XSpring Digital Company Limited (the "Company", "we", "us," or "our") recognizes the importance of the protection of your Personal Data (as defined below).
This privacy policy (the "Privacy Policy") applies to the Personal Data (defined below in section 1) of: (1) our individual customer, which includes prospective customers, current customers and former customers; (2) employees, personnel, officers, representatives, shareholders, authorized persons, members of the board of directors, contact persons, agents; other natural persons in connection with our prospective, current and former corporate customer, (3) visitors and users of our platforms, such as websites, mobile applications; and (4) any other persons with whom we interact in the course of our business operation or any related services including, but not limited to, business partners.
Natural/individual persons, collectively referred to as "you" or "your" and the individual client and the corporate client, collectively referred to as the "Client".
This Privacy Policy describes how we collect, use, disclose and cross-border transfer your Personal Data. This Privacy Policy applies to our business operations, activities on the websites, mobile applications, call centers, events and exhibitions, online communication channels, other locations and any means where we collect, use, disclose and/or cross-border transfer your Personal Data.
1. Personal Data we collect
"Personal Data" means any identified or identifiable information about you, directly or indirectly, as defined in the Personal Data Protection Act, B.E. 2562 (2019) and all subsidiary legislation related thereto ("PDPA"). In order to offer our services to the Client, we might collect your information in a variety of ways. We may collect your Personal Data directly from you, e.g., through online/offline account opening, registration to participate in our various activities, our salesperson, agent or call center; or indirectly from other sources, e.g., social media, third party’s online platforms, government authorities and other publicly available sources, and/or through our group companies, affiliates, service providers, business partners, official authorities, or third parties, e.g., Digital Asset Exchange and ICO Portal. The specific types of data collected depend on the Client's relationship with us and on which services or products the Client requires from us.
"Sensitive Data" means Personal Data classified by law, including PDPA, as sensitive data. We will only collect, use, disclose and/or cross-border transfer Sensitive Data if we have received your explicit consent or as permitted by law.
We will collect, use, disclose and/or cross-border transfer the following categories and types of your Personal Data, including but not limited to:
- Personal details, such as your title, name-surname, gender, age, occupation, job title, salary, source of income, country of income, work place (e.g. job title, type of business, company you work for), education, nationality, date of birth, marital status, information on government-issued cards (e.g. national identification number, passport number), tax identification number, signature, voice recording, phone records, picture, motion, image, motion from closed circuit television (CCTV), house registration, background information, politically exposed persons information, relationship information with politically exposed persons and other identification information.
- Contact details, such as your address, work address, telephone number, mobile number, fax number, email address, social media account, and other electronic communication ID.
- Account and financial details, such as your passbook, credit card and debit card information, account number and account type, prompt pay details, investment details, net assets, current assets, income and expenses, as well as payment details, service and product application details.
- Transaction details, such as the type of digital asset, price and quantity, referral code, conditions (if any), trading history and balance, payment and transaction history relating to your assets, financial statements, liabilities, taxes, incomes, earnings and investments, source of wealth and funds, representation, investment information, default history, value referred to underlying assets and deposit and withdrawal digital assets.
- Technical details, such as your Media Access Control (MAC) address, Internet Protocol address (IP address), web beacon, log, device ID and network, connection details, access details, single sign-on (SSO) details, login log, access times, time spent on our page, cookies, login data, search history, browsing details, browser type and version, operating system, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on devices you use to access the platform.
- Profile details, such as your account identifiers, username and password, PIN ID code for trading, interests and preferences, activities, investment objectives, investment knowledge and experience, and risk tolerance.
- Usage details, such as information on how you use the websites, platform, products and services including the conversations in any of our platforms.
- Information for marketing communications, such as satisfaction surveys and investment attitude.
- Complaint details, such as any complaints, feedback, problem reports or responses through any channels related to our services.
