Privacy Policy
How the Company collects, uses, discloses, and protects Personal Data.
1. Preface
This Privacy Policy explains how the Company processes Personal Data when individuals visit the Company’s websites, create or administer accounts, or otherwise interact with the Platform and related services. It applies to End Users and representatives of Customers where the Company acts as a Controller, and it also explains how the Company supports Customers where the Company acts as a Processor. Effective Date: February 21, 2026. Last Updated: February 21, 2026.
2. Definitions and Relationship to Other Documents
Capitalized terms used in this Privacy Policy have the meanings set out in the Terms of Service, including Company, Platform, Customer, Organization, Instructor, Learner, End User, Content, Personal Data, Controller, Processor, and Subprocessor. The Cookie Policy forms part of this Privacy Policy for cookies and similar technologies. Where the Company acts as a Processor for a Customer, the Data Processing Agreement, if executed, governs that processing and prevails over this Privacy Policy to the extent of any conflict relating to Processor obligations.
3. Controller and Processor Roles
3.1 When the Company Acts as a Controller
The Company acts as a Controller for Personal Data processed for the Company’s own purposes, such as creating and administering Customer accounts, managing subscriptions and billing, operating and securing the Platform, preventing fraud and abuse, communicating with Customers and End Users about the Platform, complying with legal obligations, and improving the Platform. Personal Data processed in this context may include administrative account data, usage and security logs, and communications with the Company.
3.2 When the Company Acts as a Processor
As a baseline assumption, the Company acts as a Processor when it processes Personal Data contained in Customer Content or otherwise submitted to the Platform by or on behalf of a Customer in order to provide the Platform. In that context, the Customer is generally the Controller and is responsible for determining the purposes and means of processing, providing End User notices, and obtaining any required consents. Processor terms, including processing instructions and security obligations, are set out in the DPA where executed.
4. Categories of Personal Data
4.1 Account and Identity Data
The Company may process information used to create and manage accounts, such as name, username, email address, telephone number, organizational affiliation, role assignments, authentication factors, and account status information. Identity verification is conducted through email verification at account creation. Additional verification may be required for administrative functions or as required by applicable law.
4.2 Transaction and Billing Data
Where a Customer purchases paid services from the Company, the Company may process billing contact information, invoicing details, transaction records, and payment status. Payment card details may be processed by a payment service provider and are not stored by the Company. Payment processing is handled by Stripe. The Company does not store payment card details directly. Where an Organization enables PromptPay as a payment method for Learner transactions on the Platform, the Company uses Slip2Go as a third-party service to verify PromptPay payment slips. In connection with each successful PromptPay transaction, the Company collects and stores the payment slip image as proof of payment, sends a transaction receipt to the Learner's registered email address, and charges a verification fee of 10 THB (approximately 0.5 USD) per successful transaction. The verification fee is deducted from the transaction amount before settlement to the Organization.
4.3 Platform Usage and Device Data
The Company may process technical and usage information such as device identifiers, browser type, operating system, IP address, approximate location derived from IP address, timestamps, pages and features used, referral URLs, and diagnostic and performance data. The Company uses this information to operate, secure, and improve the Platform and to investigate incidents and abuse.
4.4 Learning and Participation Data
Where processed as a Controller, the Company may process limited learning-related data necessary to operate the Platform, such as enrollment status, course access events, completion status, and communications. Where learning records are included in Customer Content and processed under Customer instructions, the Company processes such data as a Processor.
4.5 Communications Data
The Company may process the content of communications when Customers or End Users contact the Company, including support requests, feedback, and reports of abuse or infringement, together with related metadata.
4.6 Cookies and Similar Technologies Data
The Company may process identifiers and related information collected through cookies and similar technologies, as described in the Cookie Policy, including preference settings, session identifiers, and analytics-related identifiers, subject to the user’s choices and applicable law.
5. Purposes of Processing and Lawful Bases
5.1 Purposes
The Company processes Personal Data for purposes that may include providing and administering the Platform, authenticating users, configuring accounts, providing support, processing payments, communicating about service changes, maintaining security, preventing abuse, complying with legal obligations, and improving performance and functionality. The Company may also process Personal Data to conduct audits, internal reporting, and business planning, in a manner consistent with applicable law.
5.2 Lawful Bases Under PDPA
Where PDPA applies and the Company acts as a Controller, the Company will rely on an appropriate lawful basis, which may include consent, necessity for contract performance, compliance with legal obligations, legitimate interests, vital interests, or other bases recognized under PDPA, depending on the context and the type of Personal Data processed. Where consent is the basis, the Company will provide a mechanism to withdraw consent, subject to legal limitations and the effect on service availability.
5.3 Lawful Bases Under GDPR
Where GDPR applies and the Company acts as a Controller, the Company will rely on an appropriate lawful basis such as contract performance, legitimate interests, legal obligation, consent, or other bases recognized under GDPR, depending on the context. Where the Company acts as a Processor, the Customer is responsible for determining and documenting the lawful basis for the processing it controls.
6. Marketing Communications
The Company may send administrative or service-related communications that are necessary to provide the Platform, such as security notices, invoices, and changes to documentation. Marketing communications, if any, will be sent only where permitted by applicable law and subject to opt-out mechanisms. Marketing communications will only be sent with the user's prior opt-in consent. Users may opt out at any time through their account settings or by using the unsubscribe link in any marketing email.
