Privacy Policy
🔒 Effective Date: 18 January 2026 | Last Updated: 18 January 2026
The Kooru Data Tech & Law (Thailand) Co., Ltd.
The Kooru Data Tech & Law (Thailand) Co., Ltd. (Company Registration No. [●]) ("The Kooru", "we", "us", or "our"), a company incorporated and existing under the laws of the Kingdom of Thailand, is the Data Controller responsible for your personal data within the meaning of the Personal Data Protection Act B.E. 2562 (2019) ("PDPA").
This Privacy Policy ("Policy") sets out the basis on which we collect, use, disclose, transfer, and otherwise process personal data relating to you ("Data Subject") in connection with your access to and use of our website at www.kooru.com and all related services, platforms, and advisory engagements (collectively, the "Services").
This Policy is to be read in conjunction with our Cookie Policy and Terms of Service, each of which forms part of our overarching data governance framework. In the event of any conflict between this Policy and those documents, this Policy shall prevail with respect to personal data processing matters.
We encourage you to read this Policy carefully. If you have any questions, please contact our Data Protection Officer ("DPO") using the details set out in Section 10 below.
1. 📖 Definitions and Interpretation
In this Policy, the following terms shall have the meanings ascribed to them below, unless the context otherwise requires:
- "Personal Data": Any information relating to an identified or identifiable natural person (whether directly or indirectly identifiable), as defined in Section 6 of the PDPA. For the avoidance of doubt, Personal Data does not include data relating to deceased persons as a matter of Thai law.
- "Sensitive Personal Data": A special category of Personal Data as enumerated in Section 26 of the PDPA, including (without limitation) data concerning racial or ethnic origin, political opinions, religious beliefs, criminal records, health data, biometric data, and genetic data.
- "Processing": Any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, restriction, erasure, or destruction.
- "Data Controller": The person or entity that has the authority and responsibility to make decisions regarding the collection, use, or disclosure of Personal Data.
- "Data Processor": Any person or entity that Processes Personal Data on behalf of, and under the instructions of, the Data Controller.
- "Consent": A freely given, specific, informed, and unambiguous indication of the Data Subject's agreement to the Processing of their Personal Data, as required under Section 19 of the PDPA.
- "DPO": Our designated Data Protection Officer, whose contact details are set out in Section 10.
2. 📂 Personal Data We Collect
We collect Personal Data to the minimum extent necessary to fulfil the purposes described in Section 3 below, in accordance with the principle of data minimisation. The categories of Personal Data we may collect include:
2.1 🪪 Identity Data
First name, last name, title, position, company name, and other information you provide when engaging with our advisory or consulting services.
2.2 📬 Contact Data
Email address, telephone number, LINE ID, billing address, and correspondence address.
2.3 💳 Transaction and Financial Data
Payment details (processed via secure third-party payment gateways), service purchase history, and bank account numbers where a refund is required. We do not store complete payment card details on our own systems.
2.4 🖥️ Technical Data
Internet Protocol (IP) address, browser type and version, device identifiers, time zone settings, operating system, log files, and traffic data generated through your interaction with our website. Please refer to our Cookie Policy for further detail.
2.5 👤 Profile and Usage Data
Your interests in our Services, responses to surveys and questionnaires, feedback submitted to us, and records of your interactions with our website and correspondence.
2.6 ⚠️ Sensitive Personal Data
We do not, as a matter of general practice, collect Sensitive Personal Data. In the exceptional event that such data is required in the course of an advisory engagement (for example, in connection with an employment law or healthcare compliance matter), we shall obtain your explicit Consent in advance and implement enhanced safeguards appropriate to the sensitivity of such data.
2.7 Data Collected from Third Parties
We may, on occasion, receive Personal Data about you from third parties, including business partners, referral sources, or publicly available professional registries, to the extent permitted by applicable law.
3. ⚖️ Lawful Basis and Purposes of Processing
We Process your Personal Data only where we have a valid lawful basis under the PDPA. The lawful bases we rely upon, and the corresponding purposes, are as follows:
3.1 Contractual Necessity (Section 24(3) PDPA)
Where Processing is necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into such a contract. This includes:
- Registering and administering your user account;
- Preparing and executing consultancy agreements and engagement letters;
- Delivering the Services requested by you;
- Processing payments and issuing invoices.
If you do not provide the Personal Data necessary for the above purposes, we may be unable to enter into or perform our contractual obligations to you.
3.2 Compliance with Legal Obligations (Section 24(6) PDPA)
Where Processing is necessary for compliance with a legal obligation to which we are subject, including:
- Maintenance of statutory accounting records under the Thai Accounting Act;
- Compliance with tax reporting obligations under the Revenue Code;
- Responding to lawful requests, subpoenas, court orders, or directions from competent regulatory authorities, including the Office of the Personal Data Protection Committee ("PDPC").
