Last Updated: 1 May 2026
This Data Protection Policy explains how Thailand Digital Arrival Card (TDAC) aims to protect personal, passport, travel, accommodation, health declaration, and support-related information submitted through this independent Google Site.
TDAC-related support may involve sensitive traveler information because the official TDAC process requires details such as passport information, personal information, travel information, accommodation information in Thailand, and health declaration information.
Important Notice
Thailand Digital Arrival Card (TDAC) is an independent informational and traveler assistance Google Site.
This site is:
Not the official Thai Immigration website
Not operated by the Thai government
Not affiliated with Thai Immigration, any embassy, or any consulate
Not authorized to approve TDAC, visas, or entry into Thailand
Not able to guarantee immigration clearance
The official TDAC website states “No Fees.” Any fee charged by an independent assistance service should be clearly disclosed as a separate service fee, not a Thai government fee.
Purpose of This Data Protection Policy
This policy is designed to explain how traveler information should be protected when users:
Read TDAC guidance
Submit a contact form
Request TDAC assistance
Ask for status-check support
Request TDAC update help
Submit family or group traveler details
Share documents for review
Use optional travel-related services
Because TDAC support can involve passport and travel data, this site should follow a careful, limited, and privacy-conscious data handling approach.
Data Protection Principles
We aim to follow these data protection principles:
Collect only necessary information
Use information only for the stated purpose
Keep information accurate and updated
Limit access to authorized persons only
Store information only as long as necessary
Protect data from unauthorized access
Avoid unnecessary sharing
Delete or anonymize data when no longer needed
Respect user correction and deletion requests where applicable
Thailand’s Personal Data Protection Act framework recognizes individuals’ rights to control how their personal data is collected, stored, processed, and shared, and places duties on data controllers and processors.
Types of Data We Protect
This policy may apply to the following types of information.
1. Identity and Passport Data
This may include:
Full name as shown on passport
Passport number
Nationality / citizenship
Date of birth
Gender
Passport issue country
Passport expiry details, if required
This data should be handled carefully because it can identify a traveler and may be used for immigration-related processing.
2. Travel Data
This may include:
Arrival date in Thailand
Flight number
Arrival airport, land checkpoint, or sea port
Departure country or boarding location
Travel purpose
Transit details
Travel route
Family or group travel details
Travel data should be used only for TDAC preparation, status guidance, update support, or selected travel services.
3. Accommodation Data
This may include:
Hotel name
First address in Thailand
Province or city
District or area
Hotel contact details, if provided
Private residence address, if staying with friends or family
Accommodation information should be protected because it may reveal where a traveler will stay in Thailand.
4. Health Declaration Data
This may include:
Recent travel history
Countries visited before arrival
Health declaration answers
Health-related arrival information requested for TDAC
Health-related data should be treated with extra care and should only be collected when needed for TDAC-related assistance. Under privacy frameworks, health-related data is commonly treated as sensitive information and usually requires stronger protection and clear purpose limitation.
5. Contact and Support Data
This may include:
Email address
Phone number, if provided
Support request details
Reference number
TDAC number, if provided
Uploaded screenshots or documents
Communication history
This data may be used to respond to support requests, verify a request, or provide follow-up guidance.
6. Family and Group Traveler Data
If a user submits information for family or group travelers, the data may include details of children, infants, elderly travelers, friends, business groups, or tour group members.
The person submitting group data should confirm that they have permission to provide the information. Children’s information should only be provided by a parent, guardian, or authorized adult.
Collection Limitation
We should collect only the information needed for the specific request.
For example:
For a general question, name and email may be enough
For status guidance, reference number or TDAC number may be needed
For update support, changed travel details may be needed
For family support, each traveler’s details may be needed
For optional transfer service, arrival flight and hotel address may be needed
Do not ask users to provide passport copies, health details, or full travel documents unless they are genuinely required for the requested support.
Purpose Limitation
Information should only be used for the purpose explained to the user.
TDAC-related data may be used to:
Respond to inquiries
Provide TDAC preparation guidance
Help review submitted information
Support update-related requests
Assist with status-check questions
Provide missing confirmation guidance
Manage family or group support
Process selected optional travel services
Maintain service records
Prevent fraud or misuse
Comply with legal or operational requirements
Information should not be used for unrelated marketing, resale, profiling, or unnecessary sharing.
Access Control
Access to traveler information should be limited to authorized persons who need it to handle the request.
