Privacy Policy

Last updated: 2026-06-05

This Policy is prepared in accordance with the Personal Data Protection Act B.E. 2562 (PDPA, พ.ร.บ. คุ้มครองข้อมูลส่วนบุคคล พ.ศ. 2562).

This summary is provided for transparency and is not specific legal or tax advice. Questions? Contact support@billsos.com.

Cavastir, operator of BillsOS ("we", "us", "our"), respects your privacy and is committed to protecting your personal data under the Personal Data Protection Act B.E. 2562 (PDPA).

1. Data Controller

Cavastir is the data controller of your personal data under this Policy.

Contact: support@billsos.com

2. Personal Data We Collect

We collect the following data:

• Account data: Email address and password hash (PBKDF2)
• Business profile: Business name, tax ID, address, phone, email, PromptPay ID, and logo
• Customer/recipient data: Data you enter about your own customers, such as name, tax ID, and address
• Documents created: Invoices, receipts, quotations, and withholding-tax certificates
• Uploaded files: Payment slips and logos stored in Cloudflare R2
• Technical data: IP address and essential cookies

3. Purposes and Lawful Bases

4. Data Processors and Third-Party Recipients

We use carefully selected sub-processors to operate the Service:

• Cloudflare — Service hosting, D1 database, KV and R2 storage (data may be processed in global data centres with Standard Contractual Clauses as safeguard)
• Stripe — Subscription payment processing (payment data is transmitted to Stripe, which may process it in the US or abroad, with appropriate safeguards)

We do not sell your personal data, and do not share it with third parties beyond those listed in this Policy.

Cross-border transfer note: Cloudflare and Stripe may transfer data outside Thailand. We ensure that appropriate safeguards are in place in accordance with PDPA ss.28–29.

5. Data Retention

We retain your personal data for as long as your account is active. When you delete your account, personal data is deleted upon request unless we are required by law to retain it.

6. Data Security

• HTTPS encryption at all times
• Passwords hashed with PBKDF2 — no plaintext passwords stored
• Access controls: only authenticated users can access their own data
• Storage on Cloudflare D1, KV, and R2 with infrastructure-level encryption at rest

7. Data-Subject Rights under PDPA

As a data subject, you have the following rights under the PDPA B.E. 2562:

• Right of access — Request a copy of your personal data we hold
• Right of rectification — Request correction of inaccurate or incomplete data
• Right of erasure ("right to be forgotten") — Request deletion of your personal data in certain circumstances
• Right to restriction — Request restriction of processing of your data
• Right to data portability — Receive your data in a machine-readable format (available via in-app export)
• Right to object — Object to processing based on legitimate interest or for marketing purposes
• Right to withdraw consent — Withdraw consent at any time without affecting prior processing
• Right to lodge a complaint — Lodge a complaint with the Office of the Personal Data Protection Commission (PDPC) of Thailand

8. How to Exercise Your Rights

To exercise any of the rights above, you may:

• Email us at support@billsos.com
• Delete your account and export your data via the in-app Settings page

We will respond to requests within 30 days.

9. Children and Minors

The Service is not directed at individuals under 20 years of age (or the legal age of majority under Thai law). If you are under 20, please obtain parental consent before using the Service.

10. Policy Changes

We may update this Policy from time to time. Material changes will be notified to you by email and/or within the Service.

© 2026 BillsOS · a product of Cavastir  ·  support@billsos.com