1. Introduction
To comply with the Personal Data Protection Act, B.E. 2562 (2019), G Million Co., Ltd. (hereinafter referred to as the “Company”) recognizes the importance of personal data. The Company has thus implemented measures to protect the personal data of its users by establishing policies and guidelines for personal data protection to ensure compliance with the Personal Data Protection Act, B.E. 2562 (2019) and other relevant regulations.
2. Definitions
“Company” means Reto Hub Co., Ltd. and includes the personal data controller as defined by the Personal Data Protection Act. “Personal Data” means information relating to an individual that enables the identification of such person, whether directly or indirectly, but does not include information of a deceased person specifically. “User or Data Subject” means the owner of the personal data processed by the Company, including but not limited to website users, customers, employees, personnel, agents, and any individuals involved in the Company's activities and operations. “Personal Data Protection Laws” means the Personal Data Protection Act, B.E. 2562 (2019) and relevant subordinate legislation, including any future amendments.
3. Personal Data Collected by the Company
The Company will collect personal data related to the use of its services, which the Company will collect and process only with your consent or as permitted by law. This includes but is not limited to the following information:
3.1 Personal data of the users includes:
-
Title, First Name, Last Name, Date of Birth
-
Username and Password
-
Location data, including IP address
-
Government-issued identification, including photos of ID card, ID card number, and photos of passport or work permit (for foreigners)
3.2 Contact information includes:
-
Email address
-
Current address
-
Mobile Phone Number
-
Emergency contact information and other similar data
3.3 Financial information includes:
-
Credit/Debit card information
-
Security code (CCV Code)
-
Transaction data and purchase history that the users have made through the Company's platform
4. Personal data of minors, quasi-incompetent persons, and incompetent persons
The Company does not intend to collect, store, or process personal data of individuals under the age of 20, quasi-incompetent persons, or incompetent persons without the consent of their legal guardians, custodians, or curators, as applicable. The user certifies and guarantees that they have the legal right and capability to use the Company's platform. If a person under the age of 20, a quasi-incompetent person, or an incompetent person uses the service, it will be assumed that they have obtained consent from their legal guardians, custodians, or curators. If the Company becomes aware that it has unintentionally collected and processed personal data of individuals under the age of 20, quasi-incompetent persons, or incompetent persons without the required legal consent, the Company will promptly delete such personal data in accordance with its procedures outlined in this policy.
5. Sources of Personal Data
The Company will collect personal data of users obtained through the following channels:
5.1. Personal data obtained directly from users: The Company will collect personal data from users when they perform the following actions:
5.1.1 Registering for services with the Company or submitting requests for various rights specified with the Company
5.1.2 Completing surveys or interacting via email or other communication channels between the Company and the user, at the user's discretion
5.2. Automatically Collected Data: The Company collects certain information when users access the Company's website, log in, and interact with the Company, such as through the use of the Company's website or through the user's browser cookies. The Company collects users' IP addresses, location data, and other information permitted by the user's device settings.
6. Purposes of Collecting Personal Data
The Company collects, uses, or discloses your personal data for the following purposes:
6.1. For identity verification and authentication of users or members
6.2. For other purposes as required by law or relevant agreements
6.3. To obtain necessary information for providing services when users subscribe as members with the Company
6.4. To ensure secure communication for smooth transmission of user intent confirmations and handling of complaints
7. Processing of Personal Data
Once the Company receives users' personal data, it will proceed with the following actions on the personal data in accordance with the purposes stated in section 6, users' consent, or legal requirements.
7.1. The Company collects users' personal data. In order to access and use the Company's services, users must provide identifiable personal data so that the Company can effectively provide services. The Company may collect users' personal data in document format, and/or image format, and/or electronic file format.
7.2. Use of Users' Personal Data: The Company may process users' personal data based on the following legal bases:
7.2.1. Processing Based on Contract: When you register for services, you need to provide personal data to the Company. This data is necessary for the Company to process in connection with providing services and performing various activities related to the purposes stated in section 6, or to communicate with you, or to track and notify you of benefits from changes in service features, respond to inquiries, and notify you of changes. This is in accordance with the contract basis under the Personal Data Protection Act.
7.2.2. Processing Based on Consent: The Company may use your personal data to design or develop its services or marketing activities, or to collect, use, or disclose your personal data for direct marketing purposes when you have given consent. If you wish to withdraw your consent for such processing, you can contact the Company and express your intent as specified in section 10.
7.2.3. Processing Based on Legitimate Interest: The Company may process your personal data for its internal management and reporting purposes, to develop and maintain service standards, and to manage the Company’s risk. This is in accordance with the legitimate interest basis under the Personal Data Protection Act.
7.2.4. Processing Based on Legal Obligation: The Company may process your personal data to comply with laws governing its services, which may require the submission of information, such as under the Civil Procedure Code that empowers the court to order parties to submit documents or information in legal proceedings. This is in accordance with the legal obligation basis under the Personal Data Protection Act.
7.3. Disclosure of Personal Data to Third Parties: Generally, the Company will not disclose or transfer your personal data to external individuals or entities unless the Company has obtained your consent or is required to comply with applicable legal obligations. However, in order to conduct the Company's business according to the purposes specified in section 6 and the personal data processing outlined in section 7 of this policy, the Company may need to disclose or share some of your personal data to third parties (which may be located or provide services in Thailand or abroad) as follows:
7.3.1. Affiliated companies of the Company: When it is necessary to process data under the purposes specified in section 6 of this privacy policy.
