Effective on May 1st , 2020
BSS Holdings Company Limited
BSS Holdings Co., Ltd. (the “Company”, “we”, “us”, or “our”) recognizes the importance of the protection of personal data for our potential customers, customers, or retail merchants (“you”, “your”, or “yours”) of our products and services. We follow strict security procedures when collecting, using, disclosing and/ or internationally transferring your Personal Data (as defined in Section 1 below) outside of Thailand. The information you share with us allows us, Companies under Rabbit’s Data Ecosystem (as defined in Section 3.1 below), affiliates and subsidiaries and our business partners, to provide the products and services you may need and want, while giving you the very best personalized experience and customer services.
1. WHAT PERSONAL DATA WE COLLECT
We may collect your Personal Data directly or indirectly from other sources including Companies under Rabbit’s Data Ecosystem, affiliates and subsidiaries, our service providers, and our business partners who are third parties. The specific type of data collected will depend on the context of your interactions with us, and the services or products you need or want from us. The following are example of Personal Data that may be collected:
1) Personal details, such as title, name, surname, gender, age, occupation, job title, position, business type, nationality, date of birth, marital status, marriage certificate, number of family members and child, information on government-issued cards (e.g., national identification number, copy of national identification card, passport number, driver’s license details), house registration, signature, voice, voice record, picture, photo, photograph, VDO records, video clip, educational backgrounds, workplace, electronic know-your-customer information (e-KYC), income tier, and income/salary/bonus, weight and height, CCTV records, license plate details, driving license picture, car registration picture, vehicle details (e.g. vehicle identification number and vehicle plate number), policy photocopy, relationship to the policyholder or claimant person, insurance policy, and electronic insurance policy;
2) Contact details, such as address, delivery details, billing details, phone number, mobile phone number, business phone number, email address, business email, LINE ID, Facebook account, Google account, Twitter account, and other account-related to the social networking sites;
3) Account details, such as credit/debit card holder number, credit/debit card information, bank account number, member ID, customer ID, member type, customer type, Rabbit Card number, Rabbit Line Pay ID, customer credit score, service and product applications (e.g., service registration form, financial or insurance application), joined month and payment details, and copy of bank account/ bank book;
4) Transaction details, such as payment information, card usage and transaction data (such as Rabbit Card usage/ transaction data and records, Rabbit Rewards point transaction data, lead and customer data of Rabbit Finance (as defined in Section 3.1 below)), campaign response data, payment slip details about refund, refund amount, points, and date and location of purchase, purchase/order number, appointment date for service, complaints and claims, transaction, transaction history, location, transaction status, past sales transaction, prediction data (e.g., loan prediction score, credit scoring), and purchasing behaviour and other details of products and services you have purchased;
5) Technical details, such as Internet Protocol (IP) address, web beacon, log, devicetype, hardware-based identifiers such as universal device identifier (UDID) or Mac Address, software-based identifier such as identifier for advertisers for iOS operation system (IDFA), or identifier for advertisers for Andriod operation system (AAID), network, connection details, access details, single sign-on (SSO), login log, access time, time spent on our page, cookies, your login data, search history, browsing detail, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on devices you use to access the platform;
6) Behaviour details, such as information about your purchasing behavior and data supplied through the use of our products and services, such as your location, train station and train exit you usually use;
7) Profile details, such as your username and password, profile, purchase, historical order, past order, purchase history, items bought, item quantity, orders or product recalls made by you, orders via websites, order ID, financial records, PIN, your interests, preference, feedback and survey responses data, satisfaction survey, social media engagement, participation details, loyalty programs, your use of discount codes and promotions, customer order description, customer service, attendance to trade exhibitions and event, and insurance policy details;
8) Usage details, such as information on how you use the websites, platforms, products and services, Q&A record; and/or
9) Marketing and communication details, such as your preference in receiving marketing from us, Companies under Rabbit’s Data Ecosystem, affiliates and subsidiaries, third parties, business partners and your communication preferences.
In addition, your Personal Data may be collected from our business partners in case you purchase a product from one of our business partners whose products are displayed on our websites. Your Personal Data related to the product you have purchased will be sent to us for the purposes of sale tracking and service improvement.
We do not intentionally collect your sensitive data (“Sensitive Data”). However, in case that we do, we will only collect, use, and/or disclose Sensitive Data on the basis of your explicit consent or where permitted by law.
We only collect the Personal Data of children, quasi-incompetent person and incompetent person where their parent or guardian has given their consent. We do not knowingly collect Personal Data from customers under the age of 20 without their parental consent when it is required, or from quasi-incompetent person and incompetent person without their legal guardian’s consent. In the event that we learn that we have unintentionally collected Personal Data from anyone under the age of 20 without parental consent when it is required or from quasi-incompetent person and incompetent person without their legal guardians, we will delete it immediately or process if we can rely on other legal basis apart from consent.
2. WHY WE COLLECT, USE AND/OR DISCLOSE YOUR PERSONAL DATA
We may collect, use or disclose your Personal Data for the following purposes:
2.1 THE PURPOSE OF WHICH YOU HAVE GIVEN YOUR CONSENT:
We rely on your consent for the collection, use, and/or disclosure of your Personal Data by us, Companies under Rabbit’s Data Ecosystem, affiliates and subsidiaries, and our business partners for the following purposes:
1) Marketing and Communications: To provide marketing communications, information, special offers, promotional materials, tele-marketing, privilege, advertisement, newsletter, and any marketing and communications, both online and offline channels, about products and services from us, Companies under Rabbit’s Data Ecosystem, affiliates and subsidiaries, and business partners which we cannot rely on other legal bases;
2) Data Analytics Services: To conduct data analytics services; and
3) For Other Businesses: To conduct other businesses, which are digital marketing, banking and financial, reward and loyalty programs, credit scoring, loans, insurance, telecommunications, asset management, investment, retail, e-commerce, including their related products and services.
2.2 THE PURPOSE THAT WE MAY RELY ON OTHER LEGAL GROUNDS FOR PROCESSING YOUR PERSONAL DATA
We may also rely on (1) contractual basis, for our initiation or fulfilment of a contract with you; (2) legal obligation, for the fulfilment of our legal obligations; (3) legitimate interest, for the purpose of our legitimate interests and the legitimate interests of third parties. We will balance the legitimate interest pursued by us and any relevant third party with your interest and fundamental rights and freedoms in relation to the protection of your Personal Data; (4) vital interest, for preventing or suppressing a danger to a person’s life, body or health; and/or (5) public interest, for the performance of a task carried out in the public interest or for the exercising of official authorities for the following purposes:
1) To provide products and services to you: To register and/or to enable you to use our products or services, including, but not limited to, for registration of Rabbit Card via online channels or Rabbit Kiosk, for membership of Rabbit Rewards, or for retails/ merchants registration; to enable you to use our websites, mobile applications, and platforms (e.g., to top-up your Rabbit Card, or register via Rabbit Finance channels); to process a request for service application or benefits in connection with Rabbit Card, Rabbit Rewards, or Rabbit Finance; to enter into a contract and manage our contractual relationship with you; to support and perform other activities related to such services or products; to sell our products or services via online and offline channels; to deliver or ship to you the Rabbit Card or other products via online sale; to provide bulk sales of our products or services to our corporate customers; to lease you the retails space on BTS stations; to provide our online media performance and digital marketing service; to process transaction between you and our business partners; to complete and manage bookings and to carry out financial transaction and service related to the payments including transaction check and verification and cancellation; to process your orders, delivery, suspension, replacement, reimbursement, refund and exchange of products or services; to protect your remaining balance when the Rabbit Card is lost or stolen; and to provide customer service operation, including call center;
For customers of Rabbit Finance: To provide a free and instant fee quotation and pricing of our products and services; to provide a price comparison of, including, but not limited to, financial and/or insurance related products or services of business partners; to deliver your request of products or services and you relevant information to those business partners for approval or underwriting purposes; to deliver/ receive contractual documents to/ from you; and to send annual insurance renewal quotes based on information you previously provided to use if you have requested insurance quotes.
