Privacy Policy
How CAIKU.ai handles your personal data
1. About This Policy
This Privacy Policy ('Policy') describes how CAIKU collects, uses, discloses, and protects your personal data when you use our services, including caiku.ai, the CAIKU AI Agent platform, and related services (the 'Services').
By using our Services, you accept this Policy. If you do not accept it — please stop using the Services.
This Policy complies with Thailand's Personal Data Protection Act B.E. 2562 (2019) ('PDPA') and other applicable Thai laws.
This English version is provided for convenience. In case of any conflict between the Thai and English versions, the Thai version shall prevail for matters governed by Thai law.
2. Data Controller
- Company
- HelloAds Co., Ltd.
- Address
- 14 Soi Vibhavadi Rangsit 16/29, Ratchadaphisek Subdistrict, Din Daeng District, Bangkok 10400, Thailand
- Tax ID
- 0205558029691
- privacy@caiku.ai
- Phone
- +66 2 038 5565
2.1 Data Protection Officer (DPO)
CAIKU has appointed a DPO to oversee privacy compliance:
- DPO Name
- Pitsanuchai Thongtha
- dpo@caiku.ai
- Phone
- +1 437 669 6615
- Office Hours
- Mon–Fri 9:00–18:00 (GMT+7)
3. Information We Collect
We collect four main categories of personal data:
3.1 Account Data
- Full name
- Email address
- Phone number
- Company name and job title (if provided)
- Password (stored as encrypted hash)
3.2 Usage Data
- Conversation logs (chat and voice transcripts)
- Lead data you upload to the system
- Knowledge base content
- Configuration and settings
- Activity logs (login, actions performed)
3.3 Technical Data
- IP address
- Browser type and version
- Device type and OS
- Cookies and similar tracking technologies
- API request logs
3.4 Payment Data
- Payment details — stored by our payment processor (Stripe / Omise), not by CAIKU
- CAIKU only retains: transaction ID, date, amount, and status
- Tax invoice information — as required by Thai law
3.5 What We Do Not Collect
- Full credit card details (handled exclusively by payment processor)
- Sensitive data under PDPA Section 26 (race, religion, health data, genetic data) — except with explicit consent
- Data of minors under 20 years of age — end-users under 20 are not permitted to use the Services
4. Purposes & Legal Basis
We process your data for the following purposes and on the following legal bases:
| Purpose | Data Used | Legal Basis (PDPA) | Retention |
|---|---|---|---|
| Providing the AI Agent service you subscribed to | Account + Usage + Technical | Section 24(3) Contract performance | Subscription period + 90 days |
| Improving and developing our services | Usage data (anonymized) | Section 24(5) Legitimate Interest | 5 years (anonymized) |
| Maintaining security and preventing misuse | Technical + Activity logs | Section 24(5) Legitimate Interest | 1 year |
| Complying with law — tax, financial reporting | Account + Payment data | Section 24(6) Legal obligation | 5 years (as required by law) |
| Sending marketing communications | Account + email | Section 24(1) Consent | Until consent is withdrawn |
| Voice cloning (Pro+ tier feature) | Voice samples | Section 24(1) Explicit Consent | Subscription period — deleted upon cancellation |
For Legitimate Interest basis — we maintain a Legitimate Interest Assessment (LIA) document that has passed the 3-part test (purpose, necessity, balancing test). You may request access by contacting our DPO.
5. Disclosure & Data Transfers
We may disclose your data to the following recipients:
5.1 Service Providers (Data Processors)
| Vendor | Service | Data Shared | Location |
|---|---|---|---|
| OpenAI | GPT + Realtime API + Whisper | Conversation content | USA |
| Anthropic | Claude API | Conversation content | USA |
| Google Cloud | Gemini + Cloud infrastructure | Conversation + storage | USA / Asia |
| Twilio | Voice telephony | Phone call audio + metadata | USA |
| Retell AI / Vapi | Voice agent infrastructure | Voice + conversation | USA |
| Supabase | Database + authentication | Account + usage data | USA / EU |
| Railway | Application hosting | All operational data | USA |
| Cloudflare | CDN + security | Technical metadata | Global |
| Stripe / Omise | Payment processing | Payment data | USA / Thailand |
All vendors listed above act as 'Data Processors' under PDPA — we have signed a Data Processing Agreement (DPA) with each. The DPA explicitly prohibits vendors from using your data for purposes other than those we instruct.
