QuickTM30 Privacy Policy
Privacy summary - read before collecting Guest Data
QuickTM30 is a private tool for accommodation providers. It is not a Thai Immigration or government application. For guest/passport/stay data, your hotel or accommodation business is normally the Data Controller. QuickTM30 normally processes that Guest Data as your Data Processor to provide the Service. You must provide required privacy notices to guests and ensure you have a lawful basis to scan, upload, store, export, and submit their data. Passport/MRZ data can be sensitive or high-risk. Users must review data before final save, export, upload, or government submission. QuickTM30 does not sell personal data.
1. Purpose and scope
This Privacy Policy explains how QuickTM30 collects, uses, discloses, stores, protects, and deletes personal data when you use the QuickTM30 mobile application, website, APIs, exports, support services, billing workflows, and related features (together, the “Service”). This Privacy Policy applies to hotel administrators, staff users, account contacts, support contacts, and other persons who use or communicate with QuickTM30. It also describes how QuickTM30 processes Guest Data when a hotel or accommodation provider uses the Service for passport scanning, TM30-ready records, exports, and related workflows. This Privacy Policy should be read together with the QuickTM30 Terms and Conditions. Capitalized terms not defined here have the meanings given in the Terms.
2. Important legal status: not a government app
QuickTM30 is a private software tool. It is not an official Thai Immigration, police, or government application, and it is not affiliated with or endorsed by any government authority. If you export data or submit data to any Government System, that Government System’s own privacy notice, security practices, terms, and official rules apply to that submission.
3. Controller and processor roles
For Guest Data, the hotel, accommodation provider, landlord, property manager, or other customer that decides to collect and use the data is normally the Data Controller. QuickTM30 normally acts as a Data Processor by processing Guest Data on the Customer’s instructions to provide the Service. For account administration, staff accounts, billing, payment records, security logs, support requests, service analytics, fraud prevention, legal compliance, and QuickTM30 business operations, QuickTM30 may act as an independent Data Controller. If your organization uses QuickTM30, your organization is responsible for providing privacy notices to guests and staff where required, selecting lawful bases for processing, controlling staff access, responding to guest rights requests, and deciding what data should be retained, exported, submitted, corrected, or deleted.
4. Personal data we collect
We collect personal data in the categories below, depending on how you use the Service. Account and hotel information: hotel name, hotel address, contact person, contact email, contact phone, billing email, export email, timezone, default language, company or property details, account status, plan, staff-seat usage, and administrative settings. Staff and user information: staff name, username, email, phone, role, permissions, password status, email verification status, device binding status, last login, session details, and account activity. Passwords are intended to be stored in hashed form, not plain text. Guest and stay information: guest name, surname, given names, full name, nationality, issuing country, passport number, date of birth, sex, passport expiry date, check-in date, check-out date, check-out unknown flag, duplicate indicators, submission status, internal references, audit timeline, and related TM30-ready record fields. Passport/MRZ images and extraction data: passport images or MRZ images that staff capture or upload; MRZ raw text; MRZ format; MRZ validity; parsing results; OCR confidence, error codes, error messages, diagnostics, and processing metadata. Exports and delivery data: export type, date range, generated file metadata, file names, file sizes, guest counts, download status, delivery method, delivery email, delivery logs, and export history. Billing and payment information: plan, top-up or add-on order, payment type, amount, currency, payment method, bank reference, customer reference, payment status, payment slip image, verification notes, invoice or receipt references, and billing history. We do not need and do not ask for your banking app passwords. Support and communications: support tickets, category, subject, description, messages, attachments if enabled, admin notes, email communications, and feedback. Device, log, and security data: device ID, device platform, IP address, user agent, session ID/token ID, login events, device restriction events, API request metadata, error logs, crash logs, audit logs, timestamps, and security alerts. Website/cookie data: if you use our website, we may collect cookies, device information, browser information, referral information, and usage analytics as described in Section 20.
5. Passport images and high-risk information
Passport images and MRZ data can contain highly sensitive or high-risk personal information, including a person’s name, nationality, passport number, date of birth, sex, expiry date, face image, document image, and travel-related identifiers. You should only capture or upload this information when necessary and lawful for your accommodation reporting or record-keeping purpose. QuickTM30 does not use passport images for facial recognition, biometric matching, or unrelated identity profiling unless a future feature is clearly introduced with appropriate notice and lawful basis. We may process passport/MRZ images to crop, enhance, read, parse, display, review, troubleshoot, secure, and generate records or exports as part of the Service. OCR and MRZ results are not final or guaranteed. Staff must review and correct extracted data before final save, export, upload, or government submission.
6. Sources of personal data
We receive personal data from hotel administrators, staff users, guest documents scanned or uploaded by staff, customer support communications, devices used to access the Service, payment workflows, service providers, logs generated by the Service, and information you choose to import, enter, export, or send.
