Legal

Privacy Policy

Last updated: 15 February 2025

1. Introduction

Heartwood ("we", "us", "our") is committed to protecting the personal information of the people we work with. This policy explains what data we collect, why we collect it, how we use it, and the rights you have over it.

This policy applies to information collected through our website, enquiry forms, email correspondence, and in the course of delivering our property rental services in Chiang Mai, Thailand.

Questions about this policy can be directed to [email protected].

2. Data We Collect

We may collect the following categories of personal data:

Contact information: name, email address, telephone number.
Correspondence: the content of messages you send us, including enquiries and service-related communications.
Service-related information: details relevant to your rental search or tenancy, such as preferred property type, intended stay duration, and budget.
Technical data: IP address, browser type, and pages visited, collected via cookies and analytics tools (see Section 5).

We collect only what is reasonably necessary for the purposes described in this policy.

3. How We Use Your Data

We use personal data for the following purposes:

Responding to enquiries and conducting initial consultations.
Delivering the services you have engaged us for (rental search, tenancy support).
Communicating updates, progress notes, and relevant information during an active engagement.
Maintaining records of completed engagements as required for operational and legal purposes.
Improving the quality and relevance of our website using aggregate analytics data.

Legal basis (for those to whom PDPA or GDPR applies): Processing is based on contract performance, legitimate interest, or your explicit consent depending on the activity. We do not process data for automated decision-making.

4. Data Retention

Contact and correspondence data relating to an active engagement is held for the duration of the engagement and for three years thereafter, to allow for follow-up and reference.

Enquiry data from contacts who did not proceed to an engagement is held for twelve months, after which it is deleted.

Technical/analytics data is retained in aggregate form only and is not linked to identifiable individuals.

5. Cookies and Analytics

Our website uses cookies to understand how visitors use the site and to improve the experience. These are described in more detail in our Cookie Policy. You can manage your cookie preferences at any time via that page.

We use privacy-respecting analytics that do not share data with advertising networks. Analytics data is used solely to understand aggregate usage patterns.

6. Data Sharing

We do not sell, rent, or trade personal data.

We may share data with the following categories of recipients where necessary for service delivery:

Landlords and property managers, with your knowledge and for the purpose of arranging viewings or lease signing.
Third-party service providers acting on our behalf (e.g. email hosting), bound by data processing agreements.

We do not share data with advertisers or marketing networks.

7. Data Security

We take reasonable technical and organisational measures to protect personal data against unauthorised access, loss, or misuse. These include access controls, encrypted communications channels, and regular review of data handling practices.

In the event of a data breach that poses a risk to individuals' rights, we will notify affected parties and relevant authorities as required by applicable law.

8. Your Rights

Depending on your jurisdiction, you may have the following rights in relation to your personal data:

Access: request a copy of the data we hold about you.
Rectification: ask us to correct inaccurate data.
Erasure: request deletion of your data, subject to legal retention requirements.
Portability: receive your data in a machine-readable format.
Objection: object to processing based on legitimate interest.
Withdrawal of consent: where processing is based on consent, withdraw it at any time.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

If you are located in the EU/EEA, you may also lodge a complaint with your national data protection authority. For Thailand-based matters, the relevant authority is the Office of the Personal Data Protection Committee (PDPC).

9. Third-Party Links

Our website may contain links to external sites. This policy does not apply to those sites and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any external sites you visit.

10. Children's Privacy

Our services are intended for adults aged 18 and over. We do not knowingly collect personal data from individuals under the age of 18. If you believe we have received information from a minor, please contact us so we can arrange for its deletion.

11. Policy Updates

We may update this policy from time to time to reflect changes in our practices or applicable law. The most recent version is always available on this page. Material changes will be communicated via email to active clients where appropriate.

12. Contact

Data controller: Heartwood, 103 Suthep Road, Tambon Suthep, Mueang, Chiang Mai 50200, Thailand.

Email: [email protected]