Privacy Policy
Last Updated: 12/09/2025
1. Introduction and Scope
Welcome to Stay in Pattaya ("we," "our," "us," or "the Company"). We are a property booking platform operating in Thailand, committed to protecting your privacy and personal data in accordance with Thailand's Personal Data Protection Act B.E. 2562 (2019) ("PDPA") and other applicable data protection laws.
This Privacy Policy explains how we collect, use, process, store, share, and protect your personal information when you:
- Visit our website at stayinpattaya.com
- Make bookings or reservations through our platform
- Participate in our affiliate program
- Contact us via email, phone, or other communication channels
- Interact with our social media accounts or marketing materials
By using our services, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree with our privacy practices, please do not use our services.
2. Controller Information
Stay in Pattaya is the data controller responsible for your personal data. Our contact details are:
3. Legal Basis for Processing
We process your personal data based on the following legal grounds under the PDPA:
3.1 Consent
Where you have given clear and specific consent for us to process your personal data for specific purposes, such as marketing communications or analytics tracking.
3.2 Contract Performance
Processing is necessary for the performance of a contract to which you are a party, such as processing your booking, payment, and providing accommodation services.
3.3 Legal Obligation
Processing is necessary for compliance with legal obligations, such as tax reporting, anti-money laundering requirements, or law enforcement requests.
3.4 Legitimate Interest
Processing is necessary for our legitimate business interests, such as fraud prevention, security monitoring, business analytics, and improving our services, provided these interests do not override your fundamental rights and freedoms.
4. Categories of Personal Data We Collect
We collect and process various categories of personal data depending on how you interact with our services:
4.1 Identity and Contact Data
- Full name, title, gender, date of birth
- Email address, phone number, postal address
- Government-issued ID information (passport, national ID for verification)
- Emergency contact information
- Profile pictures or avatars (if provided)
4.2 Booking and Transaction Data
- Booking details (property, dates, number of guests, special requests)
- Payment information (credit/debit card details, bank transfer information)
- Billing address and payment preferences
- Transaction history and receipts
- Refund and cancellation records
4.3 Technical and Usage Data
- IP address, browser type, version, and settings
- Device information (type, operating system, unique device identifiers)
- Log files and server data
- Website usage patterns (pages visited, time spent, click-through rates)
- Search queries and filters used
- Referral sources and marketing campaign interactions
4.4 Location Data
- Approximate location based on IP address
- Precise location data (only with explicit consent and when necessary)
- Travel destinations and booking locations
4.5 Communication Data
- Customer service interactions and support tickets
- Email correspondence and chat logs
- Survey responses and feedback
- Social media interactions
4.6 Marketing and Preference Data
- Marketing preferences and consent records
- Newsletter subscriptions and communication preferences
- Survey responses and feedback
- Social media profile information (when linking accounts)
4.7 Affiliate Program Data
- Business information and website details
- Bank account and payment details for commissions
- Tax identification numbers
- Referral and conversion tracking data
- Performance analytics and earnings history
4.8 Sensitive Personal Data
We may collect certain sensitive personal data only when necessary and with explicit consent:
- Health information (only for accessibility requirements or special assistance)
- Dietary restrictions or religious preferences (for catering services)
- Financial information related to credit checks (for extended stays)
5. How We Collect Your Data
5.1 Directly From You
- When you create an account or make a booking
- When you fill out forms on our website
- When you contact our customer service
- When you participate in surveys or promotions
- When you apply for our affiliate program
5.2 Automatically Through Technology
- Cookies and similar tracking technologies
- Web server logs and analytics tools
- Device fingerprinting and session recording
- Social media plugins and integrations
5.3 From Third Parties
- Payment processors and financial institutions
- Identity verification services
- Social media platforms (when you connect your accounts)
- Marketing partners and affiliate networks
- Property owners and management companies
- Government databases (for legal compliance)
6. How We Use Your Personal Data
We process your personal data for specific, legitimate purposes based on the legal grounds described in Section 3. The table below outlines our main processing activities:
6.1 Essential Service Provision
Legal Basis: Contract Performance, Legitimate Interest
- Processing and managing bookings, reservations, and cancellations
- Facilitating payments, refunds, and billing
- Providing customer support and responding to inquiries
- Verifying your identity and preventing fraud
- Communicating about your bookings and account
- Managing property access and check-in procedures
6.2 Business Operations and Improvement
Legal Basis: Legitimate Interest
- Analyzing website usage and user behavior to improve our services
- Conducting market research and customer satisfaction surveys
- Developing new features and enhancing user experience
- Managing our affiliate program and processing commissions
- Maintaining security and preventing misuse of our platform
- Backup and disaster recovery
6.3 Marketing and Communications
Legal Basis: Consent, Legitimate Interest (for existing customers)
- Sending promotional emails and newsletters (with consent)
- Displaying personalized advertisements and offers
- Conducting marketing campaigns and measuring their effectiveness
- Social media marketing and engagement
- Remarketing to previous visitors (with consent)
6.4 Legal and Regulatory Compliance
Legal Basis: Legal Obligation, Legitimate Interest
- Complying with tax and accounting requirements
- Meeting anti-money laundering and KYC obligations
- Responding to legal requests and court orders
- Reporting to regulatory authorities when required
- Maintaining records for audit and compliance purposes
6.5 Security and Fraud Prevention
Legal Basis: Legitimate Interest, Legal Obligation
- Monitoring for suspicious activities and fraud
- Investigating security incidents and breaches
- Implementing access controls and authentication
- Maintaining system security and integrity
- Blocking or restricting access for policy violations
7. Data Sharing and Disclosure
We may share your personal data with third parties in the following circumstances. We ensure all recipients are bound by appropriate confidentiality and data protection obligations.
7.1 Service Providers and Business Partners
- Property Owners and Managers: To facilitate bookings and provide accommodation services
- Payment Processors: To process transactions, refunds, and verify payment methods
- Technology Partners: Cloud hosting, email services, analytics, and security providers
- Customer Service Providers: Third-party support and communication platforms
- Marketing Partners: Advertising networks and email marketing services (with consent)
- Identity Verification Services: To verify user identity and prevent fraud
7.2 Legal and Regulatory Requirements
- Government authorities and regulators when required by law
- Law enforcement agencies for criminal investigations
- Tax authorities for tax compliance and reporting
- Courts and legal advisors in connection with legal proceedings
- Regulatory bodies for licensing and compliance matters
7.3 Business Transfers
In the event of a merger, acquisition, sale of assets, or bankruptcy, your personal data may be transferred to the acquiring entity, subject to the same privacy protections.
7.4 Affiliate Program Participants
- Conversion and referral data necessary for commission calculations
- Performance analytics and reporting (anonymized where possible)
- Fraud prevention and program integrity monitoring
7.5 With Your Consent
We may share your data with other third parties when you have given explicit consent for specific purposes.
Important: We Never Sell Your Data
We do not sell, rent, or lease your personal information to third parties for their marketing purposes. Any data sharing is limited to the purposes described above and subject to strict contractual protections.
8. Data Retention Periods
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, and protect our legitimate interests.
8.1 Account and Profile Data
- Active Accounts: As long as your account remains active
- Inactive Accounts: 3 years after last activity, then anonymized or deleted
- Closed Accounts: 30 days for account recovery, then permanent deletion
8.2 Booking and Transaction Data
- Booking Records: 7 years for tax and accounting purposes
- Payment Data: As required by payment card industry standards (typically 2-7 years)
- Financial Records: 7 years as required by Thai tax law
8.3 Marketing and Communication Data
- Marketing Consents: Until consent is withdrawn, then 30 days for processing
- Email Records: 2 years for campaign performance analysis
- Survey Responses: 3 years for service improvement purposes
8.4 Technical and Security Data
- Server Logs: 90 days for security monitoring
- Analytics Data: 26 months (anonymized after 14 months)
- Security Incident Records: 5 years for investigation and prevention
8.5 Legal and Compliance Data
- Legal Documentation: As required by statute of limitations (typically 6-10 years)
- Regulatory Reports: As required by applicable regulations
- Audit Records: 7 years from the end of the relevant financial year
9. International Data Transfers
Your personal data may be transferred to, stored, and processed in countries outside Thailand, including countries that may not have equivalent data protection laws.
