Privacy Policy
Thai Route Dot Com Co., Ltd., including its affiliated companies and group companies (collectively referred to as “we”, “us”, or “our”), in its capacity as a Data Controller, recognizes the importance of the personal data of its service users (collectively referred to as “customers” or “you”). We are committed to protecting such personal data by implementing appropriate security measures, ensuring transparency, and complying with applicable laws, particularly the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”). This Privacy Policy has been established to inform you of the details regarding the collection, use, and/or disclosure of your personal data, as well as your rights as a data subject.
1. Definitions
“Personal Data” means any information relating to a person which enables the identification of such person, whether directly or indirectly, including but not limited to name, surname, telephone number, email address, identification card number, passport number, contact information, or other similar information. “Data Subject” means a natural person who is the owner of the Personal Data. “Data Controller” means a person or juristic person having the authority to make decisions regarding the collection, use, or disclosure of Personal Data. “Joint Data Controller” means two or more persons or juristic persons that jointly determine the purposes and means of the processing of Personal Data and jointly bear responsibility for such Personal Data. “Data Processor” means a person or juristic person who operates in relation to the collection, use, or disclosure of Personal Data on behalf of, or pursuant to the instructions of, the Data Controller, provided that such person or juristic person is not the Data Controller. “Processing of Personal Data” means any operation performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, disclosure (by transmission, dissemination, or otherwise making available), alignment, combination, restriction, erasure, or destruction. “Business Partner” means any person or juristic person that has a business relationship with us in providing services, conducting business operations, or supporting our operations, including but not limited to third-party service providers, information technology service providers, payment service providers, and commercial partners such as transportation service providers.
2. Categories of Personal Data Collected
We collect your Personal Data only to the extent necessary, for lawful purposes, and in compliance with the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”). The categories of Personal Data we collect may be classified based on the service channels as follows:
2.1 Personal Data Collected via Website and Mobile Applications
2.1.1 Account Registration Information
Full name
(1) National identification number or passport number
(2) Date of birth
(3) Country or region
(4) Email address
(5) Telephone number
2.1.2 Transaction and Booking Information
(1) Booking number, ticket number, and details of products or services
(2) Travel date, time, and route
(3) Passenger details, such as full name, national identification number, passport number, telephone number, and email address
2.1.3 Payment Information and Proof of Payment
(1) Payment reference number
(2) Credit/debit card details (e.g., cardholder name, card number, expiration date)
(3) Bank account information
(4) Information required for issuing tax invoices
(5) Proof of payment
2.1.4 Technical Information
(1) IP Address, MAC Address
(2) Log data
(3) Session ID and usage behavior
(4) Device type, device model, and browser type
2.1.5 Location Data
GPS coordinates or approximate location (where you have enabled such feature), for the purpose of providing services such as recommending nearby pick-up points
2.2 Personal Data Collected via Customer Service (Call Center)
2.2.1 Basic Identification Information
(1) Full name
(2) National identification number or passport number
(3) Telephone number or email address
(4) Booking number or ticket number
(5) Booking channel
2.2.2 Communication Data
We may record and retain communication data for the purposes of service quality assurance, complaint handling, and as evidence of service transactions, including:
(1) Call recordings and call duration
(2) Incoming and outgoing telephone numbers
(3) Complaints, feedback, and details of issues, including any supporting documents (if any)
2.2.3 Transaction and Booking Information
(1) Booking number, ticket number, and details of products or services
(2) Travel date, time, and route
(3) Passenger details, such as full name, national identification number, passport number, telephone number, and email address
2.2.4 Payment Information and Proof of Payment
(1) Payment reference number
(2) Credit/debit card details (e.g., cardholder name, card number, expiration date)
(3) Bank account information
(4) Information required for issuing tax invoices
(5) Proof of payment
2.3 Personal Data Collected at Service Points or Through Agents
2.3.1 Transaction and Booking Information
(1) Booking number, ticket number, and details of products or services
(2) Travel date, time, and route
(3) Passenger details, such as full name, national identification number, passport number, telephone number, and email address
2.3.2 Payment Information and Proof of Payment
(1) Payment reference number
(2) Credit/debit card details (e.g., cardholder name, card number, expiration date)
(3) Bank account information
(4) Information required for issuing tax invoices
(5) Proof of payment
2.4 Personal Data Collected via Other Channels
We may collect additional Personal Data when you contact us through other channels, such as Facebook, LINE, TikTok, or email, including:
2.4.1 Social media account information (e.g., display name or user ID)
2.4.2 Messages or content you provide to us
2.4.3 Feedback, comments, or survey responses
2.4.4 Photos, documents, or attachments submitted to us
2.5 Sensitive Personal Data
We do not have a policy to collect your Sensitive Personal Data, unless we have obtained your explicit consent or where it is required by law. Sensitive Personal Data may include, but is not limited to, genetic data, biometric data, racial or ethnic origin, religious beliefs, political opinions, health data, sexual behavior, criminal records, disability information, or trade union membership.