1.2 Corporate Client
We will collect, use, disclose and/or cross-border transfer the following categories and types of Personal Data of the authorized persons, employees, personnel, agents, shareholders, directors, contactors, representatives or any beneficiary owner of the Corporate Client (if any), including but not limited to:
- Identity data of corporate client, such as, name-surname, title, age, gender, photos, motion, image, motion from closed circuit television, information on CV, education, work-related information (e.g., job position, function, occupation, job title, company you work for, employed at or holds shares of), information on government-issued cards (e.g., national identification number, passport number), shareholding percentage, voting rights, income, source of income, country of income, signatures, politically exposed persons information, relationship information with politically exposed persons and other identifiers.
- Contact details, such as telephone numbers, address, country, email address, and other similar information.
- Personal Data generated in connection with the Client's relationship with us, such as, account opening, administration, operation, payment, settlement, processing and reporting on behalf of the Client. Such Personal Data may include signatures, and your correspondence with us.
- Other information, collected, used, disclosed and/or cross-border transfer in connection with the relationship with us, such as, information you give us in contracts, forms or surveys or data collected when you participate in our business functions, seminars, or social events.
Other than Personal Data of individual person and corporate person we described above, we may collect, use, disclose and/or cross-border transfer your Sensitive Data, including but not limited to:
- Biometric data e.g., face recognition, iris recognition or fingerprint (if any).
- Disability data or health data (if any).
- Criminal records.
- Sensitive Data as shown in the national identification card, e.g., race as it appears in the passport and religion as it appears in the identification card.
2. The Purpose of collection, use or disclosure of your Personal Data
We may collect, use, disclose and/or cross-border transfer your Personal Data for the following purposes. (The purposes that we collect, use, disclose and/or cross-border transfer will depend on your relationship with us and/or services or products required by us.)
2.1 Purpose for which consent is required
In the case that we cannot rely on any regulations or legal basis, we may rely on your consent to:
- Provide marketing communications, special offers, promotional materials about the products and services of the Company, our group companies, affiliates, subsidiaries (if any) and the third parties which we cannot rely on any regulations or legal basis.
- Collect, use, and/or disclose your Sensitive Data for the following purposes:
- Biometric data e.g., face recognition for applying the service and for the purpose of identity verification and authentication (if any).
- Disability data for providing services and facilitation (if any).
- Criminal records for background check (if any).
- Sensitive Data as shown in the identification card, e.g., race (as it appears in the passport) and religion (as it appears in the identification card) for the purpose of identity verification and authentication.
- Cross-border transfer your Personal Data to a country which may not have an adequate level of data protection according to the rules on the protection of Personal Data as prescribed by the Personal Data Protection Committee, for which consent is required by law.
Where we rely on consent as a legal basis, you are entitled to withdraw your consent at any time. This can be done by contacting us via the channels specified on the Company’s website. The withdrawal of consent will not affect the lawfulness of the collection, use, disclosure and/or cross-border transfer of your Personal Data and Sensitive Data based on your consent before it was withdrawn.
2.2 Purpose for which we may rely on other legal grounds for processing your Personal Data
We may collect, use, disclose and/or cross-border transfer your Personal Data by relying on the following legal basis: (1) a contractual basis, for our initiation or fulfillment of a contract with you; (2) a legal obligation; (3) the legitimate interest of ourselves and/or third parties, to be balanced with your own interest and fundamental rights and freedoms in relation to the protection of your Personal Data; (4) vital interest, for preventing or suppressing a danger to a person’s life, body or health; and (5) public interest, for the performance of a task carried out in the public interest or for the exercise of official actions.
We rely on the legal basis in (1) to (5) above for the collection, use, disclosure and/or cross-border transfer of your Personal Data to our officers, employees including our affiliates, group companies or agents or assigned companies, whether domestic or international entity, of the following purposes:
2.2.1 Individual Client
- Contacting you before entering into a contract with us and for the course of entering into a contract or using services with us.
- Processing applications for account opening, account maintenance, and operations relating to your accounts, including but not limited to, processing your applications or requests for using services or products, processing your transactions, issuing your account statement, and operating and closing your accounts.
- Providing services to you, such as digital asset brokerage services, digital asset dealer services, deposit and withdraw digital asset services, digital asset wallet management, digital token subscription service, ICO portal and dealing with all matters relating to the services, e.g., services relating to blockchain technology and assignment of rights under the smart contract.