9.1 Transfer Safeguards
When we transfer data internationally, we implement appropriate safeguards:
- Standard Contractual Clauses approved by data protection authorities
- Adequacy decisions by relevant data protection authorities
- Binding Corporate Rules for intra-group transfers
- Certification schemes and codes of conduct
9.2 Third-Party Service Providers
Some of our service providers are located in other countries, including:
- United States: Cloud hosting, payment processing, email services
- European Union: Analytics, marketing tools, customer support
- Singapore: Regional data processing and backup services
9.3 Your Rights Regarding International Transfers
You have the right to obtain information about the safeguards we use for international transfers and to object to transfers in certain circumstances. Contact us for more information.
10. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to enhance your browsing experience, analyze website usage, and provide personalized content. This section explains what cookies we use and how you can control them.
10.1 What Are Cookies?
Cookies are small text files stored on your device when you visit our website. They help us recognize your device and remember your preferences to provide a better user experience.
10.2 Types of Cookies We Use
Essential Cookies (Always Active)
These cookies are necessary for the website to function properly and cannot be disabled:
- Session management and user authentication
- Security and fraud prevention
- Load balancing and performance optimization
- Shopping cart and booking process functionality
Analytics Cookies (Requires Consent)
These cookies help us understand how visitors use our website:
- Google Analytics 4 (GA4) for comprehensive website traffic analysis, including page views, user interactions, conversion tracking, and demographic insights with IP anonymization and 14-month data retention
- Heatmap tools to understand user behavior
- Page performance and error tracking
- Conversion and goal tracking
Marketing Cookies (Requires Consent)
These cookies are used to deliver relevant advertisements:
- Facebook Pixel and Google Ads tracking
- Remarketing and retargeting campaigns
- Affiliate program tracking and attribution
- Social media integration and sharing
10.3 Third-Party Cookies
We may also use third-party services that set their own cookies:
- Google Analytics 4 (GA4): Comprehensive website traffic analysis and user behavior tracking
- Google Ads: Conversion tracking, remarketing campaigns, and advertisement performance measurement
- Google Tag Manager: Centralized tracking code management and analytics implementation
- Facebook: Social media integration and advertising
- Payment Processors: Secure payment processing
- Customer Support: Live chat and help desk services
10.4 Managing Your Cookie Preferences
You can control cookies through:
- Our Cookie Banner: Manage preferences when you first visit our site
- Browser Settings: Block or delete cookies through your browser preferences
- Industry Tools: Use tools such as those from the Digital Advertising Alliance
Note About Cookie Blocking
Blocking essential cookies may prevent certain features of our website from working properly, including the booking process and account management.
10.5 Google Consent Mode v2 Compliance
We implement Google Consent Mode v2 to ensure your privacy preferences are respected across all Google services. This advanced consent framework allows us to:
- Default Denial: All Google Analytics and Google Ads tracking is denied by default until you provide explicit consent
- Granular Controls: You can separately control analytics (Google Analytics) and marketing (Google Ads) tracking preferences
- Real-time Updates: Your consent choices are immediately communicated to Google services
- Privacy-First: When consent is denied, Google services operate in a privacy-enhanced mode with limited data collection
- Conversion Modeling: Google may use statistical modeling to measure conversions while respecting your privacy choices
Your consent status is stored locally and communicated to Google services in real time. You can update your preferences at any time using our cookie consent banner or browser settings.
