This Policy applies to personal data of individuals who have or may have a relationship with the Company, where such personal data is processed by the Company. It also covers contractors or third parties who process personal data on behalf of the Company (“Data Processors”) in connection with services such as websites or application systems (collectively, the “Services”). Individuals in relation to the Company under this Policy include visitors or users of the website https://quantumyoung.co.th and related application systems (collectively, “you”). In addition to this Policy, the Company may issue specific Privacy Notices for certain Services to explain what personal data is collected, the purposes and lawful bases of Processing, the retention period, and the rights of data subjects applicable to those Services. In the event of any material inconsistency between such Privacy Notices and this Policy, the provisions of the specific Privacy Notice shall prevail.

    (a.) Company means Quantum Young Co., Ltd.

    (b.) Personal Data means information relating to an individual which enables the identification of such individual, whether directly or indirectly, but excludes the data of deceased persons.

    (c.) Sensitive Personal Data means personal data as prescribed under Section 26 of the PDPA, including race, ethnicity, political opinions, religious or philosophical beliefs, sexual behavior, criminal records, health information, disabilities, trade union membership, genetic data, biometric data, or any other data that may similarly affect the data subject as determined by the Personal Data Protection Committee.

    (d.) Processing means any operation performed on Personal Data, such as collection, recording, copying, organizing, storing, modifying, altering, using, retrieving, disclosing, transferring, disseminating, merging, deleting, or destroying.

    (e.) Data Subject means the individual who owns the Personal Data collected, used, or disclosed by the Company.

    (f.) Data Controller means a person or juristic person with the authority to make decisions regarding the collection, use, or disclosure of Personal Data.

    (g.) Data Processor means a person or juristic person who processes Personal Data on behalf of or in accordance with the instructions of the Data Controller, and who is not the Data Controller.

    The Company collects or obtains various types of Personal Data from the following sources:

    3.1 Directly from you, through channels such as applications, registrations, service use, or communications with the Company at our office or via controlled communication channels.

    3.2 Automatically, through your interaction with the Company’s websites or applications (e.g., tracking website usage behavior via cookies or through software installed on your device).

    The Company may collect or obtain the following types of data:

    4.1 Identification Data (e.g., title, first name, last name, nickname, signature, ID card number, nationality, passport number, household registration data).

    4.2 Personal Characteristics (e.g., date of birth, gender, age, marital status, photographs, spoken language, preferences).

    4.3 Contact Information (e.g., phone number, email address, postal address, online account usernames, residence location).

    4.4 Service Usage Data (e.g., account username, password, PIN, SSO ID, OTP, IP address, geolocation data, browsing history, cookies, device ID, browser details, operating system, photos, videos, voice recordings).

    4.5 Sensitive Personal Data (e.g., race, religion, political views, disabilities, criminal records, biometric data such as facial recognition, health-related data including weight, height, diet, exercise habits, or participation in Company events). Sensitive Personal Data is collected only with your explicit consent, unless otherwise permitted by law.

    The Company uses cookies and similar technologies on its websites (e.g., https://quantumyoung.co.th) or on your devices to ensure service security, enhance user experience, and tailor services to your needs. You may configure or delete cookies through your web browser settings.

    Where consent is legally required, the Company will not collect Personal Data from minors, incompetent persons, or quasi-incompetent persons without obtaining consent from their legal guardian, custodian, or curator, as applicable.

    If the Company later becomes aware that such data was collected without valid consent, it will delete or destroy the data promptly unless otherwise permitted by law.

    The Company collects your personal data for various purposes. The purposes specified below serve only as a general framework for the Company’s use of personal data. Only the purposes related to the services you use or are connected with will be applicable to your data.

    7.1 To perform the Company’s duties and responsibilities, such as achieving the objectives of managing and organizing daily calorie-related activities, including eating, sleeping, traveling, leisure, working, or exercising.

    7.2 To monitor, operate, track, inspect, and manage services to facilitate and align with your needs.

    7.3 To maintain and update information relating to you.

    7.4 To prepare records of personal data processing activities as required by law.

    7.5 To analyze data, including resolving issues related to the Company’s services.

    7.6 For identity verification, authentication, and information validation when you register for the Company’s services, request services, or exercise legal rights.

    7.7 To improve and develop the quality of the website and application to remain up to date.

    7.8 To send notifications, confirm transactions, communicate, and provide information to you.

    7.9 To verify identity, prevent spam, or prevent unauthorized or illegal actions.

    7.10 For any other purposes as agreed between the Company and you from time to time.

    7.11 For public relations and invitations for you to participate in activities, trainings, or seminars, as well as for preparing documents or materials to accompany such activities, trainings, or seminars.

    Under the purposes specified in Clause 7 above, the Company may disclose your personal data to the following categories of persons. The categories listed below are only a general framework for the Company’s disclosure of personal data. Only the recipients relevant to the services you use or are associated with will apply.

    8.1 Internal personnel of the Company, where disclosure will be limited to what is necessary for internal management purposes.

    8.2 Government agencies or authorities to whom the Company is required to disclose information for legal compliance or other significant purposes (e.g., actions for the public interest), such as law enforcement agencies, regulatory or supervisory bodies, or other authorities with important objectives. Examples include the Cabinet, relevant Ministers, Department of Provincial Administration, Revenue Department, Royal Thai Police, Courts of Justice, Office of the Attorney General, Department of Disease Control, Ministry of Digital Economy and Society, Office of the Permanent Secretary to the Prime Minister’s Office, Department of Consular Affairs, Student Loan Fund, etc.

    8.3 Technical advisors or experts.

    8.4 Service providers, contractors, or agents acting on behalf of the Company.

    In certain cases, the Company may need to transfer or transmit your personal data to foreign countries in order to fulfill service purposes, such as transferring personal data to cloud systems with platforms or servers located abroad (e.g., in Singapore or the United States) to support information technology systems situated outside Thailand. This depends on the services of the Company that you use or are involved in for specific activities.

    At the time of preparing this policy, the Personal Data Protection Committee has not yet issued a list of destination countries that are deemed to have adequate standards of personal data protection. Therefore, when it is necessary for the Company to transfer or transmit your personal data to a destination country, the Company will ensure that such data is subject to adequate protection measures in line with international standards, or will proceed under the conditions permitted by law, as follows:

    (a.) Where the transfer or transmission is required by law.

    (b.) Where you have been informed and have given your consent in cases where the destination country does not have adequate standards of personal data protection, in accordance with the list of countries announced by the Personal Data Protection Committee.

    (c.) Where it is necessary for the performance of tasks for important public interest purposes.

    The Company will retain your Personal Data for 10 years, after which it will be deleted, destroyed, or anonymized within 30 days, unless required otherwise for disputes or legal obligations. If you delete your account earlier, the Company will retain your data for 5 years from the date of deletion.

    The Company will maintain the security of your personal data in accordance with the principles of confidentiality, integrity, and availability. Appropriate technical and security standards will be applied to protect your personal data collected through the Company’s website and application from unauthorized access, misuse, loss, destruction, or improper use.

    In addition, the Company will implement personal data security measures that cover administrative safeguards, technical safeguards, and physical safeguards concerning access to or control over the use of personal data (access control).

    The Personal Data Protection Act B.E. 2562 (2019) grants several rights to data subjects. These rights will become effective once the relevant provisions of the law come into force. The details of such rights include:

    12.1 Right of Access. You have the right to request access to, obtain a copy of, and request disclosure of the source of your personal data collected by the Company without your consent, except where the Company is entitled to refuse such request as prescribed by law, court order, or where the exercise of such right may adversely affect the rights and freedoms of others.

    12.2 Right to Rectification. If you find that your personal data is inaccurate, incomplete, or outdated, you have the right to request that it be rectified so that it is accurate, up to date, complete, and not misleading.

    12.3 Right to Erasure (Right to be Forgotten). You have the right to request the Company to erase, destroy, or anonymize your personal data if you believe that it has been collected, used, or disclosed unlawfully, or if the Company no longer needs to retain it for the purposes outlined in this Policy. The exercise of this right will be subject to legal requirements.

    12.4 Right to Restriction of Processing. You have the right to request the restriction of the use of your personal data when you dispute its accuracy or completeness collected by the Company.

    12.5 Right to Object. You have the right to object to the collection, use, or disclosure of your personal data.

    12.6 Right to Withdraw Consent. Where you have given consent to the Company for the collection, use, or disclosure of your personal data (whether given before or after the Act has come into force), you may withdraw your consent at any time during the period in which your data is retained by the Company, except where legal restrictions require the Company to continue retaining such data, or where there remains a contractual obligation between you and the Company that benefits you.

    12.7 Right to Data Portability. You have the right to obtain your personal data from the Company in a format that is commonly readable or usable by automatic tools or devices and to request the Company to transmit or transfer such data directly to another data controller, where technically feasible. The exercise of this right is subject to legal requirements.

    You may exercise your rights as a data subject by contacting the Company’s Data Protection Officer using the contact details provided at the end of this Policy. The Company will notify you of the outcome of your request within 30 days from the date of receipt of your request, using the form or method prescribed by the Company. In case of a refusal, the Company will inform you of the reasons for such refusal through various channels such as SMS, email, telephone, or letter.

    The Company may, at its discretion, review, amend, or modify this Policy as deemed appropriate and will notify you via the Company’s website at https://quantumyoung.co.th, where the effective date of each revised version will be indicated, or through the Company’s application.

    Your continued use of the Company’s services after the enforcement of the updated Policy constitutes your acknowledgment and acceptance of the revised Policy. If you do not agree with the details of this Policy, please discontinue using the services.

    This Policy applies solely to the Company’s services and the use of the Company’s website. If you are redirected to other websites, even through links provided on the Company’s website, you must review and comply with the privacy policies of those websites, which are separate from the Company’s Policy.