5.2 International Data Transfers
Your data may be transferred to countries with privacy protection standards lower than Thailand (e.g., USA). We apply the following safeguards:
- Standard Contractual Clauses (SCCs) in our DPAs with all vendors
- Encryption in transit (TLS 1.3+)
- Access control and audit logs
- Vendor selection limited to providers with privacy compliance certifications (SOC 2, ISO 27001)
5.3 Disclosure Required by Law
We may disclose your data when:
- Required by court order or government authority
- Necessary to prevent crime or protect lives
- Necessary to protect CAIKU's or another user's rights
5.4 What We Do Not Do
We do not sell, trade, or rent your personal data to third parties for marketing or commercial gain — under any circumstances.
6. Your Rights (Data Subject Rights)
Under PDPA Sections 30-39, you have seven rights:
| Right | What It Means | How to Exercise |
|---|---|---|
| 1. Access | Request a copy of data we hold about you | Email dpo@caiku.ai |
| 2. Rectification | Correct inaccurate data | Update in account settings or contact DPO |
| 3. Erasure | Delete your data (Right to be Forgotten) | Email dpo@caiku.ai |
| 4. Objection | Object to processing for certain purposes | Email dpo@caiku.ai |
| 5. Restriction | Restrict processing | Email dpo@caiku.ai |
| 6. Portability | Receive your data in a portable format | Email dpo@caiku.ai |
| 7. Withdraw Consent | Withdraw consent previously given | Account settings or contact DPO |
6.1 Response Time
We will respond to your request within 30 days from receipt of a complete request. For complex cases, we may extend this period by an additional 30 days — with prior notice to you.
6.2 Fees
The first request is free. For repeated or excessive requests, we may charge a fee based on actual cost (e.g., admin processing) — but we will inform you in advance.
6.3 Right to Complain
If you believe CAIKU has violated PDPA, you may file a complaint with the Personal Data Protection Committee (PDPC):
- Website
- pdpc.or.th
- pdpc@mdes.go.th
- Phone
- +66-2-141-6993
We encourage you to contact our DPO first so we can resolve the issue as quickly as possible.
7. Data Security
We implement the following data protection measures:
7.1 Technical Measures
- Encryption in transit (TLS 1.3+)
- Encryption at rest (AES-256)
- Multi-factor authentication (MFA) for admin access
- Role-based access control
- Audit logs retained for 5 years
- Annual vulnerability scanning and penetration testing
- Backup and disaster recovery — RPO 1 hour, RTO 4 hours
7.2 Organizational Measures
- DPO appointed and registered with PDPC
- Annual privacy training for all staff
- Vendor due diligence with signed DPAs
- Documented incident response plan
- Privacy by Design in feature development
7.3 Data Breach Notification
In the event of a data breach affecting you:
- We will notify the PDPC within 72 hours (as required by PDPA)
- We will notify you directly as soon as practical, via email and in-app notification
- We will explain what happened, which data was affected, and remediation steps taken
- We will recommend actions you should take (e.g., change password)
8. Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| Account data | Subscription period + 90 days | Recovery and reactivation |
| Conversation logs | 12 months | Quality and improvement |
| Voice recordings | 30 days (default — adjustable) | Transcription and QA |
| Voice samples (cloning) | Subscription period — deleted on cancellation | Active service only |
| Activity logs | 1 year | Security and investigation |
| Audit logs | 5 years | PDPA compliance |
| Payment data | 5 years (per Thai tax law) | Tax compliance |
| Anonymized usage data | Indefinite | Service improvement |
8.1 After Retention Period Ends
- Data is deleted from production systems
- Data is deleted from backups in the next rotation cycle (up to 90 days)
- A deletion certificate is issued upon request
9. Cookies & Tracking
caiku.ai uses cookies to enable our services and analyze usage. See our Cookie Policy for details.
10. Policy Changes
We may update this Policy from time to time. For material changes, we will notify you 30 days in advance via email and in-app notification. Continued use of the Services after an update constitutes acceptance of the new Policy.
10.1 Version History
| Version | Date | Changes |
|---|---|---|
| 1.0 | 1 May 2026 | Initial publication |
11. Contact Us
- DPO Email
- dpo@caiku.ai
- General Privacy
- privacy@caiku.ai
- Customer Support
- support@caiku.ai
- Phone
- +66 2 038 5565
- Response SLA
- 30 days (per PDPA)