Privacy & Data Protection Policy | LOUIS THAI

Data Protection and PDPA Compliance Policy

Issued By: LOUIS THAI International Group Sdn Bhd
Effective Date: May 01, 2025
Version: 1.0 (Derived from Client Terms and Conditions Agreement 2025 Edition 2.0)

Purpose

This policy outlines LOUIS THAI International Group Sdn Bhd’s (“LOUIS THAI”, “We”, “Us”, or “Our”) comprehensive framework for protecting personal data in compliance with the Personal Data Protection Act 2010 (PDPA) and other applicable Malaysian laws. It governs the collection, use, disclosure, storage, and cross-border transfer of “Data” (as defined below), ensuring transparency, security, and respect for the privacy rights of Users, Clients, Guests, Patrons, and NGO Bodies. This policy expands on relevant sections of the Client Terms and Conditions Agreement 2025 Edition 2.0 (CTCA 2025 EDI 2.0), including Clause 7: Data, Clause 8: Voice Recordings, Clause 39: Data Protection and Cross-Border Data Transfer, and related provisions. It addresses the storage of client databases outside Malaysia, specifically using pCloud and Google Drive services, with data hosted in European Union (EU) countries, while maintaining equivalence with PDPA standards through GDPR-aligned protections.

1. Scope and Applicability

This Policy applies to all personal data processed by LOUIS THAI, including:

  1. Data collected from Users during enrollment, transactions, Services (e.g., fortune-telling, rituals under MSIC 96092), Products (e.g., talismans under MSIC 46909), feedback, voice recordings, or interactions via the Platform (https://louisthai.com), Webapp, social media, or other channels.
  2. All employees, Board of Directors, Nominee Directors, staff, affiliates, and third-party service providers handling Data on behalf of LOUIS THAI.
  3. Cross-border data transfers, including storage in EU-based servers via pCloud and Google Drive.

It covers all stages of the data lifecycle: collection, processing, storage, disclosure, retention, and deletion. Exclusions: This Policy does not apply to anonymized or aggregated data that cannot identify individuals, or data processed solely for journalistic, artistic, or literary purposes as exempted under PDPA.

2. Definitions
  1. Data: Any identifiable information about Users or their affiliates, including but not limited to names, email addresses, phone numbers, Service preferences, health declarations (e.g., for Thai Tattoo), voice recordings, feedback, and transaction details, as defined in CTCA Article 1.
  2. Personal Data: As per PDPA Section 4, any information relating to a data subject who is identified or identifiable from that information.
  3. Processing: Any operation performed on Data, such as collection, recording, holding, organization, adaptation, retrieval, use, disclosure, alignment, combination, correction, erasure, or destruction (PDPA Section 4).
  4. Cross-Border Data Transfer: Transfer of Data to servers or entities outside Malaysia, including to EU countries via pCloud and Google Drive.
  5. User/Data Subject: Any individual whose Data is processed, including Users as defined in CTCA Article 1.
  6. Sensitive Personal Data: Data relating to physical/mental health, political opinions, religious beliefs, or criminal records, processed with explicit consent where applicable (PDPA Section 40).
  7. Data Controller: LOUIS THAI, responsible for determining the purposes and means of Processing Data.
  8. Data Processor: Third parties (e.g., pCloud, Google Drive) engaged by LOUIS THAI to process Data on its behalf.

3. Principles of Data Protection

LOUIS THAI adheres to the seven PDPA principles (General, Notice and Choice, Disclosure, Security, Retention, Data Integrity, and Access) in all Processing activities:

  1. General Principle: Data is processed only with consent, for lawful purposes directly related to LOUIS THAI’s functions (e.g., Service delivery, marketing with opt-in).
  2. Notice and Choice Principle: Users are notified via Privacy Policy or consent forms at collection points (e.g., enrollment, bookings) about purposes, recipients, and rights.
  3. Disclosure Principle: Data is not disclosed without consent, except as required by law or for Processing purposes (e.g., to affiliates or processors).
  4. Security Principle: Data is protected against loss, misuse, unauthorized access, or disclosure using appropriate measures (detailed in Section 6).
  5. Retention Principle: Data is retained only as necessary (e.g., voice recordings for 6 months max); deleted securely thereafter.
  6. Data Integrity Principle: Data is accurate, complete, and up-to-date; Users can request corrections.
  7. Access Principle: Users have rights to access and correct Data (detailed in Section 5).

