Privacy

Geist Realty Co., Ltd. ("Geist Realty", "we", "us", "our") is a residential real estate brokerage based in Bangkok, Thailand. We act as the data controller for the personal data described in this policy.

For all privacy matters — questions, requests, complaints — write to our Data Protection Officer at dpo@geist.realty. For general enquiries, hello@geist.realty.

"You" means any visitor, prospective client, buyer, tenant, landlord, vendor, or other natural person whose personal data we hold.

This policy applies to all personal data collected through:

• Our websites geist.realty and links.geist.realty
• Our advertising on Meta platforms (Facebook, Instagram), including Meta Lead Ads instant forms and click-to-message campaigns
• The advisory enquiry form on links.geist.realty (submissions are processed by a Cloudflare Pages Function and emailed to hello@geist.realty)
• Our messaging channels — LINE, WhatsApp, Messenger, SMS, email, voice
• In-person meetings, viewings, signings, and physical correspondence
• Referrals from our network of agents, landlords, developers, and clients

We process personal data on the following lawful bases, depending on the jurisdiction:

• Consent — when you submit an enquiry form, opt into marketing, or accept cookies (PDPA §19; GDPR Art. 6(1)(a)).
• Contract performance — when we are introducing, viewing, negotiating, or closing a property on your behalf (PDPA §24(3); GDPR Art. 6(1)(b)).
• Legal obligation — anti-money-laundering checks, tax records, regulatory reporting (PDPA §24(6); GDPR Art. 6(1)(c)).
• Legitimate interest — site security, fraud prevention, internal analytics, and responding to unsolicited contact, balanced against your rights (PDPA §24(5); GDPR Art. 6(1)(f)).

We deliberately keep collection minimal. The categories below are the maximum scope; in most interactions we collect far less.

Identity

Name, preferred form of address, nationality (where required for visa-linked property eligibility).

Contact

Email, mobile, WhatsApp / LINE / WeChat IDs. We never request more channels than you offer.

Preferences

Budget, intent (buy / rent / list), preferred districts, bedrooms, move-in window, pet status, lifestyle notes you choose to share.

Transactional

For active clients only: ID document (for AMLO compliance), proof of funds (if requested), tenancy or sale agreements, deposit receipts.

Communications

The content of messages you send us across any channel, plus our replies, so we can continue the conversation properly.

Landlord submissions

Property address, photos, floor plans, ownership documents, rental history — submitted only by landlords listing with us.

Technical

IP address, user-agent, referrer, timestamps, and pages viewed — for security, fraud prevention, and aggregate analytics. If you open the advisory form, a managed challenge may issue a short-lived token confirming you are human; the token contains no profile data.

Marketing source

Which ad, channel, or referrer brought you to us — so we can measure what works without tracking you personally across the web.

We do not knowingly collect: financial account numbers, passwords, health data, biometric data, political opinions, religious beliefs, sexual orientation, or genetic data. If any such data reaches us by accident, we delete it on detection.

From you, directly: when you fill the advisory form on links.geist.realty, send a message through WhatsApp / LINE / email, leave a voicemail, hand us a business card, sign a viewing form, or submit a landlord listing.

From Meta: when you submit a Facebook or Instagram lead form or click-to-message ad, Meta forwards the fields you confirmed (typically name, email, phone) to us via the official Meta Lead Ads API or Messenger handover.

From introducers: when an existing client, agent partner, landlord, or developer refers you to us — we ask the introducer to obtain your permission first, and we will tell you who referred you on first contact.

From your device: when you visit our sites, basic technical data is logged (see § 16).

We do not buy lead lists. We do not scrape public databases for contact details. We do not use shadow profiles or third-party data brokers to enrich what you tell us.

This section is the disclosure Meta requires us to make for every Lead Ads instant form. It applies whenever you submit your details through one of our Facebook or Instagram ads.