3. Sources of Personal Data
We may collect your Personal Data from the following sources:
3.1 Personal Data Collected Directly from You
3.1.1 When you register for an account by completing forms, whether in physical documents, via our website, mobile applications, or social media platforms
3.1.2 When you make bookings for transportation tickets, products, or services through various channels such as our website, mobile applications, Call Center, service points, or authorized agents
3.1.3 When you fill out forms or provide information to us
3.1.5 When you communicate with us, make inquiries, provide feedback, or submit suggestions regarding our products or services
3.1.6 When you subscribe to receive news, marketing communications, or promotional materials from us
3.2 Personal Data Collected Automatically
3.2.1 When you visit or use our website or services that utilize cookies or similar technologies to collect technical data regarding your usage
3.2.2 Information derived from your use of our services and related data, such as device information (e.g., IP Address, MAC Address)
3.3 Personal Data Collected from Third Parties
We may collect your Personal Data from third-party sources where such collection is lawful or where consent has been obtained from you for the disclosure of your Personal Data to us, for purposes such as providing services to you or supporting our business operations
3.4 Personal Data of Third Parties Provided by You
In certain cases, you may provide us with Personal Data of other individuals (such as your spouse, family members, or friends), for example, when making bookings on their behalf. In such cases, you represent and warrant that you have obtained the necessary consent from such individuals to allow us to collect, use, and disclose their Personal Data in accordance with this Privacy Policy
4. Legal Basis for the Collection of Personal Data
We collect, use, and disclose your Personal Data based on the following legal bases in accordance with the PDPA:
4.1 Contractual Basis (Section 24 (3))
We process your Personal Data as necessary for the performance of a contract between us, as the Data Controller, and you, as the Data Subject. This includes the collection of your account registration information and transaction and booking information for the purposes of issuing transportation tickets, products, or services, and delivering such tickets, products, or services in accordance with your request.
4.2 Legal Obligation (Section 24 (6))
We process your Personal Data where necessary for compliance with applicable laws, including the collection and retention of payment information and proof of payment relating to transportation tickets, products, or services.
4.3 Legitimate Interests (Section 24 (5))
We may process your Personal Data based on our legitimate interests, provided that such interests do not override your fundamental rights, including:
4.3.1 Communication data, for the purposes of service quality assurance and maintaining records of information provided, advice given, or transactions conducted via telephone. Call recordings will be retained only as necessary, with appropriate security measures and access restricted to authorized personnel
4.3.2 The use of your data for business analytics to improve our products or services, including the delivery of relevant content and promotions
4.3.3 The use of anonymized or aggregated data, which does not identify any individual and is therefore not subject to personal data protection laws, for statistical and analytical purposes
4.4 Vital Interests (Section 24 (2))
We may process your Personal Data where necessary to prevent or suppress danger to a person’s life, body, or health, including your own or that of others, such as notifying emergency services in the event of an accident during travel, or detecting suspicious activities to prevent fraud or potential harm.
