PRIVACY POLICY

This Privacy Policy, or "Policy," comes into effect from April 3, 2024, and includes the following details:

Clause 1 - Definitions
Within this policy:

(a) "Website" refers to the website named CABAL: INFINITE COMBO, located at www.combocabalm.com.
(b) "Data Controller" refers to the website provider or owner, namely CB Soft Co., Ltd., Company Registration Number 0125566036499, located at 94/402, Moo 4, Bang Yai Subdistrict, Bang Yai District, Nonthaburi Province, and can be contacted via business@combo-interactive.com.
(c) "Data Processor" refers to an external entity that processes data on behalf of the Data Controller.
(d) "Data" refers to any information communicated or transmitted in any form, whether by document, file, report, book, plan, map, drawing, photograph, film, audio, or electronic recording.
(e) "Personal Data" refers to any data about a natural person that can identify the person either directly or indirectly.
(f) "Sensitive Data" means Personal Data related to race, ethnicity, political opinions, religious or philosophical beliefs, sexual behavior, criminal records, health data, disabilities, genetic and biometric data, such as facial images, iris scans, or fingerprints, labor union data, or any other data classified as sensitive by the Personal Data Protection Committee under the law.
(g) "User" means you, the visitor, user, or member of the website, whose Personal Data is governed by this Policy.
(h) "Data Protection Officer" refers to the officer appointed by the Data Controller to implement this policy in accordance with data protection laws.

Clause 2 - User Consent
By using this website, you agree that the website collects and uses your Personal Data for the following purposes:

(a) Marketing and promotions via online and offline channels, mobile text messages, and telemarketing.
(b) The website will collect and use your Personal Data, including your name, gender, address, country, phone number, email, and birth date.
(c) The Data Controller will retain your Personal Data for a period of 5 years, starting from the date you consented to the collection and use of your Personal Data.

Clause 3 - Data Sharing with Third-Party Service Providers
The user agrees to allow the Data Controller to share data with third-party service providers. The Data Controller will notify users in advance, allowing them to consent to the sharing of their data explicitly.

Clause 4 - Website Tracking Technologies
The Data Controller is authorized to use technologies like Cookies, Pixel Tags, and Google Analytics to track user behavior on the website. This data will be used solely for service improvement and targeted product recommendations.

Clause 5 - Withdrawal of User Consent
Users may withdraw their consent at any time by opting out through the privacy settings on the website. Withdrawal may limit access to special features on the site, allowing users only to browse.

Clause 6 - User Accounts
A user account may be provided. Users agree to keep their account credentials confidential and accept full responsibility for any actions taken by third parties using their account.

Clause 7 - User Rights
Users retain the right to:

Withdraw consent.
Access and request copies of their Personal Data.
Request that the Data Controller disclose the source of Personal Data collected without consent.
Transfer Personal Data to another Data Controller.
Object to data collection, use, or disclosure in certain situations.
Request the deletion or anonymization of Personal Data no longer necessary for the original purpose.

Clause 8 - Security Measures
The Data Controller employs appropriate security measures to prevent unauthorized access, such as access control, encryption, firewalls, and Internet Protocol Security (IPsec).

Clause 9: Rectification of Personal Data
The Data Controller has systems and measures in place as follows:

(a) Ensure that personal data is accurate, up-to-date, complete, and does not cause misunderstandings.
(b) Delete personal data that exceeds the retention period agreed upon by the user.
(c) Delete personal data that is irrelevant to the purposes for which the user has given consent.

Clause 10: Collection, Use, and/or Disclosure of Personal Data under Data Protection Law
The user consents to the collection, use, and/or disclosure of their data without prior consent. The collection, use, and/or disclosure must be necessary and align with the stated purposes. The Data Controller may collect, use, and/or disclose the user’s data without prior consent in the following cases:

(a) For achieving objectives related to public benefits, research, statistics, or historical or archival purposes. The Data Controller will implement appropriate measures to protect the rights and freedoms of the user’s personal data.
(b) To prevent or mitigate harm to the life, body, or health of any individual.
(c) When the collection, use, and/or disclosure is necessary to perform a contract to which the user is a party or to carry out the user’s request before entering into such a contract.
(d) When the use of personal data is necessary for the Data Controller to perform a public duty or comply with legal obligations.
(e) When the use of personal data is necessary for the legitimate interests of the Data Controller or a third party, provided such interests outweigh the fundamental rights and freedoms of the data subject.
(f) To comply with the law. The Data Controller will record information related to the collection, use, or disclosure of personal data as mentioned above.

Clause 11: Collection, Use, and/or Disclosure of Sensitive Personal Data
The user acknowledges and agrees that the Data Controller may collect, use, and/or disclose sensitive personal data without the user’s prior consent in the following necessary circumstances:

(a) To prevent or mitigate harm to the life, body, or health of the user, even if the user is unable to give consent.
(b) When the data has been publicly disclosed with the user’s explicit consent.
(c) When necessary for the establishment, exercise, or defense of legal claims.
(d) When necessary for compliance with laws concerning:

(1) Preventive medicine, occupational medicine, employee work capacity assessments, medical diagnoses, health or social care services, medical treatments, or healthcare management.
(2) Public health benefits, such as preventing dangerous communicable diseases, or controlling the quality of medicines, medical devices, or pharmaceutical products, with appropriate protective measures in place.
(3) Labor protection, social security, national health insurance, or legal rights regarding social protection, with appropriate protective measures.
(4) Scientific, historical, or statistical research for public benefit, with necessary protective measures in place as determined by the Personal Data Protection Committee.
(5) Significant public interest with appropriate protective measures to safeguard the fundamental rights and benefits of the user.

Clause 12: Website Usage by Persons Under Guardianship or Custody
The user guarantees that they will not allow persons under their guardianship, as described below, to visit, use, or become members of the website:

(a) Incapable persons under the user’s guardianship.
(b) Quasi-incapable persons under the user’s custody.

If the user permits such persons to visit, use, or become members of the website, the user agrees that they have exercised their guardianship or custody to agree and consent to this policy on behalf of such persons.

Clause 13: Transfer of Personal Data to Foreign Countries
The Data Controller may transfer the user's personal data to foreign countries under the following conditions:

(a) The destination country or international organization must have adequate data protection standards as defined by law.
(b) The user has been informed and consents to the transfer despite the inadequate data protection standards of the destination country or organization.
(c) To comply with the law.
(d) When necessary to perform a contract to which the user is a party or to carry out the user’s request prior to entering into a contract.
(e) To comply with a contract between the Data Controller and another person for the user’s benefit.
(f) To prevent or mitigate harm to the life, body, or health of the user or another individual when the user cannot give consent.
(g) When necessary for performing tasks of significant public interest.

Clause 14: Notification of Personal Data Breaches
When the Data Controller becomes aware of a personal data breach, regardless of the party involved, the Data Controller will follow these steps:

(a) If there is a risk of impact on the rights or freedoms of any individual, the Data Controller will notify the Office of the Personal Data Protection Committee without delay, within 72 hours of becoming aware of the breach.
(b) If there is a high risk of serious impact on the rights or freedoms of any individual, the Data Controller will notify both the Office of the Personal Data Protection Committee and the affected data subjects within 72 hours of becoming aware of the breach.

Clause 15: Complaints and Reporting Issues on Personal Data
Users can file complaints or report issues regarding personal data, including requesting corrections or updates, objecting to data collection, or suspending data use by contacting the Data Protection Officer at business@combo-interactive.com.

Clause 16: Record of Significant Items
Unless otherwise specified by the data protection law, the Data Controller will record important information related to the storage, use, or disclosure of data, including the following:

(a) Personal data collected.
(b) The purpose of collecting each type of personal data.
(c) Information about the Data Controller.
(d) Retention periods for personal data.
(e) Rights and methods of accessing personal data.
(f) Exceptions for consent to collect, use, or disclose data.
(g) Denial of requests or objections.
(h) Details of data security measures.

Clause 17: Amendments to the Policy
The Data Controller may amend or modify this policy at any time, in whole or in part. The Data Controller will notify users of such changes, allowing them to review and accept electronically or otherwise. Once accepted, the amended policy becomes part of this agreement.

Clause 18: Relationship of the Parties
The parties agree that entering into this policy does not create an employer-employee relationship under labor law, nor a partnership under corporate law.

Clause 19: Assignment of Rights
Unless otherwise expressly stated, neither party may assign rights, duties, and/or liabilities under this policy without prior written consent from the other party.

Clause 20: Waiver of Rights
If the Data Controller delays or does not exercise a right, it does not constitute a waiver of that right. Exercising a partial right or waiving a right does not waive any other rights.

Clause 21: Severability of the Policy
If any provision of this policy is deemed invalid or unenforceable for any reason, the remaining provisions will remain valid and enforceable.

Clause 22: Governing Law
This policy is governed by the laws of Thailand.

Clause 23: Dispute Resolution
If disputes arise from this policy and the parties cannot resolve them, they agree to submit the dispute to the courts in Thailand.