Privacy Policy

1. Introduction and Scope
This Privacy Policy explains how Escape Villas (“we,” “us,” or “our”) collects, uses, discloses, and protects your Personal Data. We are committed to protecting your privacy and handling your data in a transparent and secure manner.

This policy applies to individuals whose personal data we process, particularly those in the European Union (EU) and Thailand, as we comply with both the General Data Protection Regulation (GDPR) and the Thailand Personal Data Protection Act (PDPA).

2. Data Controller Contact Information
The Data Controller for the processing of your Personal Data is:

Escape Villas
156/33 Moo 5, T. Rassada
Phuket 83000, Thailand
Email: stay@escape.villas
Phone: +66 83 636 6116

If you are a resident of the EU or Thailand, or if you have any questions regarding your data and this policy, please contact us using the details above.

3. Definitions

  • Personal Data: Any information relating to an identified or identifiable living natural person (Data Subject). This includes names, identification numbers, location data, online identifiers, and factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person. (PDPA explicitly excludes data of deceased persons).
  • Sensitive Personal Data: Special categories of data requiring a higher level of protection, such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, data concerning a person’s sex life or sexual orientation, or criminal records.
  • Data Subject: The individual to whom the Personal Data relates.
  • Processing: Any operation or set of operations performed on Personal Data, such as collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

4. Principles for Processing Personal Data
We adhere to the core principles of both the GDPR and PDPA:

  • Lawfulness, Fairness, and Transparency: We process data lawfully, fairly, and in a transparent manner. You will be informed about the collection and use of your data.
  • Purpose Limitation: We collect your data for specified, explicit, and legitimate purposes and do not process it further in a manner incompatible with those purposes.
  • Data Minimisation: We only collect and process Personal Data that is adequate, relevant, and strictly limited to what is necessary for the purposes for which it is processed.
  • Accuracy: We take every reasonable step to ensure Personal Data is accurate and, where necessary, kept up to date. Inaccurate data will be corrected or erased without delay.
  • Storage Limitation: We keep Personal Data in a form that permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data is processed.
  • Integrity and Confidentiality (Security): We process Personal Data in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.
  • Accountability: We, as the Data Controller, are responsible for, and must be able to demonstrate compliance with, all the principles above.

5. Information We Collect
We collect the following categories of Personal Data:

  • Identity Data: Name, date of birth, gender, nationality, identification documents (if required for service/legal reasons).
  • Contact Data: Postal address, email address, telephone number.
  • Technical Data: Internet Protocol (IP) address, login data, browser type and version, time zone setting, operating system and platform, and other technology on the devices you use to access this website.
  • Usage Data: Information about how you use our website, products, and services.
  • Marketing and Communications Data: Your preferences in receiving marketing from us and your communication preferences.

Sensitive Personal Data: We do not generally collect Sensitive Personal Data unless required for a specific, lawful purpose (e.g., health data for an employment application or service provision), and only with your explicit consent or where legally permitted/required.

6. Legal Basis and Purposes for Processing
We will only process your Personal Data when we have a valid legal basis to do so. The purposes and legal bases under GDPR/PDPA typically include:

  • Contractual Necessity: To perform a contract with you or take steps at your request before entering into a contract (e.g., processing your order, managing your account).
  • Legal Obligation: To comply with a legal or regulatory obligation (e.g., tax law, anti-money laundering regulations).
  • Legitimate Interests: Where the processing is necessary for our legitimate interests (or those of a third party) and your fundamental rights do not override those interests (e.g., improving our products/services, direct marketing, fraud prevention).
  • Consent: Where you have given clear consent for us to process your Personal Data for a specific purpose (e.g., subscribing to a newsletter, or the collection of Sensitive Personal Data). You have the right to withdraw consent at any time, and withdrawing consent must be as easy as giving it.

7. Disclosure of Personal Data
We may share your Personal Data with the following parties for the purposes outlined in this policy:

  • Internal third parties: Other companies within our group or corporate structure.
  • External third parties: Service providers (e.g., payment processors, IT service providers, logistics partners), professional advisors (e.g., lawyers, accountants), and regulatory authorities.