7. How we use personal data
We use personal data to provide, operate, maintain, secure, and improve the Service, including to: create and manage accounts; authenticate staff; bind devices; manage sessions; process passport/MRZ images; create draft, review, and saved Submissions; detect possible duplicates; generate exports; deliver files by download or email; maintain scan usage counters, plan balance, top-up balance, billing orders, and payment history; verify payment slips; provide support; troubleshoot OCR, media, export, and billing issues; send operational notices; prevent fraud, abuse, and unauthorized access; monitor performance and reliability; comply with legal, tax, accounting, and security obligations; enforce the Terms; and create aggregated, anonymized, or de-identified analytics to improve the Service. We do not sell personal data. We do not use Guest Data for unrelated advertising or unrelated marketing lists.
8. Legal bases for processing
Where Thailand’s Personal Data Protection Act and similar laws apply, QuickTM30 relies on legal bases that may include contract necessity, legitimate interests, legal obligations, consent where required, and processing on the Customer’s instructions as Data Processor. The Customer is responsible for selecting and documenting the lawful basis for collecting and using Guest Data and for providing any required notices or consent forms to guests. Our legitimate interests may include securing accounts, preventing fraud and abuse, improving OCR reliability, maintaining service logs, handling support, enforcing our Terms, and operating our business, provided those interests are not overridden by rights that apply under law.
9. Customer responsibilities for guest privacy
Customers must ensure that guest data collection and processing through QuickTM30 is lawful, fair, transparent, necessary, and proportionate. Customers must not upload passports, payment slips, IDs, images, or other personal data unless they are authorized to process that data. Customers must provide all required privacy notices to guests and other data subjects, explain how guest data will be used for accommodation reporting and record-keeping, identify any government submissions, explain retention periods where required, and respond to rights requests. Customers must also restrict staff access to authorized personnel and train staff to review data carefully before relying on it.
10. How we share personal data
We may share personal data as follows: Within your hotel account: administrators and authorized staff may access records, exports, payment information, staff activity, audit logs, and settings according to their role and permissions. With service providers and subprocessors: hosting, storage, OCR or image processing, email delivery, monitoring, analytics, security, support, payment/banking, app-store, and infrastructure providers may process data for us under confidentiality and security obligations. With government systems or authorities: QuickTM30 does not normally submit Guest Data directly to government systems. If you export, upload, email, or submit data to a Government System, you are responsible for that disclosure. We may disclose data if required by law, court order, lawful government request, or to protect rights, safety, and security. Business transfers: data may be disclosed or transferred in connection with a merger, acquisition, financing, restructuring, sale of assets, or similar transaction, subject to appropriate safeguards. Professional advisers: lawyers, accountants, auditors, insurers, and other advisers may access data where necessary for legitimate business, legal, or compliance purposes. We do not sell personal data.
11. Subprocessors and vendors
We may use subprocessors and vendors to provide the Service. The categories may include cloud hosting, database storage, file storage, OCR/image processing, email delivery, monitoring, error logging, customer support, payment handling, banking, app-store distribution, and security tools. We use reasonable contractual, technical, and organizational measures intended to require vendors to protect personal data they process for us. A current subprocessor list may be provided on request where required by law or contract. Some vendor names, locations, and functions may change as the Service evolves.
12. International transfers
QuickTM30 is operated from Thailand, but personal data may be processed in Thailand or in other countries where we, our affiliates, or our service providers operate. Those countries may have data protection laws different from your country. Where required, we take steps designed to protect personal data in accordance with this Privacy Policy and applicable law, such as contractual commitments, access controls, and security measures. By using the Service and instructing us to process Guest Data, the Customer authorizes transfers necessary to provide, secure, support, and maintain the Service, subject to applicable law.
13. Security measures
We use reasonable technical, organizational, and administrative safeguards designed to protect personal data from unauthorized access, loss, misuse, alteration, disclosure, or destruction. These measures may include encryption in transit where supported, access controls, role-based permissions, hashed password storage, device/session controls, monitoring, logging, backups, least-privilege access, and security review practices. No system is 100% secure. You must also protect your account by using secure devices, strong credentials, appropriate staff permissions, secure email recipients, trusted networks, and prompt revocation of access when staff no longer need it.
14. Personal data breaches
If we become aware of a personal data breach affecting Guest Data that we process as Data Processor, we will notify the relevant Customer without undue delay as required by applicable law and provide reasonably available information to help the Customer assess and respond to the incident. Where QuickTM30 acts as Data Controller for affected personal data, we will assess the incident and make required notifications to regulators and/or data subjects where required by applicable law. Customers are responsible for their own breach-response obligations as Data Controller, including assessing risk, notifying regulators or data subjects where required, documenting the incident, and taking remedial steps.
15. Data retention
We retain personal data only as long as reasonably necessary for the purposes described in this Privacy Policy, the Terms, your plan, your instructions, our legal obligations, dispute resolution, security, fraud prevention, accounting, backup, and legitimate business needs. Retention depends on the data category and your settings or contract. The table below describes the general approach; actual retention may vary where required by law, contract, backup cycles, deletion requests, security needs, or technical constraints.
Data category: General retention approach Account and hotel profile data: While the account is active, then as needed for legal, accounting, support, dispute, and security purposes. Staff account and session data: While the staff account or hotel account is active, then as needed for security, audit, dispute, and legal purposes. Guest submissions and stay records: As configured by the Customer, plan, contract, or Service settings; otherwise as needed to provide history, exports, support, audit, and compliance features. Passport/MRZ images: As configured by the Customer or Service settings; otherwise for the period needed for OCR, preview, review, support, audit, and troubleshooting, subject to deletion rules. Exports and delivery logs: As needed to provide export history, downloads, delivery evidence, support, and audit functions. Payment orders, payment slips, and billing records: As needed for billing, tax, accounting, fraud prevention, disputes, and legal compliance. Support tickets and communications: As needed to provide support, maintain service history, improve reliability, and resolve disputes. Security, audit, and error logs: As needed for security, abuse prevention, troubleshooting, audit, legal compliance, and system reliability. Backups: Until overwritten or deleted according to backup cycles and disaster recovery practices.
16. Deletion, export, and account closure
Customers may request export, correction, deletion, or account closure by contacting support@quicktm30.com, subject to account verification, legal requirements, security needs, backup cycles, payment obligations, and our ability to verify authority. Deletion from active systems may not immediately remove data from backups, audit logs, security logs, payment records, or legal/accounting records. We may retain limited information where necessary for legal compliance, dispute resolution, fraud prevention, security, enforcement, or legitimate business records. Customers should export and retain any official reports, receipts, payment records, or business records they need before requesting deletion or closing an account.
17. Data subject rights
Subject to applicable law and verification of identity/authority, data subjects may have rights to access personal data, receive a copy, correct inaccurate data, request deletion or anonymization, object to certain processing, restrict certain processing, request portability, withdraw consent where processing is based on consent, and lodge a complaint with the relevant authority. Because the Customer normally controls Guest Data, guests should normally contact the hotel or accommodation provider first. If a guest contacts QuickTM30 directly about Guest Data, we may refer the request to the relevant Customer or assist the Customer as appropriate. We may not be able to respond to Guest Data requests without the Customer’s instructions or verification of authority. Staff users and account contacts may contact support@quicktm30.com to request access, correction, deletion, or other rights regarding their own account-related personal data, subject to applicable limitations.
18. Accuracy and correction
OCR and MRZ extraction may produce inaccurate data. Customers and staff must review and correct guest records before final save, export, upload, or government submission. If you believe account, staff, billing, or support data held by QuickTM30 is inaccurate, contact us or update it through the Service where available.
19. Camera, photos, storage, and device permissions
The mobile app may request camera access to capture passport MRZ images, and it may use device or network permissions needed for authentication, secure upload of camera-captured MRZ crops, protected media previews, device binding, session management, and abuse prevention. The scanner app does not request photo library or storage access and does not upload payment slips. Payment-slip workflows are handled through the QuickTM30 web/admin account where available. You can control camera permission in your device settings, but some features may not work if permissions are disabled. The app may generate or store a device identifier used for account security, device binding, session management, and abuse prevention.
20. Cookies, analytics, and similar technologies
Our website or web-based features may use cookies, local storage, analytics tools, or similar technologies to operate the website, remember preferences, measure performance, prevent abuse, and improve the Service. Browser settings may allow you to block or delete cookies, but some features may not work properly. If we introduce non-essential advertising cookies or similar marketing technologies that require consent, we will request consent where required by law.
21. Marketing and operational communications
We may send operational communications about your account, security, billing, support tickets, payment status, plan changes, service changes, and legal notices. These are part of the Service and may not always be optional. We may send marketing communications where permitted by law or with consent where required. You may opt out of marketing emails, but you will continue to receive operational notices.
22. Children
QuickTM30 is intended for business use by accommodation providers and their staff. It is not directed to children. Staff users should be adults or otherwise legally authorized by the Customer. Guest Data may incidentally include children where the Customer lawfully processes family or guest records; the Customer is responsible for ensuring appropriate lawful basis, notices, and protections for such data.
23. Automated processing and profiling
The Service may use automated OCR, MRZ parsing, duplicate checks, status calculations, quota counters, and fraud/security checks. These features support operational workflows and do not replace human review. QuickTM30 does not make official immigration decisions, legal determinations, or government acceptance decisions.
24. Aggregated and de-identified data
We may create aggregated, anonymized, or de-identified data that does not identify an individual, hotel, staff member, or guest. We may use and share such data for analytics, service improvement, security, benchmarking, reliability, and business purposes.
25. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. We will update the effective date and may provide notice in the app, by email, on the website, or through another reasonable method for material changes. Continued use of the Service after the effective date means the updated policy applies to future processing, subject to applicable law.
26. Contact us
For privacy questions, support requests, data subject requests, or security concerns, contact support@quicktm30.com. You may also contact us at the registered address listed above. Customers should include their hotel/account name and enough information for us to verify authority before we disclose, export, correct, or delete account data.