Cookie & Data Consent. By accessing or continuing to use this website, you automatically consent to our use of cookies and similar tracking technologies and to the collection and processing of your personal data as described in this Privacy Policy. If you do not agree, please discontinue use of the website.
PT Onyx Production Indonesia (“Orchestra Experience”, “we”, “us”, or “our”) is committed to protecting your privacy in compliance with the Personal Data Protection Law of the Republic of Indonesia (Law No. 27 of 2022 — UU PDP) and applicable regulations.
This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you visit orchestra-experience.id, purchase tickets, or interact with our events.
1. Personal Data We Collect
When you purchase tickets or interact with our services, we collect:
- Contact information: full name, email address, mobile phone number (WhatsApp).
- Transaction data: ticket type, quantity, event date, total amount, promo code used.
- Payment data: processed exclusively by our payment gateway Xendit. We do not store credit card or bank account numbers.
- Technical data: IP address, browser type, device type, operating system, referring URL, cookies and similar tracking technologies.
- Marketing attribution: source of visit (UTM parameters, ad click identifiers from Meta, Google, TikTok).
2. Legal Basis for Processing (Pasal 20 UU PDP)
We process your personal data based on:
- Contractual necessity — to fulfill ticket purchase orders, deliver tickets, provide event entry.
- Your consent — for marketing communications and analytics.
- Legitimate interest — to prevent fraud, improve our services, and ensure security.
- Legal compliance — to comply with Indonesian tax, consumer protection, and law enforcement requirements.
3. How We Use Your Data
- Process and confirm your ticket order, generate QR-coded tickets, send confirmation emails.
- Provide customer support via WhatsApp and email.
- Notify you about event changes, cancellations, or important updates.
- Send marketing communications about future concerts (with your consent — you may opt out at any time).
- Analyze website traffic and ad campaign performance through Google Analytics, Meta Pixel, and TikTok Pixel.
- Comply with Indonesian tax and accounting obligations.
4. Third-Party Sharing
We share your data only with trusted partners necessary to provide our services:
- Xendit — payment processing (PCI DSS certified).
- Brevo (Sendinblue) — transactional and marketing email delivery.
- Google (Analytics, Tag Manager, Ads) — website analytics and ad measurement.
- Meta (Facebook, Instagram) — ad campaign measurement and audience targeting.
- TikTok — ad campaign measurement.
- Ticketmelon and Loket — when you choose to pay by credit/debit card through these partner channels, their respective Privacy Policies and Terms also apply.
- GoDaddy (Managed WordPress) — website hosting.
- Government authorities — when required by Indonesian law or court order.
We do not sell your personal data to any third party.
5. Cross-Border Data Transfer (Pasal 56 UU PDP)
Some of our service providers (Google, Meta, Xendit, Brevo) may process data outside Indonesia. We ensure these transfers comply with UU PDP requirements through standard contractual clauses and adequate protection measures.
6. Data Retention
- Ticket purchase records: retained for at least 10 years as required by Indonesian tax law.
- Marketing email subscriptions: retained until you unsubscribe.
- Analytics data: aggregated and anonymized after 26 months (Google Analytics default).
- Account/transaction inquiries: retained for 3 years after last contact.
7. Your Rights (Pasal 5–15 UU PDP)
You have the right to:
- Access a copy of personal data we hold about you.
- Rectify inaccurate or incomplete data.
- Request deletion of your data (subject to legal retention requirements).
- Withdraw consent for marketing communications.
- Object to processing for specific purposes.
- Request data portability in a structured, machine-readable format.
- Lodge a complaint with the Indonesian Personal Data Protection Authority.
To exercise these rights, contact us at office@orchestra-experience.id. We will respond within 30 days.
8. Data Security
We implement reasonable technical and organizational measures to protect your data, including HTTPS encryption, secure password hashing, access controls, and regular security reviews. However, no system is 100% secure — we cannot guarantee absolute security.
9. Data Breach Notification (Pasal 46 UU PDP)
If a personal data breach occurs that may significantly impact your rights, we will notify you and the relevant Indonesian authority within 72 hours of becoming aware of the breach.
10. Cookies and Tracking
Our website uses cookies and similar technologies for:
- Essential website functionality (session, language preference).
- Analytics (Google Analytics).
- Marketing attribution (Meta Pixel, TikTok Pixel, Google Ads).
You can manage cookie preferences through your browser settings. Disabling cookies may affect site functionality.
11. Children’s Privacy
Our services are not intended for children under 17 without parental supervision. Minors require parental consent and accompaniment to attend our events.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email and a notice on our website. The “Last updated” date at the top reflects the latest revision.
13. Contact Us
← Back to Homepage