Privacy Policy
Last updated: 14 April 2026 · Version 2.0
This Privacy Policy ("the Policy") describes the manner in which personal data of natural persons accessing the website lotuswebagency.com, together with its Thai-language mirror at /th/ (collectively, "the Site"), is processed by the data controller identified in Section 2 ("the Controller"). The Policy applies to all visitors irrespective of their place of residence.
1. Scope and Methodology — Strictest-Rule Approach
The Site is operated by a company incorporated in the Hong Kong Special Administrative Region and is accessible worldwide. Several legal regimes governing the protection of personal data may apply concurrently:
- The EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the EU ePrivacy Directive (2002/58/EC).
- The UK GDPR, the UK Data Protection Act 2018, and the UK Privacy and Electronic Communications Regulations ("PECR").
- The French Loi n° 78-17 Informatique et Libertés, as amended, and the binding guidance of the Commission Nationale de l'Informatique et des Libertés ("CNIL").
- The Thailand Personal Data Protection Act B.E. 2562 (2019) ("PDPA Thailand").
- The Hong Kong Personal Data (Privacy) Ordinance (Cap. 486, "PDPO") and the six Data Protection Principles set out in Schedule 1 thereto.
- The U.S. California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA"), and the U.S. Children's Online Privacy Protection Act ("COPPA").
- The U.S. state comprehensive privacy laws enacted in the wake of the CCPA, including but not limited to the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, the Texas Data Privacy and Security Act, and the comprehensive privacy statutes of Oregon, Montana, Tennessee, Iowa, Indiana, Delaware, Florida, New Hampshire, New Jersey, Maryland, and Minnesota.
- The Brazilian Lei Geral de Proteção de Dados Pessoais (Law No. 13.709/2018, "LGPD").
- The Canadian Personal Information Protection and Electronic Documents Act ("PIPEDA") and, in respect of natural persons resident in the Province of Quebec, the Act respecting the protection of personal information in the private sector, as amended by Law 25 ("Quebec Law 25").
- The Swiss Federal Act on Data Protection of 25 September 2020 (revised, "nFADP").
- The Australian Privacy Act 1988 and the thirteen Australian Privacy Principles ("APPs").
- The Singaporean Personal Data Protection Act 2012 ("PDPA Singapore").
- The Japanese Act on the Protection of Personal Information ("APPI").
- The South African Protection of Personal Information Act 4 of 2013 ("POPIA").
To the extent that the obligations imposed by these regimes diverge, the Controller adopts a single methodology: where any applicable law would require a stricter standard or grant a more favourable right to the data subject than another, the stricter standard or more favourable right is applied uniformly to every visitor, irrespective of residence. The principal consequences of this approach are as follows:
- Consent. Consent for the processing of non-essential cookies and trackers is obtained through prior, explicit, informed, and freely given opt-in (the GDPR, ePrivacy, PDPA Thailand, PDPA Singapore, APPI, LGPD and POPIA standard), notwithstanding that the CCPA, certain U.S. state laws, and the PDPO would permit an opt-out or notice-only mechanism.
- Response time. Requests submitted by data subjects are answered within thirty (30) calendar days, irrespective of the longer or extendable periods permitted by the CCPA (45 days, extendable), the PDPO (40 days), or PIPEDA (30 days, extendable).
- Children. No personal data is knowingly processed in respect of any natural person under the age of sixteen (16), corresponding to the upper limit of the age range permitted under GDPR Article 8, and exceeding the thresholds of COPPA (13), the UK GDPR (13), and the PDPA Thailand (10 with parental consent).
- Rights. Each of the rights enumerated in Section 7 is granted to every data subject, including in jurisdictions whose law does not formally provide for such right (notably erasure and portability under the PDPO, or portability under PIPEDA in its current form).
- Sale and sharing of personal data. The Controller does not, and shall not, sell personal data for monetary consideration to any third party. Disclosures to advertising vendors that may constitute "sharing" or "targeted advertising" within the meaning of the CCPA or the U.S. state laws are subject to prior explicit opt-in consent, applied universally.
- Personal data breach notification. The Controller follows the GDPR Article 33 standard (notification of the competent supervisory authority within seventy-two (72) hours of becoming aware of a breach) for every breach, irrespective of whether a shorter or longer notification period would be permitted by other applicable law.
- International transfers. The strongest available safeguard is applied to every international transfer (Section 5), without regard to whether the data subject's home regime requires it.
Where a particular regime confers a right that has no equivalent elsewhere — by way of example, the right to limit the use of sensitive personal information under the CCPA, or the right to lodge a complaint with a specific national authority — that right is granted in addition to the universal baseline. Competent supervisory authorities are listed in Section 12.
2. Identity of the Controller
The data controller for the purposes of the GDPR, the UK GDPR, the LGPD, the nFADP, the APPI and analogous concepts under the other regimes (including "business" within the meaning of the CCPA, "data user" within the meaning of the PDPO, "responsible party" within the meaning of POPIA, and "person responsible" within the meaning of the Quebec Law 25) is:
- LW AGENCY LIMITED (trading as LotusWebAgency)
- Business Registration No. 76684183 (Hong Kong)
- Registered address: Unit 2A, 17/F, Glenealy Tower, No.1 Glenealy, Central, Hong Kong S.A.R.
- Electronic mail: hello@lotuswebagency.com
The Controller has not designated a representative pursuant to Article 27 of the GDPR, Article 27 of the UK GDPR, Article 5(III) of the LGPD, Section 11 of POPIA, or analogous provisions of any other applicable regime. The electronic-mail address set out above constitutes the sole contact point for all matters relating to the protection of personal data.
3. Categories of Personal Data Processed
The categories of personal data processed by the Controller are presented below, grouped according to the lawful basis on which they are processed.
3.1 Personal data processed without consent
The following processing operations are necessary for the operation, security and integrity of the Site, and are therefore carried out on the basis of the legitimate interests of the Controller (Article 6(1)(f) GDPR), the corresponding business-purpose basis under the CCPA and the U.S. state laws, the equivalent legitimate-interest bases under the LGPD (Article 7, IX), PIPEDA, the nFADP, POPIA, the PDPA Thailand (s. 24(5)) and the APPs, and the necessary-for-purpose basis recognised by the PDPO (DPP 1 and 3) and the APPI.
3.1.1 Hosting and content-delivery logs
- Source. The Site is served as static content from GitLab Pages (operated by GitLab Inc.) or, in the alternative, from GitHub Pages (operated by GitHub, Inc., a subsidiary of Microsoft Corporation), and is delivered through the content-delivery and edge-security network of Cloudflare, Inc.
- Categories of data. Internet Protocol address, request timestamp, requested resource, referring URL, user-agent string, HTTP status code, approximate geographic location derived from the IP address, and similar technical metadata generated by ordinary HTTP/HTTPS communication.
- Purposes. Operation, availability, and security of the Site, including the prevention and mitigation of abuse, denial-of-service activity and unauthorised access; routine traffic measurement at the infrastructure level.
- Recipients. Cloudflare, Inc., and GitLab Inc. or GitHub, Inc., each acting as a processor or sub-processor under their respective terms.
- Retention. In accordance with the retention schedules of the respective providers; the Controller does not retain a separate copy of these logs.
3.1.2 Cookie-consent record
- Storage. Stored exclusively in the visitor's browser, in localStorage, under the key lwa.cookies, as a JSON object of the form {value, ts} comprising the choice expressed by the data subject and the timestamp at which it was recorded, together with the version of the Policy against which that choice was obtained (Section 10).
- Purpose. Compliance with the obligation to record and demonstrate the data subject's consent (Article 7(1) GDPR and equivalent provisions); operation of the consent-management mechanism.
- Recipients. None. The record is not transmitted to the Controller or to any third party.
- Retention. Twelve (12) months from the timestamp, or until the visitor clears browser storage, or until the consent version is incremented (Section 10), whichever occurs first.
3.1.3 Theme-preference record
- Storage. Stored exclusively in the visitor's browser, in localStorage, under the key lwa.theme.
- Purpose. Persistence of a strictly functional visual preference (light, dimmed or dark theme). The record is technically necessary to honour the data subject's chosen presentation across sessions and does not serve any analytical or advertising purpose.
- Recipients. None. The record is not transmitted to the Controller or to any third party.
- Retention. Until the visitor clears browser storage or selects a different theme.
3.2 Personal data processed only with prior explicit consent
The following processing operations are carried out solely on the basis of the data subject's prior, explicit, informed and freely given consent within the meaning of Article 6(1)(a) and Article 7 of the GDPR, Article 5(3) of the ePrivacy Directive, Regulation 6 of the UK PECR, Article 7(I) of the LGPD, Section 13 of the PDPA Singapore, Section 19 of the PDPA Thailand, Article 17 of the APPI, Section 11(1)(b) of POPIA, and the opt-in provisions of the CCPA and the U.S. state laws applicable to advertising and analytics. Consent may be withdrawn at any time pursuant to Section 9.
3.2.1 Audience-measurement (analytics) cookies
- Service. Google Analytics 4, loaded via Google Tag Manager.
- Categories of data. Page views, session duration, approximate geographic location at city level (derived from IP address), device type, browser, referrer.
- Cookies set. _ga, _ga_*.
- Recipient / processor. Google LLC, United States of America.
- Retention. Fourteen (14) months from the data subject's last interaction; thereafter aggregated.
3.2.2 Advertising-measurement (marketing) cookies
- Service. Meta (Facebook) Pixel, loaded via Google Tag Manager.
- Categories of data. Page-visit events, IP address, device identifiers, and — where the data subject is concurrently authenticated to Facebook in the same browser — the corresponding Facebook user identifier.
- Cookies set. _fbp.
- Recipient / processor. Meta Platforms Ireland Limited (in respect of data subjects located in the European Economic Area or the United Kingdom); Meta Platforms, Inc., United States of America (in respect of all other data subjects).
- Retention. Ninety (90) days for the _fbp cookie; thereafter in accordance with the retention schedule of Meta Platforms.
- CCPA / U.S. state-law qualification. The disclosure to Meta Platforms in this context constitutes "sharing" for cross-context behavioural advertising within the meaning of the CCPA, and "targeted advertising" within the meaning of the comparable U.S. state laws. The data subject may opt out at any time by rejecting non-essential cookies in the cookie-management interface accessible via the "Cookie Settings" link in the footer of every page of the Site, or by submitting a request to the Controller pursuant to Section 8.
3.3 Sensitive personal information
The Controller does not knowingly process any "special category of personal data" within the meaning of Article 9 GDPR, "sensitive personal data" within the meaning of Section 26 of the PDPA Thailand or Article 5(II) of the LGPD, "sensitive personal information" within the meaning of Section 1798.140(ae) of the CCPA, "special personal information" within the meaning of Section 26 of POPIA, or any analogous category recognised by the other applicable regimes. The Site does not operate any contact form, registration form, or other interactive feature by which such data could be solicited; contact channels are limited to third-party messenger services and electronic mail. Should a data subject voluntarily transmit such information by electronic mail, it shall be processed solely for the purpose of replying to that communication.
4. Recipients of Personal Data
Personal data is disclosed only to the following categories of recipients, each acting under written terms providing for the protection of such data:
- Cloudflare, Inc. (United States of America) — content-delivery and edge-security services. Processing necessary for the operation of the Site.
- GitLab Inc. (United States of America) and/or GitHub, Inc. (United States of America, subsidiary of Microsoft Corporation) — static-website hosting. Processing necessary for the operation of the Site.
- Google LLC (United States of America) — audience-measurement service, processed solely upon prior consent.
- Meta Platforms Ireland Limited / Meta Platforms, Inc. — advertising-measurement service, processed solely upon prior consent.
The Controller does not sell personal data for monetary consideration and maintains no relationship with any data broker.
5. International Transfers of Personal Data
Where a data subject grants consent for the processing operations described in Section 3.2, personal data may be transferred outside the European Economic Area, the United Kingdom, Switzerland, Thailand, Hong Kong, Singapore, Japan, Brazil, Australia, South Africa, Canada or any other jurisdiction in which the data subject is located, principally to the United States of America. Each such transfer shall be effected on the basis of the strongest available safeguard, including:
- The EU–US Data Privacy Framework, in respect of which Cloudflare, Inc., Google LLC and Meta Platforms, Inc. are self-certified, for personal data originating in the European Economic Area.
- The UK Extension to the EU–US Data Privacy Framework, for personal data originating in the United Kingdom.
- The Swiss–US Data Privacy Framework, for personal data originating in Switzerland.
- The European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914), and the United Kingdom's International Data Transfer Agreement and Addendum, supplemented as appropriate by additional technical and organisational measures.
- For the purposes of Section 28 of the PDPA Thailand, Section 33 of the PDPO (enacted but not yet brought into operation), Section 26 of the PDPA Singapore, Article 33 of the LGPD, Section 72 of POPIA, the cross-border-transfer provisions of the APPs (APP 8) and PIPEDA, the foregoing safeguards constitute, in the assessment of the Controller, sufficient written undertakings of equivalent protection.
6. Retention Periods
Personal data is retained only for so long as is necessary for the purposes for which it was collected, and is thereafter deleted or anonymised in accordance with the following schedule:
- Hosting and content-delivery logs: in accordance with the retention schedules of Cloudflare, Inc., GitLab Inc., and GitHub, Inc. respectively.
- Google Analytics 4 data: fourteen (14) months from the data subject's last interaction.
- Meta Pixel data: ninety (90) days for the _fbp cookie; thereafter in accordance with the retention schedule of Meta Platforms.
- Cookie-consent record (lwa.cookies): twelve (12) months from the timestamp, or until the data subject clears browser storage, or until the consent version is incremented (Section 10), whichever occurs first.
- Theme-preference record (lwa.theme): until the data subject clears browser storage or selects a different theme.
- Electronic-mail correspondence with the Controller: for the duration of the matter to which it relates and for a reasonable period thereafter, in accordance with the principle of data minimisation.
7. Rights of the Data Subject
Pursuant to the strictest-rule methodology set out in Section 1, the following rights are granted to every data subject, irrespective of the data subject's place of residence and irrespective of whether the law of that residence formally provides for such right:
- Right of access — to obtain confirmation as to whether personal data concerning the data subject is being processed and, where that is the case, a copy of such data.
- Right to rectification — to obtain rectification of inaccurate personal data and completion of incomplete personal data.
- Right to erasure ("right to be forgotten") — to obtain the deletion of personal data, including where the law of the data subject's residence does not formally provide for such right (notably the PDPO).
- Right to restriction of processing — to obtain the suspension of processing pending the resolution of a dispute.
- Right to data portability — to receive the personal data concerning the data subject in a structured, commonly used and machine-readable format, granted universally.
- Right to object — to object to processing carried out on the basis of legitimate interests, including any profiling based thereon.
- Right to withdraw consent — at any time, without detriment, without prejudice to the lawfulness of processing carried out prior to such withdrawal.
- Right to opt out of "sale" or "sharing" within the meaning of the CCPA and the U.S. state laws, applied universally and exercisable through the cookie-management interface or upon request to the Controller.
- Right to limit the use of sensitive personal information within the meaning of the CCPA — formally acknowledged, although no such information is processed (Section 3.3).
- Right to non-discrimination for the exercise of any of the foregoing rights.
- Right not to be subject to solely automated decision-making producing legal or similarly significant effects (Article 22 GDPR) — observed in full; no such processing takes place.
- Right to lodge a complaint with a competent supervisory authority (Section 12).
8. Procedure for Exercising Rights
Requests for the exercise of any of the rights enumerated in Section 7 shall be addressed to the Controller at hello@lotuswebagency.com. The request shall contain such information as is reasonably necessary to identify the data subject and the right being exercised. The Controller shall not require the disclosure of an identity document for routine requests; in cases of reasonable doubt as to identity, supplementary verification may be requested in accordance with Article 12(6) GDPR.
Requests are answered within thirty (30) calendar days of receipt, free of charge, save where the request is manifestly unfounded or excessive within the meaning of Article 12(5) GDPR.
9. Withdrawal and Modification of Consent
Consent granted in respect of audience-measurement or advertising-measurement cookies may be withdrawn or modified at any time, without detriment, by activating the Cookie Settings control located in the footer of every page of the Site. Non-essential cookies are managed as a single bundle: acceptance or rejection applies to the analytics and advertising categories collectively. The clearing of browser storage shall likewise have the effect of resetting the consent record and re-displaying the consent banner upon the next visit.
10. Re-prompting upon Material Change
The Policy is versioned. The cookie-consent record stores the version and timestamp against which the data subject's consent was obtained. Where any of the following elements is materially modified, the version shall be incremented and a renewed consent prompt shall be displayed: cookie categories, processors or sub-processors, retention periods, or the identity of the Controller.
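The consent-record handling described in Sections 3.1.2, 9 and 10 (a record under lwa.cookies holding the choice and its timestamp, a twelve-month expiry, and a renewed prompt whenever the consent version is incremented), as an added example that is not part of the Policy or of the Site's own code. The key lwa.cookies and the fields value and ts come from Section 3.1.2; the field name v for the consent version, the accept/reject string values, the representation of twelve months as 365 days, and the in-memory stand-in for localStorage are assumptions made for the example.

```javascript
// Added example: consent-record validation and tag gating as described in Sections 3.1.2, 9 and 10.
// Only "lwa.cookies", "value" and "ts" come from the policy; the version field "v", the
// 365-day TTL and the storage interface are assumptions for this example.
const CONSENT_KEY = "lwa.cookies";
const CONSENT_TTL_MS = 365 * 24 * 60 * 60 * 1000; // twelve months, approximated as 365 days

// Returns "accept" or "reject" when a valid, unexpired record exists for the current version,
// otherwise "prompt" (missing, malformed, future-dated, expired, or recorded against an older version).
function evaluateConsent(storage, currentVersion, now = Date.now()) {
  let raw;
  try {
    raw = storage.getItem(CONSENT_KEY); // may throw in browsers with storage disabled
  } catch (e) {
    return "prompt";
  }
  if (raw === null || raw === undefined) return "prompt";
  let rec;
  try {
    rec = JSON.parse(raw); // the record is attacker-controllable in principle; treat it as untrusted input
  } catch (e) {
    return "prompt";
  }
  if (!rec || typeof rec !== "object") return "prompt";
  if (rec.value !== "accept" && rec.value !== "reject") return "prompt";
  if (!Number.isFinite(rec.ts) || rec.ts > now) return "prompt"; // reject non-numeric or future timestamps
  if (now - rec.ts >= CONSENT_TTL_MS) return "prompt";            // Section 3.1.2: twelve-month expiry
  if (rec.v !== currentVersion) return "prompt";                   // Section 10: re-prompt after a version increment
  return rec.value;
}

// Writes a fresh record; the choice is stored as a single bundle (Section 9), never per category.
function recordConsent(storage, value, currentVersion, now = Date.now()) {
  if (value !== "accept" && value !== "reject") throw new Error("invalid consent value");
  const rec = { value, ts: now, v: currentVersion };
  storage.setItem(CONSENT_KEY, JSON.stringify(rec));
  return rec;
}

// Gate: the caller's loadTags() injects the non-essential tag bundle (Section 3.2) and runs only on an
// explicit "accept"; showBanner() runs only when no usable record exists. Nothing loads on "reject".
function applyConsentGate(storage, currentVersion, loadTags, showBanner, now = Date.now()) {
  const state = evaluateConsent(storage, currentVersion, now);
  if (state === "accept") loadTags();
  else if (state === "prompt") showBanner();
  return state;
}

// Minimal in-memory stand-in for window.localStorage so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}
```

In a browser, pass window.localStorage as the storage argument and the current Policy version as currentVersion; clearing browser storage removes the record, so the next call returns "prompt" and the banner is re-displayed, which is the behaviour Section 9 describes.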
11. Notification of Personal Data Breach
In the event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, the Controller shall notify the competent supervisory authority within seventy-two (72) hours of becoming aware of the breach, in accordance with Article 33 GDPR, applied universally. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, affected data subjects shall be informed without undue delay in accordance with Article 34 GDPR.
12. Competent Supervisory Authorities
A data subject may lodge a complaint with the supervisory authority of the data subject's place of residence, place of work, or place of the alleged infringement. The principal authorities are:
- Hong Kong Special Administrative Region — Office of the Privacy Commissioner for Personal Data (PCPD)
- Thailand — Personal Data Protection Committee Office (PDPC Thailand)
- France — Commission Nationale de l'Informatique et des Libertés (CNIL)
- United Kingdom — Information Commissioner's Office (ICO)
- European Union and European Economic Area Member States — the national Data Protection Authority of the relevant Member State (full list maintained by the European Data Protection Board)
- Switzerland — Federal Data Protection and Information Commissioner (FDPIC)
- Singapore — Personal Data Protection Commission (PDPC Singapore)
- Japan — Personal Information Protection Commission (PPC)
- Australia — Office of the Australian Information Commissioner (OAIC)
- Brazil — Autoridade Nacional de Proteção de Dados (ANPD)
- Canada (federal) — Office of the Privacy Commissioner of Canada (OPC)
- Quebec — Commission d'accès à l'information du Québec (CAI)
- Republic of South Africa — Information Regulator
- State of California, U.S.A. — California Privacy Protection Agency (CPPA) or the Attorney General of California; for other U.S. states with comprehensive privacy laws, the Attorney General of the relevant state.
13. Children
The Site is not directed to children. The Controller does not knowingly process personal data of any natural person under the age of sixteen (16), the strictest applicable threshold, namely the upper limit of GDPR Article 8, which exceeds the Quebec Law 25 threshold (14, below which parental consent is required), the COPPA threshold (13) and the UK GDPR threshold (13). Should a parent or guardian have grounds to believe that a child has provided personal data, contact in accordance with Section 16 shall result in deletion.
14. Security
The Site is served exclusively over the HTTPS protocol. All third-party scripts described in Section 3.2 are loaded solely upon the data subject's prior consent and solely from the recipients identified in Section 4. The Controller implements technical and organisational measures appropriate to the risk, including transport-layer encryption, access controls on the Controller's electronic-mail systems, and ongoing review of the sub-processors identified herein.
15. Amendments to This Policy
The version number and date appearing at the head of the Policy shall be updated whenever the Policy is amended. Material amendments within the meaning of Section 10 shall trigger a renewed consent prompt; non-material amendments shall not.
16. Contact
For all matters relating to the protection of personal data — whether a request for the exercise of a right, a question, or a complaint — please contact the Controller at hello@lotuswebagency.com.