Privacy Policy

1. Introduction and Scope

Welcome to Stay in Pattaya ("we," "our," "us," or "the Company"). We are a property booking platform operating in Thailand, committed to protecting your privacy and personal data in accordance with Thailand's Personal Data Protection Act B.E. 2562 (2019) ("PDPA") and other applicable data protection laws.

This Privacy Policy explains how we collect, use, process, store, share, and protect your personal information when you:

• Visit our website at stayinpattaya.com
• Make bookings or reservations through our platform
• Participate in our affiliate program
• Contact us via email, phone, or other communication channels
• Interact with our social media accounts or marketing materials

By using our services, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree with our privacy practices, please do not use our services.

2. Controller Information

Stay in Pattaya is the data controller responsible for your personal data. Our contact details are:

3. Legal Basis for Processing

We process your personal data based on the following legal grounds under the PDPA:

3.1 Consent — Where you have given clear and specific consent for us to process your personal data for specific purposes, such as marketing communications or analytics tracking.

3.2 Contract Performance — Processing is necessary for the performance of a contract to which you are a party, such as processing your booking, payment, and providing accommodation services.

3.3 Legal Obligation — Processing is necessary for compliance with legal obligations, such as tax reporting, anti-money laundering requirements, or law enforcement requests.

3.4 Legitimate Interest — Processing is necessary for our legitimate business interests, such as fraud prevention, security monitoring, business analytics, and improving our services, provided these interests do not override your fundamental rights and freedoms.

4. Categories of Personal Data We Collect

4.1 Identity and Contact Data — Full name, title, gender, date of birth; Email address, phone number, postal address; Government-issued ID information; Emergency contact information; Profile pictures or avatars

4.2 Booking and Transaction Data — Booking details; Payment information; Billing address; Transaction history; Refund and cancellation records

4.3 Technical and Usage Data — IP address, browser type; Device information; Log files; Website usage patterns; Search queries; Referral sources and marketing campaign interactions

4.4 Location Data — Approximate location based on IP address; Precise location data (only with explicit consent and when necessary); Travel destinations and booking locations

4.5 Communication Data — Customer service interactions and support tickets; Email correspondence and chat logs; Survey responses and feedback; Social media interactions

4.6 Marketing and Preference Data — Marketing preferences and consent records; Newsletter subscriptions and communication preferences; Survey responses and feedback; Social media profile information (when linking accounts)

4.7 Affiliate Program Data — Business information and website details; Bank account and payment details for commissions; Tax identification numbers; Referral and conversion tracking data; Performance analytics and earnings history

4.8 Sensitive Personal Data — We may collect certain sensitive personal data only when necessary and with explicit consent: Health information (only for accessibility requirements or special assistance); Dietary restrictions or religious preferences (for catering services); Financial information related to credit checks (for extended stays)

5. How We Collect Your Data

5.1 Directly From You — When you create an account or make a booking; When you fill out forms on our website; When you contact our customer service; When you participate in surveys or promotions; When you apply for our affiliate program

5.2 Automatically Through Technology — Cookies and similar tracking technologies; Web server logs and analytics tools; Device fingerprinting and session recording; Social media plugins and integrations

5.3 From Third Parties — Payment processors and financial institutions; Identity verification services; Social media platforms (when you connect your accounts); Marketing partners and affiliate networks; Property owners and management companies; Government databases (for legal compliance)

6. How We Use Your Personal Data

6.1 Essential Service Provision (Legal Basis: Contract Performance, Legitimate Interest) — Processing and managing bookings, reservations, and cancellations; Facilitating payments, refunds, and billing; Providing customer support and responding to inquiries; Verifying your identity and preventing fraud; Communicating about your bookings and account; Managing property access and check-in procedures

6.2 Business Operations and Improvement (Legal Basis: Legitimate Interest) — Analyzing website usage and user behavior to improve our services; Conducting market research and customer satisfaction surveys; Developing new features and enhancing user experience; Managing our affiliate program and processing commissions; Maintaining security and preventing misuse of our platform; Backup and disaster recovery

6.3 Marketing and Communications (Legal Basis: Consent, Legitimate Interest for existing customers) — Sending promotional emails and newsletters (with consent); Displaying personalized advertisements and offers; Conducting marketing campaigns and measuring their effectiveness; Social media marketing and engagement; Remarketing to previous visitors (with consent)

6.4 Legal and Regulatory Compliance (Legal Basis: Legal Obligation, Legitimate Interest) — Complying with tax and accounting requirements; Meeting anti-money laundering and KYC obligations; Responding to legal requests and court orders; Reporting to regulatory authorities when required; Maintaining records for audit and compliance purposes

6.5 Security and Fraud Prevention (Legal Basis: Legitimate Interest, Legal Obligation) — Monitoring for suspicious activities and fraud; Investigating security incidents and breaches; Implementing access controls and authentication; Maintaining system security and integrity; Blocking or restricting access for policy violations

7. Data Sharing and Disclosure

We may share your personal data with third parties in the following circumstances. We ensure all recipients are bound by appropriate confidentiality and data protection obligations.

7.1 Service Providers and Business Partners — Property Owners and Managers; Payment Processors; Technology Partners (cloud hosting, email services, analytics, security); Customer Service Providers; Marketing Partners (with consent); Identity Verification Services

7.2 Legal and Regulatory Requirements — Government authorities and regulators when required by law; Law enforcement agencies for criminal investigations; Tax authorities for tax compliance and reporting; Courts and legal advisors in connection with legal proceedings; Regulatory bodies for licensing and compliance matters

7.3 Business Transfers — In the event of a merger, acquisition, sale of assets, or bankruptcy, your personal data may be transferred to the acquiring entity, subject to the same privacy protections.

