Personal Information Protection Policy

Effective Date: [2025-5-11]

Last Updated Date: [2025-5-11]

Welcome to the services provided by MongThai Company Limited (hereinafter referred to as "we", "us", "our", or "MongThai") through its website www.mongthai365.com and mobile application "MongThai". We are committed to protecting your personal information in accordance with Thailand's Personal Data Protection Act B.E. 2562 (2019) (PDPA) and other applicable laws and regulations. This policy aims to explain how we collect, use, disclose, transfer, and protect your personal information when you use our website, mobile application, and related services (collectively, "Services").

Please read this policy carefully. By using our Services, you understand and agree to the practices described in this policy.

1. Who We Are (Data Controller Information)

Company Name: MongThai Company Limited
Contact Information:
- Email: services@mongthai365.com
Data Protection Officer (DPO) or Designated Contact: services@mongthai365.com
Our Data Protection Officer/Contact Person is responsible for overseeing our compliance with this policy and the PDPA.

2. Legal Basis for Processing Your Personal Information

We only collect and process your personal information when we have a lawful basis under the Thai PDPA and other applicable laws. These bases primarily include:

Contractual Basis: Necessary for the performance of a contract to which you are a party, such as providing travel booking and related services.
Consent: In specific situations, particularly when processing your sensitive personal information or for direct marketing purposes, we will seek your explicit consent.
Legitimate Interest: Necessary for our legitimate business interests, such as improving services, fraud prevention, and maintaining platform security, provided these interests do not unduly affect your rights and freedoms. We have assessed the relevant legitimate interests.
Legal Obligation: Necessary for compliance with a legal obligation to which we are subject, such as reporting to government agencies or responding to legal processes.

3. Types of Personal Information We Collect

To provide you with travel booking and related services, we may collect the following types of personal information:

Identity Information: Full name, title, date of birth, age, gender, nationality, passport number, ID card number and expiry date, country of issuance, visa information (if applicable).
Contact Information: Mailing address, billing address, email address, telephone number (landline and/or mobile, if you choose to provide it).
Booking and Itinerary Information: Flight number, origin, destination, dates and times, hotel name, address, check-in and check-out dates, car rental information, tour activity booking details, information of accompanying travelers (if you book for others, you must ensure you have their authorization to provide their personal information), seat preferences, meal preferences, frequent flyer program numbers.
Payment Information: Credit/debit card type, card number (we typically process this through a PCI-DSS compliant third-party payment gateway, and we may only store partially masked information such as a token or the last four digits and expiry date), bank account information (if paying by bank transfer), payment transaction records.
Technical Information: IP address, device type, operating system, browser type and version, login data, access times and dates, browsing history, cookie information (see "Cookies and Tracking Technologies" section below), geolocation information (if you authorize).
Account Information: Username, password (encrypted), user preferences, favorites, customer service records, communication records.
Sensitive Personal Information (requires your explicit consent):
- Health conditions or disability information (e.g., when you request special assistance, medical support, or have specific health-related travel requirements).
- Religious or philosophical beliefs (e.g., when you have special meal requests related to religion).
- Biometric data (e.g., may be used for identity verification at some airports or hotels, we will clearly inform you and obtain your consent).
- Criminal records (only if legally required or permitted, e.g., for specific visa applications).
We only collect and process sensitive personal information when necessary and with your explicit consent (e.g., through a dedicated, un-pre-ticked consent box or by clearly informing you at the point of collection and obtaining consent) or as permitted by law.

4. How We Collect Your Personal Information

We collect your personal information through the following means:

Directly from You: When you register an account on the MongThai platform, make a booking, fill out forms, contact customer service, participate in promotions, or surveys.
Automated Collection: When you use our Services, we automatically collect certain technical information through cookies, server logs, and other similar technologies.
Third-Party Sources: From partners related to your booking, such as airlines, hotels, car rental companies, travel agencies, Global Distribution Systems (GDS); from payment service providers for transaction confirmation; from social media platforms (if you choose to log in to our Services using your social media account); from publicly available sources (where legally permitted).

5. Purposes for Using Your Personal Information

We use your personal information for the following purposes, based on the corresponding legal bases (as outlined in Section 2):

Creating and managing your account
Processing your bookings and purchase requests
Providing travel-related services
Processing payments
Customer service and support
Communicating with you (sending booking confirmations, itinerary changes, important notices)
Personalizing your experience
Marketing and promotions (with your consent)
Improving our services and products
Ensuring the security of our platform and preventing fraud
Complying with legal and regulatory requirements
Conducting data analysis and research (usually anonymized or aggregated)

6. How We Share and Disclose Your Personal Information

To provide services and achieve the purposes mentioned above, we may share your personal information with the following types of third parties:

Travel service providers, Global Distribution Systems (GDS), and technology partners, payment processors and financial institutions, customer service partners, marketing and advertising partners (with your consent), IT service providers, government agencies and law enforcement, professional advisors, and in the event of a business transfer.
We require all third parties to strictly adhere to confidentiality obligations, implement appropriate security measures to protect your personal information, and only use your information for purposes specified by us.

7. Cross-Border Transfer of Personal Information

Due to the global nature of the travel business, your personal information may be transferred to countries outside of Thailand. When we conduct such cross-border transfers, we will ensure that the recipient has an adequate level of data protection recognized by the PDPA, or has implemented appropriate safeguards required by the PDPA (such as Standard Contractual Clauses - SCCs), or the transfer is based on other specific circumstances permitted by law (such as necessity for the performance of a contract or with your explicit consent).

