Published Jun 12, 2026 | Updated Jun 18, 2026 | 8 min read
Last updated: 2026-05-27 Effective date: 2026-05-27
Plain-English summary: This is the formal privacy notice required by Thailand's Personal Data Protection Act (PDPA). It explains what personal data we collect about you, why we collect it, who we share it with, how long we keep it, where it travels, and the rights you have over it. If you ever want to access, correct, or delete your data, write to [email protected] - we respond within 30 days.
We collect personal data in three ways: information you give us, information generated as you use the Service, and information we receive from third parties.
You give us:
Account data - name, email address, phone number, profile photo, account type (buyer / seller / agency / agent), preferred locale.
Listing data - when you list a property: address, price, photos, description, agent contact details, KYC documents (agencies only - passport / national ID / company registration).
Inquiry messages - content of messages exchanged with sellers, agencies, or buyers through the Service.
Payment data - billing address and the last 4 digits of the card you use; the full card number is held by our payment processor (Stripe) and never touches our servers.
Support correspondence - emails, chat transcripts, and any attachments you send our team.
We collect automatically as you use the Service:
Device & connection data - IP address, user-agent string, device type, operating system, browser type, language preference, referrer URL.
Usage data - pages viewed, listings saved, search queries, filters applied, click and scroll telemetry, session duration.
Approximate location - derived from IP using MaxMind's GeoLite2 database (city-level resolution; we do not collect GPS-precise location unless you explicitly grant browser geolocation permission).
Cookie data - see our Cookie Policy for the full list.
We receive from third parties:
Identity & enrichment - agency KYC verification status from third-party verifiers.
Payment confirmation - transaction status, dispute status, and fraud signals from Stripe.
Social login - basic profile data (name, email, profile photo) if you sign in with Google, Facebook, or another OAuth provider.
We do not collect special-category personal data (such as health, race, religion, or political opinion) and ask that you do not include such data in listing descriptions or inquiry messages.
We process your personal data only where one of the lawful bases recognised by PDPA applies. The mapping is:
| Purpose | Lawful basis |
|---|---|
| Create and maintain your account, deliver listings you saved, route inquiry messages | Performance of contract (PDPA s.24(3)) |
| Verify agency identity (KYC) and prevent fraud / fake listings | Legitimate interest in marketplace integrity |
| Send transactional emails (booking confirmations, listing approvals, password resets) | Performance of contract |
| Send marketing newsletters, product updates, and re-engagement emails | Consent (PDPA s.24(1)) - you can withdraw anytime |
| Set analytics and marketing cookies | Consent (PDPA s.24(1)) |
| Set strictly-necessary cookies (session, CSRF, locale) | Legitimate interest in core functionality |
| Respond to law-enforcement requests, comply with tax / audit obligations | Legal obligation (PDPA s.24(6)) |
| Improve and develop the Service via aggregated analytics | Legitimate interest |
| Detect, investigate, and prevent abuse / harassment / scams | Legitimate interest in user safety |
Where the lawful basis is consent, you can withdraw consent at any time without affecting the lawfulness of processing already carried out.
We share personal data only with the categories of recipient listed below, and only to the minimum extent needed for the relevant purpose.
Service providers acting on our written instructions as data processors:
Stripe (USA) - payment processing.
Resend (USA) - transactional + marketing email delivery.
Cloudinary (USA) - image hosting and on-the-fly transformation.
Hosting provider - Kubernetes-based infrastructure (region: TBD; details available on request).
MaxMind (USA) - IP-to-location lookup (offline database; your IP is never transmitted).
Anthropic (USA) - large-language-model API used for CMS content excerpts (no end-user personal data is sent to this service).
Other MoveSiam users - sellers, agencies, and buyers receive the inquiry messages and contact details you choose to send them.
Professional advisors - auditors, lawyers, and tax advisors bound by confidentiality.
Authorities - courts, regulators, and law-enforcement bodies where we are legally required to disclose, or where disclosure is needed to protect our rights or the safety of others.
Acquirers - in the event of a merger, acquisition, restructuring, or sale of assets, we may transfer personal data to the acquirer; you will be notified before any such transfer takes effect.
We do not sell your personal data and we do not share it with third parties for their own marketing purposes.
