Privacy Policy and Personal Data Protection

1. Data Controller

MAF Excellent Co., Ltd. ('Company') is the Data Controller for personal data collected through the EZWeb Platform. Address: Bangkok, Thailand Email: privacy@ezweb.co.th

2. Personal Data We Collect

• Identity data: Full name, email address, phone number
• Account data: Username, password (bcrypt hashed), profile picture
• Business data: Company name, address, website, business profile information
• Payment data: Subscription history (no card data stored directly — processed via Stripe)
• Usage data: IP address, browser type, pages visited, session duration
• User-generated content: Text, images, videos, and data uploaded to the platform
• Referral data: Affiliate codes and referral relationships

3. Purpose and Legal Basis for Processing

• Contract performance: Account creation, Website Builder service, and content management system
• Legitimate interest: Usage analytics, service improvement, and fraud prevention
• Legal obligation: Accounting records and statutory reporting requirements
• Consent: Marketing emails and promotional notifications

4. Data Retention

• Account data: Retained for the lifetime of the account + 30 days after cancellation
• Payment data: 7 years, per Thai accounting requirements
• Usage logs: 90 days
• Referral/Affiliate data: Lifetime of the referring account

5. Disclosure to Third Parties

• Stripe, Inc.: To process payments and manage subscriptions (PCI-DSS Level 1 compliant)
• DigitalOcean / Vercel: Data processing infrastructure and hosting
• Google Analytics: Website usage analytics (aggregated data only)
• Government authorities: Only when required by court order or applicable law
• The Company does not sell your personal data to third parties for marketing purposes.

6. Your Rights Under PDPA

• Right of Access: Request to view personal data the Company holds about you
• Right of Rectification: Request correction of inaccurate data
• Right to Erasure: Request deletion of personal data when no longer necessary
• Right to Data Portability: Request your data in a machine-readable format
• Right to Object: Object to processing in certain circumstances
• Right to Restriction: Request temporary suspension of data processing
• Right to Withdraw Consent: Withdraw previously given consent at any time
• To exercise your rights: Email privacy@ezweb.co.th — the Company will respond within 30 days

7. Security Measures

• TLS/HTTPS encryption for all data transmission
• Passwords hashed with bcrypt — no plaintext passwords are stored
• JWT Token authentication with limited expiry
• Role-Based Access Control (RBAC) for data access
• Automated backups and disaster recovery systems

8. Cookies and Tracking Technologies

The Company uses cookies for system functionality and usage analytics. See the Cookie Policy at /cookies for full details.

9. International Data Transfers

Your data may be processed on servers outside Thailand, such as Singapore and the United States. The Company implements appropriate safeguards in line with GDPR/PDPA standards for international transfers.

10. Policy Changes

The Company may update this policy periodically. Material changes will be communicated at least 30 days in advance via email or in-platform notification.