Privacy Policy
§ 01 Data controller
The data controller responsible for personal data processed in connection with this website and our wholesale operations is PT Next Step Advisory, with registered office at Jalan Raya Semat No. 1, Tibubeneng Village/Sub-district, North Kuta District, Badung Regency, Bali Province, 80361, Indonesia. You may write to us at info@next-step-advisory.com on any matter covered by this Policy.
This Policy explains what we process, on what bases, with whom we share it, and the rights available to you under the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the United Kingdom GDPR, and the Indonesian Law No. 27 of 2022 on Personal Data Protection ("UU PDP").
§ 02 Scope of this Policy
This Policy applies to personal data processed when you visit this website, when you contact us through any channel listed on this site, and when we engage with you in connection with prospective or active wholesale orders. It does not cover the websites of third parties to which we may link, each of which operates under its own privacy regime.
§ 03 Categories of personal data we process
We deliberately collect a small set of personal data, only what is necessary to do useful work. The categories are:
- Identification and contact data — name, employer, role, email address and any phone number you choose to share.
- Communication content — the substance of the messages you send to us, including any documents you attach.
- Order data — quotation requests, purchase orders, shipping addresses, billing details and supporting paperwork during an active engagement.
- Technical data — IP address, browser type, language preference, page-level navigation events and approximate location, processed at the server-log level for security and operations.
- Cookie and consent data — your consent state, captured by the consent banner and stored locally in your browser. See our Cookie Policy.
§ 04 Purposes and legal bases
We process personal data for the following purposes, on the following lawful bases. The Article references are to the GDPR; UU PDP equivalents apply to processing within Indonesia.
| Purpose | Legal basis |
|---|---|
| Responding to enquiries you initiate | Article 6(1)(b) — pre-contractual steps; Article 6(1)(f) — legitimate interests |
| Performing customer orders under contract | Article 6(1)(b) — performance of contract |
| Maintaining records, audit and tax compliance | Article 6(1)(c) — legal obligation |
| Securing the website and detecting abuse | Article 6(1)(f) — legitimate interests |
| Setting analytics or marketing cookies | Article 6(1)(a) — consent (currently none active) |
Where we rely on legitimate interests, we have weighed those interests against your rights and concluded that the processing is proportionate. You may object to that balancing at any time using the contact details in §13.
§ 05 Recipients of personal data
We share personal data only with parties we trust and only when there is a defensible reason. Specifically:
- Service providers acting as processors — hosting, email and document management, with written contracts in place that bind them to our instructions.
- Logistics and customs brokers — carriers, freight forwarders and customs brokers necessary to ship goods you have ordered, with the minimum data required to perform that role.
- Public authorities — only where compelled by law and only to the extent strictly necessary.
- Successors — in the event of a merger, acquisition or sale of assets, on terms no less protective than this Policy.
We do not sell personal data, and we do not share it for the marketing purposes of any third party.
§ 06 International transfers
Our operations are based in Indonesia and we may transfer personal data outside the EEA, the United Kingdom or Indonesia in connection with our service-provider relationships and shipping operations. Where we do, we rely on transfer mechanisms permitted under Articles 45 and 46 GDPR (including adequacy decisions and Standard Contractual Clauses), the equivalent UK transfer instruments, and the cross-border provisions of UU PDP. A summary of the safeguards in place for any specific transfer is available on request.
§ 07 Retention periods
We hold personal data for the minimum period required for each purpose, after which we delete or pseudonymise it.
| Category | Retention |
|---|---|
| Enquiry data (no order) | 24 months from last contact |
| Customer order records | 10 years from delivery, for tax, customs and audit purposes |
| Website technical logs | 12 months |
| Cookie consent state | 12 months in your browser |
§ 08 Your rights
Under the GDPR, UK GDPR and UU PDP — and subject to limited exceptions — you have the right to access your personal data, to request rectification of inaccurate data, to request erasure, to request restriction of processing, to data portability, to object to processing based on legitimate interests, and to withdraw consent where processing is based on consent. Withdrawal does not affect the lawfulness of prior processing.
You also have the right to lodge a complaint. In the European Economic Area you may approach the supervisory authority of your country of residence. In the United Kingdom, the Information Commissioner's Office (ICO). In Indonesia, the supervisory authority designated under UU PDP. We would, of course, prefer the chance to address your concern first — write to us at info@next-step-advisory.com.
§ 09 Security
We apply technical and organisational measures proportionate to the data we hold: access controls, encryption in transit, encrypted backups, written policies on credential handling, and routine reviews of vendor security postures. No system is infallible, and we will notify affected individuals and, where applicable, supervisory authorities of any breach in accordance with Articles 33–34 GDPR and the equivalent UU PDP obligations.
§ 10 Children and minors
This website and our services are directed to businesses. We do not knowingly process personal data of individuals under the age of 16. If you believe we have done so, please write to us and we will delete the data without delay.
§ 11 Automated decision-making
We do not engage in automated decision-making, including profiling, that produces legal or similarly significant effects concerning you within the meaning of Article 22 GDPR. Decisions on quotations, orders and shipping are made by named human members of our trade desk.
§ 12 Changes to this Policy
We may update this Policy from time to time. The effective date at the top of the page reflects the most recent revision. Where a change is material we will give reasonable notice through the website and, for active customers, by direct communication.
§ 13 How to contact us
For any matter arising under this Policy — questions, requests to exercise rights, or notice of suspected breach — write to us at info@next-step-advisory.com or by post to PT Next Step Advisory, Jalan Raya Semat No. 1, Tibubeneng Village/Sub-district, North Kuta District, Badung Regency, Bali Province, 80361, Indonesia. We will respond within the periods required by applicable law and in good faith earlier where we can.