Skip to content
cmgt.Chiang Mai Go Tours

Policy

Privacy policy

Last updated · 20 May 2026

This policy explains what personal data Go Tours Co., Ltd. trading as Chiang Mai Go Tours(“we”, “us”) collects when you use this website or book a tour, why we collect it, who we share it with, and the rights you have under Thai PDPA and the EU GDPR.

1. Who we are

Go Tours Co., Ltd. trading as Chiang Mai Go Tours is a TAT-licensed Thai tour operator (licence #14/02485) based in Chiang Mai. We are the data controller for personal data collected through this website and at checkout.

2. Personal data we collect

We collect the minimum data we need to confirm and run your tour:

  • Booking details — name, email, phone, nationality, hotel or pickup address, number of travellers, dietary or accessibility notes, tour and date.
  • Payment — card payments are tokenised by our PCI-DSS compliant payment processor. We never see or store your card number, CVV, or expiry.
  • Communications — messages you send us via the contact form, WhatsApp, or email.
  • Site analytics — if you consent via the cookie banner, we load Google Analytics 4 and Meta Pixel, which set cookies and collect aggregated page-view, device, and referrer data. See our cookie policy for the full list. Essential cookies (cart, currency, consent) are set without analytics consent.

3. Why we collect it

We process personal data for the following purposes, on the following lawful bases:

  • Booking fulfilment — to confirm your booking with the operator, arrange pickup, contact you with changes, and run the tour. Lawful basis: performance of a contract.
  • Tax and accounting records — to meet Thai tax-law retention requirements. Lawful basis: legal obligation.
  • Site analytics — to understand which pages and tours are working. Lawful basis: your consent via the cookie banner; you can withdraw it at any time.
  • Service improvement and security — diagnosing problems, preventing fraud, and protecting the site. Lawful basis: our legitimate interest in running a safe service.

4. Who we share it with

We do not sell personal data. We share the minimum needed with the following processors, each under a data-processing agreement:

  • Payment processor — a PCI-DSS compliant gateway that handles card and PromptPay QR payments. Card details are tokenised by them and never reach our servers.
  • Resend (US, EU sub-processor) — transactional booking emails.
  • Cloudflare R2 — image hosting.
  • Google — Maps and Places API for pickup locations; Google reviews import for the public reviews page; Google Analytics 4 if you consent.
  • Meta — Meta Pixel attribution if you consent.
  • Vercel (US, EU edge) — site hosting.
  • Tour operators — when you book, the operating partner receives the name, traveller count, pickup point, and any dietary notes for your tour. Nothing more.

International transfers (e.g. to Vercel US) rely on EU Standard Contractual Clauses and the Thai PDPA cross-border safeguards.

5. Retention

We keep personal data only as long as we need it:

  • Booking records — 7 years, per Thai Revenue Code accounting-record requirements.
  • Contact-form messages — 2 years after last reply.
  • Analytics data — 14 months maximum (GA4 default).
  • Marketing email lists — until you unsubscribe.

6. Your rights

Under Thai PDPA and EU GDPR you have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Erase your data (where it isn't required for tax or legal records).
  • Port your data to another provider.
  • Withdraw consent for analytics at any time.
  • Object to or restrict processing.
  • Lodge a complaint with the Thai Personal Data Protection Committee (PDPC) or your local EU data-protection authority.

We respond to verified requests within 30 days. We may ask for identity verification before acting on a request.

7. Contact us

Data-protection enquiries: privacy@chiangmaigotours.com.

General contact, change requests, or to file a complaint: contact us.