Fitwhey Company Limited (from now on shall be referred to as the “Company”, “it” and “its”) is committed to meet and uphold all obligations under the Personal Data Protection Act (2019) (the “PDPA”). This Customers’ Privacy Policy (the “Policy”) will provide a framework to ensure this and elaborate upon the procedures Customers’ Personal Data will be stored and processed during and after the term of the sale and/ or service agreements according to the purposes and scope of the Company.
     This Policy applies to all Processing of the Company’s existing Customers’ Personal Data, (from now on shall be referred to as the “Customers” and “their”), irrespective of whether the Personal Data is processed on non-Company equipment or by third parties. This should be read and comprehended by all related parties to ensure a complete understanding of the procedures that Customers’ Personal Data will be stored and processed.
     For purposes of this Policy, the following terms shall have the meanings set forth below:
          • “Personal Data” means any information relating to an identifiable living individual who can be identified from that data or from that data and other data; and
          • “Processing” means anything done with Personal Data, including collection, storage, use, disclosure and deletion.
     Should the Customers have further questions or recommendations regarding this Policy, please contact the Company through the following channel.

Data Controller Contact Information Fitwhey Company Limited 20, Nak Niwat Road, Latphrao Sub-district, Ladphrao District, Bangkok, 10230 Tel.: Jutirat Tokul E-mail: jutirat@fitwhey.com

Data Protection Officer (DPO) Contact Information Jutirat Tokul E-mail: jutirat@fitwhey.com

          The Company acts as the data controller for all Customers’ Personal Data. Therefore, it has the role and responsibility in determining the purposes and means of the Processing in accordance with the PDPA.
     Customers’ Personal Data from subscription form and other sources will be used by the Company’s employees and other related third parties identified in the following sections to carry out tasks as required by the Company.

The Company collects and stores the following Customers’ Personal Data:
     • identity data including, but not limited to, full name and ID number;
     • financial data including, but not limited to, credit card number;
     • membership details including, but not limited to, membership number and reward point;
     • transaction data including, but not limited to, order history, order details and evidence of payments;
     • address/contact including, but not limited to, address, email and telephone number; and
     • IT data including, but not limited to, username, password, ci session and server ID.

In any cases, the Company does not collect and store Personal Data of individuals who are under the age of 20 (twenty).

     In general, the Company will directly collect and store Customers’ Personal Data through the subscription registration process and when Customers make orders through the Company’s website or other channels, such as social networks. However, the Company may collect additional Personal Data through third parties, including related organizations in the private sector.

     Cookies are small text files that are placed on Customers’ computers and/or communication tools such as smartphones, tablets, etc. through a web browser when Customers visit the Company’s website without harming the Customers’ computers and/or communication tools.

• Necessary Cookies	These cookies are used for the Company’s website’s in order to specify display status in the website;
• Analytics / Performance Cookies	These cookies are used for the Company’s website in order to acknowledge and keep statistics and behavior of web surfing;
• Functionality Cookies	These cookies are used for the Company’s website in order to remember re-visiting of the website and also not to show popup of system notification.; and
• Advertising Cookies	These cookies are used for the Company’s website in order to acknowledge Customers’ behavior and interests specifically for marketing purposes, such as offering products and promotions.

     Customers may delete or reject cookies that are set by the Company’s website through web browser setting by learning how to delete cookies from each web browser, which may include, but not limited to, Chrome, Firefox, Internet Explorer and Safari.

     The Company uses Customers’ Personal Data to carry out tasks per the Company’s scope and purposes of providing groups of activities, including:
          • registering Customers’ subscriptions;
          • managing orders and administering payment;
          • delivering purchased products;
          • offering reward points;
          • conducting online direct marketing;
          • offering rewards and making appointment with Customers in order to obtain such rewards;
          • conducting surveys to encourage the Company’s products and services development;
          • conducting audits; and
          • complying with applicable laws and regulations.

     The Company has the following legal bases to store and process Customers’ Personal Data. Not all Customers’ Personal Data will apply to every legal base stated below, and may be based upon one single or a combination of several legal bases.

