Legal

Privacy Policy

Effective: 2026-06-01 · Last updated: 2026-05-27

Counsel review pending.

This document is the operator-published version. The text below reflects current business practice and was drafted from industry-standard B2B SaaS clauses adapted to object storage specifics. Final legal review by qualified counsel in Thailand and Singapore is in progress; the controlling version will be re-published here when complete.

This Privacy Policy describes how BangmodStorage processes personal data in connection with our object-storage service. It applies to operator-collected account data and metadata, not to the contents of objects you upload to your buckets (which we treat as Customer Data under the Data Processing Agreement).

1. Data Controllers

For Thai-billed customers, the controller is Bangmod Enterprise Co., Ltd., Thailand. For Singapore-billed customers, the controller is BangmodStorage (Singapore) Pte Ltd, Singapore. For EU/UK/other-jurisdiction data subjects, the relevant controller is identified on each invoice.

2. What we collect

  • Account data: name, billing email, country, optional company name, optional VAT/GST/UEN ID.
  • Billing data: payment method tokenized by Stripe; we do not store full card numbers.
  • Operational metadata: bucket names, object keys, sizes, region, request counts, IP addresses of API callers (for abuse prevention and billing).
  • Support communications: when you contact us, we retain the message and reply for the duration of the support ticket plus the retention period set out in §6.
  • Cookies: session, currency preference, CSRF — see our cookies section below.

We do NOT inspect the contents of your objects. We compute sizes and request counts on metadata and access patterns for billing and abuse detection; we do not read object bodies except as needed to serve a request you authorized.

3. Purposes and legal bases

  • Provide the Service — performance of contract.
  • Bill and invoice — performance of contract and legal obligation (tax compliance).
  • Prevent abuse and fraud — legitimate interests.
  • Comply with TH RD, SG IRAS, and other tax authorities — legal obligation.
  • Respond to legal process — legal obligation.
  • Send service notifications — performance of contract.
  • Send marketing emails — only with your consent, which you can withdraw at any time.

4. Subprocessors and disclosures

We use the following categories of third-party processors:

  • Stripe, Inc. — payment processing, tax computation assistance.
  • Email delivery provider — transactional notifications.
  • Cloud monitoring vendor — operational metrics and error reporting (metadata only, no Customer Data).

A complete and current list of subprocessors is available on request to privacy@bangmod.storage and is incorporated by reference into the DPA.

We disclose personal data to government or regulatory authorities only when required by valid legal process (subpoena, RD audit notice, etc.). We do not voluntarily share customer data for commercial purposes.

5. International transfers

Customer Data and account data may be stored in Thailand or Singapore depending on the region you select. We do not transfer Customer Data across regions without your action. Account data may also be processed by subprocessors in other jurisdictions; where required, we rely on Standard Contractual Clauses or comparable transfer mechanisms.

6. Retention

  • Account data: for the duration of the account plus 90 days.
  • Tax invoices and supporting evidence: 7 years from issue, per TH Revenue Code and SG GST Act retention requirements.
  • Audit logs (admin actions): 7 years from event.
  • Support communications: 2 years from ticket closure.
  • Object access logs: 90 days rolling, except where extended retention is required for incident investigation.

7. Your rights

Subject to the laws applicable to your data and the controller identified in §1, you may have the right to: access your personal data, correct inaccuracies, request deletion (subject to retention obligations in §6), object to processing, request a portable copy, and withdraw consent for marketing. To exercise these rights, contact privacy@bangmod.storage.

For Thai data subjects, the responsible supervisory authority is the Personal Data Protection Committee under the Personal Data Protection Act B.E. 2562 (2019). For Singapore subjects, it is the Personal Data Protection Commission under the Personal Data Protection Act 2012.

8. Security

We implement administrative, physical, and technical safeguards designed to protect personal data against unauthorized access, loss, or alteration. These include encryption of secrets at rest using authenticated encryption with key wrapping, TLS for data in transit, role-based access controls with principle of least privilege, append-only admin audit logging, and regular access reviews. No system is perfectly secure; if we become aware of a breach affecting your personal data, we will notify you and the relevant supervisory authority in accordance with applicable law.

9. Cookies

We use a small set of cookies necessary for the Service to function:

  • Session cookies (bgs_session, bgs_admin_session) — to keep you logged in.
  • Currency preference (bgs_pricing_currency) — to remember the currency for pricing display.
  • CSRF protection — to prevent cross-site request forgery.

We do not use third-party advertising or analytics cookies on public marketing pages or in the customer console.

10. Children

The Service is intended for use by businesses and individuals 18 years of age or older. We do not knowingly collect personal data from anyone under 18.

11. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated at least 30 days before they take effect via the email address associated with your account.

12. Contact

Privacy-related inquiries: privacy@bangmod.storage. Other contact options at /contact.