Privacy Policy
How we collect, use, and protect your personal data
Last Updated: June 2026
This Privacy Policy explains how Fireleaf Solutions Co., Ltd. ("we," "us," or "our") collects, uses, stores, and protects your personal data when you use our website, book tours, or interact with our services. We are committed to protecting your privacy in accordance with the Thailand Personal Data Protection Act (PDPA), the EU General Data Protection Regulation (GDPR), and the UK General Data Protection Regulation (UK GDPR).
1. Data Controller
Fireleaf Solutions Co., Ltd.
124/45 Moo 3, Chaweng Beach Road
Koh Samui, Surat Thani 84320, Thailand
Email: privacy@samui.tours
Phone: +66 82 206 8816
As the data controller, we determine the purposes and means of processing your personal data. If you have questions about how your data is handled, please contact our Data Protection Officer at privacy@samui.tours.
2. Personal Data We Collect
We collect the following categories of personal data:
2.1 Information You Provide
- Identity data: Full name, nationality, passport or ID number (when required for tour bookings)
- Contact data: Email address, phone number, WhatsApp number
- Booking data: Tour preferences, travel dates, number of travellers, hotel pickup location, special requirements
- Payment data: Billing name, billing address. Credit/debit card details are processed directly by our payment processor (Authorize.net) and are never stored on our servers.
- Communication data: Messages sent via contact forms, email, WhatsApp, or phone
- Health data: Medical conditions or dietary requirements you voluntarily disclose for tour safety purposes
2.2 Information Collected Automatically
- Device data: Browser type and version, operating system, screen resolution
- Usage data: Pages visited, time spent on pages, click paths, referral source
- Network data: IP address, approximate geographic location (country/city level)
- Cookie data: See our Cookies section and full Cookie Policy
Sensitive data: We do not intentionally collect sensitive personal data such as racial or ethnic origin, political opinions, or biometric data. Any health information you voluntarily provide (e.g., mobility limitations for tour suitability) is processed solely for safety purposes with your explicit consent.
3. Purposes of Processing
We use your personal data for the following purposes:
| Purpose | Description |
|---|---|
| Booking Fulfillment | Processing and managing your tour reservations, sending confirmations, coordinating hotel pickups and logistics |
| Customer Communication | Responding to inquiries, providing tour information, sending pre-trip details, post-tour follow-ups |
| Payment Processing | Processing payments securely via Authorize.net, issuing invoices and receipts, handling refunds |
| Analytics & Improvement | Understanding how visitors use our website, improving user experience, monitoring site performance |
| Marketing | Sending promotional offers and tour recommendations (only with your consent, and you can opt out at any time) |
| Security | Protecting our website against fraud, abuse, and unauthorized access; maintaining system integrity |
| Legal Compliance | Meeting tax, accounting, and regulatory obligations under Thai law |
4. Legal Bases for Processing
4.1 Under the GDPR (EU/EEA Visitors)
- Contract performance (Article 6(1)(b)): Processing necessary to fulfill your booking and provide our tour services
- Consent (Article 6(1)(a)): Marketing communications, non-essential cookies, and processing of health data you voluntarily provide
- Legitimate interest (Article 6(1)(f)): Website analytics, fraud prevention, improving our services — balanced against your privacy rights
- Legal obligation (Article 6(1)(c)): Tax records and accounting requirements under Thai law
4.2 Under the PDPA (Thailand)
- Consent (Section 19): We obtain your consent before collecting and processing your personal data, unless an exemption applies
- Contractual necessity (Section 24(3)): Processing necessary to perform a contract to which you are a party (tour bookings)
- Legitimate interest (Section 24(5)): Processing necessary for our legitimate interests, provided it does not override your fundamental rights
- Legal obligation (Section 24(6)): Compliance with Thai laws including tax and consumer protection regulations
4.3 Under the UK GDPR (UK Visitors)
The same legal bases as described in Section 4.1 above apply to the processing of personal data of individuals in the United Kingdom, in accordance with the UK GDPR and the UK Data Protection Act 2018.
5. Third-Party Data Recipients
We share your personal data with the following third-party service providers, each for specific and limited purposes:
| Service Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Authorize.net (Visa) | Payment processing | Billing name, address, payment card details (processed directly, never stored by us) | United States |
| Google Analytics (Google LLC) | Website analytics | IP address (anonymized), device info, browsing behavior, demographics | United States |
| Google Ads (Google LLC) | Advertising & conversion tracking | Anonymized conversion data, click identifiers | United States |
| Meta/Facebook Pixel (Meta Platforms) | Advertising & remarketing | Browsing behavior, conversion events, hashed identifiers | United States |
| Google Maps (Google LLC) | Map displays & location services | IP address, location data (when maps are loaded) | United States |
| Google Places API (Google LLC) | Displaying customer reviews | No personal data shared (read-only, public review data) | United States |
| WhatsApp (Meta Platforms) | Customer communication | Phone number, message content (initiated by you) | United States |
| WPML (OnTheGoSystems) | Website translation | Language preference (cookie-based) | European Union |
We do not sell, rent, or trade your personal data to any third parties. Data is shared only as described above and under appropriate contractual safeguards.