7.4 Affiliate Program Participants — Conversion and referral data necessary for commission calculations; Performance analytics and reporting (anonymized where possible); Fraud prevention and program integrity monitoring

7.5 With Your Consent — We may share your data with other third parties when you have given explicit consent for specific purposes.

8. Data Retention Periods

8.1 Account and Profile Data — Active Accounts: as long as your account remains active; Inactive Accounts: 3 years after last activity, then anonymized or deleted; Closed Accounts: 30 days for account recovery, then permanent deletion

8.2 Booking and Transaction Data — Booking Records: 7 years for tax and accounting purposes; Payment Data: as required by payment card industry standards (typically 2-7 years); Financial Records: 7 years as required by Thai tax law

8.3 Marketing and Communication Data — Marketing Consents: Until consent is withdrawn, then 30 days for processing; Email Records: 2 years for campaign performance analysis; Survey Responses: 3 years for service improvement purposes

8.4 Technical and Security Data — Server Logs: 90 days for security monitoring; Analytics Data: 26 months (anonymized after 14 months); Security Incident Records: 5 years for investigation and prevention

8.5 Legal and Compliance Data — Legal Documentation: as required by statute of limitations (typically 6-10 years); Regulatory Reports: as required by applicable regulations; Audit Records: 7 years from the end of the relevant financial year

9. International Data Transfers

Your personal data may be transferred to, stored, and processed in countries outside Thailand, including countries that may not have equivalent data protection laws. When we transfer data internationally, we implement appropriate safeguards including Standard Contractual Clauses, adequacy decisions, and Binding Corporate Rules.

10. Cookies and Tracking Technologies

We use cookies and similar tracking technologies. Essential cookies are always active and necessary for the website to function. Analytics and Marketing cookies require consent. We implement Google Consent Mode v2 to ensure all Google services respect your privacy choices and operate with default consent denial until you explicitly grant permission.

11. Data Security Measures

We implement comprehensive technical, organizational, and physical security measures including SSL/TLS encryption, role-based access controls, firewalls, intrusion detection, regular security assessments, staff training, and secure data centers. In the event of a data breach, we will notify the relevant supervisory authority within 72 hours and inform affected individuals without undue delay.

12. Your Data Protection Rights

Under Thailand's PDPA and applicable data protection laws, you have the following rights:

12.1 Right to Access (Right to Know) — Request a copy of all personal data we hold about you. We will respond within 30 days.

12.2 Right to Rectification (Right to Correct) — Request correction of inaccurate or incomplete personal data. Corrections made within 7 days, complex cases within 30 days.

12.3 Right to Erasure (Right to be Forgotten) — Request deletion of your personal data when: data is no longer necessary for the original purpose; you withdraw consent and there's no other legal basis; you object to processing and there are no overriding legitimate grounds; the data has been unlawfully processed. Limitations apply for legal obligations, tax records, and completed bookings.

12.4 Right to Restrict Processing — Request that we limit how we use your data while we resolve disputes or concerns.

12.5 Right to Data Portability — Receive your data in machine-readable format (JSON, CSV, or XML). Applies to data processed with consent or for contract performance.

12.6 Right to Object — Object to processing based on legitimate interests, and you have an absolute right to object to direct marketing (promotional emails, targeted advertising, remarketing, profiling for marketing purposes).

12.7 Right to Withdraw Consent — Withdraw consent at any time for processing based on consent (e.g. marketing communications, analytics cookies). Withdrawal doesn't affect the lawfulness of processing before withdrawal.

12.8 Right Not to be Subject to Automated Decision-Making — We ensure human oversight for all significant decisions affecting our users.

12.9 How to Exercise Your Rights — Submit a data access request through our Data Request Portal at /data-request; Email: privacy@stayinpattaya.com with "Data Rights Request" in the subject. Response: Acknowledgment within 3 business days, full response within 30 days. Exercising your rights is always free of charge.

12.10 Complaints and Appeals — Contact privacy@stayinpattaya.com for internal appeal. You may also file a complaint with the Personal Data Protection Commission of Thailand.

13. Children's Privacy Protection

Our services are not intended for individuals under 18 years of age. Users aged 16-17 require verifiable parental consent. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided personal data to us, contact us immediately at privacy@stayinpattaya.com. We will respond to parental requests within 24 hours.

14. Third-Party Services and Links

Our website may contain links to third-party websites. We are not responsible for the privacy practices of third parties. We integrate with Google Analytics, Google Ads, Google Tag Manager, payment processors, maps and location services, social media platforms, and customer support tools.

15. Affiliate Program Specific Provisions

Participants in our affiliate program provide additional information including business information, financial data, performance data, and compliance information. This data is used for commission calculations, performance monitoring, fraud prevention, and tax reporting.

16. Privacy Policy Updates and Changes

We may update this Privacy Policy from time to time. When we make significant changes, we will post a prominent notice on our website and send emails to registered users. Changes become effective 30 days after notification. Continued use of our services constitutes acceptance of changes.

17. Regulatory Compliance and Jurisdiction

This Privacy Policy complies with Thailand's Personal Data Protection Act B.E. 2562 (2019), applicable international data protection laws, Payment Card Industry (PCI) Data Security Standards, and tourism and hospitality industry regulations. Governing Law: Thai law. Jurisdiction: Thai courts.

18. Accessibility and Language

This Privacy Policy is originally written in English. Thai language version available upon request. In case of conflicts, the English version prevails.

19. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data protection rights:

• Email: privacy@stayinpattaya.com
• Address: Pattaya, Thailand
• For data requests, use subject line: "PDPA Data Request - [Your Request Type]"
• General Inquiries: Response within 5 business days
• Data Rights Requests: Acknowledgment within 3 business days, full response within 30 days
• Privacy Complaints: Priority handling with response within 7 business days