
Privacy Policy
Thai International Harvest Auction Center Co., Ltd. (THAINT)
Effective Date: 15/08/2025
1) Introduction
1.1 This Privacy Policy explains how THAINT collects, uses, discloses, transfers, and protects personal data relating to users of our auction ecosystem—Buyers, Sellers, logistics partners, visitors, and other participants—across online systems and on-site auction centers.
1.2 We comply with applicable data protection laws, including Thailand’s PDPA B.E. 2562, the EU/UK GDPR, and (when applicable) China’s PIPL. Where these laws conflict, we apply the stricter protection, or otherwise act as required by local law.
1.3 This Policy complements (and does not replace) our General Terms & Conditions, Auction Regulations, Cookies Policy, CCTV Notice, and any processing-specific notices you see in our platform or facilities.
2) Identity of the Controller & Contact
Controller: Thai International Harvest Auction Center Co., Ltd. (THAINT)
Registered Address: 239/1 Moo 3, Paknam, Langsuan, Chumphon, Thailand
Data Protection Officer (DPO): admin@thaint.auction
EU/UK/China representatives: If/when legally required, we may appoint a local representative; details will be published in this section.
3) Scope & Audience
3.1 Applies to personal data processed via: (a) our website/app, (b) onboarding forms, (c) email/phone/chat, (d) on-site centers (including CCTV and visitor logs), and (e) integrations (e.g., payment, logistics, identity verification).
3.2 This Policy covers all users (Buyers, Sellers, suppliers, visitors, staff of counterparties). It does not cover third-party websites/services linked from our platform.
4) Definitions (plain-English)
Personal Data: Any information that identifies or can identify a natural person.
Sensitive Data: Data on health/biometrics, religion, ethnicity, etc. (processed only if permitted by law and necessary).
Processing: Any operation performed on data (collect, store, analyze, transmit, etc.).
Controller/Processor: We usually act as Controller. We may act as Processor for certain Seller services (e.g., white-label listings) under a Data Processing Addendum (DPA).
Profiling/Automated Decision-Making (ADM): Automated evaluation of aspects relating to a person; we do not make legally binding decisions solely by automation about users.
5) Roles & Relationship of the Parties
5.1 THAINT as Controller: for platform operations, KYC/verification, auction participation, billing, site security, CCTV.
5.2 THAINT as Processor: for optional Seller-managed programs (e.g., Seller exports buyer lists into THAINT tools); in such cases, a DPA governs instructions and security.
5.3 Joint Controllers: If we co-host an auction with a partner and jointly decide purposes/means, we will provide a joint controller notice explaining responsibilities.
6) Data We Collect & Sources
A. Identity & Contact: name, title, date of birth, nationality, ID/passport, company details, tax/VAT, address, phone, email, messaging IDs (LINE/WeChat/WhatsApp).
B. Account & Authentication: user IDs, roles, hashed passwords, 2FA tokens, access logs.
C. Business & Transaction: lots viewed/bid/won, invoices, payments, credit notes, delivery docs, claims & disputes.
D. Technical & Usage: IPs, device/browser data, cookies/SDK events, error logs, session telemetry, anti-fraud signals.
E. Media & Facility: CCTV within centers, visitor logs, access badges, time of entry/exit.
F. Quality/Traceability (product-linked): RFID/QR codes, CT-scan/AI QC outputs (e.g., maturity class, defects), cold-chain telemetry (temperature, timestamps).
G. Communications: emails, chat transcripts, call notes, support tickets.
H. Marketing Preferences: opt-in/opt-out records, newsletter engagement.
Sources: directly from you; your employer (for B2B accounts); public registers; logistics/payment partners; anti-fraud vendors; on-site systems (CCTV, access control); cookies/SDKs.
7) Children
Our services are for adults (18+). We do not knowingly collect children’s data. If we learn we’ve collected it, we will delete it unless retention is legally required.
8) Purposes & Legal Bases (GDPR / PDPA / PIPL)
We process personal data only when we have a valid legal basis.
