Last updated: 22 May 2026

Effective Date: 22 May 2026

Privacy Policy

This Privacy Policy ("Policy") describes how Curvf (operated by Curve Culture Co., Ltd., Company Registration No. 0735565007597, with its registered office in Bangkok, Thailand) ("Curvf", "we", "us", "our") collects, uses, discloses, transfers, retains, and protects your personal data when you visit, browse, register on, or transact through curvfofficial.com and any related subdomains, mobile views, or social commerce channels (the "Platform"). We process personal data in accordance with the Personal Data Protection Act B.E. 2562 (2019) of Thailand (the "PDPA") and applicable secondary regulations. By accessing the Platform, creating an account, or placing an order, you acknowledge that you have read, understood, and agreed to this Policy in full. If you do not agree, you must immediately discontinue use of the Platform.

01

Definitions

For the purposes of this Policy:

  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined under the PDPA.
  • "Sensitive Personal Data" means data described in Section 26 of the PDPA, including data on race, religion, sexual orientation, health, biometric data, or criminal records. Curvf does not intentionally collect Sensitive Personal Data; you must not submit such data to us.
  • "Processing" means any operation performed on personal data, including collection, use, disclosure, storage, transfer, deletion, and destruction.
  • "Data Subject" means the natural person to whom the personal data relates.

02

Personal Data We Collect

We collect only data that is necessary, proportionate, and tied to a lawful basis described in Section 4 below. Categories include:

  • Account Data (when you register): name, email address, hashed authentication credentials managed by Google Firebase Authentication, account preferences, profile photo (if supplied via Google sign-in), and language setting.
  • Order & Transactional Data (registered users and guest checkouts): full name, billing and shipping address, postal code, phone number, email address, order history, items purchased, sizes, colors, quantities, order value, applied discount codes, invoice and tax information, and delivery instructions.
  • Payment Data: Curvf does not collect, view, or store full payment card numbers, CVV codes, or full bank account credentials. Payments are processed directly by our PCI-DSS-compliant payment service providers. We may receive limited transaction metadata (last four digits of card, card brand, authorization status, and transaction ID) solely for order reconciliation and fraud prevention.
  • Communications Data: the content of messages, complaints, return requests, unboxing-video evidence (as required by our Refund Policy), customer-service chat transcripts, and any voluntary product reviews you submit.
  • Technical & Device Data: IP address, device identifiers, browser type and version, operating system, time-zone setting, referring URL, pages viewed, time-on-page, click-stream data, and crash logs.
  • Cookies, Pixels & Tracking Data: session and persistent cookies, local storage, web beacons, and similar technologies used for authentication, cart persistence, analytics, fraud detection, and — with your consent — marketing and retargeting. See Section 9.
  • Marketing & Preference Data: opt-in status for newsletters, SMS, LINE, and push notifications; survey responses; wishlist contents.

You are responsible for ensuring that all personal data you provide is accurate, complete, and lawfully obtained. If you provide personal data of a third party (e.g. a gift recipient), you warrant that you have that person's consent or another lawful basis to do so.

03

Sources of Personal Data

We collect personal data directly from you when you register, place an order, contact us, or interact with the Platform. We may also receive personal data from third parties including: Google (when you use Google sign-in), payment service providers, logistics partners (delivery confirmations), social media platforms (where you interact with Curvf accounts), and fraud-prevention vendors.

04

Lawful Bases & Purposes of Processing

We process personal data on one or more of the following PDPA lawful bases:

  • Account creation, authentication, and security — Contract (Section 24(3)) and Legitimate Interest (Section 24(5)).
  • Order processing, shipment, and customer service — Contract (Section 24(3)).
  • Tax invoices, accounting records, and statutory reporting — Legal Obligation (Section 24(6)).
  • Fraud prevention, dispute investigation, and chargeback defence — Legitimate Interest (Section 24(5)).
  • Website analytics and product improvement — Legitimate Interest (Section 24(5)).
  • Marketing communications, retargeting, and personalised offers — Consent (Section 24); withdrawable at any time.
  • Defending or asserting legal claims — Legitimate Interest (Section 24(5)).
  • Corporate transactions (merger, acquisition, restructuring, or sale of assets) — Legitimate Interest (Section 24(5)).

Where we rely on legitimate interest, we have conducted a balancing test and determined that our interests do not override your fundamental rights and freedoms. You may request details of this assessment by contacting us.

05

Disclosure & Sharing of Personal Data

We do not sell your personal data. We disclose personal data only to the following categories of recipients, subject to written confidentiality and data-processing obligations:

  • Cloud & Infrastructure Providers: Google LLC (Firebase Authentication, Firestore, Cloud Storage, Cloud Run, Analytics) operating from data centres in Asia-Southeast1 (Singapore) and globally.
  • Payment Service Providers: our PCI-DSS-compliant payment gateway(s) for payment authorization and settlement.
  • Logistics & Fulfilment Partners: Thailand Post, Kerry Express, Flash Express, J&T Express, DHL, and other carriers required to deliver your order.
  • Communication Vendors: email-delivery, SMS, and LINE messaging providers for transactional and (where consented) marketing messages.
  • Analytics & Marketing Vendors: providers such as Google Analytics, Meta Pixel, and TikTok Pixel, used only where you have consented via our cookie banner.
  • Professional Advisors: auditors, accountants, lawyers, and insurers bound by professional confidentiality.
  • Government & Regulatory Authorities: the Revenue Department, the Customs Department, the PDPC, courts, law-enforcement agencies, and other competent authorities where required by Thai law or a valid legal process.
  • Successors in Interest: in the event of a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of our assets, personal data may be transferred to the acquirer or successor entity.

06

International Data Transfers

Some of our service providers — notably Google (Firebase, Cloud Run, Analytics) and certain payment, analytics, and communication vendors — may store or process personal data outside Thailand, including in jurisdictions that may not provide an adequate level of data protection under PDPA standards. In such cases, we rely on one or more of the following safeguards permitted under Sections 28 and 29 of the PDPA: (a) your explicit consent after being informed of the inadequacy; (b) the transfer being necessary for the performance of a contract to which you are a party; (c) compliance with appropriate safeguards (such as standard contractual clauses or binding corporate rules approved by the PDPC); or (d) any other exemption recognised by law.

By using the Platform, you acknowledge and consent to such cross-border transfers of your personal data, including transfers to the United States and other jurisdictions.

07

Data Retention

We retain personal data only for as long as is necessary for the purposes set out in this Policy or as required by law. Indicative retention periods:

  • Account data: for the lifetime of your account, plus up to two (2) years after closure for fraud-prevention and dispute-resolution purposes.
  • Order, invoice, and tax records: at least ten (10) years from the close of the relevant fiscal year, as required by the Revenue Code, the Accounting Act B.E. 2543, and the prescription periods under the Civil and Commercial Code.
  • Customer-service communications: up to three (3) years from the date of the last interaction.
  • Marketing-consent records and unsubscribe logs: for as long as is necessary to evidence consent and compliance.
  • Server logs, technical logs, and security event data: up to ninety (90) days for security investigations, longer if linked to an active incident.
  • CCTV footage (warehouse and office, where applicable): up to thirty (30) days.

Upon expiry of the applicable retention period, we will securely delete, destroy, or irreversibly anonymise the data, except where longer retention is required to defend or pursue legal claims, comply with a regulatory request, or fulfil an accounting or tax obligation.

08

Data Security

We implement reasonable administrative, technical, and physical safeguards designed to protect personal data against accidental or unlawful loss, alteration, unauthorised disclosure, or access. These measures include encrypted transmission (TLS 1.2 or higher), encryption-at-rest on managed Google Cloud services, role-based access controls, multi-factor authentication for administrative accounts, audit logging, and periodic security reviews.

