Personal Data Protection Policy

G Raphic As A Service Co.,Ltd (the "Company") recognizes the importance of your personal data which you provide to the Company with your trust. Thus, for collecting, using and disclosing your personal data in accordance with the Personal Data Protection Law, the Company has issued Personal Data Protection Policy which stipulates the Company’s objectives to collect use or disclose your personal data, the process of data collection, storage, usage and disclosure, types of the personal data, the rights of the data subject and other relevant details. This Personal Data Protection Policy is the Company’s obligation and responsibility regarding personal data of individual person and corporate person who involve in the Company’s business. Moreover, this policy sets the protection standard to give you confidence that your personal data shall be protected, used and managed appropriately in accordance with Personal Data Protection Act B.E. 2562.

This Personal Data Protection Policy shall be applied to:

(1) Individual clients mean individual person who uses or has used the Company’s products or services.

(2) Individual person who do not use any product or service holding with the Company or is non-client, but the Company may need to collect, use, or disclose your personal data, including anyone who visits or uses the Company’s website, platform, application, or attends the Company’s seminar, and including any person who is involved in transactions with the Company or provides the personal data to the Company in any way.

(3) Individual person who associated with the corporate client e.g. employees, staffs, officers, company representatives, shareholders, authorized persons, directors, contact persons, including any other individuals to whom the corporate client discloses their personal data in order to make the transaction or contact with the Company. This corporate client who uses or has used the Company’s products or services.

This Personal Data Protection Policy applies to our business, websites, mobile applications, call centers, events and exhibitions, online communication channels, other locations and any means where the Company collects, uses or discloses your Personal Data.

1. Personal data the Company collects

"Personal Data" means any identified or identifiable information about you, whether directly or indirectly (but not including the information of deceased persons) as listed below. In order to offer the Client our services, we might collect your information in a variety of ways. We may collect your Personal Data directly from you (e.g. through our investment consultant, operation officer, call center or other relevant employees.) or indirectly from other sources (e.g. social media, third party’s online platforms, and other publicly available sources) and through our group companies, service providers, business partners, official authorities, or third parties (e.g. third-party custodians, sub-custodians, and brokers). Which specific types of data collected depends on the Client′s relationship with us, and which services or products the Client requires from us.

"Sensitive Data" means Personal Data classified by law as sensitive data. The Company will only collect, use, or disclose Sensitive Data if the Company has received your explicit consent or as permitted by law.

Type of Clients

Individual Client

The Company will collect, use, or disclose the following categories and types of your Personal Data, including but not limited to:

(a) Personal details, such as your title, name, last name, gender, age, date of birth, nationality, education, marital status, occupation, job title, salary, work place, information on government-issued cards (e.g. national identification number, passport number, tax identification number or driver′s license details), house registration, signature, photo, voice recording, CCTV records, and other identification information;

(b) Contact details, such as your address, telephone number, mobile number, fax number, email address, and other electronic communication ID;

(c) Account and financial details, such as your credit card and debit card information, salary certificate, account number and account type, statement, financial information, prompt pay details, assets, debts, income and expenses, as well as payment details, service and product application details;

(d) Transaction details, such as the type of products or services (e.g. securities or derivatives), price and quantity, order number, broker number, conditions (if any), trading history and balance, payment and transaction records relating to your assets, credit limit, financial statements, liabilities, taxes, revenues, earnings and investments, source of wealth and funds, representation, trade information, default record, margin balance, and margin loan record;

(e) Technical details, such as your Internet Protocol (IP) address, web beacon, log, device ID and type, network, connection details, access details, single sign-on (SSO) details, login log, access times, time spent on our page, cookies, login data, search history, browsing details, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on devices you use to access the platform;

(f) Investment details, such as your account identifiers, username and password, PIN ID code for trading, interests and preferences, activities, investment objectives, investment knowledge and experience, and risk tolerance; and

(g) Usage details, such as information on how you use the websites, platform, products, and services, and your contact details.

Corporate Client

The Company will collect, use, or disclose the following categories and types of your Personal Data, including but not limited to the followings:

1. a) Identity Data, such as, your title, name, last name, gender, age, photos, education, information on CV, work-related information (e.g., position, function, occupation, job title, company you work for, employed at or holds shares of), information on government-issued cards (e.g., national identification number or passport number), photo, percentage of shares, signatures, and other identifiers;
2. b) Contact Details, such as, telephone numbers, fax number, address, country, e-mail, and other similar information;
3. c) Personal data generated in connection with the Client′s relationship with us, such as, account opening, administration, operation, payment, settlement, processing, and reporting, on behalf of the Client. Such Personal Data may include signatures, and your correspondence with us; and
4. d) Other information, collected, used or disclosed in connection with the relationship with us, such as, information you give us in contracts, arrangements, forms, request forms or surveys or data collected when you participate in our business functions, trainings, seminars or social events.

