1. Introduction
1.1 Data Controller Identification
This Privacy Policy applies to the website kdsiamdistribution.com (hereinafter referred to as “the Website”, “we”, “us”, “our”). The entity responsible for the collection, use, and disclosure of your Personal Data (the Data Controller) under Thailand’s Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) is:
(Note: The client, kdsiamdistribution.com, must verify and confirm the exact legal name and registered address of the Data Controller entity).
Clearly identifying the Data Controller is a fundamental requirement for transparency under the PDPA. This ensures you know who is responsible for protecting your data and whom to contact to exercise your rights regarding your Personal Data. Failure to provide this identification hinders accountability, a core principle of data protection mandated by Section 23 of the PDPA.
1.2 Commitment to Privacy
We are committed to protecting the privacy and security of your Personal Data. This Privacy Policy outlines how we collect, use, disclose, transfer, and store your Personal Data in compliance with the PDPA and its relevant sub-regulations and guidelines issued by the Personal Data Protection Committee (PDPC). While the PDPA draws inspiration from international standards like the EU’s General Data Protection Regulation (GDPR), it possesses unique characteristics, particularly concerning consent and specific requirements under Thai law, which this policy adheres to.
1.3 Scope of this Policy
This policy applies to all Personal Data collected through your interaction with the Website. This includes information provided via forms, account creation, order processing, newsletter subscriptions, cookie usage, and any communications with us through the Website.
Importantly, the PDPA has extraterritorial reach. This means the policy and the protections described herein apply to the processing of Personal Data of individuals located within Thailand, even if we operate from outside the country, particularly when offering goods or services to individuals in Thailand or monitoring their online behaviour within Thailand. Understanding this scope is crucial because interactions with our Website from within Thailand trigger these specific data protection obligations under Thai law, regardless of our physical location.
1.4 Key Definitions
To ensure clarity, here are definitions of key terms used in this policy, based on the PDPA:
Personal Data: Any information relating to a living individual that enables the identification of such individual, whether directly or indirectly. This does not include information of deceased persons. Examples include your name, address, email address, phone number, identification number, location data, online identifiers (like IP addresses or cookie IDs), and order history.
Sensitive Personal Data: A specific category of Personal Data requiring higher protection and explicit consent (or specific legal exemptions) for processing. This includes data pertaining to racial or ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behaviour, criminal records, health data, disability, trade union information, genetic data, biometric data (e.g., fingerprints, facial recognition data), or any other data which may affect the data subject in a similar manner as prescribed by the PDPC.
Processing: Any operation or set of operations performed on Personal Data, whether or not by automated means. This includes collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Data Subject: The identified or identifiable living individual to whom the Personal Data relates (e.g., you, the user of the Website).
Data Controller: The natural or juristic person (in this case, us, as identified in Section 1.1) who has the power and duties to make decisions regarding the collection, use, or disclosure of Personal Data.
Data Processor: A natural or juristic person who collects, uses, or discloses Personal Data on behalf of, or under the instructions of, the Data Controller.
2. What Personal Data We Collect
(Important Assumption Note): The website kdsiamdistribution.com was inaccessible during the preparation of this policy. Therefore, the types of Personal Data listed below are based on assumptions about the standard features and functionalities typically found on an e-commerce or distribution website. It is essential that kdsiamdistribution.com verifies this section against its actual data collection practices and updates it accordingly to ensure accuracy and compliance.
We may collect the following categories of Personal Data:
2.1 Information You Provide Directly
Account Registration Data: When you create an account, we may collect your full name, email address, phone number, a chosen password, and potentially your business name if applicable. This information is necessary to establish and manage your user account.
Order and Transaction Data: When you place an order, we collect information necessary for fulfillment, including your full name, delivery address, billing address, phone number, email address, and details of the products ordered.
Contact and Communication Data: If you contact us via contact forms, email, or other customer support channels, we collect your name, email address, phone number (if provided), and the content of your messages or inquiries. This allows us to respond effectively.
Marketing Subscription Data: If you choose to subscribe to our newsletters or marketing communications, we will collect your email address and potentially your name. This collection is based solely on your explicit consent.
Payment Information (Clarification): We prioritize your financial security. We typically do not directly collect or store your full credit card numbers or complete bank account details. Payments are processed through secure, third-party payment gateways that comply with relevant security standards. We may receive confirmation of payment success, a transaction identifier, order details, and potentially masked details (like the last four digits of a card number) from the payment provider for verification, record-keeping, and fraud prevention purposes only.
2.2 Information Collected Automatically
When you visit and interact with our Website, we may automatically collect certain technical information:
Device and Connection Information: This includes your Internet Protocol (IP) address, the type and version of your web browser, your device’s operating system, device type (e.g., desktop, mobile), screen resolution, and potentially unique device identifiers (UDID or MEID) if you interact via a mobile device. This data helps ensure website compatibility, security, and basic analytics.
Usage Data: We collect information about how you use the Website, such as the specific pages you visit, the time and date of your visit, the time spent on those pages, the links you click, the website you came from (referring URL), and your interaction patterns. This helps us understand user behaviour and improve the Website’s functionality and user experience.
Cookies and Similar Technologies: We use cookies and potentially other tracking technologies (like web beacons or pixels) to collect data about your browsing activities and preferences. This can include session information, language preferences, and identifiers used for analytics and marketing. Detailed information about our use of cookies and how you can manage them is provided in Section 9 (Cookies and Similar Technologies).
2.3 Information from Third Parties
In some instances, we might receive Personal Data about you from third-party sources, such as:
Business partners (e.g., marketing affiliates, data enrichment services).
Social media platforms, if you choose to log in or interact with our Website using your social media account credentials.
Publicly available sources.
We will only process such data if permitted by law and will ensure transparency regarding these sources where applicable.
2.4 Sensitive Personal Data
We generally do not collect Sensitive Personal Data (as defined in Section 1.4) through this Website, as it is typically not necessary for our business operations as a distributor. Should a situation arise where collecting Sensitive Personal Data becomes necessary (which is highly unlikely for our core services), we will only do so with your explicit prior consent obtained separately for that specific purpose, or where permitted by a specific legal exemption under the PDPA, and always with enhanced security measures.
3. How and Why We Use Your Personal Data (Purposes & Legal Basis)
The PDPA mandates that Personal Data must be processed lawfully, fairly, and transparently for specified, explicit, and legitimate purposes (Purpose Limitation). We cannot collect your data without a valid reason and legal justification, and we cannot use it for purposes incompatible with those originally stated without informing you and obtaining consent if required.
We process your Personal Data based on one or more of the following legal bases permitted under the PDPA:
Contractual Necessity (Section 24(3)): Processing is necessary for the performance of a contract to which you are a party (e.g., fulfilling your order) or to take steps at your request before entering into a contract (e.g., creating your account).
Legal Obligation (Section 24(6)): Processing is necessary for compliance with a legal obligation to which we are subject (e.g., tax reporting, accounting requirements).
Legitimate Interests (Section 24(5)): Processing is necessary for our legitimate interests or those of a third party, provided these interests are not overridden by your fundamental rights and freedoms. We conduct a balancing test when relying on this basis.
Consent (Section 19): You have given explicit, freely given, specific, and informed consent to the processing of your Personal Data for one or more specific purposes (e.g., subscribing to marketing emails, using non-essential cookies).
Vital Interests (Section 24(2)): Processing is necessary to protect your vital interests or those of another natural person (rarely applicable in our context).
Public Task/Official Authority (Section 24(4)): Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us (unlikely applicable to our commercial activities).
Research/Statistics (Section 24(1)): Processing is for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, with appropriate safeguards.
