Privacy Policy
Last Updated: November 6, 2025 · Version 1.0
At Livuma, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform. Please read this privacy policy carefully. If you do not agree with the terms of this privacy policy, please do not access the site.
Data Controller: PT LIVUMA HOME MARKET (PMDN), Jl. Raya Uluwatu, Gg. Sakhen No. 108 A, Pecatu, Kuta Selatan, Kabupaten Badung, Bali 80362, Indonesia. Email: [email protected].
1. Information We Collect
Personal Data
When you register for an account, list a property, or make a booking, we may collect:
Contact information (name, email address, phone number)
Address details for landlords
Payment information (payment card details are processed securely by third-party payment providers; we do not store full card numbers)
Bank account details (for hosts receiving payouts, including account holder name, bank name, and account number)
Identity verification outcome and verified legal name (collected through our KYC provider; see Section 6 for details)
Communications between hosts and guests (including messages forwarded via WhatsApp)
Booking and transaction details (dates, amounts, property information)
Usage Data
We automatically collect certain information when you visit, use, or navigate our platform. This information may include:
Device information (browser type, IP address, device type)
Usage patterns and interactions with our platform
General location information based on IP address
2. How We Use Your Information
We use your information for various purposes, including:
Creating and managing your account
Facilitating transactions between guests and hosts
Verifying identities and preventing fraud
Improving our services based on feedback and usage data
Sending service-related communications and updates
Marketing our services (only where you have enabled marketing notifications in your account settings)
Providing customer support
Powering AI-assisted CRM and customer communication tools (see Section 5)
3. Sharing Your Information
We may share your information with:
Other users as necessary for booking transactions (hosts receive guest contact information, guests receive host information)
Payment processor (Xendit) to process bookings, payments, payouts, and refunds
Identity verification provider (Didit) for KYC checks
WhatsApp service provider (Meta/Facebook WhatsApp Cloud API) to send booking notifications and messages
AI service provider (OpenAI) to power CRM and communication features — only where you have interacted with those features
Service providers who help us operate our platform (hosting, analytics, customer support)
Legal authorities when required by law or to protect our rights
Third parties in the event of a merger, acquisition, or similar business transaction
We do not sell your personal information to third parties.
4. Matching Notifications
Our platform includes a matching feature that helps connect hosts with potential tenants based on property listings and tenant inquiries.
By using our service, you acknowledge and consent to the following:
We may send you email notifications about potential matches between your property listings (for hosts) or housing inquiries (for tenants) and other users on our platform
These notifications may contain relevant personal information, such as listing details, inquiry preferences, contact information, and other data necessary to facilitate potential matches
Personal information shared through these notifications is limited to what is necessary to determine compatibility and facilitate initial contact
You can manage your notification preferences in your account settings
We may use anonymized data from these matching interactions to improve our services and for marketing purposes, such as showcasing successful matches or aggregate statistics
We implement appropriate safeguards to ensure this personal information is processed securely and in accordance with applicable data protection laws.
5. AI Features and CRM
We use AI-powered tools to assist with customer relationship management (CRM) and communication features on our platform.
AI Service Provider
We use OpenAI's API to power certain CRM and communication features. Where AI features process your data, we share only the minimum information necessary with OpenAI. OpenAI acts as a data processor on our behalf and is bound by a Data Processing Agreement. OpenAI's own privacy policy governs how they handle data on their infrastructure.
What Data Is Used
AI features may process: messages and inquiries you send via the platform, listing content, and basic account information. We do not use AI for automated decision-making that produces legal or similarly significant effects on individual users without human oversight.
CRM Data
We maintain a CRM system to manage communications and relationships with users of the platform. CRM records may include contact details, communication history, and interaction preferences. This data is used solely for the purpose of improving our service to you and is not shared with or sold to third parties for marketing.
6. Payment Processing and Escrow Services
When you make a booking through our platform, we use Xendit as our primary payment service provider to securely handle payments, payouts, and refunds.
Payment Processing
Payment card information (credit/debit card numbers, CVV, expiration dates) is collected and processed directly by our payment processors. We do not store or have access to your full payment card details. Payment processors may store your payment method information (tokenized) for future transactions with your consent.
Escrow and Payment Holding
For direct bookings, Livuma holds guest payments in an escrow-like arrangement until check-in or as otherwise specified in the booking terms. Payment amounts, minus the platform fee, are then released to the host's Indonesian bank account according to our payout schedule. This process requires us to share booking and payment information with both guests and hosts, as well as with Xendit.
Host Payout Data
To process payouts, hosts must provide their Indonesian bank account details (bank name, account holder name, account number). This information is shared with Xendit to facilitate payout transfers. Bank account details are verified before the first payout is processed. We retain payout records as described in the Financial Data Retention section below.
