Your data is safe with ThaiBot

ThaiBot is built to comply with Thailand's Personal Data Protection Act (PDPA) B.E. 2562. We process data under lawful bases defined by PDPA Sections 19 and 24, and we respect all data subject rights including access, rectification, erasure, and portability.

Read our full Privacy Policy →

All data is encrypted in transit (TLS/SSL) and at rest (AES-256). Your customer conversations, business data, and personal information are protected at every layer of our infrastructure.

• AES-256 encryption at rest (Supabase)
• TLS 1.2+ on all connections
• Row Level Security on every database table

We enable Zero Data Retention (ZDR)on our AI routing service. Your prompts and conversations are never stored or used to train AI models. They exist only long enough to generate a response, then they're gone.

• OpenRouter: Zero Data Retention enabled
• Anthropic (Claude): Auto-deleted after 7 days, never trained on
• Google (Gemini): API-only access, not used for training

ThaiBot runs on industry-leading infrastructure providers with enterprise-grade security certifications. We don't store payment card data — Stripe handles it all (PCI DSS Level 1).

Data is stored on US-based servers (Supabase, Vercel). We implement Standard Contractual Clauses (SCCs) with vendors where available and obtain explicit user consent for cross-border transfers as required by PDPA Section 28.

In the event of a confirmed data breach, we commit to notifying affected parties and the Personal Data Protection Committee (PDPC) within 72 hoursof discovery — exceeding the PDPA notification requirement.

Under PDPA, you have the right to access, correct, delete, restrict, and port your data. You can withdraw consent at any time. Contact privacy@thaibot.aiand we'll respond within 30 days.

All API endpoints are rate-limited to prevent abuse. Database access is secured with Row Level Security (RLS) — businesses can only access their own data. Administrative accounts require multi-factor authentication.