2) To provide marketing communications: To provide marketing communications, information, special offers, promotional materials, tele-marketing, privilege, advertisement, newsletter, and any marketing and communications, both online and offline channels, about products and services from us, Companies under Rabbit’s Data Ecosystem, affiliates and subsidiaries, and business partners;
3) To offer promotions, special offers, loyalty programs, reward programs, prize draws, competitions and other offers/promotions to you: To allow you to participate in promotions, promotional campaign, special offers, promotional offer, loyalty programs, co-registration program with our business partners, sweepstakes, privilege, prize draws, competitions and other offers/promotions (e.g., to send reminder emails), events and seminars. This includes to process and administer your account registration, gift registration, event registration; to process points collection, addition, exchange, earning, redemption, and transfer of points; to examine your entire user history, both online and offline; and to provide and issue gift voucher, gift cards and invoices;
4) To contact and communicate with you: To provide you with information, marketing communications, campaign, advertisement, required notices, special offers, benefits, and promotional materials of our products or services; to send you news, electronic newsletters, marketing messages and information about the products, services, brands, and operations;
5) To manage our relationship with you: To communicate with you in relation to the products and services you obtain from us, Companies under Rabbit’s Data Ecosystem, affiliates and subsidiaries, and from our business partners; to handle customer service, call center and/or hotline-related queries, request, feedback, complains, claims, disputes or indemnity; to provide technical assistance and deal with technical issues; to process and update your information; and to facilitate your use of the products and services;
6) To conduct data cleansing, profiling and analytics: To measure your engagement with the products and services; to undertake data cleansing and matching, data profiling and data analytics; to conduct market research, surveys, assessment, behaviour, statistics and segmentation, consumption trends and patterns; to know you better and understand your characteristics; to improve business performance; to better adapt our content to the identified preferences of our customers; to determine the effectiveness of our promotional campaigns; to identify and resolve of issues with existing products and services; to enhance the qualitative information development; to establish whether you already has a relationship with the selected business partners; and to provide the lead generation service to our business partners via Facebook or co-registration pages or any other social media or messenger platforms;
7) To select and provides products or services that are likely to be of your interest and tailored to your needs: To use the result from data cleansing and matching, data profiling and data analytics of your Personal Data to recommend products and services that might be of interest to you from us, Companies under Rabbit’s Data Ecosystem, affiliates and subsidiaries, and our business partners; to identify your preferences, and personalize your experience; and to develop future editorial content targeted to your interests;
8) To improve business operation, products and services: To evaluate, develop, manage, improve existing and design new services, products, system and business operation for you and all of our customers, including but not limited to, customers of Companies under Rabbit’s Data Ecosystem, affiliates and subsidiaries, and our business partners; to track and follow-up with your sale transaction (sale tracking) for our service improvement; to identify and resolve issues; to create aggregated and anonymized reports and measure the performance of our physical products, digital properties, and marketing campaigns; and to manage, operate and maintain our payment systems. We may monitor and/or record our call with you to train our staff and improve our services;
9) To learn more about you: To learn more about the products and services you receive, and other products and services you may be interested in receiving, including profiling based on the processing of your Personal Data, for instance by looking at the types of products and services that you use from us, how you like to be contacted and so on;
10) To ensure the function of our websites, mobile applications, and platforms: To administer, operate, track, monitor and manage our websites, mobile applications, and platforms to facilitate and ensure that they function properly, efficiently and securely; to facilitate and enhance your experience on our websites, mobile applications, and platforms; and improve layout and content of our websites, mobile applications, and platforms;
11) To manage IT system: For our own business management purpose including for our IT operations, management of communication system, operation of IT security and IT security audit; internal business management for internal compliance requirements, policies and procedures; and to update our database;
