Legal
Privacy Policy
How we collect, use, share and safeguard your personal information when you browse, enquire, or book a tour with us.
Samui Tourist Information Ltd. Partnership ("Koh Sanuk", "we", "us" or "our") respects your privacy and takes the protection of your personal data seriously. We collect personal data from our customers, partners, and visitors in order to provide tour, yacht-charter, and transfer services — and to keep you informed about those services in a way that genuinely helps you plan your trip.
This Privacy Policy ("Policy") explains what data we collect, why we collect it, how we use and share it, how long we keep it, and the choices and rights you have. It applies whenever you visit any Koh Sanuk website, contact us by email, phone or messaging, or book any service we offer.
We review this Policy regularly to keep it current with our operations, the technologies we use, and the regulations that apply to us — primarily the Thai Personal Data Protection Act B.E. 2562 (2019) ("PDPA") and, where applicable, the EU General Data Protection Regulation ("GDPR"). We may update this Policy from time to time; the version you are reading is the current one. Material changes will be highlighted at the top of the page when they take effect.
For purposes of this Policy:
"Personal Data" means information that identifies you or could reasonably be used to identify you — for example your name, contact details, or device identifiers — together with any information we link to you.
"Sensitive Data" means personal data that, under the PDPA, requires heightened protection: racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual orientation or behaviour, criminal records, health and disability information, trade-union membership, genetic data, and biometric data. Of these categories, the only sensitive item we routinely collect is your nationality, which is required by Thai law for tour-operator records and by some transfer providers for passenger manifests.
How we collect your data
We collect personal data through two main channels:
- Data you give us directly — when you fill in an enquiry or booking form, write to us by email or chat, call us, walk into our office, sign up for an account, or interact with us on social media.
- Data we receive from third parties — for example our payment processor (Omise) when you pay for a booking, our service partners (boat operators, transport providers) when they confirm a reservation, our hosting and analytics providers when you browse the site, and any individual or organisation with a legal relationship to us who legitimately shares data with us.
What data we collect
The categories below cover everything we may collect through the channels above:
- Identity information — title, first name, last name, nationality, country of residence, and the hotel address where you stay during your trip (so our drivers can find you).
- Contact information — phone number, email address, and your preferred messenger handle (WhatsApp, LINE, Telegram, etc.) so we can confirm and operate the booking.
- Booking information — the tour or service you have requested, dates, group size, special requirements (dietary, accessibility, child seats), and any free-text notes you send us.
- Payment information — we do not store payment-card numbers, CVV codes, or full card details on our servers. Card payments are handled directly by Omise (PCI-DSS Level 1 certified); we receive only a tokenised reference, the last four digits, the issuing country, and the authorisation result.
- Technical information — IP address and approximate location derived from it, browser type and version, operating system, device model, referrer URL, pages visited, time spent, cookie identifiers, and similar information from the device you use to access the site.
- Account information — if you create an account: username, email, a securely hashed password (we never store passwords in plain text), and a log of significant actions you take in your account (sign-ups, logins, bookings, exports).
- Communications — the content of messages you send us, copies of emails we exchange, and records of any complaints or feedback.
Why we use your data (legal bases)
We only process your data when we have a lawful reason to do so. Under the PDPA and the GDPR, the relevant bases for our processing are:
- Performance of a contract — to deliver the tour, charter, or transfer you have booked, to communicate with you about the booking, to issue receipts and vouchers, and to handle complaints or refunds.
- Compliance with legal obligations — to keep records required by Thai tax, tourism, and accounting law (the TAT licence regime, the Revenue Code, anti-money-laundering rules), and to respond to lawful requests from authorities.
- Legitimate interests — to improve our services (analysing aggregated usage, fixing errors, testing new features), to secure the site against fraud and abuse, and to maintain general business records. We balance these interests against your rights and have no automated decision-making with significant effects on you.
- Consent — for marketing communications (email newsletters, special offers, retargeting), for non-essential cookies, and for any other use we ask you about specifically. You can withdraw consent at any time without affecting processing already carried out.
Who we share your data with
We share personal data only where we need to in order to operate the service or to comply with the law. We never sell your data. The recipients are:
- Our team — directors, employees, and the partners listed on our office documents — strictly on a need-to-know basis to deliver your booking.
- Tour operators and service providers — the boat captains, transport companies, restaurants, dive instructors, and hotels who actually run the experiences we sell. They receive only the data they need to deliver their part (typically your name, contact, pick-up address, and group composition).
- Payment processors — Omise (the licensed gateway that handles all online card transactions), and the relevant card networks (Visa, Mastercard, JCB, etc.). They receive payment details directly from you via their secure forms; we receive only the result.
- Technical providers — our hosting, email, analytics, anti-fraud, and customer-support providers. They process data on our behalf under contracts that bind them to confidentiality and to PDPA / GDPR-equivalent safeguards.
- Professional advisers — our auditors, tax accountants, and legal counsel, when we genuinely need their advice and they have a confidentiality obligation.
- Authorities — Thai tax, tourism, immigration, and law-enforcement bodies, when we are legally required to disclose, or when disclosure is necessary to protect life, property, or our legal rights.
- Anyone you authorise — for example, a travel agency you have asked us to coordinate with.
International transfers
Koh Sanuk is based in Thailand and most of your data stays here. However, some of our service providers (notably hosting, email delivery, analytics, and payment processing) are based in or route traffic through other countries, including the EEA, the United States, Singapore, and India. When we transfer data outside Thailand or the EEA we rely on one or more of the following safeguards: an adequacy decision from the relevant authority, Standard Contractual Clauses (SCCs), or your explicit consent for the specific transfer.
How long we keep your data
We do not keep your data longer than necessary. Specifically:
- Booking and customer records — kept for seven (7) years after the booking concludes, to comply with Thai accounting and tax-record requirements (Revenue Code §83/13 and §93).
- Marketing-list data — kept until you unsubscribe or otherwise withdraw consent, whichever comes first.
- Technical / cookie data — kept for up to 14 months in identifiable form, then aggregated.
- Account data — kept while your account is active and for one (1) year after you close it, in case of post-trip disputes or refund claims.
- Data subject to ongoing legal proceedings — kept until the matter is resolved and the applicable limitation period has expired.
After the relevant period we either securely delete the data or anonymise it so that it can no longer identify you.
How we keep your data secure
We use industry-standard technical and organisational measures to protect your data: TLS encryption for all web traffic, hashed passwords (bcrypt), restricted access controls for employees, off-site encrypted backups, regular security reviews of our hosting infrastructure, and contractual safeguards with every processor. We do not store payment-card details — those go directly to our PCI-DSS-certified processor.
No system is perfect, and if we ever become aware of a data breach that affects your rights we will notify you and the relevant authorities without undue delay, in accordance with the PDPA and the GDPR.
Cookies
We use cookies and similar technologies on our site for three purposes: strictly necessary cookies (which keep you logged in, store your basket, and remember your language and currency), analytics cookies (which help us understand which pages visitors find useful), and marketing cookies (which support advertising and retargeting). Only the strictly necessary cookies are set by default; analytics and marketing cookies are loaded only after you give your explicit consent in the cookie banner.
You can change your cookie preferences at any time through the link in the site footer, and you can clear cookies from your browser settings. If you disable strictly necessary cookies, parts of the site (login, booking, currency switching) will not work.
Your rights
Under the PDPA, the GDPR, and most other major data-protection laws, you have the following rights in relation to the personal data we hold about you. We will respond to any request within 30 days and free of charge in most cases.
- Right of access — request a copy of the personal data we hold about you, in a commonly used machine-readable format.
- Right to rectification — ask us to correct any data that is inaccurate, out-of-date, or incomplete.
- Right to erasure ("right to be forgotten") — ask us to delete data we hold about you. We may refuse only where the law requires us to keep specific records (for example tax records during their statutory retention period).
- Right to restrict processing — ask us to pause processing while we verify a correction or evaluate an objection.
- Right to object — object to processing based on our legitimate interests (including profiling for marketing), in which case we will stop unless we have compelling grounds that override your rights.
- Right to data portability — receive the personal data you provided to us in a structured, commonly used format, and have it transmitted to another controller where technically feasible.
- Right to withdraw consent — at any time, by clicking the unsubscribe link in any marketing email, by changing your cookie preferences, or by writing to us. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
- Right to lodge a complaint — with the relevant data-protection authority: in Thailand, the Personal Data Protection Committee (pdpc.or.th); in the EU, your national supervisory authority (a list is maintained at edpb.europa.eu).
To exercise any of these rights, write to us using the contact details below. We may ask you to verify your identity before acting on a request, to make sure we are not releasing your data to someone else.
Children
Our services are intended for adults. We do not knowingly collect personal data from anyone under 16. If you are a parent or guardian and believe your child has provided personal data to us without your consent, please contact us and we will delete it.
Changes to this Policy
If we make material changes to this Policy we will post a clear notice on the page and, where required, contact you directly. Continuing to use our services after a change means you accept the updated Policy.
How to reach us
Questions about this Policy, requests to exercise any of your rights, or concerns about how we handle your data should go to:
Samui Tourist Information Ltd. Partnership
135 Moo 3, Maret, Koh Samui, Surat Thani 84310, Thailand
Email: support@kohsanuk.com
Phone / WhatsApp: +66 82 279 4936
We aim to acknowledge every privacy enquiry within two working days and to give you a full answer within thirty days.
Questions about how we handle your data?
Our office on Koh Samui is staffed by real people — happy to walk you through anything in this document or process a data request.