Fair Fair Company Limited, Juristic Person Registration number 0505555003558, the head office is located at No. 107/4, Village No. 5, Chiang Mai - San Sai Road, Nong Pa Khrang SubDistrict, Mueang Chiang Mai District, Chiang Mai Province, 50000, and the Green Capital Company Limited group, and persons involved in the processing of personal data who act according to the instructions of or on behalf of Fair Fair Company Limited, hereinafter called “ the Company” who have collected, used and / or disclosed data (refer as “Data Processing”). In order to comply with the Personal Data Protection Act B.E. 2562, including announcements and / or other relevant laws, the Company therefore has prepared and published this declaration to clarify and inform details about the collection, use or disclosure of personal data, including methods for protecting personal data as well as guidelines for handling personal data according to the Personal Data Protection Act B.E. 2562 as follows;

1. Definitions

• "Company" means Fair Fair Company Limited including group of Green Capital Company Limited and persons involved in the processing of personal data who act according to instructions of or on behalf of Fair Fair Company Limited.
• "Group of Green Capital Company Limited" means companies in the group of Green Capital Company Limited, consists of Green Capital Company Limited, Chai Phatthana Transport Chiang Mai Company Limited, Thai Phatthanakit Transport Company Limited, Chok Rung Thawee Tour Company Limited and Fair Fair Company Limited, including companies, partnerships, juristic persons, any other business that may have and/or be registered in the future.
• "You" or "Data Owner" means the person who owns that Personal Data. The Data owner refers only to individuals and does not include legal entities such as companies, partnerships, associations, foundations, or any other organization.
• "Policy" means the Personal Data Protection Policy of Fair Fair Company Limited.
• "Personal Data" means information about an individual that enables an individual to be identified, whether directly or indirectly; however, it does not include the information of the deceased.
• "Sensitive Data" means information including, but not limited to, personal information relating to race, ethnicity, political opinions, beliefs in a creed, religion or philosophy, sexual behavior, criminal history, health information, disability information, labor union information, genetic information, biological information such as face simulation data, iris simulation data or fingerprint simulation data, etc.
• "Processing of Personal Data" means the collection, use and disclosure of personal data.
• "Personal Data Controller" means a person or juristic person who has the authority to make decisions regarding the collection, use or disclosure of personal data.
• "Data Processor" means a person or juristic person that deals with the collection, use or disclosure of personal data according to the order or on behalf of the company.
• "Person" means an individual.

2. The scope of the Company's Personal Data Protection Policy applies to the following persons;

1. 2.1 A person who has been in contact with the Company including past and future customers, or
2. 2.2 Employees, personnel, officers, attorneys, representatives, agency, shareholders, directors, contact persons or persons related to a juristic person, a group of persons who has contacted the company including past and future customers.
3. 2.3 A person who has been in contact with the Company, including past and future business partner or, or
4. 2.4 Employees, personnel, officers, representatives, shareholders, directors, contacts, agency or persons related to a juristic person, a group of persons who have contacted the company, whether it is, was or may continue to be a partner or business partner of the Company.
5. 2.5 Job applicants, internship applicants and references.
6. 2.6 Employees, guarantors, internships, and family members of employees of the company.
7. 2.7 Visitors or the users of website www.fairfair.co.th, including electronic channels, applications, social media or other company sources.

3. Personal Data that the company collects, uses or discloses

In the collection and retention of Personal Data, the Company uses lawful means and as much as necessary according to the Company's operating objectives as follows;

1. 3.1 Personal Data such as name-surname, age, date of birth, ID card number, Passport number, signature, copy of ID card, copy of House Registration, marital status, position, occupation, affiliation, Passport number or other identifying card number or other official documents that can be identified, etc.
2. 3.2 Contact Information such as address, phone number, email, business card, workplace, etc.
3. 3.3 Image Data such as image data, your or your property motion picture which has been collected from closed-circuit television, cameras when entering the company area, motion pictures of you or your property obtained from CCTV on buses, etc.
4. 3.4 Service Account Data on the Platform such as user account name, password, etc.
5. 3.5 Financial Data such as bank account information, copy of bank book, credit card number, credit card limit information, transaction data includes information about the products or services you purchase, price, payment method and payment details, income, etc.
6. 3.6 Purchase data of goods and services such as order history, interest in purchasing and servicing products, order number, request number, etc.
7. 3.7 Travel Information such as car information, flight information, hotel information, tour information, your car rental information, information for specific services for those who require a seat number, record passenger information on the trip, ticket number, tax invoice number, etc.
8. 3.8 Data obtained from automotive systems or devices such as IP Address, Cookie, service behavior, service history, sound, photo, animation, Social Media, Chat, Geolocation account, etc.
9. 3.9 Operational information such as start date, department, working year, position, job position, history, employment certification and references, employee identification number, salary, wages and benefits, salary adjustment history, employee disciplinary records and information, date of termination of employment, types of layoffs, recording of working time and leave history, bank account number, emergency contact details, details of employee life insurance beneficiaries (if any), educational background information and grades, learning and development information, image data, work history, other benefits that are not compensation from work, insurance related information, family members information, meeting notes and comments, etc.

The Company will collect personal information upon prior consent of the owner of the personal information, except in the following cases;

• Act according to the contract in the collection, use or disclosure of personal data for the necessity of services or performing a contract between the data owner and the Company.
• To prevent or suppress a danger to life, body or health.
• To comply with the law.
• For the Company's legitimate interests in case of necessity for legitimate benefits in the operation of the Company. The Company will consider the rights of the data owner as a priority such as to prevent fraud, network security, defense of freedom and the benefits of the data owner, etc.
• For study, research or statistics in the case of historical documents or archives for public interest related to research studies or statistics with appropriate manners to protect the rights and freedoms of data owner.
• To perform state missions in case it is necessary to perform missions for the public interest, to see the performance of under the authority of the state when the company has been assigned.

4. Sensitive Personal Data

The Company may need to collect sensitive information such as religion, ethnicity, biometrics (face scans, fingerprint scans), disability information, health information, criminal history. The company will ask for your consent every time to collect, use and/or disclose such information unless;

1. To prevent or suppress a danger to a person's life, body or health, which the owner of personal data cannot give consent for any reason.
2. It is a legitimate activity with the appropriate protection of a foundation, association or non-profit organization with political, religious, philosophical or trade union objectives to members who are former members or who are in regular contact with the foundation, associations or non-profit organizations according to the purposes without external disclosing personal data from the foundation, association, or non-profit organization.
3. The information is public with the explicit consent of the personal data owner.
4. It is necessary for the establishment of legal claims, practice or exercising legal claims or escalating legal claims.
5. It is necessary to take action according to the law in order to achieve the objectives regarding;
   1. Preventive medicine or occupational medicine, assessment of employees' ability to work, medical diagnosis, providing health or social services, medical treatment, health management in the process of providing social work services.
   2. Public health benefits such as health protection from dangerous communicable diseases or epidemics.
   3. Labor protection, social security, national health insurance, welfare relating to medical treatment of persons with legal rights, protection for car accident victims or social protection necessary to fulfill the rights or obligations of the Company or the owner of the personal data by providing appropriate measures to protect the fundamental rights and interests of the data owner.
   4. Scientific, historical, statistical or other public interest research studies.
   5. Important public interest.

The Company does not wish to collect and process the personal data of minors under 10 years of age. In the event that a minor is under 10 years old and wishes to use the website or application, receive services or has contract with the Company which requires a minor to submit personal information to the Company, the parents or guardians of the minor shall act on behalf of the minor.

In the case of a minor who is over 10 years old but is not sui juris and is unable to perform any legal acts by himself/herself and in doing so, the Company must collect personal information of minors, the Company may request the consent directly from the parents or guardians of the minor or may request the minor to notify the parents or guardians to give consent for the action with the Company.

5. Sources of Data

1. 5.1 Information from data owner directly, when you have provided in activities such as website channels, applications or other channels of the Company, entry and exit from the Company, purchasing products or using services from the Company, training, procurement, online and offline transactions, electronic correspondence (e-mail), filling in/providing information for applying for a job or other communication channels between the Company and you.
2. 5.2 Information from relevant third parties such as relatives, family members, etc.
3. 5.3 Data from automotive systems, such as CCTV footage, etc.
4. 5.4 Information from other sources, such as public information, information from partner, agencies, government agencies or the group of Green Capital Company Limited as well as other personal information that the service user has provided.

