Document 1 of 4

Privacy Policy

How CAIKU.ai handles your personal data

Effective: 1 May 2026
Version: 1.0
URL: caiku.ai/en/privacy

1. About This Policy

This Privacy Policy ('Policy') describes how CAIKU collects, uses, discloses, and protects your personal data when you use our services, including caiku.ai, the CAIKU AI Agent platform, and related services (the 'Services').

By using our Services, you accept this Policy. If you do not accept it — please stop using the Services.

This Policy complies with Thailand's Personal Data Protection Act B.E. 2562 (2019) ('PDPA') and other applicable Thai laws.

📋 Bilingual Notice

This English version is provided for convenience. In case of any conflict between the Thai and English versions, the Thai version shall prevail for matters governed by Thai law.

2. Data Controller

📋 Data Controller
Company
HelloAds Co., Ltd.
Address
14 Soi Vibhavadi Rangsit 16/29, Ratchadaphisek Subdistrict, Din Daeng District, Bangkok 10400, Thailand
Tax ID
0205558029691
Email
privacy@caiku.ai
Phone
+66 2 038 5565

2.1 Data Protection Officer (DPO)

CAIKU has appointed a DPO to oversee privacy compliance:

DPO Name
Pitsanuchai Thongtha
Email
dpo@caiku.ai
Phone
+1 437 669 6615
Office Hours
Mon–Fri 9:00–18:00 (GMT+7)

3. Information We Collect

We collect four main categories of personal data:

3.1 Account Data

  • Full name
  • Email address
  • Phone number
  • Company name and job title (if provided)
  • Password (stored as encrypted hash)

3.2 Usage Data

  • Conversation logs (chat and voice transcripts)
  • Lead data you upload to the system
  • Knowledge base content
  • Configuration and settings
  • Activity logs (login, actions performed)

3.3 Technical Data

  • IP address
  • Browser type and version
  • Device type and OS
  • Cookies and similar tracking technologies
  • API request logs

3.4 Payment Data

  • Payment details — stored by our payment processor (Stripe / Omise), not by CAIKU
  • CAIKU only retains: transaction ID, date, amount, and status
  • Tax invoice information — as required by Thai law

3.5 What We Do Not Collect

❌ CAIKU Does Not Collect
  • Full credit card details (handled exclusively by payment processor)
  • Sensitive data under PDPA Section 26 (race, religion, health data, genetic data) — except with explicit consent
  • Data of minors under 20 years of age — end-users under 20 are not permitted to use the Services

4. Purposes & Legal Basis

We process your data for the following purposes and on the following legal bases:

Purpose Data Used Legal Basis (PDPA) Retention
Providing the AI Agent service you subscribed to Account + Usage + Technical Section 24(3) Contract performance Subscription period + 90 days
Improving and developing our services Usage data (anonymized) Section 24(5) Legitimate Interest 5 years (anonymized)
Maintaining security and preventing misuse Technical + Activity logs Section 24(5) Legitimate Interest 1 year
Complying with law — tax, financial reporting Account + Payment data Section 24(6) Legal obligation 5 years (as required by law)
Sending marketing communications Account + email Section 24(1) Consent Until consent is withdrawn
Voice cloning (Pro+ tier feature) Voice samples Section 24(1) Explicit Consent Subscription period — deleted upon cancellation
📋 LIA Available

For Legitimate Interest basis — we maintain a Legitimate Interest Assessment (LIA) document that has passed the 3-part test (purpose, necessity, balancing test). You may request access by contacting our DPO.

5. Disclosure & Data Transfers

We may disclose your data to the following recipients:

5.1 Service Providers (Data Processors)

Vendor Service Data Shared Location
OpenAIGPT + Realtime API + WhisperConversation contentUSA
AnthropicClaude APIConversation contentUSA
Google CloudGemini + Cloud infrastructureConversation + storageUSA / Asia
TwilioVoice telephonyPhone call audio + metadataUSA
Retell AI / VapiVoice agent infrastructureVoice + conversationUSA
SupabaseDatabase + authenticationAccount + usage dataUSA / EU
RailwayApplication hostingAll operational dataUSA
CloudflareCDN + securityTechnical metadataGlobal
Stripe / OmisePayment processingPayment dataUSA / Thailand
🔒 Data Processing Agreements

All vendors listed above act as 'Data Processors' under PDPA — we have signed a Data Processing Agreement (DPA) with each. The DPA explicitly prohibits vendors from using your data for purposes other than those we instruct.

5.2 International Data Transfers

Your data may be transferred to countries with privacy protection standards lower than Thailand (e.g., USA). We apply the following safeguards:

  1. Standard Contractual Clauses (SCCs) in our DPAs with all vendors
  2. Encryption in transit (TLS 1.3+)
  3. Access control and audit logs
  4. Vendor selection limited to providers with privacy compliance certifications (SOC 2, ISO 27001)

5.3 Disclosure Required by Law

We may disclose your data when:

  • Required by court order or government authority
  • Necessary to prevent crime or protect lives
  • Necessary to protect CAIKU's or another user's rights

5.4 What We Do Not Do

✓ CAIKU Does Not Sell Your Data

We do not sell, trade, or rent your personal data to third parties for marketing or commercial gain — under any circumstances.

6. Your Rights (Data Subject Rights)

Under PDPA Sections 30-39, you have seven rights:

Right What It Means How to Exercise
1. AccessRequest a copy of data we hold about youEmail dpo@caiku.ai
2. RectificationCorrect inaccurate dataUpdate in account settings or contact DPO
3. ErasureDelete your data (Right to be Forgotten)Email dpo@caiku.ai
4. ObjectionObject to processing for certain purposesEmail dpo@caiku.ai
5. RestrictionRestrict processingEmail dpo@caiku.ai
6. PortabilityReceive your data in a portable formatEmail dpo@caiku.ai
7. Withdraw ConsentWithdraw consent previously givenAccount settings or contact DPO

6.1 Response Time

⏰ Response Time

We will respond to your request within 30 days from receipt of a complete request. For complex cases, we may extend this period by an additional 30 days — with prior notice to you.

6.2 Fees

The first request is free. For repeated or excessive requests, we may charge a fee based on actual cost (e.g., admin processing) — but we will inform you in advance.

6.3 Right to Complain

If you believe CAIKU has violated PDPA, you may file a complaint with the Personal Data Protection Committee (PDPC):

Website
pdpc.or.th
Email
pdpc@mdes.go.th
Phone
+66-2-141-6993

We encourage you to contact our DPO first so we can resolve the issue as quickly as possible.

7. Data Security

We implement the following data protection measures:

7.1 Technical Measures

  • Encryption in transit (TLS 1.3+)
  • Encryption at rest (AES-256)
  • Multi-factor authentication (MFA) for admin access
  • Role-based access control
  • Audit logs retained for 5 years
  • Annual vulnerability scanning and penetration testing
  • Backup and disaster recovery — RPO 1 hour, RTO 4 hours

7.2 Organizational Measures

  • DPO appointed and registered with PDPC
  • Annual privacy training for all staff
  • Vendor due diligence with signed DPAs
  • Documented incident response plan
  • Privacy by Design in feature development

7.3 Data Breach Notification

In the event of a data breach affecting you:

  1. We will notify the PDPC within 72 hours (as required by PDPA)
  2. We will notify you directly as soon as practical, via email and in-app notification
  3. We will explain what happened, which data was affected, and remediation steps taken
  4. We will recommend actions you should take (e.g., change password)

8. Data Retention

Data Type Retention Period Reason
Account dataSubscription period + 90 daysRecovery and reactivation
Conversation logs12 monthsQuality and improvement
Voice recordings30 days (default — adjustable)Transcription and QA
Voice samples (cloning)Subscription period — deleted on cancellationActive service only
Activity logs1 yearSecurity and investigation
Audit logs5 yearsPDPA compliance
Payment data5 years (per Thai tax law)Tax compliance
Anonymized usage dataIndefiniteService improvement

8.1 After Retention Period Ends

  1. Data is deleted from production systems
  2. Data is deleted from backups in the next rotation cycle (up to 90 days)
  3. A deletion certificate is issued upon request

9. Cookies & Tracking

caiku.ai uses cookies to enable our services and analyze usage. See our Cookie Policy for details.

10. Policy Changes

We may update this Policy from time to time. For material changes, we will notify you 30 days in advance via email and in-app notification. Continued use of the Services after an update constitutes acceptance of the new Policy.

10.1 Version History

VersionDateChanges
1.01 May 2026Initial publication

11. Contact Us

📧 Privacy Inquiries
DPO Email
dpo@caiku.ai
General Privacy
privacy@caiku.ai
Customer Support
support@caiku.ai
Phone
+66 2 038 5565
Response SLA
30 days (per PDPA)