Privacy Policy
1. Introduction
SpaManager ("we," "us," "our," or the "Company") is committed to protecting the privacy and personal data of our users, customers, website visitors, and all individuals whose data we process. This Privacy Policy explains how we collect, use, store, disclose, and protect your personal data in compliance with:
- Thailand's Personal Data Protection Act B.E. 2562 (2019) ("PDPA")
- General Data Protection Regulation (EU) 2016/679 ("GDPR"), where applicable to individuals in the European Economic Area
- California Consumer Privacy Act ("CCPA") / California Privacy Rights Act ("CPRA"), where applicable
- All other applicable national and international data protection laws
By accessing or using our website (spamanager.io), platform, services, or providing us with your personal data, you acknowledge that you have read and understood this Privacy Policy.
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, directly or indirectly, as defined under the PDPA and GDPR.
- "Sensitive Data" means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health data, sexual orientation, criminal records, or disability information.
- "Processing" means any operation performed on personal data, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, dissemination, erasure, or destruction.
- "Data Subject" means the individual to whom personal data relates.
- "Data Controller" means the entity that determines the purposes and means of processing personal data.
- "Data Processor" means the entity that processes personal data on behalf of the Data Controller.
3. Data Controller
The data controller responsible for your personal data is:
SpaManager
Email: privacy@spamanager.io
Website: spamanager.io
Data Protection Officer (DPO): dpo@spamanager.io
4. Data We Collect
4.1 Data You Provide Directly
| Category | Examples | Purpose |
|---|---|---|
| Account Information | Full name, email address, phone number, company/spa name | Account creation, service delivery, communication |
| Business Information | Spa name, team size, branch locations, business type | Service customization, onboarding |
| Billing Information | Billing address, tax ID (where required) | Payment processing, invoicing, tax compliance |
| Communication Data | Messages, support tickets, demo requests, feedback | Customer support, service improvement |
| Staff Data (uploaded by you) | Employee names, contact details, schedules, certifications, wage data | Platform functionality as requested by you |
| Customer Data (uploaded by you) | Your spa customers' names, contact info, visit history, preferences | CRM functionality as requested by you |
4.2 Data Collected Automatically
| Category | Examples | Purpose |
|---|---|---|
| Device & Browser Data | IP address, browser type and version, operating system, device type, screen resolution | Security, compatibility, analytics |
| Usage Data | Pages visited, features used, click patterns, session duration, referral source | Service improvement, analytics |
| Cookie Data | Session identifiers, preference cookies, analytics cookies | See our Cookie Policy |
| Log Data | Server access logs, error logs, timestamps | Security monitoring, debugging, compliance |
4.3 Sensitive Data
We do not intentionally collect sensitive personal data as defined under the PDPA or GDPR. If you upload sensitive data to the platform (e.g., customer health information for spa treatment notes), you do so as the data controller of that data, and you are responsible for obtaining appropriate consent from your data subjects.
5. Legal Basis for Processing
Under the PDPA and GDPR, we process your personal data based on the following legal grounds:
| Legal Basis | Application |
|---|---|
| Consent (PDPA §19, GDPR Art. 6(1)(a)) | Marketing communications, non-essential cookies, newsletter subscriptions |
| Contractual Necessity (PDPA §24(3), GDPR Art. 6(1)(b)) | Providing the SpaManager platform, processing free trial signups, account management, customer support |
| Legitimate Interest (PDPA §24(5), GDPR Art. 6(1)(f)) | Security monitoring, fraud prevention, service improvement, analytics, business communications |
| Legal Obligation (PDPA §24(4), GDPR Art. 6(1)(c)) | Tax compliance, financial record-keeping, responding to lawful government requests, court orders |
6. How We Use Your Data
We use your personal data for the following purposes:
- Service Delivery: Provision, operation, and maintenance of the SpaManager platform
- Account Management: User authentication, authorization, and account administration
- Communication: Responding to inquiries, sending service notifications, onboarding assistance
- Billing: Processing payments, generating invoices, managing subscriptions
- Improvement: Analyzing usage patterns to improve features, fix bugs, and enhance user experience
- Security: Detecting, preventing, and addressing fraud, abuse, security incidents, and technical issues
- Legal Compliance: Meeting legal obligations, enforcing our terms, protecting our legal rights
- Marketing: Sending promotional communications (only with your explicit consent, and with opt-out available at all times)
We will never sell your personal data to third parties. We will never use your data to build advertising profiles without your explicit consent.
7. Data Sharing & Third Parties
We may share your personal data with the following categories of recipients, only to the extent necessary:
7.1 Service Providers (Data Processors)
- Hosting Providers: Cloud infrastructure for platform hosting and data storage
- Payment Processors: For secure payment handling (we do not store credit card numbers)
- Email Service Providers: For transactional and marketing email delivery
- Analytics Providers: For anonymized/aggregated usage analytics
All service providers are contractually bound to process data only as instructed by us, maintain confidentiality, and implement appropriate security measures. Data Processing Agreements (DPAs) are in place with all processors.
7.2 Legal Requirements
We may disclose your data if required to do so by law, court order, or governmental request, including requests from Thai authorities under applicable law.
7.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your personal data may be transferred to the acquiring entity, subject to the same privacy protections described in this policy. You will be notified of any such transfer.
8. International Data Transfers
Your personal data may be transferred to and processed in countries outside of Thailand. When we transfer personal data internationally, we ensure adequate protection through:
- Ensuring the destination country has adequate data protection standards as recognized by the PDPC (Personal Data Protection Committee of Thailand)
- Implementing Standard Contractual Clauses (SCCs) or equivalent safeguards
- Obtaining your explicit consent for the transfer where required under PDPA §28
- For EU data subjects: transfers are conducted in compliance with GDPR Chapter V requirements
9. Data Retention
We retain personal data only as long as necessary for the purposes described in this policy, or as required by law:
| Data Category | Retention Period | Basis |
|---|---|---|
| Active account data | Duration of account + 30 days | Contractual necessity |
| Financial/billing records | 7 years from transaction date | Thai Revenue Code, tax law compliance |
| Support communications | 3 years from last interaction | Legitimate interest (service quality) |
| Marketing consent records | Duration of consent + 1 year | Legal obligation (proof of consent) |
| Server/security logs | 12 months | Legitimate interest (security) |
| Free trial data (not converted) | 90 days after trial expiry | Legitimate interest |
| Deleted account data | 30 days (grace period), then permanently deleted | Contractual terms |
After the applicable retention period, personal data is securely deleted or irreversibly anonymized.
10. Data Security
We implement robust technical and organizational measures to protect your personal data:
- Encryption in Transit: All data transmitted between your device and our servers uses TLS 1.3 encryption
- Encryption at Rest: Stored data is encrypted using AES-256 encryption
- Access Control: Role-based access control with least-privilege principle; multi-factor authentication for administrative access
- Infrastructure Security: Firewalls, intrusion detection systems, DDoS protection, regular security patching
- Monitoring: Continuous security monitoring, anomaly detection, and incident alerting
- Backup: Regular encrypted backups with tested recovery procedures
- Personnel: Background checks for employees with data access; regular security awareness training; confidentiality agreements
- Incident Response: Documented breach response plan with notification procedures compliant with PDPA §37(4) (within 72 hours to PDPC)
NO ABSOLUTE SECURITY GUARANTEE: While we implement industry-standard and commercially reasonable security measures, no method of electronic transmission or data storage is 100% secure. We cannot guarantee that unauthorized third parties will never be able to defeat our security measures. You transmit data to us at your own risk and are responsible for maintaining the security of your account credentials, devices, and networks used to access our platform. For additional detail on shared security responsibilities, please see our Terms of Service, Section 12.
11. Your Rights
Under the PDPA, GDPR, and other applicable laws, you have the following rights regarding your personal data:
| Right | Description | Legal Reference |
|---|---|---|
| Right of Access | Request a copy of the personal data we hold about you | PDPA §30, GDPR Art. 15 |
| Right to Rectification | Request correction of inaccurate or incomplete data | PDPA §35, GDPR Art. 16 |
| Right to Erasure | Request deletion of your personal data (subject to legal retention requirements) | PDPA §33(5), GDPR Art. 17 |
| Right to Restrict Processing | Request limitation of processing in specific circumstances | PDPA §34, GDPR Art. 18 |
| Right to Data Portability | Receive your data in a structured, commonly used, machine-readable format | PDPA §31, GDPR Art. 20 |
| Right to Object | Object to processing based on legitimate interest or direct marketing | PDPA §32, GDPR Art. 21 |
| Right to Withdraw Consent | Withdraw previously given consent at any time (without affecting prior lawful processing) | PDPA §19(5), GDPR Art. 7(3) |
| Right to Lodge a Complaint | File a complaint with the Personal Data Protection Committee (PDPC) of Thailand or relevant EU supervisory authority | PDPA §73, GDPR Art. 77 |
To exercise any of these rights, contact us at privacy@spamanager.io. We will respond within 30 days of receiving your verified request, as required by law. We may need to verify your identity before processing your request.
All data subject requests are logged and tracked for compliance purposes.
12. Children's Privacy
SpaManager is a business-to-business platform designed for spa and wellness business operators. Our services are not intended for individuals under the age of 20 (the age of legal majority under Thai law, Civil and Commercial Code §19) or under 16 (under GDPR). We do not knowingly collect personal data from children. If we become aware that we have collected data from a child without appropriate parental or guardian consent, we will take immediate steps to delete such data.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:
- We will update the "Last Updated" date at the top of this page
- For material changes, we will provide prominent notice (e.g., email notification or in-platform banner)
- Where required by law, we will seek your renewed consent
We encourage you to review this Privacy Policy periodically.
15. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Privacy Inquiries: privacy@spamanager.io
Data Protection Officer: dpo@spamanager.io
General Contact: hello@spamanager.io
If you are not satisfied with our response, you have the right to lodge a complaint with:
- Thailand: Personal Data Protection Committee (PDPC), Office of the Personal Data Protection Committee, Thailand
- EU: Your local data protection supervisory authority