Check Application StatusEN

Fill-TDAC — Application Assistance Portal

Legal

Privacy Policy

Last updated: May 12, 2026 · Effective: May 12, 2026

This Privacy Policy explains how AETHER INNOVATIONS PTE. LTD.(UEN 202501320M, with registered office at 2 Venture Drive, #19-21, Vision Exchange, Singapore 608526, “Aether Innovations”, “we”, “us”, or “our”) collects, uses, discloses, and protects personal data when you use Fill-TDAC (the “Service”) at fill-tdac.com. We comply with the Singapore Personal Data Protection Act 2012 (“PDPA”), the EU/UK General Data Protection Regulation (“GDPR”), and the California Consumer Privacy Act/CPRA (“CCPA”).

Table of Contents

  1. Data Controller
  2. Categories of Personal Data We Collect
  3. Why We Process Your Data & Legal Bases
  4. Disclosure: Government Authorities & Processors
  5. International Data Transfers
  6. Data Retention
  7. Data Security
  8. Your Rights (PDPA · GDPR · CCPA)
  9. Children & Minors
  10. Cookies & Analytics
  11. No Sale of Personal Data
  12. Changes to This Policy
  13. Contact & Complaints

1. Data Controller

The data controller for the personal data processed through the Service is:

AETHER INNOVATIONS PTE. LTD.
UEN: 202501320M
Registered office: 2 Venture Drive, #19-21, Vision Exchange, Singapore 608526
Privacy contact: support@fill-tdac.com

2. Categories of Personal Data We Collect

Because the Service exists to prepare and submit your Thailand Digital Arrival Card, we necessarily handle sensitive identity and travel data. We collect only what is strictly required to perform the Service and to meet our legal obligations.

  • Identity data. Full legal name, date of birth, gender, nationality, country of birth.
  • Document data. Passport number, issue and expiry dates, issuing country, MRZ data, and, where you choose to upload one, an image of the passport biographical page or visa. We use this data solely to populate and verify your TDAC submission.
  • Contact data. Email address, phone number (if you provide one), and, where applicable, a postal address for billing.
  • Travel data. Flight or vessel details, arrival and departure dates, mode of arrival, accommodation address in Thailand, purpose of visit, recent travel history where required by Thai authorities.
  • Health data. Only where the Thai immigration authority specifically requires a declaration (for example, in connection with public-health measures). Where collected, this is processed under explicit consent and transmitted only to the relevant authority.
  • Payment data. Payments are processed by Stripe. We do not see or store your full card number; we retain only the last 4 digits, card brand, country of issuance, billing name, transaction ID, and authorization status for accounting, fraud-prevention, and tax purposes.
  • Technical data. IP address, device fingerprint, browser type, timezone, log timestamps, and pages viewed, used for security, fraud prevention, and service operation.
  • Communications data. Emails and support messages you send us, retained for service-quality and dispute purposes.

3. Why We Process Your Data & Legal Bases

PurposeLegal basis (GDPR) / PDPA basis
Preparing, reviewing, and submitting your TDAC Application to the Thai immigration authority; delivering the approved QR-coded TDAC by email.Performance of a contract (Art. 6(1)(b) GDPR) / PDPA s.13 consent + s.17 deemed consent for necessary purpose.
Transmission of health or other special-category data where required by the destination authority.Explicit consent (Art. 9(2)(a) GDPR) given at checkout.
Customer support, account management, status checks.Performance of a contract; legitimate interests in operating the Service (Art. 6(1)(f)).
Fraud detection, chargeback defence, abuse prevention.Legitimate interests in protecting the Service and our payment processors (Art. 6(1)(f)).
Accounting, invoicing, tax reporting.Legal obligation under the Singapore Income Tax Act and Companies Act (Art. 6(1)(c)).
Service improvement, anonymized analytics.Legitimate interests with privacy-respecting analytics.
Optional marketing communications.Consent (Art. 6(1)(a)); you may withdraw at any time.

4. Disclosure: Government Authorities & Processors

Government authorities. By using the Service, you instruct and authorize us to disclose your personal data (including passport details, travel details, and any required declarations) to the relevant Thai immigration authority for the strict purpose of TDAC issuance. This disclosure is the core purpose of the Service. Once submitted, the data is also governed by the privacy practices of the receiving authority, over which we have no control.

Processors and sub-processors. We work with the following categories of vetted processors under written data-processing agreements. Processors are listed below with the function they perform; we update this list when material changes occur.

  • Stripe Payments Europe / Stripe Inc.— payment processing under Merchant Category Code 4722. Card data is collected and stored directly by Stripe; we do not handle full card numbers.
  • Vercel Inc. — web hosting and CDN for fill-tdac.com.
  • Resend— transactional email delivery (order confirmation, status updates, TDAC delivery).
  • Supabase— managed database and storage (EU/Singapore region) hosting application records.
  • Mindee(where the user uploads a passport image) — optical character recognition of MRZ to reduce data-entry errors. Uploaded images are processed and then deleted from Mindee per their retention policy.

We do not sell or rent your personal data, and we do not share it with advertising networks for cross-context behavioural advertising.

5. International Data Transfers

Because the Service is global and our infrastructure is operated from data centres in Singapore, the European Union, and the United States, your personal data may be transferred to and processed in jurisdictions other than your own.

Where personal data of EEA, UK, or Swiss residents is transferred outside their region to a country that has not received an adequacy decision, we rely on the European Commission’s Standard Contractual Clauses (2021/914) and, where applicable, the UK International Data Transfer Addendum, together with appropriate technical and organisational safeguards.

For Singapore residents, transfers are made in accordance with PDPA s.26 and the Personal Data Protection Regulations 2014, ensuring a comparable standard of protection.

Disclosures to the Thai immigration authority are made strictly to perform the contract you have entered into with us.

6. Data Retention

We retain personal data only for as long as needed for the purposes described in this Policy.

  • Operational records. Application data is retained for as long as needed to deliver the Service and to respond to status inquiries.
  • Fraud and chargeback defence. We retain transactional records, IP logs, and submission evidence for 18 months after delivery, in order to defend against chargebacks and abuse claims.
  • Accounting and tax records. Invoices, payment records, and accounting documentation are retained for 7 years in accordance with the Singapore Income Tax Act and Companies Act.
  • Passport / visa image uploads. Where you upload a document image, we delete the image once OCR is complete and the Application has been successfully delivered, save for a hash retained for fraud-prevention purposes.

After the applicable retention period, data is deleted, anonymized, or aggregated.

7. Data Security

We apply industry-standard technical and organisational measures to protect your data, including:

  • encryption in transit using TLS 1.3 for all traffic to and from the Service;
  • encryption at rest for databases and storage hosting personal data;
  • role-based access controls, least-privilege principles, and audit logging for staff access to applications;
  • payment-card data isolation through Stripe’s PCI-DSS Level 1 environment, ensuring we never directly handle full card numbers;
  • regular security reviews of dependencies, infrastructure configurations, and access permissions.

No system is perfectly secure. If we become aware of a personal data breach that is likely to result in risk to your rights, we will notify the competent authority and affected individuals as required by applicable law (within 72 hours under GDPR; without undue delay under PDPA s.26D).

8. Your Rights (PDPA · GDPR · CCPA)

Subject to applicable law, you have the right to:

  • Access the personal data we hold about you;
  • Rectify inaccurate or incomplete data;
  • Erase data we no longer need to retain (subject to legal retention obligations described in Section 6);
  • Restrict or object to certain processing based on legitimate interests;
  • Port your data to another controller in a structured, machine-readable format;
  • Withdraw consent for any processing based on consent, without affecting prior lawful processing;
  • Lodge a complaint with a supervisory authority (the Personal Data Protection Commission of Singapore for PDPA; your national data-protection authority for GDPR; the California Attorney General or CPPA for CCPA).

California residents additionally have the right to know what categories of personal information have been collected, sold, or disclosed for a business purpose, and the right to non-discrimination for exercising CCPA rights. We do not sell personal information (see Section 11).

To exercise any right, contact support@fill-tdac.com. We will verify your identity and respond within thirty (30) days, or any shorter period required by law.

9. Children & Minors

The Service is not directed to children under the age of 13 (or 16 where applicable). We do, however, process a minor’s TDAC data where a parent, legal guardian, or authorized adult traveler submits an Application on the minor’s behalf and provides the information required by the Thai authority. By doing so, the submitting adult confirms they have the necessary authority and consent.

10. Cookies & Analytics

We use only the cookies and similar technologies necessary to operate the Service, plus privacy-respecting analytics. Details are in our Cookies Policy.

11. No Sale of Personal Data

We do not sell your personal data, and we do not share it for cross-context behavioural advertising. For the purposes of the CCPA/CPRA, “sale” and “share” do not occur on the Service. We honour Global Privacy Control signals where required.

12. Changes to This Policy

We may update this Policy from time to time. The “Last updated” date at the top of the page reflects the most recent revision. Material changes will be communicated by email or by a prominent notice on the Service.

13. Contact & Complaints

For any privacy question or to exercise your rights, please contact us:

AETHER INNOVATIONS PTE. LTD.
Attn: Privacy Office
2 Venture Drive, #19-21, Vision Exchange, Singapore 608526
Email: support@fill-tdac.com

See also our Terms of Service, Refund Policy, and Legal Disclaimer.