1.​ Definitions

"Company" refers to FinNet Ventures Co., Ltd.

"Personal Data" means any information that can identify you, either directly or indirectly.

"Personal Data Processing" refers to the collection, use, and disclosure of personal data.

"Personal Data Protection Act" refers to the Personal Data Protection Act B.E. 2562 (2019) and any relevant laws and regulations.

2.​ Data Subjects

This Privacy Notice applies to the following individuals:

2.1 Customers of the Company, including:

(1) Former and current individual customers of the Company.

(2) Corporate customers, including directors, shareholders, employees, or authorized representatives of former and current corporate customers, as well as any other individuals authorized to act on behalf of such corporate customers. The Company recommends that its corporate customers take appropriate measures to ensure that all authorized representatives or related individuals are informed of this Privacy Notice.

3. Purposes of Personal Data Processing

The Company collects, uses, and discloses your personal data only to the extent necessary for purposes such as:

(1) Entering into and/or fulfilling contracts, including complying with the Companys terms of service;

(2) Providing services or customer care under the contract, such as after-sales service or resolving system usage issues;

(3) Recording conversations and communications with customers through all communication channels (e.g., email, fax, telephone interviews, or other means) for the purpose of improving the Companys service management;

(4) Conducting or entering into transactions and/or making or receiving payments, such as processing payments or transactions, completing transactions, debt repayment, billing, account deduction, managing business relationships with the Company, and performing registration activities with the Company related to your account as a customer or service provider of the Company;

(5) Carrying out processes related to disputes, debt collection, or debt transfer, including legal proceedings.

(6) Verifying and authenticating the identity of customers, service users, business facilitators, partners, or business affiliates of the Company;

(7) Recording the information of individuals who visit the Companys premises, as well as capturing photographs or video footage during events for safety and property protection purposes, including for use in investigations in the event of accidents or criminal incidents;

(8) Managing the Companys corporate structure, internal controls, business operations, and compliance with the Companys policies and procedures, which include risk management, security, audit, finance and accounting, system operations, and business continuity planning;

(9) Ensuring security risk prevention, such as monitoring network activity logs, identifying security incidents, conducting data security assessments, and preventing malicious, deceptive, fraudulent, or unlawful acts;

(10) Pursuing legitimate interests of the Company or other individuals or legal entities, unless such interests are overridden by your fundamental rights and freedoms regarding personal data for example, personal data disclosed to the Department of Business Development or data that forms part of official government announcements or has been published in the Royal Gazette;

(11) Complying with applicable laws, rules, and regulations that the Company is obligated to follow, such as those of the Stock Exchange of Thailand, the Customs Department, the Revenue Department, and others.

4. Legal Basis

The Company may rely on various legal bases for the collection, use, and disclosure of your personal data as specified under the Personal Data Protection Act, including:

• Contractual basis for entering into or fulfilling contractual obligations;
• Legal obligation where the Company is required to comply with legal or regulatory requirements;
• Legitimate interest such as verifying an individuals status or identity, fraud prevention, or protection against misconduct, provided that such interests do not override your fundamental rights and freedoms as a data subject; or
• The Company may also seek your explicit consent on a case-by-case basis where required.

5. Types of Personal Data Collected

5.1 The Company collects, uses, and discloses your personal data as necessary, including the following types:

(1) Identification Information:

First and last name, gender, date of birth, nationality, photograph, and identification card number and/or passport information.

(2) Contact Information: Address, email, and phone number.

(3) Educational and Employment Information: Academic background, employment history, and other information necessary for the recruitment process.

(4) Service Usage Information: Behavioral data related to your use of the Companys services and other relevant service-related information.

(5) Financial Information: Payment details and bank account numbers.

(6) Security Information: Data used for security systems.

(7) Service Improvement Data: Information collected to improve service delivery, including in cases where service issues arise.

(8) Legal Compliance Data: Data necessary for the Company to comply with legal obligations, including data used for audits or to take action in cases of breach of service terms or violation of applicable laws.

The collection of the above information is necessary for the performance of a contract or for compliance with legal obligations. If you choose not to provide such information, the Company may not be able to provide the requested services or fulfill your requests.

5.2 Sensitive Personal Data Sensitive Personal Data refers to specific categories of personal data as defined by law, such as information related to individuals with visual or hearing impairments, or biometric data. The Company may collect, use, and/or disclose such sensitive personal data for the purpose of verifying and authenticating the identity of service users, only with your explicit consent, or when it is necessary under the applicable laws.

6. Sources of Personal Data

The Company may collect your personal data through the following channels:

6.1 Direct Collection from You

This includes information provided during the application process, signing service agreements, requesting benefits, or completing surveys. Data collected through phone conversations, email exchanges, or other communication channels between the Company and you. Data gathered from service usage or personal data provided by you via online platforms such as mobile applications or the Company's website. Additionally, the Company may request explicit consent to collect your personal data in other cases, as applicable.

6.2 Collection from Other Sources

The Company may also receive your personal data from sources other than you directly, where such sources are legally authorized to disclose your personal data. These sources include affiliated companies, the Department of Business Development, the Ministry of Commerce, the Stock Exchange of Thailand, the Civil Enforcement Department, the Ministry of the Interior, the Revenue Department, government agencies, state bodies, business partners, and trusted subcontractors providing services on behalf of the Company.

7. Disclosure of Personal Data to Others

The Company will not disclose your personal data to individuals or entities outside the Company group, except as necessary to fulfill the purposes of personal data processing as stated in this notice. The Company may disclose your personal data to the following parties:

(1) Business Facilitators, including business partners, contractors, or agents hired by the Company to act on its behalf, as well as subcontractors. This includes providers of transportation services, financial and transaction service providers, cloud service providers, IT service providers, software and system developers, business consultants, professional advisors, and others.

(2) Authorized representatives, authorized sub-agents, or legal agents with valid authority to act on your behalf.

(3) Parties involved in organizational restructuring or mergers of the Company, where the Company may need to transfer rights to such activities, including those who require sharing information for organizational restructuring, asset transfer, financial agreements, asset sales, or other transactions related to the business and/or assets used in the Company's operations.

(4) Customers or service users of the Company who are authorized to access personal data as part of business-related information or where the data subject has provided consent to the Company and/or to the Company's customers or service users, or for other reasons as required by law.

(5) Legal representatives, such as attorneys or debt collection agents.

(6) Government agencies, law enforcement bodies, regulatory authorities, or other entities as required by law, such as agencies acting on legal orders, auditing agencies, or legal processes like the Anti-Money Laundering Office, National Anti-Corruption Commission, Social Security Office, Revenue Department, Civil Enforcement Department, Courts, etc.

8. Retention Period of Personal Data

The Company will collect your personal data for as long as necessary to fulfill the objectives of each type of service, in accordance with the duration of the contract or legal relationships between you and the Company, unless the law allows a longer retention period.

9. Your Rights Regarding Personal Data

You can exercise your rights under the relevant laws and policies in effect now or amended in the future, as well as according to the guidelines established by the Company.

9.1 Right to Withdraw Consent

If you have given consent to the Company for a specific purpose, you have the right to withdraw your consent at any time, unless there are legal limitations or the consent is related to a contract that benefits you. However, withdrawing consent may affect your rights or benefits, so it is advisable to understand and inquire about the consequences before exercising this right. If the withdrawal of consent prevents the Company from delivering certain products or services to you, the Company will notify you of the consequences. You may contact the Company and request to exercise your rights by following the Company's designated procedures, submitting a request with supporting evidence to verify that you are the owner of the personal data. The Company may refuse requests that are fraudulent, unreasonable, impractical, or otherwise non-compliant with legal requirements.

9.2 Right to Access and Request a Copy of Data

You have the right to access and receive a copy of the personal data the Company holds about you, unless the Company is legally entitled to refuse your request under the law or a court order, or if fulfilling your request could result in harm to the rights and freedoms of others.

9.3 Right to Request or Request the Transfer or Transmission of Personal Data

You have the right to request your personal data in a format that is generally readable or usable by automated tools or devices, allowing the data to be used or disclosed automatically. You also have the right to request that the Company send or transfer your personal data to external parties or request a copy of personal data that the Company has sent or transferred to external parties, unless it is technically impossible or the Company has a legal reason to refuse your request.

9.4 Right to Object

You have the right to object to the collection, use, or disclosure of your personal data, unless the Company has legal grounds to refuse your request, such as demonstrating that the collection, use, or disclosure of your personal data is justified by overriding legal grounds or for the establishment of legal claims, the exercise of legal rights, or for the Companys public interest. Exercising your right to object may prevent the Company from providing services to you due to legal requirements or contractual obligations between you and the Company.

9.5 Right to Suspend the Use of Data

You have the right to request the Company suspend the use of your personal data in certain cases, such as when the Company is reviewing a request for the correction of your personal data or objection to the collection, use, or disclosure of your personal data, or when you request the suspension of the use of your personal data instead of deletion or destruction, if you need the personal data retained for the establishment, exercise, or defense of legal claims.

9.6 Right to Request Deletion or Destruction of Data

You have the right to request the Company delete or destroy your personal data or anonymize it in accordance with the Companys designated procedures, unless the Company needs to retain the data for the performance of a contract for service or has legal grounds to refuse your request.

9.7 Right to Correct Data

You have the right to request the correction or update of any inaccurate or incomplete personal data to ensure it is up to date, subject to the requirements of any relevant laws.

10. Data Security Measures

The Company has implemented appropriate data security measures to prevent the loss, access, use, alteration, modification, or disclosure of personal data without authorization or in violation of the law. These measures align with the Companys information security policies and practices.

In cases where the Company assigns external agencies or individuals to process personal data on its behalf, the Company ensures that these external parties maintain the confidentiality and security of the personal data and prevent its collection, use, or disclosure for any unauthorized purposes or in violation of the law.

11. Use of Personal Data for Original Purposes

The Company retains the right to collect and use your personal data previously collected before the Personal Data Protection Act (PDPA) came into effect, for purposes related to the collection, use, and disclosure of personal data as originally intended. If you no longer wish for the Company to continue collecting and using your personal data, you may contact the Company at any time to withdraw your consent.

12. Contact Channels

If you have any questions or require additional information regarding the Companys Personal Data Protection Policy or wish to exercise your rights under the Personal Data Protection Act, please contact the Company through the following channels:

Headquarters Address: 719/5 Rama VI Road, Wang Mai Subdistrict, Pathum Wan District, Bangkok 10330, Thailand

เData Protection Officer Email: dpo@fyn.com

13. Changes to the Personal Data Protection Policy

The Company may change or amend this Personal Data Protection Policy from time to time. The current version of the Privacy Policy will be made available on the Companys website at www.fyn.com.