Your Relocation Project

No visa selected.

Record of Processing Activities

GDPR & PDPA Compliance โ€” Siam Visa Pro

This document constitutes the Record of Processing Activities (RoPA) of the Siam Visa Pro platform, in accordance with Article 30 of the GDPR (European General Data Protection Regulation) and the requirements of the PDPA (Thailand Personal Data Protection Act).

๐Ÿข Identity of the Data Controller

OrganizationCIM Visas (Branche Technologique) / Siam Visa Pro
Contact Addressinfo@siamvisapro.com
Data Protection Officer (DPO)Legal Officer (info@siamvisapro.com)
Global PurposeAdministrative assistance, compliance auditing of Thai visa applications (DTV, LTR, SMART, Elite, etc.), and matchmaking with immigration experts.

๐Ÿ“‹ Processing Activities Register

Activity #1

Eligibility Qualification and Pre-Audit (AI & OCR)

Automated analysis of the financial and administrative viability of a visa application file via our proprietary algorithm and AI document analysis.

Legal BasisExplicit and specific user consent (Art. 6.1.a and Art. 9.2.a of the GDPR for automated processing of identity documents / Sec. 26 of the PDPA) collected prior to upload, combined with the execution of pre-contractual measures.
Data SubjectsProspects and clients applying for a visa.
Categories of Collected Data
Socio-professional dataAge, nationality, occupation, description of the DTV project (Soft Power, Digital Nomad).
Financial dataSavings amount (liquid assets), monthly income.
Contact dataE-mail, phone number.
Highly confidential data processedBank statements and proof of income (subject to secure OCR processing).
Data Recipients
  • Siam Visa Pro administrators and audit agents.
  • Gemini Enterprise Protocol API (isolated instance, no global training on user data).
Retention Period
  • Raw financial proofs: Automatically deleted from active memory after data extraction (OCR) and validation (ephemeral lifetime of 24 hours).
  • Qualified lead profile: Kept for 3 years from the last contact with the user, unless early deletion is requested.
Activity #2

Document Space Management (File Assembly)

Secure upload and storage of supporting documents required for the official consular visa submission.

Legal BasisExplicit user consent (collected via a dedicated checkbox for processing identity data and passport photograph) and performance of the service contract.
Data SubjectsClients who have activated the senior audit phase or paid for an assistance package.
Categories of Collected Data
Identity dataFull name, passport number, expiration date, complete passport scan (including the photograph).
Status dataProof of address, activity or enrollment certificates, company registration certificates.
Data Recipients
  • Certified "Senior Audit" experts only (role-based access control in the Admin Panel).
  • Google Cloud Platform cloud hosting (GCP Region Europe-West / Belgium).
Retention Period
  • Official documents (passport scans, proof of address) are purged at the latest 6 months after the finalization of the visa application or in case of prolonged account inactivity of 12 months.
Activity #3

Customer Support Management (Chat, Calls & Scheduling)

Real-time support exchanges via instant messaging, scheduling phone or video audit appointments, and transcripts of exchanges for the continuous improvement of the visa application file.

Legal BasisLegitimate interest of the organization (ensuring high-quality support) and performance of the contract.
Data SubjectsUsers browsing the site and interacting with the virtual assistant Supansa or a physical agent.
Categories of Collected Data
Identification dataName, email, preferred contact method.
Communication dataChat message history, files attached in the chat, voice recordings, audit call transcripts.
Technical metadataIP address, device type (computer/phone), operating system, approximate geographic data via IP address resolution only (strict exclusion of any GPS geolocation to respect the principle of minimization).
Data Recipients
  • Customer support team and audit agents.
  • Third-party technical solution providers (VoIP/Chat routing solutions) and Firestore database (GCP Belgium).
Retention Period
  • Chat history and text transcripts: Retained for 1 year for evidence purposes and tracking of the consular visa file, then anonymized or deleted. Raw call audio files are destroyed immediately after transcription validation.
Activity #4

Billing and Payment

Collection of compliance audit fees and visa preparation packages.

Legal BasisPerformance of a contract and legal obligation (tax accounting).
Data SubjectsClients purchasing a service on the Siam Visa Pro platform.
Categories of Collected Data
Payment dataPayment status, amount paid, unique transaction identifier. Note: No raw credit card numbers are stored on our servers. Everything is handled securely by Stripe.
Billing dataFull name, billing address, email.
Data Recipients
  • Internal finance/accounting department of CIM Visas.
  • Stripe secure payment gateway (PCI-DSS certified).
Retention Period
  • 10 years from the closing of the financial year (legal retention period for accounting records).

๐Ÿ”’ Security & International Transfers

To ensure the integrity and confidentiality of the data listed in this register, the following technical, organizational, and legal measures are implemented:

Regulation of Cross-Border Flows

  • The primary storage and processing servers are located within the European Union (GCP Belgium).
  • Data flows required for operations between Thailand (operational headquarters / immigration authorities) and the European Union are strictly regulated by EU Standard Contractual Clauses (SCCs) and comply with the cross-border transfer adequacy mechanisms of the Thai PDPA, ensuring a mirrored level of protection.

Data Encryption

  • In transit: Mandatory TLS 1.3 protocol site-wide with HSTS policy.
  • At rest: Firestore database encrypted by default via Google Cloud Key Management System (KMS).

Network Protection & Proxy

  • Cloudflare encrypted tunnel to hide the application server's origin IP address.
  • Cloudflare WAF (Web Application Firewall) active against injections, scans, and DDoS attacks.

AI Data Protection

  • Gemini Enterprise Protocol AI instance isolated from public servers.
  • No training: Contractual prohibition on using Siam Visa Pro data to train global AI models.
  • Ephemeral sessions: Automatic audit context purge after 24 hours of inactivity.

Strict Access Control (RBAC)

  • Restricted access based on role (client, agent, admin). Passports and bank statements are only accessible to 'Senior Audit' or 'Admin' accounts.

โš–๏ธ Rights of Data Subjects

Each Siam Visa Pro user benefits from the following rights, which they can exercise by contacting info@siamvisapro.com:

Right of access and rectification

Direct consultation of their profile in their personal account space and real-time correction.

Right to erasure ("Right to be forgotten")

Complete deletion of supporting documents and the user account (excluding Stripe billing and regulatory financial transaction recording obligations).

Right to restriction of processing

Possibility to temporarily freeze data processing during a dispute or application file audit.

Right to object and withdraw consent

Possibility to refuse or withdraw consent for automated AI processing of documents. The analysis is then fully transferred to a human agent within 48h.

Read our Global Security Policy