Privacy Policy

Effective Date: April 7, 2026
Last Updated: April 7, 2026


1. Introduction

BrandStromX Co., Ltd. (“Company”, “we”, “us”, or “our”) is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store, disclose, and protect your personal data when you access or use the BrandBox Platform at https://brandstromx.co.th/.

This Policy is issued in accordance with the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) of the Kingdom of Thailand and applies to all users of the Platform.

By using the Platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with this Policy, please stop using the Platform immediately.

For general information about our company, visit https://brandstromx.co.th/.


2. Data Controller

BrandStromX Co., Ltd. is the Data Controller responsible for your personal data collected through the Platform.

If you have any questions about this Policy or wish to exercise your rights, please contact us using the details in Section 12.


3. Personal Data We Collect

We collect only the personal data necessary to provide and improve the Platform. The categories of personal data we collect are:

3.1 Account & Identity Data

  • Full name
  • Email address
  • Role or position (e.g., user, superadmin)

3.2 Authentication & Session Data

  • Login timestamps and session tokens (managed via Supabase authentication)
  • JWT access tokens (stored client-side for session management)

3.3 Usage & Technical Data

  • IP address
  • Browser type and version
  • Device type and operating system
  • Pages visited and features used within the Platform
  • Date and time of access

3.4 Business Configuration Data

  • Ad account IDs you connect to the Platform
  • Markup and billing configuration settings associated with your accounts
  • Project names and associated settings

3.5 Third-Party Advertising Data

  • Advertising performance data retrieved via Meta (Facebook/Instagram) and Google Ads APIs on your behalf (e.g., spend, impressions, clicks, conversions). This data belongs to your business and is processed solely to display your campaign performance.

We do not collect:

  • Sensitive personal data as defined under Section 26 of the PDPA (e.g., health data, biometric data, financial account numbers, religious or political beliefs).
  • Personal data from individuals who are not registered users of the Platform.

4. How We Collect Your Personal Data

We collect personal data through the following means:

  • Directly from you — when you register for an account, update your profile, or contact us.
  • Automatically — through your use of the Platform (e.g., server logs, session cookies, browser storage).
  • From third-party APIs — advertising performance data retrieved via Meta and Google Ads APIs when you authorize those integrations.
  • From administrators — accounts may be created on your behalf by a BrandStromX administrator using the Platform’s admin tools.

We process your personal data only where we have a valid legal basis under the PDPA. The table below sets out our processing purposes and corresponding legal bases:

| Purpose | Personal Data Used | Legal Basis |
|---|---|---|
| Creating and managing your account | Name, email, role | Contractual necessity |
| Authenticating your identity and managing sessions | Email, session tokens, IP address | Contractual necessity |
| Providing dashboard features and displaying campaign data | Ad account IDs, performance data | Contractual necessity |
| Storing markup and billing configurations | Ad account IDs, markup values | Contractual necessity |
| Security monitoring and fraud/abuse prevention | IP address, usage data, login timestamps | Legitimate interest |
| Improving Platform features and performance | Usage data, technical data | Legitimate interest |
| Complying with legal obligations | All relevant data | Legal obligation |
| Communicating service-related notices (e.g., updates, downtime) | Email | Contractual necessity / Legitimate interest |

We will not process your personal data for purposes beyond those stated above without your prior consent or another valid legal basis.


6. Disclosure of Your Personal Data

We do not sell, rent, or trade your personal data. We may share your personal data with:

6.1 Service Providers (Data Processors)

We engage trusted third-party service providers to operate the Platform, who process personal data on our behalf under appropriate data processing agreements:

| Provider | Purpose | Location |
|---|---|---|
| Supabase | Authentication, database hosting | United States |

6.2 Third-Party API Platforms

When you connect ad accounts, the Platform communicates with Meta (Facebook/Instagram) and Google Ads APIs using credentials you authorize. These providers process data under their own privacy policies.

We may disclose personal data to competent courts, government authorities, or regulators where required by applicable Thai law, court order, or legal process.

6.4 Business Transfers

In the event of a merger, acquisition, or sale of all or part of our business assets, personal data may be transferred to the relevant successor entity. We will notify affected users in such circumstances.


7. International Data Transfers

Some of our service providers (notably Supabase) process personal data outside of Thailand. When we transfer personal data internationally, we take appropriate safeguards in accordance with Section 28 of the PDPA, including:

  • Ensuring the destination country has adequate data protection standards, or
  • Implementing contractual safeguards (Standard Contractual Clauses or equivalent) with the recipient.

8. Data Retention

We retain personal data only for as long as is necessary for the purposes described in this Policy, or as required by applicable Thai law.

| Data Category | Retention Period |
|---|---|
| Account and identity data | Duration of active account + 3 years after closure |
| Session and authentication logs | 90 days |
| Usage and technical logs | 90 days |
| Business configuration data | Duration of active account + 3 years after closure |
| Advertising performance data | Duration of active account + 3 years after closure |

When personal data is no longer required, we will securely delete or anonymize it.


9. Cookies and Local Storage

The Platform uses the following technologies strictly for operational purposes:

| Technology | Purpose | Duration |
|---|---|---|
| Session cookies | User authentication and session continuity | Session / Until logout |
| Local/session storage | Storing authentication tokens (Supabase JWT) | Session / Until logout |

We do not use advertising cookies, cross-site tracking cookies, or any third-party analytics cookies within the Platform.


10. Your Rights Under the PDPA

Under the PDPA, you have the following rights regarding your personal data:

| Right | Description |
|---|---|
| Right to be informed | To know how your personal data is collected and used |
| Right of access | To request a copy of the personal data we hold about you |
| Right to rectification | To request correction of inaccurate or incomplete data |
| Right to erasure | To request deletion of your personal data where lawfully applicable |
| Right to restriction | To request that we limit how we use your data in certain circumstances |
| Right to data portability | To receive your data in a structured, machine-readable format |
| Right to object | To object to processing based on legitimate interests |
| Right to withdraw consent | To withdraw consent at any time where processing is consent-based |

To exercise any of these rights, please contact us at the details provided in Section 12. We will respond within 30 days of receiving your verified request, as required by the PDPA.

Please note that certain rights may be limited where we are required by law to retain data, or where exercising a right would adversely affect the rights of others.


11. Security of Your Personal Data

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, disclosure, alteration, or destruction. These measures include:

  • HTTPS encryption for all data in transit
  • Supabase Row Level Security (RLS) policies to restrict data access
  • JWT-based authentication for all protected API endpoints
  • Role-based access control (user / superadmin) to limit data visibility
  • Service role keys stored securely as server-side environment variables, never exposed to the client

While we take reasonable steps to protect your data, no system is completely secure. If you believe your account has been compromised, please contact us immediately.


12. Contact Us & Data Protection Inquiries

For questions about this Privacy Policy, to submit a data subject rights request, or to contact our Data Protection Officer (DPO):

BrandStromX Co., Ltd.
Website: https://brandstromx.co.th/

Please include “Privacy Request” or “PDPA Inquiry” in the subject line of your communication. We may need to verify your identity before processing your request.


13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Platform, or applicable laws. We will post the updated Policy on the Platform with a revised “Last Updated” date. Where changes are material, we will notify registered users via email. Continued use of the Platform following such notification constitutes acceptance of the updated Policy.


This Privacy Policy was last updated on April 7, 2026 and is effective as of the same date.