Last Updated: December 2025

Privacy Policy

1. Compliance (Thai PDPA)

This Privacy Policy is designed to comply with Thailand's Personal Data Protection Act B.E. 2562 (2019) ("PDPA"). We are committed to protecting your personal information in accordance with these standards.

2. Data Collected

We may collect the following types of personal data when you use our services:

2.1 General Personal Data

  • Contact Information: Name, shipping address, billing address, email address, and phone number.
  • Transaction Details: Payment information (processed securely) and order history.
  • Technical Data: IP address, browser type, cookies, and browsing behavior on our site.

2.2 Sensitive Personal Data

We generally do not collect "Sensitive Data" (as defined under Section 26 of the PDPA, such as race, ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union information, genetic data, biometric data, etc.) unless obtained with your explicit consent or as required by law.

3. Lawful Basis for Processing

We collect and use your data based on the following lawful grounds under the PDPA:

  • Contractual Basis: To process your orders, arrange shipping, and provide customer support.
  • Legitimate Interest: To improve our website, analyze trends, prevent fraud, and for marketing purposes where it does not override your fundamental rights.
  • Consent: To send you our newsletter and promotional offers (only if you have explicitly opted in).
  • Legal Obligation: To comply with tax, accounting, and consumer protection laws (e.g., issuing tax invoices).

4. Data Retention Period

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected.

  • Transaction Data: Kept for at least 10 years provided by accounting and tax laws.
  • Marketing Data: Kept until you withdraw consent or unsubscribe.
  • User Account Data: Kept for as long as your account is active, plus a reasonable period thereafter to resolve potential disputes. Once the retention period expires or the data is no longer necessary, we will securely delete, destroy, or permanently de-identify your personal data.

5. Data Subject Rights

Under the Thai PDPA, you have the following rights regarding your personal data:

  • Right to Access: Request a copy of your personal data.
  • Right to Rectification: Request correction of inaccurate or incomplete data.
  • Right to Data Portability: Request to receive your data in a readable format or transfer it to another controller.
  • Right to Object: Object to the processing of your data (e.g., for direct marketing).
  • Right to Erasure (Right to be Forgotten): Request the deletion or destruction of your data (subject to legal exceptions).
  • Right to Restriction of Processing: Request to suspend the use of your data.
  • Right to Withdraw Consent: Withdraw your consent at any time for data processed based on consent.

To exercise any of these rights, please contact our Data Protection Officer (DPO) using the details below.

6. Data Breach Notification

In the unlikely event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Office of the Personal Data Protection Committee (PDPC) within 72 hours of becoming aware of the breach. If the breach poses a high risk, we will also notify you without delay.

7. Third-Party Disclosure

We do not sell your data. We share it only with necessary third-party service providers to fulfill our contract with you, such as:

  • Logistics Providers: For product delivery (e.g., Thai Post, Kerry Express, Flash Express).
  • Payment Gateway Providers: (e.g., Stripe, PayPal, Omise) for secure transactions. Note: We do not store sensitive credit card data on our servers.

8. Cookies

We use cookies to ensure our website functions correctly and to analyze how visitors use our site.

  • Necessary Cookies: Essential for the website to function.
  • Analytics/Marketing Cookies: Used only with your explicit consent (opt-in). You can manage your cookie preferences through your browser settings or our cookie consent banner.

Contact Us (Data Protection Officer)

If you have questions or wish to exercise your rights, please contact our Data Controller/DPO:

Lemon & Herbs Address: 414 Moo 15, Hin Lek Fai, Hua Hin, Prachuap Khiri Khan, 77110, Thailand Phone: 095-309-5492 Email: kcnq.me@icloud.com

Lemon & Herbs

© 2025 Lemon & HerbsGood Thymes, Fresh Flavors

Privacy Policy | Lemon & Herbs