Privacy policy

CHANTRAMED LTD. ("ChantraMed", "we", "us", "our") respects your privacy and is committed to protecting your personal data in accordance with the Personal Data Protection Act B.E. 2562 (2019) of Thailand (the "PDPA") and applicable laws. This Privacy Policy explains what personal data we collect when you use our website https://chantramed.com (the "Site") and related services, how we use it, who we share it with, and what rights you have.

1. Who we are

  • Legal name: CHANTRAMED LTD.
  • Company registration number: 0835569007167
  • Head office: 60/12 Moo 4, Chalong Sub-District, Maung District, Phuket 83130, Thailand
  • Support email: sales@chantramed.com
  • Privacy / PDPA contact: sales@chantramed.com
  • LINE Official: @chantramed
  • Phone: +66 8 4735 4688
  • Support hours: Email and LINE support requests are accepted 24/7. Live response times may vary. Phone availability may vary.

ChantraMed is the data controller for personal data collected through the Site, except where a third-party service acts as its own controller, for example, a payment gateway processing your card details.

2. Scope of this Policy

This Policy applies to personal data we collect when you:

  • visit the Site;
  • create or sign in to a customer account, including via HIKO Social Login;
  • add items to cart, wishlist, or complete a purchase;
  • sign up to our email, SMS, or LINE updates where enabled;
  • submit a review, rating, or comment;
  • contact our customer-care team by email, LINE, phone, or the Site contact form;
  • participate in the ChantraPoints / ChantraMed Rewards program;
  • interact with our advertising, social-media pages, or marketing campaigns.

This Privacy Policy covers ChantraMed's ecommerce services. It does not cover any regulated healthcare or telemedicine service. If such services are launched in the future, they will be covered by a separate privacy notice.

3. Categories of personal data we collect

Category | Examples | Source
Identification | First name, last name, username, gender (optional), date of birth (optional) | You
Contact | Email address, phone number, LINE ID if you contact us via LINE, shipping/billing address | You
Account credentials | Hashed password, social-login identifier, login session data | You / HIKO Social Login / Shopify
Order data | Products purchased, order totals, order history, gift messages, special instructions | You / Shopify
Payment metadata | Masked card number, payment method, transaction ID, payment status. We do not store full card numbers — payment is processed by our payment providers. | Payment provider
Delivery data | Recipient name, delivery address, parcel tracking ID, proof-of-delivery, delivery exceptions | You / delivery carrier
Communications | Messages you send to support by email, form, LINE, call logs, review text, ratings | You
Loyalty | ChantraPoints balance, tier, points history, redemptions | BLOY / Shopify
Reviews | Review text, rating, photos/videos submitted, reviewer name | You / Judge.me
Marketing preferences | Email / SMS / LINE subscription status, consent logs, campaign engagement | You / marketing platforms
Technical / device | IP address, approximate location, device type, browser, OS, language, referrer, screen size | Automatic
Cookies / online identifiers | Shopify session cookies, analytics cookies, advertising cookies, consent record | Automatic / you
Site usage / events | Pages viewed, products viewed, add-to-cart, checkout steps, purchases, clicks | Shopify Customer Events / GA4 / Meta Pixel
Fraud / risk signals | Suspicious order patterns, device fingerprint-style signals provided by Shopify | Shopify / Shopify Network Intelligence, where enabled

We do not knowingly collect health, medical-history, genetic, biometric, criminal-record, or other "sensitive personal data" as defined by section 26 of the PDPA, except where you voluntarily include such information in a support message or review. Please do not share sensitive health information with us unsolicited.

4. How we use personal data: purposes and lawful bases

Purpose | Lawful basis under PDPA | Notes
To create and manage your account | Contract / necessary for pre-contract steps |
To process and deliver your orders | Contract | Shared with carrier
To process refunds and returns | Contract / legal obligation |
To process payments and prevent payment fraud | Contract / legitimate interests |
To provide customer support | Contract / legitimate interests |
To operate the ChantraPoints / Rewards program | Contract | See Rewards Program Rules
To publish and moderate reviews | Consent at submission / legitimate interests | Judge.me
To send transactional messages | Contract | Order confirmation, shipping, refund, account messages; not marketing
To send marketing emails / SMS / LINE | Consent | Opt-in, separately from account creation. You can withdraw at any time.
To run ads on Google, Meta, and similar platforms | Consent | Via the Site's cookie banner
To measure and improve site performance | Consent for non-necessary analytics; legitimate interests for strictly necessary analytics | GA4, Shopify Customer Events
To comply with tax, accounting, and consumer-protection law | Legal obligation |
To detect, investigate, and prevent fraud or abuse | Legitimate interests / legal obligation | See automated decisions and fraud scoring below
To defend or exercise legal claims | Legitimate interests / legal obligation |