Some of our service providers (notably Stripe, Resend, Cloudinary, and Upstash) are located in the United States and may transfer your personal data outside Thailand. Where the destination country has not been designated by Thailand's Personal Data Protection Committee (PDPC) as providing an adequate level of protection, we rely on:
Standard contractual clauses - binding contracts requiring the recipient to apply equivalent protections; or
Your explicit consent - where neither adequacy nor SCCs are available.
You can request a copy of the relevant transfer safeguards by writing to [email protected].
We keep personal data only for as long as we need it for the purpose for which it was collected, plus any period required by law.
| Category | Retention |
|---|---|
| Active account data | While the account is open |
| Closed account data | Up to 7 years after closure (Thai Civil & Commercial Code / Revenue Code retention) |
| Listing data and inquiry messages | While the listing is active + 24 months after de-listing |
| Payment records | 7 years (Revenue Department audit requirement) |
| Marketing-consent records | Until consent is withdrawn, then 12 months for proof-of-withdrawal |
| Audit logs - informational events | 365 days |
| Audit logs - security warnings | 730 days |
| Audit logs - critical security events (impersonation, role / ban changes, force-logout) | Retained indefinitely for forensic and regulatory purposes |
| Cookie-consent record | Until you change your preferences or 12 months, whichever is sooner |
| Anonymous analytics | Indefinitely in aggregated, non-identifiable form |
After the applicable retention period we delete or irreversibly anonymise the data.
PDPA gives you a defined set of rights over your personal data. You can exercise any of these rights by writing to [email protected] - we will respond within 30 days, in line with PDPA timelines.
Right of access (s.30) - request a copy of the personal data we hold about you.
Right to rectification (s.36) - ask us to correct inaccurate or incomplete data.
Right to erasure (s.33) - ask us to delete your data, subject to legal-retention exceptions (for example, tax records we must keep for 7 years).
Right to restriction (s.34) - ask us to pause processing while a dispute is being resolved.
Right to data portability (s.31) - receive your data in a structured, commonly-used, machine-readable format.
Right to withdraw consent (s.19) - withdraw consent for any processing that relies on it; withdrawal does not affect lawfulness before that point.
Right to object (s.32) - object to processing carried out on the legitimate-interest or marketing basis.
If you exercise any of these rights, please include enough information for us to identify you and the data in question. We may need to verify your identity to prevent unauthorised disclosure.
The Service is not directed at children under 18 and we do not knowingly collect personal data from anyone under that age. If you believe a child has provided us with personal data, contact [email protected] and we will delete it.
We protect personal data with technical and organisational measures appropriate to the risk, including:
Encryption in transit - all browser-to-server traffic uses TLS 1.2 or later.
Encryption at rest - OAuth tokens for social-publishing integrations are encrypted with AES-256-GCM using the SOCIAL_TOKEN_ENCRYPTION_KEY secret; payment data is held by Stripe under PCI-DSS controls.
Access controls - role-based access for staff; impersonation actions are audit-logged with no suppression.
Vulnerability management - regular dependency updates, security review of third-party services, and an internal review process for any change that touches personal data.
Incident response - we will notify the PDPC and affected users in line with PDPA Section 37(4) if a breach is likely to result in a high risk to your rights.
No system is perfectly secure. You can help by choosing a strong, unique password and turning on two-factor authentication if it is available on your account.
We use cookies and similar technologies to operate the Service, remember your preferences, understand how the Service is used, and personalise marketing. The categories, names, and retention of each cookie - and how to manage your preferences - are described in our Cookie Policy.
We may update this Privacy Policy from time to time. Where a change is material (for example, a new processing purpose or a new category of recipient), we will notify registered users at least 14 days in advance by in-app banner and by email to the address on file.
The current version is always available at /legal/privacy. Previous versions are available on request from [email protected].
If you believe we have mishandled your personal data, please contact [email protected] first - we want the chance to put things right. If you remain unsatisfied, you have the right to lodge a complaint with Thailand's Personal Data Protection Committee (PDPC):
Website: https://www.pdpc.or.th/
Address: Office of the Personal Data Protection Committee, Bangkok, Thailand
If you are based in the European Economic Area or the United Kingdom, you may also complain to your local supervisory authority.
Terms of Use - the contract between you and Move Siam
Cookie Policy - what cookies we set, by category, and how to manage them
Acceptable Use Policy - content and conduct rules
Listing Disclaimer - our role as a marketplace