(1) Contract
     The Company is obligated to process Customers’ Personal Data to carry out the responsibilities committed according to the sale and/or service agreement. These required Personal Data make up most of the Personal Data stated in Section 3. Also, to carry out these responsibilities, third-party organizations shall process Customers’ Personal Data to carry out the required tasks.

(2) Legal Obligation
     The Company is obligated to process Customers’ Personal Data according to any legal requirements, including, but not limited to, disclosing Customers’ Personal Data to the Revenue Department.

(3) Legitimate Interests
     In specific circumstances, the Company may need to process Customers’ Personal Data in order to pursue its legitimate interests, provided that such interests are not overridden by fundamental rights of the Customers.

(4) Consent
     In some cases, the Company will request Customers’ consent to process Personal Data, including, but not limited to, when conducting personalized marketing.

The Company will process Customers’ Personal Data according to the stated legal bases, or related legal bases that do not contradict the Company’s scope and purposes. If there came upon a case where Personal Data were to be processed for purpose that has not been stated above and other legal bases do not apply, the Company would ask for Customers’ new consent to process such Personal Data.

     The Company may be required to pass on Customers’ Personal Data to external third-party organizations which shall process Personal Data in accordance with the contract or the legitimate interest of the Company. These organizations may include:

     • delivery companies;
     • payment gateway institutions;
     • banking institutions;
     • service providers including, but not limited to, cloud service providers, consulting firms and third-party analytics platforms;
     • external auditors; and
     • governmental bodies including, but not limited to, the Revenue Department.
     For the cases where Personal Data is being passed on the external third-party organizations, the Company will ensure that the minimum amount of Personal Data is being sent and consider anonymization and psuedonnymisation techniques for greater security. Nevertheless, external third-party organizations who will process Customers’ Personal Data for the Company will be required to have an appropriate privacy policy. Furthermore, the Company does not permit these external third-party organization to use Customers’ Personal Data in a way that diverge from the agreed scope and purposes.

     Social plug-ins (“plug-ins”) of social networks are used on the Company’s website, in particular the “Recommend”, “Share” or “Share with friends” buttons of Facebook and Instagram whose websites, facebook.com and instagram.com, are operated by Facebook Inc.,. The plug-ins are usually marked with Facebook and Instagram logo.

     Beside Facebook and Instagram, the Company uses plug-ins from Twitter, which is operated by Twitter, Inc.,.The plug-ins are usually marked with Twitter logo.

     For data protection reasons, there is no automatic Personal Data transmission to the above social networks once Customers access the Company’s website. Customers’ Personal Data will be transmitted to social networks only when Customers actively click on the respective social network buttons. In this case, Customers’ web browser starts a connection to the respective social networks’ servers. By clicking on the respective buttons (e.g. “Recommend”, “Share” or “Share with friends”), Customers agree that their browser will produce a link to the respective social networks’ servers and transmit the Personal Dara to the respective operators of the social networks and vice versa. The Company has no influence upon the nature and extent of the Personal Data that is then gathered by the social networks.

     The social network providers store the Personal Data collected about Customers as user profiles, and may use such Personal Data for the purposes of advertising, market research and/or demand-oriented design of such social networks’ websites. Customers have a right of objection to the creation of these user profiles, whereby Customers must contact the respective plug-in providers to exercise this right. Through the plug-ins, the Company offers Customers the possibility to interact with social networks and other users.

     The Personal Data is transferred regardless of whether Customers have an account with the plug-in providers and are logged in there. Accordingly, if a Customer is logged in with a plug-in provider, such Customer’s Personal Data collected by the Company will be directly assigned to the Customer’s existing account with a plug-in provider. Also, if the Customer clicks the activated button and, for example, link the page, the plug-in provider also stores this information in the Customer’s user account and shares it publicly with the Customer’s contacts. Therefore, the Company recommends that Customers log out regularly after using social networks, especially before activating the buttons, so that Customers can avoid being assigned to their profile with the plug-in providers.

     For more information on the purposes and scope of Personal Data collection, and the Processing carried out by the plug-in providers, please refer to the privacy policies of these providers as suggested below. These privacy policies will also provide Customers with further information about their rights in this regard, and setting options to protect their privacy.

     • Facebook Inc.,:https://www.facebook.com/privacy/explanation; and
     • Twitter, Inc.,: https://twitter.com/en/privacy.

