Privacy Policy
Last updated: May 1, 2026
1. Introduction
Halathai ("we", "us", "our") is operated by Vixalab LLC. This Privacy Policy explains what personal information we collect when you use our website (halathai.com), our mobile app, or related services (together, the "Platform"), how we use it, who we share it with, and the choices you have. It applies whether you sign in with email, Google, Apple, or Meta (Facebook).
2. Information We Collect
Information you provide:
- Account information: name, email address, phone number, password, profile picture, language preference
- Profile content: bio, interests, saved listings, lists, and posts you create
- Bookings & inquiries: traveller details, dates, pickup address, special requirements, and messages with operators or our support team
- Payments: we do not store your full card number. Stripe processes payments and returns a token plus the last 4 digits and card brand for receipts
- Reviews & user content: ratings, photos, comments, and reports you submit
Information collected automatically:
- Usage data: pages and screens viewed, features used, search terms, time spent
- Device data: IP address, browser, OS, device type and identifiers, app version, crash logs
- Approximate location: derived from IP. Precise location is only used if you grant the permission in the mobile app (e.g. to show nearby listings)
- Cookies, SDKs and similar technologies: described in section 7
Information from third parties:
- Meta (Facebook) Login: when you choose "Continue with Facebook", Meta sends us your name, email address, and profile picture. We do not request your friends list, posts, or any other Meta data
- Google & Apple Sign-In: we receive your name, email address, and a stable user identifier
3. How We Use Your Information
We use your information to:
- Create and secure your account
- Provide and personalise the Platform
- Process bookings, payments, refunds and operator communication
- Send transactional emails, push notifications, and receipts
- Respond to support requests
- Detect and prevent fraud, abuse and policy violations
- Measure marketing and improve the product (analytics & advertising — only with your consent where required)
- Comply with legal, tax and accounting obligations
4. Legal Bases for Processing (GDPR)
If you are in the European Economic Area, the United Kingdom or another jurisdiction with similar rules, we rely on the following legal bases:
- Performance of a contract: creating your account, processing bookings and payments, providing customer support
- Legitimate interests: securing the Platform, preventing fraud, basic analytics, improving features
- Consent: marketing emails, advertising cookies and SDKs (including Meta Pixel and Meta App Events), precise location, and access to camera or photo library
- Legal obligation: tax records, fraud reports, responding to lawful requests
You can withdraw consent at any time without affecting processing done before withdrawal.
5. Information Sharing
We share information only as described below:
- Public profile: your username, profile picture, public reviews and posts are visible to other users
- Operators & partners: when you make a booking or inquiry, we share the details needed to fulfil it (e.g. traveller name, contact, pickup, special requests) with the relevant tour operator, hotel, or service provider
- Service providers (processors): see section 8
- Legal requirements: when required by law, regulation, court order, or to protect our or others' rights, property and safety
- Business transfers: if Vixalab LLC is involved in a merger, acquisition, or asset sale, your information may be transferred — we will notify you
We do not sell your personal information. We do not share information with data brokers.
California residents: we do not sell or share your personal information as defined under the CCPA/CPRA. You still have the right to know, delete, correct, and limit use of your information — see Section 6.
6. Your Rights
Subject to local law, you have the right to access, correct, delete, restrict or object to processing of your personal information, to receive a portable copy, and to withdraw consent.
- Delete your account: open the app or website, go to Profile → Delete Account, or follow the public instructions at halathai.com/data-deletion
- Access or export your data: email [email protected]
- Marketing opt-out: use the "unsubscribe" link in any marketing email, or turn off notifications in account settings. Transactional messages (booking confirmations, receipts) cannot be turned off while your account is active
- Disconnect Meta Login: visit Facebook Settings → Apps and Websites and remove "Halathai"
EU/UK residents may also lodge a complaint with their local data protection authority. California residents have specific rights under the CCPA/CPRA.
7. Cookies, SDKs & Tracking
We and our partners use cookies, mobile SDKs, and similar technologies for essential functionality, analytics and advertising. You can manage non-essential tracking through our cookie banner, browser settings, or your device's tracking controls (iOS App Tracking Transparency / Android advertising ID).
- Essential: session, authentication, security — always on
- Functional: language, currency, recently viewed
- Analytics: Google Analytics, PostHog, Sentry (crash reporting), Firebase Analytics
- Advertising: Meta Pixel (web) and Meta App Events (mobile) — only loaded with your consent and used to measure campaign performance and show relevant ads
8. Third-Party Services
We use the following processors and third parties. Each operates under its own privacy policy:
- Supabase: authentication, database and storage hosting
- Stripe: payment processing
- Meta Platforms, Inc. (Facebook, Instagram): Meta Login, Meta Pixel, Meta App Events for advertising attribution and measurement
- Google: Google Sign-In, Google Maps, Google Places, Google Analytics
- Apple: Sign in with Apple, App Store services, push notifications
- Firebase (Google): analytics, crash reporting, cloud messaging
- Expo: mobile push delivery and over-the-air updates
- Bunny CDN: image and asset delivery
- PostHog: product analytics
- Sentry: error and crash reporting
Meta (Facebook) integration
We integrate with Meta in three ways: (a) Meta Login lets you sign in with your Facebook account; (b) Meta Pixel runs on our website to measure ads and reach you with relevant messaging; (c) Meta App Events runs in our mobile app for the same purpose. You can review and disconnect Halathai from Meta at any time via Facebook Settings → Apps and Websites. Meta's data policy is available at facebook.com/privacy/policy.
9. Data Security
We use industry-standard safeguards including TLS encryption in transit, encryption at rest, role-based access controls, row-level security in our database, regular dependency updates, and audit logging. No system is 100% secure — if you believe your account has been compromised, contact us immediately.
10. Data Retention
We keep your information only as long as we need it:
- Account profile: until you delete your account, then removed within 30 days from active systems
- Bookings, invoices and payment records: kept in anonymised form (no name, email or phone) for up to 7 years to meet tax and accounting obligations
- Support emails and chat logs: 24 months
- Server and security logs: 90 days
- Encrypted backups: overwritten on a rolling window of up to 6 months
- Marketing analytics events: up to 26 months
11. International Transfers
We are a US company (Vixalab LLC, Wyoming) with operations in Thailand. Your data may be processed in the United States, Thailand, the European Union (Supabase regions), and any country where our processors operate. For transfers out of the EEA, UK or Switzerland we rely on Standard Contractual Clauses (SCCs) and additional safeguards where appropriate.
12. Automated Decision-Making
We do not use automated decision-making or profiling that produces legal or similarly significant effects on you. Search ranking, recommendations and fraud signals are advisory only and are not used to make binding decisions about pricing, eligibility or refunds without human review.
13. Children's Privacy
The Platform is not directed to children. We do not knowingly collect data from anyone under 13 in the United States, or under 16 in the European Economic Area, the United Kingdom and other jurisdictions where 16 is the digital-consent age. If you believe a child has provided us with personal information, please contact [email protected] and we will delete it.
14. Changes to this Policy
We may update this Privacy Policy from time to time. Material changes will be announced via email or an in-app notice. The "Last updated" date at the top reflects the latest revision. Continued use of the Platform after a change means you accept the updated policy.
15. Contact Us
For privacy questions, data requests, or to reach our data protection contact:
- Privacy email: [email protected]
- General support: [email protected]
- Data deletion instructions: halathai.com/data-deletion
- Company: Vixalab LLC
- Address: 33 N Gould St, Sheridan, WY 82801, United States