12) To comply with regulatory and compliance obligations: To comply with legal obligations, legal proceedings or government authorities’ orders which can include orders from government authorities outside Thailand and/or cooperate with court, regulators, government authority and law enforcement bodies when we reasonably believe that we are legally required to do so and when disclosing your Personal Data is strictly necessary to comply with the said legal obligations, proceedings or government orders. This includes to issue tax invoice or full tax form; to comply with electronic e-payment business, financial, and anti-money laundering related legal obligation; to record and monitor communications; to disclose to tax authorities, financial service regulators, other regulatory and governmental bodies; and to investigate or prevent crime;
13) To protect our interests: To protect the security and integrity of our business; to exercise our rights or protect our interest where it is necessary and lawfully to do so, for example to detect, prevent and respond to fraud claims, intellectual property infringement claims or violations of law; to manage and prevent loss of our assets and property; to secure the compliance of our terms and conditions; to produce report relating our products and services to Companies under Rabbit’s Data Ecosystem, affiliates and subsidiaries, and business partners; to detect and prevent misconduct within our premises; to follow up on incidents; to prevent and report criminal offences and to protect the security and integrity of our business;
14) To detect, suppress, and prevent fraud/ illegal actions: To authenticate and verify your identity, and to conduct legal and other regulatory compliance checks (e.g., to comply with e-payment business, financial, insurance, and anti-money laundering related laws and regulations, to perform Know-Your-Customer (KYC) process or e-KYC process; and to prevent fraud and detected suspicious transactions). This includes to perform sanction list checking, internal audits and records, asset management, system and other business controls;
15) To transfer in the event of merger: sale, transfer, merger, reorganization or similar event we may transfer your Personal Data to one or more third parties as part of that transaction;
16) Risks: To perform risk management, audit performance and risk assessments; to conduct credit checks and customer financial due diligence; and/or
17) Life: To prevent or suppress a danger to a person’s life, body or health.
Where the Personal Data we collect from you is needed to meet our legal or regulatory obligations or enter into an agreement with you, if you do not provide your Personal Data when requested, we may not be able to provide (or continue to provide) our products and services to you.
3. TO WHOM WE MAY DISCLOSE OR CROSS-BOARDER TRANSFER YOUR PERSONAL DATA
3.1 Companies under Rabbit’s Data Ecosystem
•“Rabbit’s Data Ecosystem” refers to a group of companies whose names are listed in this link [link to list of Companies under Rabbit’s Data Ecosystem];
•“Rabbit Finance” refers to Rabbit Internet Co., Ltd., Rabbit Insurance Broker Co., Ltd. and Ask Direct Group Co., Ltd. which are also part of Rabbit’s Data Ecosystem.
As BSS Holdings Co., Ltd. is part of Companies under Rabbit’s Data Ecosystem which all collaborate and partially share customer services and systems, including website-related services and systems, we may need to transfer your Personal Data to, or otherwise allow access to such Personal Data by Companies under Rabbit’s Data Ecosystem, and their affiliates and subsidiaries, for the purposes set out above.
3.2 Our service providers
We may use other companies, agents or contractors to perform services on behalf or to assist with the provision of products and services to you. We may share Personal Data including but not limited to (1) infrastructure, software and website developer and IT service providers; (2) warehouse and logistic service providers; (3) data storage and cloud service providers; (4) data cleansing and matching, data profiling, and data analytics service providers; (5) marketing, advertising media and communications agencies; (6) research agencies; (7) survey agencies; (8) campaign and event organizers; (9) tele-sale service providers; (10) call center service providers; (11) payment, payment system, authentication service providers; (12) outsourced administrative service providers; (13) telecommunications and communication service providers; (14) licensed credit-referencing agencies to carry out certain credit checks for certain insurance products; (15) consultancy service providers and/or (16) transportation service providers.
In the course of providing such services, the service providers may have access to your Personal Data. However, we will only provide our service providers with the Personal Data that is necessary for them to perform the services, and we ask them not to use your Personal Data for any other purposes. We will ensure that all the service providers we work with will keep your Personal Data secure.
