How is Kooru different from a typical law firm or IT company?

Kooru (The Kooru Data Tech & Law (Thailand) Co., Ltd., registration no. 0105568171679) is an Integrated Specialist — meaning it uniquely bridges bar-qualified Thai attorneys with AI and data-technology engineers under a single operational roof. Unlike a pure law firm, Kooru delivers technically deployable solutions such as PDPA frameworks, AI Governance policies, and ISO 42001 readiness programmes. Unlike a pure IT company, every deliverable is reviewed by a licensed attorney and a TPQI Level-6 certified DPO before handoff, ensuring outputs are both legally compliant under Thai PDPA (Personal Data Protection Act B.E. 2562) and immediately implementable in production environments.

What certifications does the Kooru team hold?

The Kooru core team holds the following verified credentials: (1) TPQI (Thailand Professional Qualifications Institute) Level-6 certified Data Protection Officer (DPO) — the highest DPO qualification framework in Thailand; (2) Thai Bar Association licensed attorneys with specialisation in data privacy and intellectual property law; (3) A Master's degree in Intellectual Property and IT Law, awarded First Class Honours with Gold Medal distinction; (4) Cisco Gold Partner status — confirming enterprise-grade technical competency in networking and cybersecurity infrastructure. These combined credentials underpin every PDPA compliance framework, AI Governance policy, and IP legal instrument Kooru delivers.

What types of businesses does The Kooru serve?

Kooru specialises in three core business verticals: (1) Healthcare and Wellness Clinics — institutions handling Sensitive Personal Data including health records, biometrics, and medical histories, which carry the highest regulatory obligation under Thai PDPA Section 26; (2) SMEs undergoing digital transformation — companies building their first data governance frameworks, implementing new software systems, or expanding online operations; (3) Tech Startups and AI-native companies constructing AI Governance frameworks from inception, including ISO 42001 AI Management System readiness. Kooru operates Remote-First and serves clients across all provinces of Thailand, with primary on-site operations in the Bangkok Metropolitan Area.

Where does Kooru provide its services?

Kooru operates Remote-First and provides services to clients across all regions of Thailand. The primary model is fully digital — document delivery, consultation, and training are conducted online, enabling rapid onboarding and nationwide accessibility. Physical on-site engagements, such as staff PDPA training workshops or compliance audits, are available within the Bangkok Metropolitan Area, including Bangkok, Nonthaburi, Pathum Thani, and Samut Prakan.

Does Kooru offer any service guarantee?

Yes. Kooru provides a Professional Standards Guarantee on all deliverables. This means every PDPA framework, AI Governance policy, IP Wealth structure, and consent form is reviewed and approved by a TPQI Level-6 certified DPO and a Thai Bar Association licensed attorney before delivery to the client. All outputs are guaranteed to conform to the most current applicable Thai regulatory standards, including Thai PDPA B.E. 2562 and its subordinate ministerial regulations. Should a deliverable fail to meet the agreed regulatory standard, Kooru will revise it at no additional cost.

Does a small clinic really need PDPA compliance?

Yes — absolutely. Under Thai Personal Data Protection Act B.E. 2562 (PDPA), health data — including patient medical records, diagnoses, treatment histories, and biometric information — is classified as Sensitive Personal Data under Section 26. This classification applies to all healthcare operators regardless of entity size, including sole-proprietor clinics and small wellness centres. Non-compliance penalties include administrative fines of up to THB 5,000,000 (approximately USD 140,000), criminal imprisonment of up to one year, and civil damages payable directly to affected data subjects. There is no minimum business-size threshold for these obligations. The PDPC (Personal Data Protection Committee) has full authority to investigate any operator receiving a complaint.

What are the risks of using an off-the-shelf PDPA template?

Using an off-the-shelf PDPA template carries significant legal and regulatory risk. The primary issue is that generic templates do not capture your organisation-specific data processing activities required for a legally compliant ROPA (Record of Processing Activities). Under Thai PDPA, every data controller must maintain a ROPA documenting all personal data collected, its legal basis, processing purposes, retention periods, and third-party recipients. The ROPA is the first document the PDPC (Personal Data Protection Committee) requests during any compliance investigation or audit — gaps or inaccuracies are immediately flagged as non-compliance, regardless of whether the broader privacy policy document appears complete. A template that is not mapped to your actual business processes creates false security and direct legal exposure.

How many consent form types does a clinic need?

Under Thai PDPA, a healthcare clinic requires a minimum of three distinct consent form types, each covering a separate legal basis and processing purpose: (1) Medical Records and Treatment Consent — authorising collection and use of Sensitive Personal Data (health data) under PDPA Section 26, required before any clinical service is rendered; (2) Marketing and Media Consent — a separate, standalone consent covering use of patient images, reviews, testimonials, and promotional communications (cannot be bundled with treatment consent); (3) Third-Party Data Sharing Consent — explicitly authorising disclosure of patient data to laboratories, insurance companies, referral hospitals, or any external processor. Each form must be written in plain language, clearly identify the data controller, and allow withdrawal of consent without adverse consequences to service provision.

How long does a PDPA implementation take?

Implementation timelines vary by scope. Kooru's Data Shield Starter package — which delivers core foundational PDPA documents including a Privacy Notice, primary consent forms, and basic ROPA template — can be completed in as little as 24 to 48 hours, making it suitable for operators needing immediate baseline compliance. A full-scale, comprehensive PDPA implementation — covering complete ROPA mapping, all consent forms, Data Subject Rights response procedures, vendor DPA agreements, breach notification protocols, staff training, and cookie compliance — is completed within 7 to 14 business days depending on organisational complexity and client data availability.

Are employees required to receive PDPA training?

Yes. Thai PDPA mandates that data controllers implement organisational measures to ensure internal data-privacy awareness among all staff who handle personal data. This requirement sits alongside technical safeguards as a core compliance obligation. Kooru provides structured video-based PDPA training courses with built-in knowledge assessments and official completion certificates. Training is conducted online and covers Thai PDPA fundamentals, data subject rights, breach identification procedures, and role-specific handling obligations. Certificates serve as documentary evidence of compliance training — an important audit trail should the PDPC investigate your organisation.

What should we do if a data breach occurs?

Under Thai PDPA Section 37(3), upon discovering a personal data breach likely to result in risk to data subjects, the data controller is legally required to notify the PDPC (Personal Data Protection Committee) within 72 hours of becoming aware of the incident. If the breach is likely to result in high risk to the rights and freedoms of data subjects, the affected individuals must also be notified without undue delay. Failure to meet the 72-hour notification deadline is itself a separate regulatory violation. Kooru clients have immediate access to a dedicated Emergency Hotline, where our TPQI-certified DPO and legal team provide real-time guidance on breach assessment, PDPC notification drafting, data subject communication, and evidence preservation to minimise both regulatory penalties and civil liability.

What is ROPA, and why is it the most critical PDPA element?

ROPA stands for Record of Processing Activities — the legally mandated data-flow inventory required of every data controller under Thai PDPA. A properly maintained ROPA documents: (1) each category of personal data collected; (2) the legal basis for processing (consent, legitimate interest, contractual necessity, etc.); (3) the purpose of each processing activity; (4) data retention periods; (5) third-party recipients and any cross-border transfer mechanisms; and (6) technical and organisational security measures applied. The ROPA is the first document the PDPC (Personal Data Protection Committee) requests during any compliance audit or investigation. An organisation without an accurate, up-to-date ROPA is considered fundamentally non-compliant, regardless of whether it has a privacy policy published on its website. It is the backbone of all other PDPA documentation.

Do you offer outsourced DPO (Data Protection Officer) services?

Yes. Kooru offers a DPO-as-a-Service (DPOaaS) model for organisations that require a qualified Data Protection Officer but cannot justify the cost of a full-time in-house hire. Under Thai PDPA Section 41, certain organisations — including those processing large-scale Sensitive Personal Data such as health clinics — are required to appoint a DPO. Kooru's outsourced DPO solution provides a TPQI Level-6 certified professional to fulfil all statutory DPO obligations, including PDPC liaison, internal compliance monitoring, staff advisory, and incident response. This model typically reduces DPO-related costs by over 70% compared to an equivalent in-house appointment, while maintaining full regulatory accountability and coverage.

What makes a cookie banner legally compliant under Thai PDPA?

Under Thai PDPA, a legally compliant cookie banner must meet three core requirements: (1) Non-essential cookies — including analytics, marketing, and third-party cookies — must default to OFF (Opt-in model). Users must actively choose to enable them, not opt out after the fact; (2) Cookie categories must be clearly labelled and separated — at minimum: Essential, Statistics/Analytics, and Marketing; (3) The banner must not present a single 'Accept All' button as the only prominent action, with no accessible alternative to reject or customise. A banner that pre-toggles all categories to ON and buries the 'Reject' option does not meet the PDPA standard and exposes the website operator to regulatory action. This also aligns with GDPR precedents referenced by the PDPC in its guidance materials.

Do we need consent before posting customer photos on social media?