6. Purposes of collection, use or disclosure of personal data

The Company may use personal information for the following purposes or according to other purposes notified when collecting data or that you have given your consent after the Company has collected data in order to;

1. 6.1 Enter into contracts or perform contractual duties between the Company and the data owner or performing the duties under the contract between the Company and third parties for the benefit of the data owner.
2. 6.2 Use information to verify customer identity.
3. 6.3 Provide information, recommend products, products, services, marketing public relations, promotional items, or benefits through contact channels received from the data owner.
4. 6.4 Deliver products and provide services to meet various needs or complaints.
5. 6.5 Be used in business operations, evaluations and business improvements to improve the quality of products and services.
6. 6.6 Carry out any accounting and financial activities such as account verification, notification and debt collection, issuing tax invoice and evidence of various transactions required by law, etc.
7. 6.7 Use for the legitimate interests of the Company such as voice recording of complaints through the Call Center system, recording via CCTV, recording in and out from the company.
8. 6.8 Comply with the Company’s policy.
9. 6.9 Apply for job, employment and/or any other related purposes.
10. 6.10 Be used in investigations and compliance with laws, regulations or statutory duties of the company.
11. 6.11 Respond to your request such as after-sales service, receipt of complaints, etc.
12. 6.12 Facilitate and present a list of benefits to service users.
13. 6.13 Use in market purposes, promotion and customer relations such as sending promotional information, products and services, promotional items, recommend business partners, etc.
14. 6.14 Survey customer satisfaction, market research and statistical analysis for information to improve products and services or create new products and services.
15. 6.15 Other purposes with your explicit consent.

7. Individuals or entities that may be exposed to your personal information from the Company

The Company may need to disclose your personal information to other persons or entities located in Thailand or abroad to achieve the objectives stated in this declaration; namely,

1. 7.1 Group of the Green Capital Company Limited.
2. 7.2 Business partners of the Company such as business partner in ground transportation, air transport and rail transport, tourism, hotel, car rental, marketing, financial institution, insurance or life insurance company or any person involved in the promotion or loyalty program, platform partner data analysis or the person whose name or logo appears in the contract, website or other service channels of the company.
3. 7.3 Persons related to the Company's services such as passenger transport operators, both scheduled and non-scheduled, airline, area operators provide check-in services and baggage handling, pick-up service and delivery service, call center operations, person who acts as an intermediary in the Company's transactions, service partner with the Company, outsource service provider, operator or seller of goods or services to the Company or representatives of both domestic and foreign companies that the company is a contracting party with, such as structural development service provider, technical infrastructure provider, electronic system or information technology development service provider, logistics and warehouse service providers, cloud service provider (Cloud), data analytics service provider, providers of organizing events and activities, etc.
4. 7.4 Individuals or entities as required by law, the Company may need to disclose your personal information to comply with laws, rules, regulations or orders of government agencies, government agencies, regulators or when the Company believes that the action is necessary for take actions according to the law, to protect the rights of other companies or individuals, for the safety of other people, to prevent, check or dealing with corruption, security or safety in areas such as tax agency, fund management unit, social security, financial institutions, etc.
5. 7.5 Company consultants such as experts in law, finance, techniques and auditors, etc.
6. 7.6 Assignees of rights or obligations from the Company or persons who accept the claim transfer from the Company, including persons related to the reorganization, business transfer investment, a merger, the purchase or sale of assets, stocks or businesses; the persons involved in the operations will comply with this declaration.
7. 7.7 Other people related to you, such as beneficiary, person with authority to act on behalf of, guarantor, etc.
8. 7.8 Associations, organizations, clubs, and agencies such as Employee Savings Cooperative, Thai Airways Co., Ltd., Thai Airways Staff Club Association, etc.
9. 7.9 Websites and social media such as Facebook, Google or Instagram, etc.

The company will require the person or agency that has disclosed your personal data to comply with the security of your information according to company policy and law. The company will allow the use of your personal data only for the stated purposes and in accordance with the company's instructions.