5. Purposes of Processing Personal Data
We collect, use, and disclose your Personal Data for the following purposes:
5.1 To Facilitate the Use of Services and Service Delivery
5.1.1 To facilitate the booking of transportation tickets and the purchase of products or services
5.1.2 To deliver tickets, products, or services
5.1.3 To process refunds or changes to tickets, products, or services
5.1.4 To notify you to complete bookings in cases where transactions are incomplete
5.1.5 To provide you with important travel-related information in advance
5.1.6 To inform you of news, promotions, or important service-related announcements
5.1.7 To contact you for legal compliance or dispute resolution purposes
5.2 To Respond to Inquiries and Provide Assistance
5.2.1 To provide customer support in relation to our services
5.2.2 To update your information and process your requests for exercising data subject rights or handling complaints
5.3 To Improve and Develop Our Services
To analyze, develop, and improve our services to better meet your needs
5.4 To Provide Information and Marketing Communications
5.4.1 To provide you with information about transportation tickets, products, or services, including privileges, promotions, discounts, and special offers from merchants or transportation service providers via email, SMS, or telephone, based on our legitimate interests where appropriate
5.4.2 You may opt out of receiving marketing communications at any time by clicking the “unsubscribe” link in our emails
5.5 For Data Analytics
To anonymize your data so that it can no longer identify you, and to use such data—which is not subject to the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”)—for marketing analysis and market research to improve our products and services
5.6 To Prevent, Detect, and Investigate Misconduct or Crime
To carry out monitoring and take necessary actions to prevent violations of applicable laws, including detecting and addressing security breaches that may affect data subjects
6. Automated Processing
We may use automated systems or tools to analyze your Personal Data in order to enhance your user experience and provide you with relevant information or services. Such processing will not have a significant impact on your rights or freedoms. Examples include:
6.1 Recommending transportation tickets, products, or services, including routes based on your booking history
6.2 Offering promotions or privileges tailored to your usage behavior
6.3 Segmenting users to analyze travel trends
6.4 Detecting anomalies or risks in the booking process to prevent fraud
In the event that automated processing results in decisions that significantly affect you, we will implement appropriate safeguards. You have the right to object to such decisions as set out in Section 10, or exercise your rights through the contact channels specified in Section 19.
7. Disclosure of Personal Data to Third Parties
We will not disclose your Personal Data to third parties except in the following circumstances:
7.1 Disclosure to Joint Data Controllers (Transportation Service Providers)
7.1.1 Your Personal Data may be disclosed to transportation service providers acting as Joint Data Controllers under a Joint Controller Agreement (JCA), based on contractual necessity as part of the services you have requested, such as ticket issuance, boarding verification, seat management, and notifications of delays or cancellations
7.1.2 In addition, where you request services through such providers or participate in promotions offered by our partners, we may share your Personal Data with such partners based on contractual necessity, under a Data Processing Agreement (DPA), including but not limited to:
(1) Payment processors
(2) Background check and anti-money laundering (AML) service providers
(3) Insurance and financial partners
7.2 Disclosure to Affiliates and Group Companies
Your Personal Data may be disclosed to our affiliated and group companies acting as Data Processors, under a Data Processing Agreement (DPA), based on contractual necessity to provide services to you
7.3 Disclosure Required by Law or Government Authorities
We may disclose your Personal Data where required by law, or in response to lawful requests from competent government authorities
7.4 Disclosure Based on Your Explicit Consent
Your Personal Data may be disclosed to third parties where you have given your explicit prior consent
8. Data Retention
We will retain your Personal Data only for as long as necessary to fulfill the purposes stated in this Privacy Policy, or as required by applicable laws, as follows:
8.1 Account Registration Information will be retained for the duration of your account usage
8.2 Transaction and Travel Data will be retained for a period not exceeding 5 years from your last use of our services
8.3 Payment Information and Proof of Payment will be retained for a period not exceeding 5 years in accordance with applicable accounting laws
8.4 Basic Identification Information and Call Center Recordings will be retained for a period not exceeding 90 days from the date of recording, unless retention is necessary for purposes such as handling complaints or disputes, in which case such data may be retained until the completion of the relevant process or until the expiration of the applicable statutory limitation period
8.5 Usage Data for Statistical Analysis will be retained for a period not exceeding 3 years, in anonymized form that does not identify any individual
8.6 System Access Data: We will retain computer traffic data (log files) sufficient to identify users for at least 90 days. In the event of suspected unlawful activity, such data may be retained for a period of not less than 1 year, as required by applicable laws
9. Data Security Measures
We implement appropriate technical and organizational security measures in accordance with applicable laws to protect your Personal Data against loss, unauthorized or unlawful access, destruction, use, alteration, modification, or disclosure, including:
9.1 Access control and user authorization management
9.2 Identity verification and authentication mechanisms
9.3 Access logging and monitoring systems
9.4 Approval processes for access rights
9.5 Periodic access review and revalidation
9.6 Data encryption measures
9.7 Restriction of access to Personal Data strictly to authorized personnel only
9.8 Implementation of agreements with Joint Data Controllers and Data Processors to ensure appropriate data protection standards
10. Data Subject Rights
You have the following rights under applicable data protection laws:
10.1 Right of Access: You have the right to request access to your Personal Data under our responsibility and to obtain a copy of such data
10.2 Right to Rectification: You have the right to request correction of your Personal Data to ensure that it is accurate, complete, and up to date. If you are a registered user, you may update your information via your account settings
10.3 Right to Erasure: You have the right to request the deletion, destruction, or anonymization of your Personal Data where it is no longer necessary, subject to the conditions set out in Section 16
10.4 Right to Restriction of Processing: You have the right to request the temporary suspension of the use of your Personal Data while we are verifying your request for rectification or considering your objection
10.5 Right to Object: You have the right to object to the collection, use, or disclosure of your Personal Data
10.6 Right to Data Portability: You have the right to receive your Personal Data in a structured, commonly used, and machine-readable format, and to request that such data be transferred to another Data Controller
10.7 Right to Withdraw Consent: You have the right to withdraw your consent at any time, where processing is based on your consent
10.8 Right to Lodge a Complaint: You have the right to lodge a complaint with the Personal Data Protection Committee (PDPC) if you believe that your rights have been violated
If you wish to appoint a representative to submit a request on your behalf, a written power of attorney and identity verification documents of both parties are required.
