Skip to main content
Thailand Travel Card
Apply now

Privacy Policy

Effective date: 1 April 2026. Last updated: 2026-05-21. This policy describes how we handle personal data for the TDAC concierge service.

1. Data controller

The data controller for the information you submit through this service is Digital Nafta Portal FZCO, a company registered in the International Free Zone Authority (IFZA), Dubai Silicon Oasis (DSO), United Arab Emirates, which operates the Thailand Travel Card service. Payments are billed through Thailand Travel Card S.L., a company registered in Spain. You can reach the controller about privacy and exercise your data-protection rights at privacy@thailandtravelcard.com.

2. Data we collect

  • Personal details (name, date of birth, nationality, email, phone) needed to file the TDAC.
  • Passport data (number, issuing country, issue/expiry dates) used only for filing with Thai Immigration.
  • Trip and accommodation details required by the TDAC form.
  • Payment metadata from Stripe (no full card numbers are ever stored on our servers).
  • Device, browser and IP information for fraud prevention and chargeback defence.

3. How we use the data

We use the data only to file your TDAC with Thai Immigration, deliver your approved card, provide support and prevent fraud. We do not sell personal data. We do not use it for advertising.

4. Retention

Passport data is deleted 30 days after delivery of the approved TDAC. Order and invoice records are kept for 7 years to comply with tax law. Fraud-signal metadata is kept for 180 days.

5. Your rights

Subject to applicable law (GDPR Articles 15 and 17, Thailand PDPA sections 30 and 33) you can request access, correction, deletion or a copy of your data. Use our self-service data rights page — enter your email, choose export or deletion, and we send a signed verification link valid for 24 hours to your registered email address. The flow is entirely self-service:

  • Export — download a JSON snapshot of your orders, drafts, terms acceptances and email log. The export is scoped strictly to your own data.
  • Deletion — schedule hard-deletion 30 days out. You can cancel yourself within that undo window from the same email link; you never need to contact support to undo a deletion.

If you prefer email, write to privacy@thailandtravelcard.com. We respond within 30 days.

6. Lawful basis (GDPR Article 6)

Order fulfilment and payment rely on Article 6(1)(b) — performance of a contract. Health-declaration fields rely on Article 9(2)(a) — explicit consent. Fraud and chargeback prevention rely on Article 6(1)(f) — legitimate interests, with human review on every block. Optional analytics and marketing cookies (when enabled) rely on Article 6(1)(a) — consent. Transferring your declaration to the Thai Immigration Bureau relies on Article 49(1)(b) — necessary for the contract you instructed us to perform.

Our complete lawful basis register — including data categories, retention periods and cross-border transfer mechanisms for every processor — is maintained at docs/legal/lawful-basis.md and available on request to privacy@thailandtravelcard.com.

7. Sub-processors

We use Stripe for payments, Resend for transactional email, Fingerprint.js Pro and MaxMind for fraud prevention. Each acts as a sub-processor under a signed Data Processing Agreement.

For users in the EEA, the United Kingdom and Switzerland, automated processing of your order is enforced at the code level to use EU-resident infrastructure only — we never route your order through a non-EU residential proxy. The technical guard that enforces this lives in workers/bot/src/proxy-guard.ts and is exercised by tests on every CI run.

See also our terms of service.

Privacy Policy · Thailand Travel Card