We require all third parties to respect the security of your Personal Data and to treat it in accordance with the law. We do not allow our third-party service providers to use your Personal Data for their own purposes and only permit them to process your Personal Data for specified purposes and in accordance with our documented instructions.

8. International Data Transfers (Cross-Border Transfers)
As we comply with both GDPR and PDPA, we may transfer your Personal Data outside of the European Economic Area (EEA) and/or Thailand.

  • For EEA/GDPR: When we transfer your Personal Data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented: (a) Transfer to countries deemed by the European Commission to provide an adequate level of protection; or (b) Use of specific contracts approved by the European Commission which give Personal Data the same protection it has in Europe (Standard Contractual Clauses).
  • For Thailand/PDPA: We will only transfer your Personal Data abroad if the destination country has adequate data protection standards as determined by the Personal Data Protection Committee (PDPC), or where exceptions apply, such as obtaining your explicit consent, fulfilling a contract, or implementing other appropriate safeguards as specified by the PDPA (e.g., Binding Corporate Rules).

9. Data Security and Breach Notification
We have implemented appropriate technical and organizational measures to ensure the security and integrity of your Personal Data, protecting it from unauthorized access, loss, misuse, modification, or disclosure. These measures include: [List examples, e.g., encryption, access controls, regular security testing].

In the event of a Personal Data breach, we will notify the relevant supervisory authority (such as the Data Protection Commission for the EU or the PDPC in Thailand) and the affected Data Subjects without undue delay, as required by law.

10. Data Retention (Storage Limitation)
We will retain your Personal Data only for as long as necessary to fulfil the purposes for which it was collected, including for satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure, the purposes for which we process it, and applicable legal requirements.

Example Retention Period: Customer transaction data, including invoices and payment records, is kept for seven (7) years after the end of the customer relationship or transaction date to comply with both Thai (minimum 5 years) and most EU Member States’ (ranging from 6 to 10 years) tax, VAT, and commercial law obligations.

11. Your Data Subject Rights (GDPR & PDPA)
Under the GDPR and PDPA, you have significant rights over your Personal Data. These rights include, but are not limited to:

  • Right to be Informed: To be informed about the collection, use, and disclosure of your Personal Data (which this policy aims to do).
  • Right of Access: To request a copy of the Personal Data we hold about you.
  • Right to Rectification: To request that any incomplete or inaccurate data we hold about you is corrected or updated.
  • Right to Erasure (‘Right to be Forgotten’): To request that we delete your Personal Data where there is no good reason for us to continue processing it.
  • Right to Restrict Processing: To request that we suspend the processing of your Personal Data, for example, if you want us to establish its accuracy or the reason for processing it.
  • Right to Object: To object to the processing of your Personal Data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object. You also have the right to object to direct marketing.
  • Right to Data Portability: To request the transfer of your Personal Data to you or to a third party in a structured, commonly used, machine-readable format.
  • Right to Withdraw Consent: Where we are relying on your consent to process your Personal Data, you have the right to withdraw that consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

You will not usually have to pay a fee to exercise any of your rights. We will respond to all legitimate requests within 30 days (in line with PDPA requirements, which is a key local difference from the standard GDPR requirement of ‘without undue delay’ and ‘one month’).

12. How to Exercise Your Rights or Lodge a Complaint
If you wish to exercise any of the rights set out above, or have any concerns about our use of your Personal Data, please contact us using the contact details provided in Section 2.

You also have the right to lodge a complaint with the relevant supervisory authority:

  • For EU Data Subjects: The Data Protection Authority in the EU Member State of your habitual residence, place of work, or the place of the alleged infringement.
  • For Thailand Data Subjects: The Personal Data Protection Committee (PDPC) in Thailand.

13. Policy Updates
We may update this policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any significant changes by posting the new policy on our website and updating the “Last Updated” date below.

Last Updated: October 15, 2025