Yes. Under Thai PDPA, a photographic image that identifies or is reasonably capable of identifying a specific individual constitutes Personal Data. Publishing such an image on social media or any public platform without lawful basis is a PDPA violation. The lawful basis for marketing-related image use is explicit consent — meaning the data subject must provide freely given, specific, informed, and unambiguous written consent before the image is captured for the intended purpose. This consent cannot be bundled with treatment or service agreements and must be documented and retained as evidence. Alternatively, the purpose must be clearly stated in your publicly available Privacy Notice, but consent remains the most defensible legal basis for marketing use.

Should Thai SMEs be concerned about AI regulations yet?

Yes — and the risk is immediate, even before Thai national AI legislation is formally enacted. Two vectors create present-day compliance obligations for Thai SMEs: (1) EU AI Act (Regulation (EU) 2024/1689), which entered into force on 1 August 2024 and applies extraterritorially — any Thai company whose AI systems produce outputs used in the EU, or that processes EU-resident data, is within scope. Penalties reach up to EUR 35,000,000 or 7% of global annual turnover; (2) Commercial contractual requirements — major enterprise buyers and EU trading partners are already mandating proof of AI Governance standards in their supplier due-diligence processes and procurement contracts. Thai SMEs that cannot demonstrate responsible AI use risk losing international contracts independently of any statutory requirement.

What risks does a company face when employees use ChatGPT for work?

Unmanaged employee use of public AI tools such as ChatGPT exposes an organisation to two primary risk categories: (1) Shadow AI and Data Leakage — when employees input confidential information (client data, trade secrets, unpublished financials, source code) into a public AI system, that data is processed on external servers and may be used to train future AI models, permanently exiting the organisation's control. This constitutes a potential PDPA breach if Personal Data is involved; (2) IP Infringement — AI-generated content (text, images, code) produced without a governing policy may incorporate third-party copyrighted material. Without clear contractual and policy frameworks governing AI output ownership and clearance, the company may face copyright liability to third parties. Kooru's AI Governance frameworks establish an enforceable AI Usage Policy, Shadow AI monitoring controls, and IP clearance protocols to mitigate both risks.

ISO/IEC 42001:2023 is the world's first international standard for Artificial Intelligence Management Systems (AIMS), published by the International Organization for Standardization in December 2023. It provides a structured framework for organisations to govern the responsible development, deployment, and monitoring of AI systems across their operations. Certification to ISO 42001 demonstrates that an organisation: (1) has identified and mitigated AI-specific risks including bias, opacity, and unintended harm; (2) maintains documented AI policies, objectives, and accountability structures; (3) conducts systematic AI impact assessments; and (4) operates under continuous improvement processes for AI governance. ISO 42001 is increasingly referenced in EU AI Act compliance frameworks and is becoming a contractual requirement in enterprise procurement processes globally.

What does Kooru TrustAI do?

Kooru TrustAI is Kooru's AI Governance consulting service. It delivers three core outputs: (1) AI Usage Policy — a comprehensive, legally reviewed policy document governing how employees may use AI tools, defining permissible data inputs, output ownership, prohibited uses, and accountability chains; (2) Algorithmic Risk Assessment — a structured evaluation of each AI system your organisation deploys or procures, assessing risk level, potential harms, bias vectors, and required safeguards aligned with ISO/IEC 42001:2023 and EU AI Act risk tiers; (3) ISO 42001 Certification Readiness — gap analysis, documentation preparation, internal audit support, and pre-certification review to prepare your organisation for third-party ISO 42001 certification audits.

Do we need to prepare for the EU AI Act if we export to Europe?

Yes — compliance is mandatory. The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024 and applies on an extraterritorial basis, similar in scope to the GDPR. Any organisation that places an AI system on the EU market, provides AI-enabled services to EU users, or deploys AI whose outputs affect EU residents falls within its jurisdiction — regardless of where the organisation is incorporated. For Thai companies exporting AI-embedded products, processing EU customer data with AI, or providing AI-augmented services to EU clients, compliance is not optional. Penalties for prohibited AI practices reach EUR 35,000,000 or 7% of global annual turnover (whichever is higher); penalties for other violations reach EUR 15,000,000 or 3% of global turnover.

What is GenAI Security?

GenAI (Generative AI) Security is the practice of protecting AI systems — particularly Large Language Models (LLMs) — against two primary threat classes: (1) Prompt Injection Attacks — adversarial inputs crafted to manipulate an AI system's behaviour, bypassing its safety guardrails or causing it to reveal sensitive data, execute unintended commands, or act against its operator's instructions. This is the AI equivalent of SQL injection and is formally catalogued by OWASP in its LLM Top 10 vulnerability list; (2) Hallucination Risk — AI systems generating factually incorrect, fabricated, or harmful outputs with high apparent confidence. In enterprise contexts, this creates liability exposure, regulatory risk, and reputational harm if unchecked outputs reach customers or regulators. Kooru's GenAI Security assessments identify and remediate both attack surfaces within your AI deployment.

