Privacy Policy

1. Data Controller

Bodhi Reach operates as the data controller for personal data collected through this website and in the course of providing our compliance advisory services. Our registered place of business is:

Bodhi Reach
199/3 Sukhumvit Road, Soi 21 (Asoke)
Watthana, Bangkok 10110, Thailand
Telephone: +66 2 664 8173
Email: [email protected]

Questions relating to this Privacy Policy or our data handling practices may be directed to the contact details provided in Section 13 of this document.

2. Personal Data We Collect

We collect personal data only where reasonably necessary for the purposes described in this notice. The categories of personal data we may collect include:

• Identity and contact data: full name, job title, organisation name, business email address, business telephone number, and business mailing address
• Enquiry data: the content of messages or questions submitted through our contact form, including descriptions of your organisation's data privacy situation
• Engagement data: records of our communications, meeting notes, and service correspondence
• Technical data: IP address, browser type, operating system, referring URLs, and pages visited on our website, collected automatically via standard web server logs and analytics tools
• Cookie data: preferences and identifiers stored in browser cookies where consent has been obtained — see Section 10 and our Cookie Policy for detail

We do not intentionally collect special categories of personal data (sensitive personal data as defined under PDPA Section 26) through this website. Where sensitive data is inadvertently provided in a free-text enquiry field, we will handle it with additional care and will not retain it beyond the immediate purposes of the enquiry.

3. Lawful Basis for Processing

We rely on the following lawful bases for processing personal data under the PDPA:

• Contractual necessity (Section 24(3) PDPA): processing required to perform a service agreement with you or to take pre-contractual steps at your request, including responding to service enquiries
• Legitimate interests (Section 24(5) PDPA): processing necessary for our legitimate business interests, including website operation, security, fraud prevention, and service improvement, where such interests are not overridden by your interests or rights
• Legal obligation (Section 24(6) PDPA): processing required to comply with applicable Thai laws, court orders, or regulatory requirements
• Consent (Section 19 PDPA): where we have obtained your prior, freely given, specific, informed, and unambiguous consent, including for non-essential cookies and optional marketing communications. Consent may be withdrawn at any time

4. Purposes of Processing

We process personal data for the following purposes:

• Responding to enquiries submitted through our website contact form
• Communicating with prospective and current clients about service proposals, project progress, and deliverables
• Preparing and issuing service proposals, invoices, and engagement documentation
• Delivering the compliance advisory services you have engaged us to provide
• Operating, maintaining, and improving the functionality and security of our website
• Analysing aggregate and anonymised website traffic patterns to understand how visitors use our site
• Complying with our legal and regulatory obligations as a service provider in Thailand
• Sending service-related communications where you are an existing client
• Sending optional information about our services where you have consented to receive such communications

We will not use your personal data for purposes that are incompatible with those listed above without first notifying you and, where required, obtaining your consent.

5. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected and to comply with applicable legal retention requirements. Our general retention guidelines are as follows:

• Enquiry records: contact form submissions that do not proceed to an engagement are retained for up to 12 months from the date of submission
• Client records: records relating to completed service engagements are retained for a minimum of 5 years from the close of the engagement, in accordance with standard professional service record-keeping practice and applicable Thai commercial law
• Website analytics data: aggregate analytics data is retained for up to 26 months; individual IP-level data is not retained beyond 30 days
• Marketing consent records: records of consent and consent withdrawal are retained for 3 years following the last interaction

When personal data is no longer required, we will delete or anonymise it securely. Where full deletion is not immediately practicable (for example, in back-up archives), we will isolate the data from further processing until deletion is possible.

6. Sharing and Disclosure

We do not sell, rent, or trade your personal data. We may share personal data in limited circumstances with:

• Technology service providers: companies that provide website hosting, email delivery, analytics, and similar technical services on our behalf, acting as data processors under written data processing agreements
• Professional advisors: lawyers, accountants, or auditors where necessary in connection with our business operations, subject to professional confidentiality obligations
• Regulatory authorities: Thai government agencies, courts, or law enforcement where required by applicable law or a lawful order
• Business successors: a purchaser or successor entity in the event of a merger, acquisition, or transfer of substantially all of our business assets, subject to the successor being bound by this Privacy Policy

Any third party receiving personal data from us is required to handle it in a manner consistent with applicable data protection law and our instructions.

7. Cross-Border Transfers

Some of our technology service providers may process personal data on infrastructure located outside Thailand. Where personal data is transferred to a country or territory outside Thailand, we ensure that such transfers are conducted in compliance with the cross-border transfer requirements of the PDPA, including by:

• Transferring to destination countries that the PDPA Committee has recognised as providing an adequate level of protection
• Implementing appropriate safeguards such as standard contractual clauses approved under the PDPA, where applicable
• Relying on binding corporate rules where the receiving organisation has established and enforces such rules

You may request further information about the specific safeguards in place for any cross-border transfer by contacting us using the details in Section 13.

8. Your Rights Under the PDPA

As a data subject under Thailand's Personal Data Protection Act, you have the following rights in relation to your personal data:

To exercise any of these rights, please contact us using the details in Section 13. We will respond within 30 days of receipt of a valid request. We may ask you to verify your identity before processing your request. There is no charge for submitting a request, although we may charge a reasonable fee for manifestly unfounded or excessive requests. If you believe your rights have not been respected, you have the right to lodge a complaint with the Personal Data Protection Committee of Thailand.

9. Security Measures

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, alteration, or disclosure. These measures include:

• HTTPS encryption for all data transmitted through our website
• Access controls limiting personal data access to personnel with a legitimate need
• Regular review of access permissions and security configurations
• Secure handling procedures for data received through client engagements
• Staff awareness of data protection obligations

No system is entirely without risk. If we become aware of a personal data breach that poses a risk to your rights and freedoms, we will notify the Personal Data Protection Committee within 72 hours and, where the risk is high, we will also notify affected individuals without undue delay.

10. Cookies

Our website uses cookies and similar tracking technologies. Essential cookies necessary for the website to function are placed on the basis of our legitimate interests. Non-essential cookies, including analytics and marketing cookies, are placed only with your consent, which you may provide or withdraw using the cookie consent tool presented on your first visit to our site.

For full details of the cookies we use, their purpose, their duration, and how to manage your preferences, please see our Cookie Policy.

11. Minors

Our website and services are directed at business professionals and organisations. We do not knowingly collect personal data from individuals under the age of 20 years. If we become aware that personal data of a minor has been collected without appropriate parental or guardian consent, we will take steps to delete it promptly. If you believe we have inadvertently collected such data, please contact us using the details in Section 13.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, applicable law, or regulatory guidance. When we make material changes, we will update the "Last Revised" date at the top of this page. We encourage you to review this notice periodically. Where changes are significant, we may also notify clients directly by email. Continued use of our website or services after an updated policy has been posted constitutes your acknowledgment of the revised terms.

13. Contact Us

To exercise your data subject rights, submit a privacy enquiry, or raise a concern about how we handle your personal data, please contact us through any of the following channels:

We aim to respond to all privacy-related enquiries within 30 calendar days. For complex requests, this period may be extended by a further 60 days, in which case we will inform you of the extension and the reasons for it.