4.1 Automated decisions and fraud scoring

Shopify and our payment providers may apply automated risk scoring to orders, for example to flag a suspected fraudulent order. Such checks assist human decisions; we do not make legally significant decisions about you based solely on automated processing. If your order is rejected for fraud reasons and you disagree, you can contact us at sales@chantramed.com and we will review the case manually.

5. Shopify Customer Events, Shopify Customer Privacy, and Shopify Network Intelligence

The Site runs on the Shopify platform. Shopify processes personal data on our behalf under its own Data Processing Addendum.

  • Shopify Customer Events is used to send standardized event signals, such as page view, add to cart, checkout, and purchase, from the Site to connected destinations such as Google Analytics 4, Google Ads, and the Meta Pixel. Those events fire only for the purposes you have consented to via the cookie banner.
  • Shopify Customer Privacy API powers the cookie/consent banner you see on first visit. You can accept, decline, or manage cookie categories at any time.
  • Shopify Network Intelligence, where enabled, allows Shopify to use signals across its merchant network to help detect fraud, bots, and abusive traffic, and to improve conversion and personalization on participating stores. Where activated, the processing is operated by Shopify under its own terms.

6. Who we share personal data with

We share personal data only with the following categories of recipients, and only to the extent necessary for the purpose described.

Recipient category | Examples | Purpose
Hosting / ecommerce platform | Shopify Inc. and its sub-processors | Running the Site, orders, payments, customer accounts
Payment providers | Shopify Payments and card networks / local gateways used at checkout | Processing your payment
Delivery carriers | Flash Express, Lalamove, Thailand Post, J&T Express, Grab, and other trusted delivery/fulfillment partners as needed | Shipping your order
Fulfillment partners | Trusted fulfillment and delivery partners, not publicly named | Preparing and dispatching orders
Analytics providers | Google LLC, Google Analytics 4, Google Ads, Google Merchant Center, Shopify Customer Events | Measuring site performance, advertising, ad measurement
Advertising providers | Meta Platforms, Facebook & Instagram / Meta Pixel, Google Ads | Serving and measuring ads, only with consent
Marketing platforms | Shopify Email; and, where enabled, additional email, SMS, or LINE marketing providers | Sending marketing communications with your consent
Loyalty platform | BLOY Loyalty Rewards | Operating ChantraPoints / ChantraMed Rewards
Reviews platform | Judge.me | Collecting and displaying product reviews
Social login | HIKO Social Login and the social identity provider you choose, such as Google, Facebook, LINE, or Apple | Enabling sign-in
Professional advisers | Accountants, auditors, Thai counsel | Compliance and legal matters
Government authorities | Thai Revenue Department, Royal Thai Police, Thai FDA / อย., PDPC and other regulators | Where we are legally required to disclose

We do not sell personal data. We do not share personal data with third parties for their own independent marketing purposes.

7. Cookies and similar technologies

The Site uses cookies and similar technologies in the following categories:

  • Strictly necessary — required for the Site to work, including session, cart, security, and language preference cookies. These cookies run without consent.
  • Analytics — help us understand how the Site is used, including Shopify Customer Events and Google Analytics 4 measurement ID G-MD1SZ1EEKN.
  • Marketing / advertising — used to show and measure ads on Google, Meta, and similar networks, including Google Ads, Meta Pixel ID 993904923308631, and Meta Enhanced data sharing.
  • Functional / personalization — for example, remembered wishlist state and social-login integration.

You can accept, decline, or manage each category using the cookie banner that appears on your first visit, or by reopening preferences at any time via the "Cookie preferences" link in the footer. Strictly necessary cookies cannot be disabled.

Where Meta Enhanced data sharing is enabled, hashed customer identifiers such as email and phone may be sent to Meta for conversion measurement and ad matching, subject to your consent. We do not send health or sensitive personal data to Meta or any other ad platform.