     The Company may be required to make cross-border transfer of Customers’ Personal Data in the case where related external third-party organizations are located in foreign countries. For such case, the Company will pass on Customers’ Personal Data only when one of these requirements has been met. The requirements include:

          • receiving foreign country has been accounced by the Personal Data Committee to have a substantial Personal Data regulation in place;
          • receiving organization has a substantial privacy policy in place and certified by the Personal Data Committee;
          • receiving organization is obligated to follow a substantial privacy policy with sufficient remedial measures in accordance with the procedures identified by the Personal Data Committee (including, but not limited to, standard contract, data processing agreement);
          • a necessary task to exercise legal rights;
          • consent has been received from Customers agreeing to the pass on of their Personal Data to a foreign country that does not have a substantial privacy policy;
          • a necessary task to carry out contractual agreements of the Customers, or in order to take steps at the request of the Customers prior to entering into a contract;
          • a necessary task to carry out under a contractual agreement between two entities for the benefit of the Customers;
          • ensuring the safety or limiting further damages to an individual’s health who cannot give consent at the current time; and
          • a necessary task for the good of the public.

     The Company has implemented security measures to ensure the security of Customers’ Personal Data. External third-party organizations must carry out the Processing in accordance with the Company’s Policy and agrees to ensure the security of Customers’ Personal Data

     The Company will store Customers’ Personal Data throughout for the appropriate period according to Company’s scope and purposes.

Customers’ Personal Data rights include:
     • right of access – Customers have the right to request a copy of all their Personal Data to assess whether the Company is processing such Personal Data in accordance with the law;
     • right to data portability – for the case where the Company has an automated platform allowing Customers to access their Personal Data automatically:
            Customers have the right to ask for their Personal Data to be transferred automatically to other organizations;
            Customers have the right to ask for their Personal Data which have been directly transferred to other organizations, with the exceptions of cases where there is a technological limitation;
     • right to object – Customers have the right to object to any Processing of their Personal Data for specific purposes, including:
            public task or legitimate interest;
            direct marketing purposes;
            scientific, historical or statistic research purposes, unless it is necessary to performance of a task carried out for reasons of public interest by the Company;
     • right to erasure – Customers have the right to request data deletion or anonymization, in accordance to the following cases:
            expiration of the Processing required terms;
            consent has been withheld;
            objections raised on the Processing;
            the Processing is not in accordance with the law;
     • right to restrict the Processing – Customers have the rights to restrict any Processing, in accordance with the following cases:
            during the process of Personal Data assessment as requested;
            for cases related to Personal Data which has initially asked for deletion and erasure but was followed by an additional request of Processing restriction instead;
            for cases when Processing terms have passed, but the Customers have requested for the Processing restriction for the purposes of the establishment, compliance, or exercise of legal claims, or the defense of legal claims;
            during the process of Processing objection verification; and
     • right to rectification – Customers have the right to edit their Personal Data to be correct and concurrent to the present. If any mistake was detected, the Company might not edit this itself.

     In the cases where the Company may not be able to carry out and exercise the Customers rights, including, but not limited to, the cases where a legal process is taking place, Customers whose Personal Data has been processed by the Company based on consent basis will continue to have the rights to retract their consent by contacting all related parties. In that case, the Company will be required to terminate all Processing of such Customers’ Personal Data as soon as possible. However, the retraction only is carried out to all Processing after the retraction. Any Processing carried out before the retraction will not be reversed.

     Please be informed that the Company does record all requests to ensure all issues are resolved. For any queries regarding Customers’ Personal Data protection and rights, more details are available at: https://www.law.chula.ac.th/wp-content/uploads/2021/04/TDPG3.0-Extension-20210413.pdf

     In the cases where Customers have the intention to exercise their Personal Data protection rights, please contact the Company through the above contact channel. Upon receiving of requests, the Company will process such requests in a secure and timely manner. Also, in case that the Company fails to preserve Customers’ rights under the PDPA, Customers can file complaint to Office of the Personal Data Protection Commission (‘PDPC’).

     This Policy was last updated on 31/10/2021. The Company holds the rights to review and edit the Policy as the Company sees fit. Any revision made will be notified to all related parties regarding the changes in the Processing procedures.