Privacy Policy

1. Who we are

This site (aumphangan.com) is operated by AUM Sound Healing Center, trading as AUM Phangan. We are a wellness venue based in Koh Phangan, Thailand. Our registered address is:

69/5 Wang Takien, Moo 8
Koh Phangan, Surat Thani 84280
Thailand

We are the data controller for personal information you give us through this website, our Telegram bot, or in person at the venue. Contact: aumsoundcenter@gmail.com.

2. What data we collect

We collect only what we actually need to run the venue and your bookings.

Information you give us

• Name, email, phone number, country.
• Booking details — date, session type, group size.
• Telegram username (if you contact us through @AumPhanganBot).
• Optional health notes (allergies, contraindications, pregnancy) so we can keep you safe during sound, sauna and breathwork sessions.
• Stripe billing details if you pay online — handled by Stripe, see below.
• Messages and questions you send us.

Information collected automatically

• IP address, browser type, device, language.
• Pages you visited, time on site, referring URL.
• Anonymous analytics events (clicks, scroll, conversion outcomes).

3. Why we collect it

• To provide and confirm bookings.
• To send session reminders, schedule changes and aftercare instructions.
• To meet Thai accounting and tax law (we are required to keep records).
• To improve the site, the schedule and the in-venue experience.
• To respond when you message us via Telegram, email or contact form.
• To prevent fraud and abuse (rate limits, security logs).

4. Lawful basis (GDPR / PDPA)

We rely on the following grounds for processing your data:

• Contractual necessity — to deliver the bookings, sessions and retreats you have purchased.
• Consent — for marketing emails, optional analytics, and any health information you choose to share. You can withdraw consent at any time.
• Legal obligation — to keep financial and tax records as required by Thai law.
• Legitimate interest — for security, fraud prevention and improving our services in a way you would reasonably expect.

5. Who we share data with

We do not sell your data. We share strictly with the processors below, each chosen because they are necessary to run the site and the bookings. Each handles your data under their own privacy policy and a data-processing agreement with us.

• Telegram — for chat-based bookings via @AumPhanganBot. telegram.org/privacy
• Stripe — for online payments. We never see your full card number. stripe.com/privacy
• Vercel — hosts this website (US / EU edge servers). vercel.com/legal/privacy-policy
• Supabase — stores bookings and user accounts (Singapore region). supabase.com/privacy
• Resend — sends transactional and marketing email. resend.com/legal/privacy-policy
• Sentry — captures application errors so we can fix bugs. sentry.io/privacy
• PostHog — anonymous product analytics (only if you accept analytics cookies). posthog.com/privacy

We will also disclose data if required by Thai law, a court order, or to protect the safety of guests and staff.

6. How long we keep your data

• Booking and payment records — 5 years, required for Thai tax compliance.
• Marketing consent — indefinitely until you withdraw it.
• Analytics events — anonymised after 12 months.
• Support emails and Telegram chats — up to 24 months after last interaction.
• Health notes — deleted at the end of the season unless you ask us to retain them for future visits.

7. Your rights

Whether the EU GDPR or Thai PDPA applies, you have the following rights over your personal data:

• Access — get a copy of what we hold about you.
• Correction — fix anything that is wrong or out of date.
• Deletion — ask us to erase your data (subject to tax-record retention).
• Portability — receive your data in a portable, machine-readable format.
• Withdraw consent — for marketing, analytics or health-data processing.
• Object — to processing based on legitimate interest.
• Lodge a complaint — with your local data-protection authority. In Thailand this is the Personal Data Protection Committee (PDPC).

8. How to exercise your rights

Email aumsoundcenter@gmail.com with the subject line “Data Request”. Tell us which right you want to exercise and include enough information to verify your identity (typically the email address used at booking). We respond within 30 days.

9. Cookies and similar technologies

We use a small number of essential cookies (authentication session, language preference, your cookie-consent choice) and optional analytics cookies. See our Cookie Policy for the full list. You can change your preferences any time using the cookie banner at the bottom of the page.

10. Children

Our services are not directed at people under 16. We do not knowingly collect data from anyone under 16 without parental consent. If you believe a minor has provided us with personal data, email us and we will delete it.

11. International data transfers

Because we use cloud services, your data may leave Thailand. Specifically:

• Vercel hosting — US and EU edge regions.
• Supabase storage — Singapore region (closest to Thailand).
• Resend email — US region.
• Stripe payments — varies by your country of residence.

All processors are bound by Standard Contractual Clauses (SCCs) or equivalent safeguards under both GDPR and PDPA. Data is encrypted in transit (TLS 1.2+) and at rest.

12. Updates to this policy

We post any changes on this page and update the “Last updated” date above. For material changes (new processor, new lawful basis, new category of data) we will notify you by email if you have given us one.

13. Contact / DPO

We do not currently have a formally appointed Data Protection Officer (DPO). All data-protection inquiries are handled by the venue management. Write to aumsoundcenter@gmail.com. For complaints in the EU, contact your national data-protection authority. For complaints in Thailand, contact the Personal Data Protection Committee (PDPC).