Privacy policy
Last updated: 2026-04-25
This is a plain-English summary of how we handle your data. It is not a substitute for a lawyer reviewing your contract. Pilot operators receive a more detailed Data Processing Addendum at signature.
Who we are
Wisma OS is operated by Wisma Operations (Indonesia). Our contact email is [email protected]. We are based in Bali, Indonesia.
What data we collect
From operators (you, the property owner / staff):
- Account info: name, email, role, hashed password.
- Property metadata: name, location, room inventory, POS catalog.
- Tax + payment configuration you provide during onboarding.
- Usage logs: which pages you load, which actions you trigger, for debugging and product improvement.
- Sentry error reports — code-level errors only, no payment card data, no plaintext passwords.
From guests (your customers):
- Guest profile: name, email, phone, nationality (whatever you record).
- Reservation details: dates, room, rate plan, special requests.
- Payment metadata: amount, method (e.g. "QRIS"), reference. No card numbers, no CVVs — those live with your gateway.
- WhatsApp / SMS / email message content you send and receive through Wisma's inbox.
- Audit-log entries describing who did what and when, on every booking, charge, and refund.
From marketing-site visitors (this website):
- If you submit the pilot application form: the fields you fill in, plus your IP address and user agent (for spam filtering only).
- Standard server logs (IP, path, status code) for security and uptime.
- No third-party analytics tracking pixels yet.
How we use it
- To run the product you're paying for (or piloting).
- To debug, fix bugs, and improve features. We never look at your data without a real reason; access is logged internally.
- To contact you about your pilot or your account. We do not sell or share your data with marketing partners.
Where it lives
Operator and guest data is stored in PostgreSQL hosted by a managed provider. Data residency: pilot data is stored in Asia-Pacific by default; customers requiring a specific region can ask. Daily backups, 7-day retention.
Subprocessors
We use the following third parties to run the product:
- Database hosting — managed Postgres (Asia-Pacific region by default).
- Sentry — error monitoring. Code-level errors only.
- Payment gateways — Midtrans, Xendit, DOKU, Stripe (whichever you configure). Card data lives with them, not us.
- WhatsApp / SMS / email providers — Fonnte, Twilio, Meta Cloud API (whichever you configure). Message content is relayed through their systems.
- Email transport — SMTP or a transactional email provider.
We update this list when it changes. If your jurisdiction requires a formal subprocessor list with addresses and DPAs, ask and we'll provide it.
Security
- Multi-tenant scoping enforced at the database query layer — your data is not visible to other tenants.
- Passwords are hashed with bcrypt. Staff PINs are hashed and stored separately.
- Webhooks verify HMAC signatures before any state mutation.
- Audit log records every mutating action with who/when.
- Backups are encrypted at rest by the database provider.
- We are not SOC 2 certified. We're a small team. We'll happily walk your IT through the architecture.
Your rights
- Access — you can request a full export of your account's data anytime.
- Correction — most fields are editable inside the product. For anything else, email us.
- Deletion — on contract end we deliver your data export and then permanently delete operator data within 30 days. Some logs (audit, Sentry) may persist longer for security/compliance reasons.
- Object / restrict — message us at [email protected].
Indonesian residents have rights under PP 71/2019 and UU 27/2022. EU residents have rights under GDPR. We comply with both.
Guest data
Guest data that an operator enters into Wisma is the operator's data, not ours. We process it on their behalf (data processor / sub-processor relationship). If you are a guest with a request, contact the property directly. If the property does not respond, you can email us.
Cookies
We use first-party cookies for authentication and session management only. We do not use marketing pixels or third-party tracking on this marketing site. We may add privacy-respecting analytics (e.g. Plausible) in the future; this page will be updated when we do.
Changes to this policy
Material changes are emailed to operators at least 14 days before they take effect. The "last updated" date at the top of this page reflects the most recent change.
Contact
Questions, complaints, or data requests: [email protected].