Privacy Policy

1.Who We Are

This Privacy Policy describes how PT Manta Dive Komodo ("Manta Dive Komodo", "we", "our", "us") collects, uses and protects your personal data.

We are a registered company in Indonesia with offices at Jalan Soekarno Hatta, Labuan Bajo, NTT 86754, Indonesia. We act as the data controller for personal data processed in connection with our diving services.

This policy applies to data we collect through our website mantadivekomodo.com, by email, by WhatsApp, by phone, in person at our office, and during our diving activities.

2.Data We Collect

Data you provide directly

• Identity and contact data: full name, date of birth, nationality, email address, phone number, WhatsApp number, postal address.
• Booking data: trip selection, dates, group size, special requests, payment confirmation.
• Diving qualification data: certification level, certification number, certification agency (PADI, SSI, etc.), number of logged dives.
• Health data: information disclosed in the PADI Medical Statement, including any conditions you declare. This is sensitive data and is handled with extra care.
• Emergency contact: name, relationship and phone number of a person to contact in case of emergency.
• Identity document: passport details when required by Komodo National Park authorities for park entry registration.

Data collected automatically

• Website usage data: pages visited, time on page, device type, browser, approximate location based on IP — collected via Google Analytics 4 (GA4) and Google Tag Manager.
• Photos and videos: images and footage taken during trips by our staff (with the option to opt out — see Photos section in our Terms).

3.How We Use Your Data

We use your personal data for the following purposes:

• To process and confirm your bookings and take payment.
• To communicate with you before, during and after your trip (logistics, pick-up details, weather updates, post-trip thanks).
• To verify your diving qualification and ensure your safety on the water.
• To comply with Komodo National Park entry requirements and local regulations.
• To respond to your enquiries and customer service requests.
• To improve our website, services and customer experience based on aggregated analytics.
• To send marketing communications, only if you have given explicit consent (you can withdraw consent at any time).
• To meet our legal, accounting and tax obligations under Indonesian law.

4.Legal Basis for Processing

Where the European Union General Data Protection Regulation (GDPR) applies (if you are a resident of the European Economic Area or the United Kingdom), we rely on the following legal bases:

• Performance of a contract (Article 6(1)(b)): for processing your booking and providing the diving services you have requested.
• Legal obligation (Article 6(1)(c)): for tax records, park authority requirements and safety regulations.
• Legitimate interests (Article 6(1)(f)): for improving our services and ensuring website security and analytics.
• Consent (Article 6(1)(a)): for marketing communications and use of your image in marketing materials.
• Vital interests (Article 6(1)(d)): for handling medical and emergency contact data in case of an incident.

For health data (Article 9), we rely on your explicit consent given when you sign the PADI Medical Statement.

5.Sharing With Third Parties

We do not sell your data. We share it only when necessary, with the following categories of recipients:

• Booking platform: DiveHQ, our booking management system, processes your booking and contact data on our behalf.
• Payment processors: card payments are handled directly by the payment processor (we do not store full card details). Bank transfer details are visible only to our finance team.
• Komodo National Park authorities: for park entry registration, we share name, nationality and passport number as required by law.
• Insurance and emergency services: in case of a diving incident, we share necessary medical and emergency contact data with hyperbaric chambers, hospitals, evacuation services (e.g. DAN) and your emergency contact.
• PADI: for course registration and certification purposes, we share your name, date of birth and contact details to issue your PADI certification.
• Government and tax authorities: when required by Indonesian law.
• Professional advisers: accountants, auditors and lawyers under confidentiality obligations.

6.International Transfers

We are based in Indonesia. If you are based outside Indonesia (in the EU, UK, or elsewhere), your personal data is transferred to and processed in Indonesia when you book or interact with us.

Indonesia has its own data protection framework under Law No. 27 of 2022 on Personal Data Protection (PDP Law). We apply security measures consistent with both Indonesian and GDPR requirements where applicable.

Some of our service providers (e.g. Google Analytics) are based in the United States. We rely on their respective contractual safeguards for international transfers.

7.How Long We Keep Your Data

• Booking and payment records: 5 years after your last booking, for accounting and tax purposes under Indonesian law.
• Medical statements and liability releases: 7 years, for legal protection in case of dispute.
• Marketing data: until you withdraw consent or after 3 years of inactivity, whichever comes first.
• Website analytics: in accordance with Google Analytics 4 default retention (typically 14 months for user-level data).
• Photos and videos: archived indefinitely unless you request removal of your image.

8.Your Rights

If GDPR applies to you (or under similar protections of the Indonesian PDP Law), you have the following rights regarding your personal data:

• Right of access: request a copy of the personal data we hold about you.
• Right to rectification: ask us to correct inaccurate or incomplete data.
• Right to erasure: ask us to delete your data, subject to legal retention obligations.
• Right to restriction: ask us to limit the processing of your data.
• Right to data portability: receive your data in a structured, commonly used format.
• Right to object: object to processing based on legitimate interests, including direct marketing.
• Right to withdraw consent: where processing is based on consent, you can withdraw it at any time.
• Right to lodge a complaint: with your local data protection authority.

To exercise any of these rights, contact us at info@mantadivekomodo.com. We will respond within 30 days.

9.Cookies and Analytics

Our website uses cookies and similar tracking technologies to function properly and to understand how visitors use our site.

Essential cookies

Required for the website to function (session management, security). These cannot be disabled.

Analytics cookies

We use Google Analytics 4 via Google Tag Manager to collect anonymous usage statistics. This helps us improve the site. IP addresses are anonymised before storage.

Managing cookies

You can manage cookies through your browser settings. Disabling cookies may affect site functionality. We do not currently use third-party advertising or remarketing cookies.

10.Data Security

We take reasonable technical and organisational measures to protect your data, including:

• Encrypted website connection (HTTPS/TLS).
• Restricted access to booking and customer data on a need-to-know basis.
• Secure third-party providers (DiveHQ, payment processors) with their own security standards.
• Regular backups of customer records.

However, no method of internet transmission or storage is 100% secure. In the unlikely event of a data breach affecting your data, we will notify you and the relevant authorities as required by law.

11.Children's Privacy

Our services are not directed at children under 10. PADI courses have minimum age requirements (10 for Junior Open Water, 12 for Open Water). When children participate, parental or guardian consent and signature are required for the medical statement and liability release.

We do not knowingly collect personal data from children under 13 through our website without parental consent. If you believe we have collected such data inadvertently, contact us and we will delete it.

12.Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page shows the most recent version. For significant changes, we will notify you by email or a prominent notice on our website.

13.Contact

This Privacy Policy is written in good faith to comply with Indonesian PDP Law and GDPR principles. It does not constitute formal legal advice. For specific data protection enquiries, contact us directly.