Privacy Policy
CytoAurora Biotechnology (Thailand) Co., Ltd. recognizes the importance of protecting the personal data of users, clients, and website visitors. This policy is designed to explain the purposes, methods, and guidelines for collecting, using, and disclosing personal data in accordance with the Personal Data Protection Act B.E. 2562 (“PDPA”).
Scope of Use
This privacy policy applies to personal data collected by CytoAurora Biotechnology (Thailand) Co., Ltd. through various channels, including:
- Website usage: Such as visiting, registering, or using online services. Automatic data collection (e.g., IP addresses, cookies) may occur to improve user experience.
- Online forms: Such as appointment forms, newsletter subscriptions, or surveys, which may request necessary information (e.g., name, phone number, email) to provide appropriate services.
- Communication with the company: Via phone, email, or social media. Data collected will be used to provide services, answer inquiries, or process requests.
The company collects, uses, and protects personal data in compliance with the PDPA and applies strict security measures to ensure appropriate data management.
Types of Data Collected
We collect only data necessary for service provision and operations, which may include:
- Identification data: Name, date of birth, gender
- Contact information: Address, email, phone number
- Identification numbers: National ID or passport (when necessary)
- Health and medical data (sensitive data): Health history, diagnoses, lab results, genetic testing results (if applicable), treatment information, medications, and medical records
- Payment information: Billing data, receipts, and payment details (some may be shared with payment service providers)
- Website and technical data: IP address, browser type, cookies, usage behavior (to improve services)
The company collects data only as necessary for clear purposes and will not use data for purposes other than those specified unless consent is obtained from the data subject.
Purpose of Data Use
Data will be used for clear purposes, including:
- Providing diagnostic and treatment services to patients
- Managing appointments, issuing receipts, and processing payments
- Communication and notifications about treatments, test results, or appointments
- Improving service quality, conducting internal research and development (data anonymized for statistical analysis)
- Compliance with laws, regulations, or governmental orders
- Direct marketing (with your consent), such as news, promotions, and clinic activities
Legal Basis for Processing
Our data processing is based on at least one of the following legal grounds:
- Consent – For marketing or processing not necessary for service provision
- Performance of a contract or pre-contractual actions – For treatment and appointments
- Legal obligation – To comply with legal or regulatory requirements
- Legitimate interests of the data controller – Such as fraud prevention or system security
Disclosure of Data to Third Parties
The company may disclose data to:
- IT service providers (e.g., cloud service providers, system administrators) to support operations
- Medical service providers (specialist doctors, laboratories) when necessary for patient care
- Payment service providers and accountants
- Government agencies or regulatory authorities as required by law
All disclosures are subject to Data Processing Agreements or appropriate contracts to ensure data protection and usage limitations.
Cross-Border Data Transfer
If personal data is transferred abroad, the company ensures compliance with relevant laws and confirms that the recipient provides sufficient data protection or appropriate safeguards.
Data Security
The company implements appropriate technical and organizational measures to protect data, including:
- Data encryption when necessary
- Role-based access control
- Data backup, logging, and monitoring
- Staff training on data protection
Despite these measures, no system is 100% secure. The company maintains alert and response protocols in case of a data breach.
Data Retention
Data is retained according to the stated purpose and legal requirements, for example:
- Patient and medical records: Retained according to legal or professional standards
- Financial and accounting data: Retained according to tax and accounting laws; afterward, data is deleted or anonymized appropriately
Data Subject Rights
Under the PDPA, you have rights including but not limited to:
- Access your personal data
- Object to certain data processing
- Correct inaccurate or incomplete data
- Request deletion or suspension of data processing (as permitted by law)
- Request data portability in a machine-readable format
To exercise any of these rights, please contact our Data Protection Officer.
Cookies and Related Technologies
Our website may use cookies and tracking technologies to improve user experience, analyze usage, and for advertising purposes. You can manage cookie settings via your browser or tools provided on the website.
Contact and Complaints
For questions, claims, or to exercise your rights, please contact:
Data Protection Officer
- Email: admin@cytoaurora.co.th
- Tel: +66 65-715-2539
- Address: CytoAurora Biotechnology (Thailand) Co., Ltd., No. 14 Soi Center of Research 12, Bangkapi Subdistrict, Huai Khwang District, Bangkok 10310, Thailand
If you are not satisfied with the response, you may file a complaint with the Personal Data Protection Committee or relevant regulatory authorities.
Policy Updates
We may update this privacy policy periodically to reflect changes in practices or laws. Significant changes will be announced on the website and/or communicated to you.
Additional Requirements for Sensitive Data
Processing of health and other sensitive data is subject to strict limitations and generally requires written consent or a clear legal basis.
Data Processor Requirements
When engaging third-party service providers who process data on our behalf, we implement Data Processing Agreements specifying security requirements, scope of use, and transfer restrictions.