Data Shared with Payment Processor
When processing payments, we share with Xendit: your name, email address, billing address, payment amount, booking details, and device/IP information for fraud prevention. Xendit collects and processes your payment card information directly; we do not store full card numbers. Xendit's own privacy policy and terms of service govern how they handle your data.
Financial Data Retention
We retain payment and transaction records for a minimum of 7 years as required by applicable tax and accounting laws. This includes booking amounts, service fees, refunds, and payout records. Host payout information is retained for the same period for tax reporting purposes.
7. Identity Verification (KYC)
To ensure the safety and security of our platform, we require identity verification (Know Your Customer - KYC) for users making direct bookings. This verification is conducted through third-party KYC providers.
KYC Provider
We use Didit as our identity verification provider. Didit collects and processes your ID documents and selfie solely for verification purposes. We receive the verification outcome (approved / declined / in review) and, upon successful verification, your verified full legal name as confirmed by the identity document. We store your verified name to display your verified identity on the platform and to satisfy our anti-money-laundering record-keeping obligations. We do not store copies of your identity documents, selfie photos, or raw biometric data — those remain with Didit in accordance with their privacy policy. By completing identity verification, you acknowledge that your data may be processed outside Indonesia with appropriate data protection safeguards in place.
Biometric and Special-Category Data
The KYC process involves collection of biometric data (selfie photographs and/or live video) by Didit for the purpose of identity verification. Biometric data is classified as special-category (sensitive) personal data under applicable data protection law. By proceeding with KYC verification, you provide explicit consent to this processing. You may withdraw consent at any time by contacting us; however, this will prevent you from making direct bookings on the platform.
Information Collected for KYC
To complete identity verification, you may be asked to provide:
Government-issued identification documents (passport, national ID card, driver's license)
Selfie photos or live video for biometric verification (processed and stored by Didit only)
Address verification documents (if required)
How KYC Data is Processed
KYC providers analyze your documents and biometric data to verify your identity. This verification result (approved/rejected) is shared with us, along with your verified legal name. KYC providers may store your verification documents and biometric data in accordance with their own privacy policies and legal requirements, including anti-money laundering (AML) and counter-terrorism financing (CTF) regulations.
KYC Data Retention
KYC verification records (outcome, verified name, session reference) are retained for a minimum of 5 years from the date of verification, or as required by applicable AML/CTF regulations in Indonesia and other jurisdictions where we operate. This retention period may be extended if required by law or if your account is involved in any disputes or investigations.
Access to KYC Data
We do not have direct access to your full identity documents or biometric data. We only receive verification status and confirmation of your verified legal name. Full KYC documents are stored securely by Didit. In certain circumstances, such as legal investigations or disputes, we may request access to verification records from Didit.
8. WhatsApp Integration
Our platform uses WhatsApp to send booking notifications, payment reminders, and operational updates to users.
WhatsApp Service Provider
We use Meta's WhatsApp Cloud API to send WhatsApp messages. Meta acts as a data processor on our behalf.
Data Shared via WhatsApp
When messages are sent via WhatsApp, we share:
Your phone number
Message content (booking confirmations, payment reminders, and similar operational notifications)
Listing information (property title, URL) included in notifications
Message Log Retention
We retain WhatsApp message delivery logs (recipient phone number, template name, delivery status, and message parameters) for 24 months for audit, support, and dispute resolution purposes. After 24 months these logs are deleted or anonymized.
WhatsApp Privacy
Meta (Facebook) has its own privacy policy that governs how it handles data sent through its WhatsApp Cloud API service. By using our messaging features, you acknowledge that your phone number and message content may be processed by Meta in accordance with their privacy policy and terms of service.
Opt-Out
You can opt out of non-essential WhatsApp notifications (news, promotions, matching alerts) in your account notification settings. Critical booking and payment communications — such as payment links, booking confirmations, check-in reminders, and refund notifications — may still be sent via WhatsApp as they are necessary to fulfil the services you have requested and cannot be disabled without cancelling active bookings.
9. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to collect and track information about your browsing activities. These technologies help us deliver a better and more personalized service, analyze usage patterns, and target ads.
You can set your browser to refuse all or some browser cookies or to alert you when cookies are being sent. However, some parts of the site may not function properly without cookies.
For more information about our cookie practices, please see our Cookie Policy.
10. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage. However, no method of transmission over the Internet or electronic storage is 100% secure, and we cannot guarantee absolute security.
11. Your Rights
Depending on your location, you may have certain rights regarding your personal information, including:
The right to access your personal data
The right to correct inaccurate data
The right to request deletion of your data
The right to data portability
The right to object to processing
The right to opt out of marketing communications
Limitation on Data Deletion
Where you have completed bookings or payment transactions on our platform, we are legally required to retain financial and transaction records for a minimum of 7 years under applicable Indonesian tax and accounting law (and a minimum of 5 years for KYC records under AML/CTF regulations). In such cases, we can anonymize non-essential personal data (such as communications and profile details) but cannot fully erase records linked to financial transactions. You will be informed at the time of any deletion request if this limitation applies.
