Last updated: April 2026
Privacy Policy
This policy explains what personal data we collect when you use Revasi to make a reservation at our partner restaurants and bars, how we use it, and what rights you have. It applies to guests booking through our platform and to visitors of revasi.net.
1. Who we are
This Privacy Policy applies to the reservation services operated by PT Locavore Nusantara Indonesia (“Locavore Group”, “we”, “us”, “our”), accessible via revasi.netand the venue booking pages of our partner restaurants and bars (collectively, the “Service”).
For questions about this policy or to exercise your data rights, contact us at privacy@revasi.net.
2. Personal data we collect
When you make or manage a reservation, we collect:
- Identity data: first name, last name, salutation
- Contact data: email address, phone number, country
- Reservation data: date, time, party size, dining preferences, special occasions, accommodation type
- Dietary information: allergies, dietary restrictions, and food preferences you choose to share (see Section 4)
- Payment data: masked card number and payment reference (full card details are handled by our payment processor, Xendit — we never store your full card number)
- Spending data: transaction history from our point-of-sale system (Moka POS), linked to your reservations
- Marketing preferences: your opt-in or opt-out status for email communications from each venue
- Guest profile data: categories and notes recorded by venue staff to personalise your experience, such as VIP status, visit frequency, cancellation history, and labels (e.g. “returning guest”, “influencer”). You have the right to access and object to this categorisation — see Section 8.
- Usage data: pages visited on our platform (collected via server logs)
3. Why we process your data and our legal basis
| Purpose | Legal basis (GDPR) | Legal basis (Indonesian PDP) |
|---|---|---|
| Processing and managing your reservation | Contract (Art. 6(1)(b)) | Contractual necessity (Art. 20(2)(b)) |
| Sending transactional emails (confirmation, reminder, cancellation) | Contract (Art. 6(1)(b)) | Contractual necessity (Art. 20(2)(b)) |
| Preparing your dining experience (dietary & special occasions) | Explicit consent (Art. 9(2)(a)) | Explicit consent (Art. 20(2)(a)) |
| Sending marketing emails about Locavore Group venues | Consent (Art. 6(1)(a)) | Consent (Art. 20(2)(a)) |
| Guest profiling by venue staff (VIP status, visit labels, preferences) to personalise service | Legitimate interests (Art. 6(1)(f)) | Legitimate interests (Art. 20(2)(f)) |
| Improving our service and analysing venue performance | Legitimate interests (Art. 6(1)(f)) | Legitimate interests (Art. 20(2)(f)) |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) | Legal obligation (Art. 20(2)(c)) |
4. Dietary and health-related information
Dietary restrictions you provide (such as allergies, halal, coeliac, or other food preferences) may reveal information about your health or religious beliefs. Under GDPR Article 9 and Indonesian PDP Article 4, this is treated as sensitive personal data. We collect it only to prepare your dining experience and do not share it with any third party outside of the kitchen team at the venue you are visiting. You are not required to provide this information to complete your booking.
5. Who we share your data with
We share your personal data only with the following processors, each bound by a Data Processing Agreement:
- Brevo (Sendinblue SAS, France) — sends transactional and marketing emails on our behalf. We share your name, email, and phone number only if you have opted in to marketing communications.
- Xendit (PT Xendit Pembayaran Indonesia) — processes credit card payments and deposit authorisations. We share the minimum data required to create a payment request.
- Moka POS (PT Moka Teknologi Indonesia) — our point-of-sale provider, used to link reservation and spending data for service improvement at the venue level.
- Clerk (Clerk, Inc., USA) — manages authentication for our administrative staff. Guest personal data is not shared with Clerk.
- Supabase (Supabase Inc., USA) — our database and infrastructure provider. All data described in this policy is stored on Supabase-managed servers.
We do not sell your personal data. We do not share your data with advertisers or data brokers.
6. International data transfers
Some of our service providers are located outside Indonesia and the European Economic Area (EEA). Where personal data is transferred internationally, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and, for transfers from Indonesia, we ensure safeguards equivalent to those required by Indonesian PDP Law (UU No. 27/2022) Article 56. Specifically: Brevo operates under EU GDPR with SCCs for transfers; Clerk and Supabase are US-based and covered by SCCs. If you would like a copy of the applicable transfer mechanism, contact us at privacy@revasi.net.
7. How long we keep your data
We retain personal data only as long as necessary:
- Reservation records: 3 years from the reservation date, after which records are anonymised or deleted
- Marketing contact lists: until you withdraw consent or request deletion
- Payment references: 5 years, as required by Indonesian tax regulations
- Activity logs: 12 months
8. Your rights
Under GDPR and Indonesian PDP Law (UU No. 27/2022), you have the following rights regarding your personal data:
- Right to access: request a copy of the personal data we hold about you
- Right to rectification: ask us to correct inaccurate or incomplete data
- Right to erasure: request deletion of your personal data (“right to be forgotten”), subject to legal retention requirements
- Right to portability: receive your data in a structured, machine-readable format
- Right to withdraw consent: withdraw marketing consent at any time via the unsubscribe link in any email, or by contacting us
- Right to object: object to processing based on legitimate interests
- Right to restrict processing: request that we limit how we use your data
To exercise any of these rights, email privacy@revasi.net with your name, email address, and the right you wish to exercise. We will respond within 30 days. Indonesian residents may also lodge a complaint with the Badan Siber dan Sandi Negara (BSSN). EU/EEA residents may lodge a complaint with their local data protection authority.
10. Security
We implement technical and organisational measures to protect your personal data, including row-level security on our database, encrypted connections (TLS), and access controls limiting data access to authorised staff only. In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within the timeframe required by law (72 hours under GDPR; 14 hours under Indonesian PDP) and will inform affected individuals without undue delay.
11. Children
Our Service is not directed at children under the age of 17. We do not knowingly collect personal data from minors. If you believe a minor has submitted data through our platform, please contact us at privacy@revasi.net and we will delete it promptly.
12. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date below and, where required by law, notify affected users by email. Continued use of the Service after a change constitutes acceptance of the updated policy.
Questions? Email privacy@revasi.net.