Privacy Policy

We recognize the importance of personal data and other information related to users of our services. (“Customer” or “You”). To ensure your confidence in our transparency and accountability in collecting, using, or disclosing your information in accordance with the Personal Data Protection Act B.E. 2562 (2019), we have established this policy to inform you of the details regarding the collection, use, and disclosure of your personal data.

1. Definitions

“Personal Data” Means any information that can be used to identify an individual, whether directly or indirectly, such as name, telephone number, email address, national identification number, passport number, etc.
“Data Subject” Refers to a natural person who is the owner of the personal data.
“Data Controller” Means a person or legal entity who has the authority to make decisions regarding the collection, use, or disclosure of personal data.
“Joint Data Controller” Refers to a person or legal entity that jointly determines, with another party, the purposes and means of processing personal data. Both parties share responsibility for the personal data.
“Data Processor” Means a person or legal entity that collects, uses, or discloses personal data on behalf of, or under the instruction of, the Data Controller.

2. Types of Personal Data Collected.

We collect your personal data only as necessary and in accordance with the Personal Data Protection Act B.E. 2562 (2019). The types of data collected are categorized based on the service channels as follows.

2.1 Data Collected from Use of Website and Application.

2.1.1 User Account Registration Information.

Full name
Gender
Date of birth
Country/Region
Registration email
Phone number

2.1.2 Transaction and Booking Information.

Booking reference number or ticket / service / product number
Travel date, time, and route
Passenger details, such as full name, contact phone number or email.

2.1.3 Payment and Payment Proof Information.

Payment reference code.
Credit/debit card details, such as name on card, card number, expiration date, and issuing bank.
Bank account information.
Tax invoice issuance details.
Payment proof.

2.1.4 Technical Information.

IP address, MAC address, session logs, or behavior tracking information (e.g., Session ID), including browser type and version.

2.1.5 Location Data.

If location features are enabled in the application, we may access your GPS coordinates or general location to provide relevant services, such as recommending nearby pickup points.

2.2 Data Collected from Contacting Our Customer Service Center (Call Center).

2.2.1 Basic Identification Information.

Full name
Phone number or email address used for contact.
Booking reference number for tickets, products, or services
Booking channel (e.g., website, agent, application)

2.2.2 Conversation Records.

Used solely for quality assurance, complaint management, and service-related documentation.

Call recordings with timestamps.
Incoming and outgoing phone numbers.
Complaints, suggestions, or issues reported, along with any supporting evidence (if applicable).

2.2.3 Transaction and Booking Information.

Booking reference number or ticket / product / service number
Travel date, time, and route
Passenger details, such as full name, contact phone number or email.

2.2.4 Payment and Payment Proof Information.

Payment reference code.
Credit/debit card details, such as name on card, card number, expiration date, and issuing bank.
Bank account information.
Tax invoice issuance details.
Payment proof.

2.3 Data Collected from Physical Service Locations or Authorized Agents.

2.3.1 Transaction and Booking Information.

Booking reference number or ticket / product / service number.
Travel date, time, and route.
Passenger details, such as full name, contact phone number or email.

2.3.2 Payment and Payment Proof Information.

Payment reference code.
Credit/debit card details, such as name on card, card number, expiration date, and issuing bank.
Bank account information.
Tax invoice issuance details.
Payment proof.

2.4 Data Collected from Other Channels.

We may collect additional data in cases where you contact us via other channels such as Facebook, Line, TikTok, including.

Social media account information (display name / User ID).
Messages or content you send.
Comments or responses to surveys.
Photos or attached documents (if submitted).

2.5 Sensitive Personal Data.

We do not have a policy to collect your sensitive personal data unless we have obtained your explicit consent or are required to do so by law. This includes, but is not limited to:

Genetic data
Biometric data
Race or ethnicity
Religion
Political opinions
Health information
Sexual behavior
Criminal records
Disabilities
Labor union membership

3. Sources of Personal Data.

We may collect your personal data through various channels as outlined below.

3.1 Data Collected Directly from You.

We may collect personal data directly from you in the following circumstances.

When you register for membership by completing forms, whether in paper format, through our website, application, or social media platforms.
When you book tickets, products, or services through our channels such as website, application, Call Center, physical service points, or authorized agents.
When you fill out information via forms.
When you contact us, make inquiries, or provide feedback or suggestions about our products or services.
When you opt in to receive news or promotional materials from us.

3.2 Data Collected Automatically.

We may automatically collect your personal data in the following instances.

When you visit or use our website, which may use cookies or similar technologies to gather technical information related to your usage.
When using our services, including data associated with such use, such as device information. (e.g., IP address, MAC address)

3.3 Data Collected from Third Parties.

We may collect your personal data from lawful external sources or where you have consented for your information to be disclosed to us, such as when third parties submit your personal data to us for the purposes of providing you with our services or related business operations.

3.4 When You Provide Us with Third-Party Personal Data.

In some cases, you may provide us with personal data of other individuals (e.g., spouse, family members, or friends), such as when booking tickets, products, or services on their behalf.

In such cases, you represent and warrant that you have obtained consent from those individuals for us to collect, use, and disclose their personal data as described in this policy.

4. Principles of Personal Data Collection.

We collect personal data in accordance with the following principles.

4.1 Contractual Necessity (Section 24(3))

The collection of personal data is based on the necessity to perform a sales or service contract between the Data Controller ("we") and the Data Subject ("you"). This includes the collection of personal data, contact information, booking and travel details for the purpose of issuing and delivering tickets, products, or services in accordance with your request.

4.2 Compliance with Legal Obligation (Section 24(6))

We collect and use payment information, including details related to the payment of fares, products, or service fees, as necessary for processing transactions, verifying payments, and fulfilling contractual obligations related to the issuance and delivery of tickets, goods, or services.

4.3 Legitimate Interests (Section 24(5))

Conversation data may be used to monitor service quality and maintain records of information provided, advice given, or transactions conducted via telephone. We retain voice recordings only as necessary, with appropriate security measures in place, and access strictly limited to authorized personnel.
We may use your data for business analytics to improve our products or services, as well as to tailor content and promotions that are relevant to you.
Additionally, we may use anonymized or non-identifiable data which falls outside the scope of the Personal Data Protection Act B.E. 2562 (2019), for the purpose of analyzing overall trends.

4.4 Prevention of Fraud and Harm to Others (Section 24(2))

We may process your personal data when necessary to prevent or suppress danger to your life, health, or that of others for example, notifying emergency services in the event of a travel-related accident, or monitoring suspicious behavior to prevent fraud.

5. Purpose of Personal Data Collection.

5.1 To support a seamless user experience and efficient service delivery.

Facilitate the booking of transportation tickets, and the purchase of products or services.
Deliver transportation tickets, products, or services.
Process returns or modifications of transportation tickets, products, or services.
Send reminders to complete bookings or transactions that remain unfinished.
Provide advance travel-related information you should be aware of.
Communicate important service announcements or notifications.
Contact you for legal compliance purposes or to resolve disputes.

5.2 To respond to your inquiries and provide assistance.

Provide assistance related to the services offered to you.
Update your information and process requests for the exercise of rights or handle complaints.

5.3 To develop and improve the quality of our products and services.

Analyze and enhance our services to better meet your needs.

5.4 To provide information about tickets, products, or services, as well as for marketing and promotional communications.

Send information about tickets, products, or services in order to offer privileges, promotions, discounts, and special offers related to tickets, products, or services provided by merchants or transport operators via email, based on legitimate interests as appropriate. You may opt out of receiving marketing emails at any time by clicking “Unsubscribe” at the bottom of the email.

5.5 For data analysis purposes.

Anonymize your data such that anonymized data is not subject to the Personal Data Protection Act B.E. 2562 (2019), for use in marketing analysis and market research aimed at improving products and services.

