Privacy Policy
WHO WE ARE
Healsea Co., Ltd. (“Healsea”, “we”, “us”, “our”) operates the website healsea.site and associated booking, consultation, customer‑support and marketing channels. Our registered office is Mouana Grande, Ko Kaeo, Mueang Phuket District, Thailand, email healsea.th@gmail.com. We are the Data Controller under the Thai PDPA and, when relevant, the EU GDPR.
SCOPE OF THIS POLICY
This Policy explains what personal data we collect, how and why we use it, the lawful bases we rely on, the safeguards we apply, and the rights you can exercise. It covers all online and offline interactions with Healsea, including enquiries, bookings, wellness questionnaires, tele‑consultations and marketing subscriptions.
WHAT DATA WE COLLECT
• Identification: name, postal address, passport number
• Contact: e‑mail, telephone, social‑media ID
• Health & Wellness (sensitive): medical history, photographs, treatment preferences
• Booking & Payment: itinerary, flight details, card tokens, invoices
• Technical: IP address, device IDs, cookies, usage logs
Sensitive data is never collected unless strictly necessary and always with explicit opt‑in consent.
HOW WE COLLECT DATA
• Direct input via web forms, chat or e‑mail
• Pre‑consultation medical questionnaires or file uploads
• Automatic collection through cookies or similar technologies
LEGAL BASES FOR PROCESSING
We rely on at least one of the following legal bases for each processing activity: Consent; Contract; Legal Obligation; Vital Interests; Legitimate Interests; Explicit Consent for Sensitive Data.
HOW WE USE YOUR DATA
• Arrange consultations with partner clinics/hospitals
• Facilitate travel logistics (hotels, transport, translators)
• Provide before/after‑care and follow‑up support
• Issue invoices, process payments and manage refunds
• Send optional newsletters or promotional offers (with opt‑out)
• Maintain security, debug and improve our digital platforms
SHARING & DISCLOSURE
We share data only as needed with: accredited healthcare providers; travel agents, hotels or logistics partners; payment processors; IT vendors under strict data‑processing agreements; regulators, courts or law‑enforcement when legally compelled. We share data with third‑party marketing platforms only with prior opt‑in consent and a clear unsubscribe option.
INTERNATIONAL TRANSFERS
Because Healsea serves global clients, data may be transferred to countries outside Thailand or your home jurisdiction. Where we do so, we will use destinations deemed adequate by the PDPC or European Commission, implement Standard Contractual Clauses or equivalent safeguards, and perform Transfer Impact Assessments where required.
DATA RETENTION
• Medical records: minimum 10 years
• Booking and accounting records: 7 years
• Marketing data: until you unsubscribe or 2 years after last interaction, whichever is sooner
Data are securely deleted or anonymised when no longer necessary.
SECURITY MEASURES
Healsea applies administrative, technical and physical safeguards, including: ISO‑27001‑aligned policies, encryption in transit and at rest, role‑based access controls, two‑factor authentication, secure backups and regular penetration testing. We maintain an incident‑response plan and a 72‑hour breach notification procedure.
COOKIES & SIMILAR TECHNOLOGIES
Non‑essential cookies (analytics, advertising) load only after consent. Visitors can revoke or adjust preferences at any time via the cookie banner or browser settings. Strictly‑necessary cookies operate regardless of consent because they are required for site functionality.
YOUR RIGHTS
Under the Thailand PDPA, EU/UK GDPR, California CCPA/CPRA and the laws of other regions, you may access, correct, delete, port or object to the processing of your data. We verify all requests and respond within one month (GDPR) or 45 days (CCPA). Contact our DPO at dpo@healsea.site.
CHILDREN’S PRIVACY
Our services are not directed to persons under 18. We do not knowingly collect data from children under 13 and will delete any such data promptly upon discovery.
HIPAA NOTICE (U.S. PATIENTS)
Healsea is not a U.S. “covered entity”. However, if we handle U.S. patients’ Protected Health Information on behalf of a covered U.S. provider, we sign Business Associate Agreements and apply HIPAA safeguards for that data.
UPDATES TO THIS POLICY
We may amend this Policy to reflect legal or operational changes. Material changes will be highlighted on the website and, where required, we will seek fresh consent.