Tact Privacy Statement

Last updated: 1 May 2026

This Privacy Statement is issued by Tact Ai Co., Ltd. (“Tact,” “we,” “us,” or “our”). Tact values your privacy and is committed to protecting the Personal Data you share with us.

This Privacy Statement explains how we collect, use, disclose, transfer, store, and protect Personal Data that identifies, or may identify, an individual, either directly or indirectly (“Personal Data”), through various channels, both online and offline.

This Privacy Statement applies to our websites, business communications, consulting services, training programs, events, software implementation services, digital platforms, AI-enabled tools, project platform, and other services operated or provided by Tact, unless a separate privacy notice or agreement applies.

Your Personal Data will be processed in accordance with applicable laws, including Thailand’s Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) and, where applicable, other relevant data protection laws.

This Privacy Statement is intended to provide general information about Tact’s data processing activities. Where we process Personal Data on behalf of an enterprise customer, project owner, or other organization, additional terms may apply under the relevant contract, data processing agreement, project terms, or service-specific privacy addendum.

Who We Are and How to Contact Us

The data controller or service provider responsible for this Privacy Statement is:

Tact Ai Co., Ltd.
Head Office: 8/12 Soi Vibhavadi Rangsit 44, Lat Yao Subdistrict, Chatuchak District, Bangkok 10900, Thailand
Email: [email protected]

For privacy-related questions, requests, or complaints, you may contact us at the email address above. We may request additional information to verify your identity before processing certain requests.

Scope of This Privacy Statement

This Privacy Statement applies to Personal Data collected, used, disclosed, or otherwise processed by Tact through externally facing services, activities, tools, websites, and other data processing activities where Tact acts as a data controller or equivalent role under applicable law. This includes interactions with our clients and their current, former, or prospective employees, suppliers, business contacts, partners, website users, event participants, trainees, job applicants, and other individuals who interact with Tact. This Privacy Statement also applies, in a general manner, to Personal Data processed through Tact-operated digital platforms, project platform, certification or assessment platform, sustainability and carbon accounting tools, e-learning systems, AI-assisted workflow tools, and other technology-enabled services. Certain services may involve additional data processing activities that require more specific information. In such cases, this Privacy Statement may be supplemented by a service-specific privacy addendum, privacy notice, data processing agreement, or contractual terms. For example, the Tact GSTC Readiness platform may have a separate privacy addendum describing uploaded evidence, AI-assisted document mapping, certification-body access, audit logs, and related workflow data.

Tact’s Role: Data Controller and Data Processor

Depending on the context, Tact may act either as a Data Controller or a Data Processor.

When Tact determines the purposes and means of processing Personal Data, Tact acts as a Data Controller. This may include processing Personal Data for website operations, business development, customer relationship management, marketing communications, event registration, training administration, billing, recruitment, legal compliance, security, and general business administration.

When Tact processes Personal Data on behalf of an enterprise customer, project owner, platform customer, or other organization according to their instructions, Tact may act as a Data Processor. This may include hosting, configuring, analyzing, validating, mapping, or otherwise processing data submitted by users through Tact-operated platforms or project environments.

Where Tact acts as a Data Processor, the relevant customer or organization is generally responsible for determining the lawful basis for processing, providing required notices to data subjects, obtaining any required consent, and ensuring that Personal Data submitted to Tact is lawful, accurate, relevant, and limited to what is necessary. Tact will process such Personal Data in accordance with the relevant agreement and applicable law.

Personal Data We Collect

We may collect and process the following types of Personal Data:

Identity and Personal Details Name, surname, photo, gender, identification number, passport number, nationality, country of residence, organization, department, job title, position, and other information that may identify you.
Contact Details Email address, telephone number, mailing address, business address, Line ID, social media contact details, and other communication information.
Business and Professional Information Professional role, employer, organization, department, work location, business contact history, stakeholder category, project role, decision-making authority, and information related to your interaction with Tact.
Marketing and Technical Information IP address, browser type, device information, operating system, cookies, website usage data, log data, analytics data, marketing preferences, survey responses, email engagement data, and information related to your interaction with our website or digital communications.
Commercial and Service Information History and records of products or services you have obtained from Tact, enquiries, proposals, quotations, contracts, project documents, correspondence, feedback, support requests, account receivable information, and commercial follow-up records.
Financial and Billing Information Payment details, invoicing information, tax information, billing address, purchase orders, receipts, payment status, and other information required for accounting, finance, and tax administration.
Audiovisual Materials Photographs, images, video footage, audio recordings, CCTV footage, webinar recordings, meeting recordings, event recordings, training recordings, transcripts, and related security or monitoring materials.
System, Application, and Platform Usage Data Information about your interactions with software solutions, applications, project environments, or digital platforms that we implement, operate, or support, including system configurations, user feedback, access logs, activity logs, usage patterns, technical diagnostics, and operational insights. This may include login records, IP address, device identifiers, user role, permission settings, uploaded file metadata, download history, submission history, review status, comments, timestamps, workflow actions, and audit trails.
Uploaded Content and Project Data Where you or your organization use Tact-operated platforms, project platform, certification platform, assessment tools, or implementation environments, we may process documents, files, photos, forms, reports, certificates, policies, contracts, invoices, operational records, evidence files, templates, spreadsheets, images, survey results, training records, supplier records, environmental data, carbon accounting data, sustainability data, and other content uploaded, submitted, or generated through the relevant service. Uploaded content may contain Personal Data relating to employees, customers, guests, suppliers, contractors, community members, auditors, reviewers, or other third parties. Users and customer organizations should avoid uploading unnecessary Personal Data and should redact or minimize Personal Data where possible.
AI Processing and Analytical Data Where our services use AI-enabled or automated tools, we may process classification outputs, mapping results, confidence scores, recommendations, validation results, summaries, system-generated comments, reviewer comments, audit or assessment workflow status, and other analytical outputs generated from data submitted to the relevant service.
Training, Event, and Learning Data For training, workshops, seminars, e-learning, or certification-related programs, we may process registration details, attendance records, learning progress, pre-test and post-test results, certificates of completion, feedback forms, event photographs, videos, dietary requirements, accessibility requirements, and related participation records.
Talent Management and Recruitment Information Information provided during recruitment, employment screening, interviews, candidate evaluation, and hiring processes, including CVs, employment history, education records, qualifications, references, interview notes, expected salary, and other professional information, to the extent permitted by applicable law.
Sensitive Personal Data Certain types of sensitive Personal Data may be processed where permitted by law or where appropriate consent has been obtained. This may include health or medical information, disability status, dietary requirements, allergies, religious dietary restrictions, biometric information, or other sensitive data as defined by applicable law. Tact does not seek to collect sensitive Personal Data unless it is necessary for a specific purpose, required by law, provided by you voluntarily, or included in content uploaded by you or your organization. Where sensitive Personal Data is not required, you should not provide it and should remove or redact it before submission.
Other Information Any additional information you provide to us voluntarily during communications, project engagements, platform use, surveys, events, support requests, or other interactions with Tact.

How We Collect Personal Data

We may collect Personal Data through the following means:

Direct Interactions
Information provided by you when filling out forms, contacting us, subscribing to updates, requesting consulting services, registering for events or courses, submitting project information, using our platforms, or providing feedback during project engagements.
Automated Technologies
Information collected through cookies, log files, analytics tools, tracking technologies, application logs, system logs, security logs, and platform usage monitoring when you visit our website or use software solutions, applications, or platforms that we implement, operate, or support.
Third-Party Sources
Information received from publicly available sources, business partners, referrals, software providers, platform administrators, customer organizations, project owners, certification bodies, auditors, reviewers, consultants, or other parties involved in delivering the relevant service.
Software Implementation and Platform Processes
Data generated or collected during the configuration, customization, integration, testing, deployment, support, operation, or improvement of software solutions, platforms, tools, or project environments tailored to your organization’s needs.
This may include data imported from customer systems, spreadsheets, forms, enterprise applications, cloud environments, sustainability management tools, carbon accounting systems, certification workflows, or third-party software integrations.

