Last updated: April 2026
Who we are
Kitas VIP is a private concierge service for Indonesian KITAS visa applications, operating at https://kitas.vip. In this policy, "we", "us" and "Kitas VIP" refer to the Kitas VIP service. "You" refers to the person whose personal data is being processed, usually a current or prospective applicant.
What personal data we collect
To prepare and file a KITAS application, we collect the following categories of personal data.
- Identity data: full name, date of birth, nationality, passport number, home address, Indonesian address (if any), phone number and email address.
- Document scans: passport bio page, photograph, and category-specific supporting documents such as employment contracts, pension letters, bank statements, marriage certificates, birth certificates, insurance policies, academic records and criminal record checks.
- Application details: KITAS category, sponsor information, intended dates of stay, family members included in the application.
- Status and audit data: timestamps for each stage of your case, communications history, IP address at submission time, and records of any admin access to your file.
- Payment data: we do not currently process payments directly. If we add payment in future, it will be through a regulated payment processor and this policy will be updated.
Why we collect this data (legal basis)
We collect and process your personal data to perform the service you are asking us to provide: preparing and filing an Indonesian KITAS application on your behalf. The legal bases for processing under the GDPR and the Indonesian Personal Data Protection Law (UU PDP, Law No. 27/2022) are:
- Performance of a contract: processing is necessary to carry out the concierge service you have engaged us for.
- Legal obligation: certain data must be shared with Indonesian immigration authorities to comply with immigration law.
- Legitimate interest: security logging, fraud prevention and service improvement.
- Consent: where required, for example when we keep data beyond the service period for your future renewal.
How we protect your data
Every piece of personally identifiable information you give us is encrypted at rest with AES-256-GCM. All network traffic uses TLS 1.3. Admin passwords are stored as scrypt hashes. Email addresses used for status lookups are stored as HMAC-SHA256 hashes rather than plaintext. Every admin access to your file is logged in an append-only audit log. Full technical details are on our security page.
Who we share your data with
We share your data only with parties that are essential to providing the KITAS service.
- Indonesian immigration authorities, specifically the Directorate General of Immigration and the Ministry of Manpower where relevant, through the official eVisa portal and related channels. This is required by law.
- Your nominated sponsor, where the KITAS category requires a sponsor. For Working KITAS this is your employer; for Retirement, Digital Nomad or Second Home visas it may be Kitas VIP acting as the licensed local sponsor.
- Licensed Indonesian immigration providers who assist with formal filings.
- Infrastructure providers who host our platform (currently Vercel for compute and Turso for database). These providers are SOC 2 Type II certified and bound by data processing agreements.
We do not sell your data. We do not share your data with advertisers, data brokers, analytics providers, or AI training services. Ever.
International transfers
Some of our infrastructure providers operate across multiple countries. Where your data crosses a border, it is protected by the same encryption and contractual terms that apply inside Indonesia. We use standard contractual clauses and comparable mechanisms where required.
How long we keep your data
We keep active case data for as long as you are a client and for a reasonable period after case completion so that renewal cycles remain possible. Typically this is the duration of your KITAS plus a rolling 12 month window. Audit log entries are kept for longer, for legal and security reasons. You can ask us to delete your data at any time, subject to any legal retention obligations we still have.
Your rights
Under the GDPR and UU PDP, you have the following rights regarding your personal data:
- Access: ask for a copy of the data we hold about you.
- Correction: ask us to correct inaccurate data.
- Deletion: ask us to delete your data.
- Objection: object to certain kinds of processing.
- Restriction: ask us to limit how we process your data.
- Portability: receive a machine-readable copy of your data to move to another service.
- Withdraw consent: where processing is based on consent.
- Complaint: lodge a complaint with your local data protection authority.
To exercise any of these rights, email privacy@kitas.vip. We respond within 30 days.
Cookies and tracking
Kitas VIP uses only strictly necessary cookies for session management. We do not run third party analytics, advertising or tracking scripts. See our cookie policy for details.
Children
Kitas VIP is not directed at children. We process data about minors only when they are included as dependents in a family KITAS application, with the consent and under the authority of their parent or guardian.
Changes to this policy
We may update this privacy policy from time to time to reflect changes in our practices or in the law. The "Last updated" date at the top of this page shows when it was last revised. Material changes are announced on the home page for at least 30 days.
Contact us
For any privacy-related questions, data access requests or complaints, email us at privacy@kitas.vip. For general enquiries, hello@kitas.vip.