Privacy Policy
Effective: 2026-05-03 · Last updated: 2026-05-03
1. Who we are and how to reach us
This website, samuidays.com (the "Site"), is operated by SamuiDays Co., Ltd., a company registered in the Kingdom of Thailand (registered office and company number: [TBD]). We are the data controller for your personal data within the meaning of the Thai PDPA 2022, the EU GDPR (extraterritorial scope for EU/EEA visitors), and Russian Federal Law 152-FZ (where applicable — see §8).
For any privacy question, contact privacy@samuidays.com. We respond within 30 days.
2. What we collect
When you submit a booking enquiry or contact form:
- name, contact email and/or phone;
- intended check-in dates and request parameters (guest count, property type, budget);
- the free-text message you write.
When you just browse the Site:
- standard server logs (IP address, browser type, pages viewed, timestamps) — kept for no more than 30 days;
- strictly necessary cookies only (language, search filters). We do not set analytics, advertising, or marketing cookies.
What we deliberately do not collect: payment-card details, passport / ID numbers, health data, political opinions, biometric data.
3. Lawful bases
- Booking enquiry data — performance of a contract (PDPA s.24(3) / GDPR Art. 6(1)(b)).
- Server logs — legitimate interest in site security (PDPA s.24(5) / GDPR Art. 6(1)(f)).
- Strictly necessary cookies — necessary to deliver the service you requested.
4. Retention
- Booking enquiries: 24 months from your last contact.
- Server logs: up to 30 days.
- Email correspondence: up to 36 months (Postmark archive).
5. Who we share with
We do not sell your data. Sharing is limited to processors strictly necessary to operate the Site:
- OVHcloud SAS (France, EU) — hosting.
- Cloudflare, Inc. (USA) — DDoS protection / static delivery (EU SCCs / adequacy).
- Postmark / ActiveCampaign — transactional email.
- Backblaze B2 (USA / EU region) — encrypted backups.
- Villa owner — only data needed to process your enquiry.
International transfers are protected by Standard Contractual Clauses or adequacy decisions.
6. Your rights
- Access a copy of the personal data we hold about you.
- Rectify inaccurate data.
- Erase data ("right to be forgotten"), except where retention is required by law.
- Restrict or object to processing.
- Withdraw consent.
- Lodge a complaint with PDPC Thailand (pdpc.or.th), your national DPA in the EU, or Roskomnadzor (rkn.gov.ru).
To exercise any right, email privacy@samuidays.com.
7. Security and breaches
Data is encrypted in transit (TLS 1.3) and at rest (AES-256). Database access is least-privilege and logged. We notify PDPC Thailand and EU DPAs within 72 hours of a high-risk breach, and affected users without undue delay.
8. Russian visitors (152-FZ)
The Site runs on a .com domain, the operator is in Thailand, and servers are in the EU. We do not run targeted marketing in Russia, do not use Yandex.Metrica / Yandex.Direct / SMS campaigns to Russian numbers, and do not partner with bloggers focused on a Russian audience.
If you are a Russian resident and believe your 152-FZ rights are affected, contact privacy@samuidays.com.
9. Changes to this policy
Material changes are announced 30 days in advance via an on-site banner.
10. Operator contact
SamuiDays Co., Ltd.
Email: privacy@samuidays.com
Address: [Bangkok / Koh Samui — TBD]