This Privacy Policy, hereinafter referred to as the "Policy," is effective from April 3, 2024, and includes the following details:
Definitions Within this Policy
(a) "Website" refers to the website named CABAL: INFINITE COMBO, located at www.combocabalm.com
(b) "Data Controller" refers to the service provider or owner of the Website as specified in this Policy, which is CBCSoft Co., Ltd., with corporate registration number 0125566036499, located at 94/402 Moo 4, Bangyai Subdistrict, Bangyai District, Nonthaburi Province. Contact: [email protected].
(c) "Data Processor" refers to third parties who process data for the benefit or on behalf of the Data Controller.
(d) "Data" refers to information that communicates facts or content, regardless of its form, including documents, files, reports, books, charts, maps, drawings, photographs, films, recordings, computer data, electronic methods, or any other means that makes the recorded information visible.
(e) "Personal Data" refers to information about any natural person that can identify that person, directly or indirectly.
(f) "Sensitive Data" refers to personal data about race, ethnicity, political opinions, religious or philosophical beliefs, sexual behavior, criminal records, health data, disabilities, genetic data, biometric data (e.g., facial images, retina scans, fingerprints), union membership, or other data deemed sensitive by the Personal Data Protection Committee.
(g) "User" refers to you, the visitor, user, or member of the Website, who is the owner of personal data as per this Policy.
(h) "Data Protection Officer" refers to the officer appointed by the Data Controller to ensure compliance with data protection laws.
By using this Website, users consent to the collection and use of their personal data as follows:
(a) Purposes of Data Collection and Use Users acknowledge and consent to the Data Controller collecting and using personal data solely for the purposes of online and offline marketing, mobile phone messages, and telemarketing.
(b) Collected Personal Data Users acknowledge and consent to the Data Controller collecting and using the following personal data: name, surname, gender, address, country, phone number, email, and date of birth.
(c) Data Retention Period Users acknowledge and consent to the Data Controller retaining personal data for five (5) years from the date of consent.
Users acknowledge and consent to the Data Controller linking user data with third-party service providers, with prior notification to the user. Users can express consent through various means, such as clicking accept, allowing, linking, sharing, or other explicit consent actions.
The user acknowledges and consents to allow the data controller to use the following systems and/or technologies to track user behavior on the website
Cookies technology
Pixel Tags usage
Google Analytics Tag
This data will be used solely to improve services and offer products that meet the user's needs.
The user has the right to withdraw consent given to the Data Controller under this policy at any time by selecting "Do not consent" in the privacy settings menu on
the website.
Effect of Consent Withdrawal: The user will no longer have access to special services within the website, retaining only visitor rights, and accepts the consequences of
withdrawing consent.
In using the website, the Data Controller may provide individual user accounts. The Data Controller has the sole discretion to approve account creation, determine account
types, access rights, usagerights, fees, and user responsibilities.
The user agrees to keep their account name, password, and any other information confidential and not to allow others to use their account. The user must take all reasonable
efforts to prevent others
from using their account.
If another person uses the user's account, the user agrees and warrants that such use is done as the user's representative and is binding as if the user performed the action
themselves.
The user understands and consents to the use of personal data under this policy and acknowledges their rights as the owner of the personal data under the Personal Data Protection Act, which include but are not limited to:
(a) The user may withdraw consent given under this policy at any time by written notice to the Data Controller through the methods and channels specified in this policy.
(b) The user has the right to access and request a copy of their personal data or data related to them that the Data Controller has collected under this policy.
(c) The user has the right to disclosure from the Data Controller regarding the source of their personal data or data related to them if they did not consent. If such a case arises, the user may exercise this right.
(d) The user may request the Data Controller to send or transfer their personal data or related data to another Data Controller and receive the data directly from the transferring Data Controller.
(e) The user may object to the collection, use, or disclosure of their personal data or related data in the following cases:
(1) The Data Controller will collect, use, or disclose the user's personal data when necessary for the legitimate interests of the Data Controller or others, which the user can prove they have a superior right over the Data Controller.
