Privacy Policy

1.1 Personal Data. When you make a booking, we collect your name, email address, phone number, hotel name, and any other information you provide in the booking form (such as dietary requirements or medical notes).

1.2 Payment Data. Payment information (card details) is collected and processed directly by Stripe, our payment provider. We do not store or have access to your full card number, CVV or PIN. We retain only a masked card reference and transaction ID for booking records.

1.3 Usage Data. When you browse our website, we automatically collect standard log data such as your IP address, browser type, pages visited, time spent on pages, and referring URLs. This data is used for analytics and security purposes.

1.4 Communications. If you contact us by email, WhatsApp or through our contact form, we retain records of those communications to provide customer support and improve our services.

2.1 Booking Processing. We use your personal data to confirm your booking, send you booking confirmation and itinerary details, arrange hotel pick-up, and communicate important updates about your tour (such as weather changes or time adjustments).

2.2 Customer Support. We use your contact details to respond to enquiries, process cancellation requests, and handle refunds.

2.3 Marketing. With your consent, we may send you occasional newsletters or promotional offers about our tours. You can unsubscribe at any time via the link in any marketing email or by contacting us directly. We do not send marketing communications without consent.

2.4 Analytics & Improvement. We use aggregated, anonymised usage data to understand how visitors interact with our website and to improve our services and content.

2.5 Legal Compliance. We may use or disclose your information where required by Thai law or in response to a valid legal request from authorities.

All card payments are processed by Stripe, which is certified to PCI DSS Level 1, the highest level of payment card industry security. Stripe's servers use TLS encryption. We never transmit or store unencrypted card data. For more information on Stripe's security, visit stripe.com/docs/security.

4.1 Essential Cookies. We use session cookies required for the website to function, such as maintaining your booking session and authentication state.

4.2 Analytics. We use Google Analytics to collect anonymised data about website usage. Google Analytics uses cookies to track sessions. You can opt out via the Google Analytics opt-out browser add-on or by adjusting your browser settings.

4.3 Advertising. We may use the Meta (Facebook) Pixel to measure the effectiveness of our advertising and to enable remarketing audiences on Facebook and Instagram. The Pixel collects anonymised browsing data. You can manage your ad preferences at facebook.com/ads/preferences.

4.4 Cookie Control. Most browsers allow you to control cookies through their settings. Disabling certain cookies may affect the functionality of our website.

We use the following third-party services that may process your data:

• Stripe: payment processing. Data is processed in the US and EU under Stripe's own privacy policy.
• Google Analytics: website analytics. Anonymous usage data is processed by Google under Google's privacy policy.
• Meta Pixel (Facebook/Instagram): advertising measurement and remarketing. Anonymised data is processed by Meta under Meta's data policy.
• Resend: transactional email delivery (booking confirmations, updates). Your name and email address are passed to Resend solely for the purpose of delivering emails you have requested.
• Cloudflare: hosting, CDN and security. Cloudflare may process your IP address and request data for security and performance purposes.

We do not sell your personal data to any third party and we only share data with service providers who are bound by appropriate data protection agreements.

We retain booking records for a minimum of 3 years to comply with Thai tax and commercial regulations. Marketing consent records are retained for as long as you remain subscribed. Analytics data is retained in anonymised form.

If you request deletion of your account or personal data, we will remove your identifiable information within 30 days, except where retention is required by law.

Depending on your jurisdiction, you may have the following rights with respect to your personal data:

• Access: request a copy of the personal data we hold about you.
• Correction: request that we correct inaccurate data.
• Deletion: request that we delete your personal data (subject to legal retention requirements).
• Objection: object to the processing of your data for marketing purposes.
• Portability: request your data in a machine-readable format.
• Restriction: request that we restrict processing of your data in certain circumstances.

If you are a resident of the European Economic Area (EEA), these rights are governed by the GDPR. If you are a resident of Thailand, these rights are governed by the Personal Data Protection Act B.E. 2562 (PDPA).

To exercise any of these rights, please contact us using the details in Section 8 below. We will respond within 30 days.

For any privacy-related questions, to exercise your rights, or to request deletion of your personal data, please contact us:

We take all privacy concerns seriously and will acknowledge your request within 5 business days.