Last updated: February 2026
VillaTax is committed to protecting personal data in accordance with the General Data Protection Regulation (EU 2016/679) and the Indonesian Personal Data Protection Law (UU PDP No. 27/2022). This page details our comprehensive data protection practices.
PT. Asiah Legal Jaya (Registration No. 1446293), Benoa Square, 3rd floor, suite 4.3, Jalan By Pass Ngurah Rai No 21 A, Badung, Bali, Indonesia. Data Protection contact: commercial@operium.store. WhatsApp: +6281387983316. We respond to all data protection inquiries within 72 hours.
We collect and process data under the following legal bases: (a) Contract performance (Article 6(1)(b) GDPR): account data, booking data, property data, and staff data necessary to deliver the VillaTax service. (b) Legitimate interest (Article 6(1)(f) GDPR): security logging, service improvement, fraud prevention. (c) Legal obligation (Article 6(1)(c) GDPR): tax-related record keeping as required by applicable law. (d) Consent (Article 6(1)(a) GDPR): optional newsletter subscription, if applicable. We apply the principle of data minimization: we collect only what is strictly necessary for the stated purposes.
Primary data storage: Hetzner GmbH, Germany (EU). All data is encrypted in transit using TLS 1.2 or higher. Database access is restricted to the application layer via firewall rules. Server access requires SSH key authentication (password authentication disabled). Automated daily database backups run at 03:00 UTC with 14-day encrypted retention. Passwords are hashed using bcrypt with a cost factor of 12 (irreversible). The application is protected by rate limiting, CSRF protection, and httpOnly secure cookies.
Guest passport images are automatically and permanently deleted 24 hours after the guest checkout date. This deletion is performed by an automated server cron job running daily. Once deleted, the data is irrecoverably removed from both the filesystem and database references. No manual intervention is required, and no copies are retained.
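The retention job described above, written as an added example that is not VillaTax's own code: a daily run removes passport images whose booking checked out more than 24 hours earlier and clears the database reference, tolerating a missing file so a re-run leaves no dangling reference. The bookings table, its column names and the upload directory are assumptions.

```python
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(hours=24)  # the page's rule: delete 24 hours after checkout


def purge_expired_passport_images(conn, upload_dir, now):
    """Delete image files for bookings past checkout + RETENTION, then clear the DB
    reference. Returns the purged booking ids. Idempotent: a file that is already
    gone is tolerated, so a crash mid-run cannot leave a reference pointing nowhere."""
    cutoff = (now - RETENTION).isoformat()
    rows = conn.execute(
        "SELECT id, passport_image FROM bookings "
        "WHERE passport_image IS NOT NULL AND checkout_at <= ?", (cutoff,)).fetchall()
    purged = []
    for booking_id, image_name in rows:
        # basename() confines the delete to upload_dir even if a stored name were odd
        path = os.path.join(upload_dir, os.path.basename(image_name))
        try:
            os.remove(path)
        except FileNotFoundError:
            pass
        conn.execute("UPDATE bookings SET passport_image = NULL WHERE id = ?", (booking_id,))
        purged.append(booking_id)
    conn.commit()
    return purged


def run_demo():
    """Constructed sample data: three bookings in a throwaway SQLite DB and temp dir."""
    now = datetime(2026, 2, 10, 3, 0, tzinfo=timezone.utc)  # the 03:00 UTC daily run
    upload_dir = tempfile.mkdtemp()
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bookings (id INTEGER PRIMARY KEY, checkout_at TEXT, passport_image TEXT)")
    sample = [
        (1, now - timedelta(days=2), "guest1.jpg"),    # past retention: purge
        (2, now - timedelta(hours=12), "guest2.jpg"),  # checked out, still inside 24 h: keep
        (3, now - timedelta(days=5), None),            # already purged by an earlier run
    ]
    for booking_id, checkout, image in sample:
        if image:
            open(os.path.join(upload_dir, image), "wb").close()
        conn.execute("INSERT INTO bookings VALUES (?, ?, ?)", (booking_id, checkout.isoformat(), image))
    conn.commit()
    purged = purge_expired_passport_images(conn, upload_dir, now)
    remaining_files = sorted(os.listdir(upload_dir))
    remaining_refs = [r[0] for r in conn.execute("SELECT id FROM bookings WHERE passport_image IS NOT NULL")]
    return purged, remaining_files, remaining_refs


if __name__ == "__main__":
    print(run_demo())
```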
You can export all your personal data at any time through self-service tools: CSV export of all bookings, tax breakdowns, staff records, Banjar payments, and property data is available from the dashboard. ZIP export packages all documents and generated reports into a single downloadable archive. These exports require no support request — they are available directly in the application. We also honor formal data portability requests received at commercial@operium.store.
You may request complete deletion of your account and all associated data by emailing commercial@operium.store. Upon receiving a verified request, we will permanently delete: all personal account information, all properties and associated booking data, all staff records and payroll calculations, all uploaded documents and generated reports, all Banjar payment records, all activity logs. Deletion is completed within 30 calendar days. You will receive confirmation once the process is complete.
Stripe Inc. (San Francisco, USA) — Payment processing. PCI DSS Level 1 certified. EU-US Data Privacy Framework participant. Privacy policy: stripe.com/privacy. Resend Inc. (USA) — Transactional email delivery. Data Processing Agreement available upon request. Hetzner GmbH (Gunzenhausen, Germany) — Server hosting and physical data storage within the European Union. ISO 27001 certified. Data processed by US-based sub-processors is protected by Standard Contractual Clauses (SCCs) approved by the European Commission and, where applicable, by the sub-processor's certification under the EU-US Data Privacy Framework.
Primary data storage is within the European Union (Germany). When personal data is transferred to sub-processors located outside the EU/EEA (specifically Stripe and Resend in the United States), such transfers are safeguarded by: Standard Contractual Clauses (SCCs) as approved by the European Commission; the sub-processor's participation in the EU-US Data Privacy Framework where applicable; and technical and organizational measures ensuring an adequate level of data protection.
In the event of a personal data breach that poses a risk to your rights and freedoms, we will: notify the relevant supervisory authority within 72 hours of becoming aware of the breach (Article 33 GDPR); notify affected individuals without undue delay if the breach poses a high risk (Article 34 GDPR); document all breaches, their effects, and remedial actions taken.
Under GDPR and UU PDP, you have the right to: access all personal data we process about you (Article 15); rectify inaccurate data (Article 16); have your data erased (Article 17); restrict processing (Article 18); receive your data in a machine-readable format (data portability, Article 20); object to processing based on legitimate interest (Article 21); and not be subject to automated decision-making (Article 22). To exercise any right, contact commercial@operium.store from your registered email address.
This page is reviewed quarterly. Material changes are communicated via email to all registered users at least 14 days before taking effect. The date at the top of this page reflects the last update.