Privacy Policy and Data Protection Statement
LevelMark Accounting Co., Ltd.
Version 2.0 — Last Updated: March 2026
Applicable Regulations: Personal Data Protection Act B.E. 2562 (PDPA) — Primary · EU General Data Protection Regulation 2016/679 (GDPR) — Applicable to EU/EEA residents only · Thai Revenue Code
1. Data Controller
The Data Controller responsible for your personal information is:
LevelMark Accounting Co., Ltd.
30 Soi Sukhumvit 61 (Sethabut)
Khlong Tan Nuea, Vadhana, Bangkok 10110 — Thailand
Email: info@lmaccfirm.com
Website: lmaccfirm.com
For any enquiry relating to the protection of personal data, please contact us directly at the email address above, with the subject line: “Privacy — [Type of Request]”.
Note on the DPO (Data Protection Officer): Based on LevelMark Accounting’s current activities, which do not involve large-scale processing or systematic monitoring of data subjects, the appointment of a DPO is not mandatory under Art. 37 GDPR or Section 41 PDPA B.E. 2562. Should activities expand in a manner that makes such appointment necessary, the Data Controller will promptly designate a DPO and notify the competent supervisory authority. All data protection enquiries are handled directly by the Data Controller at info@lmaccfirm.com.
2. Scope of Application
This Privacy Policy applies to all users and clients of LevelMark Accounting Co., Ltd. and complies with the following regulations:
| User's Residence | Applicable Regulation | Supervisory Authority |
|---|---|---|
| **Thailand** | PDPA B.E. 2562 (primary) | Personal Data Protection Committee (PDPC) |
| **European Union / EEA** | GDPR 2016/679 (in addition to PDPA) | Data protection authority of the user's country of residence |
| **Other residences** | PDPA as primary regulation | PDPC |
Important — Scope of GDPR: The EU General Data Protection Regulation applies exclusively to data subjects residing in the European Union or European Economic Area, pursuant to Art. 3(2) GDPR. For all other users, the Thai PDPA constitutes the primary and governing regulation.
Where the two regulations diverge, the applicable regime is specified for each category of user. Where they converge — which is the case in the vast majority of instances, given that the PDPA is modelled on the GDPR — a single unified rule applies.
3. Collection of Personal Data
We adhere to the principle of Data Minimisation (Section 22 PDPA / Art. 5(1)(c) GDPR).
We collect exclusively the information you voluntarily provide to us through our Contact Form. This includes:
- Full name
- Email address
- Message content (and any personal data contained therein)
We do not collect:
- Browsing history
- IP addresses for tracking purposes
- Behavioural analytics
- Geolocation data
- Cookies of any kind (see Section 4)
Provision of data:
- Mandatory: Name, Email and Message fields — without this information, we are unable to process your contact request or provide preliminary consultation.
- Optional: Consent to marketing communications (separate, non-pre-ticked checkbox) — refusal does not affect service delivery in any way.
Consequence of non-provision: If mandatory data is not provided, it will not be possible to respond to your enquiry or process your consultation request.
4. Cookie Policy — Zero-Cookie Website
We do not use cookies of any kind.
This website is designed as a Stateless Static Application. We do not install analytical, tracking, marketing or technical cookies on the user’s device. Browsing our website is entirely anonymous.
Direct consequence: No Cookie Consent Banner is required, in full compliance with:
- PDPC guidelines on cookies and online tracking
- Privacy by Design principle (Art. 25 GDPR / Section 37 PDPA)
- The absence of any cookie-based processing means no consent mechanism for cookies is legally required
5. Purposes and Lawful Basis for Processing
We process your data on the basis of explicit consent, as required by:
- Section 19 PDPA B.E. 2562
- Art. 6(1)(a) and Art. 7 GDPR (for EU/EEA residents)
Our contact form requires clear, specific and separate consent for each purpose, through non-pre-ticked checkboxes:
☐ Mandatory Consent — Handling of Request
I consent to LevelMark Accounting processing my contact information (name, email, message) for the purpose of responding to my enquiry and providing preliminary consultation on accounting, tax compliance and business advisory services in Thailand.
☐ Optional Consent — Marketing Communications (Double Opt-In for EU/EEA subscribers)
I consent to receiving occasional updates from LevelMark Accounting, including: tax alerts, regulatory changes affecting businesses in Thailand, accounting and compliance newsletters, and service updates.
Double Opt-In Notice: For subscribers residing in the EU/EEA, subscription to promotional communications is confirmed via a follow-up email after the initial consent is recorded, in accordance with EU data protection best practices and applicable supervisory authority guidelines.
Your consent is:
- Freely given and informed — we clearly explain each purpose
- Granular — separate checkboxes for different purposes
- Unconditional — refusal of optional consent does not affect the service
- Documented — we record the date, time and version of the policy at the time consent is given
- Withdrawable at any time — by writing to info@lmaccfirm.com with the subject line “Withdraw Consent”
We do not use pre-ticked boxes. We do not process your data for purposes other than those for which you have expressly given consent. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal (Section 19(3) PDPA / Art. 7(3) GDPR).
6. Data Retention Periods
We retain your personal data only for as long as strictly necessary for the purposes for which it was collected, in compliance with the Thai Revenue Code and PDPA requirements:
| Type of Data | Retention Period | Legal Basis |
|---|---|---|
| Contact form enquiries (no business relationship) | **1 year** from last contact | Data minimisation — Section 22 PDPA / Art. 5(1)(e) GDPR |
| Client accounting records | **Minimum 5 years** after engagement ends | Thai Revenue Code Section 12 |
| Tax documents and related correspondence | **10 years** | Thai Revenue Code Section 3 |
| Consent records and DSAR logs | **3 years** from consent withdrawal or resolution | Section 19 PDPA / Art. 7(1) GDPR — burden of proof |
| Marketing communications opt-in | Until **consent is withdrawn** | Section 19(3) PDPA / Art. 7(3) GDPR |
Upon expiry of the retention period, data is securely and irreversibly deleted or anonymised, unless legal obligations require longer retention. You may request early deletion subject to our legal retention obligations (see Section 8).
7. Data Sharing and Security
We do not sell, trade, rent or transfer your personal information to third parties for commercial purposes.
Your data is protected through comprehensive security measures in accordance with Section 37 PDPA and Art. 32 GDPR:
Technical Safeguards:
- HTTPS/TLS encryption for all data in transit
- Encryption of data at rest in storage systems
- Access protected by multi-factor authentication
- Regular security updates to all systems
Organisational Safeguards:
- Data access restricted on a strict need-to-know basis
- Documented confidentiality obligations for all personnel with data access
- Internal procedures for personal data management and incident response
Physical Safeguards:
- Secure office premises with controlled access
- Physical document storage in locked, access-restricted areas
- Automatic device lock upon inactivity
8. Cross-Border Data Transfers
In certain operational circumstances (e.g. cloud accounting software, secure email hosting, cloud infrastructure), personal data may be transferred outside Thailand. All international data transfers comply with Sections 28–29 of the PDPA and the PDPC Notification on Cross-Border Data Transfers (effective 24 March 2024).
We ensure adequate protection through ONE or more of the following legal mechanisms:
- Transfer to countries with adequate data protection standards (once the PDPC publishes the approved countries list); OR
- Implementation of Standard Contractual Clauses (SCCs) or equivalent safeguards approved by the PDPC; OR
- Your explicit consent for the specific cross-border transfer, obtained at the time of data collection (Section 29 PDPA / Art. 49(1)(a) GDPR for EU residents)
Where we use international service providers, we conduct due diligence to ensure they maintain security standards equivalent to those required under Thai law and, where applicable, EU law.
9. Your Rights
For all users — PDPA Sections 30–38
| Right | Description | PDPA Reference | GDPR Reference |
|---|---|---|---|
| **Access** | Request a copy of personal data we hold | Section 30 | Art. 15 |
| **Rectification** | Request correction of inaccurate or incomplete data | Section 35 | Art. 16 |
| **Erasure** | Request deletion of your data ("Right to be Forgotten") | Section 33 | Art. 17 |
| **Restriction** | Request temporary suspension of processing | Section 34 | Art. 18 |
| **Portability** | Receive your data in a structured, machine-readable format | Section 31 | Art. 20 |
| **Objection** | Object to processing based on legitimate interests | Section 32 | Art. 21 |
| **Withdraw Consent** | Withdraw consent at any time | Section 19(3) | Art. 7(3) |
Note for EU/EEA residents: The GDPR column references apply in addition to the PDPA rights listed above, providing equivalent or additional protection where applicable.
How to Exercise Your Rights
Please submit a written request to:
Email: info@lmaccfirm.com
Subject: “Data Subject Access Request — [Your Name] — [Type of Right]”
We will respond within 30 days of receipt (Section 39 PDPA / Art. 12(3) GDPR). For particularly complex requests, this period may be extended by a further 60 days (90 days total), with prior written notification and clear justification provided to you.
Limitations
Certain rights may be limited by legal obligations. For example, we cannot erase accounting records or tax documents that we are legally required to retain under the Thai Revenue Code (5 years under Section 12 / 10 years under Section 3). We will always inform you of any limitations applicable to your specific request.
10. Children’s Data
Our services are intended exclusively for adults and businesses.
We do not knowingly collect personal data from individuals under the age of 10 years without verifiable parental or legal guardian consent, pursuant to Section 20 PDPA B.E. 2562.
Note for EU/EEA residents: For data subjects residing in the EU/EEA, the applicable age threshold is 16 years (or the lower limit set by the member state of residence, with a minimum of 13 years), pursuant to Art. 8 GDPR.
If we become aware of any inadvertent collection of data from minors below the applicable threshold, we will take immediate steps to delete the information and, where necessary, notify the PDPC and/or the relevant EU supervisory authority.
11. Data Breach Notification
In the event of a personal data breach that may pose a risk to the rights and freedoms of data subjects:
Notification to Supervisory Authority:
- We will notify the Office of the Personal Data Protection Committee (PDPC) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, pursuant to Section 37(4) PDPA and the PDPC Data Breach Notification Regulation (in force since December 2022).
- For breaches affecting EU/EEA residents: we will also notify the competent EU supervisory authority within 72 hours, pursuant to Art. 33 GDPR.
Notification to Data Subjects: Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, affected data subjects will be notified directly and without undue delay (Section 37(5) PDPA / Art. 34 GDPR).
We maintain a documented Data Breach Response Plan that guides our internal procedures for detection, risk assessment, containment, authority notification and data subject communication.
12. Automated Decision-Making and AI Tools
We do not use automated decision-making or profiling that produces legal effects or significantly affects natural persons (Section 26 PDPA / Art. 22 GDPR). All decisions regarding your enquiries and consultations are made by qualified human accounting professionals.
Use of AI or software tools in support of operations: LevelMark Accounting may use accounting software, cloud platforms or AI-assisted tools as internal operational support. In such cases, no personal data of clients or enquirers is shared with or processed by such tools without prior anonymisation or explicit consent. This is consistent with the emerging requirements of the EU AI Act (Regulation EU 2024/1689) and PDPC guidance on automated data processing.
13. Competent Supervisory Authorities
If you believe that the processing of your personal data does not comply with applicable law and that we have not adequately addressed your concerns, you have the right to lodge a complaint with the competent supervisory authority:
For all users (primary authority — Thailand):
Office of the Personal Data Protection Committee (PDPC)
Ministry of Digital Economy and Society
Bangkok, Thailand
Website: www.pdpc.go.th
For users residing in the European Union / EEA:
You may also lodge a complaint with the data protection authority of your country of residence within the EU/EEA. Full list of EU/EEA supervisory authorities: https://www.edpb.europa.eu/about-edpb/about-edpb/members_en
We nonetheless encourage you to contact us first at info@lmaccfirm.com — we are committed to resolving any concern or issue directly and promptly.
14. Response Timeframes
We are committed to responding to all legitimate requests within 30 days of receipt (Section 39 PDPA / Art. 12(3) GDPR). For particularly complex or numerous requests, this period may be extended by a further 60 days (90 days total), with timely written notification and clear justification provided to you before the initial 30-day period expires.
15. Governing Law and Jurisdiction
This Privacy Policy is governed primarily by the Personal Data Protection Act B.E. 2562 (PDPA) of Thailand. For matters concerning EU/EEA residents, the EU General Data Protection Regulation 2016/679 (GDPR) applies concurrently.
Any dispute relating to the application of this Privacy Policy that cannot be resolved amicably shall be subject to the jurisdiction of the competent courts of Bangkok, Thailand, unless mandatory provisions of applicable law provide otherwise.
16. Changes to This Privacy Policy
This Privacy Policy is reviewed periodically to incorporate:
- Regulatory updates (PDPA, GDPR, Thai Revenue Code)
- New guidelines from the PDPC or EU supervisory authorities
- Changes in LevelMark Accounting’s processing activities
Any material changes will be communicated to data subjects who have provided an email address and will in any case be published on this page with the updated revision date prominently displayed. Continued use of the website following publication of changes constitutes acceptance of the updated version of this Policy.
17. Data Protection Contact
For all data protection enquiries, requests or complaints, please contact:
Data Protection Coordinator
LevelMark Accounting Co., Ltd.
Email: info@lmaccfirm.com
Subject: “Data Protection — [Your Name] — [Type of Enquiry]”
This Privacy Policy has been drafted in compliance with the Personal Data Protection Act B.E. 2562 (PDPA), the Thai Revenue Code, and the EU General Data Protection Regulation 2016/679 (GDPR) where applicable to EU/EEA residents. Updated March 2026.
