PDPA, Privacy Policy

Privacy Notice of Boiler Tracker Application in accordance with the
Personal Data Protection Act B.E. 2562

Privacy Policy for the Boiler Tracker Application, as well as the technology that is part of the Boiler Tracker Application, developed by Arrow Engineer Co., Ltd. The company recognizes the importance of the personal data that you provide to us with trust, and we have systems in place to secure your data and follow strict procedures to protect it. We also have measures in place to prevent unauthorized access, disclosure, use, or alteration of data, all in compliance with the Personal Data Protection Act of 2019. Therefore, the company has prepared this policy to provide details about the collection, use, and disclosure of personal data, the duration of data retention, data destruction, and the rights of individuals related to the company's operations and services.

The company recommends that you read and understand this Privacy Notice to be aware of the purposes for which the company collects, uses, and discloses your personal data, the duration of data retention, data destruction, and the rights of data owners relevant to the company's operations and services. You can find the details below.

1. Collection of Your Personal Data

The Company will use legal and ethical means to collect personal data only to the extent necessary for the Company's operational purposes. The Company may process personal data in various forms, including documents, images, and/or electronic formats. The types of personal data that the Company collects, uses, or discloses are as follows:

• General personal data, refers to information related to ordinary individuals that can identify a person directly or indirectly such as names, surnames, identification card numbers, passport numbers, and date of birth including sensitive data such as biometric data (fingerprints, facial data), and health-related information etc.

The Company has no intention of collecting or using information related to race, religion, blood type, or any other data beyond what is specified above as personal data, even if such information is present on identification cards, household registration documents, or any other documents that you have voluntarily provided to the Company.

• Your contact information (Contact Data), such as your address, email address, and telephone number
• Your preferences for searching for information on the internet (Technical and Usage Data), such as your search for Company products (Website Browsing) through the use of cookies or connections to other websites that you visit to search for information.
• Communication Data, such as recorded conversations when you contact the Company through the Contact Center, which may include audio or visual recordings, computer network traffic data, and any information provided by you or accessed by the Company from reputable sources, such as government agencies, financial industry companies within the Company's business group, Company partners, or consultants.

2. Purposes of Collecting, Using, Processing, or Disclosing Your Personal Data

• To fulfill the contract for opening an account or conducting transactions, or for using services through various channels related to the Company, or related to funds managed by the Company, you are required to provide personal data to the Company. This allows the Company to process the data and carry out various activities related to tracking and notifying benefits, entitlements, marketing activities, internal processes of the Company, communication with you, changes in the nature of products or services, answering queries, and notifying any changes as required under Section 24 (3) of the Personal Data Protection Act.
• For Legitimate Interest: The Company may process your personal data for the Company's legitimate interests as defined by law, pursuant to Section 24 (5) of the Personal Data Protection Act. This may include:

• Preventing, addressing, and reducing risks related to unlawful activities, including sharing personal data to enhance the Company's operational standards within the same business sector to prevent and address the aforementioned risks.
• Recording images of individuals who interact with the Company on CCTV systems, as well as card exchanges upon entering the Company's premises, for the purpose of maintaining security within the Company's premises.
• Managing risks, conducting audits, and internal management within the organization, including transferring data to other companies within the corporate group for the aforementioned purposes under the Binding Corporate Rules policy.
• Possibly disclosing customer personal data to external service providers for data storage in cloud computing systems and for the purpose of developing the Company's information technology.
• Monitoring email communications or internet usage of employees with customers to prevent the unauthorized disclosure of Company confidential information to external parties.
• Analyzing data to present products similar to those held by customers with the Company and other products of the Company, as well as conducting market research for the development of Company products.
• Maintaining relationships with customers, such as managing complaints and offering special benefits without marketing purposes to customers, among others.
  • Based on Consent: The Company may use your personal data for processing to design or develop products and services, present and recommend products and services, market activities of the Company, or collect, use, or disclose your personal data for direct marketing purposes. If you wish to withdraw your consent for such processing, you can contact the Company as specified in Section 9.

3. Disclosure of Personal Data

The Company may disclose your personal data to external individuals or entities for processing purposes related to personal data in the following cases:

• Disclosure to representatives, contractors, or external service providers to provide services to individuals and/or legal entities, such as business partners of the Company, professionals, experts, and service providers in various fields, including information technology and communication, travel coordinators for seminars, event organizers, and collaborators for services related to the Company's products and services.
• Disclosure to external service providers (Outsource/Service Provider) with whom the Company has contractual agreements, both within Thailand and abroad, such as cloud computing service providers, registrars, marketing service providers, research service providers for the Company, and technology development service providers for the Company.
• Disclosure for the exercise of the Company's rights or legal claims or in accordance with contracts or laws.

