---

title: Personal Data Protection Policy documentCode: OP-PI-01 effectiveDate: 'January 15, 2024' organization: Smart Finder Co., Ltd.

Personal Data Protection Policy

Smart Finder Co., Ltd. ("the Company") [cite: 392, 393]

The Company recognizes the importance of personal data and other information relating to you (collectively referred to as "Data")[cite: 394]. In order for you to be assured that the Company operates with transparency and accountability in collecting, using, or disclosing data in accordance with the Personal Data Protection Act B.E. 2562 ("Personal Data Protection Law") as well as other relevant laws, the key provisions are as follows[cite: 395, 396]:

What is Personal Data? And Definitions

• Personal Data means information about a natural person that enables the identification of such person, whether directly or indirectly, but does not include information of deceased persons specifically[cite: 397, 398].
• Sensitive Personal Data means personal data as prescribed under Section 26 of the Personal Data Protection Act B.E. 2562, which includes data on racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, labor union information, genetic data, biometric data, or any other data that similarly affects the data subject[cite: 399, 400].
• Processing of Personal Data means any operation performed on personal data, such as collecting, recording, copying, organizing, storing, updating, altering, using, retrieving, disclosing, transmitting, disseminating, transferring, combining, deleting, or destroying, etc[cite: 401].
• Data Subject means the natural person who is the owner of the personal data that the Company collects, uses, or discloses[cite: 402].
• Data Controller means a person or legal entity who has the authority and duty to make decisions regarding the collection, use, or disclosure of personal data[cite: 403].
• Data Processor means a person or legal entity who performs operations relating to the collection, use, or disclosure of personal data pursuant to the orders of or on behalf of the Data Controller[cite: 404]. Such person or legal entity is not the Data Controller[cite: 405].

We Collect the Following Personal Data

General Personal Data:

• Personal information: including name and surname, information as specified on national identity cards and passports, copies of ID cards or ID card numbers[cite: 407, 408].
• Contact information: including address, telephone number, workplace[cite: 409].
• Job details: Job title, department or organization[cite: 410].
• Electronic system usage data: including email or conversation history in various applications, or employee check-in records via the SeaTalk program or Service Desk program[cite: 411].
• Provided Information: Information you have provided when contacting or participating in any activities with the Company, etc[cite: 412].

Channels of Data Collection

We may receive your personal data through 2 channels as follows[cite: 413]:

1. Directly from you: Collected during the service process, such as applying for services, submitting requests, registering, applying for a job, submitting quotes, signing contracts, or completing surveys[cite: 414, 415, 416]. This includes communication at the Company’s office or through other controlled channels, and voluntary participation via email or the Service Desk[cite: 417, 418].
2. From other sources: Collected from sources where there is a lawful basis or consent has been obtained, including public information disclosed by the data subject on various platforms[cite: 419].
   • Note: If you provide third-party personal data, you are responsible for informing them of this policy and obtaining necessary consent[cite: 420].

Legal Basis for Data Processing

The Company may rely on the following legal bases[cite: 421, 422]:

• Contract [cite: 423]
• Legal Obligation [cite: 424]
• Legitimate Interest [cite: 425]
• Consent [cite: 426]
• Legitimate Interest for data analysis in aggregate and service development[cite: 427].

Purposes of Data Processing

1. For procuring or distributing products and providing or receiving services[cite: 428, 429].
2. For financial and tax transactions related to contractual obligations[cite: 430].
3. For aggregate data analysis, statistical data (Aggregated Data), and anonymized data to improve services and develop new products[cite: 431].
4. For improving operational quality and business-related operations[cite: 432].
5. For participation in Company activities[cite: 433].
6. For access control, security, and prevention of danger to life or health, including communicable disease control[cite: 434].
7. To comply with present and future laws or regulations[cite: 435].

Necessary data is required for contract performance or legal compliance[cite: 436]. Failure to provide such data may result in a violation of law or inability to manage contracts[cite: 437]. Any change in purposes will be notified and recorded as evidence[cite: 438].

Use of AI Technology and Automated Systems

The Company may use AI to analyze usage data, improve services, and provide services via chatbots[cite: 439, 440, 441, 442, 443]. The Company will not use personal data to train AI models without authorization[cite: 444].

