Privacy

Bor & co. (the studio listed in our imprint) is the data controller for personal data collected via the website and at the studio. Questions, rights requests, and privacy complaints reach us at info@borandco.id.

Information you give us. When you submit the appointment form we collect your name, email, phone number, and the brief you write. If you contact us by email or via WhatsApp, we receive whatever you send. WhatsApp messages are routed through Meta’s infrastructure and subject to WhatsApp’s own privacy policy.

Information from the studio (biometric / specific personal data). When you visit the studio for a fitting, we may capture a 3D dental scan or take a physical impression of your teeth. Under UU PDP Art. 4 §1(b), this is classified as specific personal data and is processed only on your specific written or recorded consent, taken in person at the studio before the scan.

Information we collect automatically. When you visit the site we collect basic access logs (IP address, user agent, referrer, pages viewed) for security and abuse prevention, and aggregated cookieless traffic statistics. If something errors on the page, we capture an anonymised error trace so we can fix it.

We rely on the following legal bases:

• Performance of a contract for fitting bookings, order processing, and warranty servicing — appointment-form data, name, contact details, order history.
• Specific explicit consent for processing biometric / specific personal data — 3D scans and impression files. You can withdraw consent at any time; withdrawal does not affect lawful processing already performed and may make warranty servicing impossible.
• Legitimate interest for security, fraud prevention, and platform integrity — access logs, error traces, Cloudflare Turnstile signals.
• Legal obligation for tax records, invoices, and any data we are required by Indonesian law to retain.
• Consent for analytics and marketing cookies — Google Analytics, Google Ads, and Meta Pixel set cookies for measurement and ad attribution. You can accept or decline these via the cookie banner, or block them in your browser settings. Withdrawal does not affect lawful processing already performed.

• To schedule and confirm fittings, fabricate and warranty your piece, and follow up on enquiries.
• To monitor and improve site reliability, security, and performance.
• To detect, prevent, and respond to fraud, abuse, and unauthorised access.
• To meet our obligations under Indonesian law (tax, accounting, regulatory reporting).

We run paid acquisition campaigns on Google and Meta — these set cookies to measure ad effectiveness (see §06). We do not share your contact details with third parties for their own marketing and do not sell personal data.

We rely on a small number of third-party processors. We have data-processing agreements (DPAs) in place with each. They process data on our instructions only.

• Vercel — hosting, cookieless Web Analytics, and Speed Insights (United States). Speed Insights sets _vercel_* cookies for performance measurement. See Vercel’s privacy policy.
• Google Analytics 4 — measurement of page views, configurator interactions, and purchases (United States). Sets _ga, _ga_*, and _gid cookies. See Google’s privacy policy.
• Google Ads — conversion attribution and remarketing for our paid campaigns (United States). Sets _gcl_au and _gcl_aw cookies (the latter only if you arrived from a Google ad). See Google’s privacy policy.
• Meta Pixel — conversion attribution and audience matching for our Facebook and Instagram campaigns (United States). Sets _fbp and (if you arrived from a Meta ad) _fbc cookies; events are also relayed server-side via the Conversions API. See Meta’s privacy policy.
• Sentry — error monitoring (United States). Captures stack trace, browser/OS, page URL, error breadcrumbs, and a truncated IP. No form input or scan data is sent to Sentry. See Sentry’s privacy policy.
• Cloudflare Turnstile — bot/abuse protection on the appointment form (global edge). See Cloudflare’s privacy policy.

We use cookies in three categories:

• Essential — NEXT_LOCALE (your language pick), Cloudflare (security and load-balancing), Cloudflare Turnstile (bot protection on the appointment form). Always set; required for the site to work.
• Analytics — _ga, _ga_*, _gid (Google Analytics), _vercel_* (Vercel Speed Insights). Set when you accept consent through the cookie banner.
• Marketing — _gcl_au, _gcl_aw (Google Ads), _fbp, _fbc (Meta Pixel). Set when you accept consent through the cookie banner.

You can change your consent at any time via the cookie-settings link in the footer. You can also block or clear all cookies via your browser settings; essential cookies will be re-set on next visit.

Server-side access logs (IP address, user agent, referrer, pages viewed) are not cookies but are personal data. They are kept for short operational windows and are used solely for security, abuse prevention, and resolving incidents.

Appointment requests are kept while the enquiry is active and for a reasonable period afterwards for follow-up and record-keeping — typically up to 24 months. Order records and invoices are kept for the period required by Indonesian tax and accounting law (currently 10 years). Access logs and error logs are retained for shorter operational windows (typically 30–90 days).

3D scans and impression files are retained for the longer of (a) the active warranty period for your piece (lifetime for stone-setting; 30 days for workmanship) plus a reasonable look-back window for fit adjustments, or (b) 24 months from collection. They are deleted earlier on your request and securely destroyed at end-of-retention.

Some of our processors operate outside Indonesia. Vercel and Sentry process data in the United States; Cloudflare uses a global edge network. Under UU PDP Art. 56 and Komdigi PerMen No. 20/2022 we transfer personal data only where (a) the destination country has substantially equivalent protection, OR (b) the processor is bound by Standard Contractual Clauses or equivalent contractual safeguards, OR (c) you have given explicit consent. We rely on contractual safeguards (a/b above) for our processors today; biometric data (scans/impressions) does not leave Indonesia.

Under UU PDP you have the following rights regarding your personal data:

• Right to information about how we process your data (this policy).
• Right of access to a copy of the data we hold about you.
• Right to correction of inaccurate or incomplete data.
• Right to deletion of data that is no longer needed, processed unlawfully, or where you have withdrawn consent.
• Right to restrict processing in specific circumstances.
• Right to object to processing based on legitimate interest.
• Right to data portability — receive your data in a structured, machine-readable format.
• Right to withdraw consent at any time, without it affecting the lawfulness of processing carried out before withdrawal.
• Right not to be subject to automated decision-making that produces legal effects (we do not perform any — see §11).
• Right to file a complaint with the supervisory authority (see §12).

To exercise any of these rights, email info@borandco.id. We respond within 30 days. We will not discriminate against you for exercising these rights.

We do not knowingly process personal data of children under 18 without verifiable parental or guardian consent (UU PDP Art. 25). Our terms of service require an adult guardian for any fitting booked on behalf of a minor; the guardian is the contracting party and the consent-giver for any biometric data captured.

For the avoidance of doubt:

• We do not sell personal data.
• We do not perform automated decision-making or profiling that produces legal or similarly significant effects on you.
• We do not share contact details or scan data with ad networks for their own purposes, and do not sell personal data.
• We do not transfer biometric data (scans / impressions) outside Indonesia.

If you believe we have processed your personal data in breach of UU PDP, you can lodge a complaint with the Indonesian supervisory authority. Pending the establishment of KPDP (Komisi Perlindungan Data Pribadi), the interim authority is the Ministry of Communication and Digital Affairs (Komdigi, formerly Kemenkominfo). We would prefer to resolve concerns directly first — please contact us at info@borandco.id.

We may update this policy from time to time. The “Last updated” date at the top of this page reflects the most recent change. Material changes affecting how we process your data will be flagged on the site. Continued use of the site or services after a change indicates acceptance of the updated policy.

Bor & co.
Jl. Karang Suwung No. 2, Tibubeneng, Kuta Utara
Badung, Bali 80361, Indonesia
info@borandco.id
WhatsApp · +62 877 2274 3010

See our imprint for business registration details (NPWP, NIB) and the studio address.