Privacy Policy

Who we are: "D&A Group", "we", "us" or "our" means any and/or all of: (i) Dej‑Udom & Associates, (ii) Dej‑Udom & Associates Ltd., (iii) Business Guardian Ltd., (iv) Wisdom Guardian Co., Ltd., and (v) Digital Corporate Management Co., Ltd.

This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and the rights you can exercise under Thailand's Personal Data Protection Act B.E. 2562 (2019) (PDPA). Nothing in this Policy limits your rights under the PDPA.

1) Scope

This Policy applies to personal data we process when you use our websites, apps, and online services that link to it; when you engage our legal, consulting, or digital services; when you visit our premises or attend events; and when you communicate with us (collectively, the Services).

2) Key definitions

  • Personal Data (PD): information relating to an identified or identifiable person (excluding deceased persons).
  • Sensitive Personal Data: e.g., health, biometric, genetic, criminal records, racial/ethnic origin, political opinions, religious or philosophical beliefs, sexual life/behaviour, disability, trade‑union information.
  • Data Controller / Data Processor: as defined by the PDPA.

3) What we collect

Depending on how you interact with us, we may collect:

  • Identity & contact: name, national ID/passport details, date of birth, job title, organization, addresses, phone, email, signatures.
  • Matters & engagement data: information you provide to obtain advice or services, instructions, documents, filings, due‑diligence/KYC data, conflict‑check information.
  • Payment & commercial: invoices, payments, tax details.
  • Communications & preferences: enquiries, emails, call notes/recordings (where lawful), marketing preferences.
  • Online & device data: log files, IP address, device/browser type, pages viewed, referrers, approximate location, cookie identifiers and similar technologies.
  • Events & premises: event registrations and CCTV at our Bangkok offices for safety and security.
  • Recruitment: CVs, qualifications, references, background checks (where lawful).

We do not seek to collect sensitive personal data unless necessary and lawful (e.g., client representation, employment screening), and we apply additional safeguards.

4) Where we get your data

  • Directly from you (forms, emails, calls, meetings, events, webinars).
  • Automatically from your device when you use our sites/apps (see "Cookies").
  • From third parties (referrers, counterparties, professional advisers, regulators, public records, screening/KYC providers), as permitted by law.

5) Our legal bases (PDPA)

We process PD where one or more of the following apply:

  • Consent (including explicit consent for sensitive data).
  • Contract (to enter into or perform a contract with you or your organisation).
  • Legal obligation (e.g., KYC/AML, accounting, court orders).
  • Vital interests (to protect life).
  • Public interest (exercising official authority where applicable).
  • Legitimate interests (e.g., to deliver and improve our Services, manage security, prevent fraud), balanced against your rights.

6) How we use personal data

  • Deliver Services: provide legal and consulting services, manage files, filings, and court/agency submissions; client onboarding, KYC/AML, engagement administration.
  • Operate our business: record‑keeping, billing, accounting, audits, risk management, training, quality assurance.
  • Communications: respond to enquiries, send service messages, updates on your matter, and—where permitted—marketing communications you can opt out of at any time.
  • Recruitment: assess applications, schedule interviews, manage offers.
  • Security & fraud prevention: protect our systems, premises, and users.
  • Compliance: meet legal obligations, cooperate with authorities, enforce rights.

7) Marketing choices

  • Emails & newsletters: use the unsubscribe link in any email or email us at dej‑udom@dejudom.com.
  • Push notifications (apps): manage via your device settings.
  • Cookies/analytics: see "Cookies" below to control optional cookies.

8) Cookies & similar technologies

We use necessary cookies to run the site and optional analytics cookies to understand usage and improve content. Where required, we obtain consent for optional cookies. You can manage preferences via our Cookie banner or your browser settings.

9) Sharing your data

We share PD only as needed, with safeguards:

  • D&A Group companies (see "Who we are") for intra‑group operations.
  • Service providers/processors: IT hosting, cloud, email, videoconferencing, analytics, e‑signature, records management, marketing platforms, payment processors—bound by contracts and confidentiality.
  • Professional advisers & counterparties: counsel, experts, consultants, investigators, translators.
  • Authorities & courts: regulators, law enforcement, courts, arbitral bodies, when required or advisable.
  • Corporate transactions: business reorganization, merger, or acquisition (subject to protections).

We do not sell personal data.

10) International (cross‑border) transfers

When we send or transfer PD outside Thailand, we comply with the PDPA and applicable PDPC subordinate regulations (including "adequacy/whitelist", Binding Corporate Rules and appropriate safeguards). Where required, we put contractual and technical measures in place, or rely on PDPA exceptions (e.g., performance of a contract, establishment or defence of legal claims). New 2023/2024 rules on cross‑border transfers came into force on 24 March 2024; our approach reflects those rules.

11) Retention

We keep PD only as long as necessary for the purposes above, to comply with legal and professional obligations (e.g., limitation periods, KYC/AML record‑keeping), and to establish, exercise or defend legal claims. We apply documented retention schedules and securely dispose of data when no longer needed.

12) Security

We maintain administrative, technical, and physical safeguards proportionate to risk, and we review them as technology and threats evolve—consistent with the PDPC's Security Measures of the Data Controller B.E. 2565 (2022).

13) Data breaches

If a personal data breach is likely to risk your rights and freedoms, we will assess, document and notify the PDPC without undue delay and, where feasible, within 72 hours of becoming aware; if there is a high risk, we will also notify affected individuals without undue delay, consistent with PDPC guidance (with limited allowances for late reporting and explanation).

14) Your rights

Subject to legal limits and exemptions, you can:

  • Access your PD and obtain a copy.
  • Rectify inaccurate or incomplete PD.
  • Erase PD (where applicable).
  • Restrict or object to certain processing.
  • Request data portability (where technically feasible and lawful).
  • Withdraw consent at any time (this won't affect past lawful processing).

We will respond without undue delay and within 30 days of receiving a valid request (extensions may be available where permitted by the PDPC; we will inform you if we need more time).

How to exercise your rights: email dej‑udom@dejudom.com or write to us (see Contact). We may need to verify your identity and clarify the scope of your request.

Right to complain: you may lodge a complaint with the PDPC if you believe your PDPA rights have been infringed.

15) Children and minors

Our Services are intended for adults. Under Thai law, a minor is generally a person under 20 years old (unless legally married) and special consent rules apply; if we learn we have collected PD from a minor without appropriate consent, we will delete it.

16) Third‑party links

Our sites may link to third‑party websites or services we do not control. We are not responsible for their privacy or security practices.

17) Changes to this Policy

We may update this Policy from time to time. We will post the updated version with a new effective date, and we may notify you directly where appropriate.

18) Contact – Data Controller

Dej‑Udom & Associates

Charn Issara Tower I, 2nd Floor, 942/142‑3 Rama IV Road,
Bangrak District, Bangkok 10500, Thailand

Tel: +66 2 233 0055

Email: dej‑udom@dejudom.com

If you are contacting us about a data‑protection request, please include "PDPA Request" in the subject line and describe the right you wish to exercise.