Privacy & Data Protection Policy

This Policy sets out how JVTO collects, uses, protects, and retains personal data, and what rights guests, partners, and other data subjects have in relation to that data.

By contacting us, requesting a quotation, creating a booking, or travelling with JVTO, you acknowledge that you have read and understood this Privacy & Data Protection Policy.

The latest version of this Policy published through JVTO’s official channels is the only version deemed valid and enforceable.

Legal Entity: PT Java Volcano Rendezvous

Brand / Trading Name: Java Volcano Tour Operator (JVTO)

Business Nature: Licensed, specialist private tour operator focusing on volcano, nature, and overland journeys in Java and surrounding regions.

Registered Address: Jl. Khairil Anwar No.102 A, Badean, Bondowoso, East Java 68217, Indonesia

Official Contact Channels:

WhatsApp: +62 822-4478-8833

Email: hello@javavolcano-touroperator.com

Official Website & Booking Portals as published by JVTO

JVTO operates only private, all-inclusive tours under its own management. JVTO does not operate open join-in group tours and does not sell standalone "transport-only" services as its core product.

For the purposes of data protection, PT Java Volcano Rendezvous acts as the Data Controller for personal data processed in the course of JVTO’s operations.

This Policy applies to:

Individuals who contact JVTO via official channels (WhatsApp, email, web forms, booking portals).

Individuals or groups who place bookings or travel with JVTO.

Group organisers providing data on behalf of other participants.

Suppliers, crew, and service partners whose personal data is processed in the context of cooperation with JVTO.

Visitors using JVTO’s website and any official customer or booking portals.

If you use third-party services (e.g. online travel agencies, payment gateways, insurance providers), your data is also subject to their respective privacy policies.

JVTO collects only the data reasonably required to operate safe, compliant, and personalised private tours.

4.1 Enquiries & Bookings

We may collect:

Full name;

Mobile number and WhatsApp contact;

Email address;

Nationality and passport details when required for permits, tickets, or regulatory compliance;

Date of birth where required for age-based policies, permits, or safety screening;

Group size and composition (including children/infants where applicable);

Arrival and departure information (flight/train numbers, arrival times, hotels, meeting points);

Rooming preferences and accommodation requirements;

Travel preferences and special requests related to the itinerary;

Dietary requirements and allergies voluntarily disclosed;

Relevant health or fitness information voluntarily disclosed where it may affect participation in high-exertion or high-altitude activities;

Emergency contact details;

Travel history and past bookings with JVTO.

We also maintain operational records necessary to deliver your tour, such as:

Allocation of hotels, vehicles, jeeps, ferries, and guides;

Permit and ticket references;

Pickup, drop-off, and routing instructions.

4.2 Health & Safety Information

For certain destinations and activities (for example, volcano hikes or sulphur gas environments), local regulations and responsible travel standards may require basic health screening.

JVTO may, where appropriate and lawful:

Collect limited health information relevant to your ability to safely join specific activities;

Coordinate medical clearance processes arranged by authorised providers;

Use such information strictly to protect your safety, comply with regulations, and support you in an emergency.

JVTO does not use health information for unrelated marketing or profiling.

4.3 Payment Information

To confirm and manage bookings, JVTO processes payment-related information in a secure and controlled manner.

JVTO may process:

Payment status and transaction references (such as authorisation codes, payment IDs, and success/failed indicators) received from authorised payment gateway and banking partners;

Evidence of bank transfers or other authorised payments (such as transfer slips or remittance confirmations) to reconcile payments with specific bookings;

Limited, non-sensitive card metadata (such as card brand and last four digits) where required to identify a transaction, assist support, or investigate suspected fraud.

Payment security standards

All online deposit and card payments for JVTO bookings are processed through a secure, SSL-encrypted checkout integrated with JVTO’s authorised payment gateway;

Card processing is operated in line with PCI DSS requirements by the payment gateway provider;

PT Java Volcano Rendezvous (JVTO) does not store full credit or debit card numbers, CVV codes, or online banking passwords on JVTO systems. Sensitive cardholder data is tokenised and processed directly by the payment gateway;

JVTO and its payment partners apply monitoring and risk controls designed to help detect and reduce unauthorised or suspicious transactions.

Prohibited practices

JVTO will never:

Ask you to provide full card numbers, CVV codes, or online banking credentials via email, SMS, social media, or other unsecured channels;

Instruct you to make payments to personal bank accounts or channels that are not listed as official in JVTO’s Booking, Payment & Cancellation Policy or Official Booking Guide.

If you receive any such request, you should treat it as suspicious and verify directly through JVTO’s official WhatsApp number or email address.

4.4 Website, Portal & System Usage Data

When you use JVTO’s website or portals, we may collect:

IP address and general geolocation;

Browser type, device type, operating system, and language settings;

Access times, visited pages, and basic interaction logs (e.g. accessing vouchers, viewing itineraries).

This information is used to:

Maintain security and integrity of our systems;

Prevent fraud and abuse;

Improve usability and service reliability.

4.5 Communications & Service Records

JVTO may retain:

Messages and correspondence via WhatsApp, email, forms, or portals;

Notes necessary for quality assurance, dispute resolution, and safety;

Feedback and reviews that you voluntarily provide.

You may request that we limit the use of such records for promotional purposes.

4.6 Third-Party Personal Data

If you provide data on behalf of other participants, you are responsible for ensuring that:

The information is accurate; and

Those individuals are informed that their data may be shared with JVTO for the purpose of operating their tour.

If you are named as an emergency contact or participant by another person, JVTO may process your data solely for operational or emergency-related purposes.

JVTO uses personal data for the following purposes:

Contract Fulfilment

To design and operate the tour you have requested or booked;

To coordinate accommodation, transportation, guides, permits, tickets, and schedules.

Regulatory Compliance

To comply with Indonesian and relevant local regulations, including national park rules, tourism licensing, immigration requirements, taxation, and safety obligations.

Safety & Emergency Management

To assess suitability for specific activities;

To respond appropriately in case of incidents or emergencies.

Official Communication

To send confirmations, invoices, official tour vouchers, itineraries, meeting-point details, operational updates, and service notices.

Fraud Prevention & Risk Management

To verify payments and booking authenticity;

To investigate and manage potential misuse, chargebacks, or fraudulent activity.

Service Improvement & Insights

To evaluate, improve, and develop JVTO’s products, operational standards, and guest experience.

JVTO does not sell personal data.

Depending on your jurisdiction, our processing of personal data is based on one or more of the following legal grounds:

Performance of a Contract: Where processing is necessary to provide the services you requested or booked.

Legitimate Interests: Including ensuring guest safety, preventing fraud, managing operations efficiently, and improving services in ways that do not override your rights.

Legal Obligations: Where we are required to retain or disclose data under Indonesian or other applicable laws.

Vital Interests: In emergency situations where processing data is necessary to protect life or physical safety.

Consent: For specific optional purposes, such as certain health disclosures, use of images for marketing, or receiving promotional communications.

If you choose not to provide information that is strictly required for safety, regulatory, or contractual purposes, JVTO may be unable to accept or continue your booking for certain services.

JVTO shares personal data only where necessary, proportionate, and subject to appropriate safeguards.

We may share relevant data with:

Internal operations and guest relations teams;

Accommodation partners, transportation providers, and licensed local guides directly involved in your confirmed itinerary;

National park authorities or government agencies where required for permits, safety, or regulatory compliance;

Medical professionals or emergency services where needed to protect vital interests;

Payment gateways, banks, or financial institutions processing payments to PT Java Volcano Rendezvous;

Technology and infrastructure providers who host our systems or communication tools, under confidentiality and data protection obligations.

We do not sell personal data to third parties.

Some technical services, cloud infrastructure, or partners involved in providing JVTO services may be located outside Indonesia.

Where personal data is transferred internationally, JVTO takes reasonable steps to:

Limit access to authorised purposes only;

Implement appropriate technical and organisational security measures;

Work with providers who are subject to suitable data protection or contractual safeguards.

JVTO retains personal data only for as long as reasonably necessary to:

Deliver confirmed services and provide appropriate after-sales support;

Comply with legal, tax, accounting, audit, and regulatory obligations;

Manage claims, disputes, incident reports, and risk;

Demonstrate the legality and quality of services provided.

Retention periods may vary depending on the type of data and applicable regulation. Data that is no longer required is securely deleted or anonymised.

JVTO applies technical, organisational, and physical safeguards to protect personal data against:

Unauthorised or unlawful access;

Accidental loss, destruction, or damage;

Misuse or unauthorised disclosure.

Key measures include:

Use of SSL/TLS encryption on official booking pages and customer portals;

Access controls to ensure only authorised personnel and systems can access booking and customer data;

Separation of roles between operations, finance, and technology teams where appropriate;

Use of reputable third-party providers for hosting, infrastructure, and payment processing, subject to contractual confidentiality and data protection obligations;

Monitoring for unusual or unauthorised activity and prompt investigation of suspected misuse.

Guests are strongly advised:

Not to send full card numbers or sensitive banking credentials through unsecured or unofficial channels;

To inform JVTO promptly via official channels if they suspect any misuse of their data linked to JVTO services.

When required by law, JVTO will assess and respond to any personal data breach and, where appropriate, notify affected parties and/or relevant authorities.

Subject to applicable law, you may have the right to:

Request confirmation of whether JVTO processes your personal data;

Request access to a copy of your personal data;

Request correction of inaccurate or incomplete data;

Request deletion of certain data, where legally permissible;

Request restriction of specific types of processing;

Object to processing based on legitimate interests or for direct marketing;

Withdraw consent where processing is based on your consent.

To exercise your rights, please contact JVTO using the details in Section 12. We may need to verify your identity before processing your request. Where we cannot comply (for example, due to legal obligations), we will inform you of the reason.

For any questions, requests, or concerns about this Policy or our handling of personal data, please contact:

PT Java Volcano Rendezvous (Java Volcano Tour Operator)

Jl. Khairil Anwar No.102 A, Badean, Bondowoso, East Java 68217, Indonesia

WhatsApp: +62 822-4478-8833

Email: hello@javavolcano-touroperator.com

All privacy-related communications received through official channels will be reviewed and handled in a timely and appropriate manner.