EVOLUTION WELLNESS (THAILAND) LTD. (“the Company”) realizes the importance of the protection of your Data Privacy, which is a fundamental right to privacy of a person. Data subjects may wish to keep their data safe and secure. To ensure that your Personal Data is protected, we provide this Data Privacy Policy (“Policy”) to inform you of our Policy in relation to the collection, use and disclosure of your Personal Data of individuals as specified in this Policy.​

(1) Individual customers of the Company. This includes a targeted customer (prospective customer), current customer, and former customer of the Company;
(2) An employee, staff, officer, representative, shareholder, director, contact person, agent, and individuals related to Corporate customers which include a targeted customer (prospective customer), current customer, and former customer of the Company and;
(3) Non-customers who have transactions or activities or have relationships with the Company, such as external service providers, business partners, contract parties with the Company, or shareholders of the Company, etc. (hereinafter if not specifically referred to (1) to (3), the persons under (1) to (3) are collectively referred to as “Data Subject”)
          The Company has always placed importance and reiterated on Personal Data protection to ensure that your Personal Data will be used in accordance with the following principles.

• Lawfulness, fairness, and transparency: The Company shall process any Personal Data which is limited and necessary based on the lawful basis and explicitly establish methods for collecting and using Personal Data.
• Purpose Limitation Principle: The Company will only process the data for the purposes specified and notified at the time that the Company obtains Personal Data unless the processing is for a related purpose or a performance of an explicit legal obligation.
• Data Minimization Principle: The Company will collect and use Personal Data only to the extent necessary to achieve the purposes of data processing.
• Data Accuracy Principle: The Company will take reasonable steps to ensure that the collected Personal Data is accurate, complete, and up to date with regard to the processing purpose.
• Storage Limitation Principle: The Company will keep the data as needed unless it is necessary for the Company to meet the standards of document retention or by state regulations.
• Integrity and Confidentiality Principle: The Company will provide appropriate technical and administrative measures to ensure an appropriate level of safekeeping of Personal Data that the Company stores.
• Accountability Principle: The Company will take reasonable steps to be able to demonstrate that it has complied with the principles above.

Lawful bases in accordance with Section 24 for collecting, using, or disclosing the Personal Data as follows.

1. Consent bases that requires your consent first
2. Archives/Statistics/Research bases to achieve objectives related to the preparation of historical documents or archives for the public interest, or in connection with research or statistics which have put appropriate safeguards in place to protect your rights and freedoms.
3. Life-threatening suspension bases to prevent or suppress a danger to the life, body or health of a person.
4. The contract bases. It is necessary for the performance of a contract to which you are a party or for the performance of your request prior to entering into such contract.
5. Public interest bases. It is necessary for the performance of duties to carry out the public interest of the Personal Data Controller, or the performance of the duties to exercise the state power assigned to the Personal Data Controller
6. Legitimate Interests Bases. It is necessary for the legitimate interests of the Personal Data Controller or of a person or juristic persons other than the Personal Data Controller unless such benefits are less important than the fundamental rights of the Data Subject.
7. Legal Compliance Bases. It is in compliance with the law of the Personal Data Controller.

If it is Sensitive Data, it requires consent in accordance with Section 26 of the Personal Data Protection Act B.E. 2562 (2019), unless permitted by laws.

