Privacy Policy

Last Updated: May 19, 2026

At DriteStudio (a brand name operated by Craft Intertech (Thailand) Co., Ltd.), we are committed to protecting your personal data. This Privacy Policy explains how we collect, use, share, retain, and safeguard personal data when you use our services, and describes your rights under Thailand's Personal Data Protection Act B.E. 2562 (2019) ("PDPA").

1. Data Controller and Customer Content

The data controller responsible for your personal data (the account-holder data we process to provide and bill our services) is Craft Intertech (Thailand) Co., Ltd., operating under the brand name DriteStudio, with its registered address at 100/280 Soi 17, Delight Village, Bang Khun Thian-Chai Talay, Phantai Norasing, Samut Sakhon 74000, Thailand. For any matter relating to this Privacy Policy or the exercise of your rights under the PDPA, please use the contact information at the end of this policy. For personal data that you upload, store, or process within VPS, Web Hosting, Dedicated Server, Game Server, Colocation, or any other service that you control, you act as the data controller of such data and we act as a data processor to the extent necessary to operate the services for you, unless a separate Data Processing Agreement or applicable law provides otherwise. You are responsible for ensuring lawful basis, transparency, and the rights of data subjects regarding any personal data you choose to store on our services.

2. Information We Collect

We collect personal data in the categories below. The specific data collected depends on the services you use and how you interact with us.

  • Identification and account data — name, email address, phone number, billing address, tax identification number, company name
  • Billing and payment data — payment method type, transaction history, invoices, partial payment-instrument identifiers; full card numbers and CVV are processed by our payment partners and are not stored by us
  • Authentication data — password hashes, two-factor authentication secrets, passkey credentials, recovery codes, and session tokens
  • Service usage data — IP addresses, service identifiers, resource consumption metrics, server access and error logs
  • Technical and device data — browser type, operating system, device identifiers, language, and referrer URL
  • Support and communication data — support tickets, email correspondence, chat transcripts, satisfaction surveys
  • Marketing preferences and consent records

3. How We Use Your Personal Data

We use personal data for the purposes below. Each purpose is grounded in a lawful basis under PDPA Section 24 (necessary for performance of a contract, legitimate interests, legal obligation, or consent).

  • Provide, operate, maintain, and improve the services — contractual necessity
  • Process payments, issue invoices, and send billing-related communications — contractual necessity and legal obligation
  • Authenticate access, manage sessions, and enforce account security — contractual necessity and legitimate interests
  • Respond to support requests and provide customer service — contractual necessity
  • Detect, prevent, and investigate fraud, abuse, AUP violations, and security incidents — legitimate interests
  • Comply with tax, anti-money-laundering, court orders, and other legal obligations under Thai law — legal obligation
  • Send service announcements, security alerts, and maintenance notices — contractual necessity
  • Send marketing and promotional communications — consent (which you may withdraw at any time)
  • Conduct aggregated analytics to understand and improve service performance — legitimate interests

4. Information Sharing and Subprocessors

We do not sell, rent, or trade your personal data. We share data only when necessary and only with the following categories of recipients, each bound by appropriate confidentiality and data-protection obligations:

  • Payment processors and acquiring banks (to process payments; full card data is not stored by us)
  • Cloud, datacenter, and network infrastructure providers used to operate our platform
  • Email, SMS, and messaging providers used for transactional and support communications
  • Domain registries and registrars (when you register a domain through us; required by ICANN and registry policies)
  • Analytics, logging, and error-monitoring providers (data is pseudonymized or aggregated where feasible)
  • Affiliates and group companies of Craft Intertech under equivalent privacy obligations
  • Professional advisors such as auditors and lawyers, under duties of confidentiality
  • Law enforcement, regulators, and courts where required by law or necessary to protect rights, property, or safety
  • Successors in interest in the event of a merger, acquisition, restructuring, or sale of assets, provided continued protection under terms at least as protective as this policy

5. International Data Transfers

Some of our subprocessors and infrastructure providers are located outside Thailand. When we transfer personal data internationally, we ensure adequate safeguards consistent with PDPA Sections 28-29, including transfers to jurisdictions recognized as providing adequate protection, the use of contractual safeguards such as Standard Contractual Clauses, or your explicit consent. You may request details of specific transfer mechanisms by contacting us.

6. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by Thai law. Indicative retention periods are:

  • Account information — while your account is active, plus up to 12 months after closure
  • Billing records, invoices, and accounting documents — 10 years (as required by the Thai Revenue Code and Accounting Act)
  • Server operational logs — 90 days
  • Security, abuse, and audit logs — up to 12 months
  • Support tickets and correspondence — 36 months after resolution
  • Marketing consent records — until withdrawal, plus 12 months for audit purposes
  • Where data relates to a dispute, AUP violation, security incident, legal claim, or government order, we may retain the relevant data for longer than the above indicative periods, only to the extent necessary and lawful

7. Your Rights under the PDPA

Subject to the limitations in the PDPA, you have the following rights regarding your personal data. To exercise any of these rights, contact us using the details at the end of this policy. We will respond within 30 days of receiving a verifiable request.

  • Right to access — obtain confirmation and a copy of the personal data we hold about you
  • Right to rectification — correct inaccurate or incomplete data
  • Right to erasure — request deletion of personal data, subject to our legal retention obligations
  • Right to restriction of processing — limit how we use your data in specific circumstances
  • Right to object — object to processing based on legitimate interests, including for direct marketing
  • Right to data portability — receive your data in a structured, commonly used, machine-readable format
  • Right to withdraw consent — for any processing that relies on consent, without affecting the lawfulness of prior processing
  • Right to lodge a complaint — with Thailand's Personal Data Protection Committee (PDPC) if you believe your rights have been infringed

8. Cookies and Tracking Technologies

We use cookies and similar technologies in the categories below. You can manage non-essential cookies through our cookie banner or your browser settings.

  • Strictly necessary — required for authentication, security, and core site functionality; cannot be disabled
  • Functional — remember your language, theme, and other preferences (set only with your consent where required)
  • Analytics — measure aggregated site usage to improve performance (set only with your consent)
  • Marketing — measure campaign performance and personalize content (set only with your consent)

9. Data Security

We implement appropriate technical and organizational measures designed to protect personal data, including TLS encryption in transit, encryption at rest where applicable, secure password hashing, two-factor authentication, role-based access controls, least-privilege practices, network segmentation, and periodic security reviews. No method of transmission or storage is perfectly secure; while we strive to use commercially reasonable means to protect your data, absolute security cannot be guaranteed.

10. Children's Privacy

Our services are intended for individuals who have reached the age of majority under Thai law (20 years of age) or who have verifiable parental or guardian consent. We do not knowingly collect personal data from anyone under 20 without such consent. If you believe a minor has provided us with personal data, please contact us so we can take appropriate action.

11. Data Breach Notification

If a personal data breach poses a risk to your rights and freedoms, we will notify Thailand's Personal Data Protection Committee (PDPC) within 72 hours of becoming aware of the breach, as required by the PDPA. When the breach is likely to result in a high risk, we will also notify affected individuals without undue delay, providing the nature of the breach, the data involved, likely consequences, and the measures we have taken or recommend.

12. Changes to This Policy and Contact

We may update this Privacy Policy from time to time. Material updates will be posted on this page and the "Last Updated" date will be revised. Where required by law, we will notify you by email or through the services. For questions about this policy, to exercise your rights under the PDPA, or to lodge a complaint, please contact us at:

Email: [email protected]

Abuse reports: [email protected]

Address: 100/280 Soi 17, Delight Village, Bang Khun Thian - Chaitalay, Phanthai Norasing, Samut Sakhon 74000