Privacy Policy

Last updated: 24 May 2026

This Privacy Policy describes how gasder (‘we’) collects, uses, and protects your personal information. We comply with Thailand’s Personal Data Protection Act B.E. 2562 (PDPA).

01

Our role under PDPA

  • For your data (account owner / staff in the system): we are the "Data Controller."
  • For data about your customers/partners that you record in the system: you are the "Data Controller" and we are merely the "Data Processor" acting on your instructions.
  • Responsibility for the accuracy, legality, and consent basis of the data you record is yours.

02

Information we collect

  • Contact info: name, phone, email
  • Business info: shop name, shop code, address, tax ID (if VAT-registered)
  • Usage data: login/logout records, IP, browser — for security and auditing
  • Payment info: processed by PCI DSS-compliant providers. We never store credit-card data ourselves.
  • Data you record: customers, partners, products, sales, inventory, tax invoices, etc.

03

How we use your data

  • Provide the service you signed up for, issue invoices, and respond when needed
  • Notify you of billing, new features, and system outages
  • Develop and improve the system; analyse aggregate (de-identified) usage
  • Security monitoring, fraud prevention, response to legal requests
  • Comply with Thai accounting, tax, and other legal requirements

04

Legal basis for processing

  • Contract (PDPA §24(3)) — to provide the Service per the Terms
  • Legal obligation (PDPA §24(6)) — to retain tax/accounting data as required by Thai law
  • Legitimate interest (PDPA §24(5)) — security, fraud prevention, system improvement
  • Consent (PDPA §24(1)) — for marketing/promotional communications (if any; you may withdraw at any time)

05

Data retention

  • During subscription: retained as long as you are a customer.
  • After cancellation: business data (accounting, tax, invoices) is retained for 5 more years, as required by the Thai Accounting Act B.E. 2543 and the Revenue Code.
  • Login + usage logs: 2 years, in line with Computer Crime Act B.E. 2550 (minimum 90 days; we keep longer for audit).
  • After retention period, data is deleted or anonymised.
  • If you exercise PDPA deletion rights, we delete data not in conflict with legal obligations.

06

Your rights under PDPA

  • Access the data we hold about you
  • Correct inaccurate information
  • Request deletion or anonymisation (right to be forgotten) — where not in conflict with legal obligations
  • Object to or restrict processing
  • Data portability — CSV export in the system
  • Withdraw consent (for processing based on consent)
  • File a complaint with the Office of the Personal Data Protection Committee at pdpc.or.th
  • Exercise rights: via the "PDPA delete" button in the system (for your customers' data), or by contacting us directly.

07

Data sharing and service providers

  • We never sell your data to third parties.
  • We use industry-standard infrastructure providers to operate the service: cloud hosting · CDN · object storage · email · error monitoring · payment gateway · analytics.
  • These providers are bound by confidentiality and data security agreements.
  • We disclose to government authorities only under a court order or legal warrant.

08

Cross-border data transfer

  • Your data may be processed in data centres in the Asia-Pacific region.
  • Our infrastructure providers meet international security standards (ISO 27001, SOC 2, or equivalent).
  • Your use of the Service constitutes consent for cross-border data transfer necessary for service operation, per PDPA §28-29.

09

Security

  • Data is encrypted in transit via TLS (HTTPS everywhere).
  • Stored with providers meeting international security standards.
  • Daily backups as per provider schedule.
  • Passwords hashed with bcrypt. 2FA supported.
  • Staff/team access limited to operational need with access logging.
  • Despite industry-standard measures, no system is 100% secure. You are responsible for safeguarding your own password and 2FA credentials.

10

Cookies and tracking

  • We use essential cookies (session, authentication) for service operation.
  • We may use analytics tools such as Google Analytics to improve user experience. No cross-site tracking.
  • You may disable cookies in your browser, but some features may not work properly.

11

Data breach

  • In the event of a personal data breach that may pose risks to your rights and freedoms, we will notify the PDPC within 72 hours as required by PDPA §37.
  • If the risk is high, we will notify you directly by email.

12

Changes to this policy

We may update this policy as needed. We will notify you by email or in-app at least 30 days before changes take effect.

13

Contact us

For questions about this policy, to exercise your PDPA rights, or to file a complaint about data processing, please contact us through the channels below.