Legal
Privacy Policy
Last updated: 28 April 2026
BASK Gili Meno ("BASK", "we", "us", "our") respects your privacy. This Privacy Policy explains what personal data we collect through baskgilimeno.com and our resort operations on Gili Meno, Indonesia, why we collect it, who we share it with, and the rights you have over it. This policy is designed to comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, and Indonesia's Personal Data Protection Law (UU 27/2022).
1. Who we are (the data controller)
The data controller responsible for your personal data is:
- BASK Gili Meno
- Jl. Gili Meno, Gili Indah, Lombok Utara, NTB 83352, Indonesia
- Email: privacy@baskgilimeno.com
- General enquiries: info@baskgilimeno.com
- WhatsApp: +62 812-3764-7471
For any privacy-related question or to exercise the rights set out in Section 8, please contact us at the email above. We aim to respond within 30 days.
2. What personal data we collect
2.1 Information you give us
When you contact us, fill out a form, make a booking, chat with us through the website, or stay with us, we may collect:
- Identity data: first name, last name, date of birth (for stays), nationality, passport number (legally required for hotel registration in Indonesia).
- Contact data: email address, phone number, postal address.
- Reservation data: arrival and departure dates, room preferences, guest count, special requests, dietary requirements.
- Payment data: cardholder name and last four digits (full card numbers are processed by our payment provider, we do not store them).
- Communications: messages sent via the contact form, the on-site chat widget, WhatsApp, email, or SMS.
- Marketing preferences: opt-in choices for our newsletter or promotional updates.
- On-property: dining and spa preferences, in-stay service requests, feedback you give us.
2.2 Information we collect automatically
When you visit baskgilimeno.com we automatically collect:
- Device and browser information (type, version, operating system, screen size).
- IP address and approximate location (country / city level).
- Usage data: pages viewed, time spent, referring URL, click paths, search terms.
- Cookies and similar identifiers (see Section 4).
2.3 Information from third parties
- Any online travel agent (OTA) or other intermediary when you reserve through them.
- Social media platforms when you interact with our pages or click on our ads.
- Review platforms (e.g. Google, TripAdvisor) when you leave feedback that mentions you by name.
3. Why we use your data and our lawful basis
Under the GDPR we must have a lawful basis for processing your personal data. The table below summarises the main purposes and the basis we rely on.
| Purpose | Lawful basis (GDPR Art. 6) |
|---|---|
| Manage reservations, check-in/out, and your stay. | Contract performance (Art. 6(1)(b)) |
| Respond to enquiries sent via forms, chat, email, or WhatsApp. | Legitimate interests / Contract steps (Art. 6(1)(f) / (b)) |
| Process payments and prevent fraud. | Contract performance / Legal obligation |
| Comply with hotel registration, tax, and accounting laws in Indonesia. | Legal obligation (Art. 6(1)(c)) |
| Send marketing emails, newsletters, or SMS about offers. | Consent (Art. 6(1)(a)), you can withdraw at any time |
| Analytics, site improvement, content personalisation. | Consent (analytics & marketing cookies) / Legitimate interests (essential analytics) |
| Defend against legal claims and protect our property. | Legitimate interests (Art. 6(1)(f)) |
4. Cookies and tracking technologies
We and our service providers use cookies, pixels, and similar technologies. You can manage non-essential cookies through our cookie banner or your browser settings. The categories we use:
- Strictly necessary: required for the site to function (e.g. session, security). These do not require consent.
- Analytics: Google Analytics 4 (Google Tag Manager, ID G-YGS3N737VQ), measures page views, traffic sources, and engagement. Loaded only with your consent.
- Functional / chat: the Open Doors chat widget (see Section 5) lets you message our team directly from the site and stores your conversation history.
- Marketing / remarketing: where activated, advertising platforms may set cookies to show you relevant ads on third-party sites. Loaded only with your consent.
You can opt out of Google Analytics by installing the official Google opt-out browser add-on.
5. Who we share your data with
We share personal data with the following categories of recipients, all of whom act as our processors or independent controllers under appropriate written agreements:
- Open Doors: our customer-relationship and communications platform. Stores your contact details, conversation history, booking enquiries, and pipeline status. Provider servers are located in the United States.
- Google LLC: Google Analytics, Google Tag Manager, Google Maps, and Google Ads (if running). May process your data in the United States.
- Vercel Inc.: hosts and serves baskgilimeno.com. Processes server logs, IP addresses, and request data.
- ResDiary: third-party restaurant reservation engine for the Beach Club. Subject to their own privacy policy.
- Payment providers: process card payments under PCI-DSS. We do not store full card numbers.
- Booking partners: any online travel agent (OTA) or other reservation intermediary, when you reserve through them.
- Independent service partners: dive operators, transfer providers, helicopter and boat operators, when you ask us to coordinate a service. Each is an independent controller for their own processing.
- Professional advisers: accountants, auditors, and lawyers, where required.
- Government authorities: Indonesian immigration / tax / police where required by law.
We do not sell your personal data and we do not share it for independent third-party advertising purposes.
6. International data transfers
BASK is based in Indonesia, which is outside the European Economic Area (EEA) and the United Kingdom. Our service providers listed above are based in the United States and other jurisdictions. When we transfer personal data of EEA / UK residents outside those regions, we rely on appropriate safeguards, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission;
- Adequacy decisions where they apply;
- Supplementary technical and contractual measures where required.
You can request a copy of the safeguards in place by emailing privacy@baskgilimeno.com.
7. How long we keep your data
We keep personal data only for as long as necessary for the purpose for which it was collected, then we either delete it or anonymise it. Typical retention periods:
- Reservation and stay records: 10 years (Indonesian tax and accounting law).
- Guest registration / passport copies: as required by Indonesian regulations, then deleted.
- Marketing contact data: until you withdraw consent or after 3 years of inactivity, whichever is sooner.
- Website enquiries that did not result in a booking: 2 years.
- Server logs and analytics: 14 months for granular data.
- Chat-widget conversations: 3 years from last interaction.
8. Your rights
If you are in the EEA, the UK, or Indonesia, you have the following rights in relation to your personal data:
- Access: request a copy of the personal data we hold about you.
- Rectification: ask us to correct inaccurate or incomplete data.
- Erasure ("right to be forgotten"): ask us to delete your data, subject to legal retention obligations.
- Restriction: ask us to pause processing in certain circumstances.
- Portability: receive your data in a structured, machine-readable format.
- Objection: object to processing based on our legitimate interests, including direct marketing.
- Withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting prior lawful processing.
- Lodge a complaint: with your national supervisory authority, for example, the Information Commissioner's Office in the UK, your local Data Protection Authority in the EEA, or the Ministry of Communication and Informatics (Kominfo) in Indonesia.
To exercise any of these rights, email privacy@baskgilimeno.com. We may need to verify your identity before responding.
9. Children's data
We do not knowingly collect personal data directly from children under 16. Where children stay with us as part of a family booking, the booking adult is responsible for providing the child's details. If you believe a child has provided us with personal data, please contact us and we will delete it.
10. How we protect your data
We use industry-standard technical and organisational measures to protect personal data, including HTTPS encryption in transit, encryption at rest where available, role-based access control, audit logging, and contractual safeguards with our processors. No system is perfectly secure; if we become aware of a personal data breach affecting your rights, we will notify you and the relevant supervisory authority in line with the GDPR's 72-hour rule.
11. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. Material changes will be communicated through the website or by email where appropriate.
12. Governing Law
This Privacy Policy is governed exclusively by the laws of the Republic of Indonesia, with the express exclusion of the laws of any other country. Nothing in this clause limits the rights you have under the EU GDPR, the UK GDPR, or any mandatory data-protection law that applies to you in your country of residence.
13. Contact
If you have any questions about this Privacy Policy or how we handle your personal data, please contact us at privacy@baskgilimeno.com.
See also our Terms & Conditions and Cancellation Policy.