Privacy Policy
Effective date: Wed 8 May 2024
1) Who we are (Data Controller)
Controller (Art. 4(7) GDPR):
Her Form Bali
Bali, Indonesia
Email: hello@herformbali.com
If required by law, our Data Protection Officer (DPO) can be reached at hello@herformbali.com or by post at the address above with the note “Attn: Data Protection Officer”. (Optional—add if you have a DPO.)
2) What data we collect when you visit our website
When you just browse our site (no account, no forms), your browser automatically sends technical data so we can deliver the site and keep it secure (Art. 6(1)(f) GDPR – legitimate interests):
- IP address
- Date and time of request
- URL and pages viewed
- Referrer URL (if any)
- Amount of data transferred
- Browser, device, operating system
We store these logs for [e.g., 30 days] to detect abuse, fix errors, and secure our systems, then delete or anonymise them.
3) Other features on our website
We offer additional services—e.g., creating an account, placing orders, choosing payment methods, contacting support, or subscribing to emails. To provide these, we collect the data you enter or that is needed to perform the service. We also use trusted service providers who process data on our behalf under contract (Art. 28 GDPR). See Section 9 for the list.
If partners act as independent controllers (e.g., you pay on PayPal’s site), their privacy notices apply.
If any provider is outside the EEA, we use appropriate safeguards (e.g., EU Standard Contractual Clauses). See Section 8.
4) Contacting us and creating an account
When you contact us (email or form), we process your contact details and message to reply (Art. 6(1)(b) or (f) GDPR).
When you create an account, we process the data you provide:
- Name and (optional) title or username
- Login details (email and password)
- Contact details (postal address, phone)
- Any preferences you save in your profile
We keep account data while your account is active.
5) Shopping with us
Order data (Art. 6(1)(b) GDPR – contract):
- Items purchased, price, order number
- Billing and delivery addresses
- Delivery and payment status
- Messages about the order (e.g., support, returns)
- Return status and shipment numbers
Payments: We offer payment methods such as [Credit Card], [PayPal], [Bank Transfer] (edit list). We share the minimum necessary data with payment processors and receive confirmations from them to complete your order. Payment processors are separate controllers for most processing on their platforms. See Section 9.4 for links.
Collections (optional): If invoices remain unpaid after reminders, we may share required data with [Collection Agency Name, address, link] to collect the debt or we may sell the claim (Art. 6(1)(b) or (f) GDPR). (Delete if not used.)
6) Cookies & similar technologies
We use cookies, pixels, and local storage to run the site, understand usage, and—if you consent—measure and improve marketing. Where required, we ask for your consent via our cookie banner. You can change choices anytime via [“Manage Cookies” link in footer].
Cookie types we use:
- Strictly Necessary (cannot be turned off): core site functions, security, authentication.
- Functional (with consent): remember preferences and enhance features.
- Performance/Analytics (with consent): understand visits and improve our site.
- Advertising/Targeting (with consent): show relevant ads and measure campaigns.
Your choices: You can also control cookies in your browser settings. Blocking all cookies may impact some features.
Do Not Track: We currently do not respond to DNT signals because standards are not yet consistent.
Location data (optional): Some features may request location access; you can deny or disable this in your device/browser.
6.1 Analytics (enable only if used)
We use [Google Analytics] to understand how our site is used (Art. 6(1)(a) GDPR – consent).
Provider: Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland.
Privacy: https://policies.google.com/privacy
Opt‑out add‑on: https://tools.google.com/dlpage/gaoptout
6.2 Advertising & remarketing (enable only if used)
- Google Ads: manage ad preferences at https://www.google.com/settings/ads
- Microsoft/Bing Ads: privacy statement https://privacy.microsoft.com/
- Meta (Facebook/Instagram) Ads and pixels: manage at Facebook Ad Preferences. We may create “lookalike” audiences from hashed emails; we do not see individuals’ identities.
Delete items you don’t use.
7) Sharing your data
We only share your data when permitted by law and only with recipients who need it for the purpose.
7.1 Service providers (processors)
Examples: hosting, security, email/SMS, customer support, analytics, payment and fulfilment. They act under our instructions and contractual safeguards.
7.2 Group companies (optional)
If you belong to a group, list the entities that may access data to perform internal functions. (Delete if not applicable.)
7.3 Payment service providers & credit agencies
See Section 9.4 for the specific providers you use.
7.4 Shipping companies
We share your name, delivery address, and (if needed) email/phone with shippers to deliver your order.
7.5 Authorities & legal
We may disclose data if required by law or to establish, exercise, or defend legal claims.
8) International transfers
If data is transferred outside the EEA/UK/Switzerland to a country without an adequacy decision, we use safeguards such as EU Standard Contractual Clauses and additional measures if needed. You can request a copy of relevant safeguards at hello@herformbali.com (with limited redactions).
9) Our processors & partners (fill‑in list)
Replace or remove items you don’t use. Keep links to each provider’s privacy notice.
Analytics: [Google Analytics] – see 6.1.
Advertising: [Google Ads / Meta / Bing] – see 6.2.
10) Retention
We keep personal data only as long as needed for the purpose collected and to comply with legal duties (e.g., tax and accounting). Typical examples:
- Order and payment records: up to [10 years] for tax laws.
- Support communications: [e.g., 24 months] after case closure.
- Marketing consents: until you withdraw or your consent expires under local rules.
- Technical logs: [e.g., 30–90 days].
When retention ends, we delete or irreversibly anonymise data. If immediate deletion isn’t possible, we restrict processing until deletion is feasible.
11) Security
We use technical and organisational measures to protect your data (e.g., encryption in transit (TLS/SSL), access controls, backups, logging). No method is 100% secure, but we work to keep risk low and proportionate.
12) Your rights (GDPR)
You have the following rights under the GDPR (subject to conditions and exemptions):
- Access to your data
- Rectification of inaccurate data
- Erasure (“right to be forgotten”)
- Restriction of processing
- Data portability
- Object to processing based on our legitimate interests or for direct marketing
- Withdraw consent at any time (if processing is based on consent)
To exercise these rights, contact us at hello@herformbali.com. We may ask for proof of identity to protect your data.
If you believe your data protection rights have been infringed, you can complain to your local supervisory authority. If our controller is established in Indonesia, you may also complain to any EU authority.
13) Children
Our services are not directed to children under [13/16]. We do not knowingly collect personal data from children. If you believe a child has provided personal data, contact us to delete it.
14) Changes to this notice
We may update this notice from time to time. If we make material changes, we will notify you by posting the new version here and updating the Effective date above.
Quick Fill‑In Checklist
Optional Local Add‑Ons (delete if not needed)
UK: We also comply with the UK GDPR and Data Protection Act 2018.
Australia: We comply with the Privacy Act 1988 (Cth) and APPs when serving Australian customers. Contact: hello@herformbali.com
Indonesia: We comply with the Personal Data Protection Law (Law No. 27/2022). Contact: hello@getherformbali.com.