(2) The Data Controller collects, uses, or discloses the user's personal data to comply with legal obligations, except when the user can prove they have a superior right over the Data Controller.
(3) The Data Controller collects, uses, or discloses personal data for direct marketing purposes.
(4) The Data Controller collects, uses, or discloses personal data for educational, scientific research, historical, or statistical purposes, where such research is not necessary for public benefit.
(f) The user may request the Data Controller to delete, destroy, or anonymize their personal data in the following cases:
(1) When personal data is no longer necessary for the purposes for which it was collected, used, or disclosed.
(2) When the user, as the owner of the personal data, withdraws their consent to the collection, use, or disclosure of the personal data, and the Data Controller has no other legal authority to collect, use, or disclose the data.
(3) When the user lawfully objects to the collection, use, or disclosure of the data.
(4) When personal data is collected, used, or disclosed unlawfully or in violation of regulations related to personal data protection.
(g) When the user finds that their personal data is incorrect, outdated, or unclear, the user has the right to request the Data Controller to correct the data to be accurate, current, complete, and not misleading.
(h) The user may file a complaint with the expert committee under the Personal Data Protection Act regarding any violation or non-compliance with the law, regulations, or directives on personal data protection by the Data Controller.
The Data Controller will implement this policy using appropriate security measures to prevent loss, unauthorized access, use, modification, alteration, or unlawful disclosure of personal data. These measures include:
- Assigning access rights to relevant persons (Access Right).
- Using encryption for data transmission.
- Securing data with Firewalls and Internet Protocol Security (IPsec).
The Data Controller has systems and measures to ensure the following:
(a) Ensuring that personal data is accurate, current, complete, and not misleading.
(b) Deleting or destroying personal data when it is no longer necessary for the purposes for which it was collected, used, or disclosed.
(c) Delete personal data that is not relevant to the use of personal data as consented by the user.
Users consent to the data controller collecting, using, and/or disclosing their personal data without prior consent, provided that such collection, use, and/or disclosure is necessary and aligns with the stated purposes. The circumstances in which the data controller may collect, use, and/or disclose personal data without prior consent include:
(a) To fulfill purposes related to the creation of historical or archival records, public interest, research, or statistics, with appropriate protective measures to safeguard the rights and freedoms of the user’s personal data.
(b) To prevent or mitigate harm to life, body, or health of any individual.
(c) When the collection, use, and/or disclosure of the user’s personal data is necessary to fulfill a contract to which the user is a party or to comply with the user's request before entering into a contract.
(d) When the use of personal data is necessary for the data controller to perform public duties or legal obligations.
(e) When the use of personal data is necessary for the legitimate interests of the data controller or a third party, provided that these interests outweigh the user’s fundamental rights and freedoms or legal benefits.
(f) To comply with legal obligations, the data controller will record details regarding the collection, use, or disclosure of personal data as described in the previous section.
Users acknowledge and agree that, apart from the collection, use, and/or disclosure of personal data for which users have given consent, the data controller may collect, use, and/or disclose sensitive personal data of users without prior consent, only to the extent necessary and for the following purposes:
(a) The data controller may collect, use, and/or disclose sensitive personal data without consent to prevent or mitigate harm to the life, body, or health of users, even if the user cannot give consent.
(b) If the information is made public with the explicit consent of the user
(c) When necessary for establishing, exercising, or defending legal claims.
(d) When necessary to comply with legal obligations related to:
(1) Preventive medicine, occupational medicine, employee work capacity assessments, medical diagnosis, health or social care services, or the management of health care systems or services.
(2) Public health benefits, such as health protection from communicable diseases or quality control of medicines and medical devices, with specific measures to protect users’ rights, including data confidentiality.
(3) Labor protection, social security, national health insurance, legal health benefits, motor vehicle accident protection, or social protection, where the collection of personal data is necessary to fulfill the rights or duties of the data controller or users.
