Privacy Policy

HITA Indonesia is committed to protecting your personal data in accordance with Indonesian law and international best practices.

Effective: February 28, 2026 | Indonesia | UU No. 27/2022 Compliant

Overview

HITA Indonesia (Hotel Information Technology Association Indonesia), a non-profit professional association registered in Indonesia, operates the website https://hita-id.org and related digital services (collectively, the "Platform").

This Privacy Policy explains how we collect, use, disclose, retain, and protect your personal information when you access or use our Platform. By using the Platform, you agree to the practices described in this policy.

This policy complies with Indonesian Law No. 27 of 2022 on Personal Data Protection (Undang-Undang Perlindungan Data Pribadi / UU PDP) and the European Union General Data Protection Regulation (GDPR). It is also aligned with internationally recognized data protection principles, including those required by Google's OAuth 2.0 API Services.

1. Data We Collect

We collect the following categories of personal data:

A. Account & Identity Data

  • Full name, email address, phone number
  • Profile photo (if provided)
  • Google account ID and email (when using Google Sign-In via OAuth 2.0)
  • Membership status, regional chapter affiliation

B. Professional & Membership Data

  • Current employer (hotel/property name), job title
  • Technology stack and professional skills
  • Work experience and educational background
  • Membership registration form responses

C. Usage & Technical Data

  • IP address, browser type, operating system
  • Pages visited, time spent, click behaviour
  • Authentication session tokens (stored as HTTP-only cookies)
  • Activity logs for member portal access

D. Communications & AI Interactions Data

  • Messages sent via the Contact form and email correspondence
  • Text chat logs with the MHITA.AI Assistant
  • Voice and video streams during MHITA.AI sessions (processed in real-time via WebRTC, not permanently stored)

Google OAuth 2.0: When you sign in using Google, we access only your basic profile (name, email address, profile picture) as permitted by the OAuth scopes you authorize. We do not access your Google Drive, Gmail, Contacts, or any other Google service data.

2. How We Use Your Data

We use your personal data for the following lawful purposes:

Membership management: Registering and managing your HITA Indonesia membership account.
Authentication: Verifying your identity when you log in via email/password or Google OAuth 2.0.
Communication: Sending membership confirmations, event announcements, and organizational updates relevant to your chapter.
Platform operation: Displaying member directories (only to verified members), publishing news and events, and maintaining the gallery.
Security & fraud prevention: Monitoring access logs to detect unauthorized access, suspicious activity, and using CAPTCHA to prevent bot abuse.
AI Assistant Services: Processing your text and voice inputs in real-time to provide automated responses via MHITA.AI.
Legal compliance: Fulfilling obligations under Indonesian law (UU No. 27/2022) and the GDPR.
Organizational analytics: Generating anonymized statistics about membership growth and regional engagement (no individual identification).

We do not use your personal data for targeted advertising, sell your data to third parties, or use automated decision-making that produces legal effects about you.

3. Data Sharing & Disclosure

We do not sell, rent, or trade your personal data. We may share limited data only in these circumstances:

Service Providers

We use trusted third-party infrastructure providers to operate the Platform. This includes Supabase (database & authentication, hosted in Singapore), a Dedicated VPS (web hosting, non-shared environment), LiveKit (real-time voice/video processing for MHITA.AI), Cloudflare (Turnstile anti-bot protection), and Resend (email delivery). These providers act as data processors and are contractually bound to protect your data.

Regional Chapter Administrators

Your chapter affiliation and basic profile may be visible to your regional administrator, within HITA Indonesia, solely for membership coordination purposes.

Legal Requirements

We may disclose your information if required by Indonesian law, court order, or government authority, or to protect the rights, property, or safety of HITA Indonesia, its members, or the public.

Organizational Restructuring

In the unlikely event of a merger, transfer, or dissolution of HITA Indonesia as an organization, personal data may be transferred, subject to the same privacy protections.

4. Google API Services — Limited Use Disclosure

HITA Indonesia's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

  • We only request access to data that is necessary to provide member authentication and basic profile display.
  • We do not use Google user data to develop, improve, or train generalized AI or machine-learning models.
  • We do not share Google user data with third parties except as necessary to provide our service, as described above.
  • We do not use Google user data for advertising purposes.
  • Humans at HITA Indonesia do not read your Google data unless you explicitly provide it for support purposes.

5. Data Retention

We retain your personal data for as long as:

  • Your membership account remains active, or
  • It is necessary to comply with our legal obligations, resolve disputes, or enforce our policies.

Upon account deletion or membership withdrawal, we will delete or anonymize your personal data within 30 days, except where retention is required by applicable Indonesian law (e.g., financial records may be kept for up to 5 years per Indonesian tax regulations).

6. Your Rights

Under UU No. 27/2022 (Indonesian PDP Law) and the provisions of the GDPR, you have the right to:

Access: Request a copy of your personal data we hold.
Rectification: Correct inaccurate or incomplete data.
Erasure: Request deletion of your data (subject to legal limitations).
Restriction: Request we restrict processing of your data.
Portability: Receive your data in a structured, machine-readable format.
Objection: Object to processing based on legitimate interests.
Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.
Lodge a Complaint: File a complaint with Indonesia's National Personal Data Protection Agency (BPPDP).

To exercise your rights, contact us at [email protected]. We will respond within 14 business days.

7. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • HTTPS/TLS encryption for all data in transit
  • Encrypted relational database storage at rest (Supabase PostgreSQL, AES-256)
  • Row Level Security (RLS) policies on our database to prevent unauthorized cross-tenant data access
  • Session management via HTTP-only, Secure cookies
  • Cloudflare Turnstile integration to prevent automated brute-force attacks and abuse
  • Role-Based Access Control (RBAC) limiting internal data access by job function

While we take data security seriously, no method of transmission over the internet is 100% secure. If you suspect a data breach, please contact us immediately at [email protected].

8. Cookies & Tracking

We use the following types of cookies:

Essential Cookies: Session authentication cookies required for the Platform to function. These cannot be disabled.
Analytics Cookies: Anonymized usage statistics to understand how the Platform is used (no cross-site tracking or advertising profiles).

You may disable non-essential cookies via your browser settings. Disabling essential cookies will prevent you from logging in.

9. Children's Privacy

The Platform is intended for professional adults (18 years and older). We do not knowingly collect personal data from individuals under the age of 18. If you believe we have inadvertently collected such data, please contact us at [email protected] and we will promptly delete it.

10. International Data Transfers

Our database and authentication infrastructure (Supabase) is hosted in Singapore and our web application is hosted on a Dedicated VPS. By using the Platform, you consent to the transfer of your personal data to these locations. We ensure that all data processors maintain adequate data protection standards using standard contractual clauses and adequacy mechanisms consistent with Indonesian law and the GDPR.

11. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices or applicable law. When we make material changes, we will update the Effective Date at the top of this page and notify active members via email or a prominent notice on the Platform. Your continued use of the Platform after the effective date constitutes your acceptance of the updated policy.

12. Contact Us

For privacy-related questions, data access requests, or to report a concern, contact our Privacy Officer:

HITA Indonesia — Privacy Officer

Hotel Information Technology Association Indonesia

Indonesia