6. International Data Transfers

Some of our service providers, suppliers, and design partners may process your data outside Thailand. When this occurs, we ensure adequate protection through appropriate safeguards as required by the Thailand PDPA and international data protection standards.

6.1 Transfer Mechanisms and Safeguards

We use recognized transfer safeguards where required, including:

• Adequacy Decisions: Relying on jurisdictions deemed to have adequate data protection standards

• Standard Contractual Clauses: Using model contracts approved by data protection authorities

• Binding Corporate Rules: For multinational suppliers with internal data protection policies

• Explicit Consent: Obtaining your consent for specific international transfers when required

• Additional Technical Measures: Encryption, pseudonymization, and secure transfer protocols

6.2 Common International Data Processing Scenarios

Cloud Service Providers:

• Google Workspace (USA/Global) - email, cloud storage, collaboration

• Microsoft Office 365 (USA/Global) - productivity software

• iCloud (USA/Global - Apple) - file storage

• Adobe Creative Cloud (USA/Global) - design software

• Infomaniak (Switzerland) - domain and email hosting

• Wix (USA/Global) - website hosting

International Communication Platforms:

• WhatsApp (USA - Meta/Facebook)

• Instagram (USA - Meta/Facebook)

• Facebook (USA - Meta)

• TikTok (China/Singapore - ByteDance)

• LinkedIn (USA - Microsoft)

• LINE (Japan)

Architecture & Design Software:

• Various international software providers for CAD, 3D modeling, rendering

AI & Machine Learning Services:

• AI LLMs and related services (various international providers)

International Suppliers & Brands:

• European furniture brands and manufacturers (Italy, Germany, Scandinavia)

• American lighting and fixture suppliers

• Asian furniture manufacturers (China, Vietnam, Indonesia)

• Custom manufacturing partners in various countries

Payment Processing:

• International payment gateways for credit card processing

• Cross-border transactions for international supplier payments

6.3 Supplier and Partner Data Transfers

• Limited Scope: International suppliers receive only information necessary for order fulfillment

• Purpose Limitation: Data shared only for specific project purposes

• Independent Controllers: Once shared, international partners act as independent data controllers responsible for their own compliance

• Contractual Obligations: We require partners to protect your data and use it only for agreed purposes

• Client Awareness: When selecting international suppliers or services, you are informed which companies will receive your data

6.4 Your Rights and Transparency

• Informed Choices: We inform you when selecting international suppliers or services

• Right to Object: You may object to international transfers and request alternative solutions where feasible

• Data Subject Rights: Your PDPA rights apply regardless of where your data is processed

• Alternative Options: Where possible, we can suggest local alternatives if you prefer to avoid international transfers

6.5 Specific Country Transfers

Switzerland:

• Infomaniak (domain and email hosting)

• Swiss suppliers and brands

United States:

• Google (Workspace, Analytics)

• Microsoft (Office, Cloud services)

• Apple (iCloud)

• Adobe (Creative Cloud)

• Meta/Facebook (WhatsApp, Instagram, Facebook)

• LinkedIn

• TikTok operations

• Wix (website platform)

• Various design software providers

• Some furniture and lighting brands

Japan:

• LINE (messaging platform)

European Union (EU/EEA):

• Furniture and materials suppliers

• Design software and cloud services

• Some payment processors

China/Singapore:

• TikTok (ByteDance)

Asia Pacific:

• Furniture manufacturers (Vietnam, Indonesia, Malaysia)

• Materials suppliers

• Regional logistics companies

6.6 Ongoing Compliance Monitoring

We continuously monitor the legal landscape regarding international data transfers, including:

• PDPA Compliance: Ensuring transfers comply with Thailand's Personal Data Protection Act

• Adequacy Decisions: Monitoring changes in recognized adequate jurisdictions

• Enhanced Safeguards: Implementing additional security measures for sensitive data transfers

• Transfer Impact Assessments: Evaluating risks associated with specific international transfers

• Vendor Due Diligence: Regular review of international service providers' data protection practices

Note: The regulatory landscape for international data transfers continues to evolve. We are committed to adapting our practices to ensure continued compliance with applicable data protection laws while maintaining the quality and functionality of our design services.

7. Data Retention

7.1 General Retention Principle

We retain personal data only as long as necessary for project execution, client relationship management, and compliance with legal obligations. Once our business relationship ends and all legal retention requirements are satisfied, personal data is deleted or anonymized.

This typically includes:

• Contact and registration information

• Project specifications and design documents

• Communication records

• Payment and financial records

• Project photography and documentation (subject to consent and usage rights)

7.2 Specific Retention Periods

Active Client Projects:

• All project-related data retained throughout the duration of the project

• Retention continues through warranty periods and after-sales support

• Data maintained while actively working on your project(s)

Completed Projects:

• Project files, drawings, and specifications: 5 years after project completion

• Purpose: Warranty support, future renovation reference, professional liability

• Client can request earlier deletion after warranty period ends

Financial & Payment Records:

• 7 years after the end of the fiscal year in accordance with Thai Revenue Code requirements

• This applies regardless of other deletion requests

• Includes invoices, receipts, contracts, payment records, tax documents

Communication Records:

• Email and message correspondence (WhatsApp, LINE, email): 3 years after last communication

• Meeting notes and consultation records: 3 years after project completion

• Purpose: Reference for disputes, clarifications, or future projects

Marketing & Portfolio Content:

• Project photography with client consent: Retained indefinitely until consent is withdrawn

• Client testimonials: Retained indefinitely until consent is withdrawn

• Case studies: Retained indefinitely until consent is withdrawn

• Social media content (Instagram, Facebook, TikTok, LinkedIn): Until consent withdrawn

• Clients may request removal from marketing materials at any time

Website Analytics Data:

• Wix analytics data: Anonymized after 2 years maximum

• Cookie data: As specified in cookie settings

• Aggregate statistics: May be retained indefinitely in anonymized form

Legal Compliance & Dispute Records:

• Records retained as required by applicable law or pending legal proceedings

• Typically 10 years for professional liability purposes

• May be extended if active litigation or disputes exist

Cloud Storage & Backups:

• iCloud, Google Workspace, Microsoft Office files: Per active project and retention schedules

