プライバシーポリシー

Effective Date: 08-Mar-2024

Last Updated: 21-July-2025

‍

INTRODUCTION

‍

This Privacy Policy outlines how Mulia Group (“Mulia”, “we”, “us”, or “our”) collects, uses, discloses, and protects your personal data when you interact with us across our websites, mobile applications, guest communications, and affiliated services.

‍

We are committed to safeguarding your privacy in accordance with the General Data Protection Regulation (GDPR), Indonesia’s Personal Data Protection Law (PDP Law – Law No. 27/2022), and other global data protection frameworks.

‍

This policy applies to:

• Mulia websites, booking engines, and guest portals;
• Official mobile applications and social media channels;
• Messaging platforms (WhatsApp, Instagram, Facebook Messenger, WeChat);
• E-commerce features (e.g. Instagram Shop, QR order systems);
• Meta Ads and Google Advertising tools;
• AI-powered concierge and chatbot platforms;
• Offline interactions (in-person stays, calls, and event enquiries).

‍

By using our services, you agree to the practices outlined below. You may be asked for explicit consent at key points, such as when subscribing to communications or participating in loyalty programmes.

‍

1. DATA CONTROLLER INFORMATION

‍

This Privacy Policy covers two entities operating under the Mulia brand:

1. PT. Mulia Intan Lestari
   Hotel Mulia Senayan, Jakarta
   Jl. Asia Afrika, Senayan, DKI Jakarta 10270, Indonesia
   ‍
2. PT. Mulia Graha Tatalestari
   The Mulia, Mulia Resort & Villas – Nusa Dua, Bali
   Jl. Raya Nusa Dua Selatan, Kawasan Sawangan, Nusa Dua 80362, Bali, Indonesia

These entities jointly determine the purpose and means of processing your personal data and are referred to collectively as “Mulia”.

‍

2. GOVERNING LAW & JURISDICTION

‍

This policy is governed by the laws of the Republic of Indonesia. Disputes arising from its application shall be subject to the exclusive jurisdiction of the Central Jakarta District Court (for Hotel Mulia Senayan) or Denpasar District Court (for The Mulia Bali).

‍

3. PERSONAL DATA WE COLLECT

‍

A. Information You Provide Voluntarily

‍

• Full name, date of birth, passport/visa details
• Contact details (postal address, email, phone number)
• Booking and stay history, loyalty programme status
• Credit/debit card information (processed via PCI DSS-compliant gateways)
• Guest preferences, dietary or health information (when provided voluntarily)
• Social media handles or user IDs
• Event or corporate travel data (e.g. RFP forms)
• Consent and communication preferences

‍

B. Automatically Collected Information

‍

• IP address, device type, browser version, location
• Session logs, referral sources, site navigation patterns
• Interaction logs with concierge bots or WhatsApp
• Behavioural data collected via cookies, pixels, and similar technologies

‍

4. HOW WE USE YOUR INFORMATION

‍

Your personal data may be used to:

• Process bookings and transactions
• Send pre-stay, in-stay, or post-stay messages via WhatsApp, WeChat, or email
• Personalise your experience and tailor offers
• Operate AI concierge platforms and digital assistants
• Conduct guest satisfaction and service improvement analysis
• Send marketing messages (subject to consent)
• Enforce regulatory obligations and enhance guest safety

‍

We may use profiling tools (AI-driven insights, segmentation models) to improve your experience — for example, by suggesting relevant room types or offers. These tools will never be used to make decisions that produce legal or similarly significant effects without human oversight. You may opt out or request manual review at any time.

‍

5. DISCLOSURE OF INFORMATION

‍

Your information may be shared with:

• Authorised Mulia staff and affiliated entities
• Booking platforms and CRM systems
• Trusted marketing and analytics providers (Meta, Google, TikTok)
• Regulators, legal authorities, or auditors (where required by law)
• Successors or acquiring entities in the event of a business restructuring

‍

All third parties are subject to binding Data Processing Agreements (DPAs). Where data is transferred internationally, Mulia ensures appropriate safeguards such as Standard Contractual Clauses (SCCs) or UK International Data Transfer Agreements (IDTA) are in place.

‍

6. INTERNATIONAL TRANSFERS

‍

Your data may be stored or processed in:

• Indonesia, the United States, the European Union, or other jurisdictions
• Data centres or cloud providers adhering to recognised data protection standards

‍

Cross-border transfers are protected by contractual and technical measures in line with GDPR and PDP Law.

‍

7. LEGAL BASIS FOR PROCESSING

‍

Depending on your location and the nature of the interaction, we rely on:

• Consent (for marketing, analytics, cookies)
• Contractual necessity (for booking and service delivery)
• Legal obligations (e.g. immigration compliance, tax reporting)
• Legitimate interests (e.g. service optimisation, fraud prevention)

‍

You may withdraw consent at any time without affecting the lawfulness of prior processing.

‍

8. YOUR RIGHTS

‍

Subject to applicable laws, you may exercise the following rights:

• Access and correct your personal data
• Request deletion (“right to be forgotten”)
• Object to direct marketing or profiling
• Withdraw prior consent
• Request data portability (in machine-readable format)

‍

Please send requests to dataprivacy@themulia.com. We may require ID verification to protect your data security.

