Investree (Thailand) Company Limited, as the licensed operator of the Crowdfunding Portal (hereunder referred to as the “Service Provider”) gives highest priority to the privacy of you: (a) who contact the Service Provider via various communication channels, both online and offline; (b) who visit our website; (c) who is the issuer of the equity / debt crowdfunding on the platform (the “Issuer”); and (d) the investor who invest in the equity / debt crowdfunding (the “Investor”) (collectively referred to as the “Users”).

In acknowledgement of the privacy and the information security of the Users, this Privacy Notice (the “Notice”) has bee made and announced by the Service Provider. Upon the registration to use any services provided by the Service Provider, the Service Provider shall deem that the Users acknowledge and accept the personal data processing undertaken by the Service Provider as defined under this Notice. It should be noted that the personal data being processed pursuant to this Notice is critical for the performance of the contractual and legal obligations of the Service Provider, in particular under the Terms of Services; therefore, in case the User does not accept or permit the Service Provider to process any personal data as defined under this Notice, the Service Provider reserves the right to refuse to provide relevant services to the Users.

The Service Provider reserves the right to make any amendment to this Notice from time to time to reflect the change in the relevant laws or the change in the services to be provided by the Servicer Provider to the Users; provided that the Service Provider will announce the revised Notice on the Platform. In case that the User continues to use the relevant services and the crowdfunding platform (the “Platform”) after the amendment made on the Notice, it shall be deemed that the Users accept the amended Notice.

Definitions

“Personal Data” in this Notice shall be interpreted pursuant to the Personal Data Protection Act of Thailand (“PDPA”) and shall refer to the personal identifiable information of any individual Users, including without limitation name, contact information and identification information that the Service Provider may access or obtain from the Users from the use of Platform; from any other coordination in the use of relevant services (the “Services”); or from the third party data sources that the Service Provider will notify the Users of those relevant sources.

“Data Subject” means (1) any individual who contact or visit the Platform; (2) any individual Investor; (3) any individual relating to the Issuer or the corporate Investor, including majority shareholders, the authorized directors, beneficial owner, the delegated agent, employee or other relevant individual that may be appointed to coordinate with the Service Provider for the use of the Platform and/or Services; including any other individual customer or vendors of the Issuer that the Issuer may submit their relevant personal data to the Service Provider for the due diligence and suitability assessment process of the relevant Issuers (the “Relevant Persons”).

Data Sources of the Personal Data

The Service Provider may obtain the Personal Data of the Users and/or the Data Subject from various data sources both directly and indirectly, including the following data sources:

• Directly from the Data Subject that the Data Subject may provide to the Service Provider during the registration or provide any information on the Platform or any other platform that the Service Provider may define for the collection of the Users’ information; or during the communication and coordination between the Service Provider and the relevant Data Subject via various communication channels defined by the Service Provider, including through the complaint management or the inputs made on web board that the Service Provider shall provide for the communication with the Users.

In case that the Users provide the information of the Relevant Persons to the Service Provider, the Service Provider shall deem that the Users give representations and warranties that the Users have the legitimate rights under PDPA to share and disclose the Personal Data of the Relevant Persons to the Service Providers to process pursuant to the terms and conditions of this Notice.

• Indirectly from other Sources that include: (1) from the business partners that the Users may give consent to them to disclose the Personal Data to us; or (2) from the external service provider that Service Provider may be necessary to link to transfer the Personal Data of the Data Subject to check service eligibility or for the successful completion of related transactions in the crowdfunding process, for the benefit of the Users, which may include commercial banks as custodians, including publicly available sources, government databases, Credit Bureau, or identity verification database providers.

Personal Data that the Service Provider is Necessary to Process

In order to provide a platform for crowdfunding and the sale of securities under the supervision of the Securities and Exchange Commission (the “SEC“), the Service Provider is required to collect, process, and use the personal data of the data subject in the following manner:

1.     Information for verifying the identity of the Data Subject, which the Data Subject may provide the Service Provider during initial communication or during the process of verifying the identity of the Data Subject, including name, surname, contact information (including telephone number and e-mail), and place of birth, date of birth, nationality, status, and identity card information (including number, information, the number of the laser code on the back of the identification card, issue date and expiration date, including the photograph), the address specified in the identification card and the current address, education, occupation, position, and income source, a photograph of the Data Subject’s face that must be used by the company’s system for biometric comparison, the Service Provider will first request consent from the Data Subject, but reserves the right to refuse if the Data Subject does not consent to the disclosure of such information. This may include other identity verification and qualification forms, such as FATCA forms.

2.     Information for assessing Issuer qualifications, including education, experience and expertise, credit bureau information of persons related to the juristic person and other information that may be collected, compiled and processed during the liaison, document review and an interview to assess the qualifications to be an Issuer, including information of Related Person of the juristic person who is a customer or a partner of the Issuer which the Issuer may submit to the Service Provider to assess the suitability of the issuance and offer for sale of crowdfunding securities.

3.     Information for assessing Investor qualifications, especially Investors with specific characteristics as defined by the SEC, which may include, but are not limited to, documents showing the financial position (assets or income) or documents showing expertise, past business or investments of such Investors.

4.     Electronic data that can identify the User’s identity (Online Identifier), including username/password information about devices used by the Users to connect to the Platform or contact the Service Provider, such as IP address , device ID, device type, mobile network data connection information, geolocation data, type of browser (Browser), platform access, log information, Website information that the Users accesses before and after connecting to the Platform (Referring Website), Platform usage behavior (Customer Behavior) (including search information use of various functions on the Platform) and information that the Service Provider collects through cookies or other similar technologies.

For the use of cookies, the Users acknowledges that the Service Provider has installed “cookies” which are computer files that temporarily store necessary information into the Users’ computer for the convenience of the Users’ use of the Platform. The Users can set the use of such cookies. However, the cookies will expire or expire at the end of the system or connect on the Platform or until the Users deletes “cookies” from the Service Provider’s computer, or the Service Provider does not allow those cookies to work anymore.

5.     All transaction data that the Users may use the Services through the Platform, including any transaction data through the Users’ account, the electronic signature data, subscription order information for crowdfunding securities, information for transferring or accepting the transfer of crowdfunding securities, transaction details, transaction purpose, transaction history, payment details and history, withholding tax information, Platform history log information (Login Log), transaction log, access time.

6.     Other Personal Data that the Users may provide to the Service Provider, including but is not limited to photographs (still and moving images) of the Users who may participate in activities or training (Event / Webinar) that the Service Provider may provide either online or offline, testimonial information or Users opinions that the Users may provide about the Service Provider, Platform and/or other services, or any other Personal Data that the Users may contact and notify the Service Provider during the communications between the Users and service providers which may include, but is not limited to, information, details, matters requiring information from the Service Provider, complaints or comments, various requests for the exercise of rights, opinion poll assessment results and record communications or interactions between you and the company; record audio, photographs, motion pictures, audio clip Log / Chat – Bot etc.

Purpose of Processing of Personal Data of the Data Subject

For the provision of services related to the Platform for fundraising and issuing crowdfunding securities to the Users, the Service Provider is necessary to collect, process, and use the Personal Data. (as stated above) of the Data Subject with the following purposes:

1.     For the performance of legal duties of the service provider, as a provider of securities issuing and offering for sale of securities for crowdfunding under the supervision of the SEC and regulatory authorities under other laws. The Service Provider is necessary to process the Personal Data of the Data Subject for the following sub-purposes:

• Identification and verification, including the operation of getting to know the Users as specified in the guidelines for using technology in getting to know customers as specified by the SEC. This includes authentication, identity verification, getting to know customers in-depth and reviewing the Users’ information as the company customers.
• Verification of identity and qualifications of the Users, especially (1) to test Investor’s understanding of investment and checking the qualifications of being a unique Investor, investigate Investor’s subscription transactions to limit the investment value of individual Investors’ equity securities and ( 2) to undertake due diligence checks and the suitability of the Issuer, assess credit and credibility in issuing crowdfunding securities and assess the creditworthiness and risk level of crowdfunding securities.
• Preparation of tax accounting documents of the Service Providers, including facilitating tax payment services for the Users. (by assignment or authorization).
• Reporting the results of the offering and fundraising to the SEC and other regulators that the company may be subject to laws, including notifications and regulations issued under such laws both in force at the moment to be further amended or to be held in the future, or court order, an order of government authorities of other regulatory authorities.

