Last updated: February 2026
VillaTax is operated by PT. Asiah Legal Jaya, a company registered in Indonesia (Registration No. 1446293), with its registered office at Benoa Square lantai 3 suite 4.3, Jalan By Pass Ngurah Rai No 21 A, Badung, Bali, Indonesia. For any privacy-related inquiries, contact us at commercial@operium.store or WhatsApp +6281387983316.
Account data: email address, full name, company name, and a securely hashed password (bcrypt, 12 rounds). Booking data: guest names, check-in and check-out dates, gross revenue amounts, platform source (Airbnb, Booking.com), and tax breakdowns. Property data: property names, addresses, regency classification, and legal entity information. Staff data: employee names, salary amounts, and BPJS contribution flags. Guest data: passport photographs uploaded via secure portal links, which are automatically and irrecoverably purged 24 hours after the guest checkout date. Payment data: processed exclusively by Stripe. We never store, access, or transmit credit card numbers, CVVs, or bank account details on our servers.
We process your personal data for the following purposes: (a) contract performance - providing the VillaTax service including tax calculations, report generation, booking management, and compliance tracking; (b) legitimate interest - improving our service, preventing fraud, and ensuring platform security; (c) legal obligation - maintaining records as required by applicable tax and commercial regulations. We do not process data for marketing purposes without your explicit consent, and we never sell, rent, or trade your personal data to third parties.
All data is stored on European servers (Hetzner GmbH, Germany) with TLS/SSL encryption for all data in transit. Database access is restricted to the application layer through firewalled connections. Server access requires SSH key authentication. Automated daily backups are performed at 03:00 UTC with 14-day retention. Passwords are hashed using bcrypt with 12 salt rounds - we cannot read or recover your password.
Account and booking data is retained for the duration of your active subscription plus 90 days after cancellation to allow for reactivation. Guest passport images are automatically and permanently deleted 24 hours after the checkout date via an automated server process. Upon account deletion request, all personal data, properties, bookings, staff records, and uploaded documents are permanently removed within 30 days.
We use strictly essential cookies for authentication (httpOnly, secure, sameSite: lax). We use browser localStorage exclusively for user interface preferences: language selection and light/dark theme. We do not use any tracking cookies, analytics cookies, advertising pixels, or third-party scripts that collect personal data.
Under the General Data Protection Regulation (GDPR) and Indonesian data protection law (UU PDP No. 27/2022), you have the right to: access all personal data we hold about you; rectify inaccurate data via your Settings page; export your data at any time in CSV and ZIP formats directly from the dashboard; request complete erasure of your account and all associated data; object to processing based on legitimate interest; lodge a complaint with a supervisory authority. To exercise any of these rights, contact commercial@operium.store. We respond within 72 hours and process requests within 30 days.
Stripe Inc. (San Francisco, USA) - payment processing, PCI DSS Level 1 certified, EU-US Data Privacy Framework participant. Resend Inc. (USA) - transactional email delivery, Data Processing Agreement available upon request. Hetzner GmbH (Gunzenhausen, Germany) - server hosting and physical data storage within the European Union. All sub-processors maintain their own GDPR compliance programs. Data processed by US-based sub-processors is governed by Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework where applicable.
Your primary data is stored within the European Union (Germany). When data is transferred to sub-processors outside the EU (Stripe, Resend), such transfers are protected by Standard Contractual Clauses and, where applicable, the sub-processor's certification under the EU-US Data Privacy Framework.
We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material changes will be communicated via email to registered users at least 14 days before taking effect. The current version is always available at this URL.