Privacy Policy

ERX Company Limited operating as KuCoin Thailand (the "Company", "we", "us," or "our") recognizes the importance in protecting your Personal Data (as defined below) that are under retention and responsibility and in order for us to comply with Thailand’s Personal Data Protection B.E. 2562 (2019) and its sub-regulations and notification related to the protection of Personal Data (collectively referred to as “Data Protection Law”). We, therefore, established this Privacy Policy (“Privacy Policy”) describes how we collect, use, disclose and cross-border transfer your Personal Data (collectively referred to as “process” or “processing”). This Privacy Policy applies to our business operations, activities on the websites, mobile applications, call centers, events and exhibitions, online communication channels, other locations, and any means where we collect, use disclose and/or cross-border transfer your Personal Data. 

Categories of person (data subject) that will be explain under this Privacy Policy includes: (1) our individual customer, which includes prospective customers, current customers and former customers; (2) employees, personnel, officers, representatives, shareholders, authorized persons, members of the board of directors, contact persons, agents; other natural persons in connection with our prospective, current and former corporate customer, (3) visitors and users of our platforms, such as websites, mobile applications; and (4) any other persons with whom we interact in the course of our business operation or any related services including, but not limited to, business partners. 

Natural/individual persons, collectively referred to as "you" or "your" and the individual client and the corporate client, collectively referred to as the “Customer” or "Client". 

1. PERSONAL DATA WE COLLECT, USE, OR DISCLOSE, AND DATA SOURCE 

"Personal Data" means any identified or identifiable information about you, directly or indirectly). In order to offer our services to the Client, we might collect your information in a variety of ways. We may collect your Personal Data directly from you, e.g., through account opening process, the registration to participate in various activities of us , contact between you and our employees, agent or call center; or indirectly from other sources, e.g., social media, third party’s online platforms, government authorities and other publicly available sources, and/or through our group companies, affiliates, service providers, business partners, official authorities, or third parties, e.g., ICO portals, digital asset issuers, etc. which specific types of data collected depends on the Client's relationship with us, and which services or products the Client requires from us.  

"Sensitive Personal Data" means Personal Data classified by law as sensitive data. We will only collect, use, disclose and/or cross-border transfer Sensitive Data if we have received your explicit consent or as permitted by law. 

Where in the case of a juristic person, the personal data is those of authorized persons, employees, personnel, agents, shareholders, directors, contractors, representatives, or beneficiaries of such juristic person. 

Example of your personal data that we collect, use, disclose, and/or transfer abroad includes, but is not limited to, the following categories of personal data: 

·       Personal details, such as your title, name-surname, gender, age, occupation, job title, salary, source of income, work place (e.g. job title, type of business, company you work for, etc.), education, nationality,  date of birth, marital status, information on government-issued cards (e.g. national identification number, passport number, etc.), tax identification number, signature, voice recording, image, motion picture, motion picture from closed circuit television (CCTV), house registration, background information, politically exposed persons information, relationship information with politically exposed persons and other identification information. 

·       Contact details, such as your address, work address, telephone number, mobile number, fax number, email address, other electronic communication ID including the social media account and information about contact person for emergency case. 

·       Account and financial details, such as your passbook, credit card and debit card information, account number and account type, prompt pay details, investment details, net assets, current assets, income and expenses, as well as payment details, service and product application details. 

·       Transaction details, such as the type of digital asset, price and quantity, purchase order, referral code, conditions (if any), trading history and balance, payment and transaction history relating to your assets, financial statements, liabilities, taxes, incomes, earnings and investments, source of wealth and funds, representation, investment information, default history, value referred to underlying assets and deposit and withdrawal digital assets. 

·       Technical details, such as your Internet Protocol address (IP address), web beacon, log, device identifier (such as IMEI, MAC, IMSI, device advertising ID i.e., Apple’s IDFA, Google’s GAID) and  network, connection details, access details, single sign-on (SSO) details, login log, access times, time spent on our page, cookies, login data, search history, browsing details, browser type and version, operating system, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on devices you use to access the platform including information collected through third-party software development kits (SDKs) intergrated into our services (e.g., analytics, crash reporting, advertising, or plug-ins). 

·       User account details, such as your trading account number, account identifier, username and password, PIN ID code for trading, interests and preferences, activities, investment objectives, investment knowledge and experience, and risk tolerance. 

·       Usage details, such as information on how you use the websites, platform, products, and services. 

·       Information for marketing communications, such as satisfaction surveys, investment attitude. 

·       Complaint details, such as any complaints, feedback, problem reports or responses through any channels related to our services. 

