Privacy Policy & Personal Data Processing Notice

Version: 2026-05-29 | Effective date: 29 May 2026

This Privacy Policy (the “Policy”) explains how Satva Samui Retreat Hotel (yoga retreat hotel on Koh Samui, Kingdom of Thailand; “Satva Samui”, “we”, “us”, the “Controller”) collects, uses, stores, shares, and protects personal data when you use satvasamui.com (the “Website”).

The Policy is designed to align with the EU General Data Protection Regulation (GDPR), the UK GDPR, Thailand’s Personal Data Protection Act B.E. 2562 (2019) (PDPA), and other applicable privacy laws as of 2026. Where your local law grants stronger rights, those rights apply.

1. Controller & contact

Data controller: Satva Samui Retreat Hotel, Koh Samui, Surat Thani Province, Thailand.

Privacy requests (access, correction, deletion, consent withdrawal, complaints):

Contact section on the Website;
WhatsApp: +66 950 165 058;
Telegram: @OlgaSatva.

We respond within a reasonable period, typically within 30 calendar days (EU/UK: up to one month, extendable to two months where permitted, with notice).

2. Scope

This Policy covers:

data you submit via Website forms (enquiries, bookings, programme selection);
data collected automatically when you browse the Website (technical data, cookies);
communications via chat and messengers if you contact us through Website links;
records of your consent to this Policy and related terms.

Third-party platforms linked from the Website (Instagram, Telegram, Google Maps, etc.) have their own privacy policies.

3. Categories of personal data

Identity & contact: name, phone number (including WhatsApp and Telegram), email (if provided).
Enquiry data: selected programme or treatment, preferred dates, comments, form source (landing, popup, footer).
Consent records: acceptance of this Policy, date/time, policy version (2026-05-29), IP address, User-Agent, Referer (on form submission).
Usage analytics: aggregated, anonymised page-view statistics (pages visited, referrer, browser/device type, approximate country) via Umami; not linked to form submissions unless you also submit a form.
Technical data: data required for Website operation, abuse prevention, and logs (including Cloudflare Turnstile).
Chat data: messages and metadata in the Tawk.to widget, if you use it.
Special category data (health, diet, contraindications): only if you voluntarily include them in messages or comments; we do not require them to submit a form.

We do not knowingly collect data from children without parental consent (see section 15).

4. Sources

directly from you (forms, chat, messengers, phone);
automatically when you use the Website (cookies, server logs, anti-spam checks);
from processors acting on our instructions (hosting, email, chat), as needed to provide services.

5. Purposes & legal bases

Purpose	Legal basis (GDPR / PDPA)
Respond to enquiries, consultations, bookings	Consent; contract / pre-contract steps; legitimate interests
Lead management and staff notifications	Legitimate interests; consent
Proof of consent to Policy and terms	Legal obligation; consent
Spam and abuse prevention (Turnstile)	Legitimate interests; consent where required for cookies
Understand Website traffic and improve content (Umami analytics)	Legitimate interests
Promotional emails (only if you opt in via the email field)	Separate consent; withdraw anytime
Legal compliance and claims	Legal obligation

We do not sell personal data or share it with third parties for their marketing without your separate consent.

6. Consent

By submitting a form you confirm that you have read this Policy, our Terms & Conditions and Cancellation Policy, and consent to processing as described. Consent is logged in our database (timestamp, IP, policy version, request headers). Withdrawal of consent does not affect lawfulness of processing before withdrawal.

7. Marketing

Email is optional. If you provide an email to receive offers and promotions, that constitutes separate marketing consent. You may opt out anytime (unsubscribe link or message us on WhatsApp/Telegram). Opting out of marketing does not prevent us from responding to your enquiry using your main contact details.

8. Cookies & similar technologies

We may use:

strictly necessary cookies and local storage — forms, security, session;
functional — Tawk.to live chat (Tawk.to privacy);
technical — Cloudflare Turnstile (Cloudflare privacy);
analytics — privacy-friendly website statistics via Umami (Umami privacy): page views, referrer, browser/device type, approximate country; no advertising profiles or cross-site tracking.

We do not use advertising pixels or behavioural analytics for ad targeting (Google Analytics with advertising features, Meta Pixel, etc.). Umami does not build marketing profiles or share data with ad networks. If we add other tracking tools, we will update this Policy and obtain consent where required by law.

You may restrict cookies in your browser; chat and forms may not work fully.

9. Recipients & processors

Hosting & database — lead storage (PostgreSQL);
Resend — staff email notifications (Resend privacy);
Tawk.to — live chat and support tickets (Tawk.to privacy);
Cloudflare — Turnstile, bot protection (Cloudflare privacy);
Umami — privacy-friendly website analytics (Umami privacy);
Messengers & social networks — when you contact us via Website links (WhatsApp, Telegram, Instagram, etc.);
Professional advisers — lawyers, accountants, under confidentiality;
Public authorities — where legally required.

Processors are bound by contractual confidentiality and security obligations.

10. International transfers

We are based in Thailand. Servers and email/chat providers may be located outside Thailand, the EU, and the UK (including the US and EU). Transfers rely on your consent, adequacy decisions, Standard Contractual Clauses (SCCs), or other lawful mechanisms under GDPR and PDPA.

11. Retention

Enquiries & booking correspondence: up to 3 years from last interaction, unless law or disputes require longer.
Consent records: with the related lead, for at least the same period.
Marketing contacts: until opt-out or 2 years of inactivity.
Technical logs: typically up to 12 months.
Analytics (Umami): aggregated statistics retained by Umami according to their policy (typically up to 24 months); not tied to your name or form data.

After retention periods, data is deleted or anonymised unless law requires otherwise.

12. Security

We use organisational and technical measures: restricted database access, HTTPS, honeypot and Turnstile on forms, hashed admin passwords, backups, and data minimisation. No internet transmission is 100% secure; we use industry-standard safeguards.

13. Your rights

Depending on applicable law, you may:

confirm whether we process your data and obtain a copy;
rectify inaccurate or incomplete data;
erase data where no lawful basis remains;
restrict processing or object (including to marketing);
withdraw consent;
data portability (where applicable);
not be subject to solely automated decisions with legal or similar significant effect (we do not use such processing).

14. EU / EEA / UK residents (GDPR / UK GDPR)

We act as data controller for processing described here. You may lodge a complaint with your supervisory authority. EU authorities: EDPB; UK: ICO.

15. Thailand residents (PDPA)

We process personal data fairly, transparently, and with appropriate security. You may contact Thailand’s Personal Data Protection Committee (PDPC) if unsatisfied with our response.

16. Children

Our Website and services are intended for adults. We do not knowingly collect data from anyone under 18. If you believe a child provided data without parental consent, contact us and we will delete it.

17. Automated decision-making

We do not use fully automated processing that produces legal or similarly significant effects without human involvement. Turnstile is a technical anti-abuse measure only.

18. Changes

We may update this Policy. The current version is published here with date and version (2026-05-29). Material changes may be highlighted on the Website. Continued use after changes take effect may constitute acceptance where permitted by law.

19. Related documents

Terms & Conditions;
Cancellation Policy;
Russian version: Политика конфиденциальности (RU).

Last updated: 29 May 2026. Document version: 2026-05-29.

← Back to website