   “Person” means a natural person.
          “Personal Data” means any information relating to a person who can be identified, directly or indirectly. The Company may collect, use and/ or disclose Personal Data that is directly obtained from the data subject (Company’s registration platform) or obtained or accessed from other sources (e.g. Department of Business Development, Ministry of Commerce, Department of Provincial Administration, Ministry of Interior, Department of Consular Affairs, Ministry of Foreign Affairs, Credit Information Company, Legal Execution Department, Financial Institutions, Professional Advisors, Social Media, Third-Party Online Platforms or other public sources), or through our affiliates, service providers, business partners, official agency or outsiders.
          “Sensitive Data” means any information which is genuinely personal of a Person, but sensitive and likely exposed to unfair discrimination, e.g., racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual orientation, criminal records, data relating to health and disability, labor union data, genetic data, biometric data or any other data which affects the data subject in such manner as prescribed and announced by the Personal Data Protection Committee.
          “Data Subject” means a Person who owns Personal Data, except where the Person holds the data ownership or creates or collects such data on his/her own, whereby this Data Subject refers to only a natural person and excludes a “juristic person” established by law, such as company, association, foundation or any other organization.
          In this regard, a Data Subject includes any of the following Persons:
          1.   Data Subject of legal age refers to:
          1.1 a Person at the age of 20 or older; or
          1.2 anyone who is married at the age of 17 or older; or
          1.3 anyone who is married before the age of 17 with the Court’s permission or
          1.4 a minor whose legal representative has given consent for the minor to carry on a trade or other business or to enter into an employment contract as an employee, and in relation to the business or employment above, the minor shall have the same capacity as a person of legal age (sui juris).
In this regard, for the purpose of giving any consent, a Data Subject of legal age may give consent of his/her own accord.
          2. A minor Data Subject refers to a Person below the age of 20 and not of legal age under Item 1, and as such, for the purpose of giving any consent, the consent of the person with the appointed guardian authorized to act on behalf of the minor shall also be obtained.
          3. A quasi-incompetent Data Subject refers to a Person adjudged by the Court to be quasi-incompetent on the ground that he/she is incapable of managing his/her own affairs or manages it to the detriment of his/her own property or family because of physical or mental infirmity, habitual prodigality, habitual intoxication or other similar causes, and as such, for the purpose of giving any consent, the consent of the curator with the power to act on behalf of the quasi-incompetent person must first be obtained.
          4. An incompetent Data Subject refers to a Person adjudged by the Court to be incompetent on the ground of unsound mind5, and as such, for the purpose of giving any consent, the consent of the guardian with the power to act on behalf of the incompetent person must first be obtained.
          In this regard, such request for a Data Subject’s consent that does not proceed in compliance with the Personal Data protection law shall not be binding upon the Data Subject.
          “Data Controller” refers to a Person or a juristic person with the power and duties to make decisions regarding the collection, use or disclosure of Personal Data.
          “Data Processor” refers to a Person or a juristic person who proceeds with the collection, use or disclosure of Personal Data under such orders given by or on behalf of a Data Controller, whereby the Person or juristic person who proceeds as such is not a Data Controller.

    The Company collects the Personal Data as necessary according to the scope of purposes of using the data that the Company will inform in the next part. In this regard, the types of Personal Data stored with the Company have been classified as follows:

2.1.1 Personal Data collected from customersType of data- Personal Data
Examples of data that the Company collects, uses and/or discloses- Title, first name, middle name, last name, alias (if any), Identification card number/Passport number, Date of birth, age, Marketing taste, Gender, Emergency contacts, Health details, Vaccination information, Occupation, AIA insurance status, Payment details, Photograph, Signature

Type of data- Sensitive DataExamples of data that the Company collects, uses and/or discloses–
1. Collecting data from the physical test, including - Information about past and present heart disease problems, Chest pain or chest tightness, Medical history for heart disease, blood pressure, or diuretics, Problems related to sickness of bones and joints, Problems with balance and unconsciousness, Other diseases that affect exercise, such as gout.
2. Collecting data from BodiTrax – Impedance, Fat-free mass, Muscle value, Fat value, Bone value, BMR value, age, BMI value, weight, height.
3. Other health record data
4. Religious data

Type of data- Contact Information
Examples of data that the Company collects, uses and/or discloses– Current address, Personal or work telephone, E-mail address.

Type of data- Educational Information
Examples of data that the Company collects, uses and/or discloses– Career, Company Name.

Type of data- Financial Information
Examples of data that the Company collects, uses and/or discloses– Account number, Credit card number, Payment or settlement information, The Company's services and products usage, Trading history and balance, Payment and transaction history.

Type of data- Record images and/or voices interacting with the Company
Examples of data that the Company collects, uses and/or discloses– Records from CCTV, Records of communications through online or other electronic channels of the Company

Type of data- Usage details
Examples of data that the Company collects, uses and/or discloses– Data relating to your usage of websites, platforms, products and services, Cookies, Data relating to your usage and interaction with our platforms and operating system.

2.1.2 Personal data collected from job applicants
Type of data- Personal Data
Examples of data that the Company collects, uses and/or discloses- Title, first name, middle name, last name, Hobbies, Gender, Photograph.