4. Data Collection and Processing
  1. Collection Methods: Data is collected directly from Users (e.g., via forms, bookings, voice calls) or indirectly (e.g., from third-party vendors with public sources) with consent.
  2. Purposes: Limited to Service provision, quality assurance (e.g., voice recordings for training), marketing (with opt-in), compliance, and dispute resolution (cross-reference CTCA Clause 8: Voice Recordings; Clause 40: Feedback and Testimonials).
  3. Consent: Obtained explicitly (e.g., via checkboxes or verbal notification) before Processing; revocable at any time, potentially limiting Services (cross-reference CTCA Clause 8.2: Consent to Recording; Clause 39.3: Opt-Out Option).
  4. Sensitive Data: Processed only with explicit consent (e.g., health declarations for Sak Yant) and for specified purposes (PDPA Section 40).
  5. Voice Recordings: Recorded for learning purposes with prior notice; stored securely for up to 6 months; not shared externally without consent (cross-reference CTCA Clause 8.3: Use of Recordings).
  6. AI and Automated Processing: Used for support and analysis with human oversight; Users can request explanations for AI decisions (cross-reference CTCA Article 18: Artificial Intelligence Use).

5. User Rights Under PDPA

Users/Data Subjects have the following rights, exercisable via written request to support@louisthai.com:

  1. Access: Request confirmation of Processing and a copy of Data within 21 days (PDPA Section 30).
  2. Correction: Request rectification of inaccurate/incomplete Data within 21 days (PDPA Section 34).
  3. Withdrawal of Consent: Revoke consent for future Processing; may lead to Service limitations (cross-reference CTCA Clause 8.5: Revocation of Consent; Clause 39.3: Opt-Out Option).
  4. Deletion/Erasure: Request deletion where Data is no longer necessary, subject to legal retention obligations (e.g., 6 months for recordings).
  5. Restriction: Opt-out of cross-border transfers or non-essential Processing (e.g., marketing).
  6. Portability: Request Data transfer in a structured format where feasible.
  7. Objection to Automated Decisions: Challenge AI-based decisions affecting them.
  8. Complaints: Lodge complaints with the Personal Data Protection Commissioner if unsatisfied.

Requests are processed free of charge unless excessive; responses provided within 21 days. For transition of existing customers, separate PDPA notifications are issued (cross-reference CTCA Article 16: Transition for Existing Customers).

6. Data Security Measures
  1. Technical Safeguards: Data encrypted (e.g., 256-bit AES for storage and transmissions); access controls, firewalls, and regular vulnerability scans.
  2. Organizational Measures: Staff training on PDPA compliance; data breach response plan with notification to affected Users and authorities within 72 hours if required.
  3. Physical Safeguards: Secure servers in EU data centers via pCloud and Google Drive, with restricted access.
  4. Breach Notification: In case of breaches, notify Users and the PDPA Commissioner as per PDPA Section 40A.
  5. Audits: Quarterly internal audits and annual external reviews to ensure security.

7. Cross-Border Data Transfers
  1. Storage Locations: Client databases are stored outside Malaysia in EU countries using pCloud (Switzerland/EU-compliant) and Google Drive (EU data centers), selected for their robust data protection frameworks equivalent to or exceeding PDPA standards.
  2. Legal Basis: Transfers occur only with User consent (obtained at collection) and where recipient countries/jurisdictions provide adequate protection (e.g., EU GDPR equivalence, as recognized under PDPA Section 129).
  3. Safeguards: Standard contractual clauses, binding corporate rules, and processor agreements with pCloud and Google ensure PDPA compliance; data minimized and encrypted during transfer.
  4. Opt-Out: Users may restrict transfers to Malaysia-only servers via written request, subject to operational feasibility and potential Service limitations (cross-reference CTCA Clause 39.3: Opt-Out Option).
  5. Risk Assessments: Regular assessments of transfer risks, with alternatives offered if equivalence lapses.

8. Data Retention and Deletion
  1. Retention Periods: Data retained only as necessary (e.g., transaction data for 7 years per tax laws; voice recordings for 6 months; loyalty data for 12 months post-expiration).
  2. Deletion: Automated deletion post-retention; secure erasure methods (e.g., overwriting) to prevent recovery.
  3. Archiving: Anonymized data may be retained for statistical purposes.

9. Third-Party Processors and Disclosures
  1. Processors: Engaged only with PDPA-compliant agreements (e.g., pCloud, Google Drive for storage; debt recovery agencies for defaults) (cross-reference CTCA Clause 36: Enforcement and Debt Recovery).
  2. Disclosures: Limited to consented purposes or legal requirements (e.g., to authorities for investigations); no sales or unauthorized sharing.
  3. Sub-Processors: Monitored for compliance; Users notified of material changes.

