Privacy Policy
Last updated: 1 January 2026 • PDPA Compliant
This Privacy Policy explains how Veyya Co., Ltd. ("Veyya", "we", "us") collects, uses, shares, and protects your personal data when you use the Veyya platform, in compliance with Thailand's Personal Data Protection Act B.E. 2562 (2019) (the "PDPA").
1. Data Controller
Veyya Co., Ltd. is the data controller for personal data collected through the Veyya platform. Our Data Protection Officer (DPO) can be reached at privacy@veyya.com for any privacy enquiry or to exercise your rights.
2. Data We Collect
We collect: (a) contact information — name, phone number, email; (b) the service address you provide for booking delivery; (c) booking history, used to personalise and improve your service experience; (d) payment data — handled by our PCI-DSS Level 1 certified payment processor; we never store your full card number; (e) device and usage data, used to maintain security and improve the platform.
3. Legal Basis for Processing
We process your data on the following PDPA bases: (a) contract performance — to fulfil the bookings you request; (b) legitimate interests — to keep the platform secure and improve it; (c) legal obligation — for tax, accounting, and regulatory compliance; (d) consent — for marketing communications and non-essential analytics, which you may withdraw at any time.
4. Data Sharing
When you book a service, we share only your service address and first name with your assigned provider — nothing more. Under the PDPA, your provider acts as an Independent Data Recipient and is responsible for its own handling of that data. We never sell your personal data. We rely on a PCI-DSS compliant payment processor for transactions, Google Cloud Platform for infrastructure (under a Data Processing Agreement), and our messaging providers for booking notifications.
5. Data Retention
Booking, financial, and tax records are retained for 7 years to meet Thai tax and accounting obligations. Other operational account data is retained for up to 24 months after your last activity, or until you request deletion. Marketing consent records are kept until you withdraw consent.
6. Your Rights Under PDPA
You have the right to access, rectify, erase, restrict, port, and object to the processing of your personal data, and to withdraw consent at any time. To exercise any of these rights, email privacy@veyya.com or use our data deletion request form. We respond within 30 days.
7. International Transfers
Your personal data is stored on Google Cloud Platform in the asia-southeast3 (Bangkok) region. We do not transfer your data outside Thailand for core processing. Where a sub-processor operates abroad, we apply appropriate safeguards as required by the PDPA.
8. Security
We protect your data with AES-256 encryption at rest, TLS 1.3 in transit, and role-based access controls. We conduct regular security reviews, and all staff with data access are trained in PDPA compliance.
9. Cookies
We use cookies and similar technologies as described in our Cookie Policy. You can manage non-essential cookies at any time through our consent banner. See the Cookie Policy at /legal/cookies for details.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be notified through the platform or by email. The "Last updated" date above reflects the latest revision.