Privacy Policy

WiseLogic Co., Ltd. ("WiseLogic," "we," "us," or "our") operates the SQUID AI platform (the "Service"), a document processing, AI analysis, and workflow automation solution. This Privacy Policy explains how we collect, use, disclose, and protect your personal data in accordance with Thailand's Personal Data Protection Act B.E. 2562 (2019) ("PDPA") and other applicable data protection laws. By accessing or using the Service, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree with this policy, please do not use the Service. This policy applies to all users of SQUID AI, including visitors to our website, registered users, and administrators of organizational accounts.

We collect the following categories of personal data: 2.1 Account Information: When you register for SQUID AI, we collect your full name, email address, password (encrypted), organization name, and role/position. For paid plans, we also collect billing information such as your billing address, tax identification number, and payment method details (processed securely through Stripe). 2.2 Documents and Content: When you upload documents for processing, we temporarily store and process the content of those documents, including any personal data contained within them. This may include text, images, tables, and metadata extracted during AI analysis. 2.3 Usage Data: We automatically collect information about how you interact with the Service, including features used, documents processed, workflow configurations, credit consumption, API calls, timestamps, and session duration. 2.4 Technical Data: We collect your IP address, browser type and version, operating system, device identifiers, referring URLs, and general geolocation data (country/region level). 2.5 Communication Data: When you contact our support team or provide feedback, we collect the content of your communications, including email addresses and any attachments. 2.6 Analytics Data: We collect anonymized and aggregated analytics data through PostHog and Google Analytics to understand usage patterns and improve the Service.

We use your personal data for the following purposes: 3.1 Service Delivery: To provide, maintain, and operate the SQUID AI platform, including document processing, AI analysis, workflow automation, and account management. 3.2 Payment Processing: To process subscription payments, manage billing cycles, issue invoices and tax documents, handle credit purchases, and process overage charges through our payment processor, Stripe. 3.3 Communication: To send you service-related notifications, including account verification, billing confirmations, credit usage alerts, system updates, security notices, and responses to your support inquiries. 3.4 Service Improvement: To analyze usage patterns, diagnose technical issues, develop new features, optimize performance, and improve the overall user experience. 3.5 Security and Fraud Prevention: To detect, prevent, and respond to security incidents, unauthorized access, fraud, and other malicious activities. 3.6 Legal Compliance: To comply with applicable laws, regulations, legal processes, and government requests, including Thai tax and accounting requirements. 3.7 AI Model Improvement: We do NOT use your uploaded documents or processed content to train general-purpose AI models. Your document data is used solely to provide the Service to you.

Under the PDPA, we process your personal data based on the following legal grounds: 4.1 Contractual Necessity (Section 24(3)): Processing necessary to perform our contract with you, including providing the Service, managing your account, and processing payments. 4.2 Legitimate Interests (Section 24(5)): Processing necessary for our legitimate business interests, such as improving the Service, ensuring security, preventing fraud, and conducting analytics, provided these interests are not overridden by your fundamental rights. 4.3 Consent (Section 19): Where required by law, we obtain your explicit consent before processing certain categories of personal data, such as the use of non-essential cookies and marketing communications. You may withdraw your consent at any time. 4.4 Legal Obligation (Section 24(6)): Processing necessary to comply with our legal obligations under Thai law, including tax reporting, accounting requirements, and responses to lawful government requests. 4.5 Vital Interests (Section 24(1)): In rare circumstances, processing necessary to protect your vital interests or those of another person.

We share your personal data with the following third-party service providers who act as data processors on our behalf. Each processor is contractually obligated to protect your data and process it only as instructed by us: 5.1 Supabase (Database and Authentication): Stores account data, application data, and manages authentication services. Data is hosted in Singapore. Privacy policy: https://supabase.com/privacy 5.2 Microsoft Azure (AI Document Processing): Processes uploaded documents using Azure AI Document Intelligence for text extraction, layout analysis, and structured data extraction. Data is processed in the Southeast Asia region. Privacy policy: https://privacy.microsoft.com/privacystatement 5.3 OpenAI (AI Analysis): Provides advanced AI analysis capabilities for document understanding, data extraction, and content classification. Data is processed in the United States. We use the API with data processing agreements that prohibit the use of your data for model training. Privacy policy: https://openai.com/privacy 5.4 Stripe (Payment Processing): Processes all payment transactions, manages subscriptions, and stores payment method details. Stripe is PCI DSS Level 1 certified. Data is processed in the United States and globally. Privacy policy: https://stripe.com/privacy 5.5 Resend (Email Delivery): Delivers transactional emails including account verification, billing notifications, and system alerts. Data is processed in the United States. Privacy policy: https://resend.com/legal/privacy-policy 5.6 PostHog (Product Analytics): Collects anonymized product usage analytics to help us understand feature adoption and improve the Service. Data is processed in the European Union. Privacy policy: https://posthog.com/privacy 5.7 Google Analytics (Web Analytics): Collects anonymized website traffic and usage data. Data is processed in the United States. Privacy policy: https://policies.google.com/privacy We ensure that all cross-border data transfers comply with PDPA requirements and that adequate safeguards are in place, including data processing agreements and standard contractual clauses where applicable.