11. Data Security Measures
We implement comprehensive security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. Our security approach includes technical, organizational, and physical safeguards.
11.1 Technical Security Measures
- Encryption: All data transmissions are protected using SSL/TLS encryption
- Access Controls: Role-based access with multi-factor authentication
- Network Security: Firewalls, intrusion detection, and monitoring systems
- Data Encryption: Sensitive data encrypted at rest using industry standards
- Regular Updates: Security patches and software updates applied promptly
- Vulnerability Testing: Regular security assessments and penetration testing
11.2 Organizational Security Measures
- Staff Training: Regular data protection and security awareness training
- Access Limitations: Need-to-know basis and least privilege principles
- Incident Response: Documented procedures for security breach response
- Vendor Management: Due diligence and security requirements for all suppliers
- Data Minimization: Collecting and retaining only necessary data
11.3 Physical Security Measures
- Secure data centers with controlled access
- CCTV monitoring and security personnel
- Environmental controls and backup power systems
- Secure disposal of physical media and equipment
11.4 Data Breach Response
In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours
- Inform affected individuals without undue delay
- Provide clear information about the breach and remedial actions
- Take immediate steps to contain and mitigate the breach
Security Disclaimer
While we implement robust security measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to protecting your data using industry best practices.
7. International Data Transfers
Your information may be transferred to and processed in countries other than the country in which you reside. These countries may have different data protection laws.
By using our services, you consent to the transfer of your information to Thailand and other countries where we operate.
12. Your Data Protection Rights Under PDPA
Under Thailand's Personal Data Protection Act (PDPA) and other applicable data protection laws, you have several important rights regarding your personal data. These rights are fundamental to protecting your privacy and giving you control over your information.
12.1 Right to Access (Right to Know)
What it means: You can request a copy of all personal data we hold about you.
What we provide:
- Confirmation of whether we process your personal data
- Categories of personal data we collect
- Purposes of processing and legal basis
- Recipients or categories of recipients
- Retention periods or criteria for determining them
- Information about data sources (if not collected directly from you)
- A copy of your personal data in a commonly used format
How to request: Submit a data access request through our Data Request Portal
Response time: Within 30 days of receiving your request
12.2 Right to Rectification (Right to Correct)
What it means: You can request correction of inaccurate or incomplete personal data.
Examples:
- Updating your contact information
- Correcting booking details or preferences
- Adding missing information to complete your profile
How to request: Contact us directly or use our Data Request Portal
Response time: Corrections made within 7 days, complex cases within 30 days
12.3 Right to Erasure (Right to be Forgotten)
What it means: You can request deletion of your personal data in certain circumstances.
When this applies:
- The data is no longer necessary for the original purpose
- You withdraw consent and there's no other legal basis
- You object to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
- Deletion is required for legal compliance
Limitations: We may refuse deletion if we need the data for legal obligations, public interest, or legitimate business purposes (e.g., tax records, completed bookings).
12.4 Right to Restrict Processing
What it means: You can request that we limit how we use your data while we resolve disputes or concerns.
When this applies:
- You contest the accuracy of the data (restriction during verification)
- Processing is unlawful but you prefer restriction to deletion
- We no longer need the data but you need it for legal claims
- You've objected to processing (restriction pending review)
Effect: We can only store the data, not use it for other purposes (except with your consent).
12.5 Right to Data Portability
What it means: You can receive your data in a machine-readable format or have it transferred to another service.
What's included:
- Profile information and preferences
- Booking history and transaction records
- Communication preferences and settings
- Any other data processed with your consent or for contract performance
Format: JSON, CSV, or XML format suitable for automated processing
Limitations: Only applies to data processed with consent or for contract performance
12.6 Right to Object
What it means: You can object to certain types of processing.