The Company will collect, use, or disclose the following Sensitive Data about you:

(a) biometric data, such as facial recognition or fingerprint;

(b) health data, such as medical information;

(c) disability;

(d) criminal records; and

(e) sensitive data as shown in the identification document

2. The Purpose of collection, use or disclosure of your Personal Data

The Company may collect, use, or disclose your Personal Data and Sensitive Data for the following purposes.

2.1 Purpose for which consent is required

The Company relies on your consent to:

(a) provide marketing communications, offering products and services, special offers, digital services, conduct market research and create marketing campaign for promotional materials about the products and services of the Company, our group companies, and the third parties which we cannot rely on other legal grounds;

(b) collect, use, or disclose your Sensitive Data for the following purposes:

(i) biometric data, which is facial recognition, fingerprint for the access to premises/application and authentication and verification;

(ii) health data, such as medical information for facilitation;

(iii) disability for communicating and providing appropriate services;

(iv) criminal records for investigating money laundering and financing of terrorist activities;

(v) sensitive data as shown in the identification document for the purpose of authentication and verification; and

(c) cross-border transfer your Personal Data to a country which may not have an adequate level of data protection, for which consent is required by law.

Where legal basis is consent, you have the right to withdraw your consent at any time. This can be done so, by contacting the Company or Data Protection Officer as specified in Clause 9. The withdrawal of consent will not affect the lawfulness of the collection, use, and disclosure of your Personal Data and Sensitive Data based on your consent before it was withdrawn.

2.2 Purpose for which the Company may rely on other legal grounds for processing your Personal Data

The Company may collect, use, or disclose your Personal Data by relying on the following legal grounds: (1) a contractual basis, for our initiation or fulfillment of a contract with you; (2) a legal obligation; (3) the legitimate interest of ourselves and/or third parties, to be balanced with your own interest and fundamental rights and freedoms in relation to the protection of your Personal Data; (4) vital interest, for preventing or suppressing a danger to a person’s life, body or health; and (5) public interest, for the performance of a task carried out in the public interest or for the exercise of official actions.

The Company relies on the legal grounds in (1) to (5) above for the following purposes of collection, use, or disclosure of your Personal Data:

Individual Client

(a) contacting you prior to your entering into a contract or an arrangement with the Company;

(b) processing applications for account opening, account maintenance, and operations relating to your accounts, including without limitation, processing your applications or requests for services or products, processing your transactions, generating your account statement, and operating and closing your accounts;

(c) providing services to you, such as securities brokerage, derivatives brokerage, securities underwriting, financial advisory, investment advisory, securities lending and borrowing, private fund management. from time to time and dealing with all matters relating to the services;

(d) providing investment products, offering choices to you (including investment products of third parties) from time to time and dealing with all matters relating to the investment products;

(e) managing your relationship with us and administration of your account with the Company;

(f) preventing customers with certain limitations (e.g. elderly person) from engaging in certain types of transactions by themselves for the purpose of damage control;

(g) carrying out your instructions or responding to your inquiries or feedback, and resolving your complaints;

(h) conducting identity verification and credit checks, know-your-customer (KYC) and customer due diligence (CDD) processes, other checks and screenings, and ongoing monitoring that may be required under any applicable law;

(i) preventing, detecting and investigating fraud, misconduct, or any unlawful activities, whether or not requested by any governmental or regulatory authority, and analysing and managing risks;

(j) complying with all applicable laws, regulations, rules, directives, orders, instructions and requests from any governmental, tax, law enforcement or other authorities or regulators (whether local or foreign), such as Anti-Money Laundering Office, Thai Revenue Department and Bank of Thailand;

(k) managing our infrastructure, internal control, internal audit and business operations and complying with our policies and procedures that may be required by applicable laws and regulations including those relating to risk control, security, audit, finance and accounting, systems and business continuity;

(l) addressing or investigating any complaints, claims or disputes;

(m) provide marketing communications, offering products and services, special offers, digital services, conduct market research and create marketing campaign for promotional materials about the products and services of the Company, our group companies and the third parties;