- Tracking and recording your transactions.
- Providing investment products, offering choices to you from time to time and dealing with all matters relating to the investment products.
- Managing your relationship with us and administration of your account with us.
- Proceeding with your instructions or responding to your inquiries or feedback and resolving your complaints.
- Conducting identity verification and credit checks, know-your-customer (KYC), National Digital ID (NDID) and customer due diligence (CDD) processes, non-U.S. person status checks (FATCA), bankruptcy status check, politically exposed persons checks, relationship with politically exposed persons status checks, background check, screening against sanction lists, other checks and screenings, and ongoing monitoring that may be required under any applicable law, assessing suitability and qualifications for conducting a suitability test.
- Preventing, detecting and investigating fraud, misconduct, or any unlawful activities, whether or not requested by any government or regulatory authority, and analyzing and managing risks.
- Complying with all applicable laws, regulations, rules, directives, orders, instructions and requests from any governmental, tax, law enforcement or other authorities or regulators (whether local or foreign), such as the Bank of Thailand, Office of the Securities and Exchange Commission, Anti-Money Laundering Office, Department of Provincial Administration, Office of the Personal Data Protection Committee, Revenue Department, etc.
- Managing our infrastructure, internal control, internal audit and business operations, preparing reports and complying with our policies and procedures that may be required by applicable laws and regulations including those relating to risk control, security, legal opinion, examination or reference where it’s necessary (e.g., as a supporting evidence of financial statements, notes to financial statements and annual financial statements audit), finance and accounting, systems and business continuity.
- Detecting, preventing, managing, investigating and retaliating any complaints, claims or disputes (including disclosure of information related to the process or legal proceedings).
- Provide marketing communications, information, special offers, promotional materials about the products and services of the Company, our group companies, affiliates and subsidiaries (if any) and third parties.
- Developing new services and products and providing an update to you on our services and products from time to time.
- Carrying out research, planning and statistical analysis, for example, on your investment limit and investment behavior, for the purpose of developing our services and products.
- Organizing our promotional campaign or events, conferences, seminars, and company visits.
- Enforcing our legal or contractual rights including, but not limited to, recovering any and all debts owed to us.
- Dispute management, resolving disputes to enforce our contracts and to establish, exercise or raise against legal claims.
- Facilitating financial audits to be performed by an auditor or receiving legal advisory services from legal counsel appointed by you or us.
- Performing our obligations under any agreements to which we are a party, e.g., agreements with our business partners, vendors, or other asset management companies, or under which we are acting as an agent.
- Providing services and maintaining security in connection with our platforms, such as websites and mobile applications.
- Changes in the business, such as in the case of business reorganization, business restructuring, merger acquisitions, sales, acquisitions, joint ventures, transfers, liquidation or any similar event in connection with the transfer or disposition of all or any part of our business, assets, or shares. We may disclose your information to third parties as part of such a process.
If the Personal Data we collect from you is required to meet our legal obligations or enter into an agreement with you, we may not be able to provide (or continue to provide) our products and services to you if we cannot collect your Personal Data when requested.
2.2.2 Corporate Client
- Business communication, such as communicating with the Client about our products or services (e.g., by responding to inquiries or requests).
- Selection process, such as verifying your identity and the Client status, relationship with politically exposed persons status checks, bankruptcy status check, conducting due diligence or any other form of background checks or risk identification on you and the Client (including screening on sanction lists publicly available by law enforcement agencies and/or public authorities as required by law), evaluating suitability and qualifications of you and the Client, issuance of request for quotation and bidding, execution of contract with you or the Client.
- Enter into a contract or provide services to you or your entity.
- Data management, such as maintaining and updating lists/directories of the Clients (including your Personal Data), keeping contracts and associated documents in which you may be referred to.
- Relationship management, such as planning, performing, and managing the (contractual), e.g., by performing transactions and orders of products or services, processing payments, performing accounting, auditing, billing and collection activities, arranging shipments and deliveries, providing support services.
- Business analysis and improvement, such as conducting research, data analytics, assessments, surveys and reports on our products, services and your performance or the Client's performance, development and improvement of marketing strategies and products and services.
