Privacy policy

This policy explains what personal data muaythai.tickets collects, why we collect it, how long we keep it, who we share it with, and the rights you have under Thailand's Personal Data Protection Act B.E. 2562 (PDPA).

Last updated 17 April 2026

Who we are

This site is operated by Muaythai Dot Tickets Company Limited, a company registered in Thailand. Under the PDPA, we are the Data Controller for personal data collected through muaythai.tickets.

  • Registered office: 1213/435 Soi Ladprao 94 (Panjamitr), Plabpla, Wangthonglang, Bangkok 10310, Thailand
  • Company registration / Tax ID: 0105569034942
  • Phone: +66 2 530 9718
  • General contact: [email protected]

What data we collect

We group the personal data we collect into five categories.

  • Account data. Your name, email address, and phone number when you create an account or sign in with a magic link. If you are an organizer, we additionally collect the company details you submit to list events.
  • Order data. Your order reference, the event and ticket type you purchased, the quantity, the total paid, the buyer name on the order, and any delivery fields the organizer requires for gate entry.
  • Payment metadata. A payment provider token, the payment method type (card or PromptPay), the last four digits of the card, the card brand, and the charge identifier returned by our payment provider. We never collect or store your full card number, card expiry, CVV, or banking credentials. Card details are entered into a form hosted by Omise and go directly from your browser to Omise.
  • Communication data. The content of emails you send us, our replies, and any support notes we add while handling your request.
  • Technical data. IP address, user agent, timestamps, and anonymous request identifiers captured by our servers for security, rate limiting, and fraud detection.

Why we collect it

The lawful basis under the PDPA differs by category.

  • Account data and order data are processed under contract performance (PDPA §24(3)). We cannot sell you a ticket, deliver it, or let you sign into your ticket history without this data.
  • Marketing emails about upcoming events are sent only with your separate explicit consent (PDPA §24(1)). The marketing opt-in at checkout and at signup is optional and unchecked by default. You can withdraw consent at any time.
  • Payment metadata, tax invoice data, and refund records are retained under legal obligation (PDPA §24(6)), principally the Thai Revenue Code and the Thai Accounting Act B.E. 2543, which require financial records to be retained for seven years.
  • Technical data is processed under legitimate interest (PDPA §24(5)) to secure the platform, prevent fraud, and diagnose outages, balanced against your rights and kept proportionate to that purpose.

How long we retain it

We retain each category only for as long as its purpose or a legal obligation requires. The summary below is a plain-language version of our retention schedule; the engineering reference is the internal data-retention policy.

  • Account data: kept while your account is active. If you request deletion and have no records that must be retained under Thai tax law, we erase your account data within 30 days.
  • Order data, payment metadata, refund records, and tax invoices: retained for 7 years from the date of the transaction under the Thai Accounting Act B.E. 2543 and the Thai Revenue Code. This retention overrides a deletion request for these specific records.
  • Consent records: retained for 7 years from the most recent recorded event, aligning with the financial-records retention horizon, as evidence of lawful processing under PDPA §30.
  • Communication data: retained for 24 months from the last message in a thread.
  • Technical data: retained for 12 months for security review, then purged.
  • Session tokens and abandoned carts: retained for 30 days then purged automatically.

Who we share it with

We use a small number of processors to operate the platform. Each one receives only the data it needs and is bound by a data processing agreement. We do not sell your data and we do not share it with advertisers or data brokers.

  • Omise / Opn Payments (Thailand). Processes every card and PromptPay transaction and holds the tokenised card details. Required to take your payment.
  • Postmark (United States and European Union). Sends your order confirmation, your ticket email, and support replies. Required to deliver your ticket.
  • Neon (United States). Hosts our production database. Required to store your account, your orders, and your tickets.
  • Railway (United States). Hosts the web application and background workers. Required to run the site.
  • Cloudflare (global edge). Sits in front of the application for content delivery, DDoS protection, and web application firewall. Required to keep the site available.
  • Event organizers. The organizer of the event you bought a ticket to receives the minimum data needed for gate entry and event operations. Organizer obligations to you are covered in the Terms and Conditions.
  • Thai tax and regulatory authorities. Where a specific law compels disclosure, we comply. We do not disclose buyer data to authorities outside that obligation.