5.6 To prevent, detect, and investigate criminal activities.

Conduct audits and take necessary actions to prevent violations of applicable laws, including security breaches that may affect the personal data of the data subject.

6. Automated Data Processing.

We may use automated systems or tools to analyze your data in order to improve your user experience and to present content or services tailored to your interests. Such processing does not significantly affect your rights or freedoms, such as producing legal or similarly significant effects. Examples include.

Recommending tickets, products, services, or travel routes based on your booking history.
Offering promotions or privileges aligned with your usage behavior.
Segmenting users for travel trend analysis.
Detecting anomalies or risks in the booking process to prevent fraud.

If automated processing results in decisions that significantly affect you, we will implement appropriate safeguards. You will also have the right to express your opinion, object to such decisions, or exercise your rights through the contact channels provided in Section 19.

7. Disclosure of Personal Data to Third Parties.

We do not disclose your personal data to third parties except in the following cases.

7.1 Disclosure to Joint Data Controllers. (e.g., transport operators)

Your personal data may be shared with joint data controllers under a Joint Controller Agreement (JCA), based on contractual necessity as part of the service you have requested and as necessary for the performance of a contract. This includes actions such as issuing tickets, verifying boarding rights, managing seat assignments, or notifying schedule changes or cancellations.
Additionally, if you request services via a transport operator or use a promotion offered by one of our partners, we may share your data with such partners under a Data Processing Agreement (DPA) based on your service request. Examples include.

(1) Payment processors.

(2) Background verification and anti-money laundering service providers.

(3) Insurance and financial service partners.

7.2 Disclosure to Subsidiaries and Affiliates

Your personal data may be disclosed to our subsidiaries and affiliates acting as data processors under a Data Processing Agreement (DPA). Such disclosure will be based on a contractual necessity to fulfill your service requests in accordance with the terms and conditions you have accepted.

7.3 Disclosure Required by Law or Government Authorities

We may disclose your personal data when required to do so by applicable law, regulation, legal process, or upon a lawful request by governmental or regulatory authorities.

7.4 Disclosure with Your Explicit Prior Consent

We may disclose your personal data to third parties only when we have obtained your explicit prior consent for such disclosure, and only for the purposes for which your consent has been given

8. Retention Period of Personal Data.

We will retain your personal data for only as long as necessary to fulfill the purposes stated in this policy or as required by law, as follows.

User account registration data. Retained for the entire duration of your account’s active use.
Personal data related to ticket bookings and travel. Retained for a period of 5 years from the date of your last use of the service.
Payment information and proof of payment. Retained for 5 years in accordance with accounting laws.
Basic identification data and customer service call recordings. Retained for no longer than 90 days from the date of recording. In specific cases, such as a complaint or dispute, the data may be retained until the conclusion of the investigation or until the applicable statute of limitations under the law has expired.
Usage data for statistical analysis. Retained for no longer than 3 years and maintained in a format that does not identify any individual.
User access logs. We retain computer traffic data (log files) sufficient to identify users for at least 90 days. In cases where there is suspicion of unlawful activity, we will retain such data for no less than 1 year, as required by law.

9. Personal Data Security Measures.

We implement security measures in accordance with legal requirements to protect personal data against loss, unauthorized access, destruction, use, alteration, modification, or unlawful disclosure. The measures include.

User Access Control
Authentication
Access Logging
Access Request Process
Access Review
Data Encryption
Restricted Employee Access
Joint Controller Agreement (JCA)

10. Rights of the Data Subject.

Right of Access. You have the right to request access to your personal data under our responsibility and request a copy of such data.
Right to Rectification. You have the right to request that we correct your personal data to ensure it is accurate, up to date, and complete. If you are a registered member, you can update your personal information via your account profile page.
Right to Erasure / Right to be Forgotten. You have the right to request that we delete, destroy, or anonymize your personal data when it is no longer necessary, in accordance with Section 19.
Right to Restriction of Processing. You have the right to request a temporary suspension of the processing of your personal data while we are verifying its accuracy or reviewing an objection request.
Right to Object. You have the right to object to the collection, use, or disclosure of your personal data.
Right to Data Portability. You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to request the transfer of such data to another data controller.
Right to Withdraw Consent. You have the right to withdraw your consent to the processing of your personal data at any time while we retain your data.
Right to Lodge a Complaint. You have the right to file a complaint with the Office of the Personal Data Protection Committee (PDPC) if you believe your rights have been violated or the data controller has not complied with the law.