- IT systems and support, such as providing IT and helpdesk supports, creating and maintaining code and profile for you, managing your access to any systems to which we have granted you access, removing inactive accounts, implementing business controls to enable our business to operate, and to enable us to identify and resolve issues in our IT systems, and to keep our systems secure, performing IT systems development, implementation, operation and maintenance.
- Security and system monitoring, such as identity authentication and access controls and logs where applicable, monitoring of system, devices and internet, ensuring IT security, prevention and solving crimes, as well as risk management and fraud prevention.
- Dispute handling, such as solving disputes, enforcing our contracts, establishing, exercising or defense of legal claims.
- Internal investigation, any investigation, complaints and/or crime or fraud prevention.
- Internal compliance, such as compliance with internal policies and applicable laws, regulations, directives and regulatory guidelines.
- Complying with laws and government authorities, such as liaising and interacting with and responding to government authorities or courts.
- Marketing purposes, such as informing you of our news and publications which may be of interest, events, offering new services, conducting surveys.
- Complying with reasonable business requirements, such as management, training, auditing, reporting, control or risk management, statistical, trend analysis and planning or other related or similar activities.
- Providing services, such as brokerage services, dealer services, digital token subscription service, ICO Portal, and related services, e.g., blockchain technology and smart contract.
3. How we disclose or transfer your Personal Data
We may disclose or transfer your Personal Data to the following third parties (including their personnel and agents) who process Personal Data in accordance with the purposes under this Privacy Policy. These third parties may be located in or outside Thailand. You can visit their privacy policies to learn more details on how they process your Personal Data.
3.1 XSpring’s Group Companies and Affiliates
We may need to disclose and/or transfer your Personal Data, including but not limited to your identity verification information to access any services as you request, to our group companies and affiliates, such as (1) XSpring Capital Public Company Limited, (2) XSpring Asset Management Company Limited, (3) XSpring AMC Asset Management Company Limited, and/or (4) XSpring Alliance Company Limited etc., or otherwise allow access to Personal Data by other related companies for the purposes set out above.
3.2 Our service providers
We may use other companies, agents or contractors to perform services on our behalf or to assist with the provision of products and services to you. We may share your Personal Data with these service providers, including but not limited to: (a) IT service providers and data storage providers; (b) research agencies; (c) analytics service providers; (d) survey agents; (e) marketing, advertising media and communications agencies; (f) payment service providers and providers of withdrawal services from your account with us to your bank account; (g) administrative and operational service providers; and (h) Know Your Customer process and authentication service providers.
In the course of providing these services, the service providers may have access to your Personal Data. However, we will only provide our service providers with the Personal Data that is necessary for them to perform the services, and we ask them not to use your Personal Data for any other purposes. We will ensure that all the service providers we work with will keep your Personal Data secure and treat your Personal Data in a manner consistent with this Privacy Policy.
3.3 Our business partners
We may transfer your Personal Data to persons acting on your behalf or otherwise involved in the provision of the type of product or service you receive from us, including but not limited to payment recipients, beneficiaries, Digital Asset Exchange, Digital Asset Broker, Digital Asset Dealer, Digital Token Issuer, ICO portal, commercial banks, correspondent banks, trustees, agents, vendors, co-brand business partners, market counterparties, issuers of products, related person to whom we disclose Personal Data in the course of providing products and services to you, and whom you authorize us to disclose your Personal Data to in accordance with applicable law, provided that these data recipients agree to treat your Personal Data in a manner consistent with this Privacy Policy.
3.4 Third parties permitted by law
In certain circumstances, we may be required to disclose or share your Personal Data to a third party in order to comply with legal or regulatory obligations. This includes any law enforcement agency, court, regulator, government authority, such as Securities and Exchange Commission, Anti-Money Laundering Office, Department of Provincial Administration, Office of the Personal Data Protection Commission, Revenue Department or other third party for which we believe disclosure or transfer is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights, the rights of any third party or individuals’ personal safety, or to detect, prevent, or otherwise address fraud, security or safety issues.
3.5 Professional advisors
We may disclose or transfer your Personal Data to our professional advisors relating to audit, legal, accounting, smart contract and tax services who assist in running our business and defending or bringing any legal claims.
