Privacy Policy

1. Data Controller

The data controller is Garuda Strategy, with registered premises at 88 Sathorn Tai Road, Thung Maha Mek, Sathorn, Bangkok 10120, Thailand. For privacy-related enquiries, contact: privacy@garudast.

2. Personal Data We Collect

We collect personal data through the following means:

• Enquiry and contact forms: Name, email address, telephone number (optional), and the content of your message.
• Enrolment and programme administration: Name, email, telephone, employer, role, and payment information where applicable.
• Website analytics: Anonymised usage data collected via analytics cookies (with consent) — page visits, session duration, and browser type. No personally identifying analytics data is stored without consent.
• Correspondence: Records of written communications with our team.

We do not collect sensitive categories of personal data (such as health, race, or political opinion) in the course of our normal operations.

3. Legal Basis for Processing

We process personal data under the following bases, in accordance with Thailand's Personal Data Protection Act B.E. 2562 (PDPA):

• Consent: For optional communications, marketing, and analytics cookies.
• Contractual necessity: For the administration of programme enrolment and delivery.
• Legitimate interest: For responding to enquiries and maintaining programme records.
• Legal obligation: Where required by applicable Thai law or regulatory authority.

4. How We Use Your Data

• Responding to enquiries and providing programme information
• Processing enrolment applications and administering participation
• Communicating programme schedules, materials, and updates
• Issuing certificates of completion
• Sending relevant communications about future programmes (where consent has been given)
• Improving the website and user experience (analytics, with consent)
• Complying with legal and regulatory requirements

We do not sell personal data to third parties, and we do not use personal data for automated profiling or decision-making.

5. Data Sharing and Third Parties

We share personal data only in the following limited circumstances:

• Payment processing: Payment data is processed by authorised third-party payment providers under their own privacy terms.
• Analytics services: Anonymised usage data may be processed by analytics platforms such as Google Analytics, subject to cookie consent.
• Legal requirements: Where required by Thai law, court order, or regulatory authority.
• Partner organisations (Stewardship Programme): With participant awareness and consent, limited professional information may be shared with partner organisations facilitating the programme's engagement component.

6. Data Retention

Enquiry data is retained for up to 12 months unless enrolment proceeds. Participant enrolment and programme records are retained for 5 years from programme completion to support certificate verification and alumni communications. Financial records are retained as required by Thai accounting law. Analytics data (where consented) is retained in aggregated form only.

7. Data Protection Measures

• Access to personal data is restricted to staff who require it for their role
• Data is stored on secure servers with appropriate access controls
• Website forms use encrypted transmission (HTTPS)
• In the event of a data breach affecting your rights, we will notify you and the relevant authority within the timeframe required by the PDPA

8. Cookies

Our website uses essential cookies for basic functionality and optional analytics and preference cookies subject to your consent. You can manage your cookie preferences at any time via the Cookie Policy page. Withdrawing consent does not affect any processing already carried out.

9. Your Rights Under the PDPA

Under Thailand's Personal Data Protection Act, you have the following rights:

• Right of access: To request a copy of the personal data we hold about you.
• Right to rectification: To request correction of inaccurate data.
• Right to erasure: To request deletion of your data in certain circumstances.
• Right to data portability: To receive your data in a structured, machine-readable format.
• Right to object: To object to processing based on legitimate interest.
• Right to withdraw consent: To withdraw previously given consent at any time.
• Right to lodge a complaint: With the Personal Data Protection Committee of Thailand.

To exercise any of these rights, contact privacy@garudast. We will respond within 30 days.

10. Minimum Age

Our programmes are designed for working professionals. We do not knowingly collect data from individuals under the age of 18. If you believe a minor has submitted data to us, please contact us and we will delete it promptly.

11. External Links

Our website may contain links to external sites. We are not responsible for the privacy practices of those sites and recommend reading their policies before providing personal data.

12. Policy Updates

This policy may be updated from time to time. The Last Updated date at the top of this page reflects the most recent revision. Continued use of the website following any change constitutes acceptance of the revised policy.

13. Contact for Privacy Matters

For any questions, requests, or concerns relating to this policy or to the personal data we hold, please contact: