🚧 Beta v0.1 — these terms are not final

DeskPixel is currently in Beta. Both these legal documents are an owner-drafted starter version and will be reviewed + finalized by Thai PDPA-qualified legal counsel before public launch. Beta users sign up under these terms with the understanding that they may evolve. Substantive changes will be notified by email.

Privacy Policy

Last updated: 2026-05-31

Note: This is a starter draft — owner will finalize with legal counsel and DPO before commercial launch.

🛡️ Compliant with Thailand's PDPA (Personal Data Protection Act 2019)

1. Introduction

DeskPixel AI respects your privacy. This policy explains what data we collect, how we use it, and your rights under Thailand's PDPA and international standards (GDPR as cross-reference).

2. Data Controller

Data controller: DeskPixel AI, operated by Yannawarut (company details added upon registration). DPO contact: privacy@deskpixel.app

3. What We Collect

We collect minimum data needed: • Account info: email, name, locale • Usage data: chat history, projects, knowledge files, custom agents • Technical data: IP, browser, device (for security + analytics) • Payment: processed by Stripe (we don't store card details)

4. AI Usage & Provider Keys

DeskPixel runs AI on the platform's own provider keys — you don't provide one: • We never ask for or store an AI API key from you • Your prompts are sent to our AI providers only to generate responses, never to train models • Connected-tool OAuth tokens (Notion) are encrypted in Supabase Vault and used only during your requests

5. How We Use Your Data

• Deliver the platform per your usage • Improve UX (aggregated analytics — not identifying) • Send transactional emails (signup, password reset, receipts) • Respond to support requests We never use your data to train any AI, and never sell to third parties.

6. Service Providers We Use

We use: • Supabase (database + auth + vault) — Tokyo, Japan • Vercel (hosting) — global edge • Stripe (payments) — US • OpenRouter / Anthropic / DeepSeek (AI inference — platform-provided) — US/EU • Resend (transactional email) — US • PostHog (analytics — anonymized) — EU • Sentry (error tracking) — US These providers comply with international security standards.

7. International Data Transfer

Your data may transfer to Tokyo (Supabase), US (Stripe, AI providers, Sentry), EU (PostHog) per service usage. These transfers operate under Standard Contractual Clauses (SCCs) or EU adequacy decisions. PDPA permits cross-border transfers when destinations meet adequate standards.

8. Data Retention

• Account + content: kept for lifetime of usage (until you delete account) • After account deletion: retained 30 more days before permanent removal (recovery window) • Payment records: kept per tax law (10 years — Thai Revenue Code) • Backups: 90-day rolling window

9. Your Rights (PDPA)

Under PDPA you have the right to: • Access data we hold about you (Right of Access) • Request corrections (Rectification) • Request deletion (Right to Erasure / 'Right to be Forgotten') • Object to processing (Objection) • Request portability (export to another provider) • Withdraw consent Submit requests via privacy@deskpixel.app — we'll respond within 30 days.

10. Cookies + Tracking

We use only essential cookies: • Authentication (Supabase session) • Locale preference (TH/EN) • No third-party advertising cookies Product analytics (PostHog): • Anonymized event tracking — never tied to your personal identity beyond your user ID • Session replay is scoped narrowly: recorded ONLY during onboarding and your first paid session (debugging launch friction). Automatically disabled afterwards. • Aggressive PII masking: all password fields, email fields, and any element marked data-ph-no-capture are masked at recording time — masked data never leaves your browser. • You can disable session replay entirely at any time in Settings → Privacy. • API keys and chat content are never recorded.

11. Security

Security measures: • TLS 1.3 on all connections • Row Level Security (RLS) in database • API keys + secrets encrypted in Vault • Daily backups • Security advisor lints on every deploy • No admin backdoor — even us If a data breach occurs, we'll notify you within 72 hours as required by PDPA.

12. Minors

This service is for users 18+. We don't knowingly collect minor data. If discovered, contact privacy@deskpixel.app and we'll delete immediately.

13. Changes to Policy

We may update this policy periodically. We'll give 14 days' notice via email for material changes.

14. Contact DPO

Privacy questions or PDPA rights requests: • Email: privacy@deskpixel.app • Subject line: 'PDPA Request' for faster handling If you don't get a response within 30 days, you can file a complaint with Thailand's Personal Data Protection Committee (PDPC) — pdpc.or.th