‍

9. SECURITY MEASURES

‍

We implement technical and organisational safeguards, including:

• SSL encryption, firewall protection
• Role-based access control and audit logging
• Staff training and secure onboarding procedures
• Regular review of privacy practices (“privacy by design”)

‍

10. DATA RETENTION

‍

Your personal data is retained for:

• The duration necessary to fulfil bookings, marketing preferences, or legal obligations
• As long as you are an active loyalty programme member

‍

Once no longer required, your data will be securely deleted or anonymised.

‍

11. CHILDREN’S PRIVACY

‍

We do not knowingly collect personal data from individuals under the age of 18 without parental or legal guardian consent. If data is collected for family stays, it is processed solely for service provision.

‍

12. COOKIES & TRACKING TECHNOLOGIES

‍

We use cookies to:

• Enhance site performance and personalise guest journeys
• Analyse browsing behaviour and improve usability
• Deliver personalised ads via trusted platforms

‍

Cookie Consent Management:

We use a certified consent management platform (CMP) that allows you to:

• Accept all cookies
• Reject non-essential cookies
• Customise cookie preferences by category

‍

By default, only essential cookies are enabled. Consent logs are retained for at least 6 months. You may change your preferences via the “Cookie Settings” link in the website footer.

‍

‍‍

13. LOYALTY PROGRAMME (MULIA PRIVILEGE)

‍

If you are a Mulia Privilege member, we use your data to:

• Manage your tier status and redemptions
• Send member-specific offers or anniversary rewards
• Enable recognition across properties

‍

All safeguards and rights described in this policy apply equally to loyalty programme data.

‍

14. MARKETING CONSENT (EMAIL, WHATSAPP, SMS)

‍

By providing your contact details and opting in, you agree to receive:

• Service and transactional communications
• Promotional messages via WhatsApp, SMS, push notifications, and email

‍

You may unsubscribe at any time by replying STOP or contacting dataprivacy@themulia.com.

‍

15. THIRD-PARTY LINKS

‍

Our website may contain links to third-party platforms (e.g. Instagram Shop, e-ticketing, Meta Ads). We are not responsible for the privacy practices or security of these external sites. Please review their privacy policies before submitting personal data.

‍

16. LIMITATION OF LIABILITY

‍

We adopt reasonable measures to protect your personal data. However, no system can guarantee absolute security.

‍

To the extent permitted by applicable law, Mulia shall not be liable for:

• Unauthorised access due to cyberattacks, force majeure, or user negligence
• Indirect, incidental, or consequential losses unless arising from gross misconduct or fraud

‍

17. INDEMNITY

You agree to indemnify and hold harmless Mulia, its affiliates, owners, directors, employees, and representatives from any claims, liabilities, damages, losses, or expenses (including reasonable legal fees) arising from your use of the Site, breach of these Terms, or violation of any law or third-party rights.

‍

18. CHANGES TO THIS POLICY

‍

We may update this Privacy Policy from time to time. The “Last Updated” date above reflects the latest version. Material changes will be communicated via our website or other appropriate means.

‍

19. CONTACT US

‍

Data Protection Officer – Mulia Group

Email: dataprivacy@themulia.com

‍

Please include:

• Your full name
• Your preferred contact details
• Nature of your request
• Supporting documents (if applicable)

‍

Privacy for Mobile Application Users

‍

Mulia Hotels is committed to protecting your personal information, including how we manage data through our official mobile application ("the App"). This section outlines how your information is collected, used, and protected when you use the App.

‍

1. Data Collection & Use

‍

When using the Mulia Hotels App, certain personal information may be collected to enhance your experience and facilitate services:

• We collect valid identification (ID) photos as part of the check-in process.
• While we do not actively collect biometric data, the App may utilise your device’s built-in biometric features (e.g., facial recognition or fingerprint) to provide secure access to the App. Mulia Hotels does not store or access this biometric information.

‍

2. Data Storage & Deletion

‍

All ID and personal data collected via the App is managed and stored by OKKAMI, our third-party technology partner.

• Guest ID photos are retained securely and deleted upon request.
• In addition, we are in the process of implementing an automatic deletion protocol, whereby ID photos will be permanently deleted after 30 days in accordance with GDPR compliance.

‍

For more information, please review OKKAMI’s data handling practices:

• OKKAMI GDPR Compliance, read here.
• Manage Your Data with OKKAMI, read here.

‍

3. Data Hosting Location

‍

All guest data is stored in accordance with regulations and hosted within Indonesia.

‍

4. Payments via the App

‍

Payments made through the App are processed securely using the same trusted payment gateway as our website.

‍

5. Age Restrictions

‍

To register or make a reservation through the App, users must be at least 17 years old. While there is no restriction for downloading the App, only eligible users may create a booking.

‍

6. Data Protection Officer

‍

If you have any questions or would like to make a request related to your personal data, please contact our Data Protection Officer at:

Email: dataprivacy@themulia.com

‍