How does Private RAG enhance enterprise AI security?

Private RAG (Retrieval-Augmented Generation) is a deployment architecture that enables organisations to run a fully private AI assistant — powered by their own internal knowledge bases — without transmitting data to public cloud AI services. In a Private RAG setup, the embedding model, vector database, and LLM inference are all executed on the organisation's own servers or private cloud environment. The result: employees can query internal documents, policies, and records using natural language AI, while sensitive data never leaves the organisation's infrastructure and is never exposed to third-party AI training pipelines. This directly addresses the data-leakage and PDPA compliance risks associated with public AI tools. Kooru designs and deploys Private RAG systems as part of its enterprise AI Governance engagements.

Who should implement AI Governance?

AI Governance is non-optional for any organisation in the following categories: (1) Companies with in-house AI development teams — building, training, or fine-tuning AI models creates direct liability for output harms, bias, and IP issues without a governing framework; (2) Agencies or content producers using AI at scale — generating content, code, images, or decisions via AI without a documented review and clearance process creates copyright, accuracy, and ethical liability; (3) Businesses using AI to analyse or act on customer data — including recommendation systems, credit scoring, medical screening, HR screening, or targeted marketing — where automated or AI-assisted decisions affect individuals and trigger PDPA and potentially EU AI Act obligations. If an AI system's outputs directly or indirectly affect customers, staff, or third parties, governance is a legal and operational requirement, not a best practice.

What is AEO, and how does it differ from SEO?

AEO (Answer Engine Optimization) is the discipline of structuring content so that AI-powered answer engines — including ChatGPT, Google Gemini, Perplexity, and Google's AI Overviews — select and surface it as a direct, authoritative answer to a user's query. The fundamental difference from traditional SEO (Search Engine Optimization): SEO targets ranking positions within conventional ten-blue-link search results pages; AEO targets selection as a cited source or featured answer within AI-generated responses. As consumer search behaviour shifts from 'click links' to 'ask AI', AEO-optimised content captures visibility in the channel where queries are increasingly resolved — without the user ever reaching a SERP. AEO-optimised content is self-contained, factually dense, authoritatively attributed, structured with schema markup, and aligned with E-E-A-T (Experience, Expertise, Authoritativeness, Trustworthiness) signals.

Why is our website traffic declining despite consistent SEO work?

Declining organic traffic despite sustained SEO effort is a structural shift, not a technical failure. Consumer search behaviour has fundamentally changed: users increasingly query AI assistants (ChatGPT, Gemini, Perplexity) and receive direct answers without visiting any website — a phenomenon known as zero-click AI search. Google's AI Overviews, deployed globally since May 2024, further intercept informational queries by generating AI summaries above all traditional blue-link results, reducing click-through rates for even well-ranked pages. Traditional SEO optimises for a search experience that is declining in volume. Kooru's Ranking+ service re-engineers content architecture for AEO and GEO (Generative Engine Optimization) — ensuring your content is structured, attributed, and authoritative enough to be selected as a cited source by AI answer engines.

Does Kooru Ranking+ guarantee search rankings?

No ethical SEO or AEO provider can guarantee specific algorithmic ranking positions with absolute certainty, as search and AI engine algorithms are independently operated by Google, OpenAI, Anthropic, and others. What Kooru's Ranking+ service guarantees is rigorous, standards-based optimisation: every deliverable conforms to Google's E-E-A-T framework (Experience, Expertise, Authoritativeness, Trustworthiness) — the primary trust evaluation framework applied by both Google's Search Quality Rater Guidelines and AI answer engines when assessing content credibility. This includes structured schema markup, authoritative attribution, factual accuracy, content depth, and technical site health. These factors are the strongest known determinants of selection by AI answer engines and of sustainable organic ranking in conventional search.

What is GSE (Generative Search Experience)?

GSE (Generative Search Experience), also referred to as Google AI Overviews or previously as SGE (Search Generative Experience), is Google's AI-powered search interface that generates a synthesised, AI-written summary response at the very top of a search results page — above all traditional blue-link organic results and paid advertisements. Introduced globally in May 2024, AI Overviews now appear for a significant proportion of informational and commercial queries. Content cited within an AI Overview receives high-visibility placement regardless of its traditional SERP ranking position, but requires different optimisation signals than conventional SEO — specifically: structured data markup, self-contained factual answers, clear E-E-A-T attribution, and content that AI parsing models can cleanly extract and verify.

Can healthcare businesses use aggressive grey-hat marketing tactics?