3.6 Third parties as assignees, transferees, or novatees
We may assign, transfer, or novate our rights or obligations to a third party, to the extent permitted under the terms and conditions of any contract between you and us. We may disclose or transfer your Personal Data to assignees, transferees, or novatees, including prospective assignees, transferees, or novatees, provided that these data recipients agree to treat your Personal Data in a manner consistent with this Privacy Policy.
3.7 Third parties connected with business transfer
We may disclose or transfer your Personal Data to our business partners, investors, significant shareholders, assignees, prospective assignees, transferees, or prospective transferees in the event of any reorganization, restructuring, merger, acquisition, sale, purchase, joint venture, assignment, dissolution or any similar event involving the transfer or other disposal of all or any portion of our business, assets, or stock. If any of the above events occur, the data recipient will comply with this Privacy Policy in respect of your Personal Data.
When we transfer Personal Data to third parties, we will take steps to ensure the protection of your Personal Data, such as confidentiality arrangements or other appropriate security measures as required by law.
4. Cross-border transfers of your Personal Data
We may disclose or transfer your Personal Data to third parties or servers located overseas, (for example, the transferring of Personal Data to service providers for supporting the process of know your customers and checking customer status for identity proofing and authentication), or the destination countries may or may not have the same data protection standards as Thailand. We have taken steps and measures to ensure that your Personal Data is securely transferred, that the data recipients have suitable data protection standards in place, and that the transfer is lawful by relying on the derogations as permitted under the law.
5. How long do we keep your Personal Data
We retain your Personal Data for as long as is reasonably necessary to fulfill the purposes for which we have obtained it as set out in this Privacy Policy, and to comply with our legal and regulatory obligations. However, we may have to retain your Personal Data for a longer duration, if required by applicable law as well as our internal policies or operational requirements and other necessities, such as in the event of a dispute.
6. Other important information about your Personal Data
6.1 Cookies and how they are used
If you visit our websites, we will gather certain information automatically from you by using Cookies. Cookies are tracking technologies that are used in analyzing trends, administering our websites, tracking users’ movements around the websites, and remembering users’ settings.
Most Internet browsers allow you to control whether or not to accept Cookies. If you reject the use of Cookies, your ability to use some or all the features or areas of our websites may be limited.
You may learn more detail about Cookies Policy at: https://www.xspringdigital.com/th/cookies.
6.2 Personal Data used by minors, incompetent persons or quasi-incompetent persons
Our activities are not generally aimed at minors, incompetent persons and quasi-incompetent persons. However, if we receive these persons’ Personal Data in any cases, we do not knowingly collect Personal Data from customers who are minors without their parental or legal guardian consent, as the case may be, when it is required, or from quasi-incompetent persons or incompetent persons without their legal guardian's consent.
In addition, if we are aware that we have unintentionally collected Personal Data from any minor without parental or legal guardian consent, as the case may be, when it is required, or from a quasi-incompetent person or incompetent person without their legal guardian's consent, we will delete it immediately or continue to process such Personal Data if we can rely on other legal bases apart from consent.
6.3 Personal Data related to third parties
If you provide the Personal Data of any third party, such as your spouse and children, shareholders, directors, beneficiary, contact person, attorney-in-fact and politically exposed persons (e.g., their name, family name, email address, and telephone number), you should ensure that you have the authority to do so and to permit us to use the Personal Data in accordance with this Privacy Policy. You are also responsible for notifying the third party of this Privacy Policy and, if required, obtaining consent from the third party or relying on another legal basis which allows us to lawfully collect, use and/or disclose Personal Data of such third parties.
7. Links to other websites
In the event that you use our website or mobile application, it may contain links to other platforms, websites, applications or third-party service providers. We cannot ensure their contents and their operations and cannot be held responsible for any collection, use, disclosure and/or cross-border transfer of your Personal Data by such platforms, websites, applications or service providers. In this regard, you should verify the privacy policy of such platforms, websites, applications or any services which are linked to our website or our application (if any) to acknowledge and understand their processes of collection, use, disclosure and/or cross-border transfer of your Personal Data.
