Privacy Policy
Last updated: 22 April 2026
- We collect only the data needed for the app to work. We do not sell data, show ads, or use trackers.
- Your email is used only for link-based sign-in and receipts.
- You have the right to access, rectify, delete, object to the processing of, and port your data under the Personal Data Protection Act (PDPA).
- Contact for personal data matters: privacy@thaiandenglish.com
This Privacy Policy explains how Cultra Lab Limited Partnership ("we", "us"), registered in Thailand at 1st Floor, PKCD Building, 9, 8 Muang Naka Rd, Phuket 83000, Thailand, collects, uses, discloses and protects your personal data when you use thaiandenglish.com or the Phuut Thai application (the "Service"). This policy is written to comply with the Thai Personal Data Protection Act B.E. 2562 (2019) ("PDPA") and, where applicable, the EU General Data Protection Regulation (GDPR) and the UK GDPR.
1. Data controller and contact
The data controller responsible for your personal data under the PDPA is Cultra Lab Limited Partnership. For any privacy-related question, request, or complaint, contact privacy@thaiandenglish.com. We are not legally required to appoint a Data Protection Officer (PDPA Section 41) given our size, the limited scope of personal data we process, and the absence of large-scale monitoring or special-category data. The inbox above is monitored as our primary privacy contact.
2. What we collect
- Email address, if you create an account. Used to send magic-link sign-in emails and transactional notices (receipts, trial-ending reminders, security alerts).
- Learning progress: the sentences and words you have seen, spaced-repetition card states, review counts, game scores.
- Profile preferences: your chosen learning mode, interface language, gender (used for Thai pronouns and polite particles), level, kid-mode flag, self-declared age bracket, and an optional nickname.
- Subscription state, if you subscribe to paid Thai mode: trial / active / cancelled status and billing period end date. Payment card details are handled entirely by Paddle and never reach our servers.
- Basic technical data: browser user-agent, request timestamps, IP address. Stored transiently by our hosting and infrastructure providers (GitHub Pages, Supabase) for security, anti-abuse and service reliability.
We do not collect your contacts, precise location, microphone audio, photos, or any biometric data. We do not run analytics or advertising trackers. We do not process special-category (sensitive) personal data such as race, religion, health, political opinion or sexual orientation. If the scope of processing ever changes, we will update this section and notify users in accordance with Section 12.
3. Why we use it — and our legal basis
Under PDPA Section 24, we must identify a lawful basis for each purpose of processing. Here is what we do and why:
| Purpose | Data | Legal basis |
|---|---|---|
| Operating your account and syncing progress across devices | Email, progress, profile | Performance of contract (PDPA s.24(3)) |
| Sending magic-link login emails | | Performance of contract |
| Processing subscription payments | Email, subscription status | Performance of contract |
| Personalising content (level, pronouns, kid mode) | Profile | Performance of contract |
| Transactional receipts, security and trial-ending notices | | Legal obligation (tax, consumer-protection) and legitimate interest (PDPA s.24(5)) |
| Fraud prevention, anti-abuse, minimum traffic-log retention under the Computer Crime Act | Technical data | Legal obligation and legitimate interest |
We do not rely on consent as a legal basis for the processing listed above, because each purpose is necessary to deliver the Service you signed up for, required by law, or reflects our legitimate interest in running a secure service. If we later introduce any processing that requires consent (for example, optional product-research emails), we will ask separately and you will be able to withdraw consent at any time.
4. Where your data is stored and who processes it
We use the following sub-processors under written data-processing agreements. They process personal data on our instructions only.
- Supabase (PostgreSQL, Singapore region) — user authentication and progress storage. Row-level security ensures each user can only read and modify their own row.
- GitHub Pages (CDN, United States / global) — serves the static site. Transient request logs only.
- Email delivery provider (via Supabase Auth) — transactional email for magic-link sign-in and account notices.
Paddle.com Market Limited (United Kingdom) acts as Merchant of Record for payments and operates as a separate independent data controller for the payment data it collects directly from you. Paddle's own privacy policy applies to that data — see paddle.com/legal/privacy.
Your browser also caches a local copy of your progress in localStorage for offline use. Clearing your browser storage clears this local copy.
5. Cross-border transfers
Some sub-processors above store or process personal data outside Thailand. Under PDPA Section 28, cross-border transfers are permitted where the destination country has adequate data protection standards, or where appropriate safeguards are in place. We rely on the following safeguards:
- Singapore, where Supabase hosts EU and APAC customer data, has personal-data laws (the PDPA 2012) recognised by the Thai PDPC as offering broadly equivalent protection.
- The United Kingdom, where Paddle operates, is subject to the UK GDPR — recognised by the Thai PDPC as providing adequate protection.
- Contractual safeguards in each provider's data-processing agreement, including PDPA- and GDPR-aligned obligations.
6. Who we share with
We do not sell your personal data. We do not share it with advertisers, data brokers, or marketing networks. We disclose it only to:
- the sub-processors listed in Section 4, under written data-processing agreements;
- professional advisers (lawyers, accountants, auditors), under duties of confidentiality, where reasonably necessary;
- authorities or courts, where required by Thai law or a valid order from a competent authority (for example, under the Computer Crime Act B.E. 2560 which requires service providers to preserve or produce certain records). Where permitted, we will notify you first;
- a successor entity in a merger, acquisition, reorganisation or asset sale, as described in our Terms of Service, provided the successor is bound by terms substantially equivalent to this Policy.
7. Retention
- Account and progress data: for as long as your Account is active.
- After account deletion: we delete your personal data within 30 days, except for tax invoices retained by Paddle for up to 7 years under UK and Thai accounting and tax law.
- Support / privacy-request emails: up to 2 years after the request is resolved, for dispute-resolution and audit purposes.
- Infrastructure logs: up to 30 days (Supabase) and up to 90 days for traffic records where required by the Computer Crime Act.
8. Your rights under the PDPA
If you are a data subject in Thailand, the PDPA grants you the following rights. Equivalent rights exist under the GDPR and UK GDPR on substantially similar terms.
- Right to be informed (PDPA s.23) — covered by this policy.
- Right of access (s.30) — request a copy of the personal data we hold about you.
- Right to rectification (s.35) — have inaccurate or incomplete data corrected.
- Right to erasure / account deletion (s.33) — delete your account and associated data.
- Right to restriction (s.34) — pause our use of your data in certain circumstances.
- Right to data portability (s.31) — receive your data in a machine-readable format, or have it sent to another provider.
- Right to object (s.32) — object to processing based on legitimate interests.
- Right to withdraw consent (s.19), where processing is based on consent.
- Right to lodge a complaint with the Personal Data Protection Committee of Thailand (PDPC). Contact details are at pdpc.or.th.
To exercise any of these rights, email privacy@thaiandenglish.com from the email address on your Account. We may need to ask follow-up questions to confirm your identity and scope the request. We aim to respond substantively within 30 days as required by PDPA Section 30(3). There is no charge for reasonable requests; we may charge a reasonable fee or refuse manifestly unfounded or excessive requests to the extent permitted by law.
9. Breach notification
In the event of a personal-data breach that poses a risk to your rights, we will notify the PDPC within 72 hours as required by PDPA Section 37(4), and we will notify you without undue delay if the breach presents a high risk to your rights and freedoms.
10. Children and minors
Under the PDPA, a person under 20 years of age who is not married is a minor and cannot give valid consent without parental or guardian agreement. During onboarding we ask you to self-declare whether you are under 18, which controls an in-product Kid Mode filter; this is not a legal age-verification.
- If you are under 20 and resident in Thailand, please use the Service only with the permission of a parent or legal guardian, who accepts our Terms of Service on your behalf.
- We do not knowingly collect data from children under 10. If we learn that we have, we will delete it without undue delay.
- Kid Mode, when selected, hides adult-context examples (bar phrases, dating scripts, etc.).
- A parent or guardian who believes a minor has created an Account without appropriate consent should contact privacy@thaiandenglish.com and we will delete the Account promptly.
11. Cookies & local storage
We use your browser's localStorage to cache your progress and preferences for offline use, and a Supabase authentication cookie to keep you signed in. These are strictly necessary to operate the Service and do not require separate consent under the PDPA. We do not use analytics, tracking, or advertising cookies. If we ever add any non-essential cookie, we will request your consent before setting it.
12. Changes to this policy
If we make material changes to this Policy we will notify you by email (if you have an Account) or by in-app banner at least 14 days before they take effect. Minor clarifications will be reflected in the "Last updated" date at the top of this page.
13. Contact
Cultra Lab Limited Partnership
1st Floor, PKCD Building, 9, 8 Muang Naka Rd
Phuket 83000, Thailand
Privacy contact: privacy@thaiandenglish.com
General contact: hello@thaiandenglish.com
© Cultra Lab Limited Partnership. All rights reserved.