The matrix below maps typical operations:
Purpose | Examples | Legal Basis |
---|---|---|
Registration & ID verification | KYC, business license, tax ID | Contract; Legal obligation; Legitimate interests (fraud prevention) |
Auction operations | Listing, bidding, auction clock logs | Contract; Legitimate interests (secure, fair platform) |
Payments & invoicing | Billing, receipts, chargebacks | Contract; Legal obligation (tax) |
Quality & traceability | CT-scan outputs, RFID/QR linkage, cold-chain logs | Contract; Legitimate interests (food safety & transparency) |
Security & fraud prevention | Access logs, anomaly detection, IP risk | Legitimate interests; Legal obligation (upon request) |
Customer support & disputes | Tickets, returns/claims | Contract; Legitimate interests |
Marketing communications | Newsletters, events | Consent (where required); Legitimate interests (B2B) |
Compliance & audits | Regulator inquiries, court orders | Legal obligation |
Analytics & product improvement | Performance metrics, UX | Legitimate interests; Consent for non-essential cookies |
Automated decision-making:
We do not make decisions with legal or similar significant effects solely by automation about Buyers/Sellers.
Risk scoring/flags are reviewed by staff.
9) Special Notes on RFID/QR, CT-Scan & IoT Telemetry
9.1 Product QC data (e.g., maturity, defects) is linked to lots, not to natural persons. However, when traceability links a lot to a sole proprietor, that linkage can be personal data under PDPA/GDPR/PIPL.
9.2 We store the minimum necessary QC outputs, timestamps, and device IDs to ensure traceability, recalls, and fair auction information.
9.3 QC outputs are advisory aids for Buyers; Buyers remain responsible for fitness for purpose unless a contract provides otherwise or consumer law applies.
10) Cookies, Pixels & SDKs
10.1 We use essential cookies (authentication, security), functional cookies (preferences), and analytics/marketing cookies or SDKs (only with consent where required).
10.2 You can manage cookies in your browser; essential cookies are required for core features (login, bidding). See our Cookies Policy for full details.
11) Disclosures & Recipients
We may share data with:
Government & regulators (lawful requests, customs/food safety).
Payment providers & banks (billing, anti-fraud).
Logistics & cold-chain partners (delivery, temperature integrity).
IT/security vendors (hosting, DDoS, email/SMS gateways, analytics).
Professional advisors (lawyers, auditors, insurers).
Partners in co-hosted auctions (as notified).
We do not sell personal data.
12) International Data Transfers
12.1 Where data is transferred out of Thailand/EEA/UK/China, we use approved safeguards: SCCs (EU 2021/914), addenda for UK, PIPL standard contracts or security assessments for China, and equivalent mechanisms.
12.2 We assess recipient country laws and vendors’ security before enabling transfers.
13) Retention Policy
We retain data only as long as needed for stated purposes or to meet legal duties.
Indicative schedule:
Category | Typical Retention |
---|---|
Account & KYC docs | Active account + 5–10 years after last transaction (tax/audit) |
Auction logs, invoices, receipts | 10 years (tax/accounting) |
QC/traceability (RFID/CT/temperature) | Lot lifetime + recall limitation period (typically 5–10 years) |
Support tickets & disputes | Case close + 5 years |
CCTV footage | 30–90 days unless incident requires longer |
Cookies/analytics events | Per cookie/SDK policy (e.g., 13–26 months) |
Marketing preferences | Until opt-out + minimal proof of consent for 5 years |
Note: Actual periods may vary by law or litigation holds.
14) Security Measures
We implement layered technical/organizational measures, including:
Encryption in transit (TLS) and at rest for sensitive fields.
Role-based access control (RBAC), least privilege, MFA for admins.
Network segmentation, WAF/DDoS, anti-malware, endpoint protection.
Secure development lifecycle, code reviews, vulnerability scanning.
Audit logs for privileged actions; regular access reviews.
Staff confidentiality agreements and PDPA/GDPR training.
Vendor security assessments and DPAs with processors.
No system is 100% secure; we continuously review and improve these measures.