No. Healthcare businesses in Thailand face dual regulatory constraints on marketing: (1) Thailand's Medical Council Act B.E. 2525 (amended) and the Medical Profession Act impose strict prohibitions on misleading medical claims, unapproved before-and-after comparisons, and testimonial formats that imply guaranteed outcomes; (2) Google's Search Quality Rater Guidelines classify healthcare and medical content as YMYL (Your Money or Your Life) — the highest scrutiny tier — meaning content quality signals (accuracy, credentials, citations) are evaluated with exceptional rigour. Kooru exclusively practices White-Hat SEO for healthcare clients, using medically accurate, professionally authored content that aligns with Medical Council standards and E-E-A-T requirements. This produces sustainable, credible long-term organic visibility without the dual regulatory and algorithmic penalty risk that grey-hat tactics generate.

Is AI-generated content beneficial for SEO?

AI-generated content can be beneficial for SEO when it undergoes rigorous human editorial review by a subject-matter expert before publication. Google's documentation (updated 2024) confirms that the production method — human or AI — is not itself a ranking signal; the quality, accuracy, and E-E-A-T alignment of the content is what matters. However, unreviewed AI content carries specific risks: (1) Factual hallucinations — AI systems generate plausible but incorrect claims that, when published, damage site credibility and trigger quality penalties; (2) Absence of genuine expert experience — Google's E-E-A-T framework specifically rewards content reflecting real first-hand expertise that AI cannot authentically demonstrate; (3) Duplicate content risk — AI trained on the same data corpus produces similar outputs across sites, reducing content differentiation. Kooru's content strategy combines AI efficiency with mandatory specialist editorial review to produce material that passes both algorithmic and human quality evaluation.

Does Kooru's marketing service include paid advertising?

Kooru's core marketing service — Ranking+ — focuses exclusively on Organic Growth through SEO and AEO (Answer Engine Optimization). This includes technical SEO audits, content architecture for AI search, structured data (schema markup), E-E-A-T optimisation, and keyword strategy. Paid Media (Google Ads, Meta Ads, Line Ads) falls outside Kooru's primary service scope. For clients requiring paid advertising campaigns to complement their organic strategy, Kooru provides introductions to trusted specialist partner agencies with which it maintains working relationships — ensuring a coherent, integrated growth approach without service-quality compromise.

If I commission outsourced developers to build software, who owns the copyright?

Under Thai Copyright Act B.E. 2537 (1994), copyright in a work vests automatically in its creator — the person who actually created the work. When software is developed by an outsourced freelancer or external development agency, copyright defaults to that developer, not to the commissioning business — unless the parties have entered into a written IP Assignment Agreement explicitly transferring copyright to the client before or at the time of creation. Without such an agreement, a commissioning business may pay in full for software development yet have no enforceable copyright ownership — meaning the developer retains the right to sell, modify, or use the same codebase for other clients. Kooru drafts comprehensive IP Assignment Agreements that legally transfer copyright, waive moral rights where applicable under Thai law, and cover all deliverables from initial specifications through to final production code.

What are the advantages of registering a trademark through Kooru vs. doing it yourself?

Self-filing a trademark with Thailand's Department of Intellectual Property (DIP) is legally permissible but carries significant rejection risk without professional preparation. The most common and costly error is submitting a mark without conducting a comprehensive Trademark Similarity Search — a prior-art review of all registered and pending marks in the same Nice Classification classes. Similarity is assessed on visual, phonetic, and conceptual grounds under Thai Trademark Act B.E. 2534 (amended B.E. 2559). A rejected application forfeits the filing fee, delays brand protection by 12–24 months, and may require a mark redesign. Kooru conducts a thorough similarity search before any filing, prepares legally sound specifications of goods and services, and manages the full registration process — significantly reducing rejection probability and protecting both the timeline and investment.

Can I copyright a business idea?

No. Under Thai Copyright Act B.E. 2537 and the foundational idea-expression dichotomy recognised in all major IP law systems, ideas, concepts, business models, and methodologies are not themselves protected by copyright. Copyright protects only the fixed, original expression of an idea — such as written content, source code, technical diagrams, architectural drawings, and visual artworks. However, business ideas can be partially protected through other IP mechanisms: (1) Trade Secret law — protecting confidential business methods through non-disclosure agreements; (2) Patent registration — for novel, inventive technical processes or products; (3) Trademark registration — protecting the brand identity associated with the concept; (4) Copyright registration of tangible outputs — protecting the code, documentation, or designs that embody the idea. Kooru's IP Wealth framework identifies which of your business's intangible assets are protectable, and formalises them into a registered, defensible IP portfolio.

