Legal Document

Privacy Policy

Effective date: 1 May 2026 · Version 1.0

This Privacy Policy explains how TDAC-Portal ("Company," "we," "us") collects, uses, discloses, and retains your personal data when you use our website and services. Please read it carefully before submitting any information. If you do not agree, do not use the Service.

1. Data Controller

TDAC-Portal is the Data Controller of your personal data for the purposes of the EU General Data Protection Regulation (GDPR), the Thailand Personal Data Protection Act B.E. 2562 (PDPA), and equivalent applicable data protection laws.

Contact for data protection matters:
Email: privacy@visatourist.org

2. Data We Collect and Why

We collect only the information that is necessary to provide the Service:

Category	Data Collected	Purpose	Legal Basis
Identity	Full name, date of birth, nationality, gender	Completing TDAC form fields	Contract performance (Art. 6(1)(b) GDPR)
Passport	Passport number	Completing TDAC form fields	Contract performance
Travel	Flight number, arrival date, port of entry, accommodation name, address, city	Completing TDAC form fields	Contract performance
Contact	Email address, phone number (with country code)	Delivery of confirmation; support correspondence	Contract performance
Health (Sensitive)	Yellow-fever-risk country travel, current symptoms, prescription medications	Completing mandatory TDAC health declaration fields	Explicit consent (Art. 9(2)(a) GDPR; PDPA s.26)
Payment	Order amount, Stripe transaction ID, payment timestamp	Order confirmation; financial records	Contract performance; legal obligation
Technical	IP address, browser type, session cookies	Security, fraud prevention, session management	Legitimate interests (Art. 6(1)(f) GDPR)

Health data requires your separate, explicit consent. Before collecting any health declaration, we will present a standalone consent prompt that must be actively accepted. This consent is distinct from acceptance of our Terms of Service and can be withdrawn at any time prior to submission to Thai Immigration (after submission to Thai Immigration, we cannot reverse that transfer).

We do not collect payment card numbers. Card data is entered directly into Stripe's secure elements and never passes through or is stored on our infrastructure.

3. How We Use Your Data

Service delivery: Preparing, reviewing, and submitting your TDAC to Thai Immigration.
Communication: Sending your confirmation email, QR pass, and any case updates.
Customer support: Responding to queries about your application.
Legal and financial record-keeping: Maintaining payment records as required by applicable financial regulations.
Security and fraud prevention: Detecting and preventing fraudulent or unauthorized use of the Service.

We do not sell your personal data to any third party. We do not use your data for advertising or profiling purposes.

4. Data Sharing and Transfers

Your personal data may be shared with the following recipients:

Recipient	Role	Purpose	Transfer Mechanism
Thai Immigration Bureau	Independent controller	Official TDAC submission (the core purpose of the Service)	Art. 49(1)(b) GDPR derogation (necessary for contract performance at your request)
Stripe, Inc.	Data processor	Payment processing	EU-US Data Privacy Framework + SCCs; Stripe DPA
Cloud hosting provider	Data processor	Infrastructure and secure data storage	Data Processing Agreement + SCCs
Email delivery provider	Data processor	Sending confirmation emails	Data Processing Agreement + SCCs

International transfers: Your data will be transferred to Thailand (Thai Immigration) as the specific and explicit purpose for which you engaged us. This transfer is necessary to perform the contract between us (GDPR Art. 49(1)(b)). We are transparent about this transfer at the point of data collection. All other third-country transfers are covered by Standard Contractual Clauses or adequacy decisions.

5. Data Retention

We apply strict, purpose-limited retention periods:

Data Type	Retention Period	Reason
Passport number, nationality, date of birth, health declarations	30 days after successful TDAC submission, then securely deleted	Dispute resolution window; no further purpose after submission
Name, email address	12 months after service delivery	Support queries; post-service correspondence
Payment records (order ID, amount, timestamp, Stripe reference)	7 years	Legal financial record-keeping requirements
Session and security logs	90 days	Security monitoring and incident investigation

Data is deleted or anonymized at the end of its retention period using secure deletion methods. Note: data already transmitted to Thai Immigration cannot be deleted by us from their systems; our retention obligations apply only to data we hold.

6. Your Rights

Subject to applicable law, you have the following rights regarding your personal data:

Access (Art. 15 GDPR): Request a copy of all personal data we hold about you.
Rectification (Art. 16 GDPR): Request correction of inaccurate or incomplete data.
Erasure (Art. 17 GDPR): Request deletion of your data where it is no longer necessary for the purposes for which it was collected, or where you withdraw consent (health data).
Restriction (Art. 18 GDPR): Request that we limit processing of your data in certain circumstances.
Portability (Art. 20 GDPR): Receive a machine-readable copy of data processed on the basis of contract or consent.
Objection (Art. 21 GDPR): Object to processing based on legitimate interests.
Withdraw consent: Withdraw consent for health data processing at any time prior to submission to Thai Immigration.
Lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority (EU users: your national DPA; UK users: the ICO; Thai users: the PDPC).

To exercise any of these rights, email privacy@visatourist.org. We will respond within 30 days. We may ask you to verify your identity before processing your request.

Important limitation: If your data has already been submitted to Thai Immigration, we can delete the copy we hold, but we are unable to remove data from Thai government systems. Please contact Thai Immigration directly for requests relating to data held by them.

7. Data Security

We implement industry-standard security measures to protect your personal data, including:

AES-256-GCM encryption for data at rest;
TLS 1.3 encryption for all data in transit;
Strict access controls and role-based permissions;
Regular security assessments; and
Stripe.js for payment processing, ensuring card data never enters our infrastructure.

In the event of a data breach likely to result in risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours (GDPR Art. 33) and, where required, notify you directly without undue delay (GDPR Art. 34).

8. Cookies

We use a limited number of cookies necessary for the operation of the Service. For full details, see our Cookie Policy.

9. Children

The Service is directed to adults (18+). We do not knowingly collect personal data directly from children under 16. If you are a parent or guardian submitting data on behalf of a minor traveler, you represent that you have the legal authority to do so and consent to this Privacy Policy on behalf of the minor.

10. Thailand PDPA

For users who are data subjects in Thailand, this Privacy Policy also serves as our PDPA Notice as required by Section 23 of the Personal Data Protection Act B.E. 2562. Your rights under the PDPA are equivalent to those described in Section 6 above. To exercise PDPA rights or lodge a complaint, contact privacy@visatourist.org or the Office of the PDPC at pdpc.go.th.

11. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes by posting the updated policy with a new effective date. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.