Privacy Policy
Effective 2026-05-05 · PDPA B.E. 2562 (2019)
1. Who is the data controller
MPBxChange, operated by [Operating Entity, registered in Thailand], is the Data Controller for personal data processed through the platform. Contact: dpo@mpbxchange.com (Data Protection Officer).
2. What data we collect
The platform collects the following categories of personal data:
- Identity: name, email, phone, employer, job title.
- Authentication: hashed password, MFA factors, session tokens, IP address, user-agent.
- KYC documents: business registration, tax ID, bank account proof, beneficial-owner declaration, ISO/IATF/IEC/UL/FDA certifications, factory licences, etc. — uploaded for the purpose of trust verification.
- Transactional: listings posted, RFQs sent, quotes received, contracts signed, milestones advanced, disputes raised, comments posted.
- Audit log: every action (create, update, sign, advance, comment) timestamped with IP address and user-agent.
- Payment metadata: bank reference numbers and payment status (we do not store card numbers; where the Parties designate an escrow arrangement, it is administered by the provider they designate — MPBxChange never holds funds).
- Cookies: see §9 — categorical consent.
3. Lawful basis (PDPA §24-§25)
We process personal data on the following lawful bases:
| Activity | Lawful basis |
|---|---|
| Account creation, login, contract execution | Contractual necessity §24(3) |
| KYC verification, sanctions screening | Legal obligation under AMLA §24(6) |
| Trust score, transaction history display | Legitimate interest §24(5) — platform integrity |
| Audit logging for regulatory + dispute purposes | Legitimate interest §24(5) + Legal obligation §24(6) |
| Marketing emails, product announcements | Consent §24(1) (revocable) |
| Cookies (analytics + marketing) | Consent §24(1) |
5. Cross-border data transfers (PDPA §28)
Some of our processors are located outside Thailand (United States, Singapore, European Union). Where the destination jurisdiction has not been recognised by the PDPC as providing adequate protection, we rely on:
- Standard Contractual Clauses (SCCs) with the processor, mirroring the EU model and approved under PDPA §28.
- Your explicit consent, captured at registration.
- Contractual necessity for cross-border counterparty introduction (a Thai buyer’s data shared with a Japanese supplier they engage).
6. How long we keep data (retention)
| Data | Retention period |
|---|---|
| Account profile + login credentials | Until account closure + 90 days |
| KYC documents | 5 years post account closure (AMLA §22 requirement) |
| Trade contracts + signed PDFs + audit logs | 10 years (Civil and Commercial Code limitation period) |
| Payment metadata | 5 years (AMLA + Revenue Code) |
| Marketing-consent records | 3 years from latest interaction or until withdrawn |
| Cookie-consent records | 1 year, then re-prompt |
| Audit logs (security, login events) | 2 years rolling |
7. Your rights as a data subject (PDPA §30-§35)
You have the following rights with respect to your personal data:
- Right of access (§30) — request a copy of all data we hold about you.
- Right to rectification (§35) — correct inaccurate or incomplete data.
- Right to erasure (§33) — request deletion of your data, subject to overriding legal retention duties (AMLA, tax).
- Right to restrict processing (§34) — pause processing while a dispute is resolved.
- Right to object (§32) — object to processing on legitimate-interest basis.
- Right to data portability (§31) — receive your data in a machine-readable format.
- Right to withdraw consent (§19) — at any time, with no effect on past lawful processing.
- Right to complain (§73-§76) — to the Personal Data Protection Committee (PDPC) of Thailand.
Exercise any of these rights at /privacy/my-data. We respond within 30 days per PDPA §32.
8. Breach notification
In the event of a personal-data breach, we notify the PDPC within 72 hours of becoming aware (per PDPA §37(4)). If the breach poses high risk to data subjects, we also notify affected users without undue delay through the platform and the registered email address.
10. Children
The platform is for B2B use by registered legal entities. We do not knowingly collect data from children under 20 (the age of majority in Thailand).
11. Changes to this Policy
Material changes (additions to processor list, change in retention period, changes to lawful basis) require re-consent via the platform login flow, recorded against your auth_consents row. Non-material updates take effect on publication.
12. Contact
Data Protection Officer: dpo@mpbxchange.com
Postal: [Operating Entity, address in Thailand]
Complaint regulator: Personal Data Protection Committee (PDPC) — pdpc.or.th