The following table details our main processing activities, the types of data involved, the purposes, and the primary legal basis we rely upon under the PDPA. This table structure enhances transparency, making it easier for you to understand how and why your data is used, which is a key requirement under Section 23 of the PDPA regarding notification obligations.
| Category of Personal Data | Purpose of Processing | Legal Basis under PDPA | Explanation |
| --- | --- | --- | --- |
| Contact Info (Name, Address, Email, Phone), Order Details | Processing and Fulfilling Orders, Delivery, Invoicing | Contractual Necessity (Sec 24(3)) | Necessary to perform the purchase agreement and deliver the goods/services you ordered. |
| Contact Info, Account Credentials | Creating and Managing User Accounts | Contractual Necessity (Sec 24(3)) | Necessary to provide the account service you requested when registering. |
| Contact Info, Communication Content | Customer Support & Responding to Inquiries | Contractual Necessity / Legitimate Interest | Necessary to fulfill service requests related to orders/accounts (Contract) or respond to general inquiries based on our legitimate interest in providing good service, balanced against your rights (Legitimate Interest). |
| Usage Data, Device Info, IP Address, Essential Cookies | Website Operation, Functionality & Security | Legitimate Interest (Sec 24(5)) | Necessary for the technical functioning, security, and basic operation of the Website. Our interest in providing a functional and secure site is balanced against minimal privacy impact. |
| Usage Data, Device Info, IP Address, Non-Essential Cookies | Website Improvement, Analytics, Performance Monitoring | Consent (Sec 19) / Legitimate Interest | Explicit Consent required for cookies used for detailed analytics, tracking, or profiling. Basic, aggregated, anonymized analytics might rely on Legitimate Interest after careful balancing. |
| Contact Info (Email, Name) | Sending Marketing Communications (Newsletters, Promotions) | Consent (Sec 19) | Requires your explicit, freely given, specific, and informed opt-in consent. You can easily withdraw this consent (opt-out) at any time. |
| Transaction Data, Contact Info, Business Info (if applicable) | Legal & Regulatory Compliance (Tax, Accounting, Audits) | Legal Obligation (Sec 24(6)) | Necessary to comply with mandatory Thai laws regarding financial reporting, taxation, and business registration. |
| IP Address, Usage Data, Transaction Data, Account Info | Fraud Prevention, Security Monitoring, Protecting Legal Rights | Legitimate Interest (Sec 24(5)) | Necessary to protect our business, our users, and our rights from fraudulent activities, security threats, and potential legal disputes. This interest is balanced against your rights. |
Choosing the most appropriate legal basis is crucial. While consent is one option, relying on it for essential services like order processing can be problematic if consent is withdrawn. Therefore, we use ‘Contractual Necessity’ for core functions directly related to your requests or purchases. ‘Legitimate Interest’ is used for operational aspects like security or basic analytics, always involving an internal assessment to ensure our interests do not unfairly override your privacy rights. ‘Consent’ is the required standard for activities like direct marketing emails and the use of non-essential cookies. ‘Legal Obligation’ applies where Thai law mandates processing, such as for tax purposes. Using the correct basis ensures compliance and respects the different contexts of data processing under the PDPA.
4. Data Retention
4.1 Principle of Storage Limitation
In line with the PDPA’s storage limitation principle, we are committed to retaining your Personal Data only for as long as it is reasonably necessary to fulfill the specific purposes for which it was collected. This includes satisfying any legal, regulatory, accounting, or reporting requirements, or for the establishment, exercise, or defense of legal claims. We will not keep your Personal Data indefinitely without a valid justification.
4.2 Notification of Retention Period
As required by PDPA Section 23, we inform you of the applicable retention period, or the criteria used to determine that period, at or before the time we collect your Personal Data. This information is typically provided in point-of-collection notices (like cookie banners or form disclosures) and summarized here. While the PDPA mandates this notification, it does not prescribe specific retention durations itself; these must be determined based on purpose and legal context. Simply stating data will be kept “as long as necessary” is insufficient for the required notification; specific criteria or periods must be defined internally and communicated appropriately.
