Privacy Policy

Privacy Statement

This privacy statement describes how Evolution Payment Groups Company Limited (EVP) (“we,” “us,” or “our”) handles personal data in accordance with applicable data protection laws and regulations, including the Thailand Personal Data Protection Act (PDPA) and other relevant legislation.

This statement outlines our responsibilities both as a Data Controller and a Data Processor.

Part 1: EVP as Data Controller

This section applies when we determine the purposes and means of processing your personal data.

1. Information We Collect

We collect various types of personal data about you, including:

• Identity Data: This includes your full name, date of birth, nationality, and any government-issued identification numbers (e.g., ID number of Directors/Shareholders/UBO).
• Contact Data: This includes your registered address, current address, work address, and email address.
• Financial Data: While not explicitly mentioned in the table, it is likely that you collect financial data for KYM/AML purposes. This may include bank account details, source of funds information, and transaction history.
• Technical Data: This includes your IP address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our services.
• Usage Data: This includes information about how you use our services, including the pages you visit, the links you click, and the features you use.
• Marketing and Communications Data: This includes your preferences in receiving marketing communications from us and your communication preferences.

2. How We Collect Your Data

We collect your personal data in several ways, including:

• Direct Interactions: You provide us with your data when you interact with us, such as when you fill out forms, correspond with us via email, or communicate with us through other channels.
• Automated Technologies: When you interact with our website or services, we may automatically collect technical data about your equipment, browsing actions, and patterns. We may use cookies, server logs, and other similar technologies for this purpose.
• Third Parties: We may receive personal data about you from various third parties, including:
  • Regulatory bodies: To comply with KYM/AML and other legal obligations.
  • Credit reporting agencies: To verify your identity and assess financial risk, if applicable
  • Publicly available sources: Such as company registries.

3. Legal Basis for Processing

We process your personal data based on the following legal grounds:

• Contractual Necessity: Processing your data is necessary for the performance of a contract with you or to take steps at your request before entering into a contract. This includes processing your data for KYC/AML purposes to establish a business relationship.
• Legal Obligation: Processing your data is necessary for us to comply with legal obligations, such as AML regulations and reporting requirements to local regulators.
• Legitimate Interests: We may process your data when it is necessary for our legitimate interests, such as:
  • Preventing fraud and ensuring the security of our services.
  • Improving our services and developing new products and features.
  • Marketing our services to you (where permitted by law).
• Consent: In some cases, we may rely on your consent to process your personal data. You have the right to withdraw your consent at any time.

4. Purposes of Processing

We use your personal data for the following purposes:

• KYM/AML Compliance: To verify your identity, assess risk, and comply with anti-money laundering regulations.
• Onboarding: To facilitate the onboarding process and establish a business relationship with you.
• Regulatory Reporting: To fulfill our legal obligations to local regulators.
• Service Provision: To provide and manage our services, including account management, customer support, and communication with you.
• Fraud Prevention and Security: To detect and prevent fraud, protect our systems and services, and ensure the safety and security of our data and your data.
• Marketing: To provide you with information about our products and services that may be of interest to you (where permitted by law).
• Business Improvement: To analyze data, conduct research, and improve our services and offers.

5. Data Retention

We will retain your personal data for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements.

In general, we will retain your data for 10 years after the end of our business relationship with you, as indicated in the table. However, the retention period may vary depending on the type of data and the applicable legal requirements.

6. Data Sharing

We may share your personal data with the following categories of recipients:

• Internal Parties: Authorized personnel within our organization who have a legitimate business need to access your data.
• External Service Providers: Trusted third-party service providers who assist us with various business functions, such as IT support, data hosting, payment processing, and merchant services support. We have contracts with these providers requiring them to protect your data.
• Regulatory Authorities: Government agencies and regulators as required by law or to comply with legal obligations.
• Legal and Professional Advisors: Our lawyers, auditors, and other professional advisors when necessary to obtain legal or professional advice.
• Business Transfers: If we are involved in a merger, acquisition, or sale of all or a portion of our assets, your data may be transferred as part of that transaction.

7. International Data Transfers

If we transfer your personal data outside of our jurisdiction, we will take appropriate steps to ensure that your data is adequately protected and transferred in accordance with applicable data protection laws. This may include implementing standard contractual clauses approved by the respective international commissions or relying on other valid transfer mechanisms.

 Part 2: EVP as Data Processor

This section applies when we process personal data on behalf of another organization (the Data Controller).

1. Our Role as Data Processor

We may act as a Data Processor when we provide services to other organizations that involve processing personal data. In this role, we process personal data only on the documented instructions of the Data Controller and in accordance with applicable data protection laws.

2. Data Processing Activities

As a Data Processor, we may perform various data processing activities, including:

• Data storage and management: Storing and managing personal data on behalf of the Data Controller.
• Data analysis and reporting: Analyzing data and generating reports based on the Data Controller’s instructions.
• Data security and protection: Implementing appropriate technical and organizational security measures to protect personal data.

3. Data Controller Responsibilities

The Data Controller is responsible for:

• Determining the purposes and means of processing personal data.
• Providing us with lawful instructions for processing personal data.
• Ensuring the lawfulness of data processing activities.
• Complying with data protection obligations as the Data Controller.

4. Our Responsibilities as Data Processor

We are responsible for:

• Processing personal data only on the documented instructions of the Data Controller.
• Implementing appropriate technical and organizational security measures to protect personal data.
• Assisting the Data Controller in complying with data protection obligations.
• Maintaining records of processing activities.
• Notifying the Data Controller of any data breaches.

5. Subprocessing

We may engage sub processors to assist us with data processing activities. We will only do so with the prior written consent of the Data Controller and will ensure that any sub processors are subject to appropriate data protection obligations.

 General Provisions (Applicable to both Data Controller and Data Processor roles)

1. Data Security

We have implemented appropriate technical and organizational security measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include data encryption, access controls, and regular security assessments.

1. Your Data Protection Rights

You have the following rights regarding your personal data:

• Right of Access: You have the right to request access to your personal data and information about how we process it.
• Right to Rectification: You have the right to request correction of any inaccurate or incomplete personal data we hold about you.
• Right to Erasure: You have the right to request deletion of your personal data in certain circumstances, such as when it is no longer needed for the purposes for which it was collected.
• Right to Restriction of Processing: You have the right to request restriction of processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.
• Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.
• Right to Object: You have the right to object to the processing of your personal data in certain circumstances, such as for direct marketing purposes.
• Right to Withdraw Consent: If we process your data based on your consent, you have the right to withdraw your consent at any time.

1. Contact Information

If you have any questions or concerns about this privacy statement or your data protection rights, please contact our Data Controller or Data Protection Officer using the following contact details:

• Data Controller: Evolution Payments Group Company Limited, contactable at dataprotection@evp-pay.com
• Data Protection Officer: Nut Tosayanon, contactable at dataprotection@evp-pay.com

1. Updates to this Privacy Statement

We may update this privacy statement from time to time to reflect changes in our data processing practices or legal requirements. We encourage you to review this statement periodically for any updates.