessary data and have parental/guardian consent.

10. Changes to This Policy

This policy may be updated from time to time. Material changes will be announced at least 30 days before taking effect.

11. Data Controller Contact

Questions, complaints, or requests about personal data can be sent to the email or WhatsApp on the Contact page. For data breaches, we'll notify per UU PDP requirements — within 3×24 hours of awareness.

Questions? Reach us at athaillah@neuraworks.id or WhatsApp +62 821 8281 2645.