• Complete deletion from backups may take up to 90 days after deletion request

Security Logs & Access Records:

• System logs: 12 months for security and operational purposes

• Access logs for sensitive projects: 2 years

Inactive Client Accounts:

• If no activity for 3 years, we may contact you to confirm whether to retain or delete your data

• Data deleted or anonymized after 5 years of complete inactivity unless legal retention applies

7.3 Data Deletion Process

Client-Initiated Deletion:

• How to Request: Email us at contact@8kunya.com with subject "Data Deletion Request"

• Identity Verification: We verify your identity for security purposes

• Processing Timeline: Requests processed within 30 days of verification

• Scope of Deletion:

  • All non-legally required data permanently deleted

  • Financial records retained for 7 years as required by law

  • Marketing content removed if consent withdrawn

  • Project files may be anonymized rather than deleted if needed for legal compliance

  • Cloud storage (Google Workspace, iCloud, Microsoft Office) purged

  • Social media content featuring your project removed

What Gets Deleted:

• Contact information and profile data

• Communication records and correspondence (email, LINE, WhatsApp)

• Project preferences and notes (unless legally required)

• Marketing consent and newsletter subscriptions

• Website usage data and cookies

• Files stored in Google Workspace, iCloud, Microsoft Office

What May Be Retained (Legal Requirements):

• Financial records (7 years - Thai Revenue Code)

• Contracts and legal documents (professional liability period)

• Anonymized project data for internal analysis

• Data required for ongoing legal proceedings or disputes

Automatic Deletion:

• Analytics data automatically anonymized after 2 years

• Security logs automatically deleted after 12 months

• Temporary files and cache cleared regularly

• Cookie data managed per your cookie preferences

• Cloud backup rotation (90-day cycle)

7.4 Third-Party Data Retention

Contractors, Suppliers, and Service Providers:

• Once project data is shared with third parties (contractors, suppliers, vendors), they become independent controllers

• We require contractually that they use data only for project purposes and delete it afterwards

• Client Rights: To request deletion from third-party systems, you must contact them directly

• Our Assistance: We can provide you with:

  • List of contractors/suppliers who received your data

  • Contact information for each party

  • Approximate dates when data was shared

  • Guidance on exercising your rights with each party

Service Provider Retention:

• Google Workspace, Microsoft Office, iCloud, Adobe, Wix, Infomaniak: Per their respective retention policies

• LINE, WhatsApp, Instagram, Facebook, TikTok, LinkedIn: Per platform policies

• We can assist you in identifying which platforms hold your data

Marketing Photography/Videography:

• Professional photographers retain raw files per their contracts and industry standards

• Published content remains available unless you withdraw consent

• We can facilitate communication with photographers for data deletion requests

7.5 Project Portfolio & Archive Management

Internal Archives:

• We maintain anonymized project archives for design reference and portfolio development

• Personal identifiers (names, addresses, contact info) removed after retention period

• Visual documentation (photos) retained only with explicit ongoing consent

Published Portfolio:

• Projects published with your consent remain available until you request removal

• You can withdraw consent for marketing use at any time

• Removal from website typically within 14 days of withdrawal request

• Social media content (Instagram, Facebook, TikTok, LinkedIn) removed upon request

• Third-party publications (magazines, awards) cannot be retroactively removed by us

7.6 Legal and Regulatory Compliance

Thai Revenue Code: Financial records retained for 7 years regardless of deletion requests

Professional Liability: Project documentation may be retained for professional liability purposes even after client requests deletion (typically 5-10 years)

PDPA Compliance: Retention periods align with data minimization principles while respecting legal obligations

Industry Standards: Compliance with Thai architecture and design professional standards

7.7 Secure Deletion Procedures

When data is deleted:

• Operational Systems: Data permanently deleted from active databases

• Backups: Data removed from backups through regular rotation cycles (typically within 90 days)

• Cloud Storage: Data deleted from Google Workspace, iCloud, Microsoft Office, Adobe per their deletion procedures

• Physical Documents: Securely shredded or destroyed

• Documentation: Deletion actions documented where appropriate for accountability

• Legal Holds: Data subject to legal obligations retained in restricted, secure systems

• Communication Platforms: Message history removed from LINE, WhatsApp, email systems

Note: Complete deletion from all backup systems may take up to 90 days due to backup rotation schedules. However, your data will be immediately inaccessible in operational systems.

7.8 Data Retention Transparency

• We maintain internal records of retention periods for different data categories

• Upon request, we can provide information about how long specific data will be retained

• We review and update retention policies annually to ensure compliance and best practices

Recommendation: Clients should maintain their own copies of important project documents, drawings, and specifications for their records.

8. Your Rights Under Data Protection Law

Under the Thailand Personal Data Protection Act (PDPA) and international data protection laws (where applicable), you have the following rights:

8.1 Right of Access (PDPA Section 30)

What you can request:

• Confirmation of whether we are processing your personal data

• Information about how we process your data (purposes, categories, recipients)

• A copy of all personal data we hold about you

• Details about data retention periods

• Information about data sources (if not collected directly from you)

• Information about automated decision-making (if applicable)

How to access your data:

• Request by Email: Contact us at contact@8kunya.com for a complete data access report

• Data Format: We provide data in the most relevant format:

  • PDF for contracts and correspondence

  • Excel/CSV for structured data

  • ZIP file for design documents and images

  • Original formats for technical drawings and Adobe files

What we provide:

• Contact and profile information

• Project details and specifications

• Communication history (email, LINE, WhatsApp messages)

• Payment and financial records

• Design documents and approvals

• List of third parties who received your data (contractors, suppliers, cloud services)

• Consent records and preferences

• Files stored in Google Workspace, iCloud, Microsoft Office

Timeline: We respond within 30 days of your request (may be extended by 30 days for complex requests with notification)

8.2 Right to Rectification (PDPA Section 31)

Correcting inaccurate or incomplete data:

• Request Corrections: Email us at contact@8kunya.com to correct:

  • Incorrect personal details

  • Outdated project information

  • Inaccurate records or documentation

  • Incomplete information

Our Process:

• We verify the correction request

• Update our systems within 30 days

• Notify relevant third parties of corrections where necessary

• Confirm completion of updates to you

Important: For project-related technical information (specifications, measurements), corrections must be verified to ensure accuracy and safety.

8.3 Right to Erasure / "Right to be Forgotten" (PDPA Section 32)

When you can request deletion:

• Personal data no longer necessary for the purpose collected

• You withdraw consent (for consent-based processing)

• You object to processing and no overriding legitimate grounds exist

• Personal data processed unlawfully

• Legal obligation requires deletion

How to request deletion:

• Email: contact@8kunya.com

• Subject: "Data Deletion Request - [Your Name]"

• Include: Full name, project details, email address used

What gets deleted:

• Contact information and profile data

• Communication records (email, LINE, WhatsApp)

• Marketing preferences and subscriptions

• Non-essential project documentation

• Website usage and analytics data (Wix)

• Files in cloud storage (Google Workspace, iCloud, Microsoft Office)

• Social media content featuring your project (Instagram, Facebook, TikTok, LinkedIn)

What may be retained (Legal Limitations):

• Financial records: 7 years (Thai Revenue Code requirement)

• Contracts: Professional liability period (5-10 years)

• Legal documents: Required for compliance or ongoing disputes

• Anonymized data: Statistical and analytical data with identifiers removed

Third-Party Data:

• For data held by contractors, suppliers, vendors, or cloud service providers (Google, Microsoft, Apple, Adobe, etc.), we provide contact information

• You must request deletion directly from third parties

• We can assist by providing necessary contact details and guidance

Timeline: Processing within 30 days (immediate removal from operational systems; backup rotation may take up to 90 days)

8.4 Right to Restrict Processing (PDPA Section 33)

When you can request restriction:

• You contest the accuracy of personal data (until we verify accuracy)

• Processing is unlawful but you prefer restriction over deletion

• We no longer need the data, but you need it for legal claims

• You object to processing (pending verification of our legitimate grounds)

What restriction means:

• Data stored but not actively processed

• Limited use only for:

  • Legal claims or proceedings

  • Protection of rights of others

  • Important public interests

  • With your explicit consent

How to request:

• Email us at contact@8kunya.com with specific reasons for restriction

• We evaluate each request case-by-case

• Restriction implemented within 30 days if approved

Example scenarios:

• Disputing billing or project records during investigation

• Legal proceedings requiring data preservation

• Transitional period while resolving complaints

8.5 Right to Data Portability (PDPA Section 34)

What you can receive:

• Personal data you provided to us

• In structured, commonly used, machine-readable format

• Only for data processed based on consent or contract

Included data:

• Contact and profile information (CSV, JSON, or Excel)

• Project specifications and requirements (PDF, Excel)

• Communication records (PDF or text format)

• Preferences and selections (CSV or JSON)

• Uploaded documents and images (original formats)

• Design files (original formats from Adobe, architecture software)

Excluded data:

• Data generated by us (internal notes, evaluations)

• Third-party proprietary information

• Data affecting rights of others

Transmission options:

• Direct download from secure link

• Email transfer (encrypted if sensitive)

• Cloud storage link (Google Drive, iCloud, OneDrive)

• Direct transmission to another provider (where technically feasible)

Timeline: Provided within 30 days of request

8.6 Right to Object (PDPA Section 35)

Processing you can object to:

• Marketing communications and direct marketing

• Processing based on legitimate interests

• Profiling and automated decision-making

• Use of data for purposes beyond original consent

Absolute Right to Object:

• Direct Marketing: You can opt out at any time, no questions asked

• Effect: We immediately stop sending marketing materials (email, LINE messages, social media)

Conditional Right to Object:

• Legitimate Interest Processing: We must stop unless we demonstrate compelling legitimate grounds

• Essential Processing: We cannot stop processing necessary for contract performance or legal compliance

How to object:

• Marketing: Unsubscribe link in emails, or contact us at contact@8kunya.com

• Other Processing: Email with specific objection and reasons

• Selective Objection: Object to specific uses while continuing the relationship

Timeline: Marketing opt-outs processed immediately; other objections evaluated within 30 days

8.7 Right to Withdraw Consent (PDPA Section 19)

When consent can be withdrawn:

• For any processing based solely on your consent

• At any time, for any reason

• Withdrawal does not affect lawfulness of prior processing

Consent-based processing areas:

• Newsletter and promotional communications

• Marketing photography and portfolio use

• Social media sharing of project content (Instagram, Facebook, TikTok, LinkedIn)

• Optional data collection (beyond contract requirements)

• Non-essential cookies and tracking (Wix analytics)

• Testimonials and case studies

• AI-assisted design explorations (if optional)

How to withdraw consent:

• Email: contact@8kunya.com

• Subject: "Withdraw Consent - [Specific Purpose]"

• Unsubscribe Links: In marketing emails

• Cookie Settings: Via website cookie banner (Wix)

• Written Notice: For marketing photo/content usage

Effect of withdrawal:

• Immediate cessation of consent-based processing

• Removal from marketing materials within 14 days

• Social media content removal upon request

• No impact on contract-based services

• No penalties or negative consequences

Note: Withdrawing consent for essential project communications may affect our ability to complete your project.

8.8 Right to Lodge a Complaint (PDPA Section 78)

If you believe we have not adequately addressed your data protection concerns:

Thailand:

• Personal Data Protection Committee (PDPC)

• Website: https://www.pdpc.or.th

• Email: pdpc@mdes.go.th

• Phone: +66 (0) 2141 6993

• Address: Office of the Personal Data Protection Committee Ministry of Digital Economy and Society 120 Moo 3, Government Complex, Chaengwattana Road Laksi, Bangkok 10210 Thailand

EU (for EU residents):

• Your local data protection authority

• List available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en

Before filing a complaint:

• We encourage you to contact us first so we can address your concerns directly

• Many issues can be resolved through direct communication

• We take data protection concerns seriously and respond promptly

8.9 Rights of Children and Minors

• We do not knowingly collect data from individuals under 20 years old without parental consent (as per Thai law)

• Parents/guardians can exercise rights on behalf of minors

• Special care taken with family residential projects involving children

8.10 Assistance with Third-Party Rights Requests

For data held by contractors, suppliers, vendors, or service providers:

Our support:

• Provide contact information for relevant third parties

• Share details of when and what data was transferred

• Provide documentation of data sharing

• Offer guidance on exercising your rights with each party

• Facilitate communication upon request

What we can provide:

• Complete list of contractors/suppliers who received your data

• List of service providers (Google, Microsoft, Apple, Adobe, Wix, Infomaniak, LINE, WhatsApp, etc.)

