Azure Journey Co., Ltd. ("we", "us", or "the Company") respects your privacy and is committed to protecting your personal data in compliance with Thailand's Personal Data Protection Act B.E. 2562 (2019) ("PDPA"). This policy explains what data we collect, why we collect it, how we use it, and the rights you have over your data.
1. Data Controller
The data controller is Azure Journey Co., Ltd., a tour operator licensed by the Tourism Authority of Thailand (TAT license No. 11/08188), with its registered office at 101/397 Moo 1 Phueksalada Village, Soi Lat Krabang 54, Bang Saothong, Samut Prakan 10540, Thailand.
2. Personal Data We Collect
We collect the following categories of personal data only to the extent necessary to provide our tour services:
- Identification: full name, Thai national ID number or passport number, date of birth, nationality
- Contact: phone number, email address, LINE ID or WeChat ID
- Travel documents: passport scan / number, passport expiry, visa status
- Booking details: tour selected, room type, dietary restrictions, special needs, emergency contact
- Payment data: amount paid, payment method, last 4 digits of card (handled by Omise — we do not store full card numbers), tax invoice details
- Marketing preferences: only if you have explicitly opted in
- Technical data: IP address, browser type, session cookies — used solely to operate the website and prevent abuse
3. Purposes of Processing
We use your personal data for the following purposes:
- To process your tour booking, issue receipts and tax invoices, and arrange your travel
- To communicate with you about your booking (confirmations, schedule changes, departure reminders)
- To handle inquiries, complaints, refund requests, and customer support
- To comply with legal and tax obligations (accounting records, tour-operator regulatory reporting)
- To prevent fraud and protect the security of our website and customers
- To send marketing emails about future tours — only if you have given explicit consent (you can withdraw at any time)
4. Legal Basis
We process your data on the following PDPA-recognized bases:
- Performance of contract — for tour booking, payment, and service delivery
- Consent — for marketing communications and PDPA-controlled disclosures
- Legal obligation — for tax records, anti-money-laundering, and tour-operator regulatory compliance
- Legitimate interest — for fraud prevention, internal operations, and dispute resolution, balanced against your privacy
5. Data Sharing With Third Parties
We share data only with processors and partners necessary to deliver your booking. We do NOT sell your personal data.
- Payment processor — Omise (Synqa Co., Ltd.) processes card and PromptPay payments. Card data is handled directly by Omise per PCI-DSS standards.
- Hosting and database — Supabase (data stored in Singapore region) and Vercel (CDN/edge) host our website and database under contractual data-processing agreements.
- Email delivery — Resend handles transactional emails (booking confirmations, password reset, etc.).
- Travel partners — airlines, hotels, ground operators, and visa-application centers receive only the data necessary to fulfill your booking (e.g. passport details for hotel check-in).
- Government authorities — when legally required (tax authorities, immigration, anti-money-laundering).
6. Retention Period
We retain your personal data only as long as necessary for the purposes above. Booking and accounting records are kept for at least 5 years per Thailand's Revenue Code. Inquiry data is kept for up to 2 years. Marketing-consent records are kept until you withdraw consent. Audit logs of administrative actions are retained for 90 days. After the retention period, data is anonymized or securely deleted.
7. International Data Transfers
Some of our processors (Omise, Supabase, Vercel, Resend) may store or process data outside Thailand. We only use providers that offer adequate safeguards consistent with the PDPA — typically standard contractual clauses or equivalent protections.
8. Your Rights as a Data Subject
Under the PDPA, you have the following rights regarding your personal data:
- Right of access — request a copy of the data we hold about you
- Right to rectification — correct inaccurate or incomplete data
- Right to erasure ("right to be forgotten") — request deletion when no longer needed
- Right to restrict processing — limit how we use your data
- Right to object — object to processing based on legitimate interest or for marketing
- Right to data portability — receive your data in a machine-readable format
- Right to withdraw consent — at any time for marketing or other consent-based processing
- Right to lodge a complaint — with the Personal Data Protection Committee (PDPC) of Thailand
To exercise any of these rights, contact us using the details in section 11. We will respond within 30 days.
9. Cookies
We use only essential cookies necessary to operate the website — session cookies for authentication and language preference. We do not use advertising cookies or third-party analytics that profile you. You can clear cookies in your browser settings, but this may sign you out and reset your language preference.
10. Data Security
We protect your data with industry-standard safeguards: encrypted database connections (TLS), encrypted storage at rest, role-based access control, audit logs of administrative actions, and regular security reviews. We require all staff and partners with data access to maintain confidentiality.
11. How to Contact Us
For privacy questions, to exercise your rights, or to report a data-protection concern, contact us at:
Azure Journey Co., Ltd.
Address: 101/397 Moo 1, Bang Saothong, Samut Prakan 10540
Phone: 02 136 5920 / 063 226 0758
Email: admin@azurejourney.com
12. Updates to This Policy
We may update this policy when our practices change or when required by law. The "Last updated" date at the top reflects the latest revision. Material changes will be highlighted on our website or notified by email if you have an active booking.