(n) developing new services and products and updating you on our services and products from time to time;

(o) carrying out research, planning and statistical analysis, for example, on your investment limit and investment behaviour, for the purpose of developing our services and products;

(p) organizing our promotional campaign or events, conferences, trainings, seminars, and company visits;

(q) enforcing our legal or contractual rights including, but not limited to, recovering any and all amounts owed to the Company;

(r) facilitating financial audits to be performed by an auditor, or receiving legal advisory services from legal counsel appointed by you or us; and

(s) performing our obligations under any agreements to which we are a party, e.g. agreements with our business partners, vendors, agents or other asset management companies, or under which we are acting as an agent.

If the Personal Data the Company collect from you is required to meet our legal obligations or enter into an agreement with you, the Company may not be able to provide (or continue to provide) our products and services to you if the Company cannot collect your Personal Data when requested.

Corporate Client

(a) Business communication, such as, communicating with the Client about our products or services, e.g. by responding to inquiries or requests;

(b) The Client selection, such as, verifying your identity and your status, conducting due diligence or any other form of background checks or risk identification on you (including screening against publicly available government law enforcement agency and/or official sanctions lists as required if law), evaluating suitability and qualifications of you , issuance of request for quotation and bidding, execution of contract with you ;

(c) The Client data management, such as, maintaining and updating lists/directories of the Clients (including your Personal Data), keeping contracts and associated documents in which you may be referred to;

(d) Relationship management, such as, planning, performing, and managing the (contractual) relationship with the Client, e.g., by performing transactions and orders of products or services, processing payments, performing accounting, auditing, billing and collection activities, arranging shipments and deliveries, providing support services;

(e) Business analysis and improvement, such as, conducting research, data analytics, assessments, surveys and reports on our products, services and your performance, development and improvement of marketing strategies and products and services;

(f) IT systems and support, such as providing IT and supports, creating and maintaining code and profile for you, managing your access to any systems to which the Company has granted you access, removing inactive accounts, implementing business controls to enable our business to operate, and to enable us to identify and resolve issues in our IT systems, and to keep our systems secure, performing IT systems development, implementation, operation and maintenance;

(g) Security and system monitoring, such as authentication and access controls and logs where applicable, monitoring of system, devices and internet, ensuring IT security, prevention and solving crimes, as well as risk management and fraud prevention;

(h) Dispute handling, such as solving disputes, enforcing our contracts, establishing, exercising or defence of legal claims;

(i) Internal investigation, any investigation, complaints and/or crime or fraud prevention;

(j) Internal compliance, such as compliance with internal policies and applicable laws, regulations, directives and regulatory guidelines;

(k) Compliance with laws and government authorities, such as liaising and interacting with and responding to government authorities or courts;

(l) Marketing purposes, such as informing you of our news and publications which may be of interest, events, offering new services, conducting surveys; and

(m) Complying with reasonable business requirements, such as management, training, auditing, reporting, control or risk management, statistical, trend analysis and planning or other related or similar activities.

3. How the Company discloses or transfers your Personal Data

The Company may disclose or transfer your Personal Data to the following third parties (including their personnel and agents) who collect, use or process Personal Data in accordance with the purposes under this Personal Data Protection Policy. These third parties may be located in or outside Thailand. Therefore, please visit their privacy policies to learn and understand more details on how they collect, use or process your Personal Data.

Individual Client

3.1 Group Companies

As G Raphic As A Service Co.,Ltd is part of the Company may need to transfer your Personal Data to, or otherwise allow access to such Personal Data by, other companies within Company Limited Group for the purposes set out above.

3.2 Our service providers

The Company may use other companies, agents or contractors to perform services on our behalf or to assist with the provision of products and services to you. The Company may disclose your Personal Data to these service providers, including but not limited to: (a) IT service providers; (b) research agencies; (c) analytics service providers; (d) survey agencies; (e) marketing, advertising media and communications agencies; (f) payment service providers; and (g) administrative and operational service providers.

In the course of providing these services, the service providers may have access to your Personal Data. However, the Company will only provide our service providers with the Personal Data that is necessary for them to perform the services, and we ask them not to use your Personal Data for any other purposes. The Company will ensure that all the service providers we work with will keep your Personal Data secure.