• Project timeline and data sharing dates

• Copies of data sharing agreements (where applicable)

• Templates for rights requests to third parties

Note: Third parties are independent data controllers responsible for their own compliance. We cannot control their response times or decisions, but we will assist you in contacting them.

9. How to Exercise Your Rights

9.1 Contact Information for Rights Requests

Email: contact@8kunya.com

Subject Line: "Data Protection Request - [Your Name] - [Specific Right]"

Postal Address: Kunya Interior 25 Lat Phrao 101 Road, Soi 50 Khlong Chan, Bang Kapi Bangkok 10240 Thailand

Communication Channels:

• Email (preferred): contact@8kunya.com

• LINE: [Your LINE Official Account if applicable]

• WhatsApp: [Your WhatsApp Business number if applicable]

9.2 Required Information for Requests

To process your request efficiently and securely, please provide:

Essential Information:

• Your full name (as provided to us)

• Email address and/or phone number on file

• Project name or reference number (if applicable)

• Specific right you wish to exercise

• Clear description of your request

Identity Verification:

• Copy of ID card or passport (for security purposes)

• Additional verification may be required for sensitive requests

• We may ask security questions to confirm your identity

Optional but Helpful:

• Approximate dates of our business relationship

• Specific data categories you're inquiring about

• Preferred format for data delivery (for access requests)

• Preferred communication channel (email, LINE, WhatsApp)

9.3 Response Timeline

Standard Timeframe:

• 30 days from receiving a valid request

• If verification or clarification needed, the clock starts once we have complete information

Extensions:

• For complex requests, we may extend by an additional 30 days

• We will notify you within the initial 30 days if extension is needed

• We will explain the reason for any delay

Urgent Requests:

• Marketing opt-outs: Immediate (within 24 hours)

• Security or safety concerns: Priority handling

• Consent withdrawal: Immediate cessation of affected processing

9.4 Fees and Charges

Generally Free:

• First request for each right: No charge

• Reasonable requests: No charge

• Standard data formats: No charge

Fees May Apply:

• Manifestly unfounded requests: Administrative fee may apply

• Excessive requests: Repeated requests within short timeframe

• Large-volume data exports: Complex requests requiring significant resources

• Physical copies: Printing and shipping costs for physical document requests

Fee Notification:

• We notify you before applying any fee

• You can withdraw or modify your request before incurring charges

• Fees are reasonable and reflect actual costs

9.5 Request Evaluation Process

Upon receiving your request:

1. Acknowledgment: We confirm receipt within 3 business days

2. Verification: We verify your identity for security

3. Evaluation: We assess the request for validity and scope

4. Processing: We gather and prepare the requested information or action

5. Response: We provide complete response with explanation

6. Follow-up: We ensure your satisfaction with the resolution

9.6 Reasons We May Decline Requests

We may refuse or limit requests if:

• Identity cannot be verified: Security concerns prevent processing

• Legal obligations prevent deletion: Required retention periods apply (e.g., 7-year financial records)

• Manifestly unfounded or excessive: Repeated unreasonable requests

• Rights of others affected: Your request impacts privacy of others

• Legal proceedings: Active litigation requires data preservation

• Public interest: Important public health or safety reasons

If we decline:

• We explain the specific reason for refusal

• We provide information about complaint mechanisms (PDPC contact)

• We suggest alternative solutions where possible

9.7 Format and Delivery of Information

Data Access Requests:

Electronic Delivery (Preferred):

• Secure download link (password-protected)

• Encrypted email attachment

• Google Drive, OneDrive, or iCloud shared link

• WeTransfer or similar secure file sharing

Physical Delivery:

• Printed documents sent by registered mail (fees may apply)

• USB drive sent by courier (for large digital files)

• Available upon specific request

Data Formats:

• Structured data: CSV, Excel, JSON (machine-readable)

• Documents: PDF (for contracts, correspondence)

• Images: Original formats (JPG, PNG, RAW)

• Technical drawings: Original CAD formats (DWG, SKP) or PDF

• Design files: Adobe formats (PSD, AI, INDD) or PDF

• Mixed content: ZIP archive with organized folders

9.8 Language and Accessibility

• Requests can be made in Thai or English

• Responses provided in the language of the request

• Alternative formats available for accessibility needs

• Large print or simplified language upon request

9.9 Designated Contact Person

Data Protection Officer Email: contact@8kunya.com Subject: "Attention: Data Protection Officer"

For complex data protection inquiries, you may request direct communication with our Data Protection Officer.

9.10 Third-Party Assistance

• You may authorize a representative to make requests on your behalf

• Written authorization required with clear scope

• We may contact you directly to verify authorization

• Legal representatives (lawyers, family members) accepted with proper documentation

10. Cookies and Tracking Technologies

10.1 What Are Cookies?

Cookies are small text files stored on your device when you visit our website. They help us provide you with a better experience and understand how our website is used.

10.2 Types of Cookies We Use

Essential Cookies

• Purpose: Required for basic website functionality via Wix platform

• Examples:

  • Session management and security

  • Website functionality and navigation

  • Load balancing and performance

• Legal Basis: Legitimate interests (necessary for service provision)

• Can you opt-out? No - these are required for the website to function

• Duration: Session cookies (deleted when browser closes) or up to 1 year

Analytics Cookies

• Purpose: Understand website usage and improve user experience

• What they track:

  • Page views and navigation patterns

  • Time spent on pages

  • Click behavior and interactions

  • Device and browser information

  • Geographic location (country/city level)

• Services used:

  • Wix Analytics

  • Google Analytics (if enabled)

• Legal Basis: Consent - analytics cookies are only activated if you accept via cookie banner

• Can you opt-out? Yes - decline via cookie banner or opt-out directly with providers

• Duration: Up to 2 years

• Privacy safeguards: IP anonymization enabled, no personal identification

Functional Cookies

• Purpose: Enhanced website features and personalization

• Examples:

  • Language preferences (Thai/English)

  • Contact form pre-fill

  • Accessibility settings

• Legal Basis: Legitimate interests

• Can you opt-out? Yes - via cookie settings, but may affect user experience

• Duration: 30 days to 1 year

Marketing Cookies (If applicable)

• Purpose: Show relevant content and advertisements

• Examples:

  • Facebook Pixel (Meta) - for Instagram and Facebook advertising

  • TikTok Pixel

  • LinkedIn Insight Tag

  • Google Ads remarketing (if used)

• Legal Basis: Consent - only activated if you accept

• Can you opt-out? Yes - decline via cookie banner

• Duration: Up to 1 year

• What they track:

  • Pages visited on our website

  • Services viewed

  • Source of traffic

10.3 Third-Party Cookies

Wix Platform:

• Our website is built on Wix, which sets various cookies for functionality and analytics

• Wix Privacy Policy: https://www.wix.com/about/privacy

Social Media Plugins:

• Facebook, Instagram, LINE buttons may set cookies

• TikTok, LinkedIn integration

• Controlled by respective social media companies

Embedded Content:

• YouTube video players (if embedded)

• Google Maps (if embedded)

• Third-party design portfolio viewers

Note: We do not control third-party cookies. Please review their privacy policies:

• Google: https://policies.google.com/privacy

• Facebook/Meta: https://www.facebook.com/privacy

• LINE: https://line.me/en/terms/policy

• TikTok: https://www.tiktok.com/legal/privacy-policy

• LinkedIn: https://www.linkedin.com/legal/privacy-policy

• Wix: https://www.wix.com/about/privacy

10.4 Managing Cookies

Via Our Website:

• Cookie Banner: When you first visit, you'll see a cookie consent banner (Wix)

• Accept All: Enables all cookies for optimal experience

• Reject Non-Essential: Only essential cookies will be used

• Customize: Choose which cookie categories to accept

• Change Anytime: Access cookie settings in website footer

Via Your Browser:

Google Chrome:

• Settings > Privacy and Security > Cookies and other site data

Safari:

• Preferences > Privacy > Manage Website Data

Firefox:

• Options > Privacy & Security > Cookies and Site Data

Edge:

• Settings > Cookies and site permissions

Mobile Browsers:

• Similar settings in app preferences

Note: Blocking all cookies may affect website functionality (e.g., contact forms may not work properly).

10.5 Opt-Out Tools for Analytics

Google Analytics Opt-Out:

• Browser add-on: https://tools.google.com/dlpage/gaoptout

• Effect: Prevents Google Analytics from tracking you across all websites

Wix Analytics:

• Managed through cookie consent banner on our website

• Or through browser cookie settings

10.6 Do Not Track (DNT)

• We respect "Do Not Track" browser settings where technically feasible

• Note: DNT is not universally supported by all tracking technologies

• For strongest privacy, combine DNT with cookie restrictions and opt-outs

10.7 Cookie Duration and Refresh

Session Cookies:

• Deleted automatically when you close your browser

• Used for temporary functionality during your visit

Persistent Cookies:

• Remain on your device for specified duration

• Shortest duration: 30 days (functional preferences)

• Typical duration: 1 year (analytics, social media)

• Longest duration: 2 years (aggregate analytics)

• Automatically deleted when expired

10.8 Social Media Tracking

Facebook/Instagram (Meta) Pixel:

• May track your visit even if you don't interact

• Used for targeted advertising on Instagram and Facebook

• Control via cookie settings

TikTok Pixel:

• May track website visits for TikTok advertising

• Control via cookie settings

LinkedIn Insight Tag:

• May track visits for LinkedIn marketing

• Control via cookie settings

LINE Official Account Integration:

• May set cookies for LINE platform integration

• Control via cookie settings

10.9 Pixel Tags and Web Beacons

• Small transparent images embedded in emails or web pages

• Used to track email opens and engagement

• Can be blocked by disabling images in email client

• Used for analytics and marketing effectiveness measurement

10.10 Local Storage and Similar Technologies

HTML5 Local Storage:

• More persistent than cookies

• Used by Wix platform for richer features

• Can be cleared via browser settings

Flash Cookies / LSOs:

• We do not use Flash technology

10.11 Cross-Site Tracking

• We do not sell your data to third parties

• Third-party cookies (e.g., Facebook, Google, TikTok) may track you across sites

• Control via cookie settings and browser privacy features

• We use tracking only to improve our services and relevant marketing

10.12 Cookie Policy Updates

• We may update our cookie usage as technology and services evolve

• Material changes communicated via website notice

• Regular review and optimization of cookie practices

10.13 Contact About Cookies

Questions about our cookie practices?

Email: contact@8kunya.com Subject: "Cookie Inquiry"

We'll respond with detailed information about specific cookies and how to manage them.

11. Data Security

We implement comprehensive technical and organizational measures to protect your personal data from unauthorized access, alteration, disclosure, or destruction.

11.1 Technical Security Measures

Encryption:

• Data in Transit: SSL/TLS encryption (HTTPS) for all website communications via Wix

• Data at Rest: Encrypted storage for sensitive client information

• File Transfers: Secure protocols (encrypted email, secure cloud sharing via Google Drive, OneDrive, iCloud)

• Backup Encryption: Encrypted backup systems

• Database Encryption: Sensitive fields encrypted in databases

• Cloud Storage: Encrypted storage in Google Workspace, Microsoft Office, iCloud, Adobe Creative Cloud

Access Controls:

• Authentication: Strong password requirements for all systems

• Multi-Factor Authentication (MFA): Enabled for Google Workspace, Microsoft Office, iCloud, Adobe

• Role-Based Access: Team members access only data necessary for their role

• Least Privilege Principle: Minimum necessary access rights assigned

• Access Logs: All data access logged and monitored

• Automatic Logout: Sessions expire after inactivity period

Infrastructure Security:

• Secure Hosting: Wix platform with security certifications, Infomaniak for domain/email

• Firewalls: Network-level and application-level firewalls

• Intrusion Detection: Real-time monitoring for suspicious activity

• DDoS Protection: Defense against denial-of-service attacks via Wix

• Regular Updates: Security patches applied promptly to all systems

• Vulnerability Scanning: Regular automated security scans

• Penetration Testing: Periodic security assessments by professionals

Network Security:

• Wifi Security: WPA3 encryption on office networks

• Network Segmentation: Sensitive systems isolated

• Guest Network: Separate network for visitors

• VPN Access: Secure remote access when needed

Secure Development:

• Security Testing: Testing for common vulnerabilities

• Secure APIs: Authentication and rate limiting on API endpoints

• Input Validation: Protection against malicious input

11.2 Organizational Security Measures

Staff Training:

• Data Protection Training: Mandatory training for all team members

• Onboarding Security: Security briefing for new hires

• Regular Updates: Ongoing training on emerging threats

• Phishing Awareness: Training to recognize social engineering attacks

• Confidentiality Agreements: All staff sign confidentiality agreements

Access Management:

• Need-to-Know Basis: Data access limited to essential personnel

• Access Reviews: Regular audit of who has access to what data

• Offboarding Process: Immediate access revocation when employees leave

• Contractor Management: Third-party contractors bound by security requirements

• Visitor Controls: Physical access controls for office visitors

Data Handling Procedures:

• Clear Desk Policy: Sensitive documents secured when not in use

• Secure Disposal: Shredding of physical documents, secure deletion of digital files

• Document Classification: Sensitivity levels assigned to documents

• Transfer Protocols: Standardized procedures for data sharing (encrypted email, secure cloud links)

• Client File Management: Organized, secure storage of project files in Google Workspace, iCloud, Microsoft Office

Data Processing Agreements:

• Vendor Contracts: Data protection clauses with all service providers (Wix, Infomaniak, Google, Microsoft, Adobe, etc.)

• Contractor Agreements: Security requirements for contractors

• Supplier Standards: Evaluation of third-party security practices

• Regular Audits: Compliance verification with contract terms

Incident Response:

• Response Plan: Documented procedures for security incidents

• Incident Team: Designated personnel for incident response

• Communication Plan: Protocols for notifying affected parties

• Post-Incident Review: Analysis and improvement after incidents

• Business Continuity: Plans for maintaining operations during incidents

Governance and Compliance:

• Privacy by Design: Security considered from project inception

• Data Protection Officer: Designated responsibility for data protection

• Regular Audits: Internal reviews of security practices

• Compliance Monitoring: Ongoing PDPA compliance verification

• Documentation: Maintained records of security measures

11.3 Physical Security

Office Security:

• Access Control: Secure building access at 25 Lat Phrao 101 Road

• Secure Storage: Locked cabinets for sensitive physical documents

• Visitor Management: Sign-in procedures for office visitors

• After-Hours Security: Alarm systems and security protocols

Device Security:

• Laptop Encryption: Full-disk encryption on company devices

• Mobile Device Management: Security policies for mobile devices

• Lost/Stolen Protocols: Remote wipe capability for lost devices

• Secure Disposal: Professional destruction of old hardware

• BYOD Policy: Security requirements for personal devices used for work

11.4 Cloud and Backup Security

Cloud Storage Security:

• Reputable Providers: Certified cloud services

  • Google Workspace (Google Drive, Gmail)

  • Microsoft Office (OneDrive, Outlook)

  • iCloud (Apple)

  • Adobe Creative Cloud

  • Wix (website)

  • Infomaniak (domain and email)

• Access Controls: Restricted and monitored cloud access

• Encryption: Data encrypted in cloud storage

• Two-Factor Authentication: Enabled on all cloud accounts

• Geographic Location: Data stored in secure data centers

• Compliance: Cloud providers meeting international security standards (ISO 27001, SOC 2)

Backup and Recovery:

• Regular Backups: Automated daily backups of critical data

• Encrypted Backups: Backup files encrypted

• Cloud Backups: Stored across Google Drive, OneDrive, iCloud

• Off-Site Storage: Backups stored in geographically separate cloud locations

• Backup Testing: Regular verification of backup restoration

• Retention Policy: Backups retained according to retention schedule (90-day rotation)

• Disaster Recovery: Documented procedures for data recovery

11.5 Email and Communication Security

Email Protection:

• Infomaniak Email Hosting: Secure email infrastructure in Switzerland

• Google Workspace: Additional email accounts with advanced security

• Spam Filtering: Advanced spam and malware filtering

• Encryption: Encrypted email for sensitive communications (when requested)

• Phishing Protection: Tools to detect and block phishing attempts

Communication Tools:

• Secure Platforms: Use of reputable, encrypted communication tools

• WhatsApp Business: End-to-end encrypted messaging

• LINE Official Account: Secure messaging platform

• Video Conferencing: Secure Zoom/Teams with waiting rooms and passwords (if used)

11.6 Payment Security

• PCI DSS Compliance: Payment processing follows Payment Card Industry standards

• No Card Storage: We never store complete credit card numbers

• Secure Gateways: Third-party certified payment processors

• Fraud Detection: Monitoring for suspicious transactions

• Invoice Security: Secure delivery via email or cloud links

11.7 Data Breach Prevention and Detection

Prevention Measures:

• Security Monitoring: Continuous monitoring of critical systems

• Threat Intelligence: Staying informed about emerging threats

• Anomaly Detection: Automated alerts for unusual access patterns

• User Behavior Analytics: Identifying suspicious user behavior

• Regular Updates: Timely application of security patches to all platforms

Detection Measures:

• Log Analysis: Regular review of security logs

• Incident Alerts: Real-time notifications of potential breaches

• Cloud Platform Security: Leveraging security features of Google, Microsoft, Apple, Adobe

11.8 Data Breach Notification

In the event of a personal data breach affecting your data:

Our Response:

• Internal Assessment: Immediate investigation and containment within 24 hours

• Authority Notification: Report to Personal Data Protection Committee (PDPC) within 72 hours if required by law

• Client Notification: Inform affected individuals without undue delay if high risk to rights and freedoms

• Documentation: Comprehensive documentation of breach and response

• Remediation: Immediate steps to prevent further breaches

What We Will Tell You:

• Nature of the breach and data affected

• Likely consequences and potential risks

• Measures taken to address the breach

• Recommendations for protecting yourself

• Contact point for further information (contact@8kunya.com)

Your Actions:

• Follow any specific guidance we provide

• Monitor for unusual activity (if financial data affected)

