Our Website Address is: https://smartposhub.com/ Created by Smart Block Tech Co., Ltd.
In today’s digital age, the collection, use, and disclosure of personal data have become increasingly easy and convenient due to advancements in information technology and telecommunications. This can lead to inconvenience or harm if the data is misused or disclosed without consent or prior notice. Smart Block Tech Co., Ltd. ("the Company") recognizes the importance of protecting personal data and complying with the Personal Data Protection Act B.E. 2562. To assure data subjects that their personal data will be properly cared for and that appropriate and effective security measures will be in place in accordance with the Personal Data Protection Act B.E. 2562, the Company has established this Privacy Policy to explain the details of data governance, processing methods, and policies and practices for the protection of personal data.
This privacy policy applies to employees of Smart Block Tech Co., Ltd. and individuals involved in personal data processing at the direction of or on behalf of Smart Block Tech Co., Ltd.
"Personal Data" refers to information about an individual that can identify that person, either directly or indirectly, but does not include information about deceased persons.
"Sensitive Data" refers to personal data regarding race, ethnicity, political opinions, beliefs in cults, religions or philosophies, sexual behavior, criminal records, health data, disability, labor union data, genetic data, biometric data, or any other data that similarly affects the data subject as determined by the Personal Data Protection Committee.
"Data Subject" means a natural person who owns the personal data.
"Data Controller" means a person or legal entity who has the authority to decide on the collection, use, or disclosure of personal data.
"Processing" refers to the collection, use, or disclosure of personal data.
The company has established a Personal Data Protection Committee and appointed Data Protection Officers with roles, duties, and responsibilities in accordance with the company personal data protection policy and legal requirements.
4.2.1 The Company will collect, use, and disclose personal data only as necessary, within the purposes of the Company, and in compliance with legal, fair, and transparent practices.
4.2.2 The Company will inform data subjects about the purposes of collecting, using, and disclosing personal data, as well as their rights, before requesting consent to ensure transparency and compliance with the law.
4.2.3 The Company must obtain explicit consent from the data subject before or at the time of collecting personal data according to the Company's specified procedures, except in cases exempted by the Personal Data Protection Act B.E. 2562 or other applicable laws.
4.2.4 The Company will establish mechanisms to verify the accuracy of personal data and provide mechanisms to correct personal data to ensure its accuracy.
4.2.5 In cases where the Company transfers, discloses, or allows others to use personal data, the Company will establish agreements with the recipient to define rights and duties in accordance with the law and the Company's personal data protection policies.
4.2.6 The Company will maintain the confidentiality of personal data according to its measures to ensure fairness and transparency for the data subject.
4.3.1 The company provides measures and channels for receiving requests to exercise data subject rights as required by law through the channels specified by the company.
4.3.2 The company's data controller will consider and respond to the requests without delay, but no later than thirty days from the date the request is received.
4.3.3 The company provides channels for reporting personal data breaches. The data protection officer will assess and compile the information to notify the Personal Data Protection Committee within the time prescribed by law, including informing the data subject of the breach incident and the remedial measures without delay.
4.4.1 To prevent destruction, alteration, and unauthorized access to personal data, the company implements security measures for the collection of personal data in accordance with legal requirements.
4.4.2 The company collects personal data only as necessary for the stated purposes of collection, use, and disclosure as communicated to the data subject. The company will not collect, use, and/or disclose sensitive personal data.
4.4.3 The company will assess risks and implement measures to mitigate risks and reduce impacts related to the collection, use, and disclosure of personal data.
4.4.4 A system is in place to enable the deletion or destruction of personal data under the following conditions:
a. The retention period of personal data ends as notified to the data subject or does not exceed the period specified by law.
b. The necessity for collecting, using, and/or disclosing personal data under the company’s objectives no longer exists.
c. The data subject withdraws consent for collecting, using, and/or disclosing personal data, and the company has no legal authority to continue collecting, using, and/or disclosing such personal data.
d. Such personal data was collected, used, and/or disclosed unlawfully.
4.5.1 The Company establishes a process to monitor changes in laws and regularly updates policies and measures to align with the laws.
4.5.2 The Company reviews its personal data protection policies and practices at least once a year to ensure compliance with laws and current circumstances.
5.1.1 Appoint the Personal Data Protection Committee to establish an organizational structure for overseeing personal data protection.
5.1.2 Define policies and guidelines for personal data protection.
5.1.3 Supervise and support the implementation of policies and guidelines to ensure effective personal data protection in compliance with the law.
5.2.1 Monitor and ensure that the relevant departments comply with the company's personal data protection policy.
5.2.2 Support and promote awareness of the importance of personal data among company employees.
5.3.1 Establish a structure for personal data governance and related internal controls, including policies for managing incidents related to personal data and guidelines for responding to such incidents, ensuring that they are identified and resolved promptly.
