Privacy Policy

How we collect, use, and protect your personal information

Last updated: August 22, 2025

1. Introduction

Versotis ("we," "our," or "us") is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our enterprise chat management platform and related services.

This policy complies with the General Data Protection Regulation (GDPR), Thailand's Personal Data Protection Act B.E. 2562 (2019) ("PDPA"), and other applicable data protection laws.

Thai Users: In accordance with Section 37(5) of the PDPA, we have designated a representative in Thailand who can be contacted regarding personal data protection matters. Contact details are provided in Section 12 below.

2. Information We Collect

2.1 Personal Information

We collect the following types of personal information:

  • Account Information: Name, email address, username, password, and profile picture
  • Contact Information: Phone number, business address, and communication preferences
  • Professional Information: Job title, department, organization details, and role permissions
  • Authentication Data: Login credentials, two-factor authentication codes, and session tokens

2.2 Usage Information

  • Platform Activity: Messages sent/received, chat interactions, response times, and feature usage
  • Technical Data: IP address, device information, browser type, operating system, and access logs
  • Analytics Data: Page views, session duration, click patterns, and performance metrics
  • Location Data: General geographic location based on IP address (when permitted)

2.3 Customer Communication Data

When you use our platform to communicate with customers, we process message content, attachments, and metadata to provide our services. This includes conversations across multiple platforms (WhatsApp, LINE, Telegram, etc.).

2.4 Sensitive Personal Data (PDPA Section 26)

In accordance with Section 26 of the PDPA, we do not intentionally collect sensitive personal data such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sexual behavior, except where:

  • Explicit consent has been provided by the data subject
  • Processing is necessary for legal claims or compliance with legal obligations
  • Data has been made publicly available by the data subject
  • Processing is necessary for substantial public interest purposes

Note: If sensitive data is inadvertently included in customer communications processed through our platform, we implement appropriate safeguards and limit processing to what is necessary for service provision.

3. How We Use Your Information

We use your personal information for the following purposes:

3.1 Service Provision

  • Providing and maintaining our chat management platform
  • Processing and routing customer communications
  • User authentication and access control
  • Enabling real-time messaging and notifications
  • Generating reports and analytics for your organization

3.2 Platform Improvement

  • Analyzing usage patterns to improve functionality
  • Developing new features and services
  • Optimizing platform performance and reliability
  • Conducting research and development activities

3.3 Legal Basis for Processing

Under GDPR:

  • Contract Performance: Processing necessary to provide our services
  • Legitimate Interests: Platform security, fraud prevention, and service improvement
  • Legal Compliance: Meeting regulatory requirements and legal obligations
  • Consent: Optional features like marketing communications and analytics (where required)

Under PDPA (Sections 24 & 26):

  • Consent: Explicit consent for service provision and optional features
  • Contract Performance: Processing necessary for contract execution (Section 24(3))
  • Legitimate Interests: Data Controller's legitimate interests that don't override data subject rights (Section 24(5))
  • Legal Compliance: Processing required by applicable laws (Section 24(6))
  • Vital Interests: Protection of life, body, or health (Section 24(2))

4. Information Sharing and Disclosure

We do not sell, trade, or rent your personal information. We may share information in the following limited circumstances:

4.1 Within Your Organization

Information may be shared with authorized users within your organization based on role-based access controls and business need-to-know principles.

4.2 Service Providers

We may share information with trusted third-party service providers who assist us in operating our platform, conducting business, or providing services, subject to appropriate data processing agreements.

4.3 Legal Requirements

  • When required by law, regulation, or court order
  • To protect the rights, property, or safety of our users or the public
  • To investigate fraud or security incidents
  • In connection with legal proceedings

4.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, personal information may be transferred as part of the transaction, subject to appropriate notifications and protections.

5. Data Security

We implement comprehensive security measures to protect your personal information from unauthorized access, alteration, disclosure, or destruction:

  • Encryption: Data is encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access Controls: Role-based permissions and multi-factor authentication
  • Infrastructure Security: Secure cloud hosting with regular security audits
  • Monitoring: Continuous monitoring for security threats and anomalies
  • Incident Response: Established procedures for handling security breaches
  • Staff Training: Regular security awareness training for all personnel

6. Data Retention

We retain personal information for the following periods:

  • Account Data: For the duration of your account plus 7 years for legal compliance
  • Communication Records: As required by your organization's retention policies
  • Analytics Data: Up to 26 months for performance analysis
  • Security Logs: Up to 12 months for security monitoring
  • Legal Hold: Extended retention when required for legal proceedings

Data is securely deleted or anonymized when no longer needed for legitimate business purposes.

7. Your Rights and Choices

Under GDPR and PDPA, you have the following rights regarding your personal information:

7.1 Access and Portability (PDPA Sections 30-31)

  • Request access to your personal information and obtain copies
  • Receive your data in a readable, commonly used format
  • Request direct transfer of your data to another Data Controller (where technically feasible)
  • Request disclosure of how your data was obtained (if collected without consent)

7.2 Correction and Deletion (PDPA Sections 33-36)

  • Request correction of inaccurate, incomplete, or misleading information
  • Request deletion/destruction of your personal data when no longer necessary
  • Request anonymization of data when deletion is not possible
  • Request deletion when consent is withdrawn and no other legal basis exists
  • Request deletion of unlawfully processed data

7.3 Objection and Restriction (PDPA Sections 32-34)

  • Object to processing based on legitimate interests or public tasks
  • Object to direct marketing activities
  • Request restriction of processing in certain circumstances
  • Withdraw consent at any time (where processing is based on consent)
  • Object to automated decision-making and profiling

PDPA Note: Consent withdrawal must be as easy as giving consent initially. We will inform you of any consequences of withdrawing consent before you proceed.

7.4 How to Exercise Your Rights

To exercise these rights, contact us at [email protected] or use our Data Subject Request Form. We will respond within 30 days and may require identity verification.

8. International Data Transfers

If we transfer personal information outside your country, we ensure appropriate safeguards are in place in accordance with GDPR and PDPA Section 28:

8.1 GDPR Safeguards

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions for countries with approved data protection standards
  • Binding Corporate Rules for intra-group transfers
  • Specific consent for transfers where legally required

8.2 PDPA Requirements (Section 28)

For data transfers from Thailand to foreign countries, we ensure:

  • Destination countries have adequate data protection standards as determined by the Personal Data Protection Committee
  • Explicit consent where destination countries lack adequate protection
  • Contractual safeguards for legitimate business purposes
  • Compliance with Committee-prescribed protection guidelines

Note: Where transfers are necessary for contract performance, legal compliance, or vital interests protection, additional safeguards may apply as prescribed by Thai law.

9. Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your experience. For detailed information about our cookie practices, please see our Cookie Policy.

You can manage your cookie preferences through our cookie banner or your browser settings.

10. Data Breach Notification

In accordance with GDPR and PDPA Section 37(4), we are committed to promptly addressing any personal data breaches:

10.1 Our Obligations

  • Notify the Office of Personal Data Protection Committee within 72 hours of becoming aware of a breach (where required by PDPA)
  • Notify relevant supervisory authorities under GDPR within 72 hours
  • Notify affected individuals without undue delay if the breach poses a high risk to their rights and freedoms
  • Maintain records of all data breaches for regulatory review

10.2 What We Will Tell You

If we need to notify you of a data breach, we will provide:

  • Description of the nature of the breach
  • Categories and approximate number of individuals affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach
  • Contact information for further inquiries

11. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. We will:

  • Post the updated policy on our website
  • Notify you via email for material changes
  • Update the "Last Modified" date
  • Provide an appropriate notice period for significant changes

12. Contact Us

If you have questions about this Privacy Policy or our privacy practices, please contact us:

12.1 General Inquiries

Versotis

Email: [email protected]

Phone:

Address: Bangkok, Thailand

Website: https://www.versotis.com

12.2 Thailand Representative (PDPA Section 37(5))

Thai Representative: Data Protection Officer

Email: [email protected]

Subject Line: "PDPA Inquiry"

This representative is authorized to act on behalf of Versotis for all matters relating to personal data protection under Thai law.

For data protection inquiries specific to GDPR, you may also contact your local data protection authority. For PDPA matters, you may contact the Office of Personal Data Protection Committee.

13. Regulatory Information

This privacy policy is designed to comply with:

  • EU General Data Protection Regulation (GDPR)
  • Thailand Personal Data Protection Act (PDPA) B.E. 2562 (2019)
  • California Consumer Privacy Act (CCPA)
  • Other applicable international data protection laws