Privacy

Bor & co. (the studio listed in our imprint) is the data controller for personal data collected via the website and at the studio. Questions, rights requests, and privacy complaints reach us at info@borandco.id.

Information you give us. When you submit the appointment form we collect your name, email, phone number, and the brief you write. If you contact us by email or via WhatsApp, we receive whatever you send. WhatsApp messages are routed through Meta’s infrastructure and subject to WhatsApp’s own privacy policy.

Information from the studio (biometric / specific personal data). When you visit the studio for a fitting, we may capture a 3D dental scan or take a physical impression of your teeth. Under UU PDP Art. 4 §1(b), this is classified as specific personal data and is processed only on your specific written or recorded consent, taken in person at the studio before the scan.

Information we collect automatically. When you visit the site we collect basic access logs (IP address, user agent, referrer, pages viewed) for security and abuse prevention, and aggregated cookieless traffic statistics. If something errors on the page, we capture an anonymised error trace so we can fix it.

We rely on the following legal bases:

• Performance of a contract for fitting bookings, order processing, and warranty servicing — appointment-form data, name, contact details, order history.
• Specific explicit consent for processing biometric / specific personal data — 3D scans and impression files. You can withdraw consent at any time; withdrawal does not affect lawful processing already performed and may make warranty servicing impossible.
• Legitimate interest for security, fraud prevention, and platform integrity — access logs, error traces, Cloudflare Turnstile signals.
• Legal obligation for tax records, invoices, and any data we are required by Indonesian law to retain.
• Cookieless aggregated analytics are not based on personal data; no consent or alternative basis is required.

• To schedule and confirm fittings, fabricate and warranty your piece, and follow up on enquiries.
• To monitor and improve site reliability, security, and performance.
• To detect, prevent, and respond to fraud, abuse, and unauthorised access.
• To meet our obligations under Indonesian law (tax, accounting, regulatory reporting).

We do not run targeted advertising campaigns from this site, do not set marketing cookies, and do not share your contact details with third parties for their marketing.

We rely on a small number of third-party processors. We have data-processing agreements (DPAs) in place with each. They process data on our instructions only.

• Vercel — hosting, cookieless analytics, and Web Vitals measurement (United States). See Vercel’s privacy policy.
• Sentry — error monitoring (United States). Captures stack trace, browser/OS, page URL, error breadcrumbs, and a truncated IP. No form input or scan data is sent to Sentry. See Sentry’s privacy policy.
• Cloudflare Turnstile — bot/abuse protection on the appointment form (global edge). See Cloudflare’s privacy policy.

The site is built to function without setting tracking cookies. Essential cookies may be set by hosting infrastructure for security and load-balancing; you can clear or block them in your browser settings without impairing core site functionality. Locale preference is stored in a first-party cookie (NEXT_LOCALE) when you switch language.

Server-side access logs (IP address, user agent, referrer, pages viewed) are not cookies but are personal data. They are kept for short operational windows and are used solely for security, abuse prevention, and resolving incidents.

Appointment requests are kept while the enquiry is active and for a reasonable period afterwards for follow-up and record-keeping — typically up to 24 months. Order records and invoices are kept for the period required by Indonesian tax and accounting law (currently 10 years). Access logs and error logs are retained for shorter operational windows (typically 30–90 days).

3D scans and impression files are retained for the longer of (a) the active warranty period for your piece (lifetime for stone-setting; 30 days for workmanship) plus a reasonable look-back window for fit adjustments, or (b) 24 months from collection. They are deleted earlier on your request and securely destroyed at end-of-retention.

Some of our processors operate outside Indonesia. Vercel and Sentry process data in the United States; Cloudflare uses a global edge network. Under UU PDP Art. 56 and Komdigi PerMen No. 20/2022 we transfer personal data only where (a) the destination country has substantially equivalent protection, OR (b) the processor is bound by Standard Contractual Clauses or equivalent contractual safeguards, OR (c) you have given explicit consent. We rely on contractual safeguards (a/b above) for our processors today; biometric data (scans/impressions) does not leave Indonesia.

Under UU PDP you have the following rights regarding your personal data:

• Right to information about how we process your data (this policy).
• Right of access to a copy of the data we hold about you.
• Right to correction of inaccurate or incomplete data.
• Right to deletion of data that is no longer needed, processed unlawfully, or where you have withdrawn consent.
• Right to restrict processing in specific circumstances.
• Right to object to processing based on legitimate interest.
• Right to data portability — receive your data in a structured, machine-readable format.
• Right to withdraw consent at any time, without it affecting the lawfulness of processing carried out before withdrawal.
• Right not to be subject to automated decision-making that produces legal effects (we do not perform any — see §11).
• Right to file a complaint with the supervisory authority (see §12).

To exercise any of these rights, email info@borandco.id. We respond within 30 days. We will not discriminate against you for exercising these rights.

We do not knowingly process personal data of children under 18 without verifiable parental or guardian consent (UU PDP Art. 25). Our terms of service require an adult guardian for any fitting booked on behalf of a minor; the guardian is the contracting party and the consent-giver for any biometric data captured.

For the avoidance of doubt:

• We do not sell personal data.
• We do not perform automated decision-making or profiling that produces legal or similarly significant effects on you.
• We do not run targeted advertising or share data with ad networks for their own purposes.
• We do not engage in cross-context behavioural tracking or sell access to such tracking.
• We do not transfer biometric data (scans / impressions) outside Indonesia.

If you believe we have processed your personal data in breach of UU PDP, you can lodge a complaint with the Indonesian supervisory authority. Pending the establishment of KPDP (Komisi Perlindungan Data Pribadi), the interim authority is the Ministry of Communication and Digital Affairs (Komdigi, formerly Kemenkominfo). We would prefer to resolve concerns directly first — please contact us at info@borandco.id.

We may update this policy from time to time. The “Last updated” date at the top of this page reflects the most recent change. Material changes affecting how we process your data will be flagged on the site. Continued use of the site or services after a change indicates acceptance of the updated policy.

Bor & co.
Jl. Karang Suwung No. 2, Tibubeneng, Kuta Utara
Canggu, Bali 80361, Indonesia
info@borandco.id
WhatsApp · +62 877 2274 3010

See our imprint for business registration details (NPWP, NIB) and the studio address.