Recommended access rules:
Only trained support staff should access traveler data
Access should be limited by role and purpose
Sensitive documents should not be downloaded unnecessarily
Passport and health data should not be shared in open chats
Staff should not copy data to personal devices
Access should be removed when no longer needed
Shared folders or forms should be regularly reviewed
Secure Storage
Traveler information should be stored only in secure, trusted systems. If Google Forms, Google Drive, Gmail, or similar tools are used, access settings should be reviewed carefully.
Recommended storage practices:
Use strong passwords
Enable two-factor authentication where possible
Limit access to necessary team members
Avoid public file-sharing links
Avoid storing passport data in unsecured spreadsheets
Delete duplicate files when not needed
Keep form response sheets private
Review Google Drive sharing permissions regularly
Secure Communication
When communicating about TDAC support, avoid exposing sensitive traveler details unnecessarily.
Recommended communication rules:
Do not include full passport numbers in email subject lines
Do not send passport images to unrelated parties
Do not discuss sensitive details in public comments
Do not share traveler data in social media groups
Use secure and verified email addresses
Confirm identity before sharing status-related information
Mask sensitive data when full details are not required
Example masking:
Passport number: M123****
Date of birth: **/**/1990
TDAC number: TDAC-****789
Data Sharing Rules
Traveler data should not be sold.
Data may only be shared when necessary, such as with:
Authorized support staff
Trusted service providers
Payment processors, if payment is used
Travel-service providers, if optional add-ons are selected
Official systems or authorities, when needed for the requested service or legal obligation
Security or legal advisors, if needed to handle fraud, disputes, or compliance issues
Only the minimum necessary information should be shared.
Optional Travel Add-On Data
If optional travel add-ons are offered, such as airport transfer, eSIM, lounge access, or arrival support, only the information needed for that service should be collected and shared.
Examples:
Airport Transfer
May require name, arrival date, flight number, pickup time, hotel address, and contact number.
eSIM
May require name, email address, country, device compatibility, and delivery email.
Lounge Access
May require traveler name, date, airport, flight details, and booking reference.
Optional add-ons should be clearly separate from official TDAC submission.
Sensitive Data Handling
Sensitive data should receive extra protection.
Sensitive TDAC-related data may include:
Passport number
Passport image
Date of birth
Nationality
Health declaration details
Hotel address
Children’s travel details
TDAC confirmation or QR code
Rules for sensitive data:
Collect only when necessary
Do not store longer than needed
Do not share through unsafe channels
Restrict staff access
Delete unnecessary copies
Avoid printing unless required
Do not use for unrelated marketing
Children’s Data Protection
Children and infants may require TDAC when entering Thailand. Children’s data should be handled with extra care.
Rules for children’s data:
Collect only from a parent, guardian, or authorized adult
Use only for TDAC-related or family travel support
Do not use children’s data for unrelated marketing
Do not share children’s passport details unnecessarily
Delete children’s data when no longer needed
Keep family confirmations private
Data Retention Policy
Traveler data should be kept only as long as needed for the purpose it was collected.
Suggested retention approach:
Retention periods should be reviewed regularly and shortened where possible.
Data Deletion Procedure
Users may request deletion of their personal information where appropriate.
Recommended deletion process:
Receive deletion request
Verify the requester’s identity
Locate related records
Check whether retention is legally or operationally required
Delete or anonymize eligible data
Confirm completion where appropriate
Keep minimal proof of deletion request if necessary
Deletion may not always be possible immediately if data is needed for legal, payment, refund, fraud-prevention, dispute, or compliance reasons.
Data Correction Procedure
Users may request correction of information held by this site.
Correction may apply to:
Name spelling in support records
Email address
Arrival date
Flight details
Hotel address
Reference number
Contact details
For official TDAC records, correction may be limited by the official system. The official TDAC guide says submitted information can be updated before travel, but some fields such as full name in passport, nationality/citizenship, and date of birth cannot be updated through the normal update process.
Data Breach Response
If a data breach or security incident occurs, reasonable steps should be taken to reduce harm.
Recommended breach response process:
Identify the issue
Secure affected accounts, files, or forms
Stop further unauthorized access
Review what information may be affected
Notify affected users where appropriate
Notify service providers or authorities if required
Reset passwords or permissions if needed
Improve security controls to prevent recurrence
Examples of possible incidents:
Public Google Form response sheet exposure
Unauthorized access to email
Lost device with traveler documents
Wrong email recipient
Shared Google Drive folder made public
Phishing attack affecting support account
Staff and Team Responsibilities
Anyone handling TDAC-related data should follow data protection rules.
Team members should:
Access only data needed for their role
Keep traveler information confidential
Avoid saving data on personal devices
Use secure accounts
Report suspected data incidents quickly
Delete unnecessary files
Avoid discussing sensitive cases publicly
Follow privacy and data protection policies
User Responsibilities
Users also have responsibilities when submitting information.