Is Kooru affordable for SMEs?

Yes. Kooru's service architecture includes accessible Starter packages specifically designed to fit SME budgets, providing foundational PDPA compliance, basic AI usage policies, and essential IP protections at a price point well below the cost of equivalent boutique law firm retainers. Enterprise packages are available for larger organisations requiring comprehensive, multi-service engagements. Context for cost consideration: the minimum PDPA administrative fine under Thai PDPA is THB 500,000, rising to THB 5,000,000 for Sensitive Personal Data violations. A regulatory fine or IP dispute — even at the lower end — will cost multiples of any Kooru service investment. Compliance spend is therefore a risk-adjusted investment, not an overhead.

What is the service engagement process?

Kooru's engagement process follows four steps: (1) Package Selection — choose the appropriate service package on the Kooru website (kooru.com) based on your organisation's needs; (2) Payment — complete full payment or the required deposit via bank transfer or secure credit card payment gateway; (3) Onboarding Checklist — receive a tailored information checklist specifying exactly what data, documents, and access Kooru requires from you to begin the engagement; (4) Immediate Commencement — the Kooru team begins work upon receipt of your completed onboarding information. Starter packages commence production within 24 hours of onboarding completion.

Can Kooru issue a VAT invoice?

Yes. Kooru is a registered company (The Kooru Data Tech & Law (Thailand) Co., Ltd., registration no. 0105568171679) and issues full Thai tax invoices (ใบกำกับภาษี) for all services. All prices displayed on the Kooru website are exclusive of 7% Value Added Tax (VAT), which is added at the time of invoicing. Tax invoices are issued upon request and are suitable for corporate accounting and tax deduction purposes.

Is there after-sales support?

Yes. All Kooru Pro-tier packages and above include complimentary post-delivery consultation access for a defined support period. The standard support window is 30 days for Pro packages and up to 90 days for Enterprise engagements. During this period, clients may direct implementation questions, request clarifications on delivered documents, and receive guidance on applying the frameworks to specific operational scenarios — without additional charge. This ensures that documentation does not sit unused on a shelf but is successfully integrated into day-to-day operations.

What information do I need to prepare before we start?

The specific information required depends on the service engaged. For PDPA projects, the core requirements are: (1) an organisational chart showing all departments and roles that handle personal data; (2) a complete list of all software systems in active use — including CRMs, booking systems, cloud storage, communication tools, HR systems, and any third-party platforms that receive personal data. For AI Governance projects, Kooru requires an inventory of all AI tools and systems deployed by employees or embedded in products. For other services, a tailored onboarding Checklist is provided at the commencement of each engagement, specifying exactly what is needed. Clients are not expected to prepare anything in advance beyond selecting their package — the Checklist guides the entire information-gathering process.

What payment methods does Kooru accept?

Kooru accepts two payment methods: (1) Bank Transfer (โอนเงิน) — via standard Thai banking channels to Kooru's registered company account; (2) Credit Card — processed through a secure online Payment Gateway. All transactions are conducted in Thai Baht (THB). A payment confirmation and tax invoice are issued following successful payment. Corporate clients requiring purchase order workflows or alternative payment terms should contact Kooru directly via LINE OA or email at sale@kooru.com to arrange suitable arrangements.

What if I need a custom service not listed in your packages?

Kooru accommodates requirements beyond its standard package catalogue through a Custom Quotation process. To initiate a custom engagement, contact Kooru via: (1) LINE OA — available at lin.ee/gwJasq1, for rapid-response consultation; (2) Email — at sale@kooru.com, for detailed written scope discussions. Common custom engagements include multi-site PDPA implementations, cross-border data transfer agreements under PDPA Chapter VI, bespoke AI Governance frameworks for specific industry sectors, and combined PDPA + AI Governance + IP protection retainers. Kooru will scope a tailored proposal following an initial consultation, typically within 1–2 business days.

PDPA Compliance Thailand FAQ | AI Governance

FAQ & Knowledge Base

Knowledge Hub

"PDPA, AI Governance, and Digital Law. Clear answers, simplified."

