pdpa

pdpa notice.

last updated: · en · thailand

1. who we are.

this notice applies to th.piexels.co. the data controller is Piexels. the bangkok studio runs with a local senior partner and serves thai residents directly.

for the full privacy policy covering both PDPA and GDPR, see /th/legal/privacy. this page is the Thai-specific summary.

2. what we collect.

  • contact data you submit via the intake form or by email: name, company, email, project type, budget band, timeline, message.
  • billing data when you become a paying client: legal entity, tax number, billing address.
  • technical logs and aggregate analytics, with no personal identifier joined to the analytic counts.

3. why we collect it.

we collect personal data to answer your inquiry, deliver the engagement, issue invoices, and meet our legal obligations under thai and applicable foreign law. legal bases are consent, contract performance, legitimate interest, and legal obligation under PDPA Sections 19 and 24.

4. retention.

  • inbound contact data: up to 24 months from the last interaction.
  • contract and invoice data: minimum 7 years for accounting purposes.
  • technical logs: 30 days maximum.

5. your rights under pdpa.

the Personal Data Protection Act B.E. 2562 (2019) grants you the following rights, exercisable by writing to bangkok@piexels.co. we respond within 30 days.

  • access (Section 30): receive confirmation that we hold data on you and a copy of that data.
  • portability (Section 31): obtain your data in a structured, machine-readable format.
  • objection (Section 32): object to certain processing activities.
  • deletion (Section 33): request erasure where the legal basis no longer applies.
  • suspension (Section 34): ask us to suspend processing while a complaint is being resolved.
  • correction (Section 36): have inaccurate or outdated data corrected.
  • withdraw consent (Section 19): withdraw any consent you previously gave, with effect for the future.

6. data protection contact.

all PDPA inquiries and rights requests route to bangkok@piexels.co and are answered within 30 days.

7. cross-border transfers.

we use subprocessors located outside Thailand (Vercel, Stripe, Supabase, Resend, Wise). PDPA Section 28 transfers rely on PDPC-recognised mechanisms: standard contractual clauses with the subprocessor where adopted, binding corporate rules where available, or explicit consent under Section 28(7) when neither applies. the EU-US Data Privacy Framework is not a valid mechanism under PDPA. transfer mechanism documents are available on request.

8. complaint route.

if you believe your PDPA rights have been violated, you can complain to the Personal Data Protection Committee (PDPC), Ministry of Digital Economy and Society, Bangkok. before escalating, we ask that you give us the chance to resolve the matter directly by writing to bangkok@piexels.co.