Legal
Privacy Policy
Version 2.0 Valid from: 13 June 2026 Scope: venom-mt.com (including subdomains) and all related booking and lead-capture processes
1. Controller
The controller within the meaning of PDPA and GDPR is:
Phangan Muay Thai Co., Ltd. 116/2 Moo 1, Koh Phangan Surat Thani 84280 Thailand
Operating under the brand Venom Muay Thai Gym Managing Director: Rene Ruppert Company ID: 0013164210
Contact for data protection enquiries: privacy@phangan-mt.com General enquiries: hello@venom-mt.com
Hereinafter "the Company" or "we".
2. Representation in the EU
No EU representative within the meaning of Article 27 GDPR is currently appointed. Data protection enquiries from the European Union should be directed to the Company at privacy@phangan-mt.com. We will process all enquiries within the statutory time limits.
3. Data we process and on what legal basis
3.1 Bookings (all offered camp and training products as well as Fight Night Tickets)
Data: Name, e-mail address, booking reference, arrival and departure dates, selected tier or product, accommodation preference, country/timezone, language.
Purpose: Performance of the contract between you and the Company, sending of transactional e-mails (booking confirmation, welcome pack, reminders), camp preparation.
Legal basis: Article 6(1)(b) GDPR (performance of contract); PDPA Section 24 (contract).
3.2 Self-Assessment (where provided for the booked product — currently Road to the Ring)
Data: Information on training experience, sparring experience, self-assessment of one's own fitness level (e.g. how long you can jog without a break, how often you train per week).
Purpose: Assessment of athletic suitability for the selected tier by the Head Coach; preparation of the training plan.
Legal basis: Article 6(1)(b) GDPR (performance of contract); PDPA Section 24 (contract).
Note: No health data or information on pre-existing medical conditions is collected. Should pre-existing conditions, injuries, or other health-related restrictions be relevant, the guest is to disclose these directly to the coaching team on-site (see Terms §3 and §6); no digital recording of such information takes place in our systems.
3.3 Payment data
Data: Collected directly within the checkout window of the payment service provider Stripe (credit card number, bank account details, billing address, depending on the chosen payment method). The Company does not receive the full payment data, but only a payment reference, the amount paid, and the status.
Purpose: Processing of payment.
Legal basis: Article 6(1)(b) GDPR; PDPA Section 24.
Processors: Stripe Payments Europe, Limited (Ireland) for EU customers; Stripe Payments (Thailand) Limited for local processing.
3.4 Identification data and check-in reporting
Data: Name, date of birth, nationality, passport or national ID number, check-in date.
Purpose: Compliance with Thai reporting obligations. Accommodation guests must, pursuant to Section 38 of the Immigration Act B.E. 2522, be reported to the competent Immigration Police within 24 hours of check-in (TM30 notification). In addition: identification for competition registration with the Sports Authority of Thailand for guests participating in competitions.
Legal basis: Article 6(1)(c) GDPR (legal obligation); PDPA Section 24 (legal obligation).
Recipients: Immigration Bureau Thailand (all accommodation guests); Sports Authority of Thailand and Board of Boxing Sport (competitors).
Storage by the Company: The data is kept exclusively in paper form for the duration of the stay and destroyed by shredding after the guest's departure. No storage in our IT systems takes place.
3.5 E-mail communication
Data: E-mail address, message content.
Purpose: Response to enquiries, sending of transactional messages (booking confirmation, welcome pack, reminder, post-camp review request), correspondence before and during the stay.
Legal basis: Article 6(1)(b) GDPR (pre-contractual and contractual performance); for non-transactional correspondence, Article 6(1)(f) GDPR (legitimate interest in guest communication); PDPA Section 24.
3.6 Image and video recordings
Data: Images and videos of guests from training, daily camp life, and competitions.
Purpose: Marketing use on the website, in social media, and in promotional material.
Legal basis: Article 6(1)(f) GDPR (legitimate interest in the camp's external representation) and consent pursuant to the applicable Terms and Conditions; PDPA Sections 24/19.
Deletion on objection: You may object to the use of your identifiable recordings at any time by e-mail to privacy@phangan-mt.com. Upon receipt of the objection, we will remove the affected recordings from all channels under our control (our own website, our own social media accounts, our own promotional material), to the extent that this is possible with reasonable effort and technically feasible. A complete removal of content already distributed on the internet (third-party sites, archived copies, shared posts, search-engine caches, etc.) is factually not possible in its entirety; we have no influence over this.
3.7 Server logs
Data: IP address, date/time of request, requested URL, referrer URL, user agent, HTTP status code.
Purpose: Ensuring the technical operation of the website, error diagnosis, protection against attacks.
Legal basis: Article 6(1)(f) GDPR (legitimate interest in IT security); PDPA Section 24.
