Privacy policy
<p><strong>Last updated: 3 May 2026</strong></p>
<p>Nithya Boutique ("we," "us," "our") is a rattan furniture manufacturer and wholesale exporter registered and operating in Medan, North Sumatra, Indonesia. This Privacy Policy explains how we collect, use, store, and disclose personal data in connection with our website at nithyaboutique.com and our wholesale business activities.</p>
<p>This policy is governed by the laws of the Republic of Indonesia, including <strong>Law No. 27 of 2022 on Personal Data Protection (Undang-Undang Perlindungan Data Pribadi / UU PDP)</strong>. Where we deal with buyers, agents, or contacts located in the European Economic Area (EEA) or United Kingdom, we also comply with the General Data Protection Regulation (GDPR) and UK GDPR as applicable.</p>
<h2>1. Who We Are</h2>
<p>
<strong>Nithya Boutique</strong> (Data Controller)<br>
Jl. Iskandar Muda No.127, Sei Sikambing D<br>
Kec. Medan Petisah, Kota Medan<br>
Sumatera Utara 20111, Indonesia<br>
Phone: +62 831-5003-6902<br>
Email: <a href="mailto:info@nithyaboutique.com">info@nithyaboutique.com</a>
</p>
<h2>2. What Personal Data We Collect</h2>
<p>Because we operate primarily as a B2B wholesale supplier, most of the personal data we handle relates to business contacts rather than individual consumers. We collect the following categories of personal data:</p>
<ul>
<li><strong>Business contact information:</strong> Name, job title, company name, business address, telephone number, and email address of buyers, agents, and enquiry contacts.</li>
<li><strong>Transaction data:</strong> Order details, invoices, payment records, and shipping documentation.</li>
<li><strong>Communication records:</strong> Emails, enquiries, sample requests, and customer support correspondence.</li>
<li><strong>Website usage data:</strong> IP address, browser type, pages visited, and session duration, collected automatically via cookies and analytics tools.</li>
<li><strong>Financial data:</strong> Bank transfer details required to process payments. We do not store payment card numbers.</li>
</ul>
<h2>3. Lawful Basis for Processing</h2>
<p>Under UU PDP and, where applicable, the GDPR, we process personal data on the following lawful bases:</p>
<ul>
<li><strong>Contract:</strong> Processing necessary to enter into or fulfil a wholesale order, issue invoices, arrange shipping, or respond to a sample or quotation request.</li>
<li><strong>Legitimate interests:</strong> Processing necessary for our legitimate business interests, including maintaining business relationships, improving our website, preventing fraud, and keeping records of commercial transactions — where these interests are not overridden by your rights.</li>
<li><strong>Legal obligation:</strong> Processing required to comply with applicable Indonesian law, tax regulations, customs requirements, or export control obligations.</li>
<li><strong>Consent:</strong> Where we send marketing communications to contacts who have opted in, or where we place non-essential cookies. You may withdraw consent at any time.</li>
</ul>
<h2>4. How We Use Your Personal Data</h2>
<p>We use personal data for the following purposes:</p>
<ul>
<li>Processing and fulfilling wholesale orders, including production, quality control, shipping, and documentation.</li>
<li>Responding to enquiries, quotation requests, and sample requests.</li>
<li>Issuing invoices and processing payments.</li>
<li>Maintaining records of commercial transactions as required by Indonesian tax and commercial law.</li>
<li>Sending product updates, catalogue releases, and trade communications to existing and prospective wholesale buyers who have expressed interest or consented.</li>
<li>Improving our website and understanding how visitors use it.</li>
<li>Detecting and preventing fraud or misuse of our services.</li>
<li>Complying with legal and regulatory obligations.</li>
</ul>
<h2>5. Cookies and Tracking Technologies</h2>
<p>Our website uses cookies and similar technologies to operate correctly and to understand visitor behaviour. These include:</p>
<ul>
<li><strong>Essential cookies:</strong> Required for the website and shopping functions to work. These cannot be disabled.</li>
<li><strong>Analytics cookies:</strong> Used to understand how visitors interact with our website (e.g. pages visited, session duration). We use this data in aggregate to improve the site.</li>
<li><strong>Marketing cookies:</strong> Used only where you have given consent, to show relevant advertising.</li>
</ul>
<p>You can manage cookie preferences through your browser settings. Disabling certain cookies may affect website functionality.</p>
<h2>6. Sharing Personal Data with Third Parties</h2>
<p>We do not sell your personal data. We may share it with the following categories of third parties, only to the extent necessary:</p>
<ul>
<li><strong>Shopify Inc.:</strong> Our website and e-commerce platform is provided by Shopify. Shopify processes data on our behalf in accordance with its own privacy policy and data processing agreements.</li>
<li><strong>Freight forwarders and shipping agents:</strong> To arrange export documentation, container booking, and delivery.</li>
<li><strong>Payment processors:</strong> To process bank transfers and validate transactions.</li>
<li><strong>Professional advisers:</strong> Including lawyers, accountants, and auditors, under obligations of confidentiality.</li>
<li><strong>Indonesian government and regulatory authorities:</strong> Where required by law, including customs, tax authorities, and export control bodies.</li>
<li><strong>Business successors:</strong> In the event of a merger, acquisition, or sale of business assets, personal data may be transferred to the successor entity.</li>
</ul>
<h2>7. International Data Transfers</h2>
<p>As an Indonesian company exporting worldwide, we transfer personal data internationally in the ordinary course of business — for example, when sharing shipping documentation with freight forwarders or buyers in other countries. We take reasonable steps to ensure that any international transfer of personal data is subject to appropriate safeguards consistent with UU PDP requirements.</p>
<p>For buyers or contacts located in the EEA or United Kingdom, international transfers are conducted in accordance with GDPR requirements, including the use of Standard Contractual Clauses where applicable.</p>
<h2>8. Data Retention</h2>
<p>We retain personal data only for as long as necessary for the purposes set out in this policy, or as required by Indonesian law. Specific retention periods are as follows:</p>
<ul>
<li><strong>Commercial transaction records</strong> (orders, invoices, shipping documents): 10 years, in accordance with Indonesian commercial and tax law.</li>
<li><strong>Customer and enquiry correspondence:</strong> 3 years from the date of last contact, unless a longer period is required by law.</li>
<li><strong>Website analytics data:</strong> Up to 26 months, in aggregate and anonymised form where possible.</li>
<li><strong>Marketing contact lists:</strong> Until you withdraw consent or opt out, or after 3 years of inactivity.</li>
</ul>
<p>When personal data is no longer required, it is securely deleted or anonymised.</p>
<h2>9. Data Security</h2>
<p>We implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or destruction. These include access controls, encrypted communications, and secure data storage practices.</p>
<p>In the event of a personal data breach that is likely to harm your rights or interests, we will notify the relevant Indonesian supervisory authority and, where required, affected individuals within <strong>14 days</strong> of becoming aware of the breach, in accordance with UU PDP Article 46.</p>
<p>No method of electronic transmission or storage is completely secure. While we take all reasonable precautions, we cannot guarantee absolute security.</p>
<h2>10. Children's Data</h2>
<p>Our website and services are directed exclusively at business buyers and are not intended for individuals under the age of 18. We do not knowingly collect personal data from persons under 18. If we become aware that we have inadvertently collected data from a minor, we will delete it promptly.</p>
<h2>11. Your Rights</h2>
<p>Under UU PDP (Law No. 27 of 2022), you have the following rights in relation to your personal data:</p>
<ul>
<li><strong>Right to access:</strong> Request a copy of the personal data we hold about you.</li>
<li><strong>Right to rectification:</strong> Request correction of inaccurate or incomplete personal data.</li>
<li><strong>Right to erasure:</strong> Request deletion of your personal data where it is no longer necessary for the purpose for which it was collected, subject to our legal retention obligations.</li>
<li><strong>Right to restriction:</strong> Request that we limit the processing of your personal data in certain circumstances.</li>
<li><strong>Right to data portability:</strong> Request that we provide your personal data in a structured, commonly used format.</li>
<li><strong>Right to object:</strong> Object to processing based on legitimate interests, including for direct marketing purposes.</li>
<li><strong>Right to withdraw consent:</strong> Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.</li>
<li><strong>Right to seek compensation:</strong> Seek redress for harm caused by unlawful processing of your personal data.</li>
</ul>
<p>To exercise any of these rights, please contact us using the details in Section 13. We will respond within 30 days. We may need to verify your identity before acting on a request.</p>
<p><strong>EEA and UK residents</strong> may also lodge a complaint with their local data protection authority. A list of EEA authorities is available at <a href="https://www.edpb.europa.eu" target="_blank">edpb.europa.eu</a>.</p>
<h2>12. Supervisory Authority (Indonesia)</h2>
<p>The supervisory authority responsible for personal data protection in Indonesia is the <strong>Ministry of Communication and Information Technology (Kementerian Komunikasi dan Informatika / Kominfo)</strong> and, for matters of cybersecurity, the <strong>National Cyber and Crypto Agency (Badan Siber dan Sandi Negara / BSSN)</strong>. If you have concerns about how we handle your personal data that we have been unable to resolve, you have the right to lodge a complaint with Kominfo.</p>
<h2>13. Contact Us</h2>
<p>For any questions about this Privacy Policy, to exercise your rights, or to report a concern, please contact us:</p>
<p>
<strong>Nithya Boutique</strong><br>
Jl. Iskandar Muda No.127, Sei Sikambing D<br>
Kec. Medan Petisah, Kota Medan<br>
Sumatera Utara 20111, Indonesia<br>
Phone: +62 831-5003-6902<br>
Email: <a href="mailto:info@nithyaboutique.com">info@nithyaboutique.com</a>
</p>
<h2>14. Changes to This Policy</h2>
<p>We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. The date at the top of this page indicates when it was last revised. We encourage you to review this policy periodically. Continued use of our website after a revision constitutes acceptance of the updated policy.</p>