Privacy Policy

The data controller responsible for your personal data is: JavaRoutes Jl. Sembuh Wetan, Sidokarto, Godean District Sleman Regency, Special Region of Yogyakarta 55294, Indonesia Email: [email protected] WhatsApp: +62 851-2350-7474

We collect the following categories of personal data: Information you provide directly: • Full name, email address, phone number (booking and contact forms) • Travel preferences, dietary requirements, medical conditions (tour planning) • Passport details (when required for domestic flights or permits) • Payment information (processed securely via PayPal/Wise/Midtrans — we do not store card details) Information collected automatically: • IP address, browser type, device information • Pages visited, time spent, referral source (via analytics cookies) • Language preference and geographic region Information from third parties: • Payment confirmation from PayPal, Wise, or Midtrans (transaction ID, payment status)

We process your personal data for the following purposes: • Booking management: To process, confirm, and manage your tour bookings • Communication: To respond to inquiries, send booking confirmations, and provide travel updates • Payment processing: To facilitate secure payments through PayPal, Wise, or Midtrans • Service improvement: To analyze website usage and improve our services • Legal compliance: To comply with tax, accounting, and regulatory obligations • Marketing: Only with your explicit consent — to send newsletters or promotional offers Legal bases for processing: contract performance, legitimate interest, legal obligation, and consent (where applicable).

We share your personal data only when necessary: • Service providers: Hotels, airlines, local guides, and transport companies (only information needed to fulfill your booking) • Payment processors: PayPal, Wise, Midtrans (PCI-DSS compliant) • Analytics: Anonymous, aggregated data for website analytics • Legal requirements: When required by law, court order, or government authority We do NOT sell your personal data to third parties. We do NOT share your data for advertising purposes.

Your data may be transferred to and processed in Indonesia, the European Economic Area (EEA), and the United States. Where data is transferred outside the EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or adequacy decisions by the European Commission.

We retain your personal data for the following periods: • Booking data: 7 years after the tour date (tax and accounting requirements) • Contact form submissions: 2 years after last communication • Website analytics: 26 months (anonymized) • Marketing consent: Until you withdraw consent After the retention period, data is securely deleted or anonymized.

Under the GDPR and applicable laws, you have the following rights: • Right of access: Request a copy of your personal data • Right to rectification: Request correction of inaccurate data • Right to erasure: Request deletion of your data ("right to be forgotten") • Right to restrict processing: Request limitation of data processing • Right to data portability: Receive your data in a structured, machine-readable format • Right to object: Object to processing based on legitimate interest or for marketing • Right to withdraw consent: Withdraw consent at any time To exercise your rights, contact us at [email protected]. We will respond within 30 days.

Our website uses cookies to enhance your experience. Please see our Cookie Consent banner for detailed information about the cookies we use and how to manage your preferences. Essential cookies: Required for website functionality (session, language preference) Analytics cookies: Help us understand how visitors use our website (opt-in only) You can manage your cookie preferences at any time through the cookie settings on our website.

We implement appropriate technical and organizational measures to protect your personal data, including: • SSL/TLS encryption for all data in transit • Secure payment processing via PayPal, Wise, and Midtrans • Access controls and authentication for staff systems • Regular security reviews and updates While we strive to protect your data, no method of transmission over the internet is 100% secure.

Our services are not directed to children under 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. We encourage you to review this policy periodically.

For questions about this Privacy Policy or to exercise your data rights: JavaRoutes Email: [email protected] WhatsApp: +62 851-2350-7474 If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority (e.g., Autoriteit Persoonsgegevens in the Netherlands, ICO in the UK, CNIL in France).