3.3 Our business partners

The Company may transfer your Personal Data to persons acting on your behalf or otherwise involved in the provision of the type of product or service you receive from us, including payment recipients, beneficiaries, account nominees, intermediaries (such as third-party securities companies, or asset management companies), custodians, correspondents, agents, vendors, co-brand business partners, counterparties, issuers of products, or global trade repositories to whom the Company discloses Personal Data in the course of providing products and services to you and whom you authorize the Company to disclose your Personal Data to, provided that these data recipients agree to treat your Personal Data in a manner consistent with this Personal Data Protection Policy.

3.4 Third parties permitted by law

In certain circumstances, the Company may be required to disclose your Personal Data to a third party in order to comply with legal or regulatory obligations. This includes any law enforcement agency, court, regulator, government authority or other third party for which we believe disclosure or transfer is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights, the rights of any third party′s or individuals’ personal safety, or to detect, prevent, or otherwise address fraud, security or safety issues.

3.5 Professional advisors

The Company may disclose or transfer your Personal Data to our professional advisors relating to audit, legal, accounting, and tax services who assist in running our business and defending or bringing any legal claims.

3.6 Third parties as assignees, transferees, or novates.

The Company may assign, transfer, or novate our rights or obligations to a third party, to the extent permitted under the terms and conditions of any contract between you and us. The Company may disclose or transfer your Personal Data to assignees, transferees, or novatees, including prospective assignees, transferees, or novatees, provided that these data recipients agree to treat your Personal Data in a manner consistent with this Personal Data Protection Policy.

3.7 Third parties connected with business transfer

The Company may disclose or transfer your Personal Data to our business partners, investors, significant shareholders, assignees, prospective assignees, transferees, or prospective transferees in the event of any reorganization, restructuring, merger, acquisition, sale, purchase, joint venture, assignment, dissolution or any similar event involving the transfer or other disposal of all or any portion of our business, assets. If any of the above events occur, the data recipient will comply with this Personal Data Protection Policy to respect your Personal Data.

Corporate Client

The Company may have to disclose your Personal Data with other parties for the purposes set out in section 2 above, such as, our affiliates within company limited, our other business partners, third party service providers engaged by us. In some cases, the Company may disclose your Personal Data to any government authority, law enforcement agency, court, regulator, or other third party where the Company believes this is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights, the rights of any third party or individual’s personal safety, or to detect, prevent, or otherwise address fraud, security or safety issues.

When the Company transfers Personal Data to the third parties, The Company will take steps to ensure the protection of your Personal Data, such as confidentiality arrangements or other appropriate security measures as required by law.

4. Disclosure of Personal Data by transferring Personal Data to a foreign country

The Company may disclose or transfer your Personal Data to third parties or servers located overseas, and the destination countries may or may not have the same data protection standards as Thailand. The Company has taken steps and measures to ensure that your Personal Data is securely transferred, that the data recipients have suitable data protection standards in place, and that the transfer is lawful by relying on the derogations as permitted under the law.

5. How long do we keep your Personal Data

The Company retains your Personal Data for as long as is reasonably necessary to fulfill the purposes for which the Company has obtained it as set out in this Personal Data Protection Policy, and to comply with our legal and regulatory obligations. However, the Company may have to retain your Personal Data for longer duration, if required by applicable law.

6. Other important information about your Personal Data

6.1 Cookies and how they are used

If you visit our websites, the Company will gather certain information automatically from you by using Cookies. Cookies are tracking technologies that are used in analyzing trends, administering our websites, tracking users’ movements around the websites, and remembering users’ settings.

Most Internet browsers allow you to control whether or not to accept Cookies. If you reject Cookies, your ability to use some or all of the features or areas of our websites may be limited.

6.2 Personal Data used by persons who are limited in their ability to perform juristic act

Our activities are not generally aimed at minors, incompetent persons, or quasi-incompetent persons and the Company does not knowingly collect Personal Data from customers who are minors (those who is not sui juris by marriage or who does not have status as sui juris according to section 27 of the Civil and Commercial Code), incompetent persons or quasi-incompetent persons without the consent of parent or curator or legal guardian (as the case may be).

If you are a minor, an incompetent person, or a quasi-incompetent person wish to engage in a contractual relationship with us, you must obtain the consent from your parent or curator or legal guardian prior to contacting us or providing us with your Personal Data. If the Company learns that the Company has unintentionally collected Personal Data from any minor without the consent of parent or curator or legal guardian (as the case may be), the Company will delete it immediately or continue to process such Personal Data if we can rely on other legal bases apart from consent.

