Privacy Statement for Customers
This Privacy Statement aims to clarify what personal data we process, why we process it, who receives your data and how you can exercise your legal rights.
In this Privacy Statement, “personal data” refers to any information which enables identification of a living individual, whether directly (like your full name, email address, phone number, etc.) or indirectly (like a user ID connected to your identity) as defined in the Personal Data Protection Act B.E. 2562 (as amended) (“PDPA”). Similarly, “processing” refers to any operation performed on your personal data, for example the collection, storage, use, disclosure, or destruction of your personal data as defined in the PDPA.
Who are we and how can you reach us?
We are Delivery Hero (Thailand) Co., Ltd. (“DepachikaThailand”, “we”, “us” or “our”) and we are located at 60/17 moo 7, Soi Phon praphanimit 22/2 Nong Prue, Bag Lamug, Chon Bur 20150. With regard to your privacy, it is us who decide how and for what purposes your personal data is processed. In data protection language that makes us a so-called “data controller” (i.e. the entity having the power and duties to make decisions regarding the processing of your personal data ). If you have any questions related to how your personal data is processed or if you would like to reach our data protection officer, please contact Mae@depachikathailand.com
Minors
Our services are intended for a general audience and not specifically intended for minors aged below 20 years old. If you are a minor, you represent and warrant that, where it is required by applicable laws, you have duly obtained consent from your parent or legal guardian to enable us to process your personal data for the relevant purposes specified in this Privacy Statement. You also agree that DepachikaThailand reserves the right to request for any proof of said consent at any time as DepachikaThailand deems appropriate or necessary, and to suspend or terminate your account if you failed to provide us with said proof within the required timeframe. To the extent necessary, we may take appropriate actions to verify your age before or any time during your use of our services.
What categories of personal data do we process?
When you use our platform or any other services, we process personal data actively provided by you, collected from your device when you interact with us or obtained from third parties. Broadly speaking we will process the following categories of personal data:
Account data
including your name, address, ID card number, email address, password, telephone number, country, age, gender, user ID, language, communication, username or account name on other social media platforms, interests, preferences and other profile settings
Order and delivery data
including delivery details (e.g., delivery address, date and time of the delivery, type of collection), order IDs, order history, product names and quantities
Location data
including address, postcode, city, country, longitude and latitude
Device information
including device ID, IP address, session information, device configuration settings, operating system, platform interactions such as items added to the cart, and other data obtained through web-trackers (e.g. cookies, SDKs, pixels)
Payment data
including bank account details, credit card data, tax ID, payment method data, payment amount, payment recipient details, refund details, and bank receipts
Customer support data
including content of your customer support requests, response from our customer care teams and images attached
You can find all details about how we process your personal data below.
What do we do with your personal data?
A. When you create an account
Account Creation
When creating a customer account we need to process your account data such as your name, email address, password, telephone number, country, and language. Once you have created an account, we will assign you a unique user ID. This measure will allow us to recognize you in our system without needing to use all of your account-related information. This user ID cannot be used by any outside parties.
The information we request during the account creation process is necessary to take the first step in establishing a customer relationship with you so that we can provide you with our services. If you do not provide us with your personal data for these purposes, we will not be able to create your account and you will not be able to use our platform and/or receive our service, either in whole or in part.
The legal basis for this processing is therefore “entering into or performance of a contract” under the Article 24(3) under PDPA.
We store this personal data as long as you remain our customer and in the ordinary course of things, we delete it when you close your account, or after 103 years of inactivity, unless statutory legal requirements mandate longer retention or as may otherwise be permitted by the applicable law such as when we need to retain your personal data to establish our legal claims.
Single-Sign-On (“SSO”) Options
We offer you the option to register on our platform by using one of the commonly used social networking systems such as Facebook, Google, or Apple. If you already have an account with any of these services, you can sign up and log in to our platform using your user data from those identity management providers.
When logging in with the SSO option, we may get access to SSO data such as your name, email address, telephone number, country, user ID, and your date of birth, if you have shared this data with the SSO provider.
This information is necessary for initiating our customer relationship and entering into a contract with you. We never receive or store the password you use for these systems. If you do not agree to share your SSO data with us, you may not be able to use our platform and/or receive our service, either in whole or in part.
Information on third-party SSO providers can be found here:
Facebookhttps://www.facebook.com/privacy/explanation
Google https://support.google.com/accounts/answer/112802
Apple https://support.apple.com/en-us/HT204053
The legal basis for this processing is “entering into or performance of a contract” Additionally, we may also need to process your SSO data to manage our relationship with you based on our “legitimate interest”.
We process this personal data as long as you remain our customer, or until you delete your account with the SSO provider. We may retain your personal data for a longer period if it is mandated by the statutory legal requirements or otherwise permitted by the applicable law.
Managing Your Profile
You can access your profile at any time to make changes, provide additional information about yourself, or view your previous orders. Your data is also processed to administer your profile, which includes tasks such as ensuring the accuracy of your personal details, processing any modifications you make, and managing technical issues you might have.
The information we process about you for this purpose includes account data, order and delivery data, payment data, and device information.
Managing and administering your profile is a fundamental function of our platform. Without this process, we cannot provide our services to you. Therefore, the legal basis for this processing is “performance of a contract” under the Article 24(3) under PDPA. Additionally, in certain cases, we may also rely on our “legitimate interest” under the Article 24(3) under PDPA to process your personal data as part of management and administration of your profile such as to ensure accuracy of your personal details.
We store this personal data as long as you remain our customer and in the ordinary course of things we delete it when you close your account, or after 10 years of inactivity, unless statutory legal requirements mandate longer retention. We may retain your personal data for a longer period if it is mandated by the statutory legal requirements or otherwise permitted by the applicable law.
B. When you browse our platform
Cookies and Web Tracking Technologies
We use web tracking technologies (e.g., cookies, SDKs, measuring pixels) when you browse our platform, whether you are a customer or a visitor. These technologies enable us to facilitate the functioning of our platform, improve its performance and security, or understand how our users interact with our platform. In addition, these technologies allow us to deliver customized content or targeted advertising to our users.
Cookies and web tracking technologies may be used to collect data that we classify as device information, including your device ID, IP address, session information, preferences such as language settings, platform interactions such as items added to the cart, platform performance analytics, and crash reporting.
You have the option to configure your browser to notify you when cookies are being set, allowing you to accept or reject them on a case-by-case basis or generally. Please note that a cookie banner will appear when you first visit our platform, giving you the opportunity to manage your cookie preferences. Disabling cookies may impact the functionality of our platform. You can adjust your cookie settings at any time.
Personalized Content and Suggestions
When you browse our platform, we show you a variety of vendors and products. We may customize the content on our platform so that you are shown vendors who are close to you, who you have ordered from in the past, or products we believe may be of interest to you. To make this feature available, we need your account data, location data, order and delivery data, and device information.
This process may involve customer segmentation based on the data we collect from you. Additionally, we can make predictions about our customers’ demographics (e.g., age, gender) or consumption preferences. As a result, our suggestions may highlight specific products or cuisines, such as Italian restaurants, or vegan products.
Please note that these processes will not have a legal or similar significant effect on you. The only result of this process will be that you will receive suggestions about products or vendors that match your interests and food preferences.
Our activities within personalized content and suggestions form the core of our platform, without which we could not offer you relevant products and therefore we would be unable to facilitate a ground for entering into a contract with you. We would like to highlight that personalized content that is shared in this context is separate from the marketing initiatives carried out on our platform.
The legal basis for processing your data for the purpose of suggesting products and vendors and customer segmentation is “performance of a contract”. Additionally, we rely on “legitimate interest” under Article 24(5) of PDPA for customer segmentation.
We will process the data we process for this purpose for the same duration as your other account data.
When you place an order
Shopping Cart and Storing the Added Items for Later
Once you login to your profile and select items, they will be saved in your cart. Even if you close your browser or app, you can continue your order from where you left off. To make this feature available on our platform, we process your account data, device information, and order and delivery data.
The shopping cart function is essential to our platform as it enables us to receive and process your order. Without it, we would not be able to enter into a contract with you.
The legal basis for this processing is ‘entering into or performance of a contract’ under Article 24(3) of PDPA.
This data is deleted as soon as we no longer need it, such as once you place your order or soon after you have removed everything from your shopping cart.
Order Processing
Once you have successfully registered to our platform, you can place your order. To process the order you placed on our platform, we need to receive your personal data.
To process your order, we need your account data as well as your order and delivery data including your address, postcode, city, country, longitude and latitude, order ID, your order instructions, product names and quantities.
This information is necessary for us to forward your order for the following steps to ensure the successful delivery of your order. Without this information, we would be unable to take necessary steps to fulfill our contractual obligations to you.
Where our platform offers the delivery of prescription medicines, the data we process may include special categories of personal data (i.e. health data). In this case, we will ensure that we clearly inform you, obtain your prior consent or otherwise comply with the requirements of the applicable data protection laws. However, please note that your order of non-prescription (i.e. over-the counter) products not specifying any particular medical condition may not be regarded as involving special categories of personal data.
The legal basis for this processing is generally based on “performance of a contract under Article 24(3) of PDPA”. However, to the extent that the processing involves your special categories of personal data, our such processing will be based on your “consent” under Article 19 of PDPA.
We will process the data we process for this purpose for the same duration as your other account data, or as may otherwise be permitted by applicable laws.
Invoicing
If you decide to proceed with your order, we will need to receive the payment for the items you have selected.
When you place an order and select a payment provider, your information will be shared with your selected payment provider to initiate the payment process. As a customer of these payment providers, you can find information on their privacy practices in their separate privacy statements.
Following the payment for your order, if we are required to provide you with an invoice. To fulfill this requirement and to facilitate your payment, we need to process your account data, order and delivery data, and payment data including payment method data, payment amount, payment recipient details, refund details, and bank receipts. Without this information, we would not be able to comply with our legal obligations under applicable laws (including but not limited to tax laws).
In some cases, the vendor (e.g. restaurant, shop) that receives your order is responsible for issuing an invoice to you. In this case, personal data necessary to meet the invoicing requirements under applicable law is shared with the vendor for the sole purpose of issuing an invoice.
The legal basis for this processing is “legal obligation” under Article 24(6) of PDPA.
We store this personal data for 10 years after the invoice date.
Saving your Payment Methods
In order to make the ordering process even more convenient for you, our platform offers you the option to save your preferred payment method. This means that, if you choose to save your payment method, you will not have to re-enter your payment details the next time you need to make payments on our platform.
The information you can save within this feature is payment data including your name, bank account details, credit card data, tax ID, payment method data, payment amount, payment recipient details, refund details, and bank receipts.
The legal basis for this processing is “consent” under Article 19 of PDPA. We will keep this personal data for as long as you choose to share it with us.
When you subscribe for pandapro , we will request to store your payment data to enable regular billing in accordance with your subscription. As maintaining a regular payment process for your subscription plan is a fundamental part of this service and without this information, we would not be able to maintain said regular payment process, The legal basis for this processing is “performance of a contract” under Article 24(3) of PDPA.
We store this personal data as long as you remain our customer and in the ordinary course of things we delete it when you close your account, or after 10 years of inactivity, unless statutory legal requirements mandate longer retention, or as may otherwise be permitted by applicable laws.
D. When we deliver your order
Preparing Your Order
After receiving your order, we share your order data with the vendor (e.g. restaurants, shops) preparing your order. We minimize the information we share with our vendors so that they only see the information necessary to process your order and hand the order over to couriers. The data we share with the vendors include order and delivery related data. In addition, vendors may use our platform’s chat feature or call you by phone to contact you in exceptional cases such as if the items you ordered are out of stock. Without your personal data as described in this paragraph, we would not be able to process your order.
As the preparation of your order is a fundamental part of the services provided on our platform, the legal basis for this processing is “performance of a contract” under Article 24(3) of PDPA .
We will process the data we process for this purpose for the same duration as your other account data, or as may otherwise be permitted by applicable laws.
Delivering Your Order
Once your order has been prepared by the vendor, it is handed over to couriers (also called “riders”) who are responsible for delivering your order. In order to enable the delivery of your order, and thus fulfill our contractual obligations to you, we need to process your personal data and share some of that data with the rider who will deliver your order.
This data includes your delivery related data such as your name, telephone number, and delivery address. In addition, riders may use our platform’s chat feature or call you by phone to contact you if there are any exceptional delivery-related issues such as if the rider needs assistance during the delivery process. We will always ascertain that the rider receives as little information about you as possible. Without your personal data as described in this paragraph, we would not be able to process your order or deliver your order.
As the delivery of your order is a fundamental part of the services provided on our platform, the legal basis for this processing is “performance of a contract” under Article 24(3) of PDPA.
In some cases, our riders will be asked to provide proof of delivery. This proof of delivery may include details such as the time and date of delivery, your name, and in some cases, a signature or photo as evidence. In case of any disputes or issues, having this information helps us investigate and resolve matters efficiently, providing you with a higher level of customer satisfaction.
The legal basis for proof of delivery is “legitimate interest” under Article 24(5) of PDPA under.
We will process the data we process for this purpose for the same duration as your other account data, or as may otherwise be permitted by applicable laws.
Customer Care
In case you have questions or issues regarding your order, depending on the nature of your request, we will need your account data, order and delivery data, delivery related data, payment data, customer support data, and the data you share with us when submitting your request. This information allows us to understand the specifics of your order, enabling us to provide you with relevant and accurate assistance (e.g. to assist you in tracking your orders, real time chat to respond to your questions or concerns, etc.)
As part of our customer care service, we may use automation for certain functions. For example, actions such as canceling your order or changing delivery instructions may be automated. In addition, our support agents may utilize algorithmic decision making processes for the purpose of calculating compensation for any issues you may experience, and for issuing a refund or voucher.
We may use artificial intelligence technology such as chatbots powered by large language models as part of our customer care processes. When we do so, we will ensure that we remain the controller of your data and that your data is not shared with third parties to train their AI models.
As resolving your issues is an essential part of the complete fulfillment of the service we provide to you and without this information, we would not be able to fulfill our full service to you under contractual obligations; hence, the legal basis for processing your data for this purpose is “performance of a contract” under Article 24(3) of PDPA, and in certain cases, our processing of your personal data for the customer care-related purposes may also be based on the “legitimate interest” under Article 24(5) of PDPA.
We will keep the data we process within the customer care center feature for the duration of the statutory limitation periods for legal claims in your jurisdiction (for Thailand, the general statutory limitation period is 10 years).
User Reviews
Once your order has been delivered, you can rate and review the vendor you have ordered from. In this case, your first name will be displayed on our platform next to the content of your review. For this purpose, your account data; and the content of your review will be processed.
The legal basis for this “processing is consent” under Article 19 of PDPA.
We will keep your reviews for as long as you choose to share it with us. If you no longer wish your review to be available, you can delete it at any time.
E. When we promote our platform or vendor services
App/SMS Notifications and Email Newsletters
We may send you in-app or push notifications, as well as newsletters via email, or text messages informing you about new restaurants, offers and promotions on our platform. We use a range of criteria to ensure that the content we provide is similar to the products you have previously ordered. As such, these communications may emphasize specific products or cuisines, such as sushi deals, or vegan products.
To make this possible, we use your account data, location data, as well as order and delivery data. This information enables us to promote products and services available on our platform.
You are always free to opt-out from such communications. To ensure we comply with your choice to opt-out, we will keep your contact details on a separate list of customers who prefer not to receive direct marketing communications. In this case, we will unsubscribe you from customized communications and you will not receive such communications in the future.
The legal basis for this processing of your data for the purpose of sending app notifications and email/sms newsletters is “legitimate interest”under Article 24(5) of PDPA for promoting similar goods and services to the one you have already ordered from our platform.
We will process the data we process within this purpose for the duration of your account with us. For the information if you have opted in to or out of receiving such communications, we will store for the duration of the statutory limitation periods for legal claims in your jurisdiction (for Thailand, the general statutory limitation periods is 10 years).
Incentives
We use a variety of incentives to make our platform more attractive to you and to ensure that you enjoy all the advantages that our platform has to offer. These incentives include, customer referral program (i.e. Refer a Friend), vouchers, customer competitions, and bonus programs.
When you use vouchers on our platform, we may process your account data, and the associated discount or promotion. We process this data to apply the voucher to your order, and ensure the proper functioning of this feature.
Our "Refer a Friend" program allows you to invite your friends to our platform and earn rewards. As part of this program, we may process your account data, the associated discount or promotion, and a record of the connection between participants.
When you participate in user competitions or bonus programs on our platform, we may process your account data, data relevant to the program, including your status, points and rewards earned. This data is processed to administer those programs and grant you prizes or discounts. Without this information we will not be able to provide you with the relevant incentives.
The legal basis for these processing activities is “performance of a contract” under Article 24(3) of PDPA . We use this data for the purpose of providing you with discounts and promotions as part of our services.
If you participate in incentives (e.g. bonus programs) offered by third parties, your data might be passed onto them. In such cases, processing of your data is based on your “consent”.
We store this personal data as long as you remain our customer and in the ordinary course of things we delete it when you close your account, or after 10 years of inactivity, unless statutory legal requirements mandate longer retention or as may otherwise be permitted by applicable laws.
Online Marketing
We utilize marketing processes to reach as many potential customers as possible. These processes encompass a range of marketing strategies, including targeted advertisements, both on our own platform, or on online media properties (e.g. websites, social platforms) owned and operated by third-party publishers.
For this purpose, we process account data, location data, order and delivery data, and device information such as session information, your configuration settings, platform interactions such as items added to the cart, and data obtained through web-trackers (e.g. cookies, SDKs, pixels).
When we perform targeted advertisements for our platform, we use customer segmentation based on the data we collect from you. This segmentation may include predictions about our users’ demographics (e.g., age, gender) or consumption preferences. These insights are typically aggregated and pseudonymized, which means that we cannot identify you individually. We use these insights when defining our online marketing strategies.
Your prior explicit “consent” under Article 19 of PDPA is requested to show you our online targeted advertisements. If you do not consent to personalized online advertisements, please note that you may still receive ads related to our service and products. However, these ads will be generic and not result from specific targeting processes.
We will keep this personal data for as long as you choose to share it with us but in any case we will delete the data we process within this purpose after deletion of your account.
Helping Business Advertising Partners Promote Their Goods and Services on Our Platform
We display various types of advertisements on our platform. Our objective is to provide you with advertisements that are truly relevant to your interests and that add value to your online experience. For this purpose, we process account data, location data, order and delivery data, and device information.
To ensure the relevance of ads, we may use user segmentation involving automated processing of your personal data. Additionally, we may make predictions about your demographics (e.g., age, gender) or your consumption preferences. These processes will not have a legal or similarly significant effect on you. The only result of this process will be that you will receive advertisements that match your interests and food preferences.
Using these insights, our platform may display both our own ads and ads from third parties (such as restaurants and food brands). These ads may take the form of standard display ads, 'featured restaurants' that appear on top of a list, or special promotions that offer you limited time deals.
We do not share your personal data with third parties who promote their products on our platform. However, in some cases, we can share advertising performance insights to these third parties. These insights are typically aggregated and anonymized, ensuring that your personal data remains protected. These insights may relate to the effectiveness of their advertisements, such as the number of clicks or engagement metrics.
We ask your “consent” under Article 19 of PDPA in order to show you personalized advertisements. If you do not consent to personalized advertisements, please note that you will still receive ads, however, they will not be tailored to your personal interests.
We will keep this personal data for as long as you choose to share it with us but in any case we will delete the data we process within this purpose after deletion of your account.
Social Media Pages
We maintain profiles on various social media platforms through which we advertise our products and engage with customers. When you visit our pages on social media platforms such as Facebook and Instagram, the operators of these platforms process your personal data, as explained in their own privacy statements. For Facebook and Instagram the data controller is Meta Ireland Ltd. (“Meta”).
Meta provides us with aggregated statistics and insights about our social media pages, allowing us to understand the types of actions users take on their pages. Please be informed, however, that we at no point can attribute any page visit or other interaction to individual social media profiles.
In terms of collecting your personal data on our social media pages and analyzing the user interactions, both we and the respective operators of the social media platforms (such as Meta) act as joint controllers. To formalize this arrangement, we have entered into joint controller agreements with these operators.
For Facebook and Instagram, the following links will show you exactly which data is collected by Meta and how you can exercise your data subject rights in connection with the user insights:
Meta Privacy Policy
Meta Controller Addendum
The legal basis for processing of your data for the purpose of engaging with users and utilizing user insights is “legitimate interest” under Article 24(5) of PDPA.
F. When we ensure the security of our platform
IT Infrastructure, Database Hosting, and Systems Security
We use state of the art servers, network equipment and cloud services to deliver our platform, to ensure high performance and uninterrupted service. All types of personal data you provide and the information we collect about you is stored and protected within the secure environment of our platform. We also use tools such as 2-factor authentication, endpoint security detection, traffic monitoring, backup systems and data loss prevention solutions to keep your data secure at all times.
The legal basis for processing your data for the purposes of hosting and ensuring the security of your personal data is “legitimate interest” under Article 24(5) of PDPA.
We delete daily backups after 90 days.
Fraud Detection and Prevention
One of our main priorities is to provide you with a secure platform and a safe ordering experience. Part of achieving this goal involves implementing proactive measures to detect and prevent fraudulent activity.
For this purpose, we process your account data, payment data, location data, device information, and order and delivery data such as invoices, order IDs, successful orders and canceled orders.
To achieve effective fraud detection and prevention, we use this data to apply state-of-the-art fraud detection and prevention measures, which may include algorithmic decision making and machine learning processes. These measures include fraud scoring and flagging, transaction analysis, user behavior modeling, and, in confirmed cases, automated account suspension and blocking. Our fraud assessments will be based on your previous behavior and also sometimes information obtained from third parties (e.g. when you use a credit card which has been reported as stolen by its owner).
If any such decision (i) results in a negative, legally binding outcome for you, (ii) similarly significantly affects, or (iii) you believe there has been an error, you can contact our customer care team. In this case, we will individually assess the circumstances of your case.
The legal basis for processing your data for the purposes of fraud detection and prevention is “legitimate interest” under Article 24(5) of PDPA.
We will keep the data we process within fraud detection and prevention purposes for the duration of your account and, after closure, for as long as it is required to clarify if your account is linked to any other fraudulent activity on our platform. This time period will vary depending on the activity in your account. Nonetheless, the retention period will be in accordance with the applicable laws.
If you are a trusted customer, we will delete your data, as it is no longer required.
G. When we improve our services
User Surveys and Interviews
We are always aiming to improve our services, and your valuable feedback is an important part of that process. As such, we sometimes include surveys in our newsletters, asking for your feedback or inviting you to a user experience interview.
For the purposes of user surveys and interviews we process your account data, order and delivery data, device information, and the content of your feedback. We also record your usage behavior as part of the user interviews.
Participation in the surveys and interviews require your “consent” under Article 19 through your preferred communication channels, which may include email, SMS, or social communication platforms such as Whatsapp.
If you have already given your consent and would like to revoke it for the future, please let us know by contacting us. In this case we will exclude you from participating in interviews and ensure that you don't receive any further invitations.
