Privacy Policy — Summary
Thai Watch Market complies with:
- Personal Data Protection Act B.E. 2562 (PDPA)
- Personal Data Protection Committee guidelines (PDPC)
- International standards (GDPR equivalents for international visitors)
This page explains what data we collect, how we use it, how long we retain, and what rights sellers have.
Data Controller
Legal entity: Thai Watch Market Co., Ltd. Location: Bangkok, Thailand Data Protection Officer (DPO): Khun Ton Suksombat ([email protected]) General contact: [email protected]
Data We Collect
1. KYC Data (per AML)
- ID: citizen card or passport (ID number, name, date of birth, photo)
- Address: registered or current address
- Occupation: for source of funds verification
- Bank account: account number, bank name, branch (for wire transfer)
- Source of asset: watch provenance documentation
2. Transaction Data
- Watch reference and code
- Serial number
- Agreed price
- Date and place of transaction
- Personnel (employees involved)
3. Contact Information
- Phone number
- LINE ID
- Messages and photos sent via LINE
4. Watch-Identifying Data
- Watch photos (dial, case-back, crown, serial)
- Authentication records
- Provenance documents (warranty card copy, original receipt)
- Valuation records
5. Automatically Collected Data
- Visitor device + browser
- IP address (for security log)
- Anonymized analytics
- We don't use third-party tracking cookies (Google Analytics, Facebook Pixel)
How We Use Data
Stated Purposes
- Transaction processing:
- Authenticate watches
- Set appraisal price
- Process payment
- Issue receipts
- AML/KYC compliance:
- Conduct KYC per AML law
- File CTR or STR as legally required
- Retain records 10 years
- Tax and accounting:
- Issue VAT invoices
- File taxes to Revenue Department
- Accounting audits
- Brand verification:
- Submit serial to Rolex/Patek/AP service centre (only with seller consent)
- Check Stolen Watch Database
- Opt-in marketing:
- Send market reports only to opt-in subscribers
- Sellers can unsubscribe at any time
Purposes We Don't Use
- We don't sell data to third parties
- We don't share with dealers outside our partner network bound by contractual NDA
- We don't use for targeted advertising
- We don't profile customers for data sale
Data Retention
| Data type | Period | Reason |
|---|---|---|
| KYC records | 10 years | AML Act Section 13 |
| Transaction records | 10 years | AML + tax |
| Receipts | 10 years | Revenue Department |
| Authentication records | 7 years | Dispute reference |
| LINE/email conversations | 5 years | Post-sale support |
| Anonymized website analytics | 12 months | Service improvement |
| Opt-in marketing list | Until unsubscribed | Subscribed service |
After retention period — data is deleted or anonymized per PDPA standards.
Seller Rights Under PDPA
Under Personal Data Protection Act B.E. 2562, sellers have:
1. Right of access
- Request to see personal data we hold about you
- We respond within 30 days
2. Right to correction
- Request correction of inaccurate data
- We act within 7 days
3. Right to erasure ("right to be forgotten")
- Request deletion of data no longer needed
- Limitation: We cannot delete data the AML law requires retained 10 years
- Marketing (opt-in) data can be deleted immediately
4. Right to withdraw consent
- Unsubscribe from marketing list
- Refuse analytics tracking
5. Right to portability
- Request data in machine-readable format
- We provide in JSON or CSV
6. Right to object
- Object to processing for unnecessary purposes
- File with our DPO
7. Right to complain
International Data Transfer
In some cases we may transfer data to:
-
Rolex Service Centre (Switzerland): for Code 50 verification — only serial + seller address (no ID); seller must consent
-
Patek Philippe Service Centre (Geneva): for Extract from Archives verification — same conditions
-
AP Service Centre (Le Brassus): for AP verification — same conditions
-
Bonhams Hong Kong / Sotheby's Singapore: for consignment (only if seller chooses to consign) — minimum necessary data for auction
Every international transfer:
- Requires written seller consent
- Limited to necessary data
- Uses secure channels (end-to-end encryption)
- Recipient has data protection standards equivalent to or exceeding PDPA
Data Security
Technical measures
- Encryption (at rest + in transit)
- Backup at secure facility
- Access log monitoring
- Regular system patching
Organizational measures
- Access limited to necessary employees
- Data protection training for employees
- Audit of irregular data access
- Incident response plan
In case of data breach
- We notify affected parties within 72 hours
- We report PDPC within 72 hours
- We investigate and remediate
Cookies and Tracking
We use:
- Essential cookies: for basic website function (session management, language preference)
- Anonymized analytics: for site improvement — aggregate data not identifying individuals
We don't use:
- Google Analytics, Facebook Pixel, Hotjar, or third-party tracking
- Retargeting cookies
- Cross-site tracking
Policy Updates
This policy may be updated as laws or services change:
- Minor changes: posted on this page — "updated" date changes
- Major changes: notification via LINE/email with renewed consent if needed
Last updated: June 5, 2026
Contact Us
For questions or to exercise PDPA rights:
- DPO: Khun Ton Suksombat — [email protected]
- General: [email protected]
- LINE: @thaiwatchmarket
- Location: Bangkok, Thailand
Sources:
- Personal Data Protection Act B.E. 2562
- Anti-Money Laundering Act B.E. 2542
- Notifications and guidelines from the Personal Data Protection Committee (pdpc.or.th)