8. Marketing communications

You will only receive marketing email, SMS, or LINE messages from us if you have given us consent. You can withdraw consent at any time by:

  • using the "unsubscribe" link at the bottom of any marketing email;
  • replying STOP to any marketing SMS, or the local opt-out keyword provided;
  • blocking or unfollowing our LINE Official Account;
  • contacting us at sales@chantramed.com.

Transactional messages such as order confirmation, shipping, refund, security alerts, and account changes are not marketing and will continue to be sent as long as you have an active order or account.

9. International data transfers

Some of our service providers, including Shopify, Google, and Meta, are based outside Thailand. When personal data is transferred to a country that does not provide a level of personal-data protection equivalent to Thai law, we rely on the transfer mechanisms permitted under sections 28–29 of the PDPA, including the recipient being subject to appropriate safeguards, contractual protections, and, where applicable, your consent.

10. Health data and ad platforms

If a regulated healthcare or telemedicine service is introduced in the future, any health data collected for that service will be handled under a separate privacy notice, kept separate from marketing systems, and will not be shared with advertising, remarketing, or audience-building platforms.

11. Data retention

We retain personal data only as long as necessary for the purposes described in this Policy, or as required by applicable Thai law, including tax, accounting, and consumer-protection obligations. Where retention is no longer required, we delete, anonymize, or archive the data under restricted access.

Different categories of personal data are retained for different periods, depending on:

  • the purpose of processing, such as order fulfilment, accounting, marketing, dispute handling, and loyalty;
  • your relationship with us, such as active customer, inactive account, or unsubscribed contact;
  • the lawful basis on which the data is processed, such as contract, consent, legal obligation, or legitimate interests;
  • legal or regulatory requirements that set minimum retention periods, such as tax records;
  • whether the data is the subject of a pending request or dispute.

If you would like details of the retention period applicable to a specific category of your data, please contact us using the details in section 17.

12. Your PDPA rights

Subject to PDPA exceptions, you have the right to:

  1. Access — request confirmation of whether we process your personal data, and a copy of it.
  2. Correction — ask us to correct inaccurate or incomplete data.
  3. Deletion / erasure — ask us to delete data that is no longer necessary, where you have withdrawn consent, or where processing is unlawful.
  4. Restriction of processing — ask us to suspend processing in certain cases.
  5. Objection — object to processing based on legitimate interests, direct marketing, or profiling.
  6. Withdrawal of consent — where processing is based on your consent, you can withdraw it at any time. This does not affect processing before withdrawal.
  7. Portability — receive data you provided to us in a common, machine-readable format, where technically feasible.
  8. Complaint — lodge a complaint with the Personal Data Protection Committee (PDPC) of Thailand.

To exercise any of these rights, email sales@chantramed.com with the subject line "PDPA request — [type]". We will respond within the statutory deadline, generally 30 days. We may need to verify your identity before acting, to protect your data.

13. Security

We apply reasonable administrative, technical, and physical safeguards designed to protect personal data against unauthorised access, loss, alteration, and disclosure. This includes, for example, TLS/SSL encryption at the network layer, access controls, least-privilege staff access, and review of our processors. No internet service is completely immune to risk, and we will notify you and the PDPC of qualifying personal-data breaches within the timelines required by law.

14. Children

The Site is intended for users who are at least 20 years old, the age of majority in Thailand. If you are between 10 and 20, please use the Site only with the consent of a parent or legal guardian; their consent to this Policy will be required for certain processing under section 20 of the PDPA. We do not knowingly collect personal data from children under 10 without parental consent. If you believe we have collected data from a child inappropriately, please contact us.

15. Third-party sites

The Site may link to third-party websites, for example, social-media pages, delivery-carrier tracking pages, and our payment providers. We are not responsible for the privacy practices of those sites; please review their own policies.

16. Changes to this Policy

We may update this Policy from time to time. Material changes will be announced on the Site and, where appropriate, by email. The "last updated" date at the top of this Policy indicates when it was most recently revised.

17. Contact

  • Privacy / PDPA requests: sales@chantramed.com
  • General support: sales@chantramed.com | LINE @chantramed | +66 8 4735 4688
  • Postal address: CHANTRAMED LTD., 60/12 Moo 4, Chalong Sub-District, Maung District, Phuket 83130, Thailand