Privacy Policy of Shortcut Education Co., Ltd.

Effective Date: 22 April 2026

Last Updated: 22 April 2026

Version: 1.0

Note: This English version is provided for convenience only. The Thai version is the legally binding document. In case of any discrepancy, the Thai version shall prevail.

Data Controller

Name: Shortcut Education Co., Ltd.

Contact: support@shortcut.biz

Website: https://www.shortcut.biz

The Company is the Data Controller of your personal data under the Thai Personal Data Protection Act B.E. 2562 (PDPA). To exercise your rights as a data subject, please refer to Section 8 and contact us through the channels above.

Shortcut Education Co., Ltd. ("Company" or "Shortcut") values the protection of the personal data of its users ("User" or "you"). This Privacy Policy describes how the Company collects, uses, discloses, and protects your personal data when you access the Shortcut platform — via the website www.shortcut.biz, the mobile application, or any other channel provided by the Company.

This Policy is issued under the Thai Personal Data Protection Act B.E. 2562 (PDPA) and other applicable laws. Your use of Shortcut services is deemed your acceptance of this Policy. If you do not agree, please discontinue use immediately.

1. Personal Data We Collect

The Company may collect personal data from you as follows:

1.1 Data you provide directly

  • Registration data: first/last name, email, phone number, password (stored encrypted), profile picture
  • Data from third-party sign-in providers such as Google (Firebase Authentication) or LINE (we receive only the data you authorize, e.g., email, account name, profile picture)
  • Payment data: transaction records and payment status (credit/debit card data is stored and processed by PCI-DSS certified payment providers; the Company does not store full card data on its systems)
  • Affiliate program KYC data (Affiliate applicants only): national ID / tax ID, copy of ID card, address, bank account for payouts
  • Contact data: messages, questions, feedback, or complaints submitted via contact channels

1.2 Data collected automatically

  • Device and usage data: device type, OS, browser version, IP address, language, device ID
  • Learning data: courses purchased, episodes watched, progress, time spent, clicks, and content interactions
  • Notification tokens (Firebase Cloud Messaging / FCM) to send push notifications to your device
  • Cookies and similar tracking technologies (see Section 6)
  • Affiliate referral data: referral code, click source, conversions — used to calculate commissions

1.3 Data from third parties

  • Authentication providers such as Firebase Authentication (Google), LINE Login
  • Payment providers and banks
  • Affiliates who referred you to the platform

2. Purposes of Collection and Use

The Company uses your personal data for the following purposes:

  • Providing the online learning platform — account creation, authentication, course access, and progress tracking
  • Processing orders and payments — invoicing, fraud detection, and dispute handling
  • Sending notifications, communications, and customer support via email, SMS, push notifications, or other channels you provide
  • Developing, improving, and evaluating the quality of services, courses, and user experience
  • Marketing and promoting new courses or offers (only with your consent, which you may withdraw at any time)
  • Operating the Affiliate program — click tracking, commission calculation, KYC, and payouts
  • Preventing, investigating, and addressing fraud, violations of the Terms of Service, or illegal acts
  • Complying with laws, regulations, and governmental orders

4. Disclosure to Third Parties

The Company will not sell or rent your personal data to third parties. However, it may disclose your data to service providers necessary for platform operations, including:

  • Authentication providers: Google (Firebase Authentication), LINE Login
  • Infrastructure and cloud providers: for hosting and content delivery (e.g., Cloudflare for images and digital content)
  • Notification providers: Firebase Cloud Messaging (FCM) for push notifications, SMTP providers for email, SMS providers (e.g., Twilio)
  • Payment providers: banks or PCI-DSS certified payment gateways
  • Analytics and marketing providers: to measure campaign effectiveness and improve services (using aggregated or anonymized data where possible)
  • Professional advisors: legal, accounting, and audit advisors, who are bound by confidentiality obligations
  • Government authorities and courts: when required by law, court order, or to protect the Company's rights

The Company requires all recipients to maintain confidentiality and data protection at a standard no less than that set out in this Policy and applicable law.