Retention period: 14 days rolling, automatic deletion thereafter.
3.8 Web statistics (Umami)
For the evaluation of general website usage, we use Umami, an open-source statistics software which we operate on our own server.
Umami works without cookies and without personally identifiable identifiers. Only aggregated and anonymised data is collected: pages accessed, country of origin (at country level), device and browser type, time on page, referrer (where visitors come from).
IP addresses are not stored. Assignment to individual persons does not take place.
Legal basis: Article 6(1)(f) GDPR (legitimate interest in reach measurement and website optimisation); PDPA Section 24.
3.9 Consequences of non-provision of data
The provision of data required for the booking (§3.1: name, e-mail, booking details) is mandatory for concluding the contract and performing the booked product. Without this data, no booking can be made.
The provision of identification data at check-in (§3.4) is required by law; without it, the stay cannot commence.
The provision of further data categories — in particular image and video recordings (§3.6) — is voluntary and based on consent or legitimate interest; non-provision or objection has no contractual consequences.
4. Cookies and similar technologies
We use exclusively technically necessary cookies and similar storage mechanisms which are required for the operation of the website:
- Language preference (DE/EN)
- Session cookie for the booking flow
- Stripe checkout cookie (set by Stripe during payment processing)
No marketing, tracking, or analysis cookies are used. A cookie banner is therefore not required.
Legal basis: Article 6(1)(f) GDPR (legitimate interest in the operation of the website); §25(2) No. 2 TTDSG (technically necessary); PDPA Section 24.
5. Recipients of the data
We pass on your data to the following recipients to the extent necessary for the performance of the contract or on the basis of a legal obligation:
- Stripe (payment processing) — Stripe Payments Europe, Limited (Ireland) / Stripe Payments (Thailand) Limited
- Hostinger (hosting and e-mail dispatch) — Hostinger International Ltd., Lithuania
- Sports Authority of Thailand / Board of Boxing Sport (competition registration, where relevant)
- Trainers and camp staff (internal, to the extent required for training and competition support)
- Authorities (upon legal request, e.g. tax or reporting obligations)
No further transfer to third parties takes place.
6. International data transfer
As the Company is established in Thailand, personal data of EU citizens is generally transferred to a third country within the meaning of the GDPR (Thailand). The transfer takes place on the basis of Article 49(1)(b) GDPR (performance of the contract with you).
Hostinger is established in Lithuania (EU). Stripe processes personal data within the EU as well as in the USA; Stripe bases its third-country transfers on the European Commission's Standard Contractual Clauses.
7. Retention period
| Data category | Retention period |
|---|---|
| Booking data | 10 years (Thai tax retention obligation) |
| Self-Assessment data | Up to 12 months after end of camp, then deletion |
| Payment data (at our side) | 10 years |
| Identification data (check-in reporting) | Paper form for the duration of the stay, then destruction by shredding |
| E-mail correspondence | 5 years after last contact |
| Image/video recordings | Maximum 15 years after the recording; earlier deletion upon objection, to the extent within our control and technically feasible (see §3.6) |
| Server logs | 14 days |
Where statutory retention obligations apply, the data will be stored until expiry of the retention period and is blocked from further processing during this time.
8. Your rights
Both under PDPA (Sections 30–37) and under GDPR (Articles 15–22), you have the following rights:
- Access: Information on which data we process about you
- Rectification: Correction of inaccurate data
- Erasure: Removal of your data, provided no retention obligation applies
- Restriction: Restriction of processing
- Data portability: Receipt of your data in a structured, machine-readable format
- Objection: Objection to processing based on legitimate interest
- Withdrawal of consent: With effect for the future, where processing is based on consent
- Complaint: You may lodge a complaint with a supervisory authority (PDPC in Thailand; in the EU with the data protection authority of your habitual residence)
Requests to exercise your rights should be sent to: privacy@phangan-mt.com
We will process requests within the statutory time limits (PDPA: 30 days; GDPR: 1 month, extendable up to 3 months in complex cases).
9. Supervisory authorities
Thailand: Personal Data Protection Committee (PDPC) Ministry of Digital Economy and Society www.pdpc.or.th
EU/EEA: The competent authority is the data protection authority of the EU member state of your habitual residence.
10. Changes to this privacy policy
We reserve the right to amend this privacy policy if the underlying data processing changes. The current version is available at any time at venom-mt.com/en/privacy. In the event of substantial changes, we will inform active users by e-mail.
11. Applicable law and language version
This privacy policy is governed by Thai data protection law (PDPA) and — to the extent that data processing of EU citizens is concerned — by the GDPR.
This privacy policy is provided in German and English. In the event of any discrepancy between the language versions, the English version prevails.
End of Privacy Policy — Version 2.0 — As of: 13 June 2026