·     Personal Data generated in connection with the Client's relationship with us, such as account opening, KYC, KYB, KYT, administration, operation, payment, settlement, processing and reporting on behalf of the Client. Such Personal Data may include signatures, and your correspondence with us. 

·       Other information, collected, used, disclosed and/or cross-border transfer in connection with the relationship with us, such as, information you give us in contracts, forms or surveys or data collected when you participate in our business functions, seminars, or social events._ 

 
We may process your Personal Data that prescribed as Sensitive Data under the Data Protection Law which we will obtain your consent before or at the time we process your Sensitive Data, those Sensitive Data may including but not limited to: 

·       Biometric data e.g., face recognition, iris recognition or fingerprint (if any). 

·       Sensitive Data as shown in the national identification card, i.e., religion as appears on the identification card. 

·       Disability data or health data (if any). 

·       Criminal records (if any). 

2. THE PURPOSE OF COLLECTION, USE OR DISCLOSURE OF YOUR PERSONAL DATA 

We may collect, use, disclose and/or cross-border transfer your Personal Data for the following purposes (the purposes that we process your Personal Data depend on the relationship you have with us or the service or products you wish to use with us). 

2.1  Purpose for which consent is required 

In the case that we cannot rely on legitimate interest or other legal basis, we may rely on your consent to: 

a)     Collect, use, and/or disclose your sensitive data for the following purposes: 

1)     Biometric data e.g., face recognition for applying the service and for the purpose of identity verification and authentication (if any). 

2)     Sensitive data as shown in the identification card, i.e., religion (as appear in identification card) for the purpose of identity verification and authentication (if any). 

3)     Disability data for providing services and facilitation (if any). 

4)     Criminal records for background check (if any). 

b)     Provide marketing communications, special offers, promotional materials about our products and services (other than the existing products or services you are using with us) which we cannot rely on legitimate interest or other legal basis. 

Where we rely on consent as a legal basis, you are entitled to withdraw your consent at any time. This can be done so, by contacting us or our data protection officer via specified channels (the contacting detail can be found at “Contacting Us” as shown below this Privacy Policy). The withdrawal of consent will not affect the lawfulness of the collection, use, and/or disclosure of your Personal Data and sensitive data based on your consent before it was withdrawn, and where we are obliged on regulatory obligations. 

2.2 Purpose for which we may rely on other lawful basis for processing your Personal Data 

We may collect, use, disclose and/or transfer your Personal Data to other parties by relying on the following legal basis: (1) a contractual basis, for our initiation or fulfillment of a contract with you; (2) a legal obligation; (3) the legitimate interest of ourselves and/or third parties, to be balanced with your own interest and fundamental rights and freedoms in relation to the protection of your Personal Data; (4) vital interest, for preventing or suppressing a danger to a person’s life, body or health; and (5) public interest, for the performance of a task carried out in the public interest or for the exercise of official actions. 

We rely on the legal basis in (1) to (5) above for the collection, use, disclosure and/or transfer of your Personal Data to our officers, employees including our affiliates, group companies or agents or assigned companies, whether domestic or international entity, of the following purposes: 

2.2.1 Contractual and Service Provision 

• Contacting you prior to or during the course of entering into an agreement. 

• Opening, maintaining, operating, and closing accounts, processing transactions, issuing account statements, and facilitating account administration. 

• Providing digital asset services, investment products, wallet, and exchange services, including related platforms and after-sales support. 

2.2.2 Customer Relationship and Communication 

• Managing relationships, including responding to inquiries, complaints, and feedback. 

• Recording transactions and communications for quality assurance, support, and evaluation. 

• Business communication regarding products, services, events, and updates. 

2.2.3 Verification, Risk, and Compliance 

• Conducting identity verification, KYC, CDD, insolvency and status checks (e.g., bankruptcy, sanctions), and other due diligence. 

• Facilitating secure login and authentication, including access to SMS or email messages solely to retrieve one-time passwords (OTPs) for autofill functionality. Such access is temporary, limited to extracting the OTP code, and not used or stored for any other purpose. 

• Preventing, detecting, and investigating fraud, misconduct, or unlawful activities, and managing risks. 

• Complying with laws, regulations, regulatory requests, and responding to governmental, supervisory, and law enforcement authorities (local or foreign). 

2.2.4 Operations and Governance 

• Managing infrastructure, internal control, audits, finance, accounting, and business continuity. 

• Preparing reports, supporting financial audits, and complying with internal policies and legal obligations. 

• Conducting internal investigations, ensuring IT and cybersecurity, and monitoring systems, devices, and networks. 

• Collecting and analyzing crash logs, diagnostics, and performance data to monitor, maintain, and improve the stability, functionality, and security of our services and applications. 

2.2.5 Legal Rights and Dispute Management 

• Enforcing contractual and legal rights, including debt recovery. 

• Managing and resolving complaints, claims, and disputes. 

• Exercising or defending legal claims. 

2.2.6  Development, Research, and Marketing 

·       Conducting research, statistical analysis, marketing research, and market studies (including analysis of financial or usage data, credit scoring, or portfolio monitoring) to improve and develop our products and services. 

·       Developing new services, providing updates, and conducting surveys. 

·       Considering customer groups and sending invitations to join activities, events, or sales promotions as appropriate. 

·       Offering products, services, and privileges you have requested, or notifying you of benefits related to products or services you are using. 

·       Offering products or services of the same type or closely related to those you are currently using with us or our affiliates. 

·       Contacting you in cases where you have dropped an application for products or services, to facilitate re-application or offer other products or services that may be of interest. 

·       Sending marketing communications, promotional offers, and materials about our services, affiliates, and partners (where permitted). 

·       Organizing promotional campaigns, events, seminars, conferences, or similar activities, including facilitation for your participation (e.g., registration or attendance privileges). 

·       Organizing sales promotional activities, such as the provision of benefits, rewards, or gifts. 

3. HOW WE DISCLOSE OR TRANSFER YOUR PERSONAL DATA 

We may disclose or transfer your Personal Data to our affiliates, group companies, subsidiary or third parties authorized by us to proceed with specific matters (including the personnel and agent of such person), whether inside or outside Thailand, as follows: 

3.1 Our affiliates/ group companies 

We may disclose or transfer your Personal Data to our affiliates, group companies or subsidiaries for the purpose of services management or providing assistance to you in the matters related to our services or products, or for the part of qualification assessment of a person. 

3.2 Service providers, vendors and suppliers 

We may use other companies, agents or contractors to perform services on our behalf or to assist with the provision of products and services to you, such as: (a)  IT service providers and data storage providers; (b) research agencies; (c) analytics service providers; (d) payment service providers and provide withdrawal services from your account with us to your bank account; (e) administrative and operational service providers; and (f) other service providers involved with the provision of our products or services. 

In the course of providing these services, the service providers may have access to your Personal Data. However, we will only provide our service providers with the Personal Data that is necessary for them to perform the services, and we ask them not to use your Personal Data for any other purposes. We will ensure that all the service providers we work with will keep your Personal Data secure and treat your Personal Data in a manner consistent with this Privacy Policy. 

3.3 Business partners 

We may transfer your Personal Data to persons acting on your behalf or otherwise involved in the provision of the type of product or service you receive from us or you requested for us to provide, those persons may including but not limited to payment recipients, beneficiaries, Digital Asset Exchange, Digital Asset Broker, Digital Asset Dealer, Digital Token Issuer, ICO portal, commercial banks, correspondent banks, trustees, agents, vendors, co-brand business partners, market counterparties, issuers of products, related person to whom we disclose Personal Data in the course of providing products and services to you, and whom you authorize us to disclose your Personal Data to in accordance with applicable law, and we will ensure that these data recipients agree to treat your Personal Data in a manner consistent with this Privacy Policy. 

3.4 Government authorities 

In certain circumstances, we may be required to disclose or share your Personal Data to law enforcement agency, court, regulator, government authority for complying with legal obligations, such as Securities and Exchange Commission, Anti-Money Laundering Office, Bank of Thailand, Department of Provincial Administration, Office of the Personal Data Protection Commission, Department of Business Development, Department of Intellectual Property, Office of the National Anti-Corruption Commission, Royal Thai Police, Revenue Department, court or other third party for which we believe disclosure or transfer is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights, the rights of any third party's or individuals’ personal safety, or to detect, prevent, or otherwise address fraud, security or safety issues 

3.5 Professional advisors 

We may disclose or transfer your Personal Data to our professional advisors relating to audit, legal, accounting, smart contract and tax services who assist in running our business and defending or bringing any legal claims. 

3.6 Third parties as assignees, transferees or novatees 

We may assign, transfer, or novate our rights or obligations to a third party, to the extent permitted under the terms and conditions of any contract between you and us. We may disclose or transfer your Personal Data to assignees, transferees, or novatees, including prospective assignees, transferees, or novatees, provided that these data recipients agree to treat your Personal Data in a manner consistent with this Privacy Policy. 

3.7 Third parties connected with business transfer 

We may disclose or transfer your Personal Data to our business partners, investors, significant shareholders, assignees, prospective assignees, transferees, or prospective transferees in the event of any reorganization, restructuring, merger, acquisition, sale, purchase, joint venture, assignment, dissolution or any similar event involving the transfer or other disposal of all or any portion of our business, assets, or stock. If any of the above events occur, the data recipient will comply with this Privacy Policy in respect of your Personal Data. 

When we transfer Personal Data to third parties, we will take steps to ensure the protection of your Personal Data, such as confidentiality arrangements or other appropriate security measures as required by law. If you wish to know more about how your Personal Data being process by those third parties, you may learn more detail by visiting privacy notice or privacy policy of such third parties. 

4. SECURITY MEASURE OF YOUR PERSONAL DATA 

We have enforced organizational, and technical measures to protect your Personal Data under our control from destruction, loss, access, use, alteration or disclosure whether by accident, unlawful or without permission which includes accessing or controlling access to your Personal Data to maintain a confidentiality, accuracy, and the availability of Personal Data under our control, in accordance with the minimum requirements required by law. 

We have established measures to control access to your Personal Data and the use of equipment for storing and processing Personal Data which is safe and appropriate for the collection, use and disclosure of Personal Data. Moreover, the Company has provided the measures to limit access to Personal Data and the use of devices for storing and processing Personal Data by assigning the right to access the data to the authorize designated employees to access information and the responsibilities for preventing unauthorized access to Personal Data, disclosure, awareness or illegal copying of Personal Data or stealing of Personal Data storages or processing devices. In addition, the Company has provided the measures for retrospective review of access, change, deletion or transfer of Personal Data. 

5. CROSS-BORDER TRANSFER OF YOUR PERSONAL DATA 

We may disclose or transfer your Personal Data to third parties or servers located overseas, (for example, cloud platforms, or service providers that supports Know Your Customer (KYC) processes customers status checks for identity proofing and authentication), Such destination countries may or may not have the same data protection standards as Thailand. Where such transfer is necessary to perform our services and fulfill the contractual obligations agreed with you, we will ensure that appropriate safeguards are in place.  These include secure transfer measures and requiring the data to adopt data protection standards equivalent to Thailand’s through adequacy level of protection, binding corporate rules, or standard data protection clauses. Where applicable, we may also rely on the derogations permitted by law to ensure the transfer is lawful. 

6. OTHER DETAIL ABOUT YOUR PERSONAL DATA 

6.1. Cookies and how they are being use 

“Cookies” are tracking technologies that are used in analyzing trends, administering our websites, tracking users’ movements around the websites, and remembering users’ settings. If you visit our websites, we will gather certain information automatically from you by using Cookies, it is classified into two types: Strictly Necessary Cookies, which are essential for the use of the website and is stored without requiring consent, and Targeting Cookies, which users may give consent or reject on the Company’s website. 

Most internet browsers allow you to control whether or not to accept Cookies. If you reject the use of Cookies, your ability to use some or all the features or areas of our websites may be limited. 

6.2. Personal Data of minors, incompetent persons or quasi-incompetent persons 

Our activities are not generally aimed at minors, incompetent persons and quasi-incompetent persons. However, if we receive these persons’ Personal Data in any cases, we do not knowingly collect Personal Data from customers who are minors without their parental or legal guardian consent, as a case maybe, when it is required, or from quasi-incompetent persons or incompetent persons without their legal guardian's consent. 

In addition, if we are aware that we have unintentionally collected Personal Data from any minor without parental or legal guardian consent, as a case maybe, when it is required, or from quasi-incompetent person or incompetent person without their legal guardians' consent, we will delete it immediately or continue to process such Personal Data if we can rely on other legal bases apart from consent. 

6.3. Personal Data related to third parties 

If you provide the Personal Data of any third party, such as your spouse and children, shareholders, directors, beneficiary, contact person, attorney-in-fact, e.g., their name, family name, email address, and telephone number and politically exposed persons. You should ensure that you have the authority to do so and to permit us to use Personal Data in accordance with this Privacy Policy. You are also responsible for notifying the third party of this Privacy Policy and, if required, obtaining consent from the third party or rely on other legal basis which allows us to lawfully collect, use and/or disclose Personal Data of such third parties. 

7. HOW LONG DO WE RETAIN YOUR PERSONAL DATA 

We retain your Personal Data for as long as is reasonably necessary to fulfill the purposes for which it was collected, as set out in this Privacy Policy, and to comply with our legal and regulatory obligations. In certain cases, we may need to retain your Personal Data for longer periods if required by applicable law (e.g., Securities and Exchange Laws, AML/CTPF Laws, Tax Laws), internal policies or operational requirements and other necessities such as in the event of a dispute. 