We will keep the data we process within user surveys and interviews for as long as you grant us consent to do so. At the latest, when you delete your account, we will consider your declaration of consent to have been withdrawn.
Data Analytics
We perform data analytics to improve our platform in terms of user experience, product development, pricing, promotions, and customer engagement. For instance, to analyze and optimize our user experience, we may show our customers different versions of our platform interface in the context of so-called A/B testing. Analyzing how users interact with different versions enables us to define which version performs better. Similarly, by analyzing customer responses to different pricing models, we are able to determine the right pricing strategies.
To achieve this, we process order and delivery data, and device information. These insights are typically aggregated (meaning process fully anonymously, so you can never be identified as a person by anybody) or pseudonymized (meaning it will be very hard to identify you as a person).
The legal basis for processing your data for this purpose is “legitimate interest” under Article 24(5) of PDPA.
Business Intelligence, Insights & Group-level Statistics Reporting
We process customer data in an aggregated form to identify market trends, and make informed decisions about our market strategy. This analysis involves processing various types of data, including account data, device information, as well as order and delivery data.
Utilizing this data, we create statistical reports at group level, such as our market statements and trading updates. Creating business insights and statistical reports allows us to draw meaningful conclusions from a wide range of customer interactions.
Similarly, as part of our business intelligence, we provide our vendors (e.g., restaurants, shops) with access to certain general information regarding sales and engagement rates (so-called vendor insights). These insights are generated by aggregated analysis of the order and delivery data and device information of our users. The purpose of this analysis is to provide vendors with recommendations to improve their services. For instance, vendor insights provide information on potential reasons why users might have chosen a different vendor. The insights are aggregated and anonymized, which means that vendors cannot identify users individually.
The legal basis for processing your data for this purpose is “legitimate interest” under Article 24(5) of PDPA.
H. When we are required to comply with laws and regulations
Legal Proceedings and Authority Requests
As with any organization, there are instances when we are required to share personal data with public authorities. Additionally, there might be instances where we have to process your personal data to initiate or defend legal claims and uphold our rights and interests. For this purpose, we may disclose and process certain data we hold about you, to the extent strictly necessary to conclude these legal proceedings and investigations.
The legal basis for processing your data for complying with public authority requests is “legal obligation” under Article 24(6) of PDPA. If you do not provide your personal data in such circumstance, it may result in us and/or you being in violation of the applicable law or regulation. Furthermore, the legal basis processing of your personal data for initiating and defending legal claims is “legitimate interest” under Article 24(5) of PDPA.
We retain this information for as long as necessary to comply with legal obligations related to ongoing proceedings and investigations. After the final closing of the respective legal proceedings we will delete your data immediately.
Responding to Data Subject Requests
Data protection laws grant you various legal rights. We are committed to respecting them at all times. When you exercise these rights, we must process your data to effectively address your request. For instance, if you choose to exercise your right to access, we need to gather all of the information we hold about to meet our obligation to provide a response. To achieve this, we may process any type of data we hold about you, only to the extent necessary to comply with our obligations. Without this information, we would not be able to comply with our legal obligations in respect to facilitating or providing you with channels to exercise any of your rights in regard to your personal data under the applicable data protection laws.
The legal basis for processing your data for complying with data subject requests is “legal obligation” under Article 24(6) of PDPA.
We retain this information for as long as necessary to comply with our legal obligations.
Regulatory Compliance in Thailand
Under various applicable regulatory frameworks in Thailand, we may be required to process your personal data to comply with regulatory requirements or disclose your personal data to relevant government agencies, such as the Revenue Department for tax-related purposes, or as mandated by competent authorities or court orders. Without your personal data, we would not be able to fulfill our legal obligations which could result in violations of applicable laws either by us and/or you.
The legal basis for processing your data to comply with data subject requests is “legal obligation” under Article 24(6) of PDPA.
We retain this information throughout the prescribed legal retention period, as stipulated under applicable laws, or as necessary to comply with requests from competent authorities.
