1. Introduction
Upon Meditech Co., Ltd. ("Company") is committed to conducting its business ethically and respecting the privacy of its users. Accordingly, the Company has established this Privacy Policy ("Privacy Policy") to inform users ("Users" or "Data Subjects") about the Company's practices related to personal data and the reasons for collecting, using, and disclosing Users' personal data. This Privacy Policy covers the types of personal data collected, the purposes for which such data is collected, the disclosure of Users' personal data to third parties, the security measures taken to protect Users' personal data, the retention period for personal data, and the rights of Users as data subjects under the Personal Data Protection Act B.E. 2562 ("Personal Data Protection Act") and other applicable laws and regulations ("Applicable Laws"). This Privacy Policy applies to the website "www.uponmeditech.com" ("Website") and the application Nick Of Time ("Application"). By using the services, Users confirm that they have read, understood, and agree to be bound by this Privacy Policy.
2. Purposes of Personal Data Collection, Use and Disclosure
The Company will collect, use, and disclose (collectively referred to as "process") Users' personal data only as necessary and in accordance with the law. The Company will process Users' personal data only if there is a legal basis for processing that allows the Company to carry out its activities, including but not limited to:
- Processing personal data to fulfill the Company's contractual obligations to Users
- Complying with the Company's legal obligations
- For the Company's legitimate interests, such as preventing or mitigating harm to the life, health, or safety of Users or others
- Carrying out the Company's mission or acting for the public benefit
- Performing a function of a public authority
- Obtaining Users' consent
- Other legal bases as specified by the Personal Data Protection Law
2.1 Enhanced User Experience: The Company will process Users' personal data to provide services as Users have subscribed to, requested, and/or to comply with agreements or contracts that Users have entered into with the Company. This includes but is not limited to the following purposes:
- Storing in a database that meets international security standards
- Using data to process health information or complications from aesthetic procedures and provide appropriate consultation
- Disclosing data for follow-up on complication symptoms. In this case, the persons or entities to whom the Company may disclose Users' personal data are as follows: attending physicians, physicians using the services, third parties, or companies providing remote healthcare consultation services
- Registration and login for the Company's services
- Verification of registration, confirming and verifying identity, and confirming contact information
- Providing services as requested by the User, according to the User's interests, and/or complying with the Company's contracts
- Communication of products and services, including sending bills, invoices, payment reminders, and receipts
- Payment for company services and fees
- Answering questions, supporting use, providing information, receiving complaints, and resolving problems and obstacles
- Company operations such as analysis, surveys, performance measurement, and improvement/maintenance of existing services for normal operation
- Informing you of changes to services and terms of service
2.2 Legal Compliance: As the Company is obliged to comply with applicable laws and orders of competent authorities, the Company is required to collect, use, and disclose Users' personal data for various purposes, including but not limited to the following purposes:
- Complying with the Personal Data Protection Agreements and other relevant laws
- Complying with hospital laws and other relevant laws
- Complying with other laws (such as the Computer-Related Crime Act, the Electronic Transactions Act, the Consumer Protection Act, and other laws that the Company must comply with)
- Complying with regulations and/or orders of competent authorities (such as court orders, orders of state agencies, or authorized officials)
2.3 For the legitimate interests of the Company and third parties: The Company will process Users' personal data for the legitimate interests of the Company or of other persons or legal entities, balancing those interests against the fundamental rights of Users in their personal data. This includes but is not limited to the following purposes:
- Preventing fraud, corruption, and enforcing the Company's terms, conditions, and policies and/or exercising related legal rights. This means that the Company may use Users' personal data to investigate and prevent fraud, corruption, and other illegal activities, as well as to enforce its terms of service and other agreements with Users.
- Protecting the security of the Company's data and service networks and reporting to Users if any suspicious activity is found, such as attempts to log into accounts abnormally. This means that the Company may use Users' personal data to identify and prevent security threats, such as unauthorized access to its systems or data.
- Studying how the Company's users use the Company's products and services to improve the standard of service, including planning and tracking marketing campaigns, analyzing and improving the services used by members to be efficient and responsive to their needs. This means that the Company may use Users' personal data to understand how Users use its products and services, and to improve the quality of its offerings. This could include conducting research, analyzing usage data, and developing new features or services.
- Developing new products that are appropriate to the needs of Users and determining the type of membership for new products or services. This means that the Company may use Users' personal data to develop new products and services that are tailored to the needs of its Users. This could include identifying new market opportunities, developing new features, and pricing new products and services.
- Contacting, recording images, recording voices about meetings, training, recreation, or booth activities. This means that the Company may use Users' personal data to contact Users about meetings, training, recreational activities, or booth activities. This could include sending emails, text messages, or push notifications.
- De-identifying personal data. This means that the Company may remove all personally identifiable information (PII) from Users' personal data, so that it can no longer be used to identify them. This could be done for research purposes, such as analyzing usage data, or for marketing purposes, such as creating targeted advertising campaigns.
- Conducting research and publishing in academic journals, which do not identify individuals to the public, taking into account the privacy rights of Users. This means that the Company may use Users' personal data to conduct research and publish the results in academic journals. However, the Company will take steps to protect Users' privacy by removing all PII from the research data before it is published.
2.4 According to your consent: The Company must obtain Users' consent before processing certain personal data. This includes:
- Collecting sensitive personal data. This includes data such as a User's race, ethnicity, religion, sexual orientation, and health information. The Company will only collect this data if it is necessary for a specific purpose, such as providing medical care or preventing discrimination.
- Sending news updates, deals and promotions from the Company's business partners and advertising various content based on Users' information and interests. This means that the Company may use Users' personal data to send them marketing communications, such as emails, text messages, or push notifications. The Company will only do this if the User has consented to receive such communications.
- Sending or transferring Users' personal data to foreign countries, which may have inadequate personal data protection standards (unless the Personal Data Protection Law allows for processing without consent). This means that the Company may transfer Users' personal data to countries that do not have the same level of data protection as the User's home country. The Company will only do this if it has taken steps to protect the User's personal data, such as by entering into a data transfer agreement with the recipient organization.
- In the case of minors under the age of 20, persons with legal limitations, incompetent persons, or quasi-incompetent persons, consent must be obtained from the User's parents, guardians, or legal guardians as may be required by law (unless the Personal Data Protection Law allows for processing without consent). This means that the Company must obtain consent from the User's parents or guardians before processing the personal data of a minor. The Company will only do this if it is necessary for a specific purpose, such as providing medical care or preventing discrimination.
3. Personal Data Collection and Data Retention Period
The Company will retain User's Personal Data in both hardcopy and electronic formats for the period necessary during the User's active use of the Services, or as long as the User maintains a relationship with the Company. Additionally, the Company may retain User's Personal Data for any period required to fulfill the purposes outlined in this Policy. Upon the expiration of the aforementioned purposes or the retention period, the Company will, unless otherwise required by law, delete, destroy, or anonymize User's Personal Data in a manner that prevents its re-identification. The following types of Personal Data that the Company collects, uses, discloses, and/or transfers are illustrative and not exhaustive:
3.1 General Personal Data:
- Personal Information such as title, name, middle name, surname, date of birth, gender, nationality, country of residence, etc.
- Contact Information such as address, mobile phone number, landline number, email address, etc.
- Personal Data for System Access such as username, as well as personal data from other accounts that the User chooses to disclose to the Company, such as email address, phone number, etc.
- Data Collected Automatically When Using the Services: access time, device ID, unique identifier, IP address, MAC address, overall usage data, usage history, settings, language information, device name and model, location and time zone, network provider, operating system information, and time spent on the system, etc.
3.2 Sensitive Personal Data:
- Data related to patient care, healthcare services, and cosmetic procedure services, which may include Sensitive Personal Data such as health information related to complications from filler injections or complications from aesthetic surgery, information about symptoms requiring consultation, disability information, medication, filler, or allergy information, health reports, laboratory test results, diagnoses, as well as photographs and videos for consultation purposes, etc.
- For Sensitive Data appearing on copies of identity cards, such as religion and blood type, the Company will notify the User to request that the User redact such information (if applicable) on their photographs/copies of identity cards. If the User does not redact such information, the Company will redact it instead, unless technically impossible. The Company will only collect such data as part of the identity verification process.
4. Sources of Personal Data
4.1 Personal Data Provided Directly by Users: The Company collects Personal Data from Users directly when Users:
- Register for services, verify their identity, update their personal information, or express their intentions regarding the Company's services at the Company's hospitals, affiliated hospitals, locations, websites, or applications.
- Receive medical services at the Company's hospitals, affiliated hospitals, or through remote medical channels, websites, or applications provided by the Company.
- Communicate with the Company at the Company's hospitals, affiliated hospitals, locations, websites, applications, or by email, telephone, or social media platforms.
- Participate in the Company's surveys or marketing promotions.
- Make payments for the Company's products and services. The Company will collect payment-related information.
4.2 Personal Data Collected Automatically: The Company collects Personal Data automatically when Users interact with the Company, receive services from the Company at the Company's hospitals, affiliated hospitals, locations, areas under the Company's responsibility, websites, applications, or online systems. The Company collects the following User data:
- User service usage data
- User communication data with the Company
- Data related to User devices used to communicate with the Company
4.3 Personal Data Not Collected from Users: The Company may receive Personal Data from:
- Individuals close to Users, such as relatives, spouses, or guardians.
- Individuals authorized by Users to act on their behalf in communicating with the Company.
- Affiliated hospitals, in cases where Users have consented to the disclosure of their Personal Data by affiliated hospitals.
- Individuals, legal entities, or agencies, whether public, private, or state-owned enterprises, who send Users for treatment or services with the Company (as applicable) or who pay for services on behalf of Users or invite Users to participate in the Company's services or activities.
The Company may also verify the accuracy of information obtained from Users upon registration for the Company's services with external parties for security purposes and fraud prevention.
