PRIVACY · VERSION 2026-05-05
← ← MPBxChange Home|ASEAN|
LIVE
Matching · Escrow · Digital Contract · source, sign & settle cross-border industrial trade
updated 60s
MPBxEXCHANGE
Sign InBrowse suppliers

Privacy Policy

Effective 2026-05-05 · PDPA B.E. 2562 (2019)

The English version of this policy is the authoritative text. Translations are provided for convenience; in case of any discrepancy, the English version prevails.

1. Who is the data controller

MPBxChange, operated by [Operating Entity, registered in Thailand], is the Data Controller for personal data processed through the platform. Contact: dpo@mpbxchange.com (Data Protection Officer).

2. What data we collect

The platform collects the following categories of personal data:

  • Identity: name, email, phone, employer, job title.
  • Authentication: hashed password, MFA factors, session tokens, IP address, user-agent.
  • KYC documents: business registration, tax ID, bank account proof, beneficial-owner declaration, ISO/IATF/IEC/UL/FDA certifications, factory licences, etc. — uploaded for the purpose of trust verification.
  • Transactional: listings posted, RFQs sent, quotes received, contracts signed, milestones advanced, disputes raised, comments posted.
  • Audit log: every action (create, update, sign, advance, comment) timestamped with IP address and user-agent.
  • Payment metadata: bank reference numbers and payment status (we do not store card numbers; where the Parties designate an escrow arrangement, it is administered by the provider they designate — MPBxChange never holds funds).
  • Cookies: see §9 — categorical consent.

3. Lawful basis (PDPA §24-§25)

We process personal data on the following lawful bases:

ActivityLawful basis
Account creation, login, contract executionContractual necessity §24(3)
KYC verification, sanctions screeningLegal obligation under AMLA §24(6)
Trust score, transaction history displayLegitimate interest §24(5) — platform integrity
Audit logging for regulatory + dispute purposesLegitimate interest §24(5) + Legal obligation §24(6)
Marketing emails, product announcementsConsent §24(1) (revocable)
Cookies (analytics + marketing)Consent §24(1)

4. Who we share data with (processors)

The platform uses the following third-party processors. A Data Processing Agreement is in place with each per PDPA §40.

ProcessorPurposeLocation
Supabase Inc.Database, storage, authenticationUnited States (Singapore region)
Vercel Inc.Application hosting + CDNUnited States
Resend Inc.Transactional + system emailsUnited States
Designated settlement provider (where the Parties use one)Escrow account administrationThailand
Sanctions-screening providerAML / sanctions list checkingEU / SG (TBA)
Vemaps.comThailand outline SVG (no PII)EU

We do not sell personal data to advertisers or data brokers. We do not share personal data outside this list of processors except: (a) when ordered by a competent court or regulator; (b) when required to honour AMLA reporting obligations; (c) when a successor entity acquires MPBxChange.

5. Cross-border data transfers (PDPA §28)

Some of our processors are located outside Thailand (United States, Singapore, European Union). Where the destination jurisdiction has not been recognised by the PDPC as providing adequate protection, we rely on:

  • Standard Contractual Clauses (SCCs) with the processor, mirroring the EU model and approved under PDPA §28.
  • Your explicit consent, captured at registration.
  • Contractual necessity for cross-border counterparty introduction (a Thai buyer’s data shared with a Japanese supplier they engage).

6. How long we keep data (retention)

DataRetention period
Account profile + login credentialsUntil account closure + 90 days
KYC documents5 years post account closure (AMLA §22 requirement)
Trade contracts + signed PDFs + audit logs10 years (Civil and Commercial Code limitation period)
Payment metadata5 years (AMLA + Revenue Code)
Marketing-consent records3 years from latest interaction or until withdrawn
Cookie-consent records1 year, then re-prompt
Audit logs (security, login events)2 years rolling

7. Your rights as a data subject (PDPA §30-§35)

You have the following rights with respect to your personal data:

  • Right of access (§30) — request a copy of all data we hold about you.
  • Right to rectification (§35) — correct inaccurate or incomplete data.
  • Right to erasure (§33) — request deletion of your data, subject to overriding legal retention duties (AMLA, tax).
  • Right to restrict processing (§34) — pause processing while a dispute is resolved.
  • Right to object (§32) — object to processing on legitimate-interest basis.
  • Right to data portability (§31) — receive your data in a machine-readable format.
  • Right to withdraw consent (§19) — at any time, with no effect on past lawful processing.
  • Right to complain (§73-§76) — to the Personal Data Protection Committee (PDPC) of Thailand.

Exercise any of these rights at /privacy/my-data. We respond within 30 days per PDPA §32.

8. Breach notification

In the event of a personal-data breach, we notify the PDPC within 72 hours of becoming aware (per PDPA §37(4)). If the breach poses high risk to data subjects, we also notify affected users without undue delay through the platform and the registered email address.

9. Cookies

We use cookies in four categories. You can change your preferences any time through the cookie banner or below.

  • Strictly necessary — session ID, CSRF token, language preference. Always on.
  • Functional — remembers your active vertical, last viewed listings. Off by default.
  • Analytics — aggregated, anonymised platform-usage stats. Off by default.
  • Marketing — for outbound product news. Off by default; requires explicit opt-in.

Manage cookie preferences from the banner that appears on first visit, or email dpo@mpbxchange.com to reset.

10. Children

The platform is for B2B use by registered legal entities. We do not knowingly collect data from children under 20 (the age of majority in Thailand).

11. Changes to this Policy

Material changes (additions to processor list, change in retention period, changes to lawful basis) require re-consent via the platform login flow, recorded against your auth_consents row. Non-material updates take effect on publication.

12. Contact

Data Protection Officer: dpo@mpbxchange.com
Postal: [Operating Entity, address in Thailand]
Complaint regulator: Personal Data Protection Committee (PDPC) — pdpc.or.th

See also: Terms of Service · Manage my data & rights →