You may exercise your rights by submitting a request via email at dpo@thairoute.com, downloading the request form from our website, or contacting us as specified in Section 19. We will respond to your request within 30 days from the date we receive a complete request with sufficient identification documents.
11. Cross-Border Data Transfer
In the event that it is necessary for us to transfer your Personal Data to a foreign country, we will comply with applicable laws and ensure that adequate data protection measures are in place, including:
11.1 Assessing the adequacy level of data protection in the destination country
11.2 Entering into a Data Transfer Agreement (DTA)
11.3 Implementing Binding Corporate Rules (BCRs), where applicable
11.4 Obtaining your explicit consent, where required
12. Cookies and Similar Technologies
We use cookies and similar technologies to analyze your usage, such as browser type, search preferences, IP address, advertising display, and access date and time, including:
12.1 Cookies
12.2 Web beacons
12.3 Tags
12.4 Scripts
12.5 Local shared objects (e.g., HTML5 or Flash cookies)
12.6 Advertising identifiers (e.g., Apple IDFA or Google Advertising ID)
You may manage your cookie preferences through your browser settings, including:
(1) Blocking or disabling cookies
(2) Clearing browsing history and cache
(3) Adjusting mobile device settings to limit certain types of data sharing
13. Links to Third-Party Websites or Services
Our website may contain links to third-party websites or services which may collect your Personal Data. We are not responsible for the privacy practices or security of such third parties. You are advised to review the privacy policies of those third parties and comply with their applicable terms.
14. Consequences of Refusal to Provide Personal Data
We may be required to collect your Personal Data based on contractual necessity, legal obligations, legitimate interests, or for the prevention of fraud and harm.
If you choose not to provide or allow us to process your Personal Data, you may still use our services; however, such refusal may affect certain service functionalities, such as notifications, marketing offers, or personalized support, which may result in a less convenient user experience.
15. Changes to the Privacy Policy
This Privacy Policy may be updated, amended, or modified from time to time to ensure compliance with the PDPA and other applicable laws. We recommend that you review this Privacy Policy periodically. Any changes will be published on our website.
16. Account Deletion
If you have a user account and wish to delete it, you may do so via the following link:
https://accounts.busx.com → select “Your BusX Information” → “Deleting Your BusX Account”
Once your account has been deleted, your Personal Data will be permanently removed from our system and cannot be recovered.
17. Personal Data Breach Management
In the event of a personal data breach, we will notify the Personal Data Protection Committee (PDPC) within 72 hours from becoming aware of the breach. We will assess the risk and notify you without delay if the breach is likely to result in a high risk to your rights and freedoms.
In assessing such risk, we will consider the severity of the data involved, the scope of affected individuals, and the likelihood of misuse.
18. Personal Data of Minors
In the case of minors who have not reached legal age, we do not have a policy to collect their Personal Data without obtaining consent from their parent or legal guardian.
19. Contact Details
If you have any questions or require further information regarding this Privacy Policy, please contact us at:
19.1 Email: info@thairoute.com
19.2 Data Protection Officer (DPO): Thai Route Dot Com Co., Ltd. Address: No. 1 TP&T Building, 15th Floor, Soi Vibhavadi Rangsit 19, Chatuchak, Bangkok
19.3 DPO Email: dpo@thairoute.com
19.4 Telephone: +66 2-537-8471