Privacy Policy and Personal Data Protection

1. Data Controller

MAF Excellent Co., Ltd. ('the Company') is the Data Controller for personal data collected through the EZORG platform. Address: Bangkok, Thailand Email: hello@maf.co.th

2. Personal Data Collected

• Identity data: full name, email, phone number
• Account data: username, password (bcrypt-hashed), profile picture
• Employee data: employment information, job title, department, salary, social security, tax information
• Organization data: company name, address, tax ID, business type
• Payment data: subscription history (no card data stored directly — processed via Stripe)
• Usage data: IP address, browser type, pages visited, session duration
• Attendance data: clock-in / clock-out times, GPS coordinates, photos

3. Purposes and Legal Bases for Processing

• Performance of contract: creating accounts and providing HR, project, and finance services
• Legitimate interest: usage analytics, service improvement, and fraud prevention
• Legal obligation: accounting records, tax reporting, and social security reporting
• Consent: marketing emails and promotional notifications

4. Data Retention Period

• Account data: kept for the duration of use + 30 days after account closure
• Employee and employment data: per Thai labor law (not less than 2 years after employment ends)
• Payment data: 7 years per Thai accounting regulations
• Usage logs: 90 days

5. Disclosure to Third Parties

• Stripe, Inc.: payment processing and subscription management (PCI-DSS Level 1)
• DigitalOcean: data processing infrastructure and hosting
• Government authorities: only by court order or as required by law
• The Company does not sell your personal data to third parties for marketing purposes.

5.1 Trade Secret Confidentiality Between Customers

• Even when multiple organizations in the same industry use EZORG, the Company will not disclose one organization's data to another under any circumstances. Each organization's data is strictly isolated (Tenant Isolation).
• Company personnel — including developers and executives — have a standing policy of not accessing, viewing, or processing customer data even though they may have the technical privileges to do so as platform operators.
• Customer data is only accessed when explicitly requested in writing by the organization to resolve a technical issue, and every such access is recorded in the audit log.

6. Data Subject Rights Under PDPA

• Right of Access: request to see the personal data the Company holds
• Right of Rectification: request correction of inaccurate data
• Right to Erasure: request deletion of personal data when there is no longer a reason to keep it
• Right to Data Portability: receive your data in a usable format
• Right to Object: object to certain types of processing
• Right to Restriction: request a temporary halt to processing
• Right to Withdraw Consent: withdraw previously given consent at any time
• Exercising your rights: send requests to hello@maf.co.th — the Company will respond within 30 days.

7. Security Measures

• TLS / HTTPS encryption on all communications
• Passwords hashed with bcrypt — never stored in plaintext
• Authentication via short-lived JWT tokens
• Role-Based Access Control to restrict data access
• Multi-Tenant Data Isolation between organizations
• Automated backups and disaster recovery

8. Cookies and Tracking Technologies

The Company uses cookies for system functionality (such as authentication) and usage analytics. Essential cookies cannot be turned off because they are required for the service to work.

9. International Data Transfers

Your data may be processed on servers located outside Thailand, such as in Singapore. The Company applies safeguards consistent with PDPA standards for international transfers.

10. Policy Updates

The Company may update this policy from time to time. Significant changes will be communicated at least 30 days in advance via email or in-platform notification.