PDPA Notice (Thailand)
This notice supplements our Privacy Policy and addresses specific requirements of Thailand's Personal Data Protection Act B.E. 2562 ("PDPA"). It applies if you are located in Thailand or if Thai data protection law otherwise applies to your use of LEMON POS.
1. Data Controller
Name: Oak and Anchor Tech LLC
Email: support.lemonpos@gmail.com
We are a U.S.-incorporated company offering services internationally, including to users in Thailand. We do not maintain a physical presence in Thailand.
We do not have a Data Protection Officer (DPO); small operations are exempt under PDPA where applicable.
2. Categories of personal data
Identity & contact: name, email, business name, phone, country.
Account: login credentials, language preferences, security tokens.
Operational data: menu, sales records, staff records that you enter.
Technical: IP address (truncated), device, browser, approximate location.
Billing: handled by Lemon Squeezy as Merchant of Record.
We do not process sensitive personal data (health, religion, race, biometrics, etc.).
3. Lawful basis for processing
Performance of contract — to provide LEMON POS to you.
Legitimate interests — to operate, secure, and improve our service.
Consent — for marketing communications (you may withdraw at any time).
Legal obligation — to retain certain records for tax and compliance.
4. Recipients (sub-processors)
Hetzner (Germany) — infrastructure hosting.
Lemon Squeezy (USA) — payment processing.
Resend (USA) — transactional email.
Plausible (Estonia) — analytics.
Cloudflare (global) — CDN and security.
We do not share data with advertisers, social media platforms, or data brokers.
5. Retention
Active account data: while your account is active.
Closed accounts: 90 days, then deleted.
Billing records: 7 years.
Analytics: 12 months aggregated.
Backups: 30-day rolling.
6. Your rights under PDPA
Right of access — request a copy of your data.
Right to rectification — correct inaccurate data.
Right to erasure — delete your data, subject to legal retention requirements.
Right to restrict processing.
Right to data portability.
Right to object to processing.
Right to withdraw consent.
Right to lodge a complaint with the Personal Data Protection Committee (PDPC) at pdpc.or.th.
To exercise any right, email support.lemonpos@gmail.com. We respond within 30 days.
7. International transfers
Because LEMON POS is operated from outside Thailand, your data is transferred to and processed in countries that may not have data protection laws equivalent to Thai PDPA. We use appropriate safeguards, such as Standard Contractual Clauses, where applicable.
8. Children
Our service is not intended for users under 18 years old. We do not knowingly collect data from minors. If you believe we have, contact us immediately.
To exercise your PDPA rights or report concerns: support.lemonpos@gmail.com