Aidy
PDPA Notice — Thailand
Last updated: 26/05/2026
This document supplements our Privacy Policy to address the Thai Personal Data Protection Act B.E. 2562 (2019) requirements applicable to data subjects located in Thailand.
1. Data Controller
Aidy is operated by [entity to be completed]. The Data Protection Officer can be reached at privacy@aidy.world.
2. Sensitive Personal Data
Under PDPA section 26, health data (blood type, allergies, chronic conditions, current treatments) is classified as sensitive personal data and requires explicit consent. Aidy collects such data only when the user voluntarily fills in the medical profile screen during onboarding, and surfaces a granular skip option for each field.
3. Lawful Basis
- Vital interest (PDPA s.24(2)) — transmission of the medical packet to a partner hospital during an SOS event, when the data subject is or may become unable to give consent.
- Explicit consent (PDPA s.19) — storage of the medical profile, ongoing communications.
- Contract performance (PDPA s.24(3)) — account authentication via OTP.
4. Cross-Border Transfer
Aidy uses Supabase servers in Singapore (AP-Southeast-1), Brevo servers in Ireland (EU), and Vercel servers in EU/US. These countries do not all have an adequacy decision under PDPA s.28. Aidy mitigates this by:
- Signing the Standard Contractual Clauses with each processor.
- Encrypting all data in transit and at rest.
- Minimising the data sent to each processor (e.g. Brevo only sees OTP codes and dispatch email content, not medical profiles).
5. Data Subject Rights
- Right of access (PDPA s.30).
- Right to rectification (s.36).
- Right to erasure (s.33).
- Right to restriction of processing (s.34).
- Right to data portability (s.31).
- Right to object (s.32).
- Right to withdraw consent at any time, without effect on prior lawful processing.
Requests: privacy@aidy.world. Response within 30 days.
6. Complaints
Complaints may be lodged with the Office of the Personal Data Protection Committee (pdpc.or.th).
7. Retention
Same retention schedule as the main Privacy Policy: account deletion within 30 days of request, SOS event log kept 5 years for legal traceability.