Use of Aggregated and Anonymized Data

The Company may transform data into Aggregated & Anonymized Data[cite: 445, 446]. This data may be used for[cite: 447]:

• Analyzing industry market trends and preparing Market Intelligence reports[cite: 448, 449].
• Creating Benchmarks and comparative data[cite: 450].
• Developing and improving products and commercial services[cite: 451, 452].

The Company guarantees that[cite: 453]:

• Data is permanently anonymized and cannot be linked back to the data subject[cite: 454, 455].
• No specific hotel, customer, or guest can be identified[cite: 456].
• Confidential business information will not be disclosed[cite: 457].
• Such data is not considered personal data and is not subject to legal personal data restrictions[cite: 458, 459].
• The Company will not use data in a manner that damages any customer's business[cite: 460].

Processing and Disclosure of Personal Data

Upon receiving data, we will[cite: 461, 462]:

• Collect contact and necessary info for agreements and product delivery[cite: 463].
• Use info to offer products or services of interest[cite: 464].
• Disclose relevant info to processors (e.g., Google, subcontractors), government agencies (e.g., Revenue Department, Social Security Office), infrastructure providers, and payment services[cite: 465, 466, 467].
• Disclose to corporate clients (e.g., hotels) when acting as a processor[cite: 468, 469, 470].
• Transmit data to credit bureaus for verification and fraud prevention[cite: 468].

The Company will not disclose or sell personal data to external parties for marketing purposes, except in anonymized form[cite: 471].

Roles and International Transfers

• The Company acts as a Data Processor when providing systems to corporate clients (following their instructions as Controllers)[cite: 472, 473, 474].
• The Company acts as a Data Controller for website operations, marketing, and direct services[cite: 475].
• International transfers (e.g., to Google for email) will follow legal requirements like standard contractual clauses[cite: 476, 477, 478].
• Processor roles are further governed by the Data Protection Addendum[cite: 479].

Safeguards for Providers[cite: 480, 481]:

| Provider | Link | | :--- | :--- | | Google | Privacy Policy | | Azure | Legal Support / Microsoft DPA | | Zoho | Privacy Policy | | Service Desk (ITTS) | Privacy Policy |

Storage and Retention

• Format: Digital file and paper[cite: 482, 483, 484].
• Location: Cloud services including Google Drive, Gmail, Zoho, ITTS, GitLab, Jira, and Azure[cite: 485].
• Retention: Retained as long as necessary for collection purposes, legal requirements, or establishing/defending legal claims[cite: 486, 488, 489, 490]. If unspecified, the standard is reasonably anticipated (e.g., up to 10 years)[cite: 491].
• Destruction: Data will be deleted or destroyed within 10 days after the retention period expires[cite: 487].

Your Rights as a Data Subject

You have the following rights[cite: 492, 493]:

1. Right to Withdraw Consent[cite: 494].
2. Right of Access and request for copies[cite: 495].
3. Right to Rectification[cite: 496].
4. Right to Erasure[cite: 497].
5. Right to Restriction of Processing[cite: 498].
6. Right to Data Portability[cite: 499].
7. Right to Object[cite: 500].

Requests can be submitted to the DPO with identity verification[cite: 501]. No fees are required[cite: 502]. Results will be notified within 30 days[cite: 503].

Contact Channels

Data Controller Details[cite: 504, 505, 506]:

• Name: Smart Finder Co., Ltd.
• Address: 99/24 Moo 8, Ratchaphruek Road, Bang Krang, Mueang Nonthaburi, Nonthaburi 11000.
• Tel: 02-422-6780 / Fax: 02-422-6781
• Email: support@smartfinder.tech

Supervisory Authority Details[cite: 507, 508]:

Complaints regarding violations can be lodged with the Office of the Personal Data Protection Committee[cite: 509, 510]:

• 120 Moo 3, Floors 6-9, Ratchapratsanabhakdi Building, Government Complex, Chaengwattana Road, Bangkok 10210[cite: 511, 512, 513].
• Email: pdpc@mdes.go.th / Tel: 02-142-1033[cite: 514, 515].

---

Announced on January 15, 2024 [cite: 519] Mr. Soros Raktham [cite: 520] Chief Executive Officer [cite: 521]