Privacy Policy

Our two roles (controller and processor)

Depending on the data involved, Vansales acts in one of two roles under data-protection law:

• Controller — for this website and for the personal data of people who register and manage a Vansales account (such as the account owner and its users). We decide why and how this data is used, and this policy governs it.
• Processor — for the business data a customer enters into the app (their shops, orders, and their own staff and customers). The customer is the controller of that data; we process it only on their instructions, under a Data Processing Agreement (DPA). See “Data we process for our customers” below.

Information we collect

Depending on how you interact with us, we may collect the following:

• Website enquiries: your name, company or shop name, email, phone number and sales team size.
• Account & registration: your name, email, phone number, business name and address, and your tax registration number — used to set up your account and to issue invoices and tax documents.
• Account credentials: your username and password (stored securely).
• Usage & technical data: log data, device and browser information, and a language cookie, when you use the website or app.

We collect your tax registration number only to issue invoices and tax documents and to meet legal requirements. We do not collect payment-card details, and we do not collect special-category sensitive data such as health, religion or biometric data. If you choose not to provide the details needed to open an account or issue tax documents, we may be unable to provide the service.

Why we use your data, and our legal basis

We use personal data for the purposes below, each with a legal basis under the PDPA (and equivalent laws where they apply):

• To provide and operate the service and manage your account — performance of a contract.
• To issue invoices and tax documents, and meet our legal obligations — contract and legal obligation.
• To respond to enquiries, demos and support requests — your consent and our legitimate interest.
• To improve, maintain and secure the service — our legitimate interest.
• To send product or marketing updates, only if you opt in — your consent, which you can withdraw at any time.

How we share data

We share personal data only with:

• Service providers (sub-processors) who help us run the service — for example, cloud hosting and Web3Forms, which forwards website enquiries to our inbox. They may use the data only to provide their service to us.
• Professional advisers and government authorities, where required or permitted by law.

We do not sell your personal data.

International data transfers

Our service uses cloud infrastructure and tools that may store or process data outside Thailand. Where we transfer personal data abroad, we take the steps required by the PDPA (and other applicable laws) to ensure an adequate level of protection — for example, using providers with recognised security standards and appropriate contractual safeguards.

How long we keep data

We keep personal data only as long as it is needed for the purposes above, or as required by law (for example, tax and accounting records must be kept for the period set by Thai law). Website enquiry details are kept only as long as needed to follow up, then deleted. When data is no longer needed, we delete or anonymise it.

Your rights

Subject to the conditions in the law, you may ask us to:

• access or obtain a copy of your personal data;
• correct data that is inaccurate or incomplete;
• delete your data or withdraw your consent;
• object to or restrict certain processing;
• have your personal data ported to you or another provider.

We will respond within the timeframe required by law (generally within 30 days). You also have the right to lodge a complaint with the Personal Data Protection Committee (PDPC) in Thailand, or with your local supervisory authority.

Security

We protect personal data with measures appropriate to the risk: HTTPS for the website, access controls, encryption where appropriate, and cloud systems that follow recognised security standards. No method of transmission or storage is ever completely secure, but we take reasonable steps to protect your information and to respond to any incidents.

Data breaches

If a personal data breach occurs that is likely to affect your rights, we will notify the PDPC without undue delay and, where feasible, within 72 hours, and will inform affected individuals where the law requires. We will also take steps to contain the incident and prevent it from happening again.

Children's data

Vansales is a business tool and is not directed at children. We do not knowingly collect personal data from anyone under 20. If you believe a minor has given us their data, please contact us and we will delete it.

Data we process for our customers (processor role)

When a customer uses the Vansales app, they upload business data about their own shops, orders, staff and customers. For that data, the customer is the controller and Vansales is the processor: we process it only to provide the service, on the customer’s documented instructions, under a Data Processing Agreement signed at registration.

If you are a data subject of one of our customers (for example, a shop contacted by a Vansales user), please direct your privacy requests to that customer, and we will support them as required.

International users and regional terms

Vansales is based in Thailand and this policy follows the PDPA. If you use our service from another country, additional local data-protection laws may apply to you. We will add region-specific terms here as we expand. In general, the following applies:

• Thailand — the PDPA applies and your supervisory authority is the PDPC.
• Other countries — where local laws apply (such as the EU GDPR or other national data-protection laws), you keep the rights those laws give you.

Where requirements differ, we apply the standard that gives you the stronger protection.