10. Compliance, Monitoring, and Enforcement
  1. PDPA Officer: Designated officer oversees compliance; contact: support@louisthai.com.
  2. Training: Annual staff training on PDPA principles and data handling (cross-reference CTCA Article 21: Training and Communication).
  3. Audits and Reviews: Internal audits quarterly; policy reviewed annually or upon legislative changes.
  4. Enforcement: Violations (e.g., unauthorized disclosure) treated as Zero Tolerance breaches, with termination and reporting (cross-reference CTCA Clause 26: Zero Tolerance Policy).
  5. Other Laws: Aligns with Consumer Protection Act 1999 (fair data practices), Communications and Multimedia Act 1998 (online data), and EU GDPR for transfers.

11. Disputes and Amendments
  1. Dispute Resolution: Data-related disputes follow mediation and AIAC arbitration per the Arbitration Act 2005 (cross-reference CTCA Clause 41: Applicable Law and Conflict Resolution).
  2. Amendments: Changes notified with 30 days’ advance via Website/email; continued use constitutes acceptance (cross-reference CTCA Clause 19: Amendment).
  3. Force Majeure: Excuses Processing delays due to uncontrollable events, with safeguards maintained (cross-reference CTCA Clause 20: Force Majeure).

12. Contact and Support

For Data requests, opt-outs, or inquiries, contact support@louisthai.com or louisthaiofficial@gmail.com. Complaints can be escalated to the Personal Data Protection Commissioner.

Approval:批准:อนุมัติโดย:

Wong Shee Yee, LouisWong Shee Yee, LouisWong Shee Yee, Louis

Chief Executive Officer and President首席执行官兼总裁ประธานเจ้าหน้าที่บริหารและประธาน

LOUIS THAI International Group Sdn BhdLOUIS THAI International Group Sdn BhdLOUIS THAI International Group Sdn Bhd

This policy is a compiled and complete document generated from relevant sections of the Client Terms and Conditions Agreement 2025 Edition 2.0, with enhanced detail on cross-border storage via pCloud and Google Drive in the EU, ensuring thorough PDPA compliance for clarity and reference.This policy is a compiled and complete document generated from relevant sections of the Client Terms and Conditions Agreement 2025 Edition 2.0, with enhanced detail on cross-border storage via pCloud and Google Drive in the EU, ensuring thorough PDPA compliance for clarity and reference.This policy is a compiled and complete document generated from relevant sections of the Client Terms and Conditions Agreement 2025 Edition 2.0, with enhanced detail on cross-border storage via pCloud and Google Drive in the EU, ensuring thorough PDPA compliance for clarity and reference.

6A. ICAC Secure Physical Destruction Framework

Effective Date: May 01, 2025

Version: 1.1

Update Note: Incorporation of the ICAC Secure Physical Destruction Framework as part of Section 6: Data Security Measures.

To strengthen compliance with the PDPA Security, Retention, and Data Integrity Principles, LOUIS THAI International Group adopts a proprietary physical destruction standard known as the ICAC Framework (Internal Compliance & Assurance Criteria).

This framework applies to all physical documents containing personal data, sensitive personal data, operational records, or any printed matter that may identify Users, Clients, or internal staff.

I — Irreversibility

All documents containing Personal Data are destroyed using a Class-3 crosscut shredding machine, producing micro-fragments that make reconstruction impossible.

This ensures irreversible elimination of personal data in compliance with PDPA Section 9 (Security Principle).

C — Consistency

Shredding is performed according to a documented Standard Operating Procedure (SOP), ensuring uniform treatment of all sensitive documents, regardless of the personnel handling them.

Each destruction activity follows the same procedural standards approved by the PDPA Officer.

A — Auditability

All destruction sessions are recorded in an ICAC Destruction Log, which includes:

  • Date and time of destruction
  • Type of documents destroyed
  • Volume/weight of materials
  • Name and signature of the authorised handler
  • Optional photographic evidence (especially for high-sensitivity batches)

Logs are retained for internal and external audits for up to 24 months unless otherwise required by law.

C — Client Assurance

To strengthen transparency and reinforce trust, LOUIS THAI may provide:

  • Photographic evidence of destruction (where appropriate)
  • Documentation confirming secure disposal
  • Visible process demonstrations in compliance training sessions

This ensures Users and Clients understand that their data has been managed with uncompromising confidentiality.

Integration with ESG & SDG Commitments

ICAC supports LOUIS THAI’s environmental and governance obligations under:

  • ESG (G: Governance) — establishing verifiable internal controls
  • SDG 12 — Responsible consumption and recycling pathways
  • SDG 16 — Strong institutions and justice through ethical data handling

Shredded fragments may be recycled or repurposed as packaging filler for non-sensitive products to minimise waste.

Policy Enforcement under ICAC

Failure to comply with ICAC SOP—including bypassing shredding, improper disposal, unauthorised removal of printed materials, or destruction outside approved methods—constitutes a Zero Tolerance Breach and may result in immediate disciplinary action under CTCA Clause 26.

Repeated incidents may escalate to termination or legal reporting.
