Privacy Policy
Finisit ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, share, and safeguard your personal data when you use our Platform. It is written to align with Thailand's Personal Data Protection Act B.E. 2562 (PDPA) and applicable cross-border equivalents (GDPR, CCPA) where relevant.
1. Data Controller
For the purposes of the PDPA, the data controller is Finisit (Thailand). All inquiries about how your personal data is processed should be directed to privacy@finisit.app.
2. Information We Collect
- Account data: Name, email address, password (bcrypt-hashed), referral code, preferred language
- Wallet data: Public wallet addresses you connect (never private keys or seed phrases)
- Transaction data: Purchase history, commission records, and payout requests tied to your account
- Usage data: Pages visited, features used, device type, IP address (hashed in long-term logs), approximate region
- Communications: Email correspondence with support, newsletter subscription state
3. Lawful Basis for Processing (PDPA §24)
We process personal data on the following lawful bases:
- Performance of a contract — to operate the Platform and deliver paid features you've signed up for
- Legitimate interest — fraud prevention, security monitoring, product improvement (always weighed against your rights)
- Consent — for marketing emails, optional analytics cookies, and newsletter subscriptions (you can withdraw consent at any time)
- Legal obligation — financial-record retention, tax reporting, lawful requests from competent authorities
4. How We Use Your Information
- To operate, secure, and improve the Platform
- To process affiliate commissions and payouts
- To send transactional emails and important account updates
- To detect and prevent fraud and abuse
- To comply with legal and regulatory obligations
5. Data Sharing & Cross-Border Transfer
We do not sell your personal data. We share data only with the following categories of recipients, under contractual safeguards:
- Payment processors — Stripe (USA), to process card payments and payouts
- Email delivery — Resend (USA), for transactional and marketing email
- Print fulfilment — Printful (Latvia / USA), for physical merchandise orders
- Hosting / database — Vercel (USA), Neon Postgres (USA / EU)
- Analytics — Plausible (EU), anonymised / aggregated only
- Legal authorities — when compelled by lawful order or to protect users' safety
Some recipients are located outside Thailand. Where the destination country is not on the PDPC adequacy list, transfers are made under appropriate safeguards (data-processing addenda, Standard Contractual Clauses, or your explicit consent).
6. Blockchain Data
7. Data Retention
We retain account data for as long as your account is active, plus up to 5 years thereafter for legal, accounting, and anti-fraud compliance. Hashed IP addresses in audit logs are retained 90 days. Newsletter subscription records are retained until you unsubscribe; unsubscribe records are retained 1 year for compliance.
8. Your Rights (PDPA §30–§37)
Subject to applicable exceptions, you have the right to:
- Access — request a copy of personal data we hold about you (self-serve via Settings → Export)
- Rectification — correct inaccurate or incomplete data
- Erasure — request deletion of off-chain personal data (note: on-chain records cannot be erased)
- Restriction — pause processing in specific circumstances
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interest
- Withdraw consent — at any time for any consent-based processing
- Lodge a complaint — with the Personal Data Protection Committee (PDPC) of Thailand if you believe your rights have been violated
To exercise any right, email privacy@finisit.app. We respond within 30 days.
9. Cookies & Tracking
We use cookies and similar technologies grouped into the following categories:
- Strictly necessary (always on):
fin_session,fin_admin_session,fin_csrffor authentication and CSRF protection. - Functional (always on, no personal identifier):
fin-theme,fin-langremember your theme + language preference. - Analytics (consent-based): Plausible Analytics — first-party, no cross-site identifier, no fingerprinting. Loaded only after consent on jurisdictions that require it; can be disabled per session.
- Marketing: We do not use third-party advertising cookies, retargeting pixels, or social trackers.
You can opt out of analytics at any time by clearing the fin-consent-analytics cookie or by enabling Do-Not-Track in your browser. You can also block all non-essential cookies in your browser settings (this may affect Platform functionality).
10. Security
We hash passwords with bcrypt (cost 12+), encrypt data in transit with TLS 1.2+, restrict admin access by role, and log all admin actions to a tamper-evident audit trail. We notify affected users without undue delay (and within 72 hours where required) of any personal-data breach that is likely to result in a risk to your rights.
11. Children
The Platform is not intended for users under 18. We do not knowingly collect personal data from minors. If you believe a minor has provided data, contact privacy@finisit.app and we will delete it.
12. Governing Law
This Privacy Policy is governed by the laws of the Kingdom of Thailand and, in particular, the Personal Data Protection Act B.E. 2562 (PDPA). Any dispute arising under this Policy is subject to the exclusive jurisdiction of the courts of Bangkok, Thailand.
13. Updates to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the most recent change. Material changes will be communicated via email or in-Platform notice.
14. Contact
For privacy inquiries, contact privacy@finisit.app. For complaints to the supervisory authority: Personal Data Protection Committee, Office of the Permanent Secretary, Ministry of Digital Economy and Society, Bangkok 10210, Thailand.