General Right to Object
You can object to processing based on legitimate interests, including:
- Website analytics and performance monitoring
- Fraud prevention measures (subject to our assessment)
- Business development and improvement activities
Direct Marketing
You have an absolute right to object to direct marketing, including:
- Promotional emails and newsletters
- Targeted advertising and remarketing
- Marketing phone calls and SMS
- Profiling for marketing purposes
12.7 Right to Withdraw Consent
What it means: You can withdraw consent at any time for processing based on consent.
Examples:
- Marketing communications and newsletters
- Analytics and tracking cookies
- Optional data collection during surveys
- Social media integration and sharing
Effect: Withdrawal doesn't affect the lawfulness of processing before withdrawal
How to withdraw: Use our Cookie Consent Banner, unsubscribe links, or contact us directly
12.8 Right Not to be Subject to Automated Decision-Making
What it means: You have the right not to be subject to decisions that are based solely on automated processing and that significantly affect you.
Our commitment: We ensure human oversight for all significant decisions affecting our users
12.9 How to Exercise Your Rights
Multiple Ways to Contact Us:
- Data Request Portal: Submit a formal request online
- Email: [email protected] with "Data Rights Request" in the subject
- Mail: Pattaya, Thailand
Information We Need:
- Your full name and contact information
- Specific right you want to exercise
- Details about your request
- Proof of identity (for security purposes)
Response Timeframes:
- Acknowledgment: Within 3 business days
- Full Response: Within 30 days (may extend to 60 days for complex requests)
- Urgent Requests: Security-related requests processed immediately
12.10 Complaints and Appeals
If you're not satisfied with how we handle your data rights request:
- Internal Appeal: Contact [email protected] for review
- Regulatory Complaint: File a complaint with the Personal Data Protection Commission of Thailand
- Legal Remedies: Seek compensation through Thai courts if you suffer damages
Free Exercise of Rights
Exercising your data protection rights is always free of charge. We will never charge fees for processing legitimate requests, though we may charge reasonable administrative fees for excessive or manifestly unfounded requests.
9. Data Retention
We will retain your personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, and as required by law.
13. Children's Privacy Protection
We are committed to protecting the privacy of children and complying with applicable child protection laws.
13.1 Age Restrictions
- Minimum Age: Our services are not intended for individuals under 18 years of age
- Parental Consent: Users aged 16-17 require verifiable parental consent
- Account Creation: We verify age during the registration process
13.2 Protection Measures
- We do not knowingly collect personal data from children under 16
- Age verification prompts during account creation
- Special procedures for handling data of minors (16-17) with parental consent
- Enhanced data protection measures for any data involving minors
13.3 Parental Rights
If you are a parent or guardian and believe your child has provided personal data to us:
- Contact us immediately at [email protected]
- Request access to your child's data
- Request deletion of your child's data
- Withdraw consent for your child's data processing
Response Commitment: We will respond to parental requests within 24 hours and take immediate action to protect children's privacy.
14. Third-Party Services and Links
14.1 Third-Party Websites
Our website may contain links to third-party websites, services, or applications. We are not responsible for the privacy practices or content of these third parties.
- Review the privacy policies of any third-party sites you visit
- We do not control or endorse third-party privacy practices
- Third-party services may collect their own data about you
14.2 Integrated Third-Party Services
We integrate with various third-party services that may collect data:
- Payment Processors: Handle payment transactions securely
- Maps and Location Services: Provide property location information
- Social Media Platforms: Enable social sharing and login features
- Customer Support Tools: Facilitate customer service interactions
- Analytics Providers: Help us understand website usage
14.3 Social Media Integration
When you interact with our social media features:
- The social media platform may collect information about your interaction
- We may receive information from your social media profile (with permission)
- You can control social media data sharing through platform settings
15. Affiliate Program Specific Provisions
15.1 Additional Data Collection for Affiliates
Participants in our affiliate program provide additional information:
- Business Information: Company details, website URLs, promotional methods
- Financial Data: Bank account details, tax identification numbers
- Performance Data: Click-through rates, conversion statistics, earnings
- Compliance Information: Tax forms, identity verification documents
15.2 Affiliate Data Processing
- Commission calculations and payment processing
- Performance monitoring and reporting
- Fraud prevention and program integrity
- Tax reporting and compliance (where required by law)
- Program improvement and optimization
15.3 Affiliate Rights and Obligations
- Access to performance data and earnings reports
- Right to request data correction or deletion (subject to legal requirements)
- Obligation to maintain accurate and current information
- Compliance with affiliate program terms and applicable laws
16. Privacy Policy Updates and Changes
16.1 Update Process
We may update this Privacy Policy from time to time to reflect:
- Changes in our data processing practices
- New legal requirements or regulatory guidance
- Introduction of new services or features
- Feedback from users and data protection authorities
- Industry best practices and security improvements
16.2 Notification of Changes
When we make significant changes to this Privacy Policy, we will:
- Website Notice: Post a prominent notice on our website
- Email Notification: Send emails to registered users (for material changes)
- In-App Notifications: Display notifications in your account dashboard
- Consent Re-collection: Request new consent if required by law
16.3 Effective Date
- Changes become effective 30 days after notification (unless urgent)
- Continued use of our services constitutes acceptance of changes
- You may object to changes or close your account if you disagree
- Previous versions available upon request for your records
16.4 Material Changes
We consider the following to be material changes requiring explicit notification:
- Changes to the types of personal data we collect
- New purposes for data processing
- Changes to data sharing practices
- Modifications to your rights or how to exercise them
- Changes to data retention periods
- Introduction of new tracking technologies
17. Regulatory Compliance and Jurisdiction
17.1 Applicable Laws
This Privacy Policy and our data processing practices comply with:
- Thailand: Personal Data Protection Act B.E. 2562 (2019)
- International: Applicable data protection laws in jurisdictions where we operate
- Industry Standards: Payment Card Industry (PCI) Data Security Standards
- Sector-Specific: Tourism and hospitality industry regulations
17.2 Regulatory Oversight
- Primary Regulator: Personal Data Protection Commission of Thailand
- Registration: We maintain all required regulatory registrations
- Reporting: We comply with mandatory data breach reporting requirements
- Audits: We undergo regular compliance audits and assessments
17.3 Legal Basis Documentation
We maintain detailed records of:
- Legal basis for each category of data processing
- Data processing impact assessments
- Consent records and withdrawal documentation
- Data sharing agreements and controller-processor contracts
- International transfer safeguards and adequacy decisions
17.4 Dispute Resolution
- Governing Law: Thai law governs this Privacy Policy
- Jurisdiction: Thai courts have exclusive jurisdiction for legal disputes
- Alternative Resolution: We encourage resolution through direct communication first
- Regulatory Complaints: You may file complaints with applicable data protection authorities
18. Accessibility and Language
18.1 Accessibility Commitment
We are committed to making our Privacy Policy accessible to all users:
- Screen reader compatible formatting
- Clear and simple language where possible
- Logical structure with numbered sections
- High contrast and readable fonts
18.2 Language Versions
- Primary Language: This Privacy Policy is originally written in English
- Translations: Thai language version available upon request
- Conflicts: In case of conflicts, the English version prevails
- Updates: All language versions updated simultaneously when possible
19. Contact Us
If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:
Privacy and Data Protection Inquiries
Email: [email protected]
Address: Pattaya, Thailand
For data requests, please use subject line: "PDPA Data Request - [Your Request Type]"
19.1 Response Commitment
- General Inquiries: Response within 5 business days
- Data Rights Requests: Acknowledgment within 3 business days, full response within 30 days
- Privacy Complaints: Priority handling with response within 7 business days
- Security Concerns: Immediate response for urgent security matters
19.2 Alternative Contact Methods
- Data Request Portal: Submit formal requests online
- General Support: For non-privacy inquiries, use our regular customer service channels
Important: This Privacy Policy was last updated on September 12, 2025. We recommend reviewing this policy periodically for any updates or changes.