Privacy Notice for Customers

ServerToday (Thailand) Co., Ltd.

ServerToday (Thailand) Co., Ltd. ("the Company") places great importance on protecting the personal data of its customers, including individuals acting on behalf of juristic persons who are data subjects. The Company is committed to ensuring the security of your personal data in compliance with the Personal Data Protection Act B.E. 2562 and other applicable laws. This Privacy Notice explains the details of how we collect, use, and disclose ("process") your personal data, as well as your legal rights as a data subject.

Effective Date: May 6, 2025
Document ID: ISMS-1PC-006

Quick Navigation

1. Data Subjects2. Personal Data3. Sources of Personal Data4. Types of Personal Data Collected5. Purposes of Processing6. Disclosure of Personal Data7. Cross-Border Data Transfers8. Data Retention9. Data Protection Measures10. Data Subject Rights11. Third-Party Website Links12. Contact Information13. Governing Law14. Privacy Notice Updates

1. Data Subjects

This Privacy Notice covers personal data of job applicants and company personnel such as consultants, executives, officers and current employees, former employees, interns, and any persons related to the Company's personnel such as employees' family members, emergency contacts, etc.

"Customer" means any person who is a target of the Company's product or service sales operations, including participants in marketing campaigns or activities, persons interested in products or services through various channels, and/or users of the Company's services through online and electronic media. This also includes persons legally authorized to act on behalf of customers, such as guardians of minors, guardians of incompetent persons, and curators of quasi-incompetent persons.

2. Personal Data

"Personal Data" means information about an individual that can identify that person, directly or indirectly, excluding data of deceased persons specifically. Examples include name, surname, nickname, address, phone number, national ID number, passport number, social security number, driver's license number, tax ID, bank account number, credit card number, email address, IP address, Cookie ID, Log File, etc.

The following is not considered personal data: business contact information that does not identify an individual (e.g., company name, company address, corporate registration number, work phone numbers, work email such as info@servertoday.com), anonymous data, pseudonymous data that cannot re-identify individuals, and data of deceased persons.

"Sensitive Personal Data" means personal data relating to race, ethnicity, political opinions, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union data, genetic data, biometric data, or other data that affects the data subject in a similar manner as determined by the Personal Data Protection Committee. The Company handles such data with special care and will only collect, use, and/or disclose sensitive data with explicit consent or as permitted by law.

Throughout this Privacy Notice, unless specifically stated otherwise, "Personal Data" and "Sensitive Personal Data" relating to the data subject above shall be collectively referred to as "Personal Data".

Where the Company receives a copy of your national ID card or extracts data electronically for identity verification and legal transactions, the data may include religious information (sensitive data). The Company does not intend to collect such data and requests that you redact or obscure this information. If you do not do so, the Company reserves the right to redact it to protect your sensitive personal data.

3. Sources of Personal Data

The Company collects personal data and/or sensitive data through the following processes:

3.1 Data provided directly by you

Such as data from service applications and supporting documents, personal data or other data change requests, service requests, product or service inquiries, complaints, account or profile registrations via both offline and online channels, contact with the Company in any form (including written, verbal, image, and audio), surveys, feedback through various channels, and visits to the head office, branch offices, customer service centers, or exhibition booths, etc.

3.2 Data collected automatically

When you use the Company's services or visit the website via electronic devices (mobile phones, computers, laptops, etc.) using technology called "cookies" or similar technologies.

3.3 Data from external sources

Reliable public data sources including the Department of Provincial Administration, Department of Business Development, commercial data sources, websites, applications, social media, data providers, agencies, or associations related to your products or services.

3.4 Data from your interactions with the Company

Data from interactions with Company employees, agents, partners, or authorized representatives through websites, applications, social media, phone, email, meetings, interviews, SMS, fax, mail, video calls, or other means. Data may be collected in text, image, and audio formats.

3.5 Data from marketing activities

Data from participation in marketing campaigns, contests, lucky draws, events, or competitions organized by or on behalf of the Company and/or partners. When you provide third-party personal data, you warrant the accuracy of such data and confirm that you have informed those persons about this Privacy Notice.

4. Types of Personal Data Collected

The Company may collect the following types of personal data:

  • General Personal Data

    Name, surname, age, date of birth, nationality, national ID number, passport

  • Contact Information

    Address, phone number, email

  • Account Data

    User account, usage history

  • Identity Documents

    Copy of national ID card, copy of passport

  • Transaction & Financial Data

    Purchase history, credit card details, bank account

  • Technical Data

    IP address, Cookie ID, website usage history

  • Other Data

    Photos, videos, and other data considered personal data under applicable law

5. Purposes of Collection, Use, and Disclosure

The Company collects, uses, or discloses your personal data under the following legal bases:

  • Contract
  • Legal Obligation
  • Legitimate Interest
  • Vital Interest
  • Consent — The Company will request your consent where required by law, or where none of the above legal bases are applicable to the personal data collected from you.

The purposes for collecting, using, and disclosing customers' personal data include, for example:

  • To create and manage user accounts for registration and account management
  • To deliver products or services as ordered or requested
  • To improve products, services, or user experience
  • For internal business management, analytics, auditing, and financial management
  • For marketing and promotions, sending information about offers and special deals
  • For after-sales service, customer support, and complaint management
  • To collect feedback through satisfaction surveys and customer opinions
  • To process payments for products or services
  • To perform contractual obligations and service terms
  • To comply with laws and regulatory requirements

6. Disclosure of Your Personal Data

To fulfill the purposes stated in this Privacy Notice, your personal data may be disclosed to:

6.1 Within the Company

Disclosed to relevant internal departments on a need-to-know basis.

  • Sales staff or other relevant departments, with access rights defined according to their roles and responsibilities.
  • Executives or your direct supervisors who are responsible for management or decision-making concerning you, or when HR-related procedures are involved.
  • Support functions such as IT, accounting, finance, procurement, and marketing communications.

6.2 Outside the Company

Your personal data may be disclosed or transferred to the following external organizations:

  • Government agencies and regulators as required by law (e.g., Revenue Department, Social Security Office, Department of Labour Protection, Bank of Thailand, SEC, Ministry of Commerce)
  • Agents, contractors, and service providers (e.g., payroll processing, provident funds, banks, insurance, training, travel, office buildings, external auditors, and consultants). The Company ensures these providers comply with legal requirements and protect your data appropriately.
  • External organizations or persons for transaction verification purposes and to provide products or services matching your needs.

7. Cross-Border Data Transfers

The Company may transfer your personal data internationally when necessary:

7.1 The Company may send or transfer your personal data to other persons both domestically and internationally where necessary to fulfill a contract you are party to, or pursuant to a contract between the Company and another person or juristic person for your benefit, or to carry out your pre-contractual request, or to prevent or suppress harm to the life, body, or health of you or others, to comply with law, or as necessary to carry out a mission of significant public interest.

7.2 The Company may store your data on computers, servers, or clouds operated by third parties, and may use software or platform services provided by third parties to process your personal data. The Company will not allow unauthorized persons to access personal data and will require such third parties to maintain appropriate personal data security measures.

7.3 Where it is necessary to send or transfer your personal data internationally, the Company will comply with personal data protection law and implement appropriate measures to ensure your data is protected, that you can exercise your rights as required by law, and that recipients maintain appropriate data protection measures, process the data only as necessary, and take steps to prevent unauthorized use or disclosure.

8. Data Retention

The Company retains your personal data as follows:

  • 8.1 The Company will retain your personal data for as long as necessary, taking into account the necessity and purposes for which it was collected, used, and processed, including compliance with applicable legal requirements.
  • 8.2 The Company will continue to collect, use, and disclose your personal data even after the termination of your relationship with the Company, to the extent necessary under applicable legal requirements for legitimate interests, or by storing it in a form that does not identify you directly or indirectly, such as "Anonymous Data" or "Pseudonymous Data".
  • 8.3 The Company may retain your personal data for as long as necessary to fulfill the purposes of processing described in this Privacy Notice. The Company will retain your personal data for no more than 10 years after the date your relationship ends or your last contact with the Company, unless the law permits longer retention.
  • 8.4 To align with relevant limitation periods, the Company will store your personal data in appropriate formats according to data type. Where necessary, the Company may continue to retain your personal data beyond the applicable legal limitation period for the legitimate interests of the data controller, unless such interests are outweighed by your fundamental rights in the personal data.
  • 8.5 The Company will review and delete, destroy, or permanently anonymize personal data upon expiry of the retention period, when data is no longer relevant or necessary for the purposes of collection, or when the Company must comply with your valid deletion request.

9. How We Protect Your Personal Data

The Company implements measures in accordance with Section 37 of the PDPA and ISO/IEC 27701 standards, including appropriate technical, physical, and organizational security measures to prevent unauthorized loss, access, use, alteration, modification, or disclosure of personal data, including:

  • Access control with authentication and authorization systems
  • Data encryption for stored and transmitted data
  • Logging and monitoring of data-related activities
  • Data backup and disaster recovery (DR & BCP)
  • PDPA and ISO/IEC 27701 training for employees and stakeholders
  • Regular review, testing, and assessment of security measures
  • Requiring data recipients to maintain confidentiality and process data only as specified by the Company

10. Data Subject Rights

Data subjects have the following rights regarding their personal data:

10.1 Right to Withdraw Consent

You may withdraw consent at any time while the Company retains your data, unless restricted by law or a contract that benefits you. Note: Withdrawal may affect your access to certain services, benefits, or information. For your own benefit, please consider the impact before proceeding.

10.2 Right to Access

You may request access to and copies of your personal data, including information about its sources. Exception: The Company may refuse if disclosure would affect others' rights or is prohibited by law or court order.

10.3 Right to Data Portability

You may request your data in a machine-readable format and request transfer to another controller, where technically feasible. Note: This right applies only to data provided with your consent or necessary for the Company's service delivery.

10.4 Right to Object

You may object to processing based on legitimate interests or public interest. The Company will cease processing unless it can demonstrate compelling legal grounds or the processing is necessary for legal claims. You may also object to the use of your data for marketing or scientific, historical, or statistical research purposes.

10.5 Right to Erasure

You may request deletion, destruction, or anonymization of your data if it was processed unlawfully, is no longer necessary, or you have withdrawn consent or exercised your right to object. Exception: Where the Company has a legal obligation or the data is necessary for legal claims.

10.6 Right to Restrict Processing

You may request temporary suspension of processing, for example while awaiting verification of a correction or objection request, or when the Company should delete data under law but you request restriction instead.

10.7 Right to Rectification

You may request correction of your data to ensure it is accurate, current, complete, and not misleading.

10.8 Right to Complain

If you believe the Company has collected, used, or disclosed your data in violation of law, you may file a complaint with the competent authority.

Additional Note: The exercise of the above rights may be limited by law, such as when the Company has legal obligations or court orders, or when exercising the right would violate others' rights. If a request must be denied, the Company will clearly explain the reasons.

12. Contact Information

If you have questions or wish to exercise your rights, please contact:

Data Controller

ServerToday (Thailand) Co., Ltd.

111/128 Moo 2, Ratchaphruek Rd., Bangraknoi, Mueang Nonthaburi, Nonthaburi 11000

dpo@servertoday.com
www.servertoday.com
02-026-3112

Data Protection Officer

DPO Team

111/128 Moo 2, Ratchaphruek Rd., Bangraknoi, Mueang Nonthaburi, Nonthaburi 11000

dpo@servertoday.com
02-026-3112

13. Governing Law

This Privacy Notice is governed by and interpreted in accordance with Thai law. Thai courts shall have jurisdiction over any dispute that may arise.

14. Changes to This Privacy Notice

The Company regularly reviews this Privacy Notice to ensure consistency with practices and applicable laws. Any significant changes will be communicated through appropriate channels along with the updated version. We recommend checking this notice periodically.

This notice is effective as of May 6, 2025

Download Document ID: ISMS-1PC-006