Template - pending legal review
This document is a working draft prepared by the team. It is intended as a starting point and will be reviewed by a qualified Australian legal practitioner before paid traffic begins. If any of the language below conflicts with the reviewed final version, the reviewed version controls.
1. Who this policy is for
This is the privacy policy for The Bali Method (thebalimethod.com), a marketing-and-concierge service that arranges hair-restoration trips from Australia to our independent partner clinic, ETERNAL Clinic, in Bali. It applies to anyone who fills in our free assessment quiz, contacts us via WhatsApp or email, books a consultation, pays a deposit, or otherwise interacts with us through this website.
The Bali Method is the entity collecting your information. We comply with the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs). Where you are based in the European Union or the United Kingdom, we treat the General Data Protection Regulation (GDPR) and UK GDPR as the operating standard.
2. What we collect
The amount of information we collect depends on how far you take the process. The categories below cover everything we may have on file.
Information you give us during the quiz
- Hair-loss profile - primary goal (hairline, crown, both, beard), Norwood stage, hair-loss duration, previous treatments.
- Demographics - age range, Australian state of residence, preferred departure airport.
- Budget - the indicative spend bracket you select.
- Couple upgrade - whether you would like to bring a partner.
- Photos - up to three photographs of your scalp, uploaded by you. These are stored in a private storage bucket and are accessible only to our team and the surgical team at ETERNAL Clinic.
- Contact details - your name, email address and WhatsApp number, so we can send your estimate and follow up.
Information we collect automatically
- Source attribution - the referring URL and any UTM, gclid or fbclid query parameters attached when you arrive at the site. This helps us understand where leads come from.
- Technical data - IP address, browser type, device type, pages visited, time on page. Used in aggregate for analytics and anti-abuse rate-limiting.
- Chat transcripts - if you speak with our AI assistant Mira, the conversation is stored against your assessment so a human team member can pick up where Mira left off.
Information we receive from third parties
- Stripe - when you pay a deposit, we receive a payment confirmation, the last four digits of the card, and a transaction reference. We do not see or store your full card details.
- Calendly - when you book a consultation, we receive the slot you chose and any answers you provided to Calendly's intake questions.
We do not knowingly collect information from people under 18. The procedures we facilitate are not appropriate for minors.
3. Why we collect it
- To match you to a package and send you a non-binding estimate.
- To prepare for your video consultation with the surgeon at ETERNAL Clinic.
- To arrange your trip - flights from your selected airport, hotel, transfers, recovery logistics.
- To send you nurture emails with information that may help you decide whether the program is right for you. You can unsubscribe from these at any time.
- To improve the website and our service using aggregate analytics.
- To meet legal obligations (such as anti-fraud measures, financial-record keeping, and responding to lawful requests).
4. The legal basis for processing
Under Australian law, we rely on your consent when you submit the quiz and on the performance of a contract or service when you ask us to organise consultations, deposits or travel. Marketing communications are sent on the basis of your consent and our legitimate interest in keeping interested patients informed; you can withdraw at any time.
For visitors based in the EU or UK, we rely on the equivalent GDPR lawful bases: consent, contract performance, and legitimate interest, depending on the activity.
5. Who we share information with
The Bali Method is a marketing-and-concierge service. The medical procedure itself is provided by our independent partner clinic. To do our job we share targeted slices of your information with the following parties.
Our partner clinic
ETERNAL Clinic in Bali, Indonesia, receives your name, contact details, hair-loss profile, photos and any scheduling information. They are the medical provider; their own privacy practices apply once they hold your data.
Service providers (data processors)
- Supabase (database and file storage; hosted in Sydney, Australia).
- Vercel (website hosting).
- Resend (transactional email delivery).
- Anthropic (AI model that powers Mira; transcripts are sent for processing).
- Stripe (deposit payments).
- Calendly (consultation scheduling).
- Meta (Facebook/Instagram) for analytics and re-marketing, where you have given consent.
Each of these vendors is bound by their own privacy and data-processing terms. We use them strictly for the purpose described.
When we are required to disclose
We will disclose information when compelled by an Australian court order, subpoena, or other binding legal process, and when necessary to investigate fraud or to protect the safety of any person.
We do not sell your personal information. We never share photographs for marketing purposes without your explicit, separate written consent.
6. International transfers
Some of the parties listed above store data outside Australia. ETERNAL Clinic operates from Indonesia. Several of our software vendors operate data centres in the United States and the European Union. When your information is transferred internationally we take reasonable steps to ensure that the recipient is bound by obligations equivalent to APP 8.
7. How long we keep it
- Quiz answers and contact details - kept while you are an active prospect or patient, plus seven years from your last interaction (to meet AU record-keeping obligations for medical-tourism arrangements).
- Photos - deleted on request, or 12 months after your trip if no further booking is made.
- Mira chat transcripts - kept for 12 months for service improvement; older sessions are deleted automatically.
- Marketing-list email - kept until you unsubscribe.
- Aggregate analytics - kept indefinitely; cannot be used to identify you.
8. Your rights
Under the Australian Privacy Act and (where applicable) the GDPR, you can:
- Ask for a copy of the personal information we hold about you.
- Correct anything that is inaccurate or out of date.
- Delete your information (subject to any record-keeping obligations we have).
- Withdraw consent for marketing communications by clicking the unsubscribe link in any email or by writing to us at info@thebalimethod.com.
- Object to processing based on legitimate interest.
- Request data portability (a machine-readable copy of the information you provided).
To exercise any of these rights, email info@thebalimethod.com from the address we have on file. We will respond within 30 days.
9. Security
We use industry-standard measures to keep your information safe. Passwords (where applicable) are hashed; transport is encrypted via TLS; the photo storage bucket is private and read access is granted only via short-lived signed URLs to authorised parties. Internal access to lead data is restricted to team members who need it.
No system is perfect. If a security incident occurs that materially affects your information, we will notify you and the Office of the Australian Information Commissioner (OAIC) as required by the Notifiable Data Breaches scheme.
10. Cookies and tracking
We use a small number of strictly-necessary cookies (for example, to keep your quiz answers in place between steps). When marketing analytics tools are enabled, we will request your consent before firing them, in line with the GDPR ePrivacy Directive and the guidance of the OAIC.
11. Updates to this policy
We may update this policy from time to time. The date at the top of the page reflects the most recent change. Material changes will be flagged via email to active prospects and patients before they take effect.
12. Contact us
For privacy questions or requests, email us at info@thebalimethod.com.
If you are not satisfied with how we have handled your privacy, you can lodge a complaint with the Office of the Australian Information Commissioner. If you are based in the EU or UK, you may also lodge a complaint with your local data-protection authority.