FlowAccount - Privacy Policy

FlowAccount Company Limited ("Company") provides online accounting programs and business management systems. In doing so, we may collect your personal information.

The Company is committed to protecting the security of your personal information. We have created this Personal Data Protection Policy ("Policy") to explain how we collect, store, use, and disclose your personal information, including your sensitive information as well as your various rights. This is considered part of the terms of service.

Please read this Policy carefully before using our services. This applies to both new users and existing users who register for an application, communicate with us through designated channels, or use any of our services.

By using our services, you agree to this Policy. If you do not agree to this Policy, the Company reserves the right to refuse service.

1. Definitions
Personal Information
Any information that can be used to directly or indirectly identify a natural person. This does not include information about deceased persons, legal entities, business contacts that don't identify a specific person (e.g., company name, address, registration number, work phone/email), anonymous data, or pseudonymized data (data that cannot be easily re-identified as belonging to a specific person).

Sensitive Information
Information that could lead to unfair discrimination, such as race, ethnicity, political opinions, religious beliefs, sexual orientation, criminal history, health information, disability information, trade union membership, genetic information, biological data, or other information designated as sensitive by the Personal Data Protection Commission.

Processing
Any action taken on personal information, including collection, recording, organization, storage, modification, retrieval, consultation, use, disclosure (by transmitting, transferring, disseminating, or making available), alignment, integration, blocking, restriction, deletion, or destruction.

Personal Data Controller
The individual or organization that determines the purposes and means of processing personal information.

Personal Data Processor
The individual or organization that processes personal information on behalf of the controller.

Cookies
Small computer files that store temporary personal information on your computer to improve communication convenience and speed. Cookies are only active while you are accessing our website system.

Personal Data Protection Officer (DPO)
A person appointed by the company to handle responsibilities under the Personal Data Protection Act (PDPA) Prof. 2019.

2. Categories of Personal Information Owners
The Company processes personal information based on the type of owner and the activities for which the data is used. Here's a breakdown of the categories:

2.1 Customers/Users
This includes:

  • (A) Individuals who register for and use our services, including FlowAccount, Payroll, Autokey, Mobile POS applications (collectively referred to as "Applications") on our websites flowaccount.com, flowaccount.com/payroll, and flowaccount.com/autokey or using our API calls. Related persons, representatives, or individuals authorized to act on behalf of a customer.
  • (B) Visitors to our contact website or those who contact us through Call Center, LINE Official Account, Facebook, and Twitter for information or coordination. Individuals who respond to surveys about our services (collectively referred to as "Services").
  • (C) Seminar registrants who participate in learning and testing to meet our evaluation criteria.

Please refer to the Privacy Notice for Customers and Service Recipients for more details.

2.2 Partners
This includes:

  • Individuals, such as directors, authorized signatories, delegates, employees, and workers, of legal entities participating or planning to participate in transactions with the Company.
  • Individuals whose personal information appears in relevant documents, such as those who submit bids to sell products or provide services to the Company, including service providers, consultants, academics, speakers, project participants, contractors, and anyone with a similar relationship with the Company.

2.3 Company Personnel
This includes:

  • Employees or individuals working for the Company who receive a salary, wage, or benefits, such as executives, managers, and staff.
  • Individuals related to Company personnel whose personal information appears in recruitment documents, such as family members, parents, spouses, children, emergency contacts, references, and beneficiaries.

2.4 Job Seekers
This includes:

  • Individuals who submit job applications, internship applications, or resumes to the Company.
  • Individuals considered for temporary, contract, or freelance positions, including those employed by recruitment agencies or outsourced providers.
  • Individuals associated with applicants whose personal information appears in related documents, such as family members, references, and emergency contacts.

2.5 Photographers
This includes:

  • Models, presenters, and individuals hired or compensated for photography services.
  • Personnel of award-winning companies who allow the Company to record stills or animations during interviews, training sessions, events, or general overviews.

2.6 Participants
This includes:

  • Individuals who participate in Company campaigns, events, or seminars.

2.7 Cookies
We may use automated technology to collect personal information when you use our website or mobile app. This includes data such as your IP address, browser type, operating system, visited pages, and referring website. This technology may include cookies and other similar tools. Please refer to our Cookies Policy for more information.

3. Privacy Notice
To comply with personal information protection laws, the Company will provide a Privacy Notice. This notice will detail how we collect your personal information. We will notify you electronically, via text message, or by another method designated by the Company. This notification will occur before or at the time of collection and will detail at least the following:

1. Who: The type of individual whose personal information we collect.
2. Why: The purpose and method of collecting your personal information.
3. What: The specific personal data collected.
4. When: The retention period for your personal data.
5. Your Rights: A description of all your rights as the owner of your personal information.
6. Exercising Your Rights: How to exercise your rights, including withdrawing consent for collection.
7. Security Measures: The measures taken to protect your personal information.
8. Contact: Contact information for the Data Controller or Data Protection Officer (DPO) for inquiries or exercising your rights.
9. Disclosures: Any third-party organizations that may use your personal information.

Please refer to the Privacy Notice for more details.

4. Personal Information Collection
The Company takes appropriate measures to maintain the security and confidentiality of your personal information. We prevent unauthorized access, destruction, use, modification, disclosure, or correction of your information. We will only collect your personal information under the following conditions:

4.1 General Collection
We will process the personal data you provide, limiting access rights and using legitimate and fair methods for collection. It will only be processed for the purposes specified by the Company. Before doing so, we will obtain your electronic consent via text message or another approved method.

4.2 Exceptions to Consent
The Company may process personal data as necessary for a legitimate purpose, notifying you before or at the time of collection. We may collect personal information without your consent in the following situations:

  • Public Benefit: To achieve historical, archival, research, or statistical purposes, with appropriate safeguards taken to protect your rights and freedoms.
  • Harm Prevention: To prevent or mitigate danger to a person's life or health.
  • Contractual Necessity: To fulfill a contract you are a party to, or to process a request before entering a contract.
  • Public Interest or Legal Duties: To perform duties in the public interest or exercise state power assigned to the Company.
  • Legitimate Interests: To pursue the legitimate interests of the Company or another legal entity, unless those interests outweigh your privacy rights.
  • Legal Compliance: To comply with the law.

4.3 Sensitive Personal Information
The Company must first obtain your explicit consent before or while collecting sensitive personal information. We may collect sensitive information to provide specific services, with your explicit consent, when you voluntarily disclose information publicly, or when permitted by the Personal Data Protection Act under at least one of the following legal bases:

  • Explicit Consent: The data owner explicitly consents to the processing.
  • Harm Prevention: To prevent or suppress danger to a person's life or health where they cannot give consent.
  • Non-Profit Activities: For legal activities of non-profit organizations with appropriate safeguards.
  • Publicly Disclosed Information: Information you have already made public.
  • Legal Claims: To establish, exercise, or defend legal claims.
  • Public Interest: To comply with the law for preventive medicine, occupational medicine, employee benefits, public health, labor protection, national health insurance, medical care, scientific research, history, statistics, or other significant public benefits.

4.4 Additional Information or Announcements
In the event we process your personal data for purposes beyond those specified, the Company will provide additional policies or announcements regarding personal data protection. These may explain the processing of your information in more detail. You should review these additional policies or announcements relevant to this Policy.

5. Artificial Intelligence - Use of Data
FlowAccount trains artificial intelligence (AI) models to enhance our Optical Character Recognition (OCR) systems. This process improves the accuracy of reading and extracting various financial documents submitted by our clients, including receipts, bills, invoices, bank statements, and other documents. If you have any questions or concerns regarding our use of AI technology, please contact us using the information provided in Section 13 of this policy.

6. Use and Disclosure of Personal Information
6.1 Use Limitations
The Company will only use your personal information for the purposes originally disclosed to you at the time of collection. If the Company wishes to collect, use, or disclose your personal information for additional purposes, or change the original purpose, we will notify you before processing the information, except where the law requires or permits such action.

6.2 Service Providers
The Company may use third-party service providers to process your personal information. We will ensure that these service providers have appropriate security measures in place to protect your information. We will also monitor service providers to ensure they only use and disclose your information for the purposes specified by the Company and do not disclose it to any unauthorized third parties.

6.3 Disclosure to Partners
The Company may disclose your personal information to partners, affiliates, individuals, or other legal entities within the scope of a mutual agreement and in ways that you can reasonably expect.

7. Personal Data Processing Principles
7.1 Accountability
The Company acts as both a data controller (determining the purpose and means of processing) and a data processor (processing data on behalf of others). We hold ourselves accountable for complying with data protection laws and policies.

7.2 Procedures and Controls
We have implemented procedures and controls to manage your personal information throughout its lifecycle, in accordance with relevant laws and our internal policies.

7.3 Records of Processing Activities (ROPA)
The Company maintains a record of all processing activities (ROPA). This record details the processing activities, purposes, and data retention periods for your personal information. We update this record whenever these details change.

7.4 Transparency and Consent
We provide clear and concise privacy notices explaining how we collect and process your data. These notices will also explain how you can give or withdraw your consent. We have measures in place to oversee and investigate your consent requests.

7.5 Access Controls
We only grant access to your personal information to authorized personnel who need it to perform their job duties. If we act as a data processor for another organization, we will only process your data according to their written instructions and within the scope of the agreed-upon work. We will also comply with all relevant data protection laws in this role.

7.6 Data Sharing Agreements
Whenever we share your personal information with third parties, we will enter into a written agreement with them. This agreement will define the rights and obligations of both parties regarding data use and protection, in accordance with our data protection policies and applicable laws.

7.7 International Transfers
If we transfer your personal information to other countries, we will comply with all applicable laws and regulations.

7.8 Data Retention and Destruction
We will securely destroy your personal information once it is no longer necessary for the purposes for which it was collected, in accordance with legal requirements and our own business practices.

7.9 Risk Management
The Company regularly assesses the risks associated with data processing and implements measures to mitigate these risks and minimize the impact on your personal data.

7.10 Continuous Improvement
We regularly review and update our data protection policies, procedures, and guidelines to ensure they remain current with evolving laws and best practices.

8. Period of Personal Data Retention
The Company will retain your personal information for the period specified in the Privacy Notice on our website. This period will be determined by the type of activity and the purpose of the data collection.

Once the retention period has expired, we will delete or destroy your personal data. This may involve removing it from our systems and the systems of any service providers we use. We may also anonymize your data or take other actions as required by the Personal Data Protection Act to effectively protect your information.

However, there are some exceptions:

  • We may be required by law to retain your personal information for a longer period.
  • We may need to retain your information to establish legal claims or comply with law enforcement orders or requests from government agencies with proper authority.
  • We may retain your information for legitimate business purposes, as permitted by law.

9. Rights of the Owner of Personal Information
The Company respects your rights under data protection laws. You have the following rights regarding your personal information:

9.1 Right to Withdraw Consent
You have the right to withdraw your consent to the processing of your personal information at any time.

9.2 Right to Access and Copy
You have the right to request access to and a copy of your personal information.

9.3 Right to Data Portability
You have the right to receive your personal information in a format that is commonly used and readable.

9.4 Right to Object
You have the right to object to the processing of your personal information at any time.

9.5 Right to Erasure
You have the right to request that the Company delete or destroy your personal information.

9.6 Right to Restriction
You have the right to request that the Company restrict the use of your personal information.

9.7 Right to Rectification
You have the right to request that the Company correct any inaccurate or incomplete personal information.

9.8 Right to Complaint
You have the right to lodge a complaint with a data protection authority if you believe the Company has violated your data protection rights. You can submit the request through the Personal Data Processing Claim Form.

Exercising Your Rights
To exercise any of these rights, you can submit a request through the electronic systems provided on our website.

  • Withdrawal of Consent: Use the Consent Withdrawal Request Form
  • Other Requests: Use the Personal Information Owner's Request Form.

The Company will respond to your request in writing within a reasonable timeframe.

10. Security for Personal Information
The Company takes your privacy seriously and implements appropriate security measures to protect your personal information from loss, unauthorized access, destruction, misuse, modification, or disclosure. Here's how we safeguard your data:

10.1 Clear Policies and Procedures
We have established clear policies and procedures to protect your information and manage it securely according to the law.

10.2 Data Privacy Commitment
We never sell or share your personal information with anyone except our data processors who are required by contract to comply with strict data protection standards.

10.3 Access Controls
We limit access to your personal information to authorized employees who need it to perform their job duties.

10.4 Technical Safeguards
We use various security measures to protect your information, including data encryption, identity verification, and virus detection technology.

10.5 Third-Party Partner Security
We carefully vet our business partners and require them to comply with data protection regulations and restrict their use of your information.

10.6 Website Monitoring
We use specialized security agencies to monitor our website for potential vulnerabilities.

10.7 Employee Training
We train our employees on data protection best practices to ensure they handle your information responsibly.

10.8 Regular Reviews
We regularly review and update our data security policies, procedures, and technology to stay ahead of evolving threats.

10.9 Data Deletion Process
We have a system in place to securely delete or destroy your personal information once the retention period has expired or it is no longer needed for the purposes for which it was collected.

10.10 Data Breach Reporting
We are committed to reporting data breaches to the relevant authorities within 72 hours if there is a risk that the breach could affect your rights and freedoms.

11. Links to External Websites and Services
11.1 Third-Party Websites and User Data
Our website may contain links to third-party websites. These websites may collect information about your use of their services, including your personal information. The Company is not responsible for the privacy practices of these third-party websites. We encourage you to review the privacy policies of any third-party website before using their services.

Here are some things to keep in mind when using third-party websites:

  • You may be disclosing your data to other people or organizations responsible for operating those websites.
  • Other users of those websites may be able to access your data.
  • We recommend you be cautious about disclosing personal information on third-party websites.
  • Review the website's privacy policy to understand how they use your information.

11.2 Data Export and Third-Party Applications
Our platform allows you to export your data to third-party applications and websites, including social networking sites. When you do this, you are sharing your data with those third parties.

  • We do not own or control these third-party applications or websites.
  • We recommend you be cautious about disclosing personal information when using these features.
  • Review the privacy policies of these third-party applications and websites to understand how they use your information.

11.3 Analytics Services
We use analytics services, such as Google Analytics and Growthbook, to improve our platform and user experience. These services collect information about your use of the platform, such as browsing data, device data, and your approximate location.

  • We use this information to improve the platform and deliver targeted advertising that may be of interest to you.
  • We do not share this information with any third parties outside of the Company.

Opting Out of Analytics
If you do not want Google Analytics to collect your data, you can opt out using this tool: marketingplatform.google.com/about/analytics

Learn More About Growthbook
For more information about Growthbook's privacy practices, please visit their website: www.growthbook.io/legal/privacy-policy/01-01-2020

12. Pre-existing Personal Information
If the Company collected your personal information before the Personal Data Protection Act came into effect, we will continue to use it for the original purpose you consented to. However, you have the right to withdraw your consent at any time by contacting us through the Consent Withdrawal Request Form.

13. Contact Information for Data Protection Inquiries
The Company has appointed Mr. Warodom Kasiolarn as our Data Protection Officer. If you have any questions about your data or want to exercise your rights under this policy, you can contact him through the following channels:

  • Email: dpo@flowaccount.com
  • Address: 141/12 Floor 11 Unit 12 B Building, Surname Thai Wong Tower, Sukharn Sukhang Sukhuri Wong District, Bang Rak, Bangkok


14. Updates to this Policy
We may update or change this privacy policy from time to time to comply with the law. We will announce any changes through our website and/or platform channels.

This Policy was last reviewed on August 15, 2024.