We will keep your Personal Data for the duration of your relationship with us, and thereafter for a period necessary to achieve the purposes of this Privacy Policy. Once your relationship with us ends, your Personal Data will continue to be retained as required or permitted by law, for example: 

·       Personal Data such as know-your-customer (KYC) and due diligence information retained for 10 years after the end of the relationship including in the event of you request to delete your account or if we disapprove your application to use our services. This retention is mandatory even after account deletion, and such data will be securely kept only for the legally required period. 

 We will take appropriate measures to securely delete, destroy, or anonymize your Personal Data when it is no longer necessary or when the retention period has expired. 

8. RIGHTS REGARDING YOUR PERSONAL DATA 

Subject to the applicable laws and exceptions thereto, you may have the following rights regarding your Personal Data: 

a)     Access: you may have the rights to access or request a copy of the Personal Data we are processing about you including information as to which categories of Personal Data we have in our possession or control; 

b)     Data Portability: you may have the rights to obtain Personal Data hold about you, in a structured, electronic readable format or can be usable by tools or equipment that operate automatically for transmit your Personal Data to another data controller, where technically feasible, provided that the processing is based on your consent or necessary for the performance of a contract; 

c)     Objection: in some circumstances, you may have the rights to object the means we process your Personal Data in certain activities which specified in this Privacy Policy; 

d)     Erasure or Destruction: you may have the rights to request that we erase, destroy, or de-identify your Personal Data that we process about you, e.g., if the data is no longer necessary for the purposes of processing or withdraw the consent on which the collection or processing is based, and where we have no legal ground for such collection or processing or where the Personal Data has been unlawfully processed; 

e)     Restriction: you may have the rights to restrict our processing of your Personal Data if you believe such data to be inaccurate, that our processing is unlawful, or that we no longer need to process this data for a particular purpose; 

f)      Rectification: you may have the rights to have Personal Data that is incomplete, inaccurate, misleading, or out-of-date rectified; 

g)     Consent withdrawal: you may have the rights to withdraw consent that was given to us for the processing of your Personal Data, unless there are restrictions on the right to withdraw consent as required by the law, or a contract that benefits you; and 

h)     Lodge a complaint: you may have the right to lodge a complaint to the competent authority if you believe our processing of your Personal Data is unlawful or non-compliance with applicable data protection law. 

If you wish to exercise any of your rights as specified above, please fill the request form in accordance with the form, method and channels provided by us or you may contact us to learn more detail about your right by contacting via “CONTACTING US” as specified below of this Privacy Policy. 

Upon receiving the valid request from you, we will proceed with your request within the appropriate period or as required by the law. However, the period may be extended for a longer period due to reasons regarding your right that wish to exercise or complexity of your request. If we deny your request for exercising the data subject rights, we will advise you of the reason for the refusal. 

9. LINK TO OTHER WEBSITES 

In the event that you use our website or mobile application, it may contain links to other platforms, websites, applications or third parties service providers. We could not ensure their contents and their operations and could not be held responsible for any collection, use, disclosure and/or cross-border transfer of your Personal Data by such platforms, websites, applications or service providers. In this regard you should verify the privacy policy of such platforms, websites, applications or any services which linked to our website or our application (if any) to acknowledge and understand their processes of collection, use, disclosure and/or cross-border transfer your Personal Data. 

10. CHANGE TO THIS PRIVACY POLICY 

From time to time, we may change or update this Privacy Policy to be in accordance with our actual practice and legal compliance. We encourage you to read this Privacy Policy carefully and periodically review any changes that may occur in accordance with the terms of this Privacy Policy on our website (https://www.kucoin.th/) We will notify you or obtain your consent again if there are material changes to this Privacy Policy, or if we are required to do so by law. 

11. CONTACTING US 

If you wish to contact us to exercise the rights relating to your Personal Data or if you have any queries or complaints about your Personal Data under this Privacy Policy, please contact us or our Data Protection Officer via the following detail: 

A.     Data Protection Officer 

·       Address: 1788, Singha Complex Building, 27th Floor, Unit 2702-2708  New Petchaburi Road,  

Bang Kapi Subdistrict, Huai Khwang District, Bangkok 10310, Thailand 

·       Telephone: 02-080-6060 

·       Email: dpo@kucoin.th 

This Privacy Policy was last updated on 11 September 2025