5.3.2 Evaluate the implementation of the company's personal data protection policy and report the results to the company's board of directors at least annually.
5.3.3 Ensure that risks related to personal data are managed appropriately and that there is an effective risk management approach.
5.3.4 Define and review operational standards and procedures to ensure that the company's operations comply with the law and the company's personal data protection policy.
5.4.1 Provide advice on personal data protection laws to people within the organization and ensure awareness creation on proper personal data management for employees.
5.4.2 Monitor the implementation of personal data protection policies to ensure compliance.
5.4.3 Coordinate with regulators in case of personal data breaches. The Data Protection Officer is responsible for sending a notification of the data breach to the Office of the Personal Data Protection Committee (PDPC) within 72 hours.
5.4.4 Notify data subjects about the purpose of collecting, using, and/or disclosing their personal data before or during the data collection process, including informing them of their rights.
5.4.5 Process data subject requests regarding their rights, such as correction, modification, or deletion/destruction of personal data as requested, while keeping records and documentation of such transactions.
5.4.6 Responsible for storing, safeguarding, and protecting personal data from unauthorized use or disclosure according to the purpose specified to the data subjects or their consent, as outlined in the company policies and operational guidelines.
5.4.7 Maintain confidentiality of organizational information obtained during the performance of duties.
5.5.1 Comply with the company's policies and practices for personal data protection.
5.5.2 Report any incidents related to personal data protection violations or non-compliance with the company's data protection laws and policies to the relevant supervisor.
The company’s board of directors, executives, data protection committee, data protection officers, and all employees who fail to comply with the company’s data protection policy may be subject to disciplinary action and legal penalties as defined by the law.
The personal data protection policy of Smart Block Tech Co., Ltd. is effective from October 10, 2024.
Smart Block Tech Co., Ltd.
1.1 The protection of personal data under this policy covers the personal data of individual customers.
1.2 The company appoints a DPO to review this policy at least annually or when significant changes occur that impact the implementation of this policy. Any changes will be announced on the company's website.
1.3 The company collects, uses, or discloses personal data when obtaining consent from the data subject before or at the time of collection, unless the company anonymizes the personal data or has a lawful basis for processing as follows:
1.3.1 It is necessary for the performance of a contract or for the creation of historical documents or archives for public interest.
1.3.2 It is required to comply with the law.
1.3.3 It is necessary for legitimate interests, without exceeding the reasonable expectations of the data subject.
1.3.4 It is necessary for the performance of a task for public interest.
1.3.5 To protect or prevent harm to life.
1.3.6 To create historical documents or archives for public interest.
1.4 The company will delete, destroy, or anonymize personal data once the retention period has expired or once it is no longer necessary for the purpose for which it was collected, or when the data subject requests deletion or withdraws consent, unless there are legal or regulatory reasons that require the company to retain the data.
1.5 The company ensures the security of personal data, considering the privacy of data subjects and the confidentiality of the data.
2.1 The request for consent to collect, use, or disclose personal data from the data subject must be done explicitly, either in writing or through an electronic system. If it is not possible to request consent through these methods, other methods of consent must have credible evidence that the data subject has shown intent to give consent.
2.2 The data subject must be clearly informed of the purpose of collecting, using, or disclosing personal data in a way that is easy to understand, not misleading or causing the data subject to misunderstand the purpose, while respecting the data subject’s autonomy in providing consent.
2.3 If the data subject is a minor who is not of legal age by marriage or lacks the capacity of an adult, consent must be obtained from the guardian who has the authority to act on behalf of the minor.
2.4 If the data subject is incapable, consent must be obtained from a guardian with the authority to act on behalf of the incapacitated person.
2.5 If the data subject is a person with limited capacity, consent must be obtained from a custodian with the authority to act on behalf of the person with limited capacity.
2.6 If the data subject, or their representative as per 2.3, 2.4, or 2.5, wishes to withdraw the consent previously given, this must be done as easily as the original consent. If withdrawing consent impacts the data subject, the consequences of withdrawal must be communicated to the data subject.
2.7 The company must only collect, use, or disclose personal data for the purposes communicated to the data subject. Collecting, using, or disclosing personal data for purposes other than those communicated is prohibited unless a new purpose is communicated and consent is obtained before collection, use, or disclosure.
3.1 The collection of personal data must be for purposes related to the operations of the company in various areas, in compliance with legal or regulatory requirements.
3.2 When collecting personal data, the data subject must be informed prior to or at the time of collection about the following details:
3.2.1 The purpose of collecting the personal data for use or disclosure.
3.2.2 The necessity for the data subject to provide personal data to comply with laws or contracts, and the potential consequences of not providing the personal data.
3.2.3 The personal data to be collected and the retention period for such data.
3.2.4 The type of individuals or entities that may receive the personal data, including the names of those individuals or entities (as applicable).
3.2.5 The rights of the data subject under the law.
3.2.6 Information about the company and the data protection officer, contact details, and methods of contact.
3.3 The personal data collected must be accurate and complete as per the information provided by the data subject. If the data changes, it must be corrected and updated.
3.4 The collection of sensitive personal data requires explicit consent from the data subject, unless there is a legal basis supporting the collection. Approval from the authorized person must be obtained.
3.5 The collection of personal data from sources other than the data subject must be communicated to the data subject within 30 days from the collection. Explicit consent from the data subject must be obtained unless there is a legal basis supporting the collection, and approval from the authorized person must be obtained.
3.6 The collection of personal data must record the purpose for which the personal data is being collected.
3.7 For each category, details about the data controller, the retention period, rights and methods of access to the personal data, and conditions regarding who can access the personal data must be provided, along with any other details required by law, to allow the data subject or auditing office to verify.
4.1 Employees of the company may access or use personal data only to the extent necessary for performing their duties and according to the rights granted by the company. If an employee needs to access personal data beyond the rights granted by the company, approval must be obtained from the authorized person.
4.2 Employees of the company must use personal data only for the purpose for which it was collected or as consented to by the data owner, unless there is a lawful basis for doing so.
4.3 System administrators and system owners must allow employees of the company to access personal data only if they have the rights as granted or have received approval from the authorized person.
The company collects personal data through the following processes:
5.1 Personal data obtained directly from the data subject.
5.2 Personal data from third parties such as agents, stores, service providers, business partners, or affiliates.
5.3 Personal data obtained from website visits, such as Internet service provider name and IP address.
5.4 The IP address obtained through internet usage, the date and time of the website visit, the pages visited during the session, and the URL linked directly to the company’s website.
5.5 Personal data obtained from public records and non-public records.
5.6 Personal data that the company is legally entitled to collect.
5.7 Personal data obtained from government agencies or regulatory bodies with legal authority.
6.1 Disclosure of personal data to external individuals or organizations requires the consent of the data owner and approval from the data management committee, unless required by law or regulations. The company will disclose personal data to external individuals and/or organizations or external entities only in the following cases:
6.1.1 Authorized intermediaries include transport companies, data storage and aggregation service providers, system developers and maintainers involved in the company’s activities.
6.1.2 Partners, business affiliates, subsidiaries, and/or external service providers to offer benefits and services to the data owners, including data analysis, data processing, information technology services, infrastructure development, customer service platform development, email/SMS services, website and mobile app development, surveys, and customer relationship management. Confidentiality agreements regarding personal data will be established, ensuring compliance with data protection standards.
6.1.3 Government agencies or other legal entities for compliance with laws, orders, or requests.
6.1.4 Coordination with various agencies regarding legal compliance matters.
6.2 The receipt of personal data from external individuals or organizations requires confirmation that the data is legally supported and must be approved by the data management committee unless required by law or regulations. The company will collect data directly provided by the data owner or data received through the company’s services and operations via all channels, including:
6.2.1 Data received when the data owner registers or applies for participation in company activities or uses other services, such as name, surname, identification number, phone number, birthdate, address, email, etc.
6.2.2 Data from account creation or participation in activities, profile data provided to access services via mobile apps and/or company websites, including online accounts or app accounts, and data provided for various registrations such as activity participation or communication with the company.
6.2.3 Data from subscriptions, surveys, or activity participation, including satisfaction, interests, or consumption behavior.
6.2.4 Data related to transactions with the company, subsidiaries, or others, such as job applications, representative applications, bids, including credit/debit card information, bank account details, or other payment information, along with payment dates and times, depending on the type of transaction.
6.2.5 Data from website visits or use of the company’s websites or apps, or those operated by subsidiaries, including usage data from social media and interactions with online ads, device type, operating system, IP address, location data, and data about the services and products viewed or searched.
6.2.6 Data from contact records with the company, including customer service records, satisfaction surveys, research, statistics, call recordings, or CCTV footage when contacting the company through various channels such as SMS, social media, apps, or email.
6.2.7 Social media profile data obtained through social media credentials (e.g., Facebook, Twitter, Line) used to access company services, including account IDs, interests, liked items, and friends list, which the data owner can control through social media privacy settings.
6.3 If the company allows external individuals or organizations to collect, use, or disclose personal data on behalf of the company (data processors), it must use processors that implement appropriate data security measures equivalent to the company’s standards.
As part of the company’s data security policy for managing external IT service providers, there must be an agreement that outlines the purpose of collecting, using, or disclosing personal data to data processors and includes measures to prevent processors from using personal data beyond the purposes specified by the company.