The Company does not engage in marketing to third parties and does not provide information to third parties for marketing purposes.

4. Automated processing

Subject to your explicit consent, the Company may use your personal data for automated processing, which may affect your personal data or be used for the collection of other data. If you wish to withdraw your consent, you can contact the Company as specified in Section 9.

5. Rights of Data Subjects

The company acknowledges your personal data rights, which are rights protected by the law concerning personal data that you should be aware of. These rights include:

• Right to Withdraw Consent: You have the right to withdraw your consent at any time regarding the collection, use, or disclosure of your personal data by the company. If the company does not have a legal basis to continue collecting, using, or disclosing your data, it will delete your data.
• Right to Access: You have the right to request and receive a copy of your personal data that is under the company's responsibility or request that the company disclose how your data is being used without your consent.
• Right to Rectification: You have the right to request the company to correct your personal data to ensure its accuracy, completeness, and up-to-date status.
• Right to Data Portability: You have the right to receive your data from the company in a format that can be read or used with automated tools or devices and can be disclosed automatically.
• Right to Erasure or Right to be Forgotten: You have the right to request the company to delete or make your personal data unidentifiable in cases:
  • When the data is no longer necessary for the purposes of collection or processing
  • You withdraw your consent
  • You object to direct marketing
  • The data is processed unlawfully
  • The data subject objects to data processing (except for objections related to processing for marketing purposes), and the company has no lawful basis for the processing
• Right to Restriction of Processing: You have the right to restrict the processing of your personal data under certain conditions, such as:
  • When the processing is unlawful but you request restrictions instead of deletion
  • During the verification of data accuracy
  • When the company is in the process of proving a legitimate reason for processing
• Right to Object: You have the right to object to the collection, use, or disclosure of your data for
  • Marketing purposes
  • Where data is collected, used, or disclosed for the purposes of scientific research, history, or statistics, except when necessary for the company's public interest mission
  • Where data is collected and processed out of necessity for the company's public interest mission or in compliance with applicable laws, unless the company demonstrates a significant legal basis that overrides this requirement, or when it is done to establish, exercise, or defend legal rights or to pursue legal claims
• Right to Lodge a Complaint: You have the right to lodge a complaint with relevant government agencies if the company's employees or contractors violate data protection laws.

Any request to exercise your rights as mentioned above must be made in writing, and the company will make its best efforts to process it within a reasonable timeframe, not exceeding the time limits prescribed by law. The company will adhere to the legal requirements related to your rights as a data subject.

Furthermore, if you request the company to delete, destroy, limit data processing, temporarily suspend data usage, convert personal data into a form that does not identify you, or withdraw your consent, it may impose limitations on the company's ability to conduct transactions or provide services to you. Please note that in using these rights, the company may reserve the right to charge any associated fees related to these requests.

6. Security Measures for Personal Data Protection

The company has established policies, guidelines, and standards for safeguarding the personal data of customers, encompassing both organizational and technical measures to prevent unauthorized access or breaches of personal data. These measures include robust information security systems, customer data protection policies, and the periodic enhancement of policies, guidelines, and minimum standards in accordance with legal requirements. Additionally, employees, contractors, and external service providers of the company are obligated to uphold the confidentiality of customer's personal data as stipulated in the agreements entered into with the company.

In cases where the company is required to transmit or transfer personal data abroad to countries with lower standards for personal data management than Thailand, the company will implement necessary measures as deemed essential, at a minimum in compliance with the data protection standards established by the respective country's laws. This may include contractual agreements on data confidentiality with counterparties in such countries, among other measures.

7. Data Retention Period

The company may not be able to completely erase all of your data from its database due to data backups and other reasons. The company will retain your data for as long as it is necessary for the purposes of data collection. In cases where you terminate your business relationship with the company, the company will retain your personal data for a period of 10 years, as required by law. This includes laws related to accounting, anti-money laundering, tax laws, and various policies and guidelines regarding document storage and destruction within the company. Once the data retention period has elapsed, the company will proceed to delete, destroy, or render the data unidentifiable.

8. Changes to Privacy Policy

The company's privacy policy may be periodically amended or modified without prior notice. In the event of any changes to the privacy policy, the company will display the current policy on its website at www.arrow-energy.com

9. Contact Information

If you wish to get in touch, have inquiries, or seek further details regarding the collection, use, or disclosure of personal data, exercising your rights as per section 5, or withdrawing your consent, or if you have any complaints, you can contact the company through the following channels:

• Arrow Energy Co., Ltd.
  87/114-116, 120 Sukhumvit Soi 63 (Ekamai), Klongton Nua, Wattana, Bangkok
• Customer Service (Call Center) at (02) 115 0653.
• The company's website at arrow-energy.com