6. Cross-Border Data Transfers
As our business operates from Thailand and uses international service providers, your personal data may be transferred outside your country of residence. Specifically:
- Thailand → United States: Data shared with Google (Analytics, Ads, Maps), Meta (Facebook Pixel, WhatsApp), and Authorize.net for the purposes described above
- Thailand → European Union: Data shared with WPML/OnTheGoSystems for translation services
6.1 Safeguards
For transfers of personal data from the EU/EEA or UK, we rely on the following safeguards:
- Standard Contractual Clauses (SCCs): We ensure that our US-based service providers have implemented appropriate SCCs as approved by the European Commission
- Data Processing Agreements: All third-party processors are bound by data processing agreements that require them to protect your data to an equivalent standard
- Adequacy decisions: Where applicable, transfers are made to countries that the European Commission has determined provide an adequate level of data protection
For transfers under the PDPA, we ensure that the receiving country has adequate data protection standards or that appropriate safeguards are in place, in accordance with the notifications issued by the Personal Data Protection Committee (PDPC).
7. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required by law.
| Data Category | Retention Period | Reason |
|---|---|---|
| Booking & transaction records | 7 years | Thai tax and accounting obligations (Revenue Code) |
| Consent records | 5 years after withdrawal | PDPA compliance and audit trail requirements |
| Analytics data | 26 months | Google Analytics default retention setting |
| Marketing consent records | Until consent is withdrawn | Active consent required for ongoing marketing |
| Customer communication logs | 3 years | Customer service quality and dispute resolution |
| Website server logs | 90 days | Security monitoring and incident response |
When the retention period expires, your data is securely deleted or anonymized so that it can no longer be linked to you.
8. Your Rights
Depending on your location and the applicable data protection law, you have the following rights regarding your personal data:
| Right | Description | GDPR | PDPA | UK GDPR |
|---|---|---|---|---|
| Access | Request a copy of the personal data we hold about you | ✓ | ✓ | ✓ |
| Rectification | Request correction of inaccurate or incomplete data | ✓ | ✓ | ✓ |
| Erasure | Request deletion of your personal data (subject to legal retention requirements) | ✓ | ✓ | ✓ |
| Restriction | Request that we limit how we process your data | ✓ | ✓ | ✓ |
| Portability | Receive your data in a structured, machine-readable format | ✓ | ✓ | ✓ |
| Objection | Object to processing based on legitimate interest or for direct marketing | ✓ | ✓ | ✓ |
| Withdraw Consent | Withdraw previously given consent at any time (without affecting prior lawful processing) | ✓ | ✓ | ✓ |
8.1 How to Exercise Your Rights
To exercise any of the above rights, please contact our Data Protection Officer:
Email: privacy@samui.tours
Response time: We will respond to your request within 30 days. If your request is complex, we may extend this by an additional 60 days, and we will notify you of any extension.
We may ask you to verify your identity before processing your request to ensure we are acting on behalf of the rightful data subject.
8.2 Right to Complain
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the relevant supervisory authority:
- Thailand: Personal Data Protection Committee (PDPC) — www.pdpc.or.th
- European Union: Your local Data Protection Authority (DPA) — see EDPB member list
- United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk
9. Children's Privacy
Our services are not directed at children under the age of 16. We do not intentionally collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16 without appropriate parental consent, we will take steps to delete that data promptly.
If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@samui.tours.
10. Automated Decision-Making
We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you. All booking confirmations and customer-related decisions are made by our team members.
11. Cookies
Our website uses cookies and similar tracking technologies. Cookies are small text files stored on your device that help us provide and improve our services. We use the following categories of cookies:
- Strictly necessary cookies: Essential for website functionality (e.g., session management, language preferences). These do not require consent.
- Analytics cookies: Help us understand how visitors use our website (Google Analytics). Loaded only with your consent.
- Marketing cookies: Used to deliver relevant advertisements (Google Ads, Meta Pixel). Loaded only with your consent.
You can manage your cookie preferences at any time using the cookie settings banner on our website. For full details, please read our Cookie Policy.
12. EU Representative
In accordance with Article 27 of the GDPR, we have appointed a representative in the European Union for data subjects in the EU/EEA:
13. UK Representative
In accordance with Article 27 of the UK GDPR, we have appointed a representative in the United Kingdom:
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make changes:
- The "Last Updated" date at the top of this page will be revised
- For material changes that significantly affect your rights, we will notify you via email (if we have your email address) or through a prominent notice on our website
- We encourage you to review this policy periodically
15. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Fireleaf Solutions Co., Ltd.
Data Protection Officer
124/45 Moo 3, Chaweng Beach Road
Koh Samui, Surat Thani 84320, Thailand
Email: privacy@samui.tours
Phone: +66 82 206 8816
WhatsApp: Send us a message
