This Privacy Policy explains how Bangtao.xyz (operated by Montree, hereafter "we", "us", or "our") collects, uses, and protects personal data in accordance with the Personal Data Protection Act B.E. 2562 (2019) ("PDPA") of Thailand and all related subordinate legislation. By using this website or submitting a booking request, you acknowledge that you have read and understood this policy.
1 Data Controller
The data controller responsible for your personal data is:
| Business Name | Bangtao.xyz — Bangtao Beach Holiday Homes |
| Owner / Host | Montree |
| Address | Bangtao 15, Amphoe Thalang, Phuket 83110, Thailand |
| Email | booking@bangtao.xyz |
| Phone / WhatsApp | +66 6 5687 8790 |
| Website | https://bangtao.xyz |
We are a small private accommodation business operating in Phuket, Thailand. We do not appoint a Data Protection Officer (DPO) as we do not conduct large-scale systematic monitoring of individuals, but the owner listed above is responsible for all data protection matters.
2 Personal Data We Collect
We collect only the minimum personal data necessary to process your booking enquiry and provide our accommodation service. Data is collected when you:
- Submit a booking request form on this website
- Contact us by email, WhatsApp, or telephone
- Book through Airbnb (Airbnb's own privacy policy applies to that channel)
| Category | Data Collected | Source |
|---|---|---|
| Identity | Full name | Booking form / direct contact |
| Contact | Email address, telephone number | Booking form / direct contact |
| Booking | Property selected, check-in/check-out dates, number of guests | Booking form |
| Preferences | Special requests or additional notes (if provided voluntarily) | Booking form |
| Technical | IP address, browser type, pages visited, cookies (see Section 10) | Automatic — web server & analytics |
| Communication | Content of messages sent via WhatsApp, email, or LINE | Direct communication |
We do not collect sensitive personal data as defined by the PDPA (e.g. health data, biometrics, religious beliefs, criminal records) unless legally required.
We do not collect payment card data directly. Any payments are processed through bank transfer or third-party platforms (e.g. Airbnb) under their own privacy policies.
3 Legal Basis for Processing (PDPA Section 24)
Under the Thai PDPA, we must have a lawful basis for each processing activity. We rely on the following:
| Legal Basis | Processing Activity |
|---|---|
| Contractual Necessity (Section 24(3)) | Processing your name, contact details, and booking dates to respond to your booking enquiry and confirm your reservation |
| Legitimate Interests (Section 24(5)) | Maintaining booking records for internal administration; communicating about your stay; ensuring security of the property |
| Legal Obligation (Section 24(6)) | Retaining financial and guest records as required by Thai accounting and hotel laws (e.g. reporting to local authorities if required under Thai law) |
| Consent (Section 19–20) | Sending optional promotional messages or newsletters (if you opt in). You may withdraw consent at any time. |
⚠️ Note: We do not process special categories of sensitive data, so the higher standard of explicit consent (Section 26) is not required for our standard operations.
4 How We Use Your Personal Data
We use your personal data strictly for the following purposes:
- To process and confirm booking enquiries — responding to your reservation request and coordinating check-in/check-out logistics
- To communicate with you — sending booking confirmations, pre-arrival information, and responding to your questions
- To manage the accommodation service — ensuring a safe and comfortable stay, resolving issues during your visit
- To comply with Thai legal obligations — retaining records as required by the Revenue Department, local municipality, and Tourism Authority of Thailand
- To improve our service — analysing anonymised usage patterns on this website to improve user experience (no individual profiling)
- To send promotional communications — only if you have given explicit consent; you may opt out at any time
We will not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects.
5 Sharing Your Personal Data
We do not sell, rent, or trade your personal data to third parties for marketing purposes. We share data only in the following limited circumstances:
| Recipient | Purpose | Safeguard |
|---|---|---|
| EmailJS (emailjs.com) | Email delivery service used to transmit booking request forms from this website to our inbox | EmailJS Privacy Policy; data transmitted securely via HTTPS |
| Meta (WhatsApp) | If you contact us via WhatsApp, data is processed under Meta's privacy policy | Meta Privacy Policy applies |
| Airbnb, Inc. | If you book through our Airbnb listing, Airbnb processes your data under their own privacy policy | Airbnb Privacy Policy applies |
| Thai Government Authorities | Disclosure required by law (e.g. police, tax authorities, local government) upon lawful request | Only when legally required |
All third-party service providers acting as data processors are required to process your data only on our instructions and in accordance with applicable data protection law.
6 International Data Transfers (PDPA Chapter 7)
This website is hosted on Cloudflare Pages (Cloudflare, Inc., USA) and uses EmailJS (USA) to process booking form submissions. Your data may therefore be transferred to and processed in countries outside Thailand.
Under PDPA Section 28, international transfers are permitted where:
- The destination country has adequate data protection standards as determined by the PDPA Committee; or
- Appropriate safeguards are in place (contractual clauses, binding corporate rules); or
- The transfer is necessary to perform a contract you have requested (e.g. processing your booking enquiry)
We rely on the contractual necessity basis for transfers to Cloudflare and EmailJS as these are essential to delivering the booking service you requested. Both providers maintain industry-standard security certifications (ISO 27001, SOC 2).
7 Data Retention
We retain your personal data only as long as necessary for the purposes described in this policy, taking into account Thai legal obligations:
| Data Type | Retention Period | Basis |
|---|---|---|
| Booking enquiries (not confirmed) | 90 days after last contact | Legitimate interest |
| Confirmed booking records | 5 years after check-out date | Thai Revenue Code (Section 87/3) requires 5-year accounting records |
| Communication records (email, WhatsApp) | 2 years after last communication | Legitimate interest / legal disputes |
| Website technical data (logs) | 90 days | Computer Crime Act B.E. 2550 (as amended) — Section 26 requires 90-day log retention |
| Marketing consent records | Until consent is withdrawn + 1 year | Compliance with PDPA consent requirements |
After the retention period expires, personal data is securely deleted or anonymised.
8 Your Rights Under the PDPA
As a data subject under the Thai PDPA (Sections 30–43), you have the following rights. To exercise any right, contact us at booking@bangtao.xyz. We will respond within 30 days.
- Know what data we collect, why, and how it is used — this policy fulfils that obligation.
- Request a copy of the personal data we hold about you and information on how it is processed.
- Request correction of inaccurate, incomplete, or misleading personal data.
- Request deletion of your data where there is no longer a lawful basis to retain it.
- Request that we restrict processing of your data in certain circumstances (e.g. while accuracy is disputed).
- Receive your data in a structured, machine-readable format where technically feasible.
- Object to processing based on legitimate interests or for direct marketing at any time.
- Withdraw previously given consent at any time. This does not affect the lawfulness of prior processing.
⚠️ Some rights may be limited where we have an overriding legal obligation to retain data (e.g. Thai accounting records required for 5 years). We will explain any applicable limitations in our response.
If you are dissatisfied with our response, you have the right to lodge a complaint with the Personal Data Protection Committee (PDPC) of Thailand or the Office of the Personal Data Protection Committee (OPDPC) at www.pdpc.or.th.
9 Security Measures
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction (PDPA Section 37):
- HTTPS encryption — all data transmitted between your browser and this website is encrypted using TLS
- Cloudflare protection — website hosted on Cloudflare Pages with DDoS protection and Web Application Firewall
- Access controls — booking emails accessible only to the property owner
- No server-side storage — this website does not operate a database; form submissions are delivered directly to email via EmailJS
- Secure email — we use standard email security (SPF, DKIM) for our booking@bangtao.xyz address
While we take reasonable steps to protect your data, no method of internet transmission is 100% secure. Please contact us immediately at booking@bangtao.xyz if you suspect any unauthorised access to your data.
In the event of a personal data breach that is likely to result in high risk to your rights and freedoms, we will notify you and the PDPC without undue delay in accordance with PDPA Section 37(4).
10 Cookies & Tracking
This website uses minimal cookies and tracking technologies:
| Cookie / Technology | Type | Purpose | Duration |
|---|---|---|---|
| Cloudflare security cookies | Strictly Necessary | Bot detection, DDoS protection, security | Session / 1 year |
| Google Fonts | Functional | Loading web fonts; Google may collect IP address and browser data | Session |
| EmailJS SDK | Functional | Enables booking form email submission | Session |
We do not currently use analytics cookies (e.g. Google Analytics) or advertising/retargeting cookies. If we add any in future, this policy will be updated and your consent sought where required by law.
Under the Thai PDPA and Electronic Transactions Act, strictly necessary cookies do not require consent. For all other cookies, you may adjust your browser settings to refuse cookies, though this may affect website functionality.
11 Children's Privacy
Our service is directed at adults. We do not knowingly collect personal data from children under the age of 10 years (the PDPA minor threshold for requiring parental consent) without verifiable parental or guardian consent.
If you are a parent or guardian and believe your child has submitted personal data to us without consent, please contact us at booking@bangtao.xyz and we will delete it promptly.
12 Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Post a notice on our homepage for significant changes
- Notify you directly by email if the change materially affects your rights
We encourage you to review this policy periodically. Your continued use of this website after changes are posted constitutes acceptance of the updated policy.
13 Contact Us & How to Complain
For any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact:
| Data Controller | Montree — Bangtao.xyz |
| Email | booking@bangtao.xyz |
| Phone / WhatsApp | +66 6 5687 8790 |
| Address | Bangtao 15, Amphoe Thalang, Phuket 83110, Thailand |
| Response time | Within 30 days of receipt (as required by PDPA Section 30) |
Supervisory Authority: If you are not satisfied with how we handle your request, you have the right to lodge a complaint with the Thai Personal Data Protection Committee:
Office of the Personal Data Protection Committee (OPDPC)
Ministry of Digital Economy and Society
120 Moo 3, The Government Complex, Chaeng Watthana Road,
Lak Si, Bangkok 10210, Thailand
Website: www.pdpc.or.th
This Privacy Policy was prepared in accordance with the Personal Data Protection Act B.E. 2562 (2019) of Thailand, the Computer Crime Act B.E. 2550 (as amended 2560), and the Electronic Transactions Act B.E. 2544. In the event of any conflict between the English version and a Thai translation, the Thai version shall prevail for the purposes of Thai law.