ThaiBot for your business — get started for free

Privacy Policy

Last Updated: April 8, 2026

Available in: English | ภาษาไทย (coming soon)

1. Introduction

This Privacy Policy describes how ThaiBot ("we," "us," or "our") collects, uses, stores, and protects personal data when you use our website at thaibot.ai and our AI-powered customer support platform (the "Service").

ThaiBot is operated by a Canadian sole proprietorship. We are committed to complying with Thailand's Personal Data Protection Act B.E. 2562 (2019) ("PDPA") and applicable international data protection laws.

This policy applies to:

  • Business customers who use ThaiBot to deploy AI chatbots for their businesses
  • End-users (consumers) who interact with ThaiBot-powered chatbots on business websites
  • Website visitors who browse thaibot.ai

Our Role in Data Processing

ThaiBot acts as a data processor when handling end-user chat data on behalf of our business customers (who are data controllers under PDPA). For data we collect directly — such as account registration data and website visitor data — we act as the data controller.

2. Data We Collect

2.1 Account Data (Business Customers)

When you create a ThaiBot account, we collect:

  • Name, email address, and company/business name
  • Business information provided during onboarding (industry, description, operating hours)
  • Payment and billing information (processed securely by Stripe — we do not store card numbers)

2.2 End-User Data (Processed on Behalf of Customers)

When consumers chat with a ThaiBot-powered chatbot, we process on behalf of the business customer:

  • Chat messages and conversation history
  • Names, email addresses, and phone numbers voluntarily provided during chat
  • Appointment booking details (date, time, service requested)
  • Conversation metadata (timestamps, channel, session identifiers)

2.3 Automatically Collected Data

We automatically collect:

  • IP address, browser type, device information, and operating system
  • Pages visited, referring URLs, and interaction patterns on thaibot.ai
  • Log data for security monitoring and error diagnosis

2.4 Payment Data

Payment processing is handled entirely by Stripe. We receive confirmation of payment status but do not store, process, or have access to your full credit card numbers. Stripe is PCI DSS Level 1 certified.

2.5 Cookie Data

See Section 12 (Cookies) below and our cookie consent banner for details on cookies used on thaibot.ai.

3. How We Use Your Data

We use personal data for the following purposes:

  • To provide the Service — operating AI chatbots, processing messages, managing appointments
  • To process AI-powered chat responses — sending message content to AI providers to generate replies (see Section 4)
  • To process payments — via Stripe for subscription billing
  • To communicate with you — support inquiries, service updates, and marketing (with your consent)
  • To improve the Service — aggregate and anonymized analysis only
  • To ensure security — fraud prevention, abuse detection, rate limiting
  • To comply with legal obligations — tax records, regulatory requirements

4. AI Data Processing — How It Works

ThaiBot uses artificial intelligence to generate customer support responses. Understanding how your data interacts with AI is important:

4.1 How Messages Are Processed

When a consumer sends a chat message, it is transmitted to third-party AI providers via our routing service to generate a response. The message content and relevant conversation context are sent for processing.

4.2 AI Providers

  • OpenRouter — AI routing service. Zero Data Retention (ZDR) is enabled; prompts and responses are not logged or stored by OpenRouter.
  • Anthropic (Claude) — AI processing. Data is automatically deleted after 7 days and is never used for model training.
  • Google (Gemini) — AI processing. Data is handled per Google Cloud API terms; not used for training when accessed via API.

4.3 What Data Is Sent to AI Providers

  • Chat message content and conversation context
  • Business configuration data (business name, services, operating hours) to personalize responses

4.4 What Data Is NOT Sent to AI Providers

  • Payment information or credit card details
  • Passwords or authentication credentials
  • Data from other businesses or customers

4.5 No AI Training on Your Data

Your data is NOT used to train AI models. We have enabled Zero Data Retention (ZDR) on our AI routing service, which ensures that prompts and responses are not retained by AI providers for training or any other purpose beyond generating the immediate response.

4.6 AI Output Disclaimer

AI-generated responses may contain errors, inaccuracies, or inappropriate content. ThaiBot does not guarantee the accuracy, completeness, or reliability of any AI-generated output. Business customers are responsible for reviewing and monitoring AI responses.

5. Legal Basis for Processing

We process personal data under the following lawful bases as defined by the PDPA:

  • Contractual necessity (Section 24(3)) — processing that is necessary to provide the Service you have requested (core chat processing, account management, appointment booking)
  • Consent (Section 19) — for AI-specific disclosures, marketing communications, and cross-border data transfers
  • Legitimate interest (Section 24(5)) — for security monitoring, fraud prevention, service improvement through anonymized analytics
  • Legal obligation (Section 24(6)) — for tax compliance, regulatory record-keeping

6. Data Sharing & Third Parties

We share personal data with the following categories of third parties, solely to provide and operate the Service:

  • AI Providers: OpenRouter, Anthropic (Claude), Google (Gemini) — for generating chat responses
  • Hosting: Vercel (United States) — application hosting and delivery
  • Database: Supabase (United States) — data storage with AES-256 encryption at rest
  • Payments: Stripe (United States) — payment processing
  • Email: Resend — transactional email delivery (booking confirmations, account notifications)

We do not sell personal data. We do not share personal data with advertisers or data brokers. We do not use personal data for purposes other than those described in this policy.

7. Cross-Border Data Transfers

Your data is stored and processed on servers located in the United States. This constitutes a cross-border data transfer under PDPA Section 28.

The following transfers occur:

  • Database storage — Supabase servers in the US
  • Application hosting — Vercel servers in the US
  • AI processing — Anthropic and Google servers in the US (via OpenRouter)
  • Payment processing — Stripe servers in the US

Safeguards: We implement Standard Contractual Clauses (SCCs) with each US-based vendor where available. Our vendors maintain SOC 2 Type 2 certifications (Supabase, Vercel) or equivalent security standards. Your explicit consent for these transfers is obtained via our pre-chat consent screen and during account registration.

8. Data Retention

  • Account data: Retained while your account is active, plus 90 days after account deletion
  • Chat data: Retained per business customer configuration (default: 12 months)
  • Payment records: 7 years (tax compliance requirement)
  • Consent records: 5 years (PDPA requirement)
  • Log data: 90 days
  • AI provider retention: OpenRouter: none (ZDR enabled); Anthropic: 7 days maximum

Upon account closure, we will delete or anonymize your personal data within the retention periods specified above, except where retention is required by law.

9. Your Rights Under PDPA

Under Thailand's Personal Data Protection Act, you have the following rights:

  • Right to be informed — to know what data we collect and how we use it (this policy)
  • Right of access — to request a copy of your personal data (response within 30 days)
  • Right to rectification — to correct inaccurate or incomplete data (30 days)
  • Right to erasure — to request deletion of your personal data (90 days)
  • Right to restrict processing — to limit how we process your data (30 days)
  • Right to data portability — to receive your data in a structured, machine-readable format (30 days)
  • Right to object — to object to processing based on legitimate interest (30 days)
  • Right to withdraw consent — at any time, as easily as consent was given (immediate effect)

To exercise any of these rights, contact us at privacy@thaibot.ai. We will respond within the timeframes specified above.

You also have the right to lodge a complaint with the Personal Data Protection Committee (PDPC) of Thailand if you believe your rights have been violated.

10. Security

We implement appropriate technical and organizational measures to protect your personal data:

  • Encryption at rest — AES-256 encryption via Supabase
  • Encryption in transit — TLS/SSL on all connections
  • Access controls — Row Level Security (RLS) on all database tables, multi-factor authentication on administrative accounts
  • Rate limiting — on all API endpoints to prevent abuse
  • Breach notification — we commit to notifying affected parties and the PDPC within 72 hours of discovering a confirmed data breach

11. Children

The Service is not intended for individuals under 20 years of age without parental or guardian consent, in accordance with PDPA Section 20. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a minor without appropriate consent, we will delete it promptly.

12. Cookies

We use the following categories of cookies on thaibot.ai:

  • Strictly necessary cookies — authentication session, CSRF protection, consent preferences. These are required for the Service to function and do not require consent.
  • Functional cookies — language and locale preferences. Set only with your consent.

Vercel Analytics (if enabled) is cookieless by default and does not require cookie consent. You can manage your cookie preferences at any time via the cookie consent banner on our website.

13. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you via email at least 30 days before the changes take effect. Non-material changes (such as formatting or clarifications) will be posted here with an updated "Last Updated" date.

Continued use of the Service after notification of material changes constitutes acceptance of the updated policy.

14. Contact

For privacy-related inquiries or to exercise your data protection rights:

For general inquiries about the Service, visit thaibot.ai or contact us through the chat widget.