7.3.2. Other financial institutions: When required by law to disclose information for financial transaction or fund tracing purposes in cases where you are a victim of financial crime or when suspicious funds are transferred to your account from financial crimes, or when you consent to the Company disclosing your personal data to complete a transaction.
7.3.3. Company's contractors, agents, and service providers (including but not limited to payment service providers, identity verification service providers, data analysis service providers, cloud or data center service providers, marketing and advertising service providers, media for public relations, email and messaging service providers, social media service providers, event management companies, customer relationship management system providers, and security and information technology development and maintenance service providers) when necessary to support the Company's business and to offer and respond to the use of the Company's products and/or services. The Company will establish personal data processing agreements as required by law.
7.3.4. Other relevant parties: In the event of the purchase, sale, transfer, merger of the Company, or organizational restructuring, it may be necessary to share data to complete the transaction or restructuring.
7.3.5. Government and regulatory agencies and external parties as required by law: When the Company has legal obligations or when legal processes compel the disclosure of information to courts, enforcement agencies, officials, regulators, legal advisors, the Company's authorized representatives, or any other person when the Company believes it is necessary to comply with the law or to protect the rights of the Company, third-party rights, or individual safety.
7.4. Data Transfer Abroad: The Company may send or transfer personal data for storage and/or processing as specified in this policy outside of Thailand. The Company will ensure that your data is transferred to a destination country or entity with adequate privacy protection standards and policies in accordance with applicable personal data protection laws.
8. Retention Period and Destruction Process of Personal Data
8.1. Personal Data Retention Period: The Company will retain personal data for each type according to the specified period as follows:
|
No. |
List of Personal Data |
Retention Period |
|---|---|---|
|
1 |
Subscription or Membership Withdrawal Records |
5 years |
|
2 |
Payment and Procurement Records |
5 years |
|
3 |
User Complaint or Dispute Records |
3 years |
|
4 |
Advertisement and Indication Records |
6 months |
|
5 |
Login Records |
3 months |
9. Data Subject Rights and Channels to Exercise Rights
Users have various rights related to their personal data under the criteria, methods, and conditions prescribed by the Personal Data Protection Act. You can exercise your rights as specified in this policy as follows:
9.1.Right to withdraw consent: Data subjects have the right to withdraw their consent for the processing of their personal data at any time while their personal data is held by the Company.
9.2. Right of access: Data subjects have the right to access and request their personal data, request the Company to provide a copy of such personal data, and request the Company to disclose the acquisition of personal data that the data subjects did not consent to be collected by the Company.
9.3. Right to rectification: Data subjects have the right to request the Company to correct inaccurate data or complete incomplete data.
9.4. Right to erasure: Data subjects have the right to request the Company to delete their data for certain reasons, such as:
-
When the personal data is no longer necessary for the purposes for which it was collected, used, or disclosed.
-
When the data subject withdraws consent for the collection, use, or disclosure of personal data.
-
When the data subject objects to the collection, use, or disclosure of personal data.
9.5. Right to restriction of processing: Data subjects have the right to restrict the processing of their personal data for certain reasons, such as:
-
When the data controller does not comply with the data subject's request to correct, update, complete, or prevent misunderstandings regarding personal data.
9.6. Right to data portability: Data subjects have the right to transfer their personal data provided to the Company to another data controller or to themselves for certain reasons.
9.7. Right to object: Data subjects have the right to object to the processing of their personal data for certain reasons. If you wish to exercise the rights of data subjects specified in this section, you can do so by submitting a request through the following channels:
-
Send an email to the Company's Data Protection Officer as specified in the "Contact Information" section of this privacy policy, using the subject line "Request to Exercise Data Subject Rights" or
-
Fill out the Data Subject Rights Request Form.
Before processing your rights request, the Company may need to request additional information from you to verify your identity. If the request is submitted by an authorized representative, the Company will use the provided personal data solely for the purpose of verifying and processing the data subject's rights request. If the Company accepts the request for consideration, it will review and notify you of the outcome within 30 days of receiving the request. Please note that if the Company is required by law to deny or is unable to fulfill your request, it will inform you of the reasons for the denial.
10. Marketing and Promotional Activities
During the service usage, the Company will send information about marketing and promotional activities, products, and services of the Company that may interest users for the benefit of providing efficient services. If users agree to receive such information from the Company, they have the right to withdraw their consent at any time. Users can cancel their consent to receive such notifications.
11. Personal Data Protection Measures
The Company has implemented systems and security measures within the Company by selecting appropriate data storage systems with mechanisms and techniques, along with security measures in accordance with the Personal Data Protection Act. This includes restricting access to your personal data by the Company’s employees, staff, and agents to prevent unauthorized use, disclosure, destruction, or access to your personal data and to ensure data recovery in case of unforeseen incidents.
12. Changes to Privacy Policy
To comply with best practices and the Personal Data Protection Act, the Company reserves the right to change this privacy policy from time to time and as permitted by law. The Company will announce such changes on its website. The revised privacy policy will take effect on the date it is published on the website. The Company recommends that you regularly review this privacy policy. Your continued use of the Company’s website after changes have been made to the privacy policy will be deemed as your acceptance of the revised policy.
13. Contact Channels
If you have any questions about the Company’s practices regarding the collection, use, disclosure, and/or transfer of personal data, or if you wish to exercise your rights under the Personal Data Protection Act, you can contact us at:
บริษัท จี มิลเลี่ยน จำกัด
ที่อยู่สำนักงาน เลขที่ 89 ชั้น 8 ห้อง 801 อาคาร เอไอเอ แคปปิตอล เซ็นเตอร์ ถ.รัชดาภิเษก แขวงดินแดง เขตดินแดง กรุงเทพมหานคร 10400