Users should:
Provide accurate information
Use their own active email address
Avoid sending unnecessary documents
Avoid sharing passport details in public comments
Verify they have authority to submit family or group data
Keep TDAC confirmations safe
Report wrong information quickly
Use official channels for final verification
Cross-Border Data Transfer
Because this site may use Google services, email tools, payment processors, travel-service providers, or cloud-based systems, data may be processed or stored outside the user’s country of residence.
Where international transfer occurs, reasonable steps should be taken to protect information and use trusted service providers. Thailand’s PDPA framework includes requirements around cross-border data transfers and data controller responsibility.
Vendor and Service Provider Controls
If third-party tools are used, they should be selected carefully.
Possible vendors include:
Google Sites
Google Forms
Google Drive
Email providers
Payment processors
Analytics tools
Travel-service providers
Customer support tools
Recommended controls:
Use reputable providers
Review privacy settings
Limit access permissions
Avoid unnecessary integrations
Check data export and deletion options
Use secure payment processors
Keep records of key vendors
Cookies and Analytics Data Protection
If analytics tools or cookies are used, users should be informed through the Cookie Policy.
Analytics data should be used only to:
Improve site performance
Understand visitor behavior
Improve content quality
Identify broken pages or usability issues
Measure general page traffic
Analytics should not be used to expose passport details, form content, or sensitive traveler data.
Data Minimization for Google Forms
If Google Forms are used on this Google Site, keep forms focused and minimal.
Best practices:
Ask only what is needed
Avoid passport uploads unless necessary
Use clear consent text
Keep form response sheets private
Disable unnecessary public sharing
Review who can access responses
Do not collect card details in normal forms
Add privacy and service-fee links near the form
Prohibited Data Practices
This site should not:
Sell traveler passport data
Share TDAC details for unrelated marketing
Publicly display traveler information
Use false government branding
Claim guaranteed immigration approval
Store full payment card details in normal forms
Request passwords or bank login details
Collect unnecessary health records
Keep passport copies longer than needed
Share children’s data without proper authorization
Scam Prevention and Traveler Safety
Travelers should be careful when using TDAC-related websites. Thailand’s Immigration Bureau has warned travelers about fraudulent websites falsely offering TDAC services for a fee, while emphasizing that the official TDAC process is mandatory but free through official government channels.
Before submitting passport or payment details, users should check:
Clear independent-site disclosure
Clear service-fee disclosure
Privacy Policy
Data Protection Policy
Refund Policy
Contact details
Secure forms
No fake government branding
No guaranteed approval promise
Policy Review and Updates
This Data Protection Policy should be reviewed regularly, especially when:
New forms are added
New payment tools are added
New travel add-ons are offered
Data storage tools change
Support processes change
Legal requirements change
New security risks are identified
Last Updated: 1 May 2026
Data Protection Contact
For data protection questions, correction requests, deletion requests, or concerns about personal information, users should contact the site through the Contact Us page.
When contacting us, include:
Full name
Email address used in your request
Reference number, if available
Clear description of your request
Proof of identity, if required for verification
Button Text:
Contact Us
Request Data Correction
Request Data Deletion
FAQs for Data Protection Policy Page
Why does this site need a Data Protection Policy?
TDAC-related support may involve passport, travel, accommodation, health declaration, and family traveler information. A Data Protection Policy explains how such information should be protected.
What TDAC information needs protection?
Information such as passport number, full name, date of birth, nationality, arrival date, flight details, hotel address, health declaration details, TDAC number, and family traveler details should be protected.
Is this the official Thai Immigration website?
No. Thailand Digital Arrival Card (TDAC) is an independent informational and assistance Google Site. It is not the official Thai Immigration website or a government authority.
Is the official TDAC free?
Yes. The official TDAC website states “No Fees.”
Is passport data sold?
No. Passport, travel, and personal data should not be sold or used for unrelated purposes.
Who can access submitted information?
Only authorized persons who need the information to handle the user’s request should access submitted data.
Can users request deletion?
Yes. Users may request deletion where appropriate, but some records may need to be retained for payment, refund, legal, fraud-prevention, dispute, or compliance reasons.
Can users request correction?
Yes. Users may request correction of records held by this site. Official TDAC corrections may depend on the official update system and field restrictions.
How should children’s data be handled?
Children’s data should be provided only by a parent, guardian, or authorized adult and should be used only for TDAC-related or family travel support.
What should users avoid sharing?
Users should avoid sharing passport copies, TDAC QR codes, health details, payment details, or children’s data through public comments, social media, unknown agents, or unsecured channels.