Privacy Policy

Last updated: March 26, 2026

This policy complies with Thailand’s Personal Data Protection Act B.E. 2562 (2019) (“PDPA”)

NuaAI Co., Ltd. (“NuaAI,” “we,” “us,” or “our”) respects your privacy and is committed to protecting the personal data of our customers, their end users, and website visitors. This Privacy Policy explains how we collect, use, disclose, and protect personal data in compliance with the Personal Data Protection Act B.E. 2562 (PDPA) of Thailand.

1. Data Controller

NuaAI Co., Ltd.
Data Protection Officer: dpo@nuaai.org
Website: https://nuaai.org

Dual-layer data relationship:

  • NuaAI as Data Controller: For customer (merchant) account data, billing, and website visitor data.
  • NuaAI as Data Processor: For end-user personal data processed on behalf of the Customer (merchant). The Customer acts as the Data Controller for their end users’ personal data.

2. Data We Collect

2.1 From Customers (Business Accounts)

Data Type | Purpose | Legal Basis (PDPA)
Name, email, phone | Account creation & management | Contract (Sec. 24(3))
Business information | AI agent configuration | Contract (Sec. 24(3))
Payment information | Billing & invoicing | Contract (Sec. 24(3))
LINE User ID (LINE Login) | Authentication | Consent (Sec. 19)
Usage data (login, features) | Service improvement | Legitimate Interest (Sec. 24(5))

2.2 From End Users (Customers’ Customers)

Data Type | Purpose | Legal Basis (PDPA)
Chat messages & history | Providing AI responses | Contract with Customer (Sec. 24(3))
LINE/FB display name & profile | User identification | Legitimate Interest (Sec. 24(5))
Preferences & purchase history (AI-extracted) | Personalized recommendations | Legitimate Interest (Sec. 24(5))
Session identifiers | Conversation continuity | Contract (Sec. 24(3))

2.3 From Website Visitors

Cookies, IP address, browser type, pages visited, and referring URLs for analytics and service improvement. See Section 10 (Cookies).

2.4 Sensitive Data

NuaAI does not intentionally collect sensitive personal data as defined under PDPA Section 26 (including race, ethnicity, political opinions, religion, health data, biometric data, sexual orientation, and criminal records). If such data appears in chat conversations, it is processed solely for providing AI responses and is not used for any other purpose.

3. How We Use Personal Data

  • Providing, maintaining, and improving the NuaAI platform
  • Processing AI-powered customer service conversations
  • Generating customer profiles and memory for personalized AI responses
  • Billing, invoicing, and account management
  • Sending service notifications and updates
  • Analyzing usage patterns to improve our AI models and services
  • Ensuring security and preventing fraud
  • Complying with legal obligations

We do not use personal data for automated decision-making that produces legal effects on individuals without human oversight.

4. AI Data Processing

4.1. NuaAI uses artificial intelligence to process conversation data and generate responses. This includes:

  • Natural language understanding and response generation
  • Extracting customer preferences and purchase patterns from conversations
  • Semantic search across knowledge bases and product catalogs
  • Conversation summarization and compression for memory efficiency

4.2. AI processing is performed using third-party AI providers (such as OpenAI via OpenRouter). Data sent to these providers is subject to their data processing agreements and is used solely for generating responses. We do not permit third-party AI providers to use Customer Data for training their models.

4.3. Vector embeddings (numerical representations of text) are generated from text data for semantic search. Embeddings are not a form of anonymization: although the exact original text cannot be read directly from an embedding, an embedding is derived from that text and can retain information about it. NuaAI therefore treats embeddings as personal data and protects them with the same measures described in Section 8.

4.4. NuaAI may change its third-party AI providers to improve service quality. We will update this policy when material changes occur.

5. Data Sharing & Disclosure

We may share personal data with:

  • Third-party AI providers (e.g., OpenRouter/OpenAI, servers in the United States) for generating AI responses
  • Cloud infrastructure providers (e.g., Railway — US, Supabase — Singapore, Upstash — Singapore) for hosting and data storage
  • Payment processors for billing purposes
  • LINE Corporation (Japan) for LINE Login authentication and LINE OA messaging
  • Meta Platforms (US) for Facebook/Instagram messaging integration
  • Legal authorities when required by Thai law, court order, or government request

We do not sell personal data to third parties. We do not share personal data for advertising or marketing purposes with third parties.

6. Cross-Border Data Transfer

6.1. Personal data may be transferred to and processed in countries outside Thailand, including the United States, Singapore, and Japan, where our cloud infrastructure, AI providers, and messaging platforms operate.

6.2. In accordance with PDPA Sections 28-29, we ensure adequate protection through:

  • Data processing agreements with all third-party providers
  • Standard contractual clauses (ASEAN Model Contractual Clauses or equivalent)
  • Technical measures: encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Selecting providers with recognized security certifications (SOC 2, ISO 27001)

7. Data Retention

Data Type | Retention Period
Customer account data | Duration of subscription + 90 days
Conversation messages | Duration of subscription + 30 days
Compressed summaries | Duration of subscription + 30 days
Customer profiles (AI-extracted) | Duration of subscription + 30 days
Payment records | 5 years (Thai Revenue Code)
Website analytics | 26 months
Security logs | 12 months

Upon account termination, Customers may request data export within 30 days. All Customer Data is permanently deleted within 60 days after the export window. Deletion is performed using secure methods and verified.

8. Data Security

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Database access controls with role-based access control (RBAC)
  • Regular security monitoring and vulnerability assessments
  • Employee access limited to need-to-know basis
  • Secure cloud infrastructure with SOC 2-compliant providers
  • Secure credential storage (passwords hashed with bcrypt, never stored in plaintext)
  • Automatic session expiration (7 days)

9. Data Subject Rights (PDPA)

Under the PDPA, you have the following rights:

  • Right of Access (Sec. 30) — Request a copy of personal data we hold about you
  • Right to Rectification (Sec. 36) — Request correction of inaccurate or incomplete data
  • Right to Erasure (Sec. 33) — Request deletion, subject to legal obligations
  • Right to Restriction (Sec. 34) — Limit processing in certain circumstances
  • Right to Data Portability (Sec. 31) — Receive your data in machine-readable format
  • Right to Object (Sec. 32) — Object to processing based on legitimate interest
  • Right to Withdraw Consent (Sec. 19 para. 5) — Withdraw consent at any time without affecting prior processing
  • Right to Lodge a Complaint (Sec. 73) — File with the Personal Data Protection Committee

To exercise these rights, contact dpo@nuaai.org. We will respond within 30 days.

For End Users: If you interacted with a business using NuaAI, please contact that business directly. They are the Data Controller for your personal data.

10. Cookies & Tracking

  • Essential cookies — Session management, authentication. Cannot be disabled.
  • Analytics cookies — Understanding website usage. Can be disabled via browser settings.

We do not use advertising or tracking cookies. We do not engage in cross-site tracking.

11. Data Breach Notification

In the event of a personal data breach that poses a risk to data subjects:

  • We will notify the Personal Data Protection Committee (PDPC) within 72 hours of becoming aware of the breach
  • If the breach is likely to result in high risk to individuals, we will notify affected data subjects without undue delay
  • Notification will include: nature of the breach, data affected, measures taken, and contact information

12. Children’s Privacy

The Services are not directed to individuals under 20 years of age (the age of majority under Thai law). We do not knowingly collect personal data from minors. If we become aware of such collection without proper parental/guardian consent, we will delete that information promptly.

13. Data Processing Agreement (DPA)

13.1. NuaAI acts as a Data Processor under the PDPA for end-user data. The Customer acts as the Data Controller.

13.2. NuaAI processes personal data only on the Customer’s documented instructions and for providing the Services.

13.3. NuaAI will assist the Customer in fulfilling PDPA obligations, including responding to data subject requests and conducting data protection impact assessments.

13.4. Enterprise customers may request a separate, signed Data Processing Agreement.

13.5. NuaAI maintains a list of sub-processors and will notify Customers before adding new sub-processors that handle personal data.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification at least 14 days before taking effect.

15. Contact Us

Data Protection Officer
NuaAI Co., Ltd.
Email: dpo@nuaai.org
Website: https://nuaai.org

Personal Data Protection Committee (Thailand)
Website: https://www.pdpc.or.th

See also: Terms of Use