1. Introduction
This Privacy Policy ("Policy") explains how BEST SOLUTION (THAILAND) CO.,LTD. ("we", "BestsoGroup") collects, uses, discloses, and protects the personal data of users ("you", "user") of our platforms, including BestsoGroup.com, sso.bestsogroup.com, account.bestsogroup.com, our mobile applications, and all 50 platforms within the ecosystem (collectively, the "Service").
By signing up for or using our Service, you accept and agree to the terms of this Policy.
2. Information We Collect
We only collect personal data necessary to operate the Service. Categories include:
- Account data: email, full name, phone number, password (stored as bcrypt hash only — we cannot view your password), date of birth, gender, language, timezone.
- Social sign-in data: when you sign in with Google, Facebook, or LINE, we receive a user ID from that provider along with your email, name, and profile photo (only what you authorize). We do not store your social account password.
- Transaction data: order history, payments, BestaCoin balance, shipping addresses, payment methods (credit card numbers are stored only as tokens — the actual card data is held by PCI-DSS-compliant payment processors).
- Technical data: IP address, browser type, operating system, device data, usage metrics (pages viewed, time spent), cookies, and other tracking technologies used to maintain security and improve user experience.
3. How We Use Your Data
We use your data for the following purposes:
- Provide the Service you requested — account creation, order processing, delivery of goods/services.
- Authenticate and secure your account (2FA, anomalous-login detection).
- Send service-related communications (password reset, email verification, security alerts).
- Send marketing and promotional content (only with your explicit opt-in — you can unsubscribe anytime).
- Comply with legal obligations, such as keeping tax invoices under Thai accounting law and meeting AML/KYC requirements.
- Prevent fraud, abuse, and misuse of the Service.
- Analyze usage to improve the Service (aggregated, non-identifiable data).
4. Legal Basis for Processing (PDPA)
We process your data on the following legal grounds under the PDPA (consent under Section 19; the other bases under Section 24):
- Consent — e.g. for sending marketing materials.
- Contract performance — providing the Service you subscribed to.
- Legitimate interest — security and fraud prevention.
- Legal obligation — tax record-keeping, anti-money-laundering compliance.
5. Sharing Your Data with Third Parties
We do not sell your data, but we may share it with third parties in the following cases:
- Essential service providers — Cloudflare (CDN/Hosting), Railway (servers), Resend (email), ThaiBulkSMS (SMS), payment gateways (e.g. Omise, PromptPay).
- Partner platforms within the BestsoGroup ecosystem — when you sign in via SSO, basic profile data (name, email, photo) is shared with the child platform you log in to.
- Government agencies — pursuant to a court order, search warrant, or lawful request from the Revenue Department, DSI, or law-enforcement bodies.
- Business transfers — if the company is sold or merged, your data may be transferred to the acquiring party (with advance notice to you).
6. International Data Transfers
Most of your data is stored on servers in Thailand (Railway data center). However, some services we use (e.g. Resend, Cloudflare) may store data in Singapore or the United States. We choose only providers with data-protection standards equivalent to or stricter than PDPA.
7. Data Retention
We retain your data only as long as needed:
- Active accounts — for as long as the account remains open.
- Closed accounts — kept for 90 days to allow recovery, then permanently deleted.
- Transaction records — kept for 10 years per Thai accounting and tax law.
- Audit logs — kept for 7 years (for fraud prevention and legal investigation).
8. Your Rights as a Data Subject (PDPA Sections 30–37)
Under the PDPA, you have the following rights:
- Right of access — request a copy of the data we hold about you.
- Right to rectification — correct inaccurate data.
- Right to erasure — request deletion (subject to legal limits, e.g. accounting records).
- Right to restrict processing — limit how we use your data.
- Right to object — object to processing in certain cases.
- Right to data portability — receive your data in a machine-readable format.
- Right to withdraw consent — revoke previously-given consent.
- Right to file a complaint with the Personal Data Protection Committee (PDPC).
Exercise your rights at account.bestsogroup.com → Security → Data Controls, or email our DPO at privacy@BestSoGroup.com.
9. Security Measures
We use technical and administrative controls to protect your data:
- Passwords hashed with bcrypt (rounds=12) — your plaintext password is never stored.
- All data in transit encrypted with HTTPS/TLS 1.3.
- Multi-factor authentication (2FA) — TOTP and SMS OTP supported.
- JWT token rotation; refresh tokens are placed on a denylist at logout so they cannot be reused.
- Audit logs record every access to sensitive data.
- Regular internal security audits.
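The two password and session controls named above, as an added example that is not BestsoGroup's code: an audit helper that checks stored password hashes really are bcrypt at cost 12 (by parsing the `$2b$12$` prefix, so no bcrypt library is needed), and an in-memory refresh-token store with rotation, a logout denylist, and reuse detection (presenting an already-rotated or logged-out token revokes the whole token family). The token format, the class and function names, and the sample hash rows are assumptions constructed for this demonstration; a real deployment would back the store with a database or Redis.

```python
"""Added example, not BestsoGroup's code. Demonstrates two controls from the
policy's Security Measures section: a bcrypt cost audit and refresh-token
rotation with a denylist. Token format and storage are assumptions."""
import hashlib
import hmac
import re
import secrets
import time

# bcrypt modular-crypt format: $2a|2b|2x|2y$<2-digit cost>$<22-char salt><31-char hash>
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")


def bcrypt_cost(stored_hash: str) -> int:
    """Cost factor (log2 rounds) encoded in a bcrypt string; ValueError if it
    is not bcrypt at all, which is itself an audit finding (legacy column)."""
    m = BCRYPT_RE.match(stored_hash)
    if not m:
        raise ValueError("not a bcrypt hash")
    return int(m.group(1))


def audit_password_hashes(rows, required_cost=12):
    """Return user ids whose stored hash is not bcrypt at >= required_cost.
    rows: iterable of (user_id, stored_hash)."""
    weak = []
    for user_id, h in rows:
        try:
            if bcrypt_cost(h) < required_cost:
                weak.append(user_id)
        except ValueError:
            weak.append(user_id)
    return weak


class RefreshTokenStore:
    """Refresh-token rotation with a denylist. In-memory dicts stand in for the
    database a real service would use (assumption for the demo)."""

    def __init__(self, secret: bytes, ttl_seconds: int = 30 * 24 * 3600):
        self._secret = secret
        self._ttl = ttl_seconds
        self._active = {}      # token -> (user_id, family_id, expires_at)
        self._denylist = {}    # token -> family_id (rotated or logged-out)
        self._revoked_families = set()

    def _mint(self, user_id, family_id):
        body = f"{user_id}.{family_id}.{secrets.token_urlsafe(24)}"
        tag = hmac.new(self._secret, body.encode(), hashlib.sha256).hexdigest()
        token = f"{body}.{tag}"
        self._active[token] = (user_id, family_id, time.time() + self._ttl)
        return token

    def _valid_signature(self, token):
        body, _, tag = token.rpartition(".")
        expected = hmac.new(self._secret, body.encode(), hashlib.sha256).hexdigest()
        return bool(body) and hmac.compare_digest(tag, expected)

    def _revoke_family(self, family_id):
        self._revoked_families.add(family_id)
        for t, (_, fam, _) in list(self._active.items()):
            if fam == family_id:
                self._active.pop(t)
                self._denylist[t] = fam

    def login(self, user_id):
        """Start a new token family for a fresh login."""
        return self._mint(user_id, secrets.token_hex(8))

    def rotate(self, token):
        """Exchange a refresh token for a new one: (new_token, user_id) or None.
        A denylisted token means reuse of a stolen or stale token, so the whole
        family is revoked and both attacker and victim must log in again."""
        if not self._valid_signature(token):
            return None
        if token in self._denylist:
            self._revoke_family(self._denylist[token])
            return None
        entry = self._active.get(token)
        if entry is None:
            return None
        user_id, family_id, expires_at = entry
        if time.time() > expires_at:
            self._active.pop(token)
            return None
        self._active.pop(token)
        self._denylist[token] = family_id   # old token is now single-use spent
        return self._mint(user_id, family_id), user_id

    def logout(self, token):
        """Denylist the presented token so it cannot be reused after logout."""
        entry = self._active.pop(token, None)
        if entry:
            self._denylist[token] = entry[1]

    def is_usable(self, token):
        return token in self._active
```

The audit helper only reads the hash prefix, so it can run read-only against a user table export; a failing row is either a cost below 12 or a non-bcrypt value left over from an older scheme. The reuse rule in `rotate` is stricter than a plain denylist: a replayed token does not just fail, it ends the session family, which is what turns a leaked refresh token into a logged-out user rather than a silent long-lived session.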
10. Cookies and Tracking Technologies
We use cookies to manage login sessions (essential cookies — required for the Service) and may use analytics cookies to understand usage (optional — you may decline) via vetted partners. You can manage cookies through your browser settings.
11. Children's Data
Our Service is designed for users aged 18 or older, or those with parental consent. If you are a parent and believe your child has provided data to us without consent, please contact us to delete the data immediately.
12. Changes to This Policy
We may update this Policy from time to time. Material changes will be communicated at least 30 days in advance via email or in-app notice. The "Last updated" date at the top of this page reflects the latest version.
13. Contact Us
For questions about this Privacy Policy or to exercise your rights, contact our Data Protection Officer (DPO):
- DPO email: privacy@BestSoGroup.com