Your rights under the PDPA

PDPA §§30 to 37 give you the following rights over your personal data. You can exercise all of them free of charge. We verify that a request is actually yours before acting on it.

  • Right to access (§30). You can see what personal data we hold about you and request a copy. Use /my/data-export for a self-serve export of your profile, orders, tickets, refunds, and consent records.
  • Right to data portability (§31). The export above is provided in a machine-readable JSON format so you can take it to another service.
  • Right to object (§32). You can object to processing based on legitimate interest, including our fraud-detection and security processing.
  • Right to erasure (§33). You can request deletion of your account at /my/account/delete. We process the request within 30 days. Records that we must keep under Thai tax and accounting law are retained and pseudonymised where possible; the response to your request explains exactly which records remain and why.
  • Right to restriction (§34). You can ask us to pause processing while a correction or objection is under review.
  • Right to rectification (§35). You can correct inaccurate or incomplete data. Most fields are editable in your account; for anything you cannot edit, contact us.
  • Right to withdraw consent (§36). Where consent is the lawful basis, you can withdraw it at any time. Withdrawing consent for marketing emails does not affect your ticket delivery or your order history.
  • Right to lodge a complaint (§37). If you are unhappy with how we handle your data, you can complain to the Personal Data Protection Committee (PDPC) of Thailand. Regulator contact details are published at pdpc.or.th.

Cookies and tracking

We group cookies and similar technologies into three tiers and show them to you in a cookie consent banner on your first visit.

  • Essential cookies. Always on. Used for your session, your cart, checkout state, and security features such as CSRF protection. The site cannot run without these.
  • Analytics cookies. Off until you opt in. If you opt in, we collect aggregated product-usage data to improve the funnel. No analytics script loads before you consent.
  • Marketing cookies. Off until you opt in. We do not run marketing pixels or advertising trackers by default.

You can change your cookie choices at any time from the cookie banner or from your account settings. Withdrawing an opt-in stops the corresponding scripts from loading on your next visit.

International transfers

Some of the processors named above run infrastructure outside Thailand. In particular, our production database is hosted with Neon in the United States, and Railway, Postmark, and Cloudflare operate from multiple regions that include the United States and the European Union.

Under PDPA §28, we transfer data to these destinations on the basis of binding contractual commitments and the processors' own data protection programs. Each processor publishes security and privacy documentation, and each is bound to us by a signed data processing agreement that requires equivalent protection to the PDPA and restricts further onward transfer. We review the roster of processors at least once a year.

Security

We run the platform under a PCI DSS SAQ-A scope. Card data never touches our servers; it is collected by an iframe hosted by Omise and tokenised before any information reaches us. We never log card numbers, expiry dates, or CVV.

Thailand has required 3D Secure 2 authentication on card transactions since October 2022, and every card payment on muaythai.tickets is processed under that standard. You may be redirected to your bank to confirm the payment.

Data in transit is encrypted with TLS. Our database, application hosts, and queues are in private networks with restricted production access. Access to production data is limited to the smallest team needed to operate the platform and is logged.

Data Protection Officer and contact

We have designated a Data Protection Officer (DPO) as the point of contact for privacy questions, rights requests, and regulator correspondence. Until a separate DPO is appointed, the founder acts as DPO.

  • Data Protection Officer: [email protected]
  • General contact: [email protected]
  • Postal address: 1213/435 Soi Ladprao 94 (Panjamitr), Plabpla, Wangthonglang, Bangkok 10310, Thailand

You can also complain to the Thai data protection regulator. The Personal Data Protection Committee (PDPC) publishes contact details at pdpc.or.th.

Changes to this policy

We review this policy at least once a year and whenever we add a processor, change a retention rule, or change how we use your data. Each published version carries the date at the top of this page. Material changes are announced on the site before they take effect so you have time to review them.

Effective date

This policy is effective from 17 April 2026.