Type of data- Sensitive Data
Examples of data that the Company collects, uses and/or discloses- Other health data, Religious data.

Type of data- Contact Information
Examples of data that the Company collects, uses and/or discloses- Current address, Phone number, mobile number, Email, Line ID.

Type of data- Educational and Professional Information
Examples of data that the Company collects, uses and/or discloses- Educational institutions and training information, Educational qualification, Occupation, Company name, Work history.

Type of data- Record images and/or voices interacting with the Company
Examples of data that the Company collects, uses and/or discloses- Records from CCTV, Records of communications through online or other electronic channels of the Company.

Type of data- Usage details
Examples of data that the Company collects, uses and/or discloses- Data relating to your usage of websites, platforms, products and services, Cookies, Data relating to your usage and interaction with our platforms and operating system.

2.1.3 Personal data collected from employees
Type of data- Personal Data
Examples of data that the Company collects, uses and/or discloses- Date of birth, Proof of name and surname change (if any), Photograph, Height, Weight, EWTH application or Resume/CV, Employee Checklist, Employment Contract, Welfare documents (Confidentiality Agreement / Facebook Usage Agreement / Provident Fund Membership Application / Group Insurance Beneficiary Letter), Job Description according to position, Various Competency Documents, Other Assessment.

Type of data- Sensitive Data
Examples of data that the Company collects, uses and/or discloses- Criminal record, Religion, Ethnicity, COVID vaccination history.

Type of data- Contact Information
Examples of data that the Company collects, uses and/or discloses- Current address, Current address and house registration address, Phone number and mobile number, Email, Line ID, FB account / IG account or other social media platforms (if any).

Type of data- Educational and Professional Information
Examples of data that the Company collects, uses and/or discloses– Occupation, Company name, Educational qualifications and related training, Copy of educational background, Various training contracts, Relevant proficiency test results such as an English test, Driving license according to the nature of work (only required position), Other Certificates.

Type of data- Financial Information
Examples of data that the Company collects, uses and/or discloses– Account number, Income and tax information, Copy of Book Bank, Credit card number, Payment or settlement information, The Company's services and products usage, Trading history and balance, Payment and transaction history.

Type of data- Record images and/or voices interacting with the Company
Examples of data that the Company collects, uses and/or discloses– Records from CCTV, Records of communications through online or other electronic channels of the Company.

Type of data- Usage details
Examples of data that the Company collects, uses and/or discloses– Data relating to your usage of websites, platforms, products and services, Cookies, Data relating to your usage and interaction with our platforms and operating system.

Type of data- Personal Data of any other third party
Examples of data that the Company collects, uses and/or discloses–
1. Emergency contact information: Name, Surname, Phone number
2. Referral Person: Name, Surname, Phone number, Job title, Place of work.
3. Guarantor information: Name, Surname, Photo, Phone number, Job title, Proof of income for guarantee, Copy of ID card / Copy of government official card.

2.1.4 Personal Data collected from partners
Type of data- Personal Data
Examples of data that the Company collects, uses and/or discloses–
1. Information in the copy of the ID card is: Name, surname, ID number, Address, Date of birth, Photo, Height.
2. Information in the copy of the house registration is: Name, surname, ID card number, Address according to the house registration, Nationality.
3. Other information: Signature, Job title.

Type of data- Sensitive Data
Examples of data that the Company collects, uses and/or discloses– Religion

Type of data- Record images and/or voices interacting with the Company
Examples of data that the Company collects, uses and/or discloses– Records from CCTV.

Type of data- Usage details.
Examples of data that the Company collects, uses and/or discloses– Data relating to your usage of websites, platforms, products and services, Cookies, Data relating to your usage and interaction with our platforms and operating system.

2.2   Sensitive Data means any information which is genuinely personal of a Person, but sensitive and likely exposed to unfair discrimination, e.g., racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual orientation, criminal records, data relating to health and disability, labor union data, genetic data, biometric data or any other data which affects the data subject in such manner as prescribed and announced by the Personal Data Protection Committee.
          The Company has no policy to collect Sensitive Personal Data from you, however, in certain cases that the Company may need to collect Sensitive Personal Data from you, the Company shall collect the Sensitive Personal Data provided that the Company has been given explicit consent by you or permitted by law.
          In the event that the Data Subject does not provide Personal Data or provides inaccurate or out-of-date Personal Data to the Company, the Data Subject may be affected by being unable to transact with the Company or may not be convenient or not receive the performance of the existing contracts with the Company, and may cause damage or loss to the Data Subject, and may prevent the Company or the Data Subject from complying with the contract.