4.3 Retention Criteria Examples
The length of time we retain specific Personal Data depends on various factors, including:
Purpose of Collection: Data needed for a one-time transaction may be kept for a shorter period than data associated with an ongoing account relationship.
Duration of Your Relationship with Us: Account information is generally kept as long as your account is active and for a reasonable period afterward to handle residual issues or legal requirements.
Legal and Regulatory Obligations: Thai law may require us to keep certain records (e.g., accounting records, tax documents) for specific minimum periods (e.g., 5-7 years as per , or potentially 10 years for certain records under laws like the Labor Protection Act, although less relevant here).
Statute of Limitations: We may retain data relevant to potential legal claims until the relevant limitation period expires.
Operational Needs: Data may be retained for periods linked to product warranties, customer service history, or system backups (subject to minimization).
Consent Duration: Data processed solely based on consent (e.g., marketing lists) is retained until you withdraw your consent.
4.4 Deletion and Anonymization
Once the retention period expires, or if data is no longer necessary for its collected purpose, or upon a valid erasure request according to your rights (see Section 8), we will securely delete or anonymize your Personal Data. Anonymization involves removing identifiers so that the data can no longer be linked back to you. Our procedures for deletion, destruction, and de-identification aim to comply with PDPC guidelines and ensure data cannot be recovered or re-identified inappropriately. The PDPC’s focus on secure disposal methods underscores the importance of having robust end-of-lifecycle data management processes.
5. Sharing Your Personal Data
5.1 Principle of Limited Sharing
We do not sell your Personal Data. We will only share your Personal Data with third parties when it is necessary for the purposes outlined in Section 3, when we have a valid legal basis to do so, and always with appropriate safeguards in place to protect your privacy. Transparency about the categories of recipients is a key requirement of the privacy notice under PDPA Section 23.
5.2 Categories of Third-Party Recipients
We may share your Personal Data with the following categories of third parties:
Service Providers (Data Processors): We engage third-party companies and individuals to perform services on our behalf. These Data Processors handle tasks such as payment processing (secure payment gateways), order fulfillment and delivery (logistics partners), website hosting (cloud service providers), IT support and maintenance, data analytics, and marketing campaign management (email platforms, advertising partners). These providers only process your Personal Data based on our specific instructions and are contractually obligated to protect your data.
Business Partners: If we collaborate with other companies on joint promotions or services, we may share certain Personal Data with them. This will only occur with your explicit consent or where otherwise legally permitted, and you will be informed beforehand.
Legal and Regulatory Authorities: We may be required to disclose your Personal Data to comply with applicable laws, regulations, court orders, subpoenas, or other legal processes, or requests from government authorities (e.g., tax authorities, law enforcement).
Professional Advisors: We may share necessary information with our lawyers, accountants, auditors, and insurers who provide professional services to us, under strict confidentiality obligations. This sharing is typically based on our legitimate interest in obtaining advice and managing business risks.
In Case of Business Transfers: If we are involved in a merger, acquisition, reorganization, sale of assets, or bankruptcy, your Personal Data may be transferred as part of that transaction. We will notify you of such an event and any choices you may have regarding your information.
5.3 Conditions for Sharing
Data Processing Agreements (DPAs): When we share Personal Data with Service Providers (Data Processors), we enter into legally binding Data Processing Agreements as mandated by the PDPA. These agreements require processors to:
Process data only according to our documented instructions.
Implement appropriate technical and organizational security measures compliant with PDPA standards.
Maintain confidentiality.
Assist us in fulfilling data subject rights requests.
Notify us of any data breaches without undue delay.
Delete or return data upon termination of the service.
The distinction between Data Processors acting on our behalf and other third parties (who might be independent Data Controllers) is critical. We are directly responsible under the PDPA for ensuring our processors comply with these obligations. Failure to have compliant DPAs is a violation.
Valid Legal Basis: Any sharing of Personal Data with third parties other than Data Processors must be based on a valid legal ground under the PDPA, such as your explicit consent (e.g., for sharing with marketing partners), a legal obligation (e.g., reporting to authorities), or contractual necessity directly involving you.
6. International Data Transfers
6.1 Statement of Practice
(Assumption: Given the nature of e-commerce and common use of global technology platforms, it is likely that kdsiamdistribution.com transfers some Personal Data outside of Thailand, for example, through the use of international cloud service providers, payment gateways, or marketing tools. This needs verification by the client.)
If we transfer your Personal Data outside of the Kingdom of Thailand, we will ensure that such transfers are conducted in compliance with the requirements of the PDPA.
6.2 PDPA Requirements for International Transfers
The PDPA (Sections 28 and 29) restricts the transfer of Personal Data to a country or international organization outside Thailand unless one of the following conditions is met:
Adequacy Decision: The destination country or international organization has been deemed by the PDPC to provide an “adequate” level of personal data protection standards, comparable to those under the PDPA. The PDPC considers factors like the existence of comprehensive data protection laws, enforcement mechanisms, and legal remedies in the destination country.
Appropriate Safeguards: If no adequacy decision exists, the transfer can occur if appropriate safeguards are implemented to ensure the protection of Personal Data and enforceable data subject rights. These safeguards can include:
Binding Corporate Rules (BCRs): For transfers within our corporate group (if applicable), provided the BCRs have been reviewed and certified by the Office of the PDPC.
Standard Contractual Clauses (SCCs): Using model contractual clauses approved or recognized by the PDPC. This may include PDPC-specific clauses, the ASEAN Model Contractual Clauses, or potentially adapted versions of GDPR SCCs, provided they meet Thai requirements for enforceability and data subject rights protection.
Certification: Adherence to a certification mechanism approved by the PDPC that demonstrates appropriate safeguards.
Legally Binding Instruments: For transfers between public authorities, based on legally binding and enforceable agreements.
Specific Exceptions (Derogations): In the absence of an adequacy decision or appropriate safeguards, a transfer may still occur under specific circumstances, such as:
You have given explicit consent to the proposed transfer after being fully informed about the potential risks due to the lack of adequate protection in the destination country.
The transfer is necessary for the performance of a contract between you and us, or for pre-contractual steps taken at your request.
The transfer is necessary for the conclusion or performance of a contract concluded in your interest between us and another party.
The transfer is necessary to protect your vital interests or those of other persons, where you are physically or legally incapable of giving consent.
The transfer is necessary for compliance with the law or for important reasons of public interest.
The transfer is necessary for the establishment, exercise, or defense of legal claims.
6.3 Clarification on Cloud Services
Recent PDPC guidance suggests that using overseas cloud storage services might not be considered a restricted “transfer” under Sections 28/29 if the service provider contractually and technically cannot access the stored Personal Data. However, this interpretation requires careful assessment of the specific cloud provider’s terms of service and technical architecture to confirm lack of access. If the provider can access the data (e.g., for support or analytics), it would likely constitute a transfer requiring compliance with the mechanisms above.
Ensuring lawful international data transfers is a complex but critical aspect of PDPA compliance, especially given the recent regulations effective from March 2024. Choosing and correctly implementing the appropriate transfer mechanism (adequacy, safeguards like SCCs/BCRs, or a valid exception) is essential to avoid significant penalties.
7. Data Security
7.1 Commitment to Security
We take the security of your Personal Data seriously and are committed to implementing and maintaining appropriate measures to protect it against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
7.2 PDPA Security Obligation
We strive to comply with Section 37(1) of the PDPA, which mandates Data Controllers to provide appropriate security measures. These measures encompass administrative, technical, and physical safeguards suitable for the nature, scope, context, and purposes of processing, as well as the risks to the rights and freedoms of individuals. The requirement for “appropriate” security is risk-based, meaning the level of protection should correspond to the sensitivity of the data and the potential harm from a breach.
7.3 Examples of Security Measures
While we cannot disclose specific security architecture details for safety reasons, our measures generally include (but are not limited to):
Technical Measures:
Use of encryption technologies (e.g., SSL/TLS for data transmission, encryption for stored sensitive data where applicable).
Implementation of firewalls and intrusion detection/prevention systems.
Secure server configurations and patching protocols.
Access control mechanisms (e.g., password policies, multi-factor authentication where appropriate).
Regular vulnerability scanning and security assessments.
Organizational Measures:
Internal data protection policies and procedures.
Staff training on data privacy and security responsibilities.
Restricting access to Personal Data on a “need-to-know” basis according to job roles.
Conducting due diligence and requiring contractual security commitments from third-party service providers (via DPAs).
Implementing procedures for secure data handling, storage, and disposal.
Regular reviews and audits of security practices.
7.4 Continuous Improvement
The threat landscape is constantly evolving. We regularly review and update our security measures considering technological advancements, emerging threats, and changes in our processing activities or legal obligations.
7.5 Data Breach Notification
In the unfortunate event of a Personal Data breach, we have procedures in place to assess and respond promptly. In accordance with the PDPA and PDPC guidelines, if a breach occurs that is likely to result in a risk to your rights and freedoms, we are obligated to notify the Office of the PDPC without undue delay, and where feasible, within 72 hours of becoming aware of it. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, informing you about the nature of the breach and the remedial measures being taken. Our assessment of risk and notification timing follows the criteria and clarifications provided by the PDPC. The strict 72-hour deadline for notifying the PDPC necessitates robust internal incident detection, assessment, and response capabilities.
8. Your Data Protection Rights
Under the Thailand PDPA, you have specific rights regarding your Personal Data. We are committed to facilitating the exercise of these rights. Providing clear and accessible ways for you to exercise these rights is not only a legal requirement under PDPA Sections 30-36 but also fundamental to building trust.
Your rights include:
Right to be Informed (PDPA Section 23): You have the right to be informed about the collection, use, and disclosure of your Personal Data, including the purposes, legal basis, retention periods, potential recipients, our contact details, and your rights. This Privacy Policy serves as a primary means of providing this information.
Right of Access (PDPA Section 30): You have the right to request access to your Personal Data that we hold and to obtain a copy of it. You can also request disclosure of how we acquired data if it was collected without your direct consent (where applicable).
Right to Rectification (PDPA Section 35): If you believe your Personal Data held by us is inaccurate, incomplete, misleading, or not up-to-date, you have the right to request its correction or completion.
Right to Erasure (‘Right to be Forgotten’) (PDPA Section 33): You have the right to request the deletion, destruction, or anonymization of your Personal Data under certain conditions, such as when the data is no longer necessary for the purposes collected, you withdraw consent (and no other legal basis applies), you object to processing (and there are no overriding legitimate grounds), or the data was processed unlawfully.
Right to Restrict Processing (PDPA Section 34): You have the right to request the temporary suspension of the processing of your Personal Data in specific situations, for example, while we are verifying the accuracy of your data following a rectification request, when processing is unlawful but you oppose erasure, when we no longer need the data but you require it for legal claims, or while your objection to processing is being considered.
Right to Data Portability (PDPA Section 31): Where processing is based on your consent or contractual necessity and carried out by automated means, you have the right to receive your Personal Data in a structured, commonly used, and machine-readable format. You also have the right to request that we transmit this data directly to another Data Controller, where technically feasible.
Right to Object (PDPA Section 32): You have the right to object, on grounds relating to your particular situation, to the processing of your Personal Data when it is based on legitimate interests or public task/official authority. You also have an absolute right to object to processing for direct marketing purposes.
Right to Withdraw Consent (PDPA Section 19): Where we rely on your consent as the legal basis for processing, you have the right to withdraw that consent at any time. The withdrawal must be as easy as giving consent. Withdrawal will not affect the lawfulness of processing based on consent before its withdrawal. We will inform you of any consequences of withdrawal.
