Privacy Policy
How we collect, use, store, and protect your personal data when you apply for an Indonesia eVOA through our service.
Last reviewed: 2026-05-08. Effective date: 2026-05-08.
1. Introduction
Welcome to Indonesia eVisa. We are a visa application assistance platform operated by Travel Rox, Inc. We help travellers apply for the Indonesia Electronic Visa on Arrival (eVOA) by collecting the necessary information, processing payments, and submitting applications on their behalf.
This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and your rights regarding your data. By using our website and services, you agree to the practices described in this policy.
If you have questions about this policy or your data, contact us at inq@indonesiaevisa.id.
2. Data controller
Travel Rox, Inc. is the data controller responsible for your personal data processed through indonesiaevisa.id.
Contact for privacy matters:
Email: inq@indonesiaevisa.id
WhatsApp: +1-707-606-0634
Phone: +1-415-800-4485
Postal: 169 Madison Ave STE 2883, New York, NY 10016, US
3. What personal data we collect
3.1 Information you provide directly
When you use our visa application service, we collect the following categories of personal data:
Primary contact information:
Full name (first name and last name).
Email address.
Phone number.
WhatsApp number (optional).
Traveller information (for each traveller in your application):
Full name as it appears on the passport.
Date of birth.
Nationality.
Passport number, issue date, and expiry date.
Any additional information required by the Indonesian eVOA application form (such as address, occupation, travel purpose, and intended port of entry).
Minor applicant information: If you are applying on behalf of a minor (a person under 18 years of age), we collect the same traveller information for the minor. By submitting an application for a minor, you confirm that you are the parent or legal guardian of that minor and have the authority to provide their personal data and consent to its processing.
Supporting documents:
Passport scan or photograph (data page).
Passport-style photograph of the applicant.
Hotel or accommodation booking confirmation.
Inbound and outbound flight booking confirmations.
Any other documents required for your specific application.
Payment information:
We do not directly collect or store your credit card or debit card numbers. All payment processing is handled by our third-party payment processor. We receive and store:
A unique customer identifier from the payment processor.
Transaction reference numbers.
Payment amount and currency (USD).
Payment status (successful, failed, refunded).
3.2 Information collected automatically
When you visit our website, we automatically collect:
Technical data:
IP address (collected at checkout for consent verification).
Browser type and version (user agent string).
Device type.
Pages visited and time spent on each page.
Referring website.
Cookies and similar technologies:
Session cookies for website functionality.
Language preference cookies.
Analytics cookies (see Cookie Policy for details).
3.3 Information from third parties
We may receive the following data from our service providers:
Payment confirmation and transaction status from our payment processor.
Email delivery status (delivered, bounced, opened) from our email service provider.
4. How we use your personal data
We process your personal data for the following purposes:
| Purpose | Data used | Legal basis |
|---|---|---|
| Processing your eVOA application | Name, DOB, passport number, nationality, supporting documents, contact details | Performance of contract |
| Processing payments | Payment transaction data, email, order details | Performance of contract |
| Communicating with you about application status, required actions, and updates | Email address, phone number, name | Performance of contract |
| Sending transactional emails (payment confirmations, application updates, eVOA delivery) | Email address, name, application details | Performance of contract |
| Verifying your identity when checking application status (OTP verification) | Email address, application reference number | Legitimate interest (security) |
| Preventing fraud and abuse, including rate limiting, account lockout, and duplicate detection | IP address, email, phone number | Legitimate interest (security) |
| Recording consent for terms of service and privacy policy acceptance at checkout | IP address, user agent, timestamp | Legal obligation |
| Maintaining audit trails of administrative actions on your application | Application data, admin action logs | Legitimate interest (accountability) |
| Improving our services through analytics and website performance monitoring | Anonymised usage data, page views, device info | Consent (via cookie consent banner) |
| Advertising and remarketing (if you consent to marketing cookies) | Anonymised identifiers, conversion events | Consent |
We do not use your personal data for automated decision-making or profiling that produces legal effects concerning you. All eVOA decisions are made by the Indonesian Directorate General of Immigration, not by our platform.
