Cube Apartments Privacy Policy
Effective date: 9 June 2025

This Privacy Policy (the “Policy”) explains how PT THE CUBE GROUP (the “Company”, “we”, “us”, “our”) processes and protects personal data of users of the website https://cube.apartments/ (the “Site”).
Registered address: Jalan Pantai Suluban, Desa Kelurahan Pecatu, Bali, 80361, Indonesia.
A separate Cookie Policy explains what cookies and tracking technologies we use. See the document “Cube Apartments Cookie Policy”.

1. Definitions

“Personal data” means any information relating to an identified or identifiable natural person (“Data Subject”).
“Processing” means any operation performed on data (collection, recording, storage, transfer, etc.).
“Controller” means a person who determines the purposes and means of processing; “Processor” means a person who processes data on behalf of the controller (GDPR Art.4).

2. Controller and Contact Details

  • Data Controller: PT THE CUBE GROUP
  • Address: Jalan Pantai Suluban, Desa Kelurahan Pecatu, Bali 80361, Indonesia
  • Email: privacy@cubebali.com
3. What Data We Collect

Contact
  • Examples: email address, phone number
  • Source: provided by you
Technical
  • Examples: IP address, device type, operating‑system version, browser, log files
  • Source: collected automatically
Interaction
  • Examples: pages viewed, clicks, time on page
  • Source: collected via cookies/pixels
Marketing
  • Examples: mailing‑list history, responses, consent status
  • Source: provided by you
We do not request or process special categories of personal data (GDPR Art. 9) unless explicitly necessary and based on separate consent (e.g., accessibility requirements).

4. Purposes and Legal Bases of Processing

Site improvement, fraud prevention, security
  • Legal basis: Art.6(1)(f) — legitimate interest
  • Note: technical cookies set on this basis
Marketing communications (email, messengers)
  • Legal basis: Art.6(1)(a) — consent
  • Note: you can withdraw consent at any time
Web analytics & advertising via cookies
  • Legal basis: Art. 6(1)(a) — consent
  • Note: see details in the Cookie Policy
For California residents, CPRA rights apply; the Company does not sell your personal data.

5. Data Sources

  • Directly from you— contact forms, feedback, subscriptions.
  • Automatically— server log files, cookies, pixels.

6. Data Recipients

Tilda Publishing
  • Role: hosting / processor
  • Country/Region: Ireland / UAE
Cloudflare
  • Role: content‑delivery network & security
  • Country/Region: USA / EU
Stripe, PayPal
  • Role: payment processors
  • Country/Region: USA / EU
Google Analytics 4
  • Role: web analytics (processor)
  • Country/Region: USA / EU
Meta Ads / TikTok Ads
  • Role: marketing (joint controller)
  • Country/Region: USA / Singapore
Widget partners (e.g., maps, chat, email)
  • Role: processors
  • Country/Region: various
Transfers are limited to what is necessary and are governed by Data Processing Agreements (DPAs) and the Standard Contractual Clauses (2021).

7. International Data Transfers

Personal data may be transferred outside the EU/EEA, including to Indonesia, the USA and Australia. We use the following safeguards:

  • SCCs (Commission Implementing Decision 2021/914) for countries without an adequacy decision;
  • Data Privacy Framework— for US providers that are certified;
  • Encryption in transit and at rest, plus processor audits for compliance.

8. Retention Periods

Marketing contacts
  • Retention period: until consent is withdrawn or 24 months of inactivity
Security logs
  • Retention period: 12 months
Aggregated analytics data
  • Retention period: 26 months
After expiry, data are deleted or anonymised.
9. Your Rights
GDPR (EU/EEA)
  • Access
  • Rectification
  • Erasure
  • Restriction
  • Portability
  • Objection
  • Withdraw consent
  • Lodge complaint with a supervisory authority
CCPA/CPRA (California)
  • Know
  • Delete
  • Correct
  • Limit use of sensitive data
  • Opt‑out of sale/sharing
Australian Privacy Act
  • Access
  • Correction
  • Lodge complaint
Indonesian PDP Law
  • Consent/withdrawal
  • Access
  • Correction
  • Deletion
  • Restriction
  • Breach notification
Send requests to privacy@cubebali.com. We will respond within 30 days (45 days under CPRA).

10. Data Security

We implement technical and organisational measures: AES‑256 encryption at rest, TLS 1.3, firewalls, multi‑factor authentication, EU‑region backups, regular security audits and penetration tests.

11. Automated Decision‑Making

The Company does not make decisions based solely on automated processing that produce legal or similarly significant effects for you (GDPR Art. 22).

12. Cookies and Similar Technologies

We use cookies and pixels for Site functioning, analytics and marketing. Details of cookie categories, retention and how to manage them are in the “Cube Apartments Cookie Policy”.

13. Children

The Site is not intended for persons under 13 years of age. We do not knowingly collect data from children. If you believe a child provided data without parental consent, please contact us and we will delete it.

14. Changes to This Policy

We may update this Policy by posting a new version on the Site. If changes are material, we will notify you by email or banner at least 7 days before they take effect.

15. Supervisory Authorities

If you are in the EU/EEA, you may lodge a complaint with your local Data Protection Authority. In Indonesia — Kominfo; in the USA — Federal Trade Commission (FTC); in Australia — OAIC.

Last update: 9 June 2025