8. Transfer and disclosure of personal information

The Company will not disclose and/or transfer your personal information to external agencies, unless informed consent from you or in the following cases;

1. 8.1 To achieve the purposes stated in this Privacy Policy, the Company may need to disclose or share specific information as necessary to partners, service providers or outside agencies as follows;
   1. 8.1.1 Business partners and business partners.
   2. 8.1.2 Agents or partners who provide services to the Company or perform any act on behalf of the Company such as carrier, document storage and destruction service provider, contractors doing marketing activities and advertising media, the contractor develops and maintains security systems and information technology, auditor, lawyer, legal or tax consultant, etc.
   3. 8.1.3 Business partners.
   4. 8.1.4 Banks and payment service providers such as credit or debit card companies, etc.
2. 8.2 The Company may disclose or share personal information to a group of Green Capital Company Limited, which will only process the information for the purposes specified in this Privacy Policy.
3. 8.3 Required by law or legal process to disclose information or disclosed to officials, government officials or competent authorities to comply with a lawful order or request.

9. Transferring or transmitting information to other countries

In some cases, the Company may send your information to other countries such as in the event that the company contacts service recipients abroad or external agencies located abroad; in such a case, the Company will send your information abroad only if it meets one of the following conditions;

1. 9.1 Destination country or international organization that receiving information has been determined by the Personal Data Protection Committee that their protection of personal data manners are satisfactory.
2. 9.2 Foreign entities, that receiving data under personal data protection policies, have been inspected and certified by the Office of the Personal Data Protection Commission.
3. 9.3 Companies and foreign entities have established appropriate personal data protection measures that can enforce the rights of data owner, including effective legal remedial measures according to the rules and procedures prescribed by the Personal Data Protection Committee such as standard contract, compilation of practices, certified standards, etc.
4. 9.4 It is necessary for the exercise of legal rights.
5. 9.5 Have received your consent whereby you are aware of the inadequate personal protection standards of the destination country or international organization receiving the personal data.
6. 9.6 It is necessary for the performance of a contract to which you are a party or for processing your request before entering into that contract.
7. 9.7 It is an action under a contract between the company and another person or juristic person for your benefit.
8. 9.8 To prevent or suppress a danger to the life, body or health of you or another person, when you are unable to give consent at that time.
9. 9.9 It is necessary for the implementation of important public interest.

10. Links to Other Websites or Services

The Company may provide links to other external websites or services, which the company is not responsible for the practice or action of personal data protection or the content of those websites or services. The Company recommends that you shall read and understand the privacy statements or policies of each website or service, and the Company's Privacy Policy which applies to personal information collected by the Company only.

11. Website Systems Used by the Company to Collect Information

To access the Company's website system, the Company automatically collects certain information from your usage for the purposes set out in this declaration such as recorded information or collected by cookies and similar technologies used by the Company for statistical analysis or in other activities of the website system or the Company's affairs to help the Company provide you with a good experience on the website, including improving the efficiency and quality of the Company's website.

12. Cookie

Cookies are small files containing information that are downloaded onto your device, when you visit the Company's website; the Company uses cookies to remember your preferences to store your booking and purchase information and to facilitate the operation of the website. If you visit our website without changing your browser or your device which settings cookies, it is considered that you agree to receive cookies when you use services on our website.

13. Personal Data Security Measures

The Company arranges appropriate security measures to prevent loss, access, use, alteration, alteration or disclose personal data without authorization or unlawfully in accordance with personal data protection law, in hard copy or in electronic form or any other form of personal data.

14. Period of collection of personal data

The Company will keep your personal data as long as the data is necessary for the purpose of data collection according to the details set forth in the policy, announcement or relevant laws. After the expiration of the period and your personal data is no longer necessary for the aforementioned purposes, the Company will destroy your personal data or make your personal data anonymous according to the format and standard for erasing personal information required by law. However, in the event of a dispute over the exercise of rights or lawsuits relating to your personal data, the Company reserves the right to continue to keep such information until the dispute has final judgment.

15. Services by Third Parties or Sub-services

The Company may engage or procure third parties to process personal data on its behalf or on behalf of the Company. The third parties may offer services in various ways such as being a caregiver (Hosting), receive service work (Outsourcing) or as a Cloud computing service/provider or is a work in the form of employment in other forms.

Entrusting a third party to process personal data as a processor of that personal data, the Company will provide an agreement specifying the rights and obligations of the Company as a data controller and of the persons designated by the Company as a data processor. This includes detailing the types of personal data that the Company entrusts to be processed, including the purpose of the jurisdiction for processing personal data and other relevant agreements, where the personal data processor is obligated to process personal data to the extent specified in the agreement and only on the instructions of the Company, it can be processed for other purposes.

Where a personal data processor has assigned the Sub-service (Sub-processor) to process personal data on behalf of or on behalf of a personal data processor, the Company shall require the Personal Data Processor to provide a documented agreement between the Personal Data Processor and the Sub-processor in a form and standard not lower than the agreement between the Company and the personal data processor.

16. Owner's rights of Personal Data

You can request to exercise various rights as required by the personal data protection law and as specified in this declaration as follows;

1. 16.1 Right to withdraw consent. You have the right to withdraw your consent at any time, unless there are restrictions by law or contract that benefit you. However, the consent withdrawal will not affect the processing of personal data that you have previously lawfully given consent to the Company.
2. 16.2 Right to request access and obtain a copy of personal data, unless the Company has the right to deny your request by law or court order in case that your request will have an effect that may prejudice the rights and liberties of other persons.
3. 16.3 The right to request personal data to be updated, accurate, complete and not misleading. However, the Company can carry out the amendment without your request.
4. 16.4 The right to request erasure or destruction or anonymization of personal data in the following cases;
   1. 16.4.1 When personal data is no longer necessary for retention in accordance with the purpose of collection, collection, use or disclosure of personal data.
   2. 16.4.2 When you withdraw your consent to the collection, collection, use or disclosure of personal data and the Company has no legal authority to collect, collect, use or disclose personal information further.
   3. 16.4.3 When you object to the collection, collection, use or disclosure of personal information and the Company has no legal authority to refuse, unless the Company has a legitimate reason to refuse your request.
5. 16.5 The right to obtain or request to submit or transfer your personal data when the Company has made such personal information in a form that can be read or generally used by automatic tools or devices and can disclose personal information by automated means, unless it cannot be done by technical condition, or performing duties for the public interest or as a duty under the law or the exercise of right to infringe upon the rights or liberties of other persons.
6. 16.6 The right to object. You have the right to object to the collection, use or disclosure of personal data at any time in the following cases;
   1. 16.6.1 In the case of personal information that the Company processes on the basis of legitimate interests, unless the Company demonstrates a more significant legitimate cause or to establish legal claims, compliance or exercise of legal claims or raising up against legal claims.
   2. 16.6.2 For direct marketing purposes.
   3. 16.6.3 For scientific, historical or statistical research studies, unless it is necessary for the Company to take actions for the public interest of the Company.
7. 16.7 You have the right to request to suspend the use of personal information in the following cases:
   1. 16.7.1 When the Company is in the process of verifying your request to update personal information to correct the information.
   2. 16.7.2 When the personal information must be deleted or destroyed.
   3. 16.7.3 When the personal data is no longer needed. Because you have a necessity to request that your personal data be retained for the establishment of legal claims, compliance with or exercising legal claims or raising up against legal claims.
   4. 16.7.4 When the Company is in the process of proving its right to refuse a request to object to the collection, use or disclosure of personal data.
8. 16.8 You have the right to lodge a complaint with the expert committee under the Personal Data Protection Act B.E. 2562, if the company violates or does not comply with the Personal Data Protection Act B.E. 2562.

17. Changes to Privacy Policy

The Company may amend the Privacy Policy by posting the policy on the website and applications (Application) with the date of the last amendment. We recommend that you shall review the Policy regularly. Your continued use of our products or services after changes to the Privacy Policy will deem to be your acceptance of the changed policy.

18. Contact

If you have any questions or wish to correct, delete data, exercise any other rights under the personal data protection law or other matters related to your information, you can contact:

Personal Data Protection Officer or Personal Data Protector
Fair Fair Company Limited
107/4, Village No. 5, Chiang Mai - San Sai Road, Nong Pa Khrang Sub-District, Mueang Chiang Mai District, Chiang Mai Province, 50000
Tel.: 053-241789
Email: info@fairfair.co.th