If you wish to authorize another person to exercise your rights on your behalf, a written power of attorney and identification documents for both parties must be submitted.

You may exercise your rights by submitting a request via email to dpo@thairoute.com, downloading the request form from our website, or contacting us as provided in Section 19. We will respond to your request within 30 days from the date we receive the complete request and identity verification documents.

11. Cross-Border Data Transfers.

In cases where it is necessary for us to transfer your personal data to another country, we will comply with legal requirements and ensure that the destination country has an adequate level of data protection. Our safeguards include.

Assessing the adequacy of the data protection standards of the destination country.
Executing a Data Transfer Agreement (DTA).
Implementing Binding Corporate Rules (BCRs).
Obtaining your explicit consent for such transfer.

12. Use of Cookies.

We use cookies to analyze your usage behavior, such as browser type, search preferences, IP address, advertisement display, and usage timestamps. Technologies used may include.

Cookies
Web Beacons
Tags
Scripts
Locally Shared Objects (e.g., HTML5 or Flash Cookies)
Advertising Identifiers such as Apple’s IDFA or Google’s Advertising ID

You may manage your cookie preferences through your browser settings, including.

Configuring your browser to disable or block cookies.
Clearing your browsing history and cache.
Adjusting your mobile device settings to limit certain types of data sharing.

13. External Website or Service Links.

Our website may contain links to third-party websites that may collect usage and personal data. We are not responsible for the security or privacy practices of such external websites. You are advised to review the privacy policies of those websites and follow their stated data protection practices.

14. In Case of Consent Refusal or Denial of Personal Data Use.

We may need to collect your personal data based on legal grounds such as contractual necessity, legal compliance, legitimate interests, or the prevention of fraud and harm. If you choose not to provide consent for certain uses of your personal data, you may still use our services. However, refusal may affect some aspects of the service such as receiving notifications, marketing, or personalized support leading to a reduced service experience, as we may not be able to process your data for full-service efficiency.

15. Changes to the Privacy Policy.

This privacy policy may be amended or updated from time to time to ensure compliance with the Personal Data Protection Act B.E. 2562 (2019), or other applicable laws. We encourage you to review this policy periodically. Any updates will be announced on our website.

16. Account Deletion.

If you hold a user account and wish to delete it, you may do so by visiting https://accounts.busx.com, selecting the “Your BusX Information” menu, and choosing “Deleting Your BusX Account” to proceed. Once the account deletion is completed, your personal data will be permanently erased from our system and cannot be recovered.

17. Personal Data Breach Management.

In the event of a personal data breach, we will notify the Office of the Personal Data Protection Committee (PDPC) within 72 hours of becoming aware of the incident. If the breach is likely to result in a high risk to your rights and freedoms, we will notify you promptly.
Risk assessment will consider the severity of the data leaked, the scope of affected individuals, and the likelihood of misuse of the compromised data.

18. Special Provisions Regarding Minors.

For minors who have not reached legal age under applicable law, we do not collect personal data without the consent of a parent or legal guardian. It is our policy to avoid processing personal data of minors without such consent.

19. Contact Information

If you have any questions, feedback, or require further information regarding this privacy policy, please contact us at:

Email: info@thairoute.com
Data Protection Officer (DPO): Thai Route Dot Com Co., Ltd. 1 TP&T Building, 15th Floor, Soi Vibhavadi Rangsit 19, Chatuchak Subdistrict, Chatuchak District, Bangkok, Thailand.
Email (DPO): dpo@thairoute.com
Phone number: 02-537-8471