privacy

privacy policy.

last updated: · en · PDPA + GDPR

1. who controls your data.

the data controller for th.piexels.co is Piexels. the bangkok studio runs with a local senior partner. european operations route through be.piexels.co under the same brand.

all data protection inquiries route to bangkok@piexels.co and are answered within 30 days.

2. data we collect.

  • contact data, when you email us or submit the intake form: name, company, email address, project type, budget band, timeline, and the message you write.
  • billing data, when you become a paying client: legal entity name, tax number, billing address, bank reference. processed via Stripe and Wise.
  • technical logs, registered automatically by Vercel as our hosting provider: IP address, user-agent, request path, timestamp. kept 30 days for security and debugging.
  • analytics, via Vercel Analytics in privacy-respecting aggregate form. no cross-site tracking, no advertising pixels, no Facebook Pixel, no Google Ads tag, no LinkedIn Insight tag.

3. legal basis.

we rely on the following legal bases under GDPR Article 6 and PDPA Sections 19 and 24.

  • consent (GDPR 6.1.a, PDPA Section 19) for marketing communication and any optional analytics triggered by the cookie banner.
  • contract performance (GDPR 6.1.b, PDPA Section 24(3)) for delivering a project, issuing invoices, and answering support requests.
  • legitimate interest (GDPR 6.1.f, PDPA Section 24(5)) for security logging, fraud prevention, and follow-up on an active prospect conversation.
  • legal obligation (GDPR 6.1.c, PDPA Section 24(6)) for accounting record retention and any statutory tax reporting that applies to the engagement.

we do not engage in automated individual decision-making in the sense of GDPR Article 22 or PDPA Section 32. any AI-assisted tooling we use internally to build faster does not touch your personal data without explicit instruction.

4. subprocessors.

we share personal data only with subprocessors who have signed an appropriate data processing agreement.

  • Vercel Inc. (United States, EU-US Data Privacy Framework certified). hosting of th.piexels.co.
  • Supabase Inc. (United States, SCC + DPF). authentication and database when an authenticated flow is in use.
  • Stripe Payments (Ireland for EU, Inc. for global). payment processing and invoicing for piexels.
  • Resend Inc. (United States, SCC + DPF). transactional email (order confirmations, ticket updates).
  • Wise Europe SA (Belgium). banking and payouts to suppliers.

we do not sell personal data. we do not run an affiliate or partner network that receives your data. there is no advertising on th.piexels.co.

5. retention.

  • inbound contact data: up to 24 months from the last interaction, unless a longer legal retention applies.
  • contract and invoice data: minimum 7 years after the billing year, per applicable accounting law.
  • technical logs: maximum 30 days, then anonymised or deleted.
  • analytics: aggregate only, no personal identifier, no retention cap on the aggregate counters.

6. PDPA-specific obligations (thailand).

the Personal Data Protection Act B.E. 2562 (2019) applies to any data subject in Thailand regardless of where the controller sits. we comply with the following sections.

  • Section 19: consent collected with clear purpose, freely given, separable from other terms.
  • Section 23: notice at the time of collection. this policy serves as that notice for the intake form and email correspondence.
  • Sections 24 to 26: lawful basis for processing, including the bases listed in section 3 above.
  • Sections 27 to 29: sensitive data is not collected via th.piexels.co. if you voluntarily share sensitive data in a message, we either delete it or request explicit consent before storing it.
  • Section 28: cross-border transfers. data may be processed by subprocessors in the United States and the European Union. we rely on PDPC-recognised mechanisms: standard contractual clauses with the subprocessor where adopted, binding corporate rules where available, or explicit Section 28(7) consent when neither applies. data subjects can request the relevant transfer mechanism documents on request.
  • Section 37: security measures. data is encrypted in transit (TLS 1.3) and at rest with the respective subprocessor. access is limited to founder-level accounts and revoked when a contract ends.

7. GDPR-specific obligations (european union).

for data subjects in the European Economic Area we apply GDPR Articles 13, 14, 28, and 32. concretely, this means transparent notice at collection, written subprocessor agreements, and technical and organisational measures proportionate to the risk. transfers to non-EU subprocessors rely on Standard Contractual Clauses adopted by the European Commission, or on the EU-US Data Privacy Framework where the subprocessor is a certified US recipient.

8. your rights.

regardless of jurisdiction, you can exercise the following rights by writing to bangkok@piexels.co. we respond within 30 days.

  • access: receive a copy of the personal data we hold about you.
  • correction: have inaccurate data fixed.
  • deletion: request erasure, subject to legal retention obligations.
  • portability: receive your data in a structured machine-readable format.
  • restriction and objection: limit how we process certain categories.
  • withdraw consent: withdraw any consent you previously gave, with effect for the future.

9. complaints.

thailand. you have the right to complain to the Personal Data Protection Committee of Thailand (PDPC), Ministry of Digital Economy and Society, Bangkok.

european union.EU data subjects can complain to the Belgian Data Protection Authority (Autorit é de protection des données / Gegevensbescher mingsautoriteit): rue de la Presse 35, 1000 Brussels, contact@apd-gba.be.

united states and other jurisdictions. data subjects outside thailand and the european union can contact piexels directly via bangkok@piexels.co.

10. changes to this policy.

we update this notice when our processing or our subprocessor list changes. the date at the top of this page shows the last revision. material changes that affect your rights are communicated at least 30 days in advance to active clients by email.