Privacy Policy Of Neighbors and Friend Company Limited
Neighbors and Friend Company Limited (“the Company”) values and respects the rights to privacy, including the security of personal data of data subjects. To ensure that data subjects receive protection for their personal data, the Company has established this Personal Data Protection Policy (“Policy”) to assure you that your personal data received by the Company will be used in accordance with your needs and in compliance with the law.
The company places importance on and emphasizes the protection of personal data, recognizing that data processing within the company must be conducted under the following principles:
• Lawfulness, fairness, and transparency: The company will process data only based on lawful grounds and will clearly define the methods of collecting and using personal data.
• Purpose Limitation: The company will process data only for the purposes specified and communicated at the time the company receives personal data, unless it is processing for related purposes or performing a clearly defined legal duty.
• Data Minimization: The company will collect and use personal data only as necessary to achieve the purposes of data processing.
• Data Accuracy: The company will take appropriate measures to ensure that the personal data it collects is accurate, complete, and up-to-date, considering the purposes of processing.
• Storage Limitation: The company will retain data only as long as necessary, unless the company is required to keep it in accordance with document retention standards or state regulations.
• Integrity and Confidentiality: The company will implement appropriate technical and managerial measures to ensure that the personal data stored by the company is kept secure at an appropriate level.
• Accountability: The company will act appropriately to demonstrate that it has adhered to the various principles mentioned above.
Clause 1. Scope of Application
For personal information collected before the Personal Data Protection Act B.E. 2562 came into effect, the company may continue to collect and use that personal information for the original purposes. Disclosures and other actions that do not involve the collection and use of the aforementioned personal data must comply with the Personal Data Protection Act B.E. 2562.
Clause 2. Definitions
“Personal Data Protection Policy” means the announcement made by the company to inform data subjects about the company’s data processing and various details as stipulated by the Personal Data Protection Act B.E. 2562.
“Person” means an individual.
“Personal data” means information about an individual that can identify that person, either directly or indirectly, such as name, surname, nickname, address, telephone number, national ID number, passport number, social security number, driver’s license number, taxpayer identification number, bank account number, credit card number, email address, occupation, status, job position, family status, employment information, profession, position, work experience, and/or personnel evaluation, educational information, vehicle registration, land title deed, house registration, signature, voice, audio recordings, images, photographs, video recordings, video clips, information about purchases and/or services, IP address, computer traffic data (log file), LINE ID, Facebook ID, Google ID, X ID, and user accounts on other social media websites, etc.
However, the following information is not personal data, such as business contact information that does not identify individuals, including company name, company address, company registration number, workplace phone number, work email address, company group email address like [email protected], anonymous data, or pseudonymous data that has been technically rendered unidentifiable, as well as information about deceased individuals, etc.
“Sensitive Data” refers to information that is inherently personal to an individual but is sensitive and may pose a risk of unfair discrimination, such as race, ethnicity, political opinions, religious or philosophical beliefs, sexual behavior, criminal history, health information, disability, union information, genetic data, biological data, or any other information that similarly affects the data subject as defined by the Personal Data Protection Committee.
“Data Subject” refers to the individual who owns the personal data, but it does not refer to cases where a person has ownership of the data or is the creator or collector of that data. The data subject specifically refers to natural persons only and does not include “Juridical Persons” established by law, such as companies, associations, foundations, or any other organizations.
The data subject includes the following individuals:
1. Data subjects who are of legal age mean:
1.1 Individuals aged 20 years or older, or
1.2 Those who have married at the age of 17 or older, or
1.3 Those who married before the age of 17 with court permission, or
1.4 Minors whose legal representatives consent to engage in commercial activities or other businesses, or to enter into an employment contract in relation to the aforementioned business or employment, granting the minors the status equivalent to that of individuals who have reached legal age.
In this regard, for any consent given, data subjects who are of legal age can provide consent on their own.
2. The Data Subject who is a minor means a person under the age of 20 years old and not of legal age as defined in item 1. In this regard, any consent must be obtained from the guardian who has the authority to act on behalf of the minor as well.
3. The Data Subject who is deemed incapacitated means a person whom the court has declared to be incapacitated due to physical disabilities, mental incompetence, habitual drunkenness, or any similar circumstances that prevent them from managing their own affairs or conducting activities that may harm their own or their family’s property. In this regard, any consent must be obtained from the guardian who has the authority to act on behalf of that incapacitated person first.
4. The Data Subject who is legally incompetent means a person whom the court has declared to be legally incompetent due to being mentally ill. In this regard, any consent must be obtained from the custodian who has the authority to act on behalf of that legally incompetent person first
If the request for consent from the Data Subject does not comply with the Personal Data Protection Act, it shall not bind the owner of personal data.
“Data Controller” means a person or legal entity that has the authority and duty to make decisions regarding the collection, use, or disclosure of personal data.
“Data Processor” means a person or legal entity that processes the collection, use, or disclosure of personal data on the instruction or on behalf of the Data Controller. In this regard, the person or legal entity that carries out such actions is not the Data Controller.
Clause 3. Source of Personal Data
Generally, the company does not collect personal data unless in the following cases:
3.1 The company receives personal data directly from the data subject, as the company will collect personal data from the service provision process as follows:
(1) The process of using services with the company or the process of submitting requests for various rights with the company, such as service registration, receiving information, job applications, etc.
(2) Data collection by the voluntary consent of the data subject, such as completing surveys or interactions through email addresses or other communication channels between the company and the data subject.
(3) Data collection from the use of the company’s website through the data subject’s browser cookies and the use of electronic transaction services.
3.2 The company receives personal data of the data subject from third parties, believing in good faith that such third parties have the right to collect the personal data of the data subject and disclose it to the company.
Clause 4. Purpose of Processing Personal Data
4.1 The Company may collect, use, and disclose your personal data
(1) to create, improve, manage, and deliver products and services, benefits, and various privileges
(2) to provide services to you, including but not limited to processing any of your transactions
(3) to act on your requests prior to entering into a contract or to fulfill a contract in which you are a party with the company, such as selling goods and/or services to you or fulfilling any contracts in which you are a party, including managing your user account, product delivery, account and financial transactions, after-sales service, and product returns, and any actions necessary for you to receive goods and/or services or as you have requested
(4) to create a database and service history of the company through any communication channels
(5) to publicize content that is information from the company sent to you, including creating promotional listings related to such content suitable for you
(6) for analysis, processing, marketing activities, research, and sales, including publicizing products and services, whether from the company itself, its affiliates, partners, or others through notifications on mobile device screens, via SMS, or on social media
(7) to use for improving service delivery, enhancing the company’s website and applications to meet user needs and operating efficiently
(8) To serve as a contact channel for receiving feedback and suggestions to improve the content of the company’s programs to meet your needs.
(9) To comply with the contracts, agreements, and terms and conditions that have been made with you.
(10) To comply with laws and regulations of government agencies, such as the Personal Data Protection Act, the Electronic Transactions Act, the Civil and Criminal Code, and the Civil and Criminal Procedure Code, etc.
(11) To conduct marketing, sales promotion, and data analysis, including sending advertisements, coupons, news, and other information about promotions or special activities directly to you on the website and/or application, from which you may choose to opt-out of certain types of advertising messages by following the provided instructions.
(12) To use for identity verification, proof of identity, and qualification checks when you apply for the company’s services.
4.2 The company has no policy to collect sensitive personal data from you. However, if there is a case where the company needs to collect such personal data, the company will obtain your explicit consent before proceeding with the collection of such personal data, unless there are legal grounds allowing the collection of such data without consent.
4.3 The company would like to inform you that in cases where the company needs to request identification documents such as ID cards, passports, work history, or other documents that may contain Sensitive Data including religion, nationality, or blood type, etc., the company does not intend to retain such information. Therefore, we ask that you cross out or obscure that part of the information. If you do not act as advised, the company reserves the right to cross out or obscure such information in order to protect your sensitive data.
4.4 You agree not to provide any incorrect and/or misleading information to the company, and you agree to inform the company of any inaccuracies or changes to that information. The company reserves the right to request additional documents to verify the information you have provided to the company as deemed appropriate by the company.
4.5 If you have provided the personal information of a third party to the company (such as property owners, beneficiaries, emergency contacts, referees, and references) including names, surnames, addresses, phone numbers, family members’ income, and other personal and contact information for emergency contact, filling out your application, or conducting transactions with the company, you guarantee that such information is legally accurate. Please inform those individuals about this privacy policy and/or obtain their consent.
Clause 5. Processing of Personal Data
5.1 Collection of Personal Data
The company will collect personal data in a limited manner and only as necessary, depending on the type of services that the data owner uses or provides personal data to the company.
The company places importance on collecting personal data directly from you and is also aware of the need to obtain your consent as the data owner, which is your right to choose to consent to the company processing data as requested by the company. However, you must be aware that providing incomplete personal data as requested by the company or not giving consent for the collection, use, and disclosure of such personal data may limit your rights to use certain services.
In this regard, the company may not need to request your consent if the processing of data is supported by other lawful purposes (such as the necessity to fulfill a contract or comply with the law). In such cases, if the company cannot process personal data, it may result in the company being unable to provide services to you.
In some cases, the company may access information about your interests and/or preferences and/or your access data to various websites through the use of cookies on the company’s website and applications. The cookies on the company’s website and applications will store your information, and the company may access such information in order to provide services that best meet your needs.
In communications between you and the company, whether by phone, email, communication applications, customer service centers, or by any other means, the company may record information from these communications for various purposes, such as for evidence, to develop and improve services, to track your satisfaction, to train personnel, to evaluate personnel performance, to analyze data, and to develop the company’s systems for your maximum benefit.
5.2 Use of Personal Data
The company will use personal data for the purposes provided by the data subject to the company, using it appropriately and implementing security measures and access controls for personal data.
5.3 Disclosure of Personal Data
Typically, the company will not disclose personal data to external parties. However, the company may disclose your personal data to others with your consent or under the criteria permitted by law. The individuals or entities receiving such data will collect, use, and/or disclose your personal data within the scope of your consent or the relevant scope outlined in this notice.
The company may disclose your information to the following parties:
1) Various service providers that provide services to the company. The company may need to disclose your personal information to various service providers that serve the company, including government agencies that the company requests services from, such as the service providers listed below. These service providers will use your personal information only to the extent permitted by the company and must comply with this announcement. The disclosure of such information will be on a need-to-know basis only.
• The company’s distributors
• Transportation service providers, freight forwarders
• Marketing service providers, including those providing data and statistics
• Advertising, public relations, and communication service providers
• Service providers involved in document preparation, storage, and publishing
2) Company partners, The company may disclose your personal information to other individuals who have a partnership agreement with the company, such as business partners, sales representatives, and outsourced contractors in business operations.
3) External service providers that provide services and operate under the company’s control, such as assisting in transaction processing, sending advertisements for the company’s products and services, or providing assistance and services to you. Service providers related to transactions and finance (e.g., banks, payment processing companies), technology service providers (e.g., cloud systems, blockchain systems, SMS services, data analytics services), and providers of various programs and information systems.
4) Any other individuals as prescribed by law, in cases where there are laws, rules, regulations, orders from government agencies, agencies with supervisory responsibilities, or orders from judicial bodies requiring the company to disclose your personal data, the company is obligated to disclose such personal data.
The company must disclose your personal data to the transferee (including those who may potentially be transferees), and the rights and obligations of the transferee concerning your personal data will be in accordance with this announcement.
Clause 6. The transfer or transmission of personal data to foreign countries
6.1 The company may transfer or transmit your personal data to affiliated companies or other individuals abroad if necessary for the performance of a contract to which you are a party, or as part of a contract between the company and other individuals or legal entities for your benefit, or for use in processing your requests prior to entering into a contract, or to prevent or mitigate harm to your life, body, or health, or that of others, to comply with the law, or if necessary to carry out missions for significant public benefit.
6.2 The company may store your data on computers, servers, or cloud services provided by third parties, and may use third-party software or applications in the form of Software as a Service and Platform as a Service to process your personal data. However, the company will not allow unauthorized individuals to access personal data and will require those individuals to have appropriate security measures in place.
6.3 In the event that your personal data is sent abroad, the company will comply with personal data protection laws and use appropriate measures to ensure that your personal data is protected and that you can exercise your rights related to your personal data under the law. This includes requiring recipients of the data to have appropriate measures to protect your data and to process such personal data only as necessary, and to take actions to prevent unauthorized individuals from using or disclosing personal data without proper authority.
Section 7. Retention Period for Personal Data
The company will retain the personal data you have provided for as long as necessary for processing. Once that period has elapsed, it will not exceed 10 years from the date you last provided the company with personal data for processing. When it is no longer necessary, the company will proceed to destroy the personal data.
Clause 8. Rights of Data Subjects
Data subjects may exercise the following rights under the law:
8.1 Right to Withdraw Consent: If you have given consent for the company to collect, use, and/or disclose your personal data (whether such consent was given prior to or after the enforcement of the Personal Data Protection Act), you have the right to withdraw your consent at any time while your personal data is with the company, unless there are legal restrictions on that right or there is a contract that benefits you.
Withdrawing your consent may affect your ability to use various products and/or services, such as not receiving benefits, promotions, or new offers, not receiving improved products or services that meet your needs, or not receiving information that is beneficial to you. Therefore, for your benefit, you should study and inquire about the implications before withdrawing your consent.
8.2 Right to Access Data: You have the right to request access to your personal data that is under the responsibility of the company and to request that the company provide you with a copy of such data, including requesting that the company disclose how it obtained your personal data.
8.3 Right to Data Portability: You have the right to request your personal data in cases where the company has prepared that personal data in a format that is readable or usable by automated tools or devices, and can use or disclose personal data by automated means. You also have the right to request that the company send or transfer your personal data in such a format to another data controller when it can be done by automated means, and you have the right to receive personal data that the company has sent or transferred in such a format to another data controller directly, unless it cannot be processed due to technical reasons.
Your personal data mentioned above must be personal data that you have consented to the company collecting, using, and/or disclosing, or personal data that the company needs to collect, use, and/or disclose for you to use the company’s products and/or services as intended, which the company has a contractual relationship with you, or to process your requests before using the company’s products and/or services, or other personal data as specified by the legal authority.
8.4 Right to Object: You have the right to object to the collection, use, and/or disclosure of your personal data at any time if the collection, use, and/or disclosure of your personal data is conducted for necessary operations under the legitimate interests of the company or another individual or legal entity, to the extent that you can reasonably anticipate, or for the purposes of carrying out a mission for the public benefit. If you submit an objection, the company will continue to collect, use, and/or disclose your personal data only to the extent that the company can demonstrate legal reasons that outweigh your fundamental rights or for the purpose of establishing legal rights, compliance with the law, or legal defense, depending on each case.
Additionally, you also have the right to object to the collection, use, and/or disclosure of your personal data conducted for marketing purposes or for scientific, historical, or statistical research purposes.
8.5 Right to Request Deletion or Destruction of Data: You have the right to request the deletion or destruction of your personal data, or to make your personal data anonymous, if you believe that your personal data has been collected, used, and/or disclosed unlawfully or if you believe that the company no longer needs to retain it for the purposes related to this notice, or when you have exercised your right to withdraw consent or your right to object as stated above.
8.6 Right to request suspension of data use: You have the right to request a temporary suspension of the use of your personal data in cases where the company is in the process of verifying your request to exercise the right to rectify personal data or your objection, or in any other case where the company no longer needs to retain or destroy your personal data according to applicable laws, but you request the company to suspend its use instead.
8.7 Right to request correction of data: You have the right to request that your personal data be corrected to be accurate, up-to-date, complete, and not misleading.
8.8 Right to complain: You have the right to lodge a complaint with the relevant legal authority if you believe that the collection, use, and/or disclosure of your personal data is conducted in a manner that violates or does not comply with applicable laws.
You can exercise your legal rights by filling out the details in the data subject’s rights request form available in Clause 14. Compliance with the Privacy Policy and contacting the company.
Your exercise of the above rights may be restricted under applicable laws, and there may be certain cases where the company may refuse or be unable to process your requests for the above rights, such as compliance with laws or court orders, for public benefit, or if the exercise of rights infringes on the rights or freedoms of others. If the company denies your request, it will inform you of the reasons for the denial.
Clause 9. Security Measures for Personal Data
9.1 The security of your personal data is important to the company, and the company has implemented appropriate technical and administrative security standards to protect personal data from loss, unauthorized access, use, or disclosure, misuse, alteration, and destruction using security technologies and procedures such as encryption and access restrictions to ensure that only authorized individuals can access your personal data, and these individuals are trained on the importance of protecting personal data.
9.2 The company provides appropriate security measures to prevent loss, access, use, alteration, modification, or disclosure of personal data by unauthorized individuals or parties without relevant rights or duties regarding that personal data and will review such measures when necessary or when technology changes to ensure effective security measures are maintained.
Clause 10. Management of Issues in the Event of Data Breach
The company has established guidelines to manage issues in the event of a personal data breach as follows:
10.1 When a personal data breach is detected or a complaint is received regarding a personal data breach, the individual who detects or receives the complaint must report it to the Chairman of the Personal Data Committee of the company or the Data Protection Officer to conduct an investigation, coordinate with the responsible parties to identify the cause of the data breach, and report to the relevant regulatory authorities as required by law.
10.2 Upon identifying the cause which arises from
(1) The company’s operational system shall coordinate with the information technology department to suspend or temporarily shut down the operational system in order to rectify errors or notify the external service provider of that operational system to take immediate corrective action.
(2) Individuals within the company shall immediately suspend access to that person’s data and establish an investigation committee according to the company’s measures.
(3) External service providers shall investigate the cause and report back to the company within 24 hours from when the company provided the information, during which time the company will temporarily suspend data transmission to that external service provider until the issue is resolved.
10.3 For leaked information, the company will manage that data to minimize damage as much as possible, according to legal processes or other methods as appropriate.
10.4 The company will periodically inform the complainant of the progress regarding damage limitation, the cause, and the preventive measures that the company has implemented at each stage.
Clause 11. Communication from the company
11.1 Advertising Messages
The company may use your personal information to send content and advertising messages from the company or from the company’s partners (acting on behalf of the company) to you via email, SMS, notifications within the company’s platform, marketing calls, and similar communication methods.
If you do not wish to receive marketing calls or messages, you can inform the company at any time or follow the “unsubscribe” procedure or the STOP command that appears in those advertising communication methods.
11.2. Messages regarding services and billing.
The company may contact you with important information regarding the company’s services or your use of those services. For example, the company may send advance notices (by any means we have) if we temporarily suspend certain services for maintenance, or in response to your requests or emails for support, or send reminder messages or warnings regarding upcoming payment installments or late payments for current or upcoming service packages, or forward complaints about misuse related to your user website, or inform you of significant changes in the company’s services.
Therefore, it is important that you can always receive those messages. For this reason, you do not have the right to opt-out of receiving messages about services and billing unless you are no longer a user of the company (which can be done by deactivating your account).
Clause 12. Use of Cookies
Cookies refer to small pieces of data that websites send to be stored with the data subject who visits the website, to help the website remember the data subject’s visit information, such as the preferred language, system user, or other settings. When the data subject visits the website again, the website will recognize that they are a returning user and set preferences as specified by the data subject until the data subject deletes the cookies or does not allow those cookies to function anymore. The data subject can choose to accept or decline cookies. If they choose not to accept or delete cookies, the website may not be able to provide services or display them correctly.
You can study information about the Cookie Policy that the company has provided at https://addtocraft.com/cookie-policy/
Clause 13. Links to External Websites
In using the company’s application or website, there may be links to social networks, platforms, and other websites operated by third parties. The company attempts to connect only to websites that adhere to standards for personal data protection. However, the company cannot be held responsible for the content or personal data protection standards of those other websites unless otherwise specified. Any personal data you provide to third-party websites will be collected by those parties and is subject to their personal data protection notices/policies (if any). In such cases, the company requests that you review and comply with the privacy notices/policies presented on those websites separately from the company’s own.
Clause 14. Public Forums and User-Generated Content
The company’s services offer blogs, community, and forums for public assistance. Therefore, please be aware that the personal information you provide in these sections may be read, collected, and used by others who have access to that information. If you wish to request the deletion of your personal data from the company’s blog, community, or forum, please contact the company immediately here. In some cases, we may not be able to delete your personal data from those sections, such as when you use a third-party application to post comments (e.g., Facebook’s social plugin application) while logged into your profile with that third party. You will need to log into that application or contact the provider to request the deletion of the personal data you posted through that platform
In any case, the company advises that you please do not post personal data that you do not want the public to know (by any means).
If you upload user-generated content to your account or post that content on your user website and/or provide information in other ways that are considered part of using the service, it will be deemed that you are doing so at your own discretion. The company has implemented appropriate security measures to protect and safeguard your personal information. However, the company cannot control the actions of users or other public members who may access your user-generated content, and the company is not responsible for circumventing the privacy settings or security measures that you or the company have set on your user website (including sections of your user website that are password-protected, etc.). You understand and acknowledge that even after you or the company delete content, copies of the user-generated content may still appear on pages that are backed up and archived, or in cases where third parties (including your users) have made copies or stored such content. For clarity, we recommend that you do not upload or post any information that you do not want the public to know.
Clause 15. Personal data from your users
The company may collect, store, and process certain personal data of your users (“your users’ data”) only on behalf of and at the direction of your company. For example, each user can import email contact lists from third-party providers, such as Gmail, or collect and manage contact lists through their user website. Those contact lists will be stored on behalf of the user with the company.
For the purposes mentioned, the company acts and should be considered as a “Processor” and not a “Controller” of the user data of the user (both terms starting with capital letters are defined in the General Data Protection Regulation or GDPR).
The user who controls and oversees the user’s website will be considered the “Controller” of the user data of the user and has the obligation to comply with all laws and regulations that may apply to the collection and control of the user data of the user, including privacy and data protection laws of all relevant jurisdictions.
The processing of personal data of the user’s users will occur within the territory of the European Union, or in Israel, or in a third country, in the territory or in at least one part of the third country where the European Commission has decided that the level of protection is adequate. Therefore, such processing and transfer will be subject to the Data Processing Annex – User (“DPA”).
Regarding the transfer of data to third countries outside the European Union and processing in such countries that do not have an adequate level of protection as defined by the European Commission, the initial actions must be under an approved transfer mechanism as detailed in the DPA.
You are responsible for the security, ethics, and use of personal data concerning the authorized users of the user, including obtaining consent and permissions, and providing the rights of data subjects and the necessary fair processing notice required for the collection and use of such personal data.
To further study how the company handles the personal data of its users (which may relate to certain declarations you provide and/or consents you obtain from your users)
If you are a visitor, user, or customer of the company’s users, please read the following:
The company has no direct relationship with the users of the users for whom the company processes personal data. If you are a visitor, user, or customer of the company’s users and wish to submit a request or inquiry regarding your personal data, please contact that user directly. For example, if you wish to access, correct, modify, or delete inaccurate personal data that the company processes on behalf of the user, please send your inquiry directly to that user (who is the “controller” of that data). If the user requests that the company delete the personal data of its users, the company will comply with such a request in a timely manner after conducting a proper review and in accordance with applicable laws (e.g., thirty (30) days under GDPR regulations), unless the company’s user specifies otherwise.
Clause 16. Updates to the Privacy Policy
The company may update or amend the privacy policy without prior notice to the data subjects. This is to ensure appropriateness and efficiency in service delivery. Therefore, the company recommends that data subjects read the privacy policy each time they visit or use the company’s services or website.
Clause 17. Compliance with Privacy Policy and Contact with the Company
In the event that the data subject has questions or suggestions regarding the privacy policy or the compliance with this privacy policy, the company is willing to answer inquiries and listen to suggestions for the benefit of improving personal data protection and the company’s services. The data subject can contact the company at the address below:
Neighbors and Friend Company Limited
Contact Address: 414 Siam Patumwan House 19th floor Room No. 1911-5-7 Phaya Thai Road, Wang Mai, Pathumwan, Bangkok 10330
Phone Number: (+66)2-821-5532
Email: [email protected]
Data Protection Officer
Contact Address: 414 Siam Patumwan House 19th floor Room No. 1911-5-7 Phaya Thai Road, Wang Mai, Pathumwan, Bangkok 10330
Phone Number: (+66)2-821-5532
Email: [email protected]
Clause 18. Governing Law
This privacy policy is governed by and interpreted in accordance with Thai law, and Thai courts have the authority to adjudicate any disputes that may arise.
Promulgated on 1st March 2025
Get started with an intuitive dashboard,
fully customizable templates, and a
seamless product management experience
Quick Links
Get In Touch
© 2025 All Rights Reserved.