3.3 Our business partners
3.4 Social networking sites
We allow you to login on our sites and platforms without the need to fill out a form. If you log in using the social network login system, you explicitly authorize to access and store public data on your social network accounts (e.g. Facebook, Google, Instagram), as well as other data mentioned during use of such social network login system. In addition, we may also communicate your email address to social networks in order to identify whether you are already a user of the concerned social network and in order to post personalized, relevant adverts on your social network account if appropriate.
3.5 Third parties permitted by law
In certain circumstances, we may be required to disclose or share your Personal Data in order to comply with a legal or regulatory obligations. This includes any law enforcement agency, court, regulator, government authority or other third party where we believe this is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights, the rights of any third party or individuals’ personal safety; or to detect, prevent, or otherwise address fraud, security or safety issues (e.g., Anti-Money Laundering Office (AMLO), Bank of Thailand (BOT), Office of Insurance Commission (OIC) and Revenue Department).
3.6 Professional advisors
This includes lawyers and auditors who assist in running our business and defending or bringing any legal claims.
3.7 Third parties connected with business transfer
4. INTERNATIONAL TRANSFERS OF YOUR PERSONAL DATA
We may disclose or transfer your Personal Data to third parties or servers located overseas, which the destination countries may or may not have the same data protection standards. We take steps and measures to ensure that your Personal Data is securely transferred, that the receiving parties has in place suitable data protection standard and that the transfer is lawful by relying on the derogations permitted under the law.
5. HOW LONG DO WE KEEP YOUR PERSONAL DATA
We retain your Personal Data for as long as is reasonably necessary to fulfil purpose for which we obtained them and to comply with our legal and regulatory obligations. However, we may have to retain your Personal Data for a longer duration, as required by applicable law.
6. COOKIES AND HOW THEY ARE USED
If you visit our websites, we will gather certain information automatically from you by using tracking tools and cookies (including, but not limited to, Google Tag Manager, Google Analytics, Hotjar, Matomo, Zendesk, Facebook Pixel Analytics, Facebook Ad Manager, and Google Cloud). Cookies are tracking technologies which are used in analyzing trends, administering our websites, tracking users’ movements around the websites, or to remember users’ settings. Some of the cookies are necessary because otherwise the site is unable to function properly. Other cookies are convenient for the visitors: they remember your username in a secure way as well as your language preferences.
Most internet browsers allow you to control whether or not to accept cookies. If you reject cookies, your ability to use some or all of the features or areas of our websites may be limited.
7. YOUR RIGHTS AS A DATA SUBJECT
Subject to applicable laws and exceptions thereof, you may have the following rights to:
1) Access: You may have the right to access or request a copy of the Personal Data we are processing about you. For your own privacy and security, we may require you to prove your identity before providing the requested Personal Data to you;
2) Rectification: You may have the right to have incomplete, inaccurate, misleading, or or not up to date Personal Data that we process about you rectified;
3) Data Portability: You may have the right to obtain Personal Data we hold about you, in a structured, electronic format, and to transmit such data to another data controller, where this is (a) Personal Data which you have provided to us, and (b) if we are processing that data on the basis of your consent or to perform a contract with you;
4) Objection: You may have the right to object to certain processing of your Personal Data such as objecting to direct marketing;
5) Restriction: You may have the right to restrict our processing of your Personal Data where you believe such data to be inaccurate, our processing is unlawful, or that we no longer need to process such data for a particular purpose;
6) Withdraw Consent: For the purposes you have consented to our processing of your Personal Data, you have the right to withdraw your consent at any time;
7) Deletion: You may have the right to request that we delete or de-identity Personal Data that we process about you, except we are not obligated to do so if we need to retain such data in order to comply with a legal obligation or to establish, exercise or defend legal claims; and
8) Lodge a complaint: You may have the right to lodge a complaint to the competent authority where you believe our processing of your Personal Data is unlawful or non-compliance with applicable data protection law.
8. OUR CONTACT DETAIL
1.Data Protection Officer (DPO) of BSS Holdings Co., Ltd.
• Address: 21 TST Tower, 19th Floors, Viphavadi-Rangsit Road, Chomphon, Chatuchak, Bangkok 10900, Thailand
• Email Address: email@example.com