• Who receives your data. Meta Platforms, Inc. (and its affiliates) collect the lead form fields you confirm and transmit them to Geist Realty Co., Ltd. via the official Meta Lead Ads API. Geist Realty is the controller of that data from the moment we receive it.
• What we collect from the form. The fields visible to you on the form — typically full name, email, phone, plus any custom questions on that specific ad (e.g. budget range, preferred district, buy or rent). Nothing else from your Facebook profile is sent to us.
• How we use it. Solely to respond to your enquiry, match you with relevant properties, schedule viewings, and, with your separate consent, send occasional curated updates. We do not use it to retarget you on other platforms.
• How long Meta keeps it. Meta retains lead form submissions for up to 90 days in the Ads Manager, then deletes them. We download leads promptly and Meta's retention is not extended by us.
• How long we keep it. See § 13.
• Meta's role. Meta processes the form as a separate controller for the purpose of operating the Lead Ads product. Meta's own handling of your data is governed by its privacy policy, not ours.
• Your right to withdraw. Submitting a lead form does not commit you to anything. You can ask us to delete your details at any time by writing to dpo@geist.realty; we honour the request within 7 working days.

If you would prefer not to use a lead form, you can contact us directly at hello@geist.realty or through any of the channels listed at links.geist.realty.

Strictly to do the work you have asked us to do:

• Reply to your enquiry and continue the conversation.
• Match you with properties that fit your brief.
• Arrange viewings, negotiate terms, prepare offers and counter-offers.
• Complete a transaction — contracts, deposits, key handover, post-move support.
• Comply with anti-money-laundering, tax, and other legal obligations.
• Send service messages about a transaction already in progress.
• Send occasional curated updates — only if you opt in, and only until you opt out.
• Defend ourselves in the event of a legal claim.
• Improve the site and our service in aggregate — never by profiling you individually.

We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects on you.

The only parties who receive personal data outside of Geist Realty are:

• The processors listed in § 08, who handle data on our instructions only and are contractually forbidden from using it for their own purposes.
• A specific counterparty in a transaction you are pursuing — e.g. the landlord of a unit you have asked to view — and only the minimum data needed for that step (typically just a first name and one contact channel).
• A regulator, court, or law-enforcement body, where we are compelled by valid Thai legal process. We will tell you about the request unless legally prohibited.
• An acquirer, in the event Geist Realty merges or is acquired — in which case the acquirer is bound to honour this policy or give you the chance to withdraw.

For the avoidance of doubt under CCPA / CPRA: in the 12 months preceding the date of this policy, we have not sold personal information and have not shared personal information for cross-context behavioural advertising, as those terms are defined under California law. If this ever changes we will update this section and offer a clear opt-out before any change takes effect.

For this site, the following providers receive or process personal data on our behalf. Each is bound by a data-processing agreement that limits their use to our instructions.

Cloudflare

Hosting, content delivery, and the managed challenge that protects the advisory form from automated abuse.

Resend

Email delivery — the route by which advisory-form submissions reach hello@geist.realty.

Meta Platforms

When you submit a lead form or click-to-message ad on Facebook or Instagram, Meta acts as a separate controller and transmits the form fields to us. See § 05 for the specific Meta disclosure.

Google Fonts

When the page loads, your browser fetches typefaces from Google's CDN. Your IP address and user-agent are visible to Google for the duration of that request; no contact data is sent.

Other channels you may use to reach us — LINE, WhatsApp, Messenger, Instagram, email — are independent communications platforms. They handle messages under their own terms; we receive only what you choose to send.

We review this list at least annually and update it here when it changes.

Several of the providers above are based outside Thailand, the EU/UK, or California. When personal data leaves your home jurisdiction we rely on one of the following safeguards, as applicable:

• Standard Contractual Clauses approved by the European Commission and adopted by the UK ICO.
• Adequacy decisions, where one exists for the destination country.
• Your explicit consent to a specific transfer, where no other safeguard applies (PDPA §28).
• Performance of a contract with you that necessarily requires the transfer (PDPA §28(3); GDPR Art. 49(1)(b)).

