The Company processes personal data for the following purposes
The Company will process personal data only when it has obtained consent from the data subject or where there is a lawful basis under the Personal Data Protection Act B.E. 2562 (2019), and solely for the purposes specified below. The personal data collected will not be used for any other purposes beyond those stated herein.
Personal data collected will be used only to the extent necessary for the purposes that have been notified and will not be used for any other purposes beyond those stated, except in the following cases:
- Where consent has been obtained from the data subject.
- Where it is necessary for the performance of a contract to which the data subject is a party.
- Where it is for compliance with applicable laws.
- Where it is for the legitimate interests of the Company, provided that such interests do not override the fundamental rights of the data subject.
- Where it is necessary to prevent or suppress danger to a person’s life, body, or health.
※ In the event that the Company needs to change the purposes of processing personal data, the Company will notify the data subject accordingly and, where required by law, obtain additional consent prior to such processing.
In accordance with the Personal Data Protection Act B.E. 2562 (2019).
Where the Company is required to process personal data of a child under 18 years of age, the Company shall obtain consent from the child’s legal guardian in accordance with applicable law.
For the purpose of obtaining such consent, the Company may collect only the personal data necessary from the child, such as the name and contact details of the legal guardian.
The Company shall retain and process personal data for the period required by applicable law or as agreed by the data subject at the time of collection.
The retention period for each category of personal data is as specified below.
The Company shall take appropriate measures to erase, destroy, or anonymize personal data so that the data subject can no longer be identified without undue delay upon the expiration of the retention period specified in Article 4, or when such data is no longer necessary for the purposes for which it was collected, disclosed, or processed, in accordance with Section 37 of the Personal Data Protection Act B.E. 2562 (2019).
The Company shall erase or destroy personal data prior to the expiration of the retention period if it is determined that:
- The personal data is no longer necessary for the purposes previously notified.
- The data subject withdraws consent and there is no other lawful basis for processing.
- The relevant user account has been terminated and there is no necessity to retain such data.
- Retention is no longer required by law, court order, or an order issued by a competent authority.
In cases where the purpose of processing has been fulfilled or the retention period has expired, but applicable law requires continued retention, the Company shall restrict access to and segregate such personal data from general processing activities, and shall retain it solely for the purpose of complying with legal obligations.
※ Note: For details regarding categories of personal data, retention periods, and legal bases for retention, please refer to Article 4 (Retention Period and Processing of Personal Data).
The Company shall regularly review the necessity of retaining personal data and shall promptly destroy such data when the retention period has expired or when it is no longer required.
In the case of account deletion, the Company may retain personal data for a temporary period not exceeding 14 days for the purposes of account recovery or fraud prevention. Upon the expiration of such period, the Company shall permanently destroy the personal data, unless there is a lawful basis for continued retention.
- Personal data in electronic form shall be securely deleted using appropriate methods, such as secure deletion techniques or other industry-standard data destruction methods, to ensure that the data cannot be reconstructed or retrieved.
- Personal data in physical or paper form shall be destroyed by appropriate means, such as shredding or other methods that render the data unreadable or irrecoverable.
The Company shall maintain appropriate controls and records of data destruction activities to ensure compliance with the principle of accountability as required by applicable law.
The Company shall disclose personal data only to the extent necessary and in accordance with Sections 24 and 27 of the Personal Data Protection Act B.E. 2562 (2019), under the following circumstances:
- Disclosure for the purposes previously notified and with the consent of the data subject (Section 24(1))
- Disclosure necessary for the performance of a contract (Section 24(3))
- Disclosure required for compliance with applicable laws (Section 24(2))
- Disclosure based on the legitimate interests of the Company (Section 24(5))
In the event of a personal data breach, the Company shall strictly comply with Section 26 of the Personal Data Protection Act.
Prior to disclosing personal data to third parties, the Company shall implement the following measures:
- Enter into a Data Processing Agreement (DPA).
- Establish appropriate data security measures.
- Restrict access to personal data to authorized personnel only.
- Disclose only personal data that is necessary in accordance with the principle of Data Minimization.
In the event of a transfer of personal data to a foreign country, the Company shall ensure that:
- The destination country has adequate data protection standards.
- Appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs).
- Explicit consent has been obtained from the data subject.
The Company may appoint external parties to process personal data on its behalf. Such appointment shall be carried out in accordance with Section 37 of the Personal Data Protection Act B.E. 2562 (2019).
At present, the Company has not appointed any external data processor.
Any cross-border transfer of personal data shall be conducted in accordance with Sections 28–29 of the Personal Data Protection Act B.E. 2562 (2019).
At present, the Company does not transfer personal data to foreign countries.
The Company implements the following measures to ensure the security and protection of personal data:
- Organizational Measures: Establishment and implementation of internal data protection policies, employee training programs, and oversight by the data protection team.
- Technical Measures: Access control to personal data processing systems, installation and regular updates of security software, and the use of authentication mechanisms (e.g., unique user identification credentials).
- Physical Measures: Controlled access to data storage areas and secure facilities, including entry and exit monitoring procedures.
The Company may use cookies and similar technologies to collect information regarding users’ use of the website and/or services. Such processing shall be conducted in accordance with Section 24 of the Personal Data Protection Act B.E. 2562 (2019), and users shall be provided with mechanisms to manage their consent.
1. Categories of Information Collected Automatically
- Usage Data: IP address, date and time of access, pages visited.
- Device Information: Device type, operating system, browser version.
- Behavioral Data: Login activity, usage behavior, navigation path.
- Online Identifiers: Cookie ID, Advertising ID (ADID, IDFA).
2. Cookie and Behavioral Data Table
3. Methods of Providing and Withdrawing Consent
4. Data Subject Rights (in accordance with Sections 19, 23, and 32 of the PDPA)
- To withdraw consent at any time.
- To request access to personal data.
- To request erasure or destruction of personal data.
- To object to the processing of personal data for marketing purposes.
5. Retention Period for Automatically Collected Data
Behavioral data relating to website and/or application usage shall be retained for a period not exceeding 14 months, unless a longer retention period is required by applicable law.
The Company recognizes and upholds the rights of data subjects in accordance with Sections 19, 23, 30–36, and 41 of the Personal Data Protection Act B.E. 2562 (2019).
1. Table of Data Subject Rights
2. Procedure for Exercising Data Subject Rights
3. Limitations on the Exercise of Rights
The Company may refuse a request in accordance with Sections 35(4) and 37(2) of the Personal Data Protection Act, or where other applicable laws require the retention of personal data.
The Company has appointed a Data Protection Officer in accordance with Section 41 of the Personal Data Protection Act B.E. 2562 (2019), where required by law.
1. Contact Details of the Data Protection Officer
2. Duties of the Data Protection Officer under the PDPA
1. If a data subject suffers damage as a result of a personal data breach, the data subject has the right to file a complaint or seek consultation regarding personal data protection with the relevant authority under Thai law, as follows:
▶ Personal Data Protection Committee (PDPC)
Website: https://www.pdpc.go.th
Email: saraban@pdpc.or.th
Tel: 02-111-8800
※ The data subject may lodge a complaint with the Office if the data controller or data processor violates or fails to comply with the Personal Data Protection Act B.E. 2562 (2019).
2. The data subject has the right to claim compensation from the data controller or data processor if damage is incurred as a result of unlawful processing of personal data, in accordance with the provisions of the Personal Data Protection Act B.E. 2562 (2019).
3. If the data subject believes that a government authority has acted unlawfully or failed to comply with a request to exercise rights under Sections 30, 31, 32, 33, or 34 of the Personal Data Protection Act B.E. 2562 (2019), the data subject may pursue legal remedies in accordance with applicable law.
4. The Company is committed to protecting the rights of data subjects and shall promptly investigate, rectify, and remedy any damage arising from personal data breaches.
For inquiries, complaints, or requests relating to personal data, please contact:
▶ Department Responsible for Personal Data Protection
Email: Nanastories.co@gmail.com
The Company’s website may contain links to external websites or third-party sources. The Company does not control the content or privacy practices of such external websites and shall not be responsible for the accuracy, legality, reliability, or availability of such content or services. When users click on external links, they are advised to review the privacy policies of those websites independently of the Company.
This Privacy Policy is effective as of 9 January 2025.