Purposes and Legal Bases for Processing Personal Data

We process Personal Data for the purposes described below. The applicable legal basis may depend on the type of Personal Data, the context of collection, the relevant service, and the jurisdiction that applies.
Where Tact acts as a Data Controller, we rely on one or more lawful bases such as contractual necessity, steps prior to entering into a contract, legitimate interests, legal obligation, consent, vital interests, or other lawful grounds permitted by applicable law. Where Tact acts as a Data Processor, we generally process Personal Data according to the instructions of the relevant customer or organization.

Processing Activity	Purpose	Indicative Legal Basis
Website and enquiry management	To respond to enquiries, provide information, manage contact forms, and communicate with interested users	Contractual necessity, pre-contractual steps, legitimate interests
Consulting and project delivery	To provide consulting services, implementation support, technical advisory, project management, and project reporting	Contractual necessity, legitimate interests
Account and platform administration	To create user accounts, authenticate users, manage access rights, user roles, user rights, and operate digital platforms	Contractual necessity, legitimate interests, customer instruction where Tact acts as processor
Uploaded documents and project data	To provide platform services, document analysis, evidence review, workflows, reporting, project management, and project support	Contractual necessity, legitimate interests, customer instruction where Tact acts as processor
AI-assisted tools	To classify documents, map evidence, summarize content, validate information, detect potential gaps, generate recommendations, support review workflows, and improve service quality	Contractual necessity, legitimate interests, customer instruction, consent where required
Training and events	To register participants, manage attendance, issue certificates, evaluate training outcomes, collect feedback, and document events	Contractual necessity, legitimate interests, consent where required
Marketing and outreach	To send service updates, newsletters, event invitations, publications, product information, and other communications that may be relevant to you	Consent or legitimate interests, depending on context
Billing, accounting, and tax	To issue quotations, invoices, receipts, tax documents, payment records, and financial reports	Contractual necessity, legal obligation
Security and fraud prevention	To protect our systems, prevent unauthorized access, investigate misuse, maintain audit logs, and ensure platform integrity	Legitimate interests, legal obligation
Legal and compliance	To comply with applicable laws, regulatory requests, court orders, contractual obligations, and dispute resolution requirements	Legal obligation, legitimate interests
Recruitment	To assess applications, manage interviews, verify qualifications, and administer hiring processes	Pre-contractual steps, legitimate interests, consent where required
Supplier management	To manage contracts, vendor selection, operational data, and supplier performance to improve our services and platform	Legitimate interests, contract where required

We will not process Personal Data for purposes that are materially different from those described in this Privacy Statement or in an applicable service-specific notice unless permitted by law or unless we provide additional notice and, where required, obtain appropriate consent.

AI-Enabled Tools and Automated Processing

Tact may use AI-enabled tools, machine learning, automation, or rule-based systems to support our services. These tools may be used for document classification, evidence mapping, sustainability analysis, carbon accounting workflows, data validation, summarization, recommendation generation, workflow routing, reporting, and service improvement. AI-generated outputs are intended to support human review and decision-making. Unless explicitly stated otherwise in a service-specific agreement, AI outputs do not constitute final certification decisions, audit conclusions, legal advice, professional assurance, or regulatory determinations. Tact will not use identifiable customer-uploaded content to train public AI models or third-party foundation models unless expressly agreed in writing. Where data is used to improve internal systems, prompts, classifiers, templates, workflows, or service quality, Tact will use appropriate safeguards such as data minimization, access controls, aggregation, anonymization, de-identification, or contractual restrictions where appropriate. Where we use third-party AI service providers, cloud providers, or technology partners, we will apply appropriate contractual, technical, and organizational measures to protect Personal Data in accordance with applicable law and the relevant agreement.

Cookies, Analytics, and Similar Technologies

We may use cookies, log files, analytics tools, and similar technologies when you visit our website or use our digital services.
Cookies and similar technologies may be used for the following purposes

Strictly necessary cookies: to operate the website or platform, manage sessions, enable login, and maintain security.
Functional cookies: to remember preferences and improve user experience.
Analytics cookies: to understand website or platform usage, performance, traffic, and service quality.
Marketing cookies: to support marketing communications, campaign measurement, and relevant outreach, where permitted by law.

You may be able to manage cookies through your browser settings or, where available, through cookie preference tools provided on our website. Disabling certain cookies may affect the functionality of our website or digital services.

Disclosure of Personal Data

We may disclose Personal Data to the following parties where necessary and lawful:

Tact Personnel and Authorized Representatives Tact employees, directors, officers, consultants, contractors, advisors, and authorized representatives who need access to Personal Data for legitimate business, project, operational, technical, or support purposes.
Service Providers and Vendors Vendors and service providers who assist with website operations, cloud hosting, IT infrastructure, analytics, marketing, communications, payment processing, accounting, legal services, security, technical support, and other essential business functions.
Software, Cloud, and Technology Partners Technology providers whose products, platforms, or services we implement, integrate, operate, configure, or support, including software vendors, cloud service providers, AI service providers, data storage providers, system integration partners, and analytics providers.
Customer Organizations and Project Stakeholders Where you use our services on behalf of, or under the authority of, your employer, customer organization, parent company, project owner, sponsoring organization, or group administrator, relevant Personal Data and usage information may be accessible to that organization or its authorized administrators.
Certification Bodies, Auditors, Reviewers, and Verification Partners Where a service involves certification, verification, audit, assessment, review, or assurance workflows, Personal Data and related content may be disclosed to or accessed by authorized certification bodies, auditors, reviewers, verification partners, assessors, consultants, or project stakeholders, to the extent necessary for the relevant certification, verification, audit, assessment, review, or assurance purpose. For example, in the context of a certification or assessment platform, authorized certification bodies appointed by or contracted with your organization or project owner may access uploaded documents, evidence files, AI-assisted mapping results, reviewer comments, audit workflow details, and related records for certification, verification, audit, assessment, or quality review purposes.
Regulatory, Legal, and Government Authorities Government bodies, regulators, law enforcement agencies, courts, or other authorities where required or permitted by law, court order, regulatory request, legal process, or to protect our rights, property, users, or services.
Professional Advisers Legal, tax, accounting, audit, insurance, cybersecurity, and other professional advisers where necessary for legitimate business, legal, financial, compliance, or risk management purposes.
Third Parties with Consent or Direction Any third party where you have provided consent, instructed us to disclose the data, or where disclosure is otherwise permitted by applicable law. We do not sell, trade, or rent your Personal Data to third parties for their independent marketing purposes.

International Data Transfers

Your Personal Data may be transferred to, stored in, accessed from, or processed in countries outside Thailand or outside your country of residence. This may occur where we use cloud hosting providers, software vendors, AI service providers, analytics tools, communication tools, customer support systems, or other technology partners with infrastructure, personnel, or subprocessors located in other countries. Where international transfer of Personal Data is required, we will take steps designed to ensure that such transfers are made in accordance with applicable law and are protected by appropriate safeguards, which may include contractual protections, data processing agreements, access controls, encryption, data minimization, transfer impact assessments, or other safeguards as appropriate.

Data Security

We implement technical and organizational measures designed to protect Personal Data from unauthorized access, misuse, loss, alteration, disclosure, or destruction. These measures may include encryption, secure servers, access controls, role-based permissions, authentication measures, logging and monitoring, backup and recovery processes, employee confidentiality obligations, vendor due diligence, and regular review of security practices. However, no system, transmission, or storage method can be guaranteed to be completely secure. You and your organization are responsible for maintaining the confidentiality of your account credentials, using secure devices and networks, assigning appropriate user permissions, and promptly notifying us of any suspected unauthorized access or misuse.

Security Incident and Breach Notification

If we become aware of a security incident or Personal Data breach affecting Personal Data processed by Tact, we will take appropriate steps to investigate, contain, mitigate, and remediate the incident.
Where required by applicable law or contract, we will notify the relevant customer, data controller, regulator, or affected data subject without undue delay and within the timeframe required by applicable law or agreement.
Where Tact acts as a Data Processor, we will notify the relevant Data Controller in accordance with the applicable data processing agreement, contract, or legal requirement.

Data Retention

We retain Personal Data only for as long as necessary to fulfill the purposes described in this Privacy Statement, comply with legal obligations, perform contractual obligations, resolve disputes, enforce agreements, maintain business records, or protect our legal rights. Retention periods may vary depending on the type of Personal Data, the service involved, the applicable contract, legal requirements, limitation periods, accounting and tax obligations, operational needs, and whether the data is processed by Tact as a Data Controller or Data Processor. Indicative retention periods may include:

Data Category	Indicative Retention Period
Website enquiries and general business contacts	1–3 years after the last interaction, unless a longer period is justified
Client and project records	For the duration of the relationship and for a reasonable period thereafter, subject to contractual, legal, accounting, and limitation requirements
Billing, accounting, and tax-related records	As required by applicable accounting, tax, and legal obligations
Platform account data	For the period the account remains active and for a reasonable period after account closure or project completion
Uploaded project documents and evidence files	As specified in the relevant contract, data processing agreement, project terms, or service-specific addendum
Security and audit logs	For a reasonable security, audit, troubleshooting, and compliance period, unless longer retention is required for investigation or legal purposes
Marketing data	Until you unsubscribe, withdraw consent, object to processing, or the data is no longer needed for the relevant purpose
Recruitment data	For the recruitment process and a reasonable period thereafter, unless longer retention is consented to or legally required

Security Incident and Breach Notification

Data Minimization and User Responsibilities

Where you submit information to Tact, including through forms, email, project communications, or digital platforms, you should ensure that the information is accurate, relevant, lawful, and limited to what is necessary for the relevant purpose. You should not upload or submit Personal Data, sensitive Personal Data, confidential information, or third-party information unless you have the authority and lawful basis to do so. Where documents contain unnecessary Personal Data, you should redact, anonymize, or minimize such information before submission whenever possible. Where you submit Personal Data relating to employees, customers, guests, suppliers, contractors, or other third parties, you are responsible for ensuring that such individuals have received appropriate privacy notices and that the submission is lawful under applicable law.

Your Rights

Depending on your jurisdiction and the context of processing, you may have the following rights regarding your Personal Data:

Right to access: request information about the Personal Data we hold about you.
Right to data portability: request a copy of your Personal Data in a structured, commonly used, and machine-readable format, where applicable.
Right to object: object to certain processing of your Personal Data.
Right to erasure: request deletion, destruction, or anonymization of your Personal Data, subject to legal exceptions.
Right to restrict processing: request suspension or restriction of certain processing activities.
Right to rectification: request correction of inaccurate, outdated, incomplete, or misleading Personal Data.
Right to withdrawal of consent: withdraw consent where processing is based on consent, without affecting the lawfulness of processing conducted before withdrawal.
Right to lodge a complaint: submit a complaint to the competent data protection authority where you believe your Personal Data has been processed unlawfully.

These rights may be subject to limitations and conditions under applicable law. In some cases, we may be unable to fulfill a request if doing so would conflict with legal obligations, contractual obligations, security requirements, confidentiality obligations, trade secrets, the rights of others, or other lawful grounds for refusal.

How to Exercise Your Rights

To exercise your rights or submit a privacy-related request, please contact us at: [email protected]

Your request should include sufficient information for us to understand and verify your request, such as your name, contact details, organization, relevant service or platform, and the nature of the request. We may request additional information to verify your identity or authority before responding.
We will respond to valid requests within the timeframe required by applicable law. Where Tact acts as a Data Processor, we may refer your request to the relevant Data Controller or customer organization, or cooperate with them in responding to your request as required by contract or law.

Consent and Withdrawal of Consent

Where we rely on consent to process your Personal Data, we will request consent in a clear and appropriate manner. You may withdraw your consent at any time by contacting us or using the available unsubscribe or preference mechanisms, where applicable. Withdrawal of consent will not affect the lawfulness of processing conducted before the withdrawal. In some cases, withdrawal of consent may affect our ability to provide certain services, features, communications, or participation opportunities.