6.3 Personal Data related to third parties

If you provide the Personal Data of any third party such as your parents, spouse and children, shareholders, directors, beneficiary, emergency contact, referral, and references to us, (e.g. their name, family name, email address, and telephone number.) you should ensure that you have the authority to do so and to permit us to use the Personal Data in accordance with this Personal Data Protection Policy. You are also responsible for notifying the third party of this Personal Data Protection Policy and, if required, obtaining consent from the third party or rely on others legal basis.

7. Your rights with regard to your Personal Data

Your rights described here means legal rights by virtue of the Personal Data Protection Act B.E.2562. However, you may exercise any of these rights within legal requirements and policies at the present or as amended in the future as well as regulations set out by the Company. In the case you are under 20 years old or your legal contractual capacity is restricted, your father and mother, guardian or representative may request to exercise the rights on your behalf.

(a) Right to Access: you may have the right to access or request a copy of the Personal Data which the Company has collected, used, or disclosed. Moreover, you have the right to request us to disclose the acquisition of your personal data obtained without your consent;

(b) Right to Data Portability: you may have the right to obtain Personal Data hold about you, in a structured, electronic format, including (A) right to request the Company to send or transfer the personal data in such format directly to other data controllers if doable by automatic means or (B) right to request to obtain the Personal Data in such format sent or transferred by the Company directly to other data controller unless not technically feasible.

(c) Right to Objection: in some circumstances, you may have the right to object to how we process your Personal Data in certain activities which specified in this Policy;

(d) Right to Deletion: you may have the right to request that the Company deletes, destroys, or de-identifies your Personal Data that we process about you, e.g. if the data is no longer necessary for the purposes of processing;

(e) Right to Restriction: you may have the right to restrict our processing of your Personal Data if you believe such data to be inaccurate, that our processing is unlawful, or when such data no longer need to store for a particular purpose;

(f) Right to Rectification: you may have the right to have Personal Data that is incomplete, inaccurate, misleading, or out-of-date rectified;

(g) Right to Withdraw Consent: you may have the right to withdraw consent that was given to us for the processing of your Personal Data at any time, unless there are restrictions on the right to withdraw consent as required by the law, or a contract that benefits you; and

(h) Right to Lodge a complaint: you may have the right to lodge a complaint to the competent authority if you believe our processing of your Personal Data is unlawful or non-compliance with applicable data protection law.

8. Changes to this Personal Data Protection Policy

From time to time, the Company may change or update this Personal Data Protection Policy. We encourage you to read this Personal Data Protection Policy carefully and periodically revisit https://creativevaluation.com/th/page/17  to review any changes that may occur in accordance with the terms of this Personal Data Protection Policy. The Company will notify you or obtain your consent again if there are material changes to this Personal Data Protection Policy, or if the Company is required to do so by law.

9. Contacting Us

If you wish to contact us to exercise the rights relating to your Personal Data or if you have any queries or complaints about your Personal Data under this Personal Data Protection Policy, please contact us or our Data Protection Officer via the following avenues:

(a) G Raphic As A Service Co.,Ltd

• 899/24 Sukhumvit 101 ,Bangchak,Phrakhanong,Bangkok 10260
• Telephone No: 0-2000-8254

(b) Data Protection Officer

• 899/24 Sukhumvit 101 ,Bangchak,Phrakhanong,Bangkok 10260
• Email: DPO@creativevcloud.com
• Telephone No: 0-2000-8254

10. Security in the storage of personal data

The Company has established and/or adopted a storage system for personal data with appropriate mechanisms and techniques, including restricting access to your personal data by our staffs, employees, company representatives, shareholders, authorized persons, directors, contact persons, and our agents in order to prevent unauthorized use, disclosure, destruction or access to your personal data without authorization.

11. Application of Personal Data Protection Policy

You hereby agree and acknowledge that this Personal Data Protection Policy shall be applied to all personal data collected by the Company. In addition, you agree that the Company has the right to collect and use your personal data which has been collected by the Company (if any), as well as your any personal data currently collected and to be collected by the Company for the future in order to use or disclose to other people within the scope of this Personal Data Protection Policy.

12. Applicable Law

You hereby agree and acknowledge that this Personal Data Protection Policy shall be governed by and interpreted in accordance with the Thai law and the Thai courts shall have exclusive jurisdiction over any dispute that may arise.

This Personal Data Protection Policy shall come into full effect on October 1, 2023