Data Protection Policy

As of: March 2026

Responsible: STP Professional Co., Ltd.

1. Purpose of This Policy

This Data Protection Policy describes the technical and organisational measures that STP Professional Co., Ltd. (hereinafter "SwissThaiPro") has implemented to protect personal data and confidential documents within the scope of the LTR Visa Service.

This policy supplements our Privacy Policy and our Terms and Conditions and is addressed both to our clients and to our internal team.

2. Data Protection Principles

SwissThaiPro adheres to the following data protection principles:

  • Data minimisation: We collect and process only the data that is genuinely necessary for the provision of our service.
  • Purpose limitation: Personal data is processed exclusively for the purpose for which it was collected – the application for the LTR Visa.
  • Storage limitation: Data is stored only as long as necessary for the respective processing purpose or as required by statutory obligations.
  • Integrity and confidentiality: We employ appropriate technical and organisational measures to ensure the security of data.

3. Technical Security Measures

3.1 Encryption

Data transmission:

All data transmitted between your browser and our website or document portal is encrypted using TLS 1.3 (Transport Layer Security). This applies to:

  • All website page views
  • The contact form
  • The registration and payment form
  • The document upload portal
  • All communication within the protected client area

Data storage:

Security-relevant data such as the TOTP secrets used for two-factor authentication are stored encrypted with AES-256-GCM (AES in Galois/Counter Mode with a 256-bit key, an authenticated encryption mode that also detects any modification of the stored ciphertext). Passwords are never stored in plain text; only a bcrypt hash (salted and deliberately slow to compute) is kept, from which the password cannot be recovered.

Key management:

Encryption keys are stored separately from the encrypted data. Access to keys is restricted to authorised system administrators.
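The following is an added illustration, not SwissThaiPro's own code, of the at-rest scheme described in this section: a per-user TOTP secret sealed with AES-256-GCM using a key that lives outside the data store. It uses only the Go standard library. The environment variable name SWISSTHAIPRO_DEK, the user ID "user-42" and the sample secret are constructed for the example; bcrypt hashing is not shown because it is not in the Go standard library.

```go
// Added example (not SwissThaiPro's code): AES-256-GCM encryption of a TOTP
// secret with the key held separately from the encrypted record.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"os"
)

// loadKey reads a hex-encoded 256-bit data-encryption key from an environment
// variable (name assumed for this example). The key never sits in the same
// table or row as the ciphertext, and a missing or malformed key is an error,
// never a silent fallback to a built-in default.
func loadKey(env string) ([]byte, error) {
	raw := os.Getenv(env)
	if raw == "" {
		return nil, errors.New("encryption key not configured")
	}
	key, err := hex.DecodeString(raw)
	if err != nil || len(key) != 32 {
		return nil, errors.New("encryption key must be 32 bytes (64 hex characters)")
	}
	return key, nil
}

// sealSecret encrypts one user's TOTP secret. A fresh 12-byte nonce is drawn
// per record (GCM must never reuse a nonce under the same key) and the user ID
// is bound as additional authenticated data, so a ciphertext copied into
// another user's row will not decrypt. Stored layout: nonce || ciphertext || tag.
func sealSecret(key []byte, userID string, totpSecret []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, totpSecret, []byte(userID)), nil
}

// openSecret reverses sealSecret and fails on any change to the ciphertext,
// the authentication tag, or the user ID the record was bound to.
func openSecret(key []byte, userID string, record []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(record) < gcm.NonceSize() {
		return nil, errors.New("record too short")
	}
	nonce, ct := record[:gcm.NonceSize()], record[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(userID))
}

func main() {
	// Constructed demo key so the example runs offline; a deployment would
	// call loadKey("SWISSTHAIPRO_DEK") or fetch the key from a secrets manager.
	demoKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, demoKey); err != nil {
		panic(err)
	}
	secret := []byte("JBSWY3DPEHPK3PXP") // constructed base32 TOTP secret
	rec, err := sealSecret(demoKey, "user-42", secret)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored record (%d bytes): %x\n", len(rec), rec)

	got, err := openSecret(demoKey, "user-42", rec)
	fmt.Println("round trip:", string(got), err)

	// Same record read under another user's ID: AAD mismatch, decryption fails.
	_, err = openSecret(demoKey, "user-43", rec)
	fmt.Println("wrong user:", err)

	// One flipped bit in the stored record: tag check fails.
	rec[len(rec)-1] ^= 0x01
	_, err = openSecret(demoKey, "user-42", rec)
	fmt.Println("tampered:", err)
}
```

Binding the user ID as associated data is what makes "encrypted at rest" meaningful against an attacker who can read and edit the database but not the key: records cannot be swapped between accounts or silently altered, and without the separately held key the stored bytes reveal nothing about the TOTP secret.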

3.2 Document Storage

Storage location:

Client documents are stored on a self-hosted Nextcloud instance. Nextcloud is an open-source platform for secure file management. Documents are not stored with third-party providers such as Amazon, Google or Microsoft.

Security features:

  • Access exclusively via dedicated app passwords (HTTP Basic Auth, only over TLS) – no public share links are created
  • Regular security updates and patches
  • Regular backups of the database and documents

3.3 Access Controls

Client portal:

  • Individual login with email address and password
  • Password requirements: At least 8 characters
  • Optional two-factor authentication (TOTP) with authenticator app and 10 one-time backup codes
  • Session cookies carry the HttpOnly flag (not readable by scripts in the browser) and the Secure flag (sent over HTTPS only; enforced in production)

Internal access (SwissThaiPro team):

  • Access to client data only for authorised staff
  • Individual admin accounts with separate authentication
  • Two-factor authentication available for admin accounts

3.4 Network Security

  • HTTPS/TLS for all connections (no unencrypted access possible)
  • Nginx reverse proxy as an additional security layer
  • Regular security updates and patches for the operating system and all components

4. Organisational Measures

4.1 Confidentiality

All SwissThaiPro employees who have access to client data:

  • Receive data protection and data security training upon commencement of employment
  • Have signed a confidentiality agreement (NDA)

4.2 Need-to-Know Principle

Access to client data is granted exclusively on a need-to-know basis. An employee only receives access to the data required for processing the respective client engagement.

4.3 Incident Response

In the event of a security incident, the following protocol applies:

  1. Immediate containment of the incident
  2. Assessment of the scope and affected data
  3. Notification of affected parties within 72 hours
  4. Notification of competent authorities (if required)
  5. Documentation and analysis of the incident
  6. Implementation of measures to prevent recurrence

Reporting obligation:

In the event of a personal data breach, affected clients will be notified by email without undue delay and no later than 72 hours after we become aware of the breach. The notification includes:

  • Nature of the incident
  • Affected data categories
  • Countermeasures taken
  • Recommendations for the client
  • Contact details for enquiries

5. Data Processing Partners

5.1 Data Processors

The following third-party providers process personal data on our behalf:

Provider                  | Purpose          | Data type                      | Location
Nextcloud (self-hosted)   | Document storage | Uploaded documents             | Own server
Matomo (self-hosted)      | Web analytics    | Anonymised usage data, cookies | Own server

5.2 Data Processing Agreements (DPA)

Written contracts are in place with all data processors, governing at minimum the following:

  • Subject matter and duration of processing
  • Nature and purpose of processing
  • Type of personal data
  • Obligations of the processor (confidentiality, security measures)
  • Deletion obligations upon contract termination

6. Retention and Deletion Policy

6.1 Retention Periods

Data type                   | Retention period
Registration data           | Contract duration + 5 years
Payment receipts            | 7 years (Thai tax law)
Uploaded documents          | 12 months after visa issuance
Official correspondence     | 5 years after completion
Web analytics data (Matomo) | 26 months

6.2 Early Deletion

Clients may request early deletion of their data at any time. Deletion will be carried out within 30 days, provided no statutory retention obligations apply. Upon deletion, you will receive written confirmation.

7. Special Protection of Sensitive Data

7.1 Categories of Sensitive Data

The following data receives additional protection:

  • Passport copies and identification documents
  • Financial documents (bank statements, tax documents)
  • Police clearance certificates
  • Health-related data (insurance policies)

7.2 Protective Measures

  • Access to client documents only by the assigned advisor
  • Encrypted storage on own Nextcloud instance
  • Clients can secure their portal access with two-factor authentication

8. Rights of Data Subjects

8.1 Right of Access

Clients may request a complete overview of all data stored about them at any time. The information is provided free of charge within 30 days.

8.2 Data Export

Clients can download their uploaded documents at any time via the document portal.

8.3 Deletion

See Section 6.2.

8.4 Contact for Data Protection Enquiries

Please direct all data protection enquiries to:
Email: info@swissthaipro.ch
Response time: Within 14 working days

9. Compliance

9.1 Applicable Data Protection Laws

SwissThaiPro is guided by the following data protection frameworks:

  • Thailand Personal Data Protection Act (PDPA)
  • EU General Data Protection Regulation (GDPR) – as applicable for EU/EEA clients
  • Swiss Data Protection Act (DSG) – as applicable for Swiss clients

9.2 Review

The technical and organisational security measures are regularly reviewed and adjusted as necessary.

10. Changes to This Policy

Material changes to this Data Protection Policy will be communicated to clients by email. The current version is always available on our website.

11. Contact

STP Professional Co., Ltd.
Data Protection Officer
Email: info@swissthaipro.ch
Phone: +66 95 058 0034

STP Professional Co., Ltd.
29/22 Soi 112, Nong Kae
Hua Hin, Prachuap Khiri Khan 77110
Thailand

Last updated: March 2026