8. Data Security

We have implemented appropriate technical and organizational security measures (such as data encryption, access controls, firewalls, etc.) to prevent your personal information from being accidentally lost, accessed, used, altered, or disclosed without authorization. Although we strive to protect your information, data transmission over the internet is not absolutely secure.

You are also responsible for keeping your account credentials (such as passwords) confidential and not sharing them with others.

9. Data Breach Notification

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will, in accordance with the Thai PDPA, promptly notify the Personal Data Protection Committee (PDPC) of Thailand, and, where necessary, notify affected individuals.

10. Data Retention

We will only retain your personal information for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period, we consider the amount, nature, and sensitivity of the personal information, the potential risk, the purposes of processing, and applicable legal requirements. When your personal information is no longer needed, we will securely delete or anonymize it.

11. Your Rights

Under the Thai PDPA, you have the following rights regarding your personal information:

Right to Access
Right to Rectification
Right to Erasure / Right to be Forgotten
Right to Restrict Processing
Right to Data Portability
Right to Object (especially against processing based on legitimate interests or for direct marketing)
Right to Withdraw Consent (without affecting the lawfulness of processing before withdrawal)
Right to Lodge a Complaint (to the Personal Data Protection Committee - PDPC of Thailand)

Exercising Your Rights:

To exercise any of the above rights, please contact us using the contact details provided in Section 1 or Section 18 of this policy. We may ask you to provide reasonable proof of identity to ensure the security of your information and verify your identity. We will respond to your request within the statutory period (usually 30 days, which may be extended in special circumstances). Exercising your rights is generally free of charge, but for repetitive or manifestly unfounded requests, we reserve the right to charge a reasonable fee as permitted by the PDPA.

12. Cookies and Tracking Technologies

Our website (www.mongthai365.com) and MongThai mobile application may use cookies and similar tracking technologies.

13. MongThai Application Permissions

To provide you with full functionality and the best user experience, the MongThai application may request access to certain features or information on your mobile device. We only request these permissions when necessary to provide you with specific services or features, or with your explicit consent. Below is a list of permissions we may request and their primary purposes:

Permission Name (Android/iOS Generic Description)	Purpose of Permission	Can User Refuse & Impact
Location	Find nearby hotels, attractions, restaurants, or transport stations. Display your current location and plan routes on a map. Provide location-based personalized recommendations or offers (if you consent).	You can refuse. If refused, some location-based services (e.g., "nearby recommendations") may be unavailable or have limited functionality.
Camera	Allow you to scan QR codes (e.g., e-tickets, hotel check-in vouchers). Allow you to take and upload photos (e.g., for user avatars, attraction reviews). (If applicable) Scan passports or ID documents for quick information filling.	You can refuse. If refused, functions requiring the camera (e.g., QR code scanning, photo upload) will be unavailable.
Storage/Files	Store downloaded e-tickets, itineraries, hotel booking vouchers, etc., on your device. Cache data to improve app performance and offline access experience. Allow you to upload files from your device (e.g., documents for identity verification).	You can refuse. If refused, you may not be able to save offline files, cache data, or upload files.
Notifications	Send you important notifications such as booking confirmations, flight status updates, itinerary reminders. Send you promotional offers, deals, and personalized recommendations (if you consent to receive marketing notifications).	You can manage notification settings. If turned off, you may not receive important updates or promotional information promptly.
Network Access	Connect to the internet to download the latest travel information, complete bookings, synchronize data, etc.	This is essential for the core functionality of the app. Without network access, most app functions will be unavailable.

You can usually manage or revoke permissions granted to the app in your mobile device's "Settings" menu.
We only use the data accessed through these permissions for the explicitly stated purposes.

14. Minors' Privacy

Our Services are primarily intended for adults. We do not knowingly collect personal information from minors under the age of 20 without the consent of their parents or legal guardians (for minors under 10, consent must be obtained from parents or legal guardians; for minors aged 10 to under 20, they may consent themselves in certain circumstances, or parental/guardian consent is required, depending on their capacity and the nature of the transaction). We will take reasonable steps to try to verify age and the validity of consent.

If a parent or guardian becomes aware that their child has provided us with personal information without their consent, please contact us immediately. If we learn that we have collected personal information from a minor without necessary parental or guardian consent, we will take steps to delete such information as soon as possible.

15. Third-Party Links and Services

Our Services may contain links to third-party websites, plugins, or services not operated by us (e.g., payment gateways, social media logins, partner websites). Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our Services, we encourage you to read the privacy policy of every website or service you visit.

16. Changes to This Policy

We may update this Personal Information Protection Policy from time to time to reflect changes in our business practices or updates to laws and regulations. Any changes will be posted as a revised policy on our website (www.mongthai365.com) and/or the MongThai mobile application, with an updated "Last Updated Date". If the changes significantly affect your rights, we will notify you through appropriate means (e.g., by posting a prominent notice on our website or sending you an email). We encourage you to review this policy periodically to stay informed about how we protect your information.

17. Policy Language

This Personal Information Protection Policy is written in English. To comply with local Thai legal requirements and for the convenience of Thai users, we also provide a Thai version of this policy.

18. Contact Us

If you have any questions, comments, or concerns about this Personal Information Protection Policy or how we handle your personal information, or if you wish to exercise your rights, please contact us or our Data Protection Officer (DPO)/Designated Contact Person at:

MongThai Company Limited (MongThai)
Email: services@mongthai365.com
DPO or Designated Contact Email: services@mongthai365.com

We will endeavor to respond to your request in a timely manner.