5. How we store and protect your data
5.1 Data storage
Your personal data is stored on secure cloud infrastructure with reputable US-based providers. Supporting documents (passport scans, photographs, and similar files) are stored in encrypted cloud storage with access controlled through time-limited signed URLs that expire within minutes.
5.2 Security measures
We implement the following security measures to protect your data:
Encryption in transit: All data transmitted between your browser and our servers is encrypted using HTTPS/TLS.
Password security: Administrative accounts are protected with industry-standard bcrypt hashing.
Session security: HTTP-only, Secure, and SameSite cookies prevent unauthorised session access.
Access control: Role-based access control (RBAC) ensures only authorised personnel can access your data.
Account lockout: Automatic lockout after repeated failed login attempts.
Rate limiting: API rate limiting prevents abuse and brute-force attacks.
Payment security: We never store your card details; all payment data is handled by a PCI DSS-compliant processor.
Webhook verification: All incoming data from payment and email providers is cryptographically verified.
Document access: Uploaded documents are accessible only through temporary signed URLs, not permanent links.
Audit logging: All administrative actions are logged in an append-only audit trail.
256-bit SSL: Bank-grade encryption on all data transmission.
5.3 Data breach notification
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and inform affected individuals without undue delay, in accordance with applicable law.
6. Third-party service providers
We share your personal data with the following trusted third-party processors, each operating under a Data Processing Agreement (DPA):
6.1 Payment processor
Headquarters: United States.
Data shared: Email address, order amount, currency (USD), transaction metadata (application ID).
Purpose: To process your payment securely.
Note: Our processor is PCI DSS Level 1 certified. Your card details are processed entirely by the processor and never touch our servers.
6.2 Email delivery service
Headquarters: United States.
Data shared: Email address, email content (application status updates, payment confirmations, OTP codes).
Purpose: To deliver transactional emails about your application.
Email tracking: The provider may track email delivery status, opens, and clicks to ensure reliable delivery.
6.3 Cloud document storage
Headquarters: United States.
Data shared: Uploaded documents (passport scans, photographs, supporting documents).
Purpose: To securely store your application documents in encrypted cloud storage.
Access control: Documents are stored with private access and are only accessible through time-limited signed URLs.
6.4 Analytics and tag management
Services used: Google Analytics 4, Google Tag Manager.
Data shared: Anonymised usage data, page views, device information, conversion events.
Purpose: To understand how visitors use our website and improve our services.
Privacy policy: policies.google.com/privacy
Opt-out: Decline analytics cookies via our cookie consent banner, or install the Google Analytics Opt-out Browser Add-on.
6.5 Advertising
Service used: Meta Pixel and Google Ads conversion tracking.
Data shared: Anonymised page view events, conversion events (for example, completed applications).
Purpose: To measure the effectiveness of our advertising campaigns.
Opt-out: Decline marketing cookies via our cookie consent banner.
6.6 Government authorities
Data shared: All information required for your eVOA application (name, passport details, date of birth, nationality, supporting documents, and any other information required by the Indonesian eVOA form).
Purpose: To submit your application to the Indonesian Directorate General of Immigration for processing.
Note: Once submitted, the processing of your data by Indonesian government authorities is governed by their own privacy policies and applicable Indonesian law.
We do not sell your personal data to any third party.
7. Cookies and tracking technologies
Our website uses cookies and similar tracking technologies to improve user experience, analyse site usage, and measure advertising effectiveness. For the full list of cookies we set, the third-party services that may set cookies, your consent options, and how to disable cookies in your browser, please see our dedicated Cookie Policy.
You can change your cookie preferences at any time through the "Cookie Settings" link in the website footer.
8. International data transfers
Our service providers (payment processor, email delivery, cloud storage, Google, Meta) are headquartered in the United States. When your data is transferred to these providers, it may be processed outside of your country of residence.
These transfers are protected by:
Standard Contractual Clauses (SCCs) approved by relevant data protection authorities.
Data Processing Agreements with each provider.
Appropriate security measures implemented by each provider (encryption, access controls, certifications).
Where required by applicable privacy laws (including the EU GDPR, the UK GDPR, the California Consumer Privacy Act / CCPA, and similar regimes), we ensure adequate protections are in place for any cross-border transfer of personal data.
9. Data retention
We retain your personal data for the following periods:
| Data category | Retention period | Reason |
|---|---|---|
| Application data (name, passport, DOB, form answers) | Duration of the eVOA validity period plus 3 years, or until you request deletion | Legal and contractual obligation; supports reapplication and dispute resolution |
| Supporting documents (passport scans, photos) | Same as application data | Required for application processing and potential government inquiries |
| Payment records (transaction IDs, amounts) | 7 years from the transaction date | Tax and accounting obligations |
| Email communication logs | 7 years | Regulatory compliance and accountability |
| Analytics data | As per Google/Meta retention settings (up to 26 months) | Website improvement |
| Consent records (IP, timestamp, accepted terms) | 7 years | Proof of consent for legal compliance |
| Draft applications (not submitted) | Automatically deleted after 30 days | No ongoing purpose |
After the retention period expires, your data will be securely deleted or anonymised.
10. Your rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
10.1 Common rights
Right to access: Request confirmation of whether we process your data and obtain a copy of it.
Right to correction: Request that we correct inaccurate or incomplete personal data.
Right to deletion: Request deletion of your data, subject to legal or contractual restrictions.
Right to data portability: Request your data in a commonly used machine-readable format.
Right to withdraw consent: Withdraw consent for processing based on consent at any time.
10.2 Rights under GDPR (for EU/EEA and UK residents)
If you are located in the European Economic Area or the United Kingdom, you additionally have the right to:
Restriction of processing: Request that we limit how we use your data.
Object to processing: Object to processing based on legitimate interest.
Lodge a complaint: File a complaint with your local data protection supervisory authority.
10.3 Rights under US state privacy laws
Residents of California (CCPA), Virginia (VCDPA), and other US states with similar laws have rights including the right to access, delete, and opt out of the sale or sharing of personal information. We do not sell your personal data.
10.4 How to exercise your rights
To exercise any of these rights, contact us at:
Email: inq@indonesiaevisa.id
Subject line: "Data Privacy Request: [Your Name]"
We will respond to your request within 30 days. We may need to verify your identity before processing your request, which may require you to provide your application reference number and the email address used at purchase.
11. Children's privacy
Our visa application services may be used by parents or legal guardians to apply for eVOAs on behalf of minors (persons under 18 years of age).
We do not knowingly collect personal data directly from children. All applications for minors must be submitted by a parent or legal guardian.
By submitting an application for a minor, you confirm that you are the parent or legal guardian and consent to the processing of the minor's personal data as described in this policy.
The personal data of minors is subject to the same security measures and retention policies as adult applicant data.
Parents and legal guardians may exercise data rights on behalf of the minor by contacting us at inq@indonesiaevisa.id.
If we become aware that we have collected personal data from a child without parental consent, we will take steps to delete that data promptly.
12. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
Update the "Last Reviewed" date at the top of this page.
Post the revised policy on this page.
For significant changes, notify you by email (if we have your email address) or through a prominent notice on our website.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.
13. Data Protection contact
For any privacy-related concerns or grievances, please contact us:
Email: inq@indonesiaevisa.id
WhatsApp: +1-707-606-0634
Response time: We will acknowledge your enquiry within 24 hours and resolve it within 30 days from the date of receipt.
Questions about your privacy?
Our team is here to help with any questions regarding your personal data.
Email: inq@indonesiaevisa.id
WhatsApp: +1-707-606-0634
Phone: +1-415-800-4485
Postal: Travel Rox, Inc. , 169 Madison Ave STE 2883, New York, NY 10016, US
Indonesia eVisa is operated by Travel Rox, Inc. All rights reserved.