Privacy
Policy

Definitions

• "Service" means the BizKit application — an accounting and ERP platform for SMEs, available on web and mobile.
• "Data Controller" means Innofinite Co., Ltd., 559/55 Soi Suayai Uthit, Chankasem, Chatuchak, Bangkok 10900, Thailand. Phone +66-(0)8-0405-6226. Email support@bizkitonline.com.
• "Data Processor" means a third party that processes personal data on behalf of, or for the benefit of, the Data Controller.
• "Personal Data" means any information about an identifiable natural person, whether directly or indirectly identifiable.
• "Sensitive Data" means personal data covered by section 26 of the PDPA, such as race, religion, political opinions, sexual behaviour, health data, genetic data, or biometric data.
• "You" / "User" means a visitor, user, or member of the Service whose personal data is the subject of this policy.

Consent

By using the Service, you agree and consent to our collection and use of your personal data as follows:

1. Purposes — to provide the Service, maintain user accounts, respond to inquiries and provide support, send marketing communications, improve our products, and comply with applicable law.
2. Categories of data — name, address, phone number, email, date of birth, your company information, payment data (handled by external payment providers), and Service usage data.
3. Retention — marketing data is retained for 90 days from the date of consent. Data used to deliver the Service or to meet accounting/tax obligations is retained for the statutory period (up to 10 years).

Sharing data with third parties

We may share your data with third-party service providers necessary for the Service — for example cloud infrastructure, payment processors, email providers, and analytics providers. In each instance we will notify you and only proceed where you have given clear consent, unless another lawful basis applies (see Section 9).

Withdrawing consent

You may withdraw any consent given under this policy at any time by either (a) writing to support@bizkitonline.com, or (b) using the relevant in-product setting.

User accounts

We may issue user accounts for use of the Service, and we determine the account types, access levels, and any associated fees. You agree to keep your username, password, and account details strictly confidential and to take reasonable steps to prevent unauthorized access. Any access to or use of your account by another person is your responsibility as if you had performed it yourself.

Your rights under the PDPA

As the data subject, you have the following rights:

• Right to withdraw consent — at any time (see Section 4).
• Right of access — to access and obtain a copy of your personal data we hold.
• Right to be informed — about the source of personal data acquired without your consent.
• Right to data portability — to have your data transferred to another data controller in a machine-readable format.
• Right to object — to the collection, use, or disclosure of your data, particularly for direct marketing.
• Right to erasure — when data is no longer necessary, when you withdraw consent, or when data has been processed unlawfully.
• Right to restriction — to suspend the use of data while it remains stored, in cases set out by the PDPA.
• Right to rectification — to correct inaccurate, outdated, or incomplete data.
• Right to lodge a complaint — with the Personal Data Protection Committee (PDPC) in case of any breach of the PDPA.

You can exercise these rights by contacting us per Section 18. We will respond within the period required by law (typically within 30 days).

Security

We implement appropriate technical and organizational safeguards to prevent loss, unauthorized access, modification, or disclosure of your data — including encryption in transit, role-based access controls, regular backups, employee training, strict internal policies, and processing agreements with our third-party providers. We require our data processors to maintain a standard of security no lower than the one set out in this policy.

Keeping data accurate

We have systems and procedures in place to:

1. Keep personal data accurate, up-to-date, complete, and not misleading.
2. Erase or destroy personal data after the consented retention period has lapsed.
3. Erase or destroy personal data that is no longer relevant to the purposes for which consent was given.

Lawful exceptions to consent

Under section 24 of the PDPA, we may collect, use, or disclose your personal data without prior consent, only when necessary and for one of the following purposes:

• Public-interest archiving, scientific or historical research, or statistical purposes with appropriate safeguards.
• To prevent or suppress danger to a person's life, body, or health.
• To perform a contract to which you are a party, or to take pre-contractual steps at your request.
• To carry out a public-interest mission, or to exercise official authority vested in the data controller.
• For the legitimate interests of the data controller or a third party, where those interests are not overridden by your fundamental rights.
• To comply with a legal obligation of the data controller.

We keep records of any such collection, use, or disclosure for accountability.

Sensitive personal data

We do not generally collect sensitive personal data from you. Where we do, it is on the basis of your explicit consent, or under one of the lawful bases in section 26 of the PDPA — for example to prevent or suppress danger to life, for the establishment or exercise of a legal claim, or to comply with a specific law. In such cases we process only what is strictly necessary, and we apply the safeguards required by the PDPA.

Wards, minors, and dependents

You undertake not to allow (a) a minor under 20 years of age without consent of their legal guardian, (b) an incompetent person, or (c) a quasi-incompetent person under your guardianship, to use the Service unsupervised. Where any such person uses the Service under your supervision, you are deemed to have given the consents under this policy on their behalf.

Cross-border data transfers

We may transfer your personal data abroad where (a) the destination country provides an adequate level of protection as recognised by the PDPC, (b) you have consented after being informed of any inadequacy of protection, (c) the transfer is required by law, (d) it is necessary to perform a contract you are a party to, (e) it is for your benefit, or (f) it is necessary to prevent danger to life or health.

Data breach notification

If we become aware of a personal data breach we will:

1. If the breach is likely to result in a risk to a person's rights or freedoms, notify the PDPC without undue delay and in any event within 72 hours of becoming aware.
2. If the breach is likely to result in a high risk, also notify the affected data subjects, together with remediation steps, within the same 72-hour window.

Complaints and inquiries

You may raise complaints, report problems, request rectification, object to collection, or request restriction of use by emailing support@bizkitonline.com. We will respond without undue delay and within the timeframe required by law. You may also lodge a complaint with the PDPC at pdpc.or.th.

Records of processing

We maintain a record of processing activities under section 39 of the PDPA, covering:

• The personal data collected and the purpose of each category of collection.
• Information about the data controller and any processors.
• Retention periods.
• Rights and methods of access, including conditions for those entitled to access.
• Lawful exceptions to the consent requirement.
• Refused requests and objections.
• Security measures.

Cookies and tracking technology

Our website uses three categories of cookies: necessary cookies required to run the site, analytics cookies (PostHog and Google Analytics 4) to understand how visitors use the site, and marketing cookies (Google Ads and Meta Pixel) to measure ad performance and build remarketing audiences. Analytics and marketing cookies are loaded only after you give explicit consent for each category. Full details are in our separate Cookie Policy.

Updates to this policy

We may amend this policy at any time, in whole or in part. We will notify you of material changes. Continued use of the Service after changes take effect constitutes acceptance of the updated policy. The latest version is always available on this page; refer to the "Last updated" date at the top.

Contact the data controller

The earlier Thai-language policy (dated 1 December 2022) has been superseded by this version. The original is preserved for reference at privacypolicy.legacy.html.