In cases where the company transfers, transmits, and/or sends personal data abroad, the company will set standards for entering into agreements and/or business contracts with entities that will receive the personal data, ensuring that the entities have acceptable personal data protection standards that comply with the relevant laws to ensure that personal data will be safely protected, such as:
7.1 In cases where the company is required to store and/or transfer personal data for storage purposes
7.2 Processing in the cloud system: The company will consider organizations with internationally recognized security standards and will store personal data in an encrypted format or other methods that prevent the identification of the personal data owner. Additionally, personal data owners can check the list of third parties to whom the company may disclose personal data at https://www.advice.co.th/pdpa. This list of third parties may be updated, and the company will ensure the information is always current.
To ensure that the data owner has confidence in the company's management to prevent risks that could lead to personal data being improperly accessed, leaked, altered, or lost, the company adheres to information security policies, as well as international standards on information security and business continuity management, in accordance with legal requirements. The company implements measures to protect the privacy of the data owner by restricting access to the personal data of the data owner to only those individuals who require the information to offer the company's products and services. For example, company employees authorized to access such personal data must comply with the company's data protection measures and maintain the confidentiality of such information. The company has both physical and electronic safeguards that meet the required regulatory standards to protect personal data. When entering into contracts or agreements with third parties, the company will establish security measures for the protection of personal data and confidential information to ensure that the personal data held by the company remains secure.
The data subject has the following rights:
The right to be informed about the existence and nature of personal data, and the purposes for which the company uses personal data.
The right to access and obtain a copy of their personal data, with the company taking appropriate steps to verify the identity of the requestor.
The right to request correction or modification of their personal data to ensure it is accurate, up-to-date, and complete.
The right to object to the collection, use, or disclosure of personal data, including the right to object to the processing of personal data.
The right to request the suspension of the use or disclosure of personal data temporarily.
The right to request the deletion or destruction of personal data, or to render the personal data anonymized such that it no longer identifies the data subject.
The right to request information on how personal data was obtained, especially if the data was collected without the consent of the data subject.
The right to withdraw any previously given consent for the collection, use, or disclosure of personal data. Withdrawal of consent will not affect the collection, use, or disclosure of personal data that was already consented to.
The company has established contact channels for exercising these rights as outlined in section 17. The company will process requests and respond within 30 days from the receipt of the request. However, the company may refuse to exercise these rights in accordance with applicable laws or contracts with the company if such action would negatively impact the data subject’s rights and benefits. Deletion, destruction, or anonymization of personal data, or the cancellation of consent, can only be done in accordance with legal and contractual provisions. The exercise of these rights may affect the fulfillment of contractual obligations or other services, as it may prevent the identification of the data subject, which could limit certain services requiring personal data and may result in the data subject no longer receiving services or updates from the company.
The company will retain personal data only as long as necessary, considering the purpose and necessity for which the company needs to collect and process it, including compliance with applicable legal requirements. The company will retain personal data after the data subject has had no interaction with the company for a certain period, in accordance with the relevant statutory limitation period. The data will be stored in a suitable location based on the type of personal data. The company may also need to retain personal data beyond the legal limitation period, such as in cases where legal proceedings are ongoing.
In addition to the above purposes and under the legal requirements, the company will use personal data for marketing purposes, such as sending promotional materials via mail, email, and other methods, including direct marketing efforts to enhance the benefits that the data subject will receive as a customer of the company through the recommendation of relevant products and services. You may choose not to receive marketing communications from the company, except for communications related to the data subject and/or services provided by the company, such as receipts.
The company uses cookies to collect user data to gather information, compile statistics, conduct research, analyze trends, and improve and control the functionality of the website and/or application. This cookie collection process involves data that cannot identify the individual owner of the personal data.
Our company’s website may contain links to third-party websites, which may have privacy policies different from ours. We encourage individuals to review the privacy policies of these third-party websites to understand how their personal data is protected, and to decide whether to disclose personal information. The company is not responsible for the content, policies, damages, or actions resulting from third-party websites.
If you have any questions or concerns regarding this privacy statement or the handling of your data, you can contact us at
If you have any questions regarding the company's privacy policy, the information collected by the company, or if you wish to exercise your rights under data protection law, as outlined in Section 11, you can contact us at:
Company Name: Smart Block Tech Co., Ltd.
Address: 77/39 Sin Sathorn Tower, 12D Floor, Krung Thon Buri Road, Klong Ton Sai, Klong San, Bangkok 10600, Thailand
Company Website: www.smartposhub.com
Customer Service Center: Call 1491 or 02-908-8888 for inquiries
Email: dpo@advice.co.th
If you wish to file a complaint or if you feel that the company has not addressed your concerns in a satisfactory manner, you can contact and/or file a complaint with the Personal Data Protection Committee as detailed below.
Personal Data Protection Committee
Office of the Permanent Secretary, Ministry of Digital Economy and Society
E-mail: pdpc@mdes.go.th
Tel: 02-142-1033