• Consider changing passwords if credentials compromised

• Report suspicious activity to us immediately

11.9 Employee and Contractor Security

Background Checks:

• Reference verification for new hires (where legally permitted)

• Professional credential verification

Confidentiality Obligations:

• Non-disclosure agreements (NDAs) with all staff

• Confidentiality clauses in contractor agreements

• Clear policies on data handling and confidentiality

Separation Procedures:

• Immediate access revocation upon termination

• Return of all company devices and documents

• Exit interviews covering confidentiality obligations

11.10 Platform-Specific Security

Wix Platform Security:

• Website hosted on Wix with enterprise-grade security

• SSL certificates and HTTPS encryption

• Regular security updates by Wix

• DDoS protection and firewall

Infomaniak Security:

• Swiss-based hosting with strong data protection

• GDPR compliant

• ISO 27001 certified

Google Workspace Security:

• Enterprise-grade security and encryption

• Advanced threat protection

• Two-factor authentication

• Data loss prevention

Microsoft Office 365 Security:

• Enterprise security features

• Advanced threat protection

• Multi-factor authentication

iCloud Security:

• Apple's security infrastructure

• End-to-end encryption for sensitive data

• Two-factor authentication

Adobe Creative Cloud Security:

• Secure cloud storage

• Access controls and encryption

• Regular security updates

11.11 Continuous Improvement

Security Practices:

• Regular Reviews: Annual comprehensive security audits

• Industry Standards: Alignment with ISO 27001, NIST frameworks

• Threat Landscape: Continuous monitoring of security trends

• Vulnerability Management: Prompt remediation of identified vulnerabilities

• Platform Updates: Keeping all cloud services and software up to date

Investment in Security:

• Ongoing investment in security tools and training

• Subscription to enterprise-grade security features

• Consultation with security experts

• Adoption of emerging security technologies

11.12 Security Limitations and User Responsibilities

What We Cannot Control:

• Security of your personal devices

• Strength of your passwords

• Your email account security

• Physical security of your location

• Social engineering attacks targeting you directly

• Security of your home WiFi network

Your Responsibilities:

• Strong Passwords: Use unique, complex passwords for email and cloud accounts

• Device Security: Keep your devices updated and protected

• Phishing Awareness: Be cautious of suspicious emails, LINE messages, WhatsApp messages

• Secure Networks: Avoid public WiFi for sensitive communications

• Physical Security: Protect physical documents we provide

• Report Incidents: Notify us immediately of security concerns via contact@8kunya.com

11.13 Security Questions?

For security-related inquiries:

Email: contact@8kunya.com Subject: "Security Inquiry"

To report a security concern: Email: contact@8kunya.com Subject: "URGENT: Security Incident Report"

12. Third-Party Links and Services

12.1 Third-Party Websites and Links

Our website and communications may contain links to external websites and services not operated by Kunya Interior. This Privacy Policy does not apply to third-party sites.

Examples of third-party links:

• Supplier and manufacturer websites

• Furniture brand catalogs

• Design inspiration platforms (Pinterest, Houzz, etc.)

• Social media profiles (Instagram, Facebook, TikTok, LinkedIn)

• Review platforms

• Industry associations

• Blog references and resources

Important:

• We are not responsible for privacy practices of third-party websites

• Third-party sites have their own privacy policies

• We encourage you to review privacy policies before providing personal information

• Links do not imply endorsement of third-party privacy practices

12.2 Third-Party Services We Use

Website & Hosting Services:

Wix

• Purpose: Website platform, hosting, and content management

• Location: USA/Global CDN

• Data collected: Website analytics, visitor behavior, form submissions

• Privacy policy: https://www.wix.com/about/privacy

• Opt-out: Cookie settings on our website

Infomaniak

• Purpose: Domain registration and email hosting

• Location: Switzerland (GDPR compliant)

• Data collected: Domain registration info, email communications

• Privacy policy: https://www.infomaniak.com/en/legal/confidentiality-policy

• Security: ISO 27001 certified, Swiss data protection

Cloud & Productivity Services:

Google Workspace

• Purpose: Email (Gmail), cloud storage (Google Drive), collaboration (Google Docs, Sheets)

• Location: USA/Global data centers

• Data collected: Email communications, stored documents, calendar data

• Privacy policy: https://policies.google.com/privacy

• Security: Enterprise-grade encryption, ISO 27001, SOC 2

• Opt-out: Not possible for essential business operations

Microsoft Office / Office 365

• Purpose: Document creation (Word, Excel, PowerPoint), cloud storage (OneDrive)

• Location: USA/Global data centers

• Data collected: Documents, email (if Outlook used), cloud files

• Privacy policy: https://privacy.microsoft.com

• Security: Enterprise-grade encryption, ISO 27001

• Opt-out: Not possible for essential business operations

iCloud

• Purpose: File storage, synchronization, backup

• Location: USA/Global (Apple)

• Data collected: Files, photos, documents

• Privacy policy: https://www.apple.com/legal/privacy

• Security: End-to-end encryption (for certain data types)

• Opt-out: Not possible for business file management

Adobe Creative Cloud

• Purpose: Design software (Photoshop, Illustrator, InDesign), cloud storage

• Location: USA/Global

• Data collected: Creative files, project data

• Privacy policy: https://www.adobe.com/privacy.html

• Security: Cloud encryption, access controls

• Opt-out: Not possible for design operations

Architecture & Design Software:

Various architecture software platforms (e.g., AutoCAD, SketchUp, Revit, etc.)

