Privacy Policy

1. Data Controller

HomeIT Business & Consultancy ("we", "us", or "our") operates the FirmFlow platform ("Service"). We are the data controller responsible for your personal data as defined under Thailand's Personal Data Protection Act B.E. 2562 (PDPA).

Contact: support@thailand-saas.com

2. Personal Data We Collect

We collect the following categories of personal data:

• Account data — name, email address, job title, firm name
• Billing data — bank account details or QR payment references provided for subscription payments
• Usage data — pages visited, features used, session duration, browser type, IP address
• Client data you upload — any personal data about your firm's clients that you enter into FirmFlow; you are the data controller for this data and we act as data processor
• Communications — emails and messages you send to our support team

3. Legal Basis for Processing

We process your personal data on the following legal bases under PDPA:

• Contract performance — to provide, maintain, and support the FirmFlow service you have subscribed to
• Legitimate interest — to improve the platform, prevent fraud, and ensure security
• Legal obligation — where required by Thai law
• Consent — for marketing communications (you may withdraw consent at any time)

4. How We Use Your Data

• Provision and operation of the FirmFlow platform
• Processing subscription payments via bank transfer or QR code
• Sending service-related notifications (billing receipts, downtime alerts, product updates)
• Responding to support requests
• Analysing aggregate usage to improve product features
• Complying with legal and regulatory obligations

5. Data Sharing and Sub-Processors

We do not sell your personal data. We share data only with:

• Cloudflare, Inc. — website hosting, CDN, and DDoS protection. Cloudflare may process metadata (IP addresses, request logs) as part of delivery. See Cloudflare's Privacy Policy.
• Google Workspace — internal business communications and document storage
• Law enforcement or regulators — only when required by a valid legal obligation under Thai law

We do not use any third-party payment processors; all payments are handled directly via bank transfer or QR code and no payment credentials are stored on our servers.

6. Data Retention

• Account data — retained for the duration of your subscription plus 3 years after termination, or as required by Thai accounting and tax law
• Usage logs — retained for 90 days
• Support communications — retained for 2 years
• Client data you upload — deleted within 30 days of account closure upon request

7. Your Rights Under PDPA

As a data subject under Thailand's PDPA, you have the right to:

• Access — request a copy of the personal data we hold about you
• Rectification — request correction of inaccurate or incomplete data
• Erasure — request deletion of your data where there is no overriding legal basis to retain it
• Portability — receive your data in a structured, machine-readable format
• Objection — object to processing based on legitimate interest
• Restriction — request that we limit processing of your data in certain circumstances
• Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing

To exercise any of these rights, email us at support@thailand-saas.com. We will respond within 30 days as required by PDPA.

8. Cookies

We use the following types of cookies:

• Essential cookies — required for login sessions and platform functionality; cannot be disabled
• Analytics cookies — aggregate, anonymised data to understand how the platform is used

You can control analytics cookies through your browser settings. Disabling essential cookies will prevent you from using the platform.

9. Data Security

We use industry-standard security measures including TLS encryption in transit, access controls, and Cloudflare's security infrastructure. No method of transmission over the internet is 100% secure; we will notify you promptly in the event of a data breach that affects your personal data, as required by PDPA.

10. International Transfers

Your data is primarily stored and processed within Cloudflare's network. Cloudflare may route traffic through servers outside Thailand as part of its global CDN. Where data is transferred internationally, Cloudflare maintains appropriate safeguards consistent with PDPA requirements.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email and by updating the "Last updated" date above. Continued use of FirmFlow after the effective date constitutes acceptance of the revised policy.

12. Contact

For any privacy-related questions or to exercise your PDPA rights, contact:
HomeIT Business & Consultancy
support@thailand-saas.com