Last updated: May 17, 2026 · v1.0
PDPA Notice
This notice complies with PDPA §23 (notice to data subjects) and supplements our Privacy Policy with the technical detail PDPA requires. For everyday questions, the Privacy Policy is the easier read.
1. Data Controller
Kiangkang Co., Ltd., Bangkok, Thailand. Data Protection Officer (DPO): privacy@kiangkang.app
2. Legal basis (PDPA §24)
Contract (§24(3)): processing necessary to deliver medication reminders you signed up for.
Consent (§24(1)): optional analytics, marketing, family sharing.
Legal obligation (§24(6)): tax, anti-money-laundering, court orders.
Legitimate interest (§24(5)): security, fraud prevention, service improvement (balanced against your rights).
3. Special-category data (PDPA §26)
We process health data (medicines, intake logs, vitals). Per §26, we require EXPLICIT consent, captured at first launch (Consent screen) and reaffirmed whenever you toggle health features. You can withdraw consent at any time via Privacy Settings, which triggers soft-deletion of the affected health data within 24 hours and permanent erasure within 30 days.
4. Retention period
Account: until deletion request + 30-day grace.
Health data: same as account, OR until consent withdrawn (whichever earlier).
Analytics: 14 months (GA4 default).
Security logs: 90 days.
Financial records: 7 years (Thai tax law).
5. Cross-border transfer (PDPA §28)
Analytics data is transferred to Google LLC in the United States under Google's Standard Contractual Clauses (SCC), which the PDPC has accepted as an adequate safeguard. No other cross-border transfers occur in normal operation.
6. Data subject rights (PDPA §30-§37)
Access (§30): request a copy. We respond within 30 days.
Rectification (§35): fix inaccurate data.
Erasure (§33): delete your data.
Restriction (§34): limit processing.
Portability (§31): receive in machine-readable format.
Objection (§32): to direct marketing or profiling.
Withdraw consent: at any time.
Complaint: to PDPC (https://www.pdpc.or.th/).
Request path: Privacy Settings in-app, OR email privacy@kiangkang.app
7. Children
We do not knowingly collect data from children under 10. For users aged 10-20, parental/guardian consent is required (PDPA §20). Family plan setup captures this.
8. Breach notification
We notify affected users and the PDPC within 72 hours of a personal data breach, per PDPA §37(4).