2.3   Personal Data of minors, incompetent or quasi - incompetent persons
          The Company has no intention to collect, use and / or disclose Personal Data of minors, the incompetent or quasi - incompetent persons, unless the Company obtains consent from the guardian, the appointed guardian, the appointed curator or any act which minors may give consent by itself pursuant to law (as the case may be) and / or has any lawful basis. If the Company discovers that the collection, use and / or disclosure of Personal Data of minors, the incompetent or quasi - incompetent persons is undertaken without (i) consent from the guardian, the appointed guardian, the appointed curator or minors who may give consent by itself pursuant to law (as the case may be) and (ii) any lawful basis, the Company shall delete or destroy such Personal Data.

2.4   Personal Data of any other third party
          If you provide us Personal Data of any other third party who has involvement with you i.e. emergency contact persons and / or any other person per document of your transaction, and reference persons such as , name, surname, address, telephone number, family income and personal information and other contact information to contact in an emergency, fill out an application, or transact with the Company. You certify that such information is lawful. Please inform those persons of the details under this Policy and request their consent.

The Company may collect your Personal Data via the following channels:
          3.1 Personal Data that you give directly to or through The Company
          Normally, the Company will collect your Personal Data directly from you. This usually occurs when you communicate with the Company for inquiries, comments, make complaints through the website, application, telephone, e-mail, or to order products or hire or use the services of the Company; and enter into a contract with the Company, offering goods or contracting or providing services to the Company and entering into contracts, participating in marketing activities or other activities, etc.
          3.2 Personal Data that the Company automatically collects from you.
          The Company may automatically collect some technical information about the Device, activities and traffic patterns, browsing history information.
          3.3 Personal Data that we obtained from outsiders.
          The Company may sometimes obtain your Personal Data from other external sources, for example from public sources, your business or commercial sources regardless of whether you provide Personal Data yourself or have given consent to any such disclosure of your Personal Data, the Company's service providers, government agencies.

    The Company may collect, use and disclose Personal Data for the following purposes:

          4.1 Purposes for which the Company requires consent
          The Company shall collect, use and / or disclose your Personal Data based on consent for the following objectives.
          (a) Marketing operations, submission of offers for products and / or services, privileges for marketing promotions for which the Company cannot apply other criteria or lawful bases.
          (b) Collection, use and / or disclosure of Sensitive Personal Data of the Data Subject for the following objectives.
                (1) Sensitive Personal Data appeared on the identification documents (such as race, blood type or religion) for identity verification and identification purposes.
                (2) Health record data in medical documents and physical examination or other related documents of the Company used for health examination and verification.
          (c) To transfer your Personal Data to a recipient country that may have inadequate data protection standards and consent is required by law.
          4.2 Purposes for which the Company may process the Personal Data based on other criteria and lawful bases.
          The Company only collect, use or disclose your Personal Data where it is necessary or there is a lawful bases for collecting, using or disclosing it below:
          (1) necessary for the performance of a contract, entering into an agreement, or performance of a contract made by the Data Subject.
          (2) compliance with laws
          (3) necessary for legitimate interests by considering our benefits or third party’s benefits with your fundamental rights in Personal Data
          (4) prevent or suppress a danger to a person’s life, body or health; and/or
          (5) necessary to carry out a public task, or for exercising official authority. The Company will rely on the criteria or lawful basis in aforementioned (1) to (5) for the collection, use and/or disclosure of personal information for the following purposes.
                (1)    Contact the Data Subject prior to your entering into a contract or processing the Data Subject’s request;
                (2)    Offer various products and services, marketing data, promotional or marketing activities including documents delivery regarding promotions or promotional activities;
                (3)    Management of the Data Subject’s relationship with the Company and management of the Data Subject’s existing account with the Company;
                (4)    Management of complaints of Data Subjects, resolving or investigating any complaints, claims or disputes related to products or services;
                (5)    Prevention, detection and investigation of fraud, misconduct or unlawful activities requested by government agencies or regulators and analysis and risk management;
                (6)    Compliance with laws, rules, regulations, guidelines, orders, advice and requests from government agencies, tax agency, law enforcement agencies or other agencies or regulators (both domestic and international), such as the Revenue Department, Social Security Office Department of Welfare, and Legal Execution Department, Ministry of Commerce, Laws relating to public health, etc.;
                (7)    Contact, notification, notification of debt payment, the exercise of claims or enforce legal or contractual rights, assignment of rights and/or duties, debt collection, financial audit by auditor or obtain services from legal advisors;
                (8)    Performance of the Company’s obligations in accordance with terms and conditions set out in an agreement to which the Company is a party such as contracts with service providers or any person or juristic persons or to enforce legal or contractual rights in which the Company acts as an agent and/or broker, etc.; and
                (9)    Records and/or voice records of CCTV surveillance to investigate suspicious transactions which the Data subject made with us, including but not limited to use such records to improve or develop the Company's services, to deal with the data subject complaints or to ensure security.
          4.3 In the event that the Company will process your Personal Data in a manner and/or for purposes inconsistent with the purposes stated above, the Company will provide additional policies or notices regarding the protection of Personal Data and/or deliver you a written explanation for the processing of such data. You are advised to read the relevant policies or additional notices in conjunction with this Policy and/or such delivered document. (as the case may be)
          4.4 The Company would like to inform you that in the event that the Company requires identification documents such as an ID card, passport, work history, or other documents which may contain Sensitive Personal Data, such as religion, nationality or blood type, etc. The Company does not intend to collect such data. Therefore, you are requested to cross out or blacken out that part of the data. The company reserves the right to cross out or blacken out such data in order to maintain your Sensitive Personal Data.
          4.5 You agree not to deliver any data that is inaccurate and/or misleading to the Company and you agree to notify the Company of any inaccuracies or changes of such data. The Company reserves the right to request delivery of any additional documents to verify the data you have given to the Company as the Company deems appropriate.

To carry out the purposes stated in this Privacy Policy. Your Personal Data may be disclosed or delivered to various departments within the Company and to a third party as follows:

Type of Personal Data- Within the Company
DetailsYour Personal Data may be disclosed or submitted to only various departments within the Company that are relevant and have the necessary roles and duties for the purposes. These persons or teams of the Company will be allowed to access your Personal Data as necessary and appropriate

• Sales staff or other relevant department officials by assigning permissions to access data according to the roles and responsibilities
• Your executive or direct supervisor who is responsible for managing or making decisions about you or when dealing with HR procedures
• Supporting parties or teams such as Marketing, Corporate, Call center, Club operation, Fitness, Admin and Accounting, HR, procurement, Leasing, Property, IT, etc.

Your Personal Data may be disclosed or delivered to external organizations such as the Revenue Department, Social Security Office, Department of Labor Protection and Welfare, Legal Execution Department, Ministry of Commerce, Ministry of Labor or any other agency by virtue of law.

Type of Personal Data- Organization or third party
Details
The Company may disclose your data to organizations or third parties who contact us for verifying your transactions and to provide services or products according to the demand of you or partner company.

       6.1 The Company may send or transfer your Personal Data to other parties both domestically and internationally where necessary to perform the contract to which you are a party or is acting under a contract between the Company and another person or juristic person for your benefit or for use in the processing of your request before entering into the contract or to prevent or suppress a danger to life, body or health to you or others as well as to comply with the law or as necessary to carry out tasks for the public interest.
          6.2 The Company may store your Personal Data on a computer, Server, or Cloud provided by another person and may use third-party programs or applications in the form of providing software packages and in forms of ready-made platform services to process your Personal Data. However, the Company will not allow unrelated persons to access Personal Data and the Company will require those other parties to have appropriate Personal Data security protection measures.
          6.3 In the event that it is necessary to send or transfer your Personal Data abroad, the Company will comply with Personal Data protection laws and take reasonable measures to ensure that your Personal Data is protected and that you can exercise your Personal Data rights as required by law, including the Company will require those who receive your Personal Data to take appropriate measures to protect your Personal Data and only process such Personal Data as necessary and take steps to prevent other people from unauthorized use or disclosure of Personal Data.

