What we hold, and what we don’t.

HAM STR Co. (a Thailand-registered company) operates Villa Azure. This page summarizes how we handle the personal data you share with us when you book, message, or simply browse the site. It is governed by Thailand’s Personal Data Protection Act B.E. 2562 (PDPA), with parallel reference to the EU GDPR for visitors in those jurisdictions.

What we collect when you book or message: name, email, phone, billing address, payment method (held with our payment processor OwnerRez, not on this site), and trip details (dates, group size, special requests). For bookings made through OTAs (Airbnb, Booking, Vrbo) we receive what those platforms share with us.

What we collect when you browse: standard request data (IP address, browser, device type, referrer, pages viewed, time on page) and a small set of marketing-attribution identifiers (Google click ID, Meta click ID) when you arrive from a paid ad. We collect this through cookies and similar technologies described below.

Cookies and analytics technologies we use:

• Google Tag Manager — container that loads the tracking technologies below. Sets a small set of session cookies.
• Google Analytics 4 (GA4) — aggregated traffic and behavior measurement (pages, sessions, conversion events). Cookies prefixed _ga, _gid.
• Google Ads conversion tracking — to measure which paid-search clicks lead to bookings or inquiries. Cookies prefixed _gcl.
• Meta Pixel (Facebook/Instagram), when running paid social — to measure ad performance and build remarketing audiences. Cookies prefixed _fbp.
• OwnerRez — our booking-and-payment provider sets its own session cookies on the secure checkout page. Their policy governs that surface.

We do not use third-party advertising cookies for cross-site behavioral profiling beyond the platforms above. We do not sell tracking data.

How we use what we collect:to confirm and operate your stay, to communicate before and during your visit, to measure which marketing channels work, to remarket to people who started a booking and didn’t finish, and to email you twice a year about high-season availability if you opted in. That is the full list.

Where the data goes:our website runs on Vercel (United States). Booking and payment data is held with OwnerRez (United States). Analytics and ad-platform data flows to Google (United States) and Meta (Ireland and United States). For visitors in the EU, the UK, and other jurisdictions with cross-border transfer rules, these transfers are made under the relevant Standard Contractual Clauses and platform-level adequacy frameworks (EU–US Data Privacy Framework where applicable).

Lawful basis: we process booking and operational data under our contract with you (PDPA s.24(3); GDPR Art. 6(1)(b)). We process analytics and marketing-attribution data under legitimate interest in non-consent jurisdictions, or under consent in EU/UK (PDPA s.24(5); GDPR Art. 6(1)(a)/(f)). The bottom-of-page consent banner uses Google Consent Mode v2: by default, advertising and analytics cookies are denied until you click Accept. Essential and security cookies remain on at all times. You can change your choice at any time by clearing the va_consent_v1entry in your browser’s site data, or by emailing us.

How to opt out of analytics and ad tracking: use your browser’s “Do Not Track” or built-in tracking-prevention setting, install the Google Analytics opt-out add-on, adjust your Meta ad preferences, or email us and we’ll exclude you from our analytics view.

Your rights: under PDPA (and GDPR if you’re in the EU/UK), you can ask us at any time to see, correct, port, restrict, or delete the personal data we hold on you, withdraw consent for marketing, or object to processing under legitimate interest. We respond within 30 days. Email stay@azurepattaya.com.

How long we keep it: booking and payment records for seven years (Thai tax/audit retention). Marketing-list email for as long as you stay subscribed plus 12 months. Analytics data is held by Google for the standard 14-month retention window we set in GA4.

What we never do: sell your data, share it with unrelated marketers, or include you in unrelated mailing lists.

Children:the site is intended for adults arranging travel. We don’t knowingly collect data from anyone under 16. If you believe a minor has shared data with us, email us and we’ll delete it.

Changes to this notice:we update this page when our tracking stack or our processors change. Material changes are reflected in the “Last updated” date below; subscribers to our occasional email get a heads-up before changes that affect them.

Last updated: 11 May 2026.