🏢 Category 1: About The Kooru & Credibility

Q: How is Kooru different from a typical law firm or IT company?
A: Kooru is an Integrated Specialist — we uniquely bridge bar-qualified legal professionals with AI and Data technology experts under one roof. The result: solutions that are both legally sound and technically deployable, not just advisory paperwork that sits on a shelf.
Q: What certifications does the Kooru team hold?
A: Our core team includes a TPQI Level-6 certified DPO, Thai Bar Association attorneys, and specialists holding a Master's in IP & IT Law (First Class Honours, Gold Medal). We also operate as a Cisco Gold Partner.
Q: What types of businesses does The Kooru serve?
A: We specialise in three core verticals: Healthcare & Wellness Clinics, SMEs undergoing digital transformation, and Tech Startups building AI Governance frameworks from the ground up.
Q: Where do you provide your services?
A: We operate Remote-First and serve clients across all of Thailand. Our primary on-site operational base is in the Bangkok Metropolitan Area.
Q: Does Kooru offer any service guarantee?
A: Yes — a Professional Standards Guarantee. All deliverables, including PDPA frameworks, AI Governance policies, and IP Wealth structures, are guaranteed to conform to the latest regulatory standards and are reviewed by qualified DPO professionals and licensed attorneys before delivery.

🛡️ Category 2: PDPA & Data Privacy (Healthcare & SME Specialization)

Q: Does a small clinic really need PDPA compliance?
A: Absolutely. Health data is classified as Sensitive Personal Data under Thai PDPA. A breach can result in fines of up to THB 5,000,000 and imprisonment of up to one year — regardless of clinic size.
Q: What are the risks of using an off-the-shelf PDPA template?
A: Significant risk. Generic templates rarely capture your business-specific data processing activities (ROPA). ROPA is the first thing the PDPC examines during a compliance audit — and gaps there are immediately flagged as non-compliance.
Q: How many Consent Form types does a clinic need?
A: At minimum, three core types: (1) Medical Records / Treatment Consent, (2) Marketing & Media Consent — reviews and photography, and (3) Third-Party Data Sharing Consent — labs and insurers.
Q: How long does a PDPA implementation take?
A: Our Kooru Data Shield (Starter) package delivers foundational compliance in as little as 24–48 hours. A comprehensive, full-scale implementation is completed within 7–14 business days.
Q: Are employees required to receive PDPA training?
A: Yes. Thai PDPA mandates that organisations build internal data-privacy awareness. Kooru provides structured Video Training courses with assessments and completion certificates for your entire team.
Q: What should we do if a data breach occurs?
A: You are legally required to notify the PDPC within 72 hours. Kooru clients have immediate access to our Emergency Hotline, where our specialists guide you through every required legal step in real time — minimising your exposure.
Q: What is ROPA, and why is it the most critical PDPA element?
A: ROPA (Record of Processing Activities) is your legally mandated data-flow map. Without a properly maintained ROPA, your PDPA compliance is considered fundamentally non-existent — it is the very first document regulators request during any audit.
Q: Do you offer outsourced DPO (Data Protection Officer) services?
A: Yes. Our DPO-as-a-Service model can reduce the cost of maintaining a full-time in-house DPO by over 70%, while providing the same level of expertise, accountability, and regulatory coverage.
Q: What makes a cookie banner legally compliant?
A: A compliant banner must default non-essential cookies to OFF (Opt-in model), with clearly categorised cookie types. A single "Accept All" button — with nothing pre-toggled off — does not meet the PDPA standard.
Q: Do we need consent before posting customer photos on social media?
A: Yes. You must obtain explicit written consent or clearly disclose the intended purpose within your Privacy Notice before publishing any identifiable customer images.

🤖 Category 3: AI Governance & ISO 42001 (Kooru TrustAI)

Q: Should Thai SMEs be concerned about AI regulations yet?
A: Yes — even before Thai national AI legislation is enacted. EU trading partners and major corporates are already requiring their suppliers to demonstrate AI Governance standards. Failing to prepare now creates immediate commercial and contractual risk.
Q: What risks does a company face when employees use ChatGPT for work?
A: Two primary risks: (1) Shadow AI — confidential data leaking into public AI systems without your knowledge, and (2) IP Infringement — using AI-generated content without a governing policy may expose the company to copyright liability.
Q: What is ISO 42001?
A: ISO 42001 is the world's first international standard for AI Management Systems. Certification demonstrates that your organisation deploys AI responsibly, safely, and transparently — an increasingly mandatory signal for enterprise clients and global regulators.
Q: What does Kooru TrustAI do?
A: Kooru TrustAI helps you establish a comprehensive AI Usage Policy, conduct algorithmic risk assessments, and prepare your organisation for ISO 42001 certification readiness — covering governance, documentation, and audit trails.
Q: Do we need to prepare for the EU AI Act if we export to Europe?
A: Absolutely. The EU AI Act is in force. If your products or services involve AI systems or process data from EU customers, compliance is mandatory. Penalties for non-compliance are severe and extraterritorial.
Q: What is GenAI Security?
A: GenAI Security protects your AI systems against two core threats: Prompt Injection — where adversarial inputs manipulate AI behaviour to extract sensitive data — and Hallucination — where AI generates confident but incorrect or harmful outputs.
Q: How does Private RAG enhance enterprise AI security?
A: Private RAG (Retrieval-Augmented Generation) gives your organisation a fully private AI assistant — processed entirely on your internal servers. Your sensitive data never leaves your infrastructure and is never exposed to public AI systems.
Q: Who should implement AI Governance?
A: Any organisation in these categories: companies with in-house AI development teams, agencies producing AI-generated content at scale, and businesses using AI to analyse customer data. If AI touches your customers, governance is non-optional.