8. Security of your Personal Data
The Company takes appropriate administrative, technical and physical measures to protect your Personal Data under our control from destruction, loss, access, use, alteration, or disclosure, whether accidental, unlawful or unauthorized, which includes controlling access to your Personal Data in order to maintain the confidentiality, accuracy, and availability of Personal Data under our control, in accordance with the minimum requirements required by law.
The Company has established measures to control access to your Personal Data and the use of equipment for storing and processing Personal Data, which are safe and appropriate for the collection, use and disclosure of Personal Data. Moreover, the Company has provided measures to limit access to Personal Data and the use of devices for storing and processing Personal Data by assigning access rights to authorized, designated employees, together with responsibilities for preventing unauthorized access to, disclosure of, awareness of or illegal copying of Personal Data, or theft of Personal Data storage or processing devices. In addition, the Company has provided measures for retrospective review of access, change, deletion or transfer of Personal Data.
9. Rights regarding your Personal Data
Subject to the applicable laws and exceptions thereto, you may have the following rights regarding your Personal Data:
- Access: you may have the rights to access or request a copy of the Personal Data we are processing about you including information as to which categories of Personal Data we have in our possession or control;
- Data Portability: you may have the rights to obtain Personal Data we hold about you, in a structured, electronic readable format, and to transmit this data to another data controller, where technically feasible, provided that the processing is based on your consent or necessary for the performance of a contract;
- Objection: in some circumstances, you may have the rights to object to the means by which we process your Personal Data in certain activities which are specified in this Privacy Policy;
- Erasure or Destruction: you may have the rights to request that we erase, destroy, or de-identify your Personal Data that we process about you, e.g., if the data is no longer necessary for the purposes of processing or withdraw the consent on which the collection or processing is based, and where we have no legal ground for such collection or processing or where the Personal Data has been unlawfully processed;
- Restriction: you may have the rights to restrict our processing of your Personal Data if you believe such data to be inaccurate, that our processing is unlawful, or that we no longer need to process this data for a particular purpose;
- Rectification: you may have the rights to have Personal Data that is incomplete, inaccurate, misleading, or out-of-date rectified;
- Consent withdrawal: you may have the rights to withdraw consent that was given to us for the processing of your Personal Data, unless there are restrictions on the right to withdraw consent as required by the law, or a contract that benefits you; and
- Lodge a complaint: you may have the right to lodge a complaint to the competent authority if you believe our processing of your Personal Data is unlawful or non-compliant with applicable data protection law.
To the extent permitted by law, we will try to fulfill your request within an appropriate period or any other period stipulated by the laws of Thailand. However, the period may be extended due to specific reasons relating to the specific legal right or the complexity of your request.
In certain situations, we may not be able to give you access to all or some of your Personal Data due to statutory provisions. If we deny your request for access, we will advise you of the reason for the refusal.
10. Changes to this Privacy Policy
From time to time, we may change or update this Privacy Policy. We encourage you to read this Privacy Policy carefully and periodically review any changes that may occur in accordance with the terms of this Privacy Policy on our website/ mobile application. We will notify you or obtain your consent again if there are material changes to this Privacy Policy, or if we are required to do so by law.
11. Contacting us
If you wish to contact us to exercise the rights relating to your Personal Data or if you have any queries or complaints about your Personal Data under this Privacy Policy, please contact us or our Data Protection Officer via the following detail:
(a) XSpring Digital Company Limited
- 59 Siri Campus, Building D, 1st Floors, Soi Rim Khlong Phra Khanong, Phra Khanong Nuea, Watthana, Bangkok 10110 Thailand
- Telephone: 02-030-3730
(b) Data Protection Officer
- Data Protection Officer of XSpring Digital Company Limited, 59 Siri Campus, Building D, 1st Floors, Soi Rim Khlong Phra Khanong, Phra Khanong Nuea, Watthana, Bangkok 10110 Thailand
- Email: dpo@xspringgroup.com
However, you can request to exercise your rights as specified under Clause 9 via the online channel at https://www.xspringdigital.com in the button "Data Subject Rights" or scanning the QR Code below.