The Company may collect and use cookies and / or any other technologies of similar nature when you use the Company’s website such as the date and time, the link that was viewed, pages visited, terms and conditions, and any settings, which will be saved on your computer and/or communication device accessed, such as a notebook, tablet or smartphone via a web browser while browsing the website.
          Cookies will not harm your computer and/or communication devices. In the following cases, your Personal Data may be collected in order to enhance your experience of using the online services. It will recollect your use and preferences of language and setting in order to respond to your demand so that we can verify your uniqueness and your safety data including the services you are interested in. Cookies are also used to measure traffic to online services.

          To adjust the content, we may consider based on your previous and current browsing behavior and such data may be used for advertising purposes. You can learn more details from the “Cookies Policy” of the Company HERE.

    8.1 The Company will collect your personal data for the collection, use or processing purposes stated by the Company in this Policy to the extent necessary as long as required by law. This includes complying with the requirements of applicable law.
          8.2 The Company will still further keep your Personal Data for the collection, use or disclosure purposes once you have ended the relationship with us for a period of time that is appropriate for the legitimate interest and necessary as specified by laws or keep in a way that makes it impossible to identify the person directly or indirectly such as “make it anonymous data” or “make it pseudonymous Data”
          8.3 The Company may retain your Personal Data for as long as necessary to achieve the related objectives of each Privacy Policy. The Company will keep
your Personal Data for a period as necessary according to the statute of limitations after the end of the relationship or your last contact with us.          8.4 The Company will undertake operations through appropriate steps to delete or destroy the Personal Data or make it permanently anonymous or any other methods to erase all Personal Data when a said period ends or become irrelevant, or it is no longer necessary for the Company to collect according to the purposes herein, or the Company must act upon your request to erase your Personal Data.

  The Company prioritizes the security importance of your Personal Data such as encryption, and restriction of access to personal information to ensure that our personnel and third parties acting on our behalf have complied with appropriate standards for Personal Data protection. This includes the duty to prevent data leakage and the Company to take appropriate security measures in relation to the processing of the data.
          The Company will keep your personal information very well in accordance with the Technical Measures and Organizational Measure to secure the proper processing of Personal Data. and to prevent Personal Data breaches. The Company has established policies, rules and regulations for Personal Data protection, including measures to prevent recipients of information from the company using or disclose information outside the intended purpose or without power or wrongdoing and the Company has updated the Policy. Such rules and regulations are periodically necessary and appropriate. In addition, the Company's executives, employees, contractors, agents, consultants and recipients of information from the Company are obliged to maintain the confidentiality of Personal Data in accordance with the confidentiality measures set by the Company.
          The Company shall apply Technical and Organizational measures for the safekeeping of your Personal Data in order to appropriately maintain the security of Personal Data processing and to prevent Personal Data breaches. The Company has established policies, rules and regulations for Personal Data protection, including measures to prevent recipients of data from the Company from using or disclosing data outside the intended purpose or without authority or illegally and the Company has updated the Policy, rules and regulations periodically as necessary and appropriate. Furthermore, the Company’s executives, employees, personnel, contractors, representatives, advisors, and recipients of data from the Company shall maintain the confidentiality of Personal Data in accordance with the confidentiality measures determined by the Company.
          The Company has regularly reviewed and updated the Company's Personal Data security procedures and measures to be up to date in order to maintain a level of security as appropriate to the risk and to ensure the confidentiality of Personal Data, completeness, availability and flexibility in the processing of Personal Data on an ongoing basis, including protection, loss and collection, access, use, modification, alteration or unauthorized disclosure of Personal Data. The Company will apply various measures to maintain the security of the Company's Personal Data when processing all types of Personal Data both in electronic and document format.

          The Company may amend or update this Policy from time to time to comply with guidelines and relevant laws and regulations. The Company will notify you of such change through the appropriate channels. As such, the Company would encourage you to read and check the details in the Policy every time when such changes are made.

 If you have any inquiries in relation to the collection, use, and disclosure of your Personal Data, including your rights under this Policy, you can contact the Company below:
Email: DataProtection.TH@evolutionwellness.co.th
Tel: 02-118-6665

Announced to be effective on 30 May B.E. 2565(2022)