Who will receive your data and under what circumstances?
You can trust that, within our company, only those staff members will receive access to your personal data who need them in order to fulfill their professional duties, such as providing you with a great online experience, or looking into your support request. In certain scenarios, we also need to share your personal data with recipients outside of our company. Please be assured that your data is shared with these recipients only to the extent necessary for the specified purposes and only as we are legally permitted to do so.
In addition to sharing data with the parties already specified above, we will only share your data as follows:
A. Delivery Hero group companies
We are part of an international group of companies with legal entities in many parts of the world, including our group’s headquarters located with Delivery Hero SE in Berlin, Germany. In order to utilize our resources efficiently and ensure that our business processes function properly, we utilize our group-wide shared technological support services that sometimes necessitate sharing personal data with our parent company, Delivery Hero SE, or with the locations of our global tech hubs. In certain situations, we might also share limited data with other group companies, for example, to assist with payment collection or to implement platform security measures.
Delivery Hero group companies are bound by strict intra-group data transfer agreements ascertaining compliance with data protection requirements whenever sharing personal data with group companies.
B. Data processors
We use various third-party service providers to perform our operations. Many of these providers process your personal data as so-called “data processors”. This means they are only allowed to process your personal data under our instructions and have no claims whatsoever to process your personal data for their own, independent purposes. Our data processors are strictly monitored and we only engage data processors who meet our high data protection standards. The main data processor for cloud technology on our platform is our group’s headquarters located with Delivery Hero SE in Berlin. Delivery Hero SE provides us with a wide range of services of technology, such as cloud hosting, platform security, marketing or customer relationship management tools.
Delivery Hero SE will also use data processors (as so-called “sub-processors”), as follows:
Our user platforms and databases run on cloud resources provided by the EU subsidiaries of Google Cloud Platform and Amazon Web Services. We use marketing and communications tools by companies such as SalesForce or Braze. Our finance and accounting platforms are provided by SAP. If you would like to request the full list of recipients of your personal data, you are free to do so at any point in time.
C. Other third parties and service providers
In addition to data processors, we also work with third parties, to whom we share your personal data, but who are not bound by our instructions and instead will process your data independently. These may be our consultants, lawyers or accountants who receive your data from us under a contract and process your personal data for legal reasons, or to protect our own interests. Under no circumstances will we sell or rent your personal data to third parties without your explicit, informed consent.
D. Mergers & acquisitions, change of ownership
In the event of a merger with, or acquisition by, another company or group of undertakings, we may need to disclose limited information to that company and their advisors who are under professional obligations to maintain the confidentiality of your personal data. This may occur in circumstances such as mutual due diligence assessments and regulatory disclosures.
In any event, we will ensure that we only disclose the minimum amount of information necessary to conduct the transaction, while also carefully considering the feasibility of removing or anonymizing any data that could identify individuals.
E. Prosecuting authorities, courts and other public authorities
From time to time we may be requested to disclose personal data to public authorities. In some circumstances, we may disclose personal data with public bodies in order to bring or defend legal claims, to protect our rights and interests, or to address security concerns.
Examples of such situations include cooperating in the detection and prevention of crime, responding to legal processes such as court orders or subpoenas, or sharing data with tax authorities for tax-related purposes. The public authorities involved in these scenarios may include law enforcement agencies, courts, tax authorities, or other government bodies.
How do we transfer your personal data to other countries?
We and the parties we share your personal data with may transfer personal data to countries other than the country in which you use our services. Where such transfers take place, we take appropriate measures to ensure that your data is always afforded an adequate level of protection in the countries to which it is transferred; and in any event, we will ensure that the transfer of your personal data will be in compliance with the requirements of the applicable data protection laws.
What are your legal rights?
Under the data protection laws, you are entitled to the following rights:
Right to access
You have the right to access your personal data and obtain additional information on how we process it. You may also request a copy of your personal data. In addition, you have the right to request for us to disclose the source of your personal data, for which you did not provide consent.
Right to rectification
If you