15) Data Breach & Incident Response
15.1 We operate a formal incident response plan.
15.2 Where required, we notify the regulator without undue delay (aiming for within 72 hours under GDPR-style standards) and affected individuals when the breach is likely to result in a high risk to rights and freedoms.
15.3 Notifications describe what happened, data types, our mitigation, and steps you can take.
16) Your Rights
Depending on your location, you may have the right to access, rectify, erase, or restrict the processing of your data, to object to processing, to data portability, and to withdraw consent.
How to exercise: email admin@thaint.auction.
Verification: we may request reasonable proof of identity/authority.
Response time: we aim to respond within 30 days (extendable by law for complex cases).
Complaints: You may lodge a complaint with Thailand’s PDPC or your local authority.
17) Consent Management & Marketing
17.1 Non-essential cookies/marketing require consent in certain jurisdictions. You may withdraw consent at any time in your preferences or by contacting us.
17.2 For B2B communications, we rely on legitimate interests where permitted; you can always unsubscribe.
18) Accuracy & Your Responsibilities
18.1 Please keep your data accurate and up to date.
18.2 Business accounts must ensure only authorized staff access the platform and follow company and THAINT security rules.
19) Supplier/Seller-Provided Data
If you upload Buyer data (or other personal data) to THAINT tools, you must ensure you have a legal basis and provide required notices. We can provide a DPA upon request where THAINT acts as a processor.
20) Sub-Processors & Vendor Management
We engage vetted service providers under written contracts with confidentiality, security, and PDPA/GDPR/PIPL-compliant terms. A current list of categories (and, where legally required, specific vendors) can be provided upon request.
21) CCTV & On-Site Notices
21.1 We use CCTV in auction facilities for safety, theft prevention, and incident investigation.
21.2 Signs are posted at entry points; footage is retained 30–90 days unless required longer for incidents.
21.3 Access to footage is restricted to authorized personnel, or to law enforcement upon lawful request.
22) Law Enforcement & Legal Requests
We disclose data only when legally required (court orders, regulator mandates) or to protect life/safety. Where permissible, we will notify affected users before disclosure.
23) Automated Tools, Fairness & Transparency
We use anomaly detection and risk signals to protect the integrity of the auction (anti-bot, anti-fraud). These tools do not make final or legally binding decisions about you without human review.
24) International & Jurisdiction-Specific Notices
Thailand (PDPA): lawful bases, consent for sensitive data, and breach notifications align with PDPA guidance.
EU/UK (GDPR/UK-GDPR): additional rights include data portability and automated decision-making safeguards; SCCs for transfers.
China (PIPL): cross-border transfers use standard contracts or security assessments; local storage is considered where required.
25) Changes to This Policy
We may update this Policy periodically. We will post changes with a new Effective Date and, where significant, provide more prominent notice or seek renewed consent if required by law.
26) Contact & DPO
Data Protection Officer (DPO)
Thai International Harvest Auction Center Co., Ltd.
239/1 Moo 3, Paknam, Langsuan, Chumphon, Thailand
Email: admin@thaint.auction
27) Quick Reference – Processing Summary (Annex)
Processing Activity | Data Involved | Recipients | Legal Basis | Typical Retention |
---|---|---|---|---|
Registration & KYC | Identity, company docs | THAINT, KYC tools | Contract; Legal obligation | Account life + 5–10 yrs |
Auction Operation | Account, logs, bids | THAINT systems | Contract; Legitimate interests | 5–10 yrs |
Payments | Billing, bank refs | Banks, PSPs | Contract; Legal obligation | 10 yrs |
QC/Traceability | RFID/QR, CT outputs | THAINT, logistics | Contract; Legitimate interests | 5–10 yrs |
Security & Fraud | IP/device, flags | Security vendors | Legitimate interests | Rolling logs 12–24 mos |
Marketing | Contact, preferences | Email/SMS tools | Consent / Legitimate interests | Until opt-out (+ proof 5 yrs) |
CCTV | Video | Security team, police | Legitimate interests | 30–90 days |