Our data sovereignty approach: first-party analytics, separate booking and usage systems, and your choices.
FastTrack BKK ("we", "us") treats data sovereignty as a product choice: we decide what we collect, where it is stored, how long we keep it, and who can access it. We do not outsource website usage analytics to third-party session-replay vendors. Booking data and optional website analytics are handled as separate systems with different purposes and retention rules.
| Kind | Purpose | When collected |
|---|---|---|
| Booking data | Fulfil your fast-track service, issue vouchers, support, refunds | When you book or contact us |
| Website analytics | Understand how pages are used (optional session replay and usage events) | Only after you accept the analytics consent banner |
These streams are not stored in the same database. A booking record is not merged with analytics replay by default; where we link a completed booking to a browsing session, we use opaque identifiers supplied at checkout, not passport numbers in analytics storage.
When you make a booking, we process personal data needed to deliver the service, including:
Passport numbers are encrypted at rest (AES-256-GCM). Images are stored in encrypted blob storage and served via time-limited signed URLs. Passport-related uploads are automatically purged 30 days after the flight date. We share the minimum necessary details with our vetted airport partner operator to deliver the service. We do not sell or rent booking data.
Full legal detail: Privacy Policy.
If you accept analytics in our consent banner, we use first-party FastTrack Analytics — software we operate ourselves — to collect usage events and optional session replay on this website. If you decline, we do not enable analytics collection or session replay for your browser session.
Analytics may record page paths, clicks, and a masked replay of page structure. We configure replay masking for sensitive fields where applicable. Do not enter passport or payment details into free-text fields on marketing pages.
Our systems run on established cloud providers under our control (including hosting, databases, and encrypted object storage). Data may be processed in regions where those providers operate data centres. We choose subprocessors for reliability and security; a current list of categories is: web hosting and CDN, application and database hosting, encrypted blob storage, and email delivery for transactional messages.
This page describes architectural choices and defaults. It does not replace the Privacy Policy for lawful bases, international transfers, or formal data-subject requests.