Haven MD Clinic

Privacy notice

Last updated: May 2026

Haven MD Clinic is a private medical clinic in Hua Hin. This notice explains what personal data we collect, why we use it, who we share it with, how long we keep it, and the rights you have over it under Thailand's Personal Data Protection Act (PDPA), B.E. 2562/2019. We have written it in plain language. If anything is unclear, please ask us.

1. Who we are

Haven MD Clinic ("we", "us", "our") is a licensed private medical clinic at 45 Hua Hin 55/1 Alley, Hua Hin, Prachuap Khiri Khan 77110, Thailand. We are the data controller for the information described in this notice. Our privacy contact answers patient queries about data protection: havenmdclinic@gmail.com, +66 62 161 8944.

2. What this notice covers

This notice applies to information collected through our website, the contact form, phone bookings, LINE and WhatsApp messages, walk-in registration, and care delivered at the clinic. Where lab work or imaging is performed by a partner provider, that provider may also process your data as a separate controller; we name them in section 6.

3. What we collect

We collect three categories of personal data. Most of it comes from you directly when you book or attend an appointment.

Identity and contact

  • Full name, date of birth, nationality, sex assigned at birth, gender identity if you choose to share it
  • Passport or Thai ID number where required by law (for medical certificates, controlled prescriptions, or insurance invoices)
  • Phone, email, LINE ID, WhatsApp number, postal address
  • Emergency contact details if you choose to provide them

Health and care

  • Symptoms, medical history, medications and allergies
  • HIV and STI test results, sexual-health history, ART regimen, PrEP/PEP details
  • Vaccination history
  • Annual check-up findings (bloods, ECG, imaging, biomarkers)
  • Doctor's notes, lab requisitions, lab results, prescriptions
  • Photographs only where clinically required and with your separate written consent

Technical and website

  • IP address, device and browser, pages viewed (only after you accept analytics cookies)
  • Cookies set by our cookie banner; see section 9

4. How we use your data and our lawful basis

PDPA requires us to name a lawful basis for every purpose. For health-related processing we rely on Section 24(3) (performance of our contract with you, that is the treatment relationship) combined with Section 26(5)(a) (preventive medicine, medical diagnosis and treatment by a regulated medical professional bound by confidentiality). For purposes outside treatment we rely on your explicit consent under Section 26(1) or your interest in pre-contractual steps under Section 24(3).

Purpose | Lawful basis
Booking, registering, and treating you at the clinic | Section 24(3) and 26(5)(a)
Sending appointment reminders and follow-up by SMS, email, or LINE | Section 24(3)
Sending lab results through the channel you choose | Section 26(1) explicit consent at the time of testing
Issuing invoices and processing payments | Section 24(3) and legal accounting obligations
Responding to enquiries sent through the website form, LINE, or WhatsApp | Section 24(3) pre-contractual; Section 26(1) for any health detail you choose to share
Newsletters and patient updates | Section 26(1) explicit consent; you can withdraw at any time
Website analytics (Google Analytics or similar) | Consent through the cookie banner
Responding to lawful requests from regulators or courts | Legal obligation

5. HIV, STI, and sexual-health data: our extra confidentiality commitments

We hold ourselves to a higher standard for sexual-health data because the social and personal consequences of disclosure are real. Specifically: we do not disclose HIV status, STI results, PrEP or PEP use, or ED treatment to family members, employers, schools, immigration officers, or insurance companies without your separate, written consent. Within the clinic, access is restricted to staff who are directly involved in your care. Lab requisitions to external reference laboratories use the minimum identifying detail allowed by the lab. Test results are delivered only to you, through the channel you nominate. If you ask us to deliver results by LINE or WhatsApp, we will confirm that this is your wish each time before sending. You can ask us to record your sexual-health visits under a separate clinic ID at any time.

6. Who we share data with

We do not pre-load tracking, advertising, or analytics from third parties on this website. The categories below only receive data when you actively choose them (for example, when you message us on LINE or pay by card), when the law requires it, or as part of running the clinic securely. We share the minimum needed for each purpose:

  • Reference laboratories and imaging providers

    Performing tests we order on your behalf

  • Pharmacies

    Filling prescriptions where the clinic does not dispense directly

  • Payment processor (card and Thai bank transfer)

    Charging the agreed fees and issuing receipts

  • Cloud email and document provider

    Storing patient records securely with access controls

  • Secure messaging providers (LINE Corporation, Meta Platforms for WhatsApp)

    Delivering messages and results when you choose those channels

  • Accounting and tax advisors

    Statutory bookkeeping and tax filings

  • IT support contractors

    Maintaining our systems under written confidentiality agreements

  • Regulators and law enforcement

    Only on a lawful request that we have verified

7. International transfers

Some of the providers in section 6 process data outside Thailand. LINE Corporation processes in Japan. Meta (WhatsApp) processes in the United States and Ireland. Our email and document provider may process in Singapore, Japan, the United States, or the European Union depending on the service. Where Thai law requires it, we rely on the destination being on the PDPC whitelist or on standard contractual clauses with the provider, in line with Sections 28 and 29 PDPA. If neither applies, we obtain your explicit consent before any transfer outside Thailand.

8. How long we keep your data

We keep personal data only as long as we need it for the purposes above, then we delete or anonymise it. Specifically:

Adult medical records | At least 5 years from your last visit, in line with Thai medical-records practice; longer if there is an open clinical or legal matter
Medical records of minors | Until the patient reaches the age of majority + 5 years
Appointment enquiries (form, LINE, WhatsApp) that do not lead to a visit | 12 months, then deleted
Marketing or newsletter subscribers | Until you withdraw consent
Financial records (invoices, receipts) | 10 years, as required by Thai tax law
Cookies and analytics data | Per the cookie banner table; most expire within 12 months

9. How we keep your data safe

Patient records are stored in access-controlled systems with encryption in transit and at rest. Paper records are kept in locked storage. Access is granted on a need-to-know basis. All staff sign confidentiality agreements before they start, and we re-train annually. If we discover a personal-data breach that risks your rights, we will notify the Personal Data Protection Committee within 72 hours and contact you directly when the risk to you is high, as required by Section 37 PDPA.

10. Your rights

Under PDPA you have the following rights over your data. Most apply free of charge and we respond within 30 days. We may extend once by another 30 days for complex requests; we will tell you if we do.

  • Access: Ask us what we hold about you and get a copy (Section 30)
  • Portability: Receive your data in a structured, machine-readable format and have us send it to another controller where technically feasible (Section 31)
  • Object: Object to processing based on legitimate interest or for direct marketing (Section 32)
  • Erasure: Ask us to delete your data, subject to legal duties such as medical-records retention (Section 33)
  • Restriction: Ask us to pause processing while we resolve a dispute (Section 34)
  • Correction: Have inaccurate data corrected or incomplete data completed (Section 36)
  • Withdraw consent: Withdraw any consent you have given, at any time, without affecting processing that already happened (Section 19 paragraph 5)
  • Complain: File a complaint with the Personal Data Protection Committee (PDPC) at pdpc.or.th if you believe we have not handled your data correctly

To exercise any of these rights, email havenmdclinic@gmail.com or speak to reception. We may need to verify your identity before we act on a request.

11. Cookies and website analytics

This website does not set any cookies. We do not use third-party analytics, advertising pixels, session-replay tools, or any other tracking technology. Your language choice (English or Thai) is reflected in the URL (/en or /th) rather than stored in a cookie. Because there is nothing to consent to, you will not see a cookie banner.

12. Contact form, LINE, and WhatsApp messages

Please do not put sensitive medical details (HIV status, STI symptoms, sexual history, prescription requests) into the contact form or into the first message you send us on LINE or WhatsApp. We treat anything you do send us as confidential, but the safer route is to send a short message asking us to call you back, then discuss the detail by phone or in the clinic. Enquiry messages that do not lead to an appointment are kept for 12 months and then deleted.

13. Changes to this notice

We review this notice when our services, providers, or the law change. The version date is at the top of this page. Material changes will be highlighted on the website and, where appropriate, notified to active patients directly.

14. Contact us or make a complaint

Privacy contact at Haven MD Clinic: havenmdclinic@gmail.com or +66 62 161 8944. Postal: 45 Hua Hin 55/1 Alley, Hua Hin, Prachuap Khiri Khan 77110. Independent complaints: Personal Data Protection Committee (PDPC), Office of the PDPC, pdpc.or.th.