2.     For the performance of duties that the Service Provider has under the terms of service, in which the User is a contractual party with the Service Provider or in order for the Service Provider to act upon the User’s request before entering into the agreement, the Service Provider is necessary to process the Personal Data. of the Data Subject for the following sub-purposes:

• Providing information related to the Services as the User may contact and/or request from the Service Provider before opening an account and throughout the Services. This may include, but is not limited to, providing preliminary information or providing information for the management of any complaints that the Service Provider may have.
• Identification of the Users who perform various transactions on the Platform, coordination between the execution of the transaction, the use of the Platform, and the use of other services, from the beginning until the completion of all transactions, subject to the terms of services specified by the Service Provider. This includes but is not limited to coordinating with the Issuer and Investor during the process (1) offering and subscription for crowdfunding securities, (2) matching between the Users, (3) preparation of crowdfunding securities documents, and appointment of agents of crowdfunding securities holders (if necessary), (4) tracking of crowdfunding securities subscription payment and delivery of crowdfunding securities, and (5) monitoring the performance of service users under the provisions on rights and duties of securities issuers and holders of crowdfunding securities.
• Tracking and auditing transactions made through the Platform, such as the use or execution of transactions related to the user account, data change system usage, verifying and confirming of transactions, verifying and updating transactions, of reports related to transactions for the benefit of tracking and traceability by the Users.
• Performing other rights and duties of the Service Provider, such as following up with any and all sums that the Users may owe to the Service Provider, communicating information about the Services, additional services, the service usage of the Platform, and other information that the Service Provider must notify the Users of the use of the Services and the use of the Platform, including the performance of any other contractual obligations that the Service Provider may have with the Users.

3.     For the benefit of using and maintaining the legitimate interests of the Service Provider, without overly affecting the rights of the Data Subject, the Service Provider is necessary to process the Personal Data of the Data Subject for the following sub-purposes:

• Managing, improving the business relationship and the provision of the Services that the Service Provider will perform for the Users, especially for the development and improvement of the Service Provider’s Platform and service system; to provide more efficient service handling or investigation of any complaints or disputes, troubleshooting, analyzing, researching and/or producing statistical data for use in the development of internal services of the Service Provider, including but not limited to modelling and/or study, analyze and track the total portfolio ratio.
• Other operations to protect the legitimate rights of the Service Providers, such as risk management related to the Services of the Service Provider, enforcement of statutory or contractual rights, including without limitation litigation or related legal process, compliance monitoring within the company risk management, internal supervision etc.

4.     In case of receiving consent from the Users, the Service Provider may use the Data Subject’s Personal Data according to the purposes for which each Data Subject may have given consent for a specific purpose. This may include but is not limited to:  

• Collecting, using and/or disclosing sensitive personal data, such as facial recognition or the Related Person of the juristic person that the Service Provider needs to process for identity verification of the Users.
• Marketing communications, public relations, delivering product offers and/or services of the Service Provider, including delivering news, helpful advice and appropriate promotions to the Users.

However, in the process of processing the Personal Data of the Data Subject, the Service Provider may need to send or transfer the Personal Data of the Data Subject to external service providers located abroad, which may include affiliates as the Issuer qualifications assessment committee including information technology system providers or service provider or cloud systems or servers located in foreign countries. To benefit from the performance of the Service Provider’s contractual duties to the Users, the Service Provider guarantees the security of the Personal Data that is transmitted and disclosed or transferred abroad to meet the standards as specified under the Personal Data Protection Act.

Period of the Personal Data Retention

The Service Provider is necessary to keep the Personal Data of each Data Subject (1) throughout the period in which the Service Provider is necessary to perform its rights and duties for the benefit of the Users (2) according to the period specified under the relevant laws and (3) for the benefit of providing services and protecting legitimate rights, the Service Provider reserves the right Keep the Personal Data of the User is the maximum period according to the prescription required by applicable laws.

Transferring and Disclosing of the Personal Data to Third Parties

Generally, the Service Provider will keep the Data Subject’s Personal Data confidential. However, with reference to the defined Personal Data processing purposes, the Service Provider may be required to disclose the Personal Data from time to time to third parties; provided that the Service Provider will disclose the Personal Data only on a need-to-know basis as follows:

1.     Other Users involved in the issuance and offering process of crowdfunding securities, in particular, disclosing the Personal Data of persons related to the Issuer’s juristic person to the Investor for investment consideration and disclosing the Personal Data of the Investor to the Issuer for the preparation and delivery of securities, crowdfunding, and liaison with each other for the execution of transactions under the offering documents and related terms and conditions documents.