You can request a copy of the relevant transfer mechanism for your data by writing to the DPO.

We maintain technical and organisational measures appropriate to the risk of the data we hold:

• Encrypted in transit. All connections to our sites and APIs are encrypted by modern TLS.
• Encrypted at rest. Contact details stored on our systems are encrypted, with key management separated from the data itself.
• Bot defence. The advisory form sits behind a managed challenge so automated submissions don't reach our inbox.
• Least-privilege access. Only team members who need to see contact details can; access is logged and reviewed.
• Authentication. Multi-factor authentication on every team account; no shared passwords.
• Backups. Encrypted, retention-capped, and periodically tested for restore.
• Vendor diligence. Every processor in § 08 is reviewed before onboarding and re-reviewed annually.

No system is invulnerable. We do not promise perfection — we promise the level of care a serious brokerage should exercise, and we will be honest with you if something goes wrong.

Our breach playbook:

• Contain — isolate affected systems, rotate compromised credentials, preserve forensic evidence.
• Assess — what data, how many people, what risk of harm, what jurisdictions are implicated.
• Notify — the Personal Data Protection Committee (Thailand), the EU/UK supervisory authorities where required, the California Attorney General where required, and you personally where the breach poses a high risk to your rights and freedoms.
• Remediate — fix the underlying issue, document lessons learned, update controls.
• Report — publish a post-incident summary on this page when the matter is closed.

Nothing in this section limits any other rights or remedies available to you under applicable law. To the extent permitted by law, however, Geist Realty's liability for any unauthorised third-party access — including hacking, phishing, social engineering, malware, or other criminal acts directed at us or our providers — is limited to the proper performance of the obligations in this section. We do not accept liability for harm caused by a third-party criminal act where we have exercised reasonable care, save where applicable law disallows such limitation.

Geist Realty will not be liable for any failure or delay in performing its obligations under this policy where such failure or delay results from causes beyond its reasonable control. This includes: acts of God, natural disasters, fires, floods, earthquakes, pandemics, epidemics, war, terrorism, civil unrest, riots, sabotage, government action, embargoes, sanctions, blackouts, internet or telecommunications outages, large-scale cyber-attacks on infrastructure not controlled by us, and the failure or breach of an upstream service provider despite our reasonable diligence.

This clause does not relieve us of obligations that survive a force-majeure event — including our duty to notify you of a breach as soon as reasonably practicable, our duty to delete your data on request, and our duty to respond to lawful regulator inquiries. Nor does this clause displace any non-waivable rights you have under applicable law.

If a force-majeure event continues for more than 60 days and prevents us from meeting a material obligation to you, either party may terminate the engagement on written notice without further liability beyond what has already accrued.

We keep personal data only as long as needed for the purpose it was collected, plus the minimum statutory retention period.

Unconverted enquiries

12 months from last contact, then hard-deleted unless you have asked us to keep your brief active.

Active clients

For the duration of the engagement, then 7 years (Thai tax & civil-law records retention), then hard-deleted.

Landlord listings

For the duration of the listing, plus 3 years after the unit transacts or is withdrawn.

Marketing opt-ins

Until you opt out, plus 30 days for opt-out audit trail.

Site analytics

13 months in aggregated form; raw logs purged after 90 days.

Lead form submissions (Meta)

Pulled from Meta within 24 hours, then governed by the retention rules above. Meta deletes its copy after 90 days.

You may request earlier deletion at any time. We will honour it unless we have an overriding legal obligation to retain (in which case we will tell you which records we have to keep, why, and for how long).

Wherever you are, you may exercise the following rights with respect to the personal data we hold about you:

• Access — a copy of what we hold, in a readable form, free of charge once per year.
• Correction — fix anything that is wrong or out of date.
• Deletion — also called "right to be forgotten" — subject to overriding legal obligations.
• Restriction — pause our processing while a dispute is resolved.
• Objection — to processing based on legitimate interest or direct marketing.
• Portability — receive your data in a structured, machine-readable format.
• Withdraw consent — at any time, without affecting prior processing.
• Lodge a complaint — with the Personal Data Protection Committee (Thailand), an EU/UK supervisory authority, or the California Attorney General.
• California-specific. Rights under CCPA / CPRA including the right to know, delete, correct, opt out of sale or sharing (we do neither — see § 07), and limit use of sensitive personal information. We do not discriminate against you for exercising any right.

To exercise any of these, email dpo@geist.realty. We respond within 30 days (PDPA, GDPR) or 45 days (CCPA), whichever is shorter. We will verify your identity proportionate to the sensitivity of the request — usually by confirming a second contact channel — and we will never charge you for a reasonable request.

Our services are not directed at children under 18. We do not knowingly collect personal data from anyone under 18 (under 13 for CCPA purposes; under 16 for GDPR digital-services consent unless local law sets a lower age). If we become aware that we have collected data from a minor, we will delete it.

We use the minimum cookies and local storage we can:

• Theme preference. A single localStorage entry records your light/dark choice. No tracking; only your own browser reads it.
• Form draft. While the advisory form is open, your in-progress answers are kept in your browser so a reload doesn't erase them. Cleared on submission or when you clear browser storage.
• Challenge cookie. When you open the advisory form, the managed challenge may set a short-lived cookie to remember you've already passed it. Not advertising tracking.
• Meta pixel. Loaded only on the public marketing site, and only after explicit consent. You can decline and continue to use the site fully.

You can change your consent at any time by clearing your browser storage for our domains, or by writing to the DPO.

To the maximum extent permitted by applicable law — and subject to all rights that cannot lawfully be limited:

• Geist Realty's aggregate liability under or in connection with this policy is limited to the fees you have paid us in the twelve months preceding the event giving rise to the claim, or THB 100,000, whichever is the greater.
• We are not liable for indirect, incidental, special, consequential, exemplary, or punitive damages, including lost profits, lost opportunities, or reputational harm, even if advised of the possibility.
• We are not liable for the acts or omissions of independent third parties, including landlords, developers, banks, notaries, and government agencies, except to the extent caused by our negligence.
• Nothing in this section limits liability for fraud, wilful misconduct, gross negligence, or any liability that cannot lawfully be excluded — including, for residents of jurisdictions where such limitations are not permitted, liability for personal injury, death, or breach of statutory consumer rights.

This limitation reflects a fair allocation of risk between us. The standards of care we promise above (§ 10) and the regulator-grade response we owe you on a breach (§ 11) are the substantive protections; this clause caps monetary exposure where law allows.

We may update this policy from time to time — to reflect new services, new providers, new laws, or clearer language. The "Last updated" date at the top always reflects the current version, and we keep prior versions on request.

For material changes — anything that expands the categories of data we collect, the purposes we use it for, or the parties we share it with — we will notify you by email before the change takes effect, and where consent is required we will ask for it afresh.

This policy is governed by the laws of the Kingdom of Thailand. Disputes arising from or in connection with it are subject to the exclusive jurisdiction of the courts of Bangkok, save that nothing in this clause prevents you from bringing a complaint before a competent regulator or court in your country of residence where applicable law gives you that right.

Before commencing legal proceedings, both parties agree to attempt good-faith resolution in writing for a period of not less than 30 days from the date of the complaint.

For all privacy matters, the most direct route is our Data Protection Officer.

Email · dpo@geist.realty
General · hello@geist.realty
Links hub · links.geist.realty

If you are not satisfied with our response, you may contact the Personal Data Protection Committee (PDPC) of Thailand at pdpc.or.th, your EU / UK supervisory authority, or the California Attorney General.