5. Data Security
The Company will maintain the security of User's Personal Data in accordance with the principles of confidentiality, integrity, and availability, in order to prevent loss and unauthorized access, use, alteration, modification, or disclosure. Additionally, the Company will implement Data Security Measures, which include Administrative Safeguards, Technical Safeguards, and Physical Safeguards, to control access to and use of Personal Data.
Access Control:
- Implement access control mechanisms to restrict unauthorized access to Personal Data.
- Grant access to Personal Data only to authorized personnel who have a legitimate business need to know.
- Implement password controls, role-based access controls, and multi-factor authentication.
Data Encryption:
- Encrypt Personal Data when it is stored or transmitted.
- Use strong encryption algorithms and protocols.
Data Disposal:
- Dispose of Personal Data securely when it is no longer needed.
- Use secure methods for data destruction, such as shredding or incineration.
Data Breach Notification:
In the event of a Personal Data breach, the Company will notify the Personal Data Protection Commission (PDPC) as soon as possible upon becoming aware of the breach, to the extent practicable. In the event that the breach poses a high risk of affecting User's rights and freedoms, the Company will notify the User of the breach through various channels, such as email, telephone, or mail.
6. Sharing and Disclosure of Personal Data
The Company will not disclose User's Personal Data to external parties for purposes other than those stated in this Policy, unless the User has consented to such disclosure.
However, the information that the User provides to the Company may involve the transfer of User's Personal Data outside of Thailand for the purpose of data backup or disclosure to the Company's foreign agents or partners with whom the User has contacted to use the Company's services. The Company will take steps to ensure that User's privacy rights are protected by using security measures in accordance with the Company's standards.
In addition, the Company may share User's Personal Data that is in its possession with other companies in the group, partners, business partners, or external service providers, such as insurance companies, financial institutions, attending physicians, specialists, consultants, and/or medical professionals, medical laboratories, pharmaceutical and medical product manufacturers and distributors, embassies responsible for international travel arrangements, customer service providers, marketing, advertising, and communications service providers, information system providers, cloud system providers, nearby hotels that are partners with the Company, transportation providers, document storage providers, debt collection providers, accounting, legal, auditing, internal auditing, and financial auditing service providers, family, relatives, close associates, and User's employer or organization, and for any other purpose necessary for the purposes stated in this Policy for the benefit of the Company's services. The Company will ensure that these individuals will handle User's Personal Data in accordance with the Company's Privacy Policy and applicable laws.
7. Changes to this Privacy Policy
The Company may amend this Policy from time to time. Users will be notified of any changes to this Policy by email or through a notice on the Company's website. Any changes to this Policy will be effective immediately upon posting on the Company's website or upon sending an email to Users, as applicable. By continuing to use the Company's websites and applications after any changes to this Policy, Users agree to be bound by the updated Policy. Users may choose to stop using the Company's websites and applications if they do not agree to the updated Policy.
8. Third-Party Websites
This Policy applies only to the Company's websites and applications. If Users visit other websites, even if they are linked to or from the Company's websites, they should review the privacy policies of those websites.
9. Your Rights as a Data Subject
Under the Personal Data Protection Act, Users have the following rights:
- Right to Withdraw Consent: Users have the right to withdraw their consent to the collection, use, or disclosure of their Personal Data at any time. To withdraw their consent, Users should contact the Company at the address provided in the Contact Us section of the Company's website.
- Right of Access: Users have the right to access their Personal Data that is in the Company's possession. To exercise their right of access, Users should contact the Company at the address provided in the Contact Us section of the Company's website.
- Right to Data Portability: Users have the right to receive their Personal Data in a structured, commonly used, and machine-readable format and have the right to transmit that Personal Data to another controller without hindrance from the Company. To exercise their right to data portability, Users should contact the Company at the address provided in the Contact Us section of the Company's website.
- Right to Object: Users have the right to object to the processing of their Personal Data in certain circumstances. To exercise their right to object, Users should contact the Company at the address provided in the Contact Us section of the Company's website.
- Right to Erasure: Users have the right to request that their Personal Data be erased in certain circumstances. To exercise their right to erasure, Users should contact the Company at the address provided in the Contact Us section of the Company's website.
- Right to Restriction of Processing: Users have the right to request the restriction of the processing of their Personal Data in certain circumstances. To exercise their right to restriction of processing, Users should contact the Company at the address provided in the Contact Us section of the Company's website.
- Right to Rectification: Users have the right to request that their Personal Data be corrected if it is inaccurate, incomplete, or outdated. To exercise their right to rectification, Users should contact the Company at the address provided in the Contact Us section of the Company's website.
- Right to Lodge a Complaint: Users have the right to lodge a complaint with the supervisory authority if they believe that the Company has violated their data protection rights. To lodge a complaint, Users should contact the supervisory authority in their jurisdiction.
10. Contact Us
If Users have any questions about this Privacy Policy or their Personal Data, they can contact the Company at the address provided in the Contact Us section of the Company's website.