2.     Third-party service providers who provide services and supporting services to the Service Providers. This may include, but is not limited to, databases service providers for identity verification and user eligibility in both the public and private sectors, banks, custodians, Information technology system providers, payment and accounting service providers or consultants for the business operation and operation of the Platform or any other services of the Service Provider.

3.     Government authorities, especially the SEC Office, where the Service Provider is obliged to disclose information in accordance with applicable laws and regulations or orders, including disclosure to the court arbitrators and/or governmental bodies of laws, regulations, and ordinances.

4.     Any other third parties that the Data Subject and/or the Users provide consent to the Service Provider to disclose information to them.

Use of Cookies

In order to provide the Platform to the Users, the Service Provider is necessary to use cookies. (or other similar technologies) which look like text files in the Users’ browser to store records of internet usage or website browsing behavior of the Users. The information will be used to improve the Platform’s performance to the Users. However, the Service Provider needs to use many types of cookies for different purposes. It is divided into 4 types as follows:

1.     Strictly Necessary Cookies, which are cookies that are very necessary for the operation of the Platform to service to the Users, e.g., the selection of crowdfunding securities, before confirmation of purchase, etc.

2.     Functionality Cookies, which are cookies that remember what the Users choose or set on the Platform, such as user account name, font language, and presentation style, to display platform content that meets the individual needs of the Users according to the selected settings.

3.     Performance Cookies, which are cookies that assess the performance of each part of the Platform. An external service provider may operate this category, and

4.     Advertising Cookies, which are cookies used to provide related services that are relevant to the interests of the Users. Third party service providers may operate such cookies.

As for cookies other than Strictly Necessary Cookies, with the consent of the Users, the Service Provider will use such cookies for the specific purpose specified.

Measures to Maintain the Confidentiality of the Personal Data

To provide security for the Personal Data of the Data Subject, the Service Provider establishes a data control policy on the confidentiality, accuracy and availability of all Personal Data the Service Provider may need to process. The right to access the Personal Data, disclosure and processing of the Personal Data is set and limited on a need to know basis. The Service Provider also establishes measures to ensure the security of the system and additional Personal Data in order to protect all the Personal Data from being destroyed or intruded on by malicious people or those who do not have the right to access information. The Service Provider uses industry-standard, advanced data security standards, and the Service Provider requires inspection and assessment of security risks on the system consequently, at least once a year, including providing appropriate backups to build confidence in the Services.

Rights of the Data Subject

The Service Provider respects the rights under the applicable laws of the Data Subject above personal of such person under the protection of the Service Provider. Therefore, the Service Provider allows the Data Subject various rights which can be exercised under the provisions of the law. Such rights are: (1) the right to withdraw consent at any time, provided that, the withdrawal of consent will not affect the collection, use and/or disclosure of the Personal Data that was carried out before the withdrawal of consent. However, except in the case of exercising the right to withdraw consent to the use of a facial recognition, if such consent is withdrawn, the Service Providers who are obligated under applicable laws to collect and compile such data may reserve the right to refuse the request to withdraw such consent; (2) the right to request access to the information; (3) the right to request a data transfer that the Service Provider will provide that Personal Data in formatted to be readable or usable by tools or devices that work automatically unless it is unable to do so due to technical reasons; (4) the right to object to the processing; (5) the right to request the deletion or destruction of the data or make the Personal Data non-identifiable if the Service Provider no longer needs to keep it for the purposes involved in this Notice. In this regard, for the User’s identity verification information that the Service Provider is legally obliged to keep, the Service Provider reserves the right to refuse to exercise the right to delete or destroy such personal data. During the period the Service Provider is required to retain such data by applicable laws (6) the right to request to suspend the use of information if it is in the process of reviewing the request to exercise the right to modify personal data or request an objection or in the case of personal data that must be deleted or destroyed; (7) the right to request that the User’s Personal Data be corrected, current, complete and does not cause misunderstanding; or (8) the right to make a complaint to the relevant authorities if the Data Subject believes that the collection, use and/or disclosure of the Personal Data is in a manner that violates or fails to comply with applicable laws.

Contact Information of the Service Provider as the Data Controller

Investree (Thailand) Company Limited

1025 Yakult Building, Floor 15th, Phahon Yothin Road, Phayathai, Phayathai, Bangkok 10400

Telephone: 02-258-6589

Data Protection Officer: DPO@investree.co.th