Privacy Policy

Scope and roles

This Privacy Policy applies to visitors of the Child Protect Platform website, prospective customers, tenant administrators, authorized school users, and other individuals whose data is processed through the platform.

For platform use, the school, tenant organization, education group, or child-focused organization normally determines why safeguarding data is collected and how it is used. In that context, Child Protect Platform will usually act as a service provider or data processor under the customer agreement, unless a separate agreement states otherwise.

Personal data we may handle

• Website contact details such as name, organization, email address, phone number, and message content.
• Account and access data such as name, work email, role, tenant, school, login activity, reset-link activity, and account status.
• Safeguarding records entered by authorized users, including reports, case notes, status history, assignments, and administrative actions.
• Evidence files and metadata uploaded into authorized workflows.
• Technical data such as IP address, device/browser information, security logs, audit logs, and service health events.

Purposes of processing

• To provide, secure, monitor, and improve the platform.
• To support structured safeguarding reporting, case management, and evidence preservation.
• To authenticate users and enforce role, tenant, and school permissions.
• To maintain audit logs, security logs, backup and recovery records, and operational assurance controls.
• To respond to enquiries, support requests, security reports, and legal or regulatory requests.

Legal basis under Thailand PDPA

Depending on the context, processing may rely on contract necessity, legal obligation, legitimate interests, consent where required, vital interests, public interest, or other grounds recognized under Thailand's Personal Data Protection Act B.E. 2562 (2019). Sensitive personal data and child-related data require heightened care and may require explicit consent or another permitted legal basis.

Sharing and disclosure

Data is not sold. Data may be disclosed to authorized customer administrators, school safeguarding personnel, contracted service providers, hosting/security providers, professional advisers, regulators, law enforcement, child protection authorities, or courts where appropriate and lawful. Platform access is intended to follow least-privilege controls and tenant/school scoping.

Security measures

Security controls may include encrypted evidence handling, HTTPS, role-based access control, tenant and school scoping, audit logs, hardened server configuration, local-only internal services where deployed that way, malware scanning, backup verification, monitoring, and controlled deployment procedures.

Retention

Records are retained according to customer agreements, safeguarding policy, legal obligations, evidence preservation needs, audit requirements, and operational backup cycles. Safeguarding records may require longer retention than ordinary website enquiries because they may be needed for review, investigation, reporting, or legal proceedings.

Individual rights

Under Thailand PDPA, individuals may have rights to access, correction, deletion or anonymization, restriction, portability, objection, withdrawal of consent, and complaint to the Personal Data Protection Committee, subject to legal limits and safeguarding exceptions. Requests about school-controlled safeguarding records should usually be directed to the relevant school or tenant organization first.

Contact

Privacy enquiries may be sent to privacy@childprotect.co. Child Protect uses this contact point for questions about privacy, personal data, and safeguarding-related data handling.