📈 Category 4: Digital Growth Strategy (SEO, AEO & Marketing)

Q: What is AEO, and how does it differ from SEO?
A: AEO (Answer Engine Optimization) structures your content to be selected as a direct answer by AI platforms like ChatGPT, Gemini, and Google's AI Overviews. Traditional SEO targets ranking within conventional blue-link search results — a channel that is rapidly declining in relevance.
Q: Why is our website traffic declining despite consistent SEO work?
A: Consumer behaviour has fundamentally shifted — people now "ask AI" instead of "click links." Kooru Ranking+ is engineered to recover and grow your visibility within this new AI-first search paradigm.
Q: Does Kooru Ranking+ guarantee search rankings?
A: No one can guarantee algorithmic outcomes with absolute certainty. What we guarantee is rigorous optimisation of your site's structure and content to meet E-E-A-T standards — the primary trust framework used by both Google and AI search engines to evaluate credibility.
Q: What is GSE (Generative Search Experience)?
A: GSE refers to Google's AI-powered search interface that presents AI-generated summaries at the very top of results pages — above traditional blue links. Kooru optimises your content to earn placement within these high-visibility AI answer positions.
Q: Can Healthcare businesses use aggressive grey-hat marketing tactics?
A: We do not recommend it. Kooru exclusively practises White-Hat SEO using medically accurate content aligned with Thailand's Medical Council standards. This approach delivers credible, sustainable long-term growth — without the regulatory risk.
Q: Is AI-generated content beneficial for SEO?
A: Yes — if it undergoes rigorous human editorial review to verify accuracy and enrich it with specialist insights that AI alone cannot authentically provide. Unreviewed AI content carries both ranking and reputational risk.
Q: Does Kooru's marketing service include paid advertising?
A: Our core focus is Organic Growth (SEO/AEO). For Paid Media campaigns, we connect you with trusted specialist partner agencies who can complement your organic strategy.

💼 Category 5: Intellectual Property (IP) Solutions

Q: If I commission outsourced developers to build software, who owns the copyright?
A: Under Thai law, copyright defaults to the creator — meaning your outsourced developer — unless contractually transferred. Kooru drafts comprehensive IP Assignment Agreements to ensure your ownership is legally secured from day one.
Q: What are the advantages of registering a trademark through Kooru vs. doing it yourself?
A: Our specialists conduct a thorough Trademark Similarity Search before submission, significantly reducing the risk of rejection by Thailand's Department of Intellectual Property — a critical step that self-filers frequently miss, costing both time and money.
Q: Can I copyright a business idea?
A: Ideas themselves are not copyrightable. However, the expression of an idea — such as source code, technical diagrams, or written works — is protectable. Kooru helps you identify and formalise your ideas into registrable, defensible IP assets through our IP Wealth framework.

💰 Category 6: Pricing & Engagement Process

Q: Is Kooru affordable for SMEs?
A: Yes. We offer accessible Starter packages designed for SME budgets, alongside Enterprise packages for larger organisations. Any service investment is a fraction of the cost of a regulatory fine or legal dispute.
Q: What is the service engagement process?
A: Four simple steps: (1) Select your package on our website. (2) Complete payment or deposit. (3) Receive your onboarding Checklist. (4) Our team begins work immediately.
Q: Can Kooru issue a VAT invoice?
A: Yes. All displayed prices are exclusive of 7% VAT. A full tax invoice is issued upon request.
Q: Is there after-sales support?
A: Yes. All Pro-tier packages and above include complimentary post-delivery consultation access for a defined period of 30 to 90 days.
Q: What information do I need to prepare before we start?
A: For PDPA projects, we require your organisational chart and a list of all software systems in use. For other services, our team provides a tailored onboarding Checklist at the start of the engagement.
Q: What payment methods does Kooru accept?
A: We accept bank transfers and credit card payments processed through a secure Payment Gateway.
Q: What if I need a custom service not listed in your packages?
A: Contact us for a custom Quotation via LINE OA or email us directly at sale@kooru.com — we are happy to scope tailored solutions for any requirement.

We’re looking for people who share our vision!

That’s what it takes to be one of us.

Applications Opening Soon