(4) Scientific, historical, or statistical research or other public interests, provided that only the necessary data is collected, used, and/or disclosed, with appropriate measures to protect fundamental rights and the user’s interests.
(5) Significant public benefits, with appropriate measures to protect fundamental rights and the user’s interests.
Users guarantee that they do not permit and will not permit any person described below to visit, use, or become a member of the website:
(a) A person under guardianship of the user.
(b) A person deemed incapable and under the user's custody.
If the user permits any such person to visit, use, or become a member of the website, it shall be considered that the user has exercised their authority as a guardian or custodian of that person, and the user agrees to the terms of this policy on behalf of and in the name of that person.
The data controller may transfer the user's personal data to a foreign country, but only under the following conditions:
(a) The destination country or international organization receiving the personal data must have adequate data protection standards as specified by the relevant laws, regulations, or personal data protection guidelines.
(b) The user has given consent, having been informed and acknowledged the inadequate data protection standards of the destination country or international organization receiving the data.
(c) To comply with legal obligations.
(d) When necessary to fulfill a contract to which the user is a party or to comply with the user's request before entering into such a contract.
(e) To comply with a contract between the data controller and another party intended for the benefit of the user.
(f) To prevent or mitigate harm to the life, body, or health of the user or others when the user cannot give consent at that time.
(g) When necessary to perform tasks of significant public interest.
When the data controller becomes aware of a personal data breach, regardless of who caused the breach, the data controller will take the following steps:
(a) If there is a risk of impact on the rights or freedoms of any individual, the data controller will notify the Office of the Personal Data Protection Commission without delay, within 72 hours of becoming aware of the breach.
(b) If there is a high risk of significant impact on the rights or freedoms of any individual, the data controller will notify both the Office of the Personal Data Protection Commission and the affected user of the breach and the remedial actions taken, without delay, and if possible, within 72 hours of becoming aware of the breach.
Users may file complaints and report personal data issues, including but not limited to requesting the data controller to correct or update the data and/or to object to data collection or suspend data use. Complaints should be directed to the Data Protection Officer at: [email protected]
otherwise stipulated by personal data protection laws, the data controller must keep records of important items related to the retention, use, or disclosure of data in either physical or electronic form for auditing purposes. These records must be accessible to data users or governmental authorities and should include the following:
(a) Personal data collected.
(b) The purpose of collecting each type of personal data.
(c) Information about the data controller.
(d) The retention period of personal data.
(e) The rights and methods of accessing personal data, including conditions regarding who has the right to access the data and the conditions for such access.
(f) The collection, use, or disclosure of personal data exempted from requiring the data subject's consent.
(g) The refusal of requests and objections.
(h) Details regarding the security measures for personal data.
Amendment of the Policy The data controller reserves the right to amend or change this policy at any time, in whole or in part, without any limitations. The data controller will notify the users of any changes, allowing them to review and accept electronically or by other means. Once the user has accepted, the amended policy will become part of this policy.
Relationship of the Parties Both parties acknowledge and agree that the execution of this policy does not establish an employer-employee relationship under labor laws or a partnership under partnership and company laws between the parties and their respective employees.
Assignment of Rights Except as explicitly provided otherwise in this policy, neither party may assign their rights, duties, and/or liabilities under this policy to any third party without prior written consent from the other party.
Waiver of Rights Failure or delay by the data controller in exercising any right in any instance shall not be deemed a waiver of that right. Similarly, if the data controller exercises only part of a right or waives a right in a specific instance, it shall not be considered a waiver of any other rights or in any other instance.
Severability If any provision or agreement in this policy is found to be void, incomplete, or unenforceable for any reason, the parties agree that the remaining provisions and agreements in this policy shall remain valid and binding as if the void, incomplete, or unenforceable part was not included in this policy.
Governing Law This policy shall be governed by the laws of Thailand.
Dispute Resolution In the event of any disputes or conflicts arising from this policy, if the parties cannot reach an agreement, the parties agree to submit the dispute to the courts of Thailand for resolution.
Update 3 april 2024
CB Soft Co., Ltd.