5. International Data Transfer

Some external providers used by the Company, such as Google Firebase and Cloudflare, may process or store data on servers outside of Thailand. The Company ensures that such providers maintain personal data protection standards at an adequate level as required by the PDPA.

6. Cookies and Tracking Technologies

The Company uses cookies and similar technologies to ensure proper platform functionality and to enhance your experience. Types of cookies we use:

  • Strictly necessary cookies: e.g., login cookies (JWT token, refresh token), security, and session state
  • Functional cookies: e.g., selected language, user preferences
  • Analytics cookies: e.g., measuring platform usage and performance
  • Marketing / Affiliate cookies: e.g., Affiliate referral code tracking

You may manage or disable cookies via your browser settings. However, disabling certain cookies may impair some platform functionality.

7. Data Retention

The Company retains your personal data only as long as necessary for the purposes described, or as required by law, based on the following principles:

  • Account and learning data: retained for the duration the account is active, plus up to 2 years after account closure, unless longer retention is required by law
  • Payment data and accounting records: retained for at least 5 to 10 years as required by accounting and tax laws
  • Affiliate KYC data: retained for at least 5 years after termination of the relationship, as required by anti-money-laundering laws
  • Computer traffic logs: retained for at least 90 days as required by the Computer Crime Act

After these periods, the Company will delete, destroy, or anonymize such personal data.

8. Rights of the Data Subject

Under the PDPA (B.E. 2562), you have the following rights:

  • Right of access: to access and obtain a copy of the personal data we hold
  • Right to rectification: to request correction of inaccurate or outdated data
  • Right to erasure: to request deletion or destruction of your data, unless we are legally required to retain it
  • Right to restrict processing: to request temporary restriction of use of your data
  • Right to data portability: to receive your data in a readable format or transfer it to another data controller
  • Right to object: to object to certain processing of your data
  • Right to withdraw consent: to withdraw consent at any time, without affecting processing performed before withdrawal
  • Right to lodge a complaint: to the Office of the Personal Data Protection Committee if you believe we are in breach of the law

To exercise these rights, please contact us at support@shortcut.biz. We will consider and respond to your request within 30 days of receipt.

9. Security Measures

The Company implements appropriate technical and organizational measures to prevent loss, unauthorized access, use, alteration, or unlawful disclosure of your personal data, including:

  • Encryption of sensitive data (e.g., passwords, authentication tokens) both at rest and in transit (HTTPS/TLS)
  • Role-based access control for internal access
  • Logging and audit of system access activities
  • Regular review and improvement of security measures

In the event of a personal data breach with high risk, the Company will notify you and the Office of the Personal Data Protection Committee as soon as possible, within the timeframes required by law.

10. Minors

The Company's platform is primarily intended for persons aged 18 years or older. If the User is a minor (under 20 years of age) or is legally incompetent, use of the service requires the consent of the person exercising parental power, a guardian, or a legal custodian.

If the Company becomes aware that it has collected personal data from a minor without appropriate consent, it will delete such data as soon as possible.

11. Changes to This Policy

The Company may update or revise this Policy from time to time to reflect changes in law, services, or technology. The updated Policy will be published through appropriate channels — e.g., the website or in-platform notification.

Your use of the service after the effective date of the updated Policy constitutes acceptance of the updated Policy.

12. Relation to Terms of Service

This Policy is part of the Terms and Conditions of Service of the Shortcut platform. In the event of any conflict between the two documents concerning personal data protection, this Policy shall prevail.

13. Contact

For any questions, complaints, or to exercise your rights as a data subject, please contact:

Shortcut Education Co., Ltd.

Email: support@shortcut.biz

Website: https://www.shortcut.biz

Privacy Policy Version 1.0 — Effective 22 April 2026