Privacy Policy
Last updated: 17 May 2026 · Applies to bookku.co and all Bookku-hosted tenant subdomains (yourshop.bookku.co)
Bookku ("we", "us", "the platform") is built and operated by Lertrak Chakatdechawong as a sole proprietor based in Bangkok, Thailand. We respect your privacy and comply with Thailand's Personal Data Protection Act B.E. 2562 (2019) — the PDPA. This policy explains what data we collect, how we use it, and the rights you have.
Note: The English version is the legally authoritative version. The content from here on is shown in English. If you need an explanation in Thai, contact lertrak@bookku.co
1. Two roles, two policies
Bookku acts in two capacities depending on whose data we're handling:
- Data Controller — for marketing-site visitors (you on bookku.co), shop owners who sign up for Bookku, and their billing data.
- Data Processor — for end-customers booking through a tenant shop's site (e.g. a clinic's customer). The shop is the Controller; we process that data only on the shop's instructions, under a data-processing agreement.
This policy covers section by section. If you booked an appointment with a specific shop on Bookku, that shop's privacy policy is the primary document — find a link on their booking page.
2. What we collect from bookku.co visitors
- Pageview data — URL visited, referrer, basic device info (browser, OS, screen size). Used only in aggregate to improve the site.
- Contact data — only if you email us at lertrak@bookku.co or use the AI chat widget on bookku.co (your messages plus the email you provide).
- Cookies — strictly-necessary cookies for the AI chat session and your dark/light theme preference. No third-party advertising cookies. If we add analytics in future, we will display a PDPA-compliant consent banner before any non-essential cookie is set.
3. What we collect from shop owners (Bookku tenants)
- Account data — your name, email, phone, shop name, business type, password (hashed with bcrypt).
- Shop configuration — your services, prices, hours, staff list, branding choices, LINE OA credentials if you connect one.
- Billing data — your selected plan, billing cycle, the PromptPay reference + slip image you upload when paying for your subscription. We never store full card numbers.
- Operational logs — server access logs (IP, timestamp, endpoint) retained 90 days for security.
4. Why we use this data
| Purpose | PDPA legal basis (Section 24) |
|---|---|
| Provision your Bookku account + tenant subdomain | Performance of contract |
| Send service-related emails (billing, invoices, security) | Performance of contract |
| Process subscription payments via PromptPay | Performance of contract |
| Detect abuse / security incidents | Legitimate interest |
| Comply with Thai tax + accounting record-keeping (5-year retention) | Legal obligation |
| Aggregate, anonymised product analytics | Legitimate interest |
We never sell personal data. We don't share data with advertisers. We don't run third-party advertising trackers on bookku.co or on tenant booking pages.
5. Sub-processors we rely on
We disclose every third party that handles your data on our behalf. Current sub-processors:
| Vendor | Purpose | Region |
|---|---|---|
| Supabase | Postgres database hosting | Singapore (production) + Tokyo (UAT) |
| Railway | Application hosting | Singapore |
| Resend | Transactional email delivery | USA |
| Cloudflare | DNS + edge caching for bookku.co | Global |
| EasySlip | PromptPay slip verification | Thailand |
| Anthropic | AI admin chat (Claude API) — opt-in feature | USA |
| LINE | LINE OA messaging — opt-in per tenant | Japan |
Each sub-processor handles only the minimum data required for its purpose. Cross-border transfers comply with PDPA Section 28 (recipient country with adequate protection or equivalent safeguards).
6. How long we keep your data
- Active accounts — for the lifetime of your subscription.
- Cancelled accounts — data exported and retained for 30 days for reactivation/migration. After day 30, all personally identifying data is anonymised.
- Booking records & invoices — 5 years from the transaction date, to comply with Thai accounting record-keeping. After 5 years, anonymisation strips personal identifiers while retaining the row for tax purposes.
- Server logs — 90 days.
7. Your rights under PDPA
You have the right to:
- Access — request a copy of the personal data we hold about you. We respond within 30 days.
- Correct — fix inaccurate or incomplete data.
- Erase ("right to be forgotten") — we anonymise your data while keeping the minimum records required by Thai tax law.
- Withdraw consent — note this may end your ability to use the service.
- Object to processing based on legitimate interest.
- Data portability — receive your data in a structured, machine-readable format.
- Lodge a complaint with Thailand's Personal Data Protection Committee (PDPC) at pdpc.or.th.
8. Contact us about your data
For any PDPA request or privacy question:
- Email: lertrak@bookku.co
- Subject line: PDPA request — [Access | Correct | Erase | Object | Complain]
- Address: Bangkok, Thailand (full address provided in our response, as it is the sole-proprietor home address).
9. Security
Data in transit is encrypted (HTTPS / TLS 1.2+). Data at rest is encrypted on Supabase Postgres. Admin access requires email-and-password sign-in with HTTP-only session cookies. We follow the principle of least privilege internally. We do not have a SOC 2 audit yet — we're an early-stage company; we will commit to one when we exceed 100 paying tenants.
10. Changes to this policy
We update this policy whenever PDPA requirements change, when we add new sub-processors, or when we materially change how we collect or use data. The "Last updated" date at the top reflects the most recent change. For material changes affecting current users, we'll also notify by email.
Looking for a specific tenant shop's privacy policy? Each shop on Bookku publishes its own policy, generated from a PDPA template and customised with the shop's contact details. Visit the shop's booking page and click "Privacy" in the footer there.