Last updated: June 1, 2026. Effective immediately.

SHA Thailand (“we”, “our”, or “us”) operates the website at https://shathailand.com. This Privacy Policy explains what data we collect, how we use it, who we share it with, and the rights you have over your data. It is written to comply with the European Union’s General Data Protection Regulation (GDPR), Thailand’s Personal Data Protection Act B.E. 2562 (PDPA), and the California Consumer Privacy Act (CCPA), the three frameworks most likely to apply to our readers.

If you only read one section, read “Your rights” near the bottom. That is the actionable part.

1. Information we collect

We collect two kinds of data: information you give us directly and information automatically collected by the site.

1.1 Information you provide directly

  • Email address when you write to the editorial team via the contact page. We store the email only for the duration of the conversation plus 12 months for context if you write back.
  • Newsletter subscription (if applicable) including your email and any name you provide. Stored on our email-service provider’s servers. You can unsubscribe at any time via the link in any newsletter email.
  • Corrections or feedback you send us about articles. We may publish anonymized versions of your correction as an article update; we do not publish your name or email unless you explicitly request attribution.

1.2 Information collected automatically

  • Server access logs. IP address, browser type, referring page, timestamp, page requested. Standard web-server logs retained for 30 days for security and performance diagnostics.
  • Analytics cookies. We use Google Analytics 4 to understand how readers use the site. GA4 collects anonymized usage data with IP anonymization enabled. The data is aggregated; we cannot tie analytics records to individual readers.
  • Performance cookies. Our content-delivery network sets technical cookies needed to serve cached pages efficiently. These do not track you across sites.
  • Affiliate-tracking cookies. When you click an affiliate link (for example to Agoda or Tripadvisor), the destination site may set a cookie that attributes a future booking to our referral. We do not see your personal data through this cookie; we only receive aggregate booking confirmations and commission payments.

2. How we use the information

We use the data we collect for five clearly defined purposes. We do not use it for anything else.

  1. To respond to editorial inquiries. If you write to us with a correction, pitch, or question, we use your email address to reply.
  2. To send newsletters (only if you have explicitly subscribed). You can unsubscribe at any time and we delete your address from the mailing list within 14 days of receiving the unsubscribe request.
  3. To improve the site. Aggregated analytics tell us which articles are useful, which load slowly, and which sections lose readers. We act on those signals to fix the content.
  4. To track affiliate commissions. When you book a hotel after clicking through one of our affiliate links, the partner platform (Agoda, Tripadvisor, 12go, GetYourGuide, etc.) records the referral and pays us a commission. We see only the aggregate.
  5. To protect the site. Server logs are reviewed when we suspect attempted abuse (brute-force login attempts, scraping, etc.) and the IP addresses of confirmed bad actors may be blocked.

3. Cookies and tracking

The cookies set on shathailand.com fall into four categories:

Category Purpose Examples Required?
Strictly necessary Site delivery, security LiteSpeed cache cookies, security tokens Yes; cannot be disabled without breaking the site
Analytics Aggregate usage measurement Google Analytics 4 (_ga, _ga_*) No; can be blocked via browser settings or cookie-consent banner
Performance CDN routing, image optimization Hostinger HCDN, WebP serving Yes if you want fast page loads
Affiliate attribution Set by destination sites after you click outbound Agoda, Tripadvisor, 12go partner cookies No; declined by not clicking outbound links

We do not set advertising or retargeting cookies. There are no display ads on the site. Affiliate cookies are set by the partner site you visit after clicking a link, not by us.

4. Third-party services we use

We rely on a small number of third-party services. Each one has its own privacy policy that governs the data it processes. We list them so you can review the policies of any service that handles your data through us.

If you visit any of these partner sites by clicking an affiliate link from SHA Thailand, the partner’s privacy policy applies to that visit. We have no visibility into your activity on their sites.

5. Affiliate disclosure

Many of the outbound links on SHA Thailand are affiliate links. When you click one and complete a booking, the partner platform pays us a commission. The commission does not change your booking price; you pay the same rate you would pay if you went to the partner site directly.

Affiliate links on the site are marked with rel="sponsored nofollow noopener" in their HTML, in line with Federal Trade Commission guidance and the Advertising Standards Authority code. Every article that contains affiliate links carries an inline disclosure near the top.

The full list of affiliate partners and our editorial-independence policy is on the affiliate disclosure page.

6. Your rights

Under GDPR, PDPA, and CCPA, you have specific rights over the data we hold about you. To exercise any of these, write to us via the contact page with the subject line “Data request” and we will respond within 30 days.

  • Right to access. Request a copy of any personal data we hold about you.
  • Right to correction. Ask us to correct any data that is inaccurate.
  • Right to deletion. Ask us to delete your data. We will delete it within 30 days unless we are legally required to retain it (in which case we will tell you what we are required to retain and for how long).
  • Right to portability. Request a machine-readable export of your data.
  • Right to object. Object to the processing of your data for any purpose.
  • Right to withdraw consent. Withdraw any consent you previously gave, at any time, without affecting the lawfulness of processing before the withdrawal.
  • Right to lodge a complaint. Complain to your data-protection authority. In Thailand, the relevant authority is the Personal Data Protection Committee (PDPC). In the EU, it is your member state’s data-protection authority.

7. Data retention

We retain personal data only as long as we need it.

  • Server access logs: 30 days.
  • Email correspondence: duration of the conversation plus 12 months.
  • Newsletter subscribers: until you unsubscribe (deleted within 14 days of unsubscribe).
  • Google Analytics aggregated data: 26 months at the GA4 default setting.
  • Affiliate-commission records: 7 years for tax and accounting compliance. These are aggregated booking records; they do not contain your personal data.

After the retention period ends, data is either deleted or fully anonymized so it can no longer be tied to an identifiable person.

8. International data transfers

SHA Thailand operates from Thailand but our reader base is global. Some of the third-party services we use are based outside Thailand and the EU. Specifically:

  • Google Analytics processes data in the United States and other regions.
  • Hostinger uses servers in the EU and Asia depending on the closest edge.
  • Most affiliate partners (Agoda, Tripadvisor, GetYourGuide, etc.) process data globally.

For transfers out of the European Economic Area, we rely on the Standard Contractual Clauses approved by the European Commission. For PDPA-governed transfers out of Thailand, we rely on the partner’s published data-protection commitments and the legal basis of contract performance (you cannot book a Thai hotel without sharing data with Agoda).

9. Children’s privacy

SHA Thailand is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you are a parent and believe your child has provided us with personal data, write to us via the contact page and we will delete it.

10. Security

The site runs on HTTPS with HSTS enabled. WordPress is updated on the standard release schedule. We use the Rank Math SEO plugin and a minimal plugin set to reduce the attack surface. WordPress administrator accounts use two-factor authentication. Server access requires SSH keys; password authentication is disabled.

Despite these measures, no system is fully secure. If we discover a security incident that affects personal data, we will notify affected readers within 72 hours of discovery, as required by GDPR and PDPA.

11. Changes to this policy

We update this policy when we add or remove services, when laws change, or when we change practices. The “Last updated” date at the top of this page is authoritative. Significant changes are also flagged on the homepage and in the next newsletter (if you are subscribed). The previous versions of this policy are kept in our archives; you can request a previous version through the contact page.

12. Contact

For any privacy-related question, request, or complaint, write to us via the contact page with the subject line “Privacy”. For urgent matters (suspected data breach, identity-theft concern related to our site), put “URGENT” in the subject and we will respond within 24 hours.

Data controller: SHA Thailand editorial team.

Postal address: Available on request. We do not publish a postal address to avoid mail-system abuse.

This policy is reviewed every six months. The next scheduled review is December 2026.