• Purpose: Technical drawings, 3D modeling, project visualization

• Location: Varies by software (USA, Europe)

• Data collected: Design files, project specifications

• Privacy policies: Available on respective software websites

• Security: Industry-standard encryption and access controls

AI & Machine Learning Services:

AI LLMs (Large Language Models)

• Purpose: Design assistance, content creation, project optimization, communication drafting

• Providers: Various AI service providers

• Location: Varies (primarily USA)

• Data collected: Text prompts, design queries, communication drafts

• Important: We do not share sensitive client personal data with AI services without consent

• Privacy: Each AI service has its own privacy policy

• Usage: AI is used as a tool to enhance creativity and efficiency, not replace human judgment

Communication & Messaging Tools:

LINE Official Account

• Purpose: Client messaging, project updates, customer service

• Location: Japan

• Data collected: Messages, contact information, interaction history

• Privacy policy: https://line.me/en/terms/policy

• Encryption: End-to-end encrypted messages

• Opt-out: You can stop using LINE and use email instead

WhatsApp Business

• Purpose: Client messaging, quick updates, media sharing

• Location: USA (Meta/Facebook)

• Data collected: Messages, phone numbers, media files

• Privacy policy: https://www.whatsapp.com/legal/privacy-policy

• Encryption: End-to-end encrypted

• Opt-out: You can choose not to use WhatsApp

Social Media Platforms:

Instagram (Meta/Facebook)

• Purpose: Portfolio showcase, client engagement, marketing

• Location: USA

• Data collected: Posts, interactions, engagement metrics, DM communications

• Privacy policy: https://help.instagram.com/519522125107875

• Business tools: Instagram Business account features

• Opt-out: Don't follow or interact with our Instagram page

Facebook (Meta)

• Purpose: Business page, client community, event announcements

• Location: USA

• Data collected: Page interactions, likes, comments, messages

• Privacy policy: https://www.facebook.com/privacy

• Facebook Pixel: May be used for advertising (with consent)

• Opt-out: Don't follow or interact with our Facebook page

TikTok

• Purpose: Design content, project showcases, marketing

• Location: China/Singapore (ByteDance)

• Data collected: Video views, interactions, engagement metrics

• Privacy policy: https://www.tiktok.com/legal/privacy-policy

• TikTok Pixel: May be used for advertising (with consent)

• Opt-out: Don't follow or interact with our TikTok account

LinkedIn

• Purpose: Professional networking, B2B marketing, project showcases

• Location: USA (Microsoft)

• Data collected: Professional profile interactions, company page engagement

• Privacy policy: https://www.linkedin.com/legal/privacy-policy

• LinkedIn Insight Tag: May be used for analytics (with consent)

• Opt-out: Don't follow or connect with our LinkedIn page

Payment Processing:

[Thai payment processors - e.g., 2C2P, Omise, Kasikorn Bank payment gateway]

• Purpose: Secure payment processing

• PCI DSS compliant: Yes

• Data collected: Transaction details, payment method

• Data storage: We do not store complete card numbers

• Privacy policy: [Link to processor's policy]

Analytics & Tracking:

Wix Analytics

• Built into Wix platform

• Website usage statistics, visitor behavior

• Privacy policy: https://www.wix.com/about/privacy

Google Analytics (if enabled)

• Website traffic analysis

• Privacy policy: https://policies.google.com/privacy

• Opt-out: https://tools.google.com/dlpage/gaoptout

12.3 Data Processing Agreements

For all third-party service providers processing personal data on our behalf:

• Contractual Protection: Terms of service and data processing agreements

• PDPA Compliance: Services selected for data protection standards

• Security Standards: Minimum security requirements verified

• Purpose Limitation: Use restricted to specified purposes

• Confidentiality: Confidentiality obligations in terms of service

• International Standards: ISO 27001, SOC 2, GDPR compliance where applicable

12.4 International Service Providers

Many services we use are provided by international companies:

United States:

• Google (Workspace, Analytics, Drive)

• Meta/Facebook (WhatsApp, Instagram, Facebook)

• Microsoft (Office 365, OneDrive, Teams)

• Adobe (Creative Cloud)

• Wix (website platform)

• Various AI LLM providers

• Various architecture software providers

Switzerland:

• Infomaniak (domain and email)

Japan:

• LINE (messaging platform)

China/Singapore:

• TikTok (social media - ByteDance)

Safeguards:

• Standard contractual clauses where applicable

• Adequacy decisions (e.g., Switzerland)

• Encryption and additional security measures

• Enterprise-grade service agreements

• Regular security audits of providers

12.5 Social Media Integrations

Embedded Social Media Content:

• Facebook Like/Share buttons

• Instagram feed embeds

• TikTok embeds

• LinkedIn sharing buttons

What this means:

• These plugins may set cookies even if you don't click them

• Social media companies may track your visit to our website

• Control via cookie settings and browser privacy features

Our Social Media Pages:

When you interact with our official social media pages (Instagram, Facebook, TikTok, LinkedIn):

• Your interactions governed by social media platform's privacy policy

• We may see basic analytics (engagement metrics, demographics)

• We do not collect additional data beyond platform-provided analytics

• Direct messages are stored by the platform per their retention policies

12.6 Supplier and Manufacturer Portals

When we coordinate orders on your behalf:

• Some suppliers require registration or data entry

• We may create accounts using your information (with permission)

• Supplier privacy policies apply to data they hold

• We recommend reviewing terms if you interact directly with suppliers

Examples:

• International furniture brand websites

• Custom manufacturing portals

• Materials specification databases

12.7 Cloud Storage and File Sharing

Google Drive

• Sharing project files, design documents, client presentations

• Privacy policy: https://policies.google.com/privacy

Microsoft OneDrive

• File sharing and collaboration

• Privacy policy: https://privacy.microsoft.com

Apple iCloud

• File storage and synchronization

• Privacy policy: https://www.apple.com/legal/privacy

Adobe Cloud

• Creative files and project assets

• Privacy policy: https://www.adobe.com/privacy.html

WeTransfer / Large File Transfer Services (if used)

• Temporary sharing of large design files

• Files typically deleted after 7 days

• Privacy policy: Available on service website

12.8 Your Control Over Third-Party Data

You can:

• Disable cookies to limit third-party tracking

• Opt out of analytics services directly

• Review and delete data held by third parties

• Close accounts with third-party services

• Exercise rights directly with service providers (Google, Microsoft, Apple, Adobe, Meta, LINE, TikTok, LinkedIn)

We can:

• Provide information about which services we use

• Assist in identifying relevant third parties for your data requests

• Consider alternative services if you have privacy concerns

12.9 Changes to Third-Party Services

• We may add, remove, or change service providers as needed for business operations

• Material changes to key services will be reflected in Privacy Policy updates

• We evaluate new services for privacy and security before adoption

12.10 Questions About Third-Party Services?

Email: contact@8kunya.com Subject: "Third-Party Service Inquiry"

We'll provide detailed information about specific services and their data practices.