3.3 Legitimate Interests (Section 24(5) PDPA)
Where Processing is necessary for the purposes of our legitimate interests or those of a third party, provided that such interests are not overridden by your interests or fundamental rights and freedoms. These legitimate interests include:
- Ensuring the security and integrity of our information systems and network infrastructure;
- Fraud prevention, detection, and investigation;
- Analytics and quality improvement of our Services;
- Client relationship management and business development activities;
- Enforcement or defence of legal claims.
3.4 Consent (Section 19 and Section 26 PDPA)
Where we are required by law to obtain your Consent before Processing, or where we elect to do so. This includes:
- Sending marketing communications, newsletters, and updates regarding our Services;
- Processing Sensitive Personal Data in exceptional circumstances.
You may withdraw your Consent at any time by contacting our DPO (Section 10) or by using the unsubscribe mechanism in our marketing communications. Withdrawal of Consent shall not affect the lawfulness of Processing carried out prior to such withdrawal.
4. 🤝 Disclosure of Personal Data
We treat your Personal Data as strictly confidential. We do not sell, rent, or trade your Personal Data. We may disclose your Personal Data to third parties only in the following circumstances and subject always to appropriate contractual and legal safeguards:
4.1 Service Providers and Data Processors
We engage carefully selected third-party service providers who act as Data Processors on our behalf, bound by written data processing agreements that comply with Section 40 of the PDPA. These include, without limitation:
- Cloud infrastructure providers: Amazon Web Services (AWS) and Google Workspace (Google LLC), for data hosting and storage;
- Audit and assurance services: Siri Audit, for statutory audit and financial review purposes;
- Technology consultants: Netbright and other IT service partners, for system maintenance and support;
- Legal and professional advisers: Partner law firms engaged in connection with specific client matters, subject to professional duties of confidentiality.
4.2 Regulatory and Governmental Authorities
We may disclose Personal Data to governmental bodies, courts, regulators (including the PDPC, the Revenue Department, and law enforcement authorities), where required to do so by applicable law, regulation, court order, or other lawful compulsion. We shall, to the extent permitted by law, endeavour to notify you of any such disclosure.
4.3 Corporate Restructuring and Business Transfers
In the event of a merger, acquisition, restructuring, sale of assets, or insolvency proceeding involving The Kooru, your Personal Data may form part of the assets transferred to a successor entity. Any such transfer shall be subject to confidentiality obligations no less protective than those set out in this Policy, and we shall notify you in advance where practicable and required by law.
5. 🌏 International Transfers of Personal Data
In connection with our use of cloud-based technology platforms (including Google Workspace and Amazon Web Services), your Personal Data may be transferred to and processed on servers located outside the Kingdom of Thailand, including in the United States, Singapore, and other jurisdictions.
Where we transfer Personal Data internationally, we shall ensure that:
- The destination country affords an adequate level of personal data protection as determined under applicable Thai law; or
- We have implemented appropriate transfer mechanisms, including binding data processing agreements incorporating standard contractual clauses or equivalent safeguards, in compliance with Section 28 of the PDPA; or
- The transfer falls within a recognised exception under the PDPA, including your explicit Consent or the necessity of the transfer for the performance of a contract.
We further require all international service providers to maintain information security standards consistent with ISO/IEC 27001 or equivalent international benchmarks. You may request further information regarding international transfer safeguards from our DPO.
6. 🗓️ Data Retention
We retain Personal Data for no longer than is necessary to fulfil the purposes for which it was collected, or as required or permitted by applicable law. Our principal retention periods are as follows:
- Accounting and tax records: A minimum of ten (10) years from the end of the relevant financial year, in compliance with the Thai Accounting Act and the Revenue Code;
- Contractual and engagement records: The duration of the relevant contractual relationship plus an additional period corresponding to the applicable statute of limitations (generally ten (10) years under the Thai Civil and Commercial Code) for the purposes of establishing, exercising, or defending legal claims;
- Marketing communications: Until you withdraw your Consent or opt out;
- Technical and usage data: As specified in our Cookie Policy, typically not exceeding twenty-four (24) months.
Upon expiry of the applicable retention period, we shall securely delete, destroy, or irreversibly anonymise the relevant Personal Data in accordance with our internal data disposal procedures and applicable legal requirements.
7. 🛡️ Security Measures
We are committed to robust data governance and have implemented a comprehensive framework of technical and organisational security measures designed to protect your Personal Data against unauthorised access, use, alteration, disclosure, or destruction, in accordance with the minimum standards prescribed by the PDPA and international best practice.
Our security measures include, without limitation:
- Encryption: Personal Data in transit is encrypted using TLS/HTTPS protocols; data at rest is encrypted using AES-256 or equivalent standards;
- Access controls: Role-based access controls, multi-factor authentication, and the principle of least privilege are applied across all systems;
- Vendor management: All Data Processors are subject to due diligence and contractual data security requirements;
- Incident response: We maintain a documented Personal Data Breach response procedure, including notification protocols to the PDPC and affected Data Subjects within the timeframes prescribed by the PDPA;
- Staff training: All personnel with access to Personal Data receive regular training on data protection obligations and security hygiene.
Notwithstanding the above, no method of electronic transmission or storage is entirely secure. You acknowledge that you provide Personal Data at your own risk, and we cannot absolutely guarantee the security of your data.
8. 🧑‍⚖️ Your Rights as a Data Subject
Subject to applicable legal limitations, you have the following rights under Chapter 3 of the PDPA with respect to your Personal Data held by us. You may exercise any of these rights by submitting a written request to our DPO using the contact details in Section 10:
| Right | Description | Basis (PDPA) |
|---|---|---|
| 🚫 Right to Withdraw Consent | You may withdraw any Consent previously given at any time. Withdrawal does not affect the lawfulness of prior Processing. | Section 19 |
| 🔍 Right of Access | You may request a copy of the Personal Data we hold about you and information regarding how it is Processed. | Section 30 |
| ✏️ Right to Rectification | You may request correction of inaccurate, incomplete, or misleading Personal Data. | Section 35 |
| 🗑️ Right to Erasure | You may request deletion or destruction of your Personal Data where Processing is no longer necessary, or where Consent is withdrawn and no overriding lawful basis applies. | Section 33 |
| ⏸️ Right to Restriction of Processing | You may request that we temporarily suspend Processing of your Personal Data in certain prescribed circumstances. | Section 34 |
| 📤 Right to Data Portability | Where Processing is carried out by automated means on the basis of Consent or contract, you may request receipt of your Personal Data in a structured, commonly used, and machine-readable format. | Section 31 |
| 🙅 Right to Object | You may object to Processing carried out on the basis of legitimate interests or for direct marketing purposes at any time. | Section 32 |
We shall respond to all valid requests within thirty (30) days of receipt, or such longer period as permitted by applicable law, and shall notify you of any extension. Where we are unable to comply with a request, we shall provide written reasons. You also have the right to lodge a complaint with the PDPC at www.pdpc.or.th.
9. 🍪 Cookies and Similar Technologies
Our website uses cookies, web beacons, pixel tags, and similar tracking technologies to enhance your user experience, analyse website traffic, and, where you have given Consent, to deliver targeted content and marketing communications.
You may manage your cookie preferences at any time by accessing our Cookie Settings panel, or by configuring your browser settings. Please note that disabling certain categories of cookies may impair the functionality of our website.
Full details of the cookies we use, their purposes, and their retention periods are set out in our Cookie Policy, which forms an integral part of this Policy.
10. 📮 Contact Information
If you have any questions, concerns, or complaints regarding this Policy or our Processing of your Personal Data, or if you wish to exercise any of your rights set out in Section 8, please contact us using the details below. We are committed to resolving all enquiries promptly and in good faith.
🏢 Data Controller
The Kooru Data Tech & Law (Thailand) Co., Ltd.
Mooban Sintorn, Happyland Road
Khwaeng Khlong Chan, Bang Kapi District
Bangkok 10240, Thailand
Website: www.kooru.com
👩‍⚖️ Data Protection Officer (DPO) / Legal Department
Attn: Khun Phuwara (DPO & Head of Legal)
Email: lawyer@kooru.com
Website: www.kooru.com
We endeavour to respond to all enquiries within 15 business days of receipt. For complex requests, we may require up to 30 days, and we shall inform you of any such extension.
11. 🔄 Amendments to This Policy
We reserve the right to amend, update, or replace this Policy at any time to reflect changes in applicable law, regulatory guidance, our data Processing activities, or the nature of our Services. The amended Policy shall take effect immediately upon publication on our website, and the "Last Updated" date at the top of this document will be revised accordingly.
Where any amendment is material — that is, where it significantly affects your rights or the manner in which we Process your Personal Data — we shall endeavour to provide you with advance notice by email or by a prominent notice on our website prior to the change taking effect, to the extent reasonably practicable.
We encourage you to review this Policy periodically. Your continued use of our Services following publication of an amended Policy constitutes your acknowledgement of such amendments.