Personal Data Protection Act B.E. 2562 (2019) (PDPA), Kingdom of Thailand
This Notice is published in English and Thai. In the event of any conflict between the two language versions, the English version approved by legal counsel shall prevail.
1 — Who We Are
Polar Bear IT Services Co., Ltd ('Pontivus', 'we', 'us', 'our') operates the Pontivus Legal platform, an AI-assisted contract review and management service for legal professionals and their clients. We are the data controller for the personal data described in this Privacy Notice, except where we act as a data processor on your instructions as controller, which is explicitly stated in the relevant section.
182/8 Ramkhamhaeng 110 Saphansung Saphansung Bangkok 10240
dpo@pontivus.com
2 — What Personal Data We Collect
2.1 — Landing Page Demo Request Form
- Full name
- Work email address
- Company or law firm name
- Role or job title
- Optional free-text message
- Submission timestamp
- Version of this Privacy Notice in effect at the time of consent
- Marketing email opt-in election (recorded as PDPA s.19 consent evidence)
- IP address
- Browser User-Agent string
- Page locale
Demo-form submissions are validated by a Cloudflare Pages Function (edge-hosted on Cloudflare's network). The function renders a notification email containing your form data and PDPA s.19 consent-record fields, then transmits it via the Brevo transactional email API to our support@pontivus.com mailbox. That mailbox is hosted by Migadu on the pontivus.com domain. No pre-customer enquirer data is persisted in the Pontivus Legal platform database.
Every submission also creates or updates a contact in a Brevo contact list that Pontivus uses as its operational inbox for private pilot access requests (your work email, name, and company). This happens for all form submissions, not only when the marketing opt-in is selected. The separate marketing checkbox records whether Pontivus may send you marketing or product-update emails in addition to responding to your request.
Brevo and Migadu process email content, delivery metadata, and mailbox data subject to their respective privacy policies and our contractual safeguards. See Sections 5, 6, and 7.
2.2 — SaaS Account (Provisioned Users)
- Name and email address
- Optional profile avatar
- Workspace and plan assignment
- Per-document consent and acknowledgement ledger (document version, timestamp, IP address, User-Agent)
Pontivus Legal has no public self-service registration. Accounts are created by Pontivus staff following a sales engagement.
2.3 — Contracts You Upload (Third-Party Personal Data)
Data controller for personal data of third parties (counterparties, signatories, witnesses) contained in uploaded contracts
Data processor acting solely on your instructions, under the Customer Data Processing Agreement (DPA)
As controller, you are responsible for ensuring you have a valid lawful basis under PDPA ss.24 or 26 for any third-party personal data contained in documents you upload before transmitting that data to Pontivus.
2.4 — Technical and Log Data
- Web-server access logs
- Application error logs
- Aggregate (non-identified) performance metrics
No analytics scripts, advertising pixels, or behavioural-tracking cookies are used. The only third-party request on the landing page is to Google Fonts (fonts.googleapis.com).
3 — Purposes of Processing and Lawful Basis
| Purpose | Data | Lawful basis | Note |
|---|---|---|---|
| Respond to demo enquiries | Demo-form data | Consent obtained via checkbox on the demo form. Withdrawal available at any time via dpo@pontivus.com. | |
| Marketing emails | Work email address | Separate consent — distinct opt-in checkbox on the demo form | Not bundled with the primary consent. Withdrawal via unsubscribe link in every marketing email or account settings toggle. |
| Provide the SaaS service | Account data | Performance of contract | |
| AI-assisted contract review — data belonging to the account holder | Uploaded contract content (account holder's own data) | Performance of contract | |
| AI-assisted contract review — third-party PII embedded in uploaded contracts | Personal data of third parties in uploaded contracts | Pontivus acts as data processor under PDPA s.40, processing solely on the customer controller's instructions. The customer controller must independently hold a valid lawful basis under PDPA ss.24 or 26. | |
| Demonstrate consent compliance | Consent and acknowledgement ledger | Legal obligation (PDPA s.24(6)) — obligation to maintain evidence of consent under PDPA s.19 | |
| Fraud and abuse prevention | Technical data and system logs | Legitimate interest (PDPA s.24(5)) | |
| Data subject rights requests | Account data and consent ledger |
The contract-review pipeline uses large language models (LLMs) to extract and classify contractual clauses. All LLM outputs are presented to a human reviewer before any action is taken. No legally significant decisions are made automatically against any data subject. No profiling of Pontivus platform users is performed.
4 — Sensitive Personal Data
Uploaded contracts may contain sensitive personal data (health data, financial information, biometric data, etc.) relating to third parties.
Pontivus processes such data solely as your data processor, acting under your explicit instructions as data controller, with appropriate contractual safeguards in place.
Our AI sub-processors (OpenAI and xAI) are contractually bound under their respective Data Processing Agreements not to train any model on content we submit. Each provider retains API request and response payloads for up to 30 days for security and abuse-monitoring purposes, after which payloads are automatically deleted. Pontivus treats this 30-day window as a residual retention period, not zero retention, and discloses it accordingly.
If you upload contracts containing sensitive personal data, you as controller must hold a valid lawful basis — typically explicit consent of each identified individual — before transmitting that data to Pontivus for processing.
5 — Sub-Processors and Recipients
| Name | Country | Role | