PRIVACY POLICY
The Ralux At Home
THAILAND
*Effective Date:* 30/5/2026
*Company Name:* The Ralux At Home
*Jurisdiction:* Kingdom of Thailand
## 1. Introduction
[Business Name] (“we,” “us,” “our”) operates as a mobile massage service provider in Thailand. We are committed to protecting your privacy in compliance with the *Personal Data Protection Act B.E. 2562 (2019)* (“PDPA”) of Thailand.
This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you book our mobile massage services via our website, phone, or messaging platforms.
## 2. Data Controller Information
For the purposes of the PDPA, [Business Name] is the *Data Controller*. This means we determine the purposes and means of processing your personal data.
*Contact Details:*
– *Business Address:* [Your registered address in Thailand]
– *Email:* [Your Email Address]
– *Phone:* [Your Thai Phone Number]
– *Data Protection Officer (DPO):* [Name/Title] – [Email Address] [Note: Appoint a DPO if you process large amounts of sensitive data; if you are a sole trader/small business, you may list the owner here]
## 3. Personal Data We Collect
Under Thai PDPA, “Personal Data” means any information relating to an identified or identifiable natural person.
### A. General Personal Data
– *Identity Data:* Full name, gender, age.
– *Contact Data:* Home address, hotel name & room number (for mobile visits), phone number, email address.
– *Booking Data:* Appointment history, cancellation records, payment history.
– *Location Data:* GPS coordinates or address provided to help our therapist navigate to your location.
### B. Sensitive Personal Data (Section 26 of PDPA)
Because massage therapy involves health and physical assessment, we may collect the following *Sensitive Data* requiring *Explicit Consent*:
– *Health Data:* Current injuries, surgeries, disabilities, high blood pressure, allergies, pregnancy status, contagious skin conditions, or any medical history relevant to massage safety.
– *Biometric Data:* Physical observations noted by the therapist (e.g., posture analysis, muscle tension levels).
– *Criminal Record Data:* If required for specific venue access (e.g., bookings inside secured condominiums or government buildings).
## 4. Lawful Basis for Processing (PDPA Compliance)
Under Thai law, we cannot process your data without a valid legal basis. We rely on the following:
| *Processing Activity* | *Legal Basis* |
| :--- | :--- |
| Booking appointments & arriving at your location | *Contractual Necessity* (To perform the massage service) |
| Sending appointment reminders & receipts | *Contractual Necessity* |
| Collecting health history & injuries | *Explicit Consent* (Required for Sensitive Data under Section 26) |
| Security footage (if applicable at a fixed office) | *Legitimate Interest* (Protection of property & staff) |
| Tax invoices & accounting records | *Legal Obligation* (Revenue Department of Thailand) |
| Marketing SMS/Emails | *Consent* (You may withdraw anytime) |
## 5. Collection of Sensitive Health Data (Important)
Under *Section 26 of the Thai PDPA*, the collection of health data is generally prohibited unless we obtain your *explicit written or verbal consent*.
*How we obtain it:*
– We will provide you with an intake form (physical or digital).
– By signing or checking the box next to “I consent to the collection of my health data for the purpose of receiving safe massage therapy,” you provide explicit consent under Thai law.
– *Withdrawal:* You may withdraw consent at any time, but this may limit our ability to provide the service safely (e.g., we cannot massage an area with a known injury without knowing about the injury).
## 6. Data Subject Rights (Your Rights under Thai PDPA)
The Thai PDPA grants you specific rights regarding your data. You may exercise these rights by contacting us at [Your Email].
1. *Right to Access:* You can ask us to confirm whether we process your data and request a copy.
2. *Right to Rectification:* You can correct inaccurate or incomplete data.
3. *Right to Erasure (Right to be Forgotten):* You can request deletion of your data, unless we must keep it for legal or insurance purposes (e.g., tax law requires 5-7 years of records).
4. *Right to Restrict Processing:* You can ask us to stop using your data while a complaint is pending.
5. *Right to Data Portability:* You can request your data in a machine-readable format to transfer to another service provider.
6. *Right to Object:* You can object to processing for direct marketing purposes.
7. *Right to Withdraw Consent:* You may withdraw consent for sensitive data or marketing at any time.
*Response Time:* We will respond to your request within *30 days* as required by the PDPC.
## 7. Data Retention
We retain your personal data only as long as necessary for the purposes outlined in this policy, or as required by Thai law.
– *Client Intake Forms & Health Data:* Retained for *[e.g., 5 years]* from the date of your last appointment to comply with professional liability insurance requirements.
– *Booking & Payment Records:* Retained for *[e.g., 7 years]* to comply with the Thai Revenue Code.
– *Marketing Data:* Retained until you withdraw consent.
When the retention period expires, we will securely delete, destroy, or anonymize your data.
## 8. Security Measures
We implement appropriate organizational, technical, and physical security measures to protect your data from unauthorized access, loss, or disclosure, as required by the PDPC Notification on Security Measures.
– *Digital Files:* Encrypted storage with password protection.
– *Paper Records:* Locked filing cabinets at our office (not stored in mobile therapy bags).
– *Mobile Devices:* Therapists use locked devices; client names are not visible on external screens.
## 9. Data Breach Notification
If a personal data breach occurs that poses a high risk to your rights and freedoms, we will notify:
1. *The Personal Data Protection Committee (PDPC):* Within 72 hours of becoming aware of the breach.
2. *You (the Data Subject):* Without undue delay, along with details of the breach and remedial actions.
## 10. Disclosure to Third Parties
We do not sell your personal data. We may share data only in the following circumstances:
– *Third-Party Processors:* We use [e.g., Booking Software, Google Drive, WhatsApp] to manage bookings. We have Data Processing Agreements (DPA) with these vendors as required by Section 38 of the PDPA.
– *Legal Obligations:* To comply with a court order or a request from Thai law enforcement.
– *Insurance Claims:* To submit records to our liability insurance provider in the event of a claim.
## 11. Cross-Border Transfer of Data
If we use cloud software whose servers are located outside of Thailand (e.g., servers in Singapore, USA, or Europe), this may constitute a cross-border transfer of personal data under the PDPA.
We ensure compliance by:
– Using software providers that have adequate data protection standards; or
– Signing the PDPC-approved Standard Contractual Clauses (SCCs) with the data processor.
## 12. Consent for Minors
We do not knowingly collect personal data from persons under the age of 10 without parental consent.
– For children aged 10-18: We require consent from the individual *and* the parent/legal guardian.
## 13. Changes to this Privacy Policy
We reserve the right to update this policy to reflect changes in Thai law (PDPA amendments or PDPC notifications). Material changes will be notified via SMS or email to our active clients.
## 14. Complaints to the Regulator
If you are not satisfied with how we handle your data or a privacy complaint, you have the right to lodge a complaint with the *Office of the Personal Data Protection Committee (PDPC)*.
*PDPC Contact Info:*
– *Website:* [https://www.pdpc.or.th](https://www.pdpc.or.th)
– *Address:* [Government Center, Chaeng Watthana Rd, Bangkok]
---
### Instructions for Mobile Massage Therapists in Thailand:
1. *Translation (Thai Language):* While this English version is for your website, the *PDPA requires* that privacy notices be in clear and plain language. If your clients are Thai nationals, you should provide a Thai translation of the “Consent for Health Data” section. Failing to do so may invalidate your explicit consent.
2. *SME Exemption (RoPA):* If you are a small business (e.g., a sole trader with less than [specific revenue/employee threshold]), you may be *exempt* from maintaining a full “Record of Processing Activities” (RoPA), but you are *NOT exempt* from having this Privacy Policy or protecting Sensitive Data.
3. *Consent Record:* Keep a log of when and how a client gave you consent (e.g., “Client checked box on intake form on Jan 1, 2025”). The burden of proof is on you, the Data Controller.