Data Protection & PDPA Compliance
How we protect your personal data across ContentVelo and ChatMai platforms, in compliance with Thailand's Personal Data Protection Act B.E. 2562 (PDPA) and Shopee Open Platform requirements.
Data Controller Information
The data controller responsible for personal data processed through ContentVelo (AI content creation for Facebook) and ChatMai (unified messaging inbox) is:
NB Digital Co., LTD.
Bangkok, Thailand
Email: [email protected]
Data Protection Officer: [email protected]
Legal Basis for Processing (PDPA)
Under Thailand's PDPA, we process personal data based on the following lawful grounds:
- Consent — You explicitly agree to data processing when creating an account, connecting social platforms, or authorizing Shopee/Facebook integrations.
- Contractual Necessity — Processing required to deliver ContentVelo and ChatMai services you have subscribed to.
- Legitimate Interest — Analytics, service improvement, and fraud prevention where your rights are not overridden.
- Legal Obligation — Compliance with Thai law, tax regulations, and platform partner requirements.
Data We Collect by Platform
We collect and process different categories of data depending on the platform you use:
| Platform | Data Categories | Purpose |
|---|---|---|
| ContentVelo | Facebook page tokens, AI-generated content, post analytics, user profile (name, email), billing information | AI content creation, scheduling, publishing to Facebook, usage analytics |
| ChatMai | Platform conversations (Shopee, LINE, Facebook Messenger), order context, buyer/sender identifiers, team collaboration data | Unified inbox messaging, AI auto-reply suggestions, conversation analytics |
Data Protection Measures
We implement comprehensive technical and organizational measures to protect your data across both platforms:
Technical Measures
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for all data at rest, including API tokens and messages
- Web Application Firewall (WAF) and DDoS protection
- Automated vulnerability scanning and weekly dependency audits
Organizational Measures
- Role-Based Access Control (RBAC) for production systems
- Mandatory data protection training for all personnel
- Principle of least privilege for all system accounts
- Comprehensive audit logging for all data access events
Data Retention Policy
We retain personal data only as long as necessary. Retention periods vary by data type and platform requirements:
| Data Type | Retention Period | Post-Expiry Action |
|---|---|---|
| Account data | Until account deletion | Permanently deleted within 30 days |
| AI-generated content | Until user deletes | Permanently deleted from all storage |
| Shopee/platform messages | Maximum 90 days | Secure deletion per NIST SP 800-88 |
| API access tokens | Until revoked or expired | Immediately purged upon revocation |
Your Rights Under PDPA
As a data subject under Thailand's PDPA, you have the following rights regarding your personal data:
- Request a copy of all personal data we hold about you across both platforms.
- Correct inaccurate or incomplete personal data in your account.
- Request deletion of your personal data. Processed within 30 days.
- Object to data processing based on legitimate interest.
- Receive your data in a structured, machine-readable format.
- Withdraw consent at any time. Disconnect platforms from settings.
To exercise your rights, contact our Data Protection Officer at [email protected] or use the Privacy Contact form. For Shopee-specific data, you can also revoke access through Shopee Seller Centre.
International Data Transfers
Your data may be transferred to and processed in countries outside Thailand for the following purposes:
- AI processing via OpenAI (USA) and Google Gemini — content generation only, no personal data stored by AI providers
- Cloud hosting infrastructure with data centers meeting international security standards (ISO 27001)
- All transfers are protected by adequate safeguards as required by PDPA Section 28
Data Breach Response
In the event of a security incident affecting personal data, we follow a strict breach response protocol:
- Immediate containment — Affected systems isolated within 1 hour. Compromised tokens revoked immediately.
- Platform notification — Shopee and affected platform security teams notified within 24 hours.
- Regulatory notification — PDPC notified within 72 hours as required by PDPA.
- User notification — All affected users informed without delay with breach scope and remediation steps.
Shopee Open Platform Data Protection
ChatMai integrates with the Shopee Open Platform to provide unified messaging for Shopee sellers. This section specifically addresses how we handle data received through Shopee APIs, in compliance with Shopee's Platform Partner Rules and Data Protection Policy.
Shopee Data Categories
| Category | Specific Data | Purpose |
|---|---|---|
| Shop Info | Shop ID, shop name, authorized user ID | Identify and authenticate seller shops in ChatMai |
| Conversations | Chat messages between sellers and buyers, timestamps | Display conversations in unified inbox, enable replies |
| Order Info | Order ID, status, tracking number | Show order context alongside customer conversations |
| Buyer Info | Buyer username, buyer ID (as provided by Shopee API only) | Identify buyers in conversations; never used for direct contact |
Shopee Data Retention (90-Day Maximum)
In strict compliance with Shopee Open Platform policies, all Shopee data is retained for a maximum of 90 days:
- Conversation messages and buyer data: permanently deleted after 90 days via secure deletion
- Order references: purged after 90 days, only anonymized metrics retained
- Sellers can trigger immediate deletion by disconnecting their Shopee shop from ChatMai
Secure Data Disposal
- Electronic records overwritten using cryptographic erasure per NIST SP 800-88 guidelines
- Database records permanently deleted with transaction logs verifying removal
- Backup copies rotated out within 90 days — no Shopee data persists beyond this window
Strict Prohibitions
We never use Shopee data to contact buyers outside Shopee messaging, to sell or share data with third parties, to build buyer profiles for advertising, or for any purpose not authorized by Shopee's Terms of Service.
Security & Compliance
We implement comprehensive security measures across both ContentVelo and ChatMai to protect your data at every layer of our infrastructure.
Data Handling
- All tokens and credentials encrypted with AES-256 at rest
- Minimal data collection — we only store what is necessary
- Complete workspace data isolation between customers
Token Security
- OAuth 2.0 for all platform connections (Facebook, Shopee, LINE)
- Automatic token rotation and secure refresh flows
- Revoke access anytime from your account settings
Audit & Monitoring
- Complete history of all content and publishing actions
- Detailed access logs with user, timestamp, and action type
- Exportable audit trails for compliance reporting
Compliance Status
Filing Complaints
If you believe your data protection rights have been violated, you may file a complaint with us first, or directly with the regulatory authority:
Personal Data Protection Committee (PDPC)
You have the right to lodge a complaint with the PDPC if you believe we have violated your rights under the Personal Data Protection Act B.E. 2562.
Contact Us
For any questions about this Data Protection Policy, your rights, or how we handle your data: