Privacy Policy

1. Data Controller and Contact Information

Harvest Clean Food ("we", "us", "our") operates the website www.harvestcleanfood.com and the associated meal-delivery service. We are the Data Controller under the Thailand Personal Data Protection Act B.E. 2562 (2019) ("PDPA") for all personal data collected through our website, mobile experience, and meal-delivery operations.

Data Controller: Harvest Clean Food
Address: 42 Sukhumvit Soi 31, Khlong Toei Nuea, Watthana, Bangkok 10110, Thailand
Email: [email protected]
Phone: +66 95 950 5111

We do not have a Data Protection Officer (DPO) at this time. All data subject requests should be directed to the contact details above.

2. Categories of Personal Data We Collect

We collect the following categories of personal data:

2.1 Identity and Contact Data

• Full name (first and last)
• Email address
• Phone number (used for delivery notifications and OTP authentication)

2.2 Delivery Data

• Street address, building name, floor, unit number
• District, province, and postal code
• Delivery time window preference
• Special delivery instructions (e.g. "leave with security desk")

2.3 Health and Dietary Data (Sensitive Data under PDPA Section 26)

Dietary preferences and allergen flags (e.g. gluten, dairy, peanuts, shellfish) that you voluntarily disclose to us constitute sensitive personal data under the PDPA. We collect this data only with your explicit consent and use it solely to prepare and deliver meals that are safe for you.

2.4 Financial Data

• Payment card tokens issued by Omise Co., Ltd. (our PCI DSS Level 1 certified payment processor). We do not store card numbers, CVV codes, or expiry dates on our servers.
• Order amounts, transaction IDs, and refund records.

2.5 Technical and Usage Data

• IP address and approximate geolocation (city level)
• Browser type, operating system, and device identifiers
• Pages visited, time on page, click patterns, and referral URL
• Cookie identifiers and analytics identifiers (see Section 6)

3. Lawful Basis for Processing and Purposes

Under PDPA Sections 24 and 26, we rely on the following lawful bases:

4. How We Share Your Data

We do not sell your personal data. We share it only with the third parties listed below, and only to the extent necessary for the stated purpose:

• Omise Co., Ltd. — payment processing. Your card details go directly to Omise's PCI DSS Level 1 certified environment; they never pass through our servers.
• Delivery partners and drivers — receive your name, address, and phone number solely to complete your delivery.
• Google LLC — Google Analytics 4 (usage analytics under consent), Google Ads (conversion measurement under consent).
• Meta Platforms Ireland Ltd. — Meta Pixel and Conversions API (marketing measurement under consent).
• Vercel Inc. — web hosting and edge-network infrastructure.
• Supabase Inc. — database and file storage (Singapore region).
• Resend Inc. — transactional email delivery.

We require all third-party processors to protect your data to a standard at least equivalent to this policy. We do not transfer your data outside Thailand or the EEA except where necessary for the services above, and where adequate safeguards (Standard Contractual Clauses or equivalents) are in place.

5. Your Rights Under the PDPA

Under PDPA Sections 30–43, you have the following rights regarding your personal data:

• Right to access (Section 30): Request a copy of the personal data we hold about you and information about how we process it.
• Right to data portability (Section 31): Receive your data in a structured, machine-readable format where technically feasible.
• Right to rectification (Section 35): Correct inaccurate or incomplete personal data.
• Right to erasure (Section 33): Request deletion of your personal data where we no longer have a lawful basis to process it (subject to legal retention obligations).
• Right to restrict processing (Section 34): Ask us to pause processing your data in certain circumstances.
• Right to object (Section 32): Object to processing based on legitimate interest, including direct marketing.
• Right to withdraw consent (Section 19): Withdraw any consent you have given at any time without affecting the lawfulness of processing before withdrawal.
• Right to lodge a complaint: Complain to the Personal Data Protection Committee (PDPC) of Thailand at pdpc.or.th.

To exercise any right, email [email protected] with the subject line "Data Subject Request". We will respond within 30 days as required by the PDPA. There is no charge for exercising your rights, except in cases of manifestly unfounded or excessive requests.

6. Cookie Policy

We use cookies and similar browser storage technologies. Under Thailand's PDPA, we require your explicit consent before placing any non-essential cookies on your device. Below is a full description of every cookie category we use and the specific cookies within each category.

6.1 Necessary cookies (always active — no consent required)

These cookies are strictly required for the site to function. They cannot be disabled. No consent is required under PDPA Section 24(3) because they are necessary for the performance of a contract with you.

6.2 Analytics cookies (require consent)

These cookies help us understand how visitors use the site — which pages are popular, where users drop off, and how to improve performance. No personally identifiable information is sent to advertising platforms via these cookies. These are only placed after you accept analytics cookies.

6.3 Marketing cookies (require explicit consent — PDPA Sec. 19)

These cookies are used to measure the effectiveness of our advertising and to show you relevant promotions on social media and search platforms. Under Thailand's PDPA Section 19, we are required to obtain your explicit, freely given consent before placing these cookies. You can opt out at any time. These are only placed after you explicitly accept marketing cookies.

We also use server-side Conversion APIs (Meta CAPI, TikTok Events API) to measure conversions without relying on browser cookies. These send hashed email/phone data only when you have granted marketing consent and placed an order.

6.4 Managing your cookie choices

You can change or withdraw your cookie consent at any time using the button below or via “Cookie Preferences” in the site footer. Withdrawing consent does not affect the lawfulness of any processing carried out before withdrawal (PDPA Sec. 19).

You can also manage cookies through your browser settings. Note that blocking necessary cookies may break site functionality. External opt-out links:

• Google Analytics opt-out browser add-on
• Meta cookie policy
• TikTok privacy policy

7. Data Retention

We keep your personal data for the following periods:

• Account and order data: For the duration of your active account plus 24 months after you close it — to honour refund requests, meet tax and accounting obligations (Thai Revenue Code requires 5-year financial records), and resolve disputes.
• Payment transaction records: 5 years from the transaction date in accordance with the Thai Revenue Code and anti-money-laundering requirements.
• Marketing consent records: Until you withdraw consent plus 1 additional year (to demonstrate compliance).
• Dietary and allergen data: For the duration of your subscription plus 6 months — deleted promptly on request.
• Analytics data: Up to 14 months in Google Analytics 4 (GA4 default data retention setting).

8. Security Measures

We protect your personal data using:

• Encryption in transit: All traffic between your device and our servers uses TLS 1.2 or higher.
• Encryption at rest: Database encryption provided by Supabase (AES-256) for all stored personal data.
• Access controls: Least-privilege role-based access for staff. Admin functions require multi-factor authentication.
• Payment security: No card data touches our infrastructure — Omise's PCI DSS Level 1 certified environment handles all card processing.
• Audit logging: All admin access to customer data is logged with timestamps and purpose.
• Incident response: In the event of a data breach affecting your rights and freedoms, we will notify the PDPC within 72 hours and inform affected data subjects without undue delay as required by PDPA Section 37.

9. Children's Data

Our service is not directed at or intended for individuals under 20 years of age (the age of majority in Thailand under the Civil and Commercial Code). We do not knowingly collect personal data from minors. If we become aware that we have collected personal data from a person under 20 without appropriate parental or guardian consent as required by PDPA Section 20, we will delete that data promptly.

If you believe a minor has provided us with personal data, please contact us at [email protected].

10. Changes to This Policy and Contact

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Material changes will be communicated by:

• Posting a revised policy on this page with a new “last updated” date, and
• Sending an email notice to all registered users at least 14 days before the change takes effect.

Continued use of the Service after the effective date constitutes acceptance of the updated policy. Where PDPA requires fresh consent (e.g. new processing purposes), we will obtain it before processing.

Contact for Privacy Matters:

Email: [email protected]
Post: Harvest Clean Food, 42 Sukhumvit Soi 31, Bangkok 10110, Thailand

For more on the terms governing your use of our services, see our Terms of Service.