๐Ÿ‘ค Login๐Ÿ“ Jln Sawe Batu Riti II, Kuta Lombok
The Spot Lombok logo
โ† Back to Blog

Privacy Policy

How The Spot collects, uses, stores, and protects the personal information of guests, members, and website visitors.

1. Who We Are

The Spot is operated from Kuta Lombok, Indonesia. We run a coworking space, accommodation, an all-day cafรฉ, and a customer-facing website at https://me.thespot.id. This Privacy Policy explains what personal information we collect about you, how we use it, who we share it with, and the rights you have over it.

Questions about this policy or your data should go to [email protected].

2. What We Collect

We collect personal information directly from you when you create an account, book a coworking pass, membership, room, equipment rental, scooter, or transport, order food or drinks via our online menu, or contact us by email, WhatsApp, or in person at reception.

The categories of personal information we collect are identity and contact details (first name, last name, email, optional secondary email, WhatsApp number, phone number, nationality, optional date of birth), reservation details (booking dates, room or pass type, dietary preferences, special requests, internal notes added by our staff), payment metadata (payment method, transaction reference, surcharge, paid status โ€” card numbers themselves are processed by Stripe and never stored on our systems), account and login data (hashed password, one-time email codes, magic-link tokens, last login timestamp), loyalty (points balance and history tied to your account), and technical data (IP address, browser user-agent, and basic request metadata used for rate limiting and abuse prevention).

We do not knowingly collect personal information from children under 13.

3. Why We Use It

We use your personal information to:

  • Process and confirm your bookings, orders, and payments.
  • Send you transactional emails โ€” booking confirmations, OTP login codes, magic links, cancellation links, receipts.
  • Run our coworking and accommodation operations โ€” check-in, desk assignment, room cleaning, returning-guest recognition.
  • Administer your loyalty points.
  • Respond to your enquiries and complaints.
  • Prevent fraud, abuse, and unauthorized access (for example, login throttling).
  • Comply with applicable Indonesian laws and tax obligations.

We do not sell or rent your personal information to anyone.

4. Who We Share It With

We share personal information only with the service providers necessary to operate our business, and only the minimum data each provider needs to perform its function:

  • **Stripe** โ€” card payment processing. We share your email, name, and the billing address you enter at checkout. Full card details are handled directly by Stripe and never reach our systems.
  • **Brevo** โ€” sending transactional emails. We share your email, first name, and the contents of the message itself.
  • **Hostinger and Cloudflare** โ€” website hosting and content delivery. They process IP addresses and request logs as part of normal operation.
  • **Indonesian tax authorities** โ€” only aggregated transaction data, where required by law.
  • **Indonesian law enforcement** โ€” only when compelled by valid legal process, and only the data specifically requested.

We may also share data with our own staff who need it to do their job (for example, reception confirming a cash payment), under internal access controls.

5. Where Your Data Is Stored

Our primary database is hosted in Singapore on infrastructure operated by Hostinger. Backups are stored encrypted on the same provider. Some data is processed by Stripe (United States and EEA) and Brevo (France) under their own privacy policies. By using our Services you understand that your information may cross borders.

6. How Long We Keep It

  • Active account and customer records โ€” for as long as you maintain an account, plus the periods required by Indonesian tax and accounting law (typically 10 years for transactional records).
  • Inactive accounts (no login or booking for 24 months) โ€” anonymized or deleted on request; loyalty balance forfeited.
  • Failed login attempts โ€” 24 hours, then deleted.
  • Browser session cookies โ€” cleared after 10 minutes of inactivity.
  • Web server logs โ€” 30 days.
  • Email magic-link tokens โ€” 7 days, single-use.
  • One-time login codes (OTPs) โ€” 15 minutes, single-use.

If you ask us to delete your account, we will do so subject to the legal retention periods above.

7. Cookies

We set the minimum cookies needed to operate the website โ€” a session cookie to keep you logged in, and a CSRF token cookie to protect form submissions. We do not use third-party advertising or tracking cookies. We do not embed Google Analytics, Facebook Pixel, or similar trackers on our customer portal.

8. Your Rights

You have the following rights over your personal information:

  • Access โ€” ask us for a copy of what we hold about you.
  • Correction โ€” ask us to update inaccurate or incomplete information.
  • Deletion โ€” ask us to delete your account and the data tied to it, subject to the retention periods in Section 6.
  • Withdrawal of consent โ€” if we ever rely on your consent to process your data (for example, for marketing emails), you can withdraw it at any time.
  • Complaint โ€” contact us first; if unresolved, you may complain to the Indonesian data protection authority under UU PDP (Law No. 27 of 2022).

To exercise any of these rights, email [email protected] from the address tied to your account.

9. Security

We protect your personal information with industry-standard practices โ€” TLS encryption between your browser and our servers, bcrypt-hashed passwords, IP-based login throttling and lockout after repeated failures, restricted staff access on a need-to-know basis, regular software updates and security patches, and encrypted nightly database backups.

No system is perfectly secure. If we ever suffer a data breach that affects you, we will notify you and the relevant authorities as required by law.

10. Changes to This Policy

We may update this Privacy Policy from time to time. The current version is always available at https://thespotlombok.com/blog/privacy/ with the date at the top of this page. Material changes will be communicated by email to the address on your account.

11. Contact

The Spot Kuta Lombok, Indonesia. Phone: +62 878-6401-3961. Email: [email protected].

For the related General Terms & Conditions, see [our Terms](/blog/general-terms-conditions/).

โ† All PostsCoworking Passes โ†’