No method of internet transmission or electronic storage is 100% secure, and we cannot guarantee absolute security. You are responsible for keeping your account credentials confidential and for notifying us promptly of any suspected unauthorised access. To the maximum extent permitted by law, we shall not be liable for any unauthorised access or disclosure resulting from your failure to safeguard your credentials, your use of unsecured networks, or events beyond our reasonable control. In the event of a personal-data breach that is likely to result in a high risk to your rights and freedoms, we will notify the Office of the Personal Data Protection Committee within seventy-two (72) hours of becoming aware of the breach and will notify affected Data Subjects without undue delay, as required by Section 37(4) of the PDPA.

09

Cookies & Tracking Technologies

We use cookies and similar technologies for: (i) strictly necessary functions (authentication, cart, fraud prevention) which cannot be disabled without breaking the Platform; (ii) analytics and performance measurement; and (iii) marketing, advertising, and retargeting, used only with your consent via our cookie banner. You may manage cookie preferences via our cookie banner or your browser settings; blocking strictly necessary cookies will impair functionality.

10

Children's Privacy

The Platform is intended for users who are at least twenty (20) years of age (the age of majority under Thai law). If you are below this age, you must obtain the consent of a parent or legal guardian before providing any personal data or making any purchase. We do not knowingly collect personal data from individuals under twenty (20) without such consent and will delete any such data upon becoming aware of it.

11

Your Rights Under the PDPA

Subject to the conditions and exceptions set out in the PDPA, you have the following rights:

  • Right of Access (Section 30): to obtain a copy of your personal data and information about how it is processed.
  • Right to Rectification (Section 35): to have inaccurate, incomplete, or outdated data corrected.
  • Right to Erasure (Section 33): to have your data deleted, destroyed, or anonymised in the circumstances permitted by law.
  • Right to Restriction (Section 34): to have processing restricted in the circumstances permitted by law.
  • Right to Object (Section 32): to object to processing in the circumstances permitted by law.
  • Right to Data Portability (Section 31): to receive your data in a machine-readable format and transmit it to another controller.
  • Right to Withdraw Consent: where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal, nor does it affect processing based on other lawful bases such as legal obligation, contract performance, or legitimate interest.
  • Right to Lodge a Complaint: with the Office of the Personal Data Protection Committee (PDPC) at https://www.pdpc.or.th.

To exercise any of the above rights, please submit a written request to the contact details below. We may require you to verify your identity before processing your request, and we may decline or charge a reasonable fee for requests that are manifestly unfounded, excessive, or repetitive. We will respond within thirty (30) days of receiving a complete and verified request, subject to extension where permitted by law.

12

Marketing Communications

If you have opted in to marketing, you may receive promotional emails, SMS, LINE messages, or push notifications from us. You may opt out at any time by clicking the "unsubscribe" link in any email, replying STOP to SMS, or updating your account preferences. We will continue to send you transactional, account, and legal communications regardless of your marketing preferences.

13

Changes to This Policy

We may amend this Policy from time to time to reflect changes in our practices, technology, legal requirements, or for any other reason. The "Last Updated" date at the top will reflect the most recent revision. Material changes will be communicated via the Platform or by email at our discretion. Your continued use of the Platform after the effective date of any change constitutes your acceptance of the revised Policy. You are responsible for periodically reviewing this Policy.

14

Governing Law & Jurisdiction

This Policy is governed by and construed in accordance with the laws of the Kingdom of Thailand, without regard to its conflict-of-laws principles. Any dispute arising out of or in connection with this Policy shall be submitted to the exclusive jurisdiction of the competent courts of Thailand. The parties agree that the Thai-language version of this Policy shall prevail in the event of any inconsistency between the English and Thai texts.

Contact Us — Data Controller

For privacy enquiries, Data Subject requests, or PDPA-related matters, please contact:

Email: admin@curvfofficial.com

Address: Curve Culture Co., Ltd. (Company Registration No. 0735565007597), Bangkok, Thailand