To exercise these rights, please contact us at [email protected].
12. GDPR Compliance for European Users
For users in the European Economic Area (EEA), we comply with the General Data Protection Regulation (GDPR).
Legal Basis for Processing
We process your personal data on the following legal bases:
Contractual necessity (Art. 6(1)(b)): To provide you with our services as set out in our Terms of Service — account management, booking processing, payouts, and refunds
Legitimate interests (Art. 6(1)(f)): To improve our services, maintain security, and prevent fraud
Consent (Art. 6(1)(a)): For marketing communications — you may withdraw consent at any time in your account settings
Legal obligation (Art. 6(1)(c)): To comply with tax, AML/CTF, and other laws applicable to our operations
Explicit consent (Art. 9(2)(a)): For biometric data processed during KYC identity verification
Your Enhanced GDPR Rights
As an EEA resident, you have additional rights including:
The right to lodge a complaint with the data protection supervisory authority in your EU country of residence
The right to withdraw consent at any time
The right to object to automated decision-making, including profiling
The right to restrict processing in certain circumstances
EU Representative
As a company established outside the EEA that offers services to EEA residents, we are in the process of appointing an EU representative as required by GDPR Article 27. Until our representative is formally designated, EEA residents may direct data protection queries to: [email protected]. We will update this policy once our EU representative is appointed.
Data Transfers
When we transfer your data outside the EEA (to Singapore or Indonesia), we implement appropriate safeguards in accordance with GDPR requirements. These safeguards include Standard Contractual Clauses (SCCs) approved by the European Commission with our data processors. Singapore is not on the EU's adequacy list; accordingly, SCCs form the primary transfer mechanism for all EEA-origin data transferred to our Singapore infrastructure.
Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including legal, accounting, or reporting requirements. Specific retention periods are set out in Section 11 above.
Data Protection Contact
If you have any concerns about how we handle your personal data or wish to exercise your GDPR rights, please contact our Data Protection Contact at [email protected].
13. Indonesia PDP Law Compliance
For users in Indonesia, we comply with Law No. 27 of 2022 on Personal Data Protection (PDP Law/UU PDP).
Your Rights Under PDP Law
As an Indonesian resident, you have the following rights regarding your personal data:
Right to access your personal data
Right to correct inaccurate or incomplete data
Right to request deletion of your data (subject to the financial-records retention limitation described in Section 11)
Right to object to processing
Right to restrict processing
Right to data portability
Right to withdraw consent
Data Processing Location
Your personal data is processed on servers operated by Hetzner Online GmbH located in Singapore. We implement appropriate safeguards — including contractual data processing agreements — to ensure adequate protection of your data when transferred or stored across borders in accordance with PDP Law requirements.
Breach Notification
In the event of a data breach that may harm your personal data, we will notify the competent data protection authority under Indonesian PDP Law within 72 hours (3x24 hours) and affected users as soon as practicable, in accordance with PDP Law requirements.
Consent
We obtain your explicit consent before processing your personal data for purposes such as marketing communications. You have the right to withdraw your consent at any time via your account notification settings. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
Data Protection Contact
For questions about PDP Law compliance, to exercise your rights, or to report concerns about how we handle your personal data, please contact us at [email protected].
14. International Data Transfers
Your information may be transferred to, and maintained on, computers located outside of your state, province, country, or other governmental jurisdiction where the data protection laws may differ from those in your jurisdiction.
We use service providers that process data outside Indonesia, including our payment processor (Xendit), identity verification provider (Didit), AI services (OpenAI), and analytics services. Our primary server infrastructure is hosted by Hetzner in Singapore. Where such transfers occur, we implement appropriate safeguards — including Standard Contractual Clauses and Data Processing Agreements — to ensure an adequate level of protection for your data in accordance with applicable Indonesian data protection law.
If you are located outside Indonesia and choose to provide information to us, please note that we transfer the data to Singapore for processing. Your consent to this Privacy Policy followed by your submission of such information represents your agreement to that transfer.
15. Children's Privacy
Our service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we learn we have collected or received personal information from a child under 18, we will delete that information.
16. Changes to This Privacy Policy
We may update our Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page, updating the version number and "Last Updated" date at the top, and — where required by applicable law — notifying you directly by email.
You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.
17. Contact Us
If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact the data controller:
PT LIVUMA HOME MARKET (PMDN)
Jl. Raya Uluwatu, Gg. Sakhen No. 108 A, Pecatu, Kuta Selatan,
Kabupaten Badung, Bali 80362, Indonesia
Email: [email protected]