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, unless a longer retention period is required or permitted by law: 6.1 Account Data: Retained for the duration of your active account and for 90 days after account deletion to allow for reactivation requests. 6.2 Uploaded Documents: Processed documents are retained for the duration specified in your plan settings. On the Free plan, documents are automatically deleted after 30 days of inactivity. Paid plans offer configurable retention periods. 6.3 Processed Results: AI analysis results, extracted data, and workflow outputs are retained for the duration of your active subscription and deleted within 30 days of account termination. 6.4 Billing and Transaction Data: Retained for 5 years after the transaction date to comply with Thai tax and accounting regulations under the Revenue Code. 6.5 Usage and Analytics Data: Anonymized analytics data may be retained indefinitely for statistical and service improvement purposes. Identifiable usage logs are retained for up to 12 months. 6.6 Support Communications: Retained for 2 years after the last interaction to maintain service quality and resolve recurring issues. Upon expiration of the applicable retention period, personal data is securely deleted or anonymized using industry-standard methods.

As a data subject under the PDPA, you have the following rights: 7.1 Right of Access (Section 30): You have the right to request access to your personal data and to obtain a copy of the personal data we hold about you. 7.2 Right to Rectification (Section 36): You have the right to request correction of inaccurate or incomplete personal data. 7.3 Right to Erasure (Section 33(5)): You have the right to request deletion of your personal data when it is no longer necessary for the purposes for which it was collected, subject to legal retention requirements. 7.4 Right to Restrict Processing (Section 34): You have the right to request that we restrict the processing of your personal data in certain circumstances. 7.5 Right to Data Portability (Section 31): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another data controller. 7.6 Right to Object (Section 32): You have the right to object to the processing of your personal data based on legitimate interests or for direct marketing purposes. 7.7 Right to Withdraw Consent (Section 19): Where processing is based on your consent, you have the right to withdraw your consent at any time without affecting the lawfulness of processing carried out prior to withdrawal. 7.8 Right to Lodge a Complaint: You have the right to lodge a complaint with the Personal Data Protection Committee (PDPC) if you believe your rights have been violated.

To exercise any of your rights under the PDPA, you may contact our Data Protection Officer (DPO) using the details provided below. We will respond to your request within 30 days of receipt. To verify your identity, we may request additional information such as your registered email address and account details. This is necessary to ensure the security of your personal data and prevent unauthorized access. In certain circumstances, we may be unable to fully comply with your request, such as when processing is required for legal compliance or for the establishment, exercise, or defense of legal claims. In such cases, we will provide you with a clear explanation of the reasons. You may submit your request through the following channels: - Email: privacy@wiselogic.co.th - In-app: Navigate to Settings > Privacy > Data Rights Request - Mail: Data Protection Officer, WiseLogic Co., Ltd., [PLACEHOLDER] There is no fee for exercising your rights. However, we reserve the right to charge a reasonable fee for manifestly unfounded or excessive requests.

We implement appropriate technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include: 9.1 Encryption: All data is encrypted in transit using TLS 1.2 or higher. Sensitive data at rest is encrypted using AES-256 encryption. 9.2 Access Controls: We enforce role-based access controls, multi-factor authentication for administrative access, and the principle of least privilege across all systems. 9.3 Infrastructure Security: Our infrastructure is hosted on enterprise-grade cloud platforms with SOC 2 Type II certification, regular security audits, and 24/7 monitoring. 9.4 Application Security: We conduct regular security assessments, vulnerability scanning, and code reviews. Input validation and output encoding are implemented to prevent common attack vectors. 9.5 Incident Response: We maintain a documented incident response plan and will notify affected users and relevant authorities within 72 hours of discovering a data breach, in accordance with PDPA requirements. 9.6 Employee Training: All employees with access to personal data receive regular training on data protection and security best practices. While we strive to protect your personal data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to continuously improving our security posture.

We use cookies and similar tracking technologies on the SQUID AI platform. For detailed information about the types of cookies we use, their purposes, and how to manage them, please refer to our Cookie Policy. Essential cookies are necessary for the basic operation of the Service and cannot be disabled. Non-essential cookies, including analytics cookies from PostHog and Google Analytics, are only activated with your consent.

We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or business operations. When we make material changes, we will: - Notify you via email at least 30 days before the changes take effect - Display a prominent notice within the SQUID AI platform - Update the "Last updated" date at the top of this policy Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree with the changes, you should discontinue use of the Service and may request deletion of your account and personal data.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact us: Data Protection Officer (DPO) WiseLogic Co., Ltd. Address: [PLACEHOLDER] Email: privacy@wiselogic.co.th Support: support@wiselogic.co.th Tax ID: [PLACEHOLDER] You may also contact the Personal Data Protection Committee (PDPC) of Thailand if you wish to lodge a complaint regarding our handling of your personal data.