Right to Lodge a Complaint: If you believe that our processing of your Personal Data violates the PDPA, you have the right to lodge a complaint with the expert committee at the Office of the Personal Data Protection Committee (PDPC).
How to Exercise Your Rights:
To exercise any of these rights, please contact us using the details provided in Section 10 (Contact Us). You can typically submit your request via email to our dedicated privacy contact address.
We will respond to your request without undue delay and generally within 30 days of receipt, although this period may be extended in complex cases as permitted by law (recent draft guidelines suggest up to 60 days for deletion requests, but the standard is often 30 days). We may need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Data (or to exercise any of your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
There is usually no fee required to exercise your rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
- Cookies and Similar Technologies
9.1 What are Cookies?
Cookies are small text files that are placed on your computer or mobile device when you visit a website. They are widely used to make websites work, or work more efficiently, as well as to provide information to the website owners. Cookies can collect Personal Data, such as your IP address, browser type, device ID, and browsing behaviour, making their use subject to PDPA regulations.
9.2 Types of Cookies We Use
(Assumption: Based on typical e-commerce website functionalities. Client must verify and update based on actual cookies deployed, potentially using a cookie scanning tool.)
Our Website may use the following types of cookies:
Strictly Necessary Cookies: These cookies are essential for the basic operation of our Website. They enable core functionalities like user logins, shopping cart management, and security features. Without these cookies, the Website cannot function properly. Under PDPA, explicit consent is generally not required for these cookies, but transparency about their use is still necessary. Processing may be based on legitimate interest or implied necessity for service provision.
Performance and Analytics Cookies: These cookies collect information about how visitors use our Website, such as which pages are visited most often, how users navigate the site, and if they encounter error messages. The data collected is typically aggregated and anonymized and helps us improve the Website’s performance and user experience. Under PDPA, these cookies are generally considered non-essential and require your explicit consent before being placed.
Functionality Cookies: These cookies allow the Website to remember choices you make (such as your username, language preference, or region) and provide enhanced, more personalized features. For example, they might remember your login details so you don’t have to re-enter them. These are generally non-essential and require your explicit consent.
Targeting and Marketing Cookies: These cookies are used to track your browsing activity across websites to build a profile of your interests and show you relevant advertisements on other sites. They are often placed by third-party advertising networks with our permission. These cookies require your explicit consent.
9.3 Cookie Consent Mechanism
Compliance with PDPA requires an active, explicit opt-in approach for all non-essential cookies. This means:
We will not place any Performance/Analytics, Functionality, or Targeting/Marketing cookies on your device before you provide your explicit consent.
We use a cookie consent banner or management tool that appears when you first visit our Website. This tool provides clear information about the types of cookies used and their purposes, in plain language.
The banner allows you to actively Accept all cookies, Reject all non-essential cookies, or Customize your preferences by choosing which categories of cookies you consent to.
Implied consent (e.g., “By continuing to browse this site, you accept cookies”) is not valid under PDPA. You must take a clear affirmative action to consent.
We record your consent preferences securely as proof of compliance.
The use of a functional Consent Management Platform (CMP) is practically necessary to achieve the level of granular control, blocking, and consent recording required by the PDPA.
9.4 Managing Your Cookie Preferences
You can change your cookie preferences or withdraw your consent at any time. The process for withdrawal must be as easy as giving consent. You can typically do this through:
Our Cookie Preference Center: Click on the to manage your choices.
Browser Settings: Most web browsers allow you to control cookies through their settings. You can usually find these settings in the ‘Options’ or ‘Preferences’ menu of your browser. Blocking all cookies through browser settings might affect the functionality of our Website, including essential features.
- Contact Us
If you have any questions about this Privacy Policy, our data protection practices, or if you wish to exercise any of your rights regarding your Personal Data, please contact us.