7. Disclosure of Personal Data
7.1 Service Providers and Subprocessors
The Company may disclose Personal Data to service providers that assist in operating the Platform, such as hosting, storage, analytics, customer support tooling, security monitoring, and payment processing, subject to contractual protections and, where applicable, the DPA. The Company maintains a list of Subprocessors, available upon request by emailing heretohelp@openmirai.com. The Company will provide at least 30 days' advance notice before engaging a new Subprocessor.
7.2 Affiliates and Corporate Transactions
The Company may disclose Personal Data to affiliates for internal administration and governance, consistent with this Privacy Policy. The Company may also disclose Personal Data in connection with a merger, acquisition, reorganization, financing, or sale of assets, subject to appropriate confidentiality and security measures.
7.3 Legal Requirements and Protection of Rights
The Company may disclose Personal Data where required by law, regulation, or legal process, or where the Company reasonably believes disclosure is necessary to protect the rights, property, or safety of the Company, Customers, End Users, or others, including to investigate fraud or security incidents.
8. International Transfers
The Platform may involve processing and storage in jurisdictions outside Thailand and outside a user’s home jurisdiction. The Company will implement cross-border transfer safeguards required by PDPA and, where applicable, GDPR. For transfers subject to GDPR, the Company uses Standard Contractual Clauses (SCCs) as approved by the European Commission. The Company also implements encryption and access controls as additional safeguards.
9. Data Retention
The Company retains Personal Data only for as long as necessary to fulfill the purposes described in this Privacy Policy, to comply with legal obligations, to resolve disputes, and to enforce agreements. Retention periods may vary based on the type of data, the nature of the relationship with the Customer or End User, and legal requirements. Account data is retained for the duration of the account and for 90 days following account closure. Transaction records are retained for 5 years as required by Thai accounting law. Usage logs are retained for 12 months. Personal Data processed on behalf of Customers as Processor is retained as instructed by the Customer and deleted within 90 days of termination.
10. Security Measures
The Company maintains a security program intended to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, and unauthorized access. Security measures may include access controls, logging and monitoring, encryption in transit, and backups, subject to the Security Policy and the DPA where applicable. No method of transmission or storage is completely secure, and the Company does not guarantee absolute security.
11. Individual Rights and Requests
11.1 Rights Under PDPA
Where PDPA applies and the Company acts as a Controller, individuals may have rights such as access to and obtaining a copy of Personal Data, rectification, deletion or destruction, restriction of processing, data portability where applicable, objection to processing in certain circumstances, withdrawal of consent, and the right to lodge a complaint with the competent authority. Some rights may be subject to legal limitations and exemptions.
11.2 Rights Under GDPR
Where GDPR applies and the Company acts as a Controller, individuals may have rights such as access, rectification, erasure, restriction, portability, objection, and the right not to be subject to certain automated decision-making, as applicable. Individuals may also have the right to lodge a complaint with a supervisory authority.
11.3 How to Submit Requests
Requests may be submitted using the contact details in the Contact and Notices page. The Company will take reasonable steps to verify identity before responding. The Company will respond to data subject requests within 30 days. Extensions of up to 60 additional days may apply for complex requests, with notice to the data subject. No fees are charged for the first request in any 12-month period; reasonable fees may apply for excessive or repetitive requests as permitted by applicable law.
11.4 Requests Relating to Customer-Controlled Data
Where the Company acts as a Processor, the Customer is responsible for responding to requests from End Users relating to Customer-controlled Personal Data. The Company will provide reasonable assistance to the Customer as required by the DPA and applicable law, subject to technical feasibility and the Customer’s instructions.
12. Children and Educational Use
The Platform may be used by Organizations that serve minors. The Company does not knowingly collect Personal Data from children in circumstances that would require parental or guardian consent unless instructed by a Customer acting as Controller and subject to appropriate notices and consents. The Company requires End Users to be at least 13 years of age, or the minimum age of digital consent in the End User’s jurisdiction, whichever is higher. Child-related consent mechanisms are the responsibility of the Customer acting as Controller.
13. Incident and Breach Notification
The Company maintains procedures intended to detect, respond to, and investigate security incidents. Where the Company becomes aware of a personal data breach under PDPA or a personal data breach under GDPR (as applicable), the Company will provide notifications to Customers, regulators, and affected individuals where required by law and within applicable timelines. Incident notification will be provided within 72 hours of becoming aware of a personal data breach, as further described in the DPA. Notifications will be sent via email to the Customer's designated contact.
14. Changes to this Privacy Policy
The Company may update this Privacy Policy from time to time. The Company will publish the updated version within the legal documentation portal and may provide additional notice of material changes by reasonable means, such as email or in-Platform notifications. Unless otherwise stated, changes take effect on the effective date specified in the updated Privacy Policy.
15. Contact
Privacy contact email: heretohelp@openmirai.com. Data Protection Officer contact (if appointed): heretohelp@openmirai.com. Registered address in Thailand for privacy-related correspondence: 129/290 Perfect Place Village, Moo 3, Soi Saima, Rattanathibet Road, Saima, Mueang Nonthaburi, Nonthaburi. Additional contact methods and legal notice requirements are set out in the Contact and Notices page.