CTCyber Tour Phuket
Legal

Privacy Notice

Last updated: February 2026

1. Who we are

Cyber Tour Phuket Co., Ltd. (TAT Licence No# 34/2335) is the data controller of the information you share with us through the B2B partner portal. Registered office: 128/50 Moo 5, Pracha U Thit Road, T. Rassada, A. Muang, Phuket 83000, Thailand.

2. What we collect

  • Account data — name, work email, company, phone, role, business registration / TAT licence number.
  • Booking data — passenger names, dates, pick-up / drop-off, tour selections, special requests you enter in itineraries you build for your clients.
  • Payment data — bank transfer slips you upload; card payments are processed by ChillPay Thailand (we never see the card number).
  • Technical data — IP address, browser / device, login timestamps, and the audit log of admin actions on your account. IP addresses are also resolved to an approximate city / country via a third-party geo-lookup service so administrators can identify the location of active sessions (used solely for account security and operational visibility).

3. Why we process it (legal basis under PDPA)

  • Contract — to register your agency, quote tours, book suppliers, issue invoices and credit notes.
  • Legitimate interest — fraud detection, abuse prevention, system security (session tracking, two-factor authentication).
  • Legal obligation — tax records, ChillPay merchant-acquirer reporting, TAT regulatory record-keeping.
  • Consent — sending promotional rates and product updates by email; you can withdraw any time by replying UNSUBSCRIBE or asking your account manager.

4. Who we share it with

  • Suppliers we contract to fulfil the booking (boat operators, transfer companies, hotels). They receive only what they need to execute the service.
  • ChillPay — Thailand-licensed payment gateway for card / QR / online banking transactions.
  • Cloud infrastructure — MongoDB, AWS S3 / Emergent object storage, Meta WhatsApp Business API (outbound notifications), and a third-party IP geo-lookup service (ipwho.is) used to display approximate session locations on the admin presence dashboard.
  • Authorities if required by a court order or applicable Thai law.

We do not sell your data, ever.

5. How long we keep it

Booking and accounting records are kept for 10 years as required by Thai accounting law. Inactive partner accounts are anonymised after 36 months of no login. You can request earlier deletion (see your rights below) and we will honour it unless we are legally obliged to keep it longer.

6. Your rights

Under the PDPA you may at any time:

  • Access a copy of the personal data we hold about you.
  • Ask us to correct anything that's wrong or outdated.
  • Ask us to erase your account (subject to legal retention).
  • Object to direct marketing or withdraw consent.
  • Receive a portable copy of your data in a common machine-readable format.
  • Lodge a complaint with the Personal Data Protection Committee of Thailand.

To exercise any of the above, email online@cybertourthailand.com with the subject line "PDPA request". We respond within 30 days.

7. Security

Passwords are stored hashed with bcrypt; admins can enable two-factor authentication and revoke active sessions from any device. All traffic is encrypted in transit (TLS). Uploaded files are scanned for type spoofing before acceptance. Every privileged change is recorded in an append-only audit log.

8. Cookies

We only use cookies that are strictly necessary — a singleaccess_tokencookie to keep you signed in. No tracking, no analytics, no advertising cookies.

9. Changes

If we materially change this notice we will email all registered partners and update the "Last updated" date above. Continued use of the portal after the change constitutes acceptance of the revised notice.

10. Contact

Cyber Tour Phuket Co., Ltd. · 128/50 Moo 5, Pracha U Thit Road, T. Rassada, A. Muang, Phuket 83000, Thailand.
Phone: +66 81 797 2288 · Email: online@cybertourthailand.com

← Back to homepageApply for B2B access →