29December.co ("we", "us", "our") respects your privacy and is committed to protecting your personal data in accordance with Thailand's Personal Data Protection Act B.E. 2562 (2019) ("PDPA"). This policy explains what we collect, why, how long we keep it, and the rights you have over your data.
1. Data we collect
Account data: your name, email address, and password (stored only as a securely hashed value).
Order & delivery data: phone number, shipping address, the items and designs you order, and any gift-card message you write.
Enquiry data: any message, name, email, or phone you submit through our contact or design-builder forms.
Payment data: payments are processed by Stripe. We do not store your full card number — Stripe handles card and PromptPay details directly.
Technical data: approximate location (country) to show the right shipping options, and standard server logs (IP address, browser type) kept for security.
2. Why we use it (lawful basis)
To create and manage your account, and to process, fulfil, and deliver your orders (performance of a contract).
To respond to your enquiries (your consent / legitimate interest).
To keep transaction records required by Thai tax and accounting law (legal obligation).
To protect our site against fraud and abuse (legitimate interest).
We collect account data only after you give explicit consent by accepting this policy at sign-up. We do not sell your personal data, and we do not use it for third-party advertising.
3. Who we share it with
We share data only with service providers who help us operate, and only as far as needed:
Stripe — payment processing.
Shipping / courier partners — to deliver your order.
Our hosting provider — to run the website.
4. How long we keep it
Account data: until you delete your account.
Order records: retained for the period required by Thai tax law (currently up to 5 years), after which they are deleted or anonymised. When you delete your account, the personal details on past orders are anonymised immediately while the minimal transaction record is kept for legal compliance.
Enquiries: deleted when no longer needed, or when you delete your account.
5. How we protect it
Passwords are hashed with bcrypt and never stored in plain text. Data is transmitted over HTTPS, access to admin systems is authenticated, and we apply rate limiting and other safeguards against abuse.
6. Your rights under the PDPA
You have the right to access, correct, delete, restrict, or object to our use of your personal data, and to withdraw consent or request a copy of your data in a portable format. From your account page you can:
Self-service: Go to Your Account → Your Data & Privacy to download a copy of all your data or permanently delete your account at any time.
For any other request — or to lodge a complaint — contact us using the details below. You also have the right to complain to Thailand's Personal Data Protection Committee (PDPC).
7. Cookies
We use a small number of strictly necessary cookies to keep you signed in and to operate the shopping bag. We do not use third-party advertising or tracking cookies.
8. Changes to this policy
We may update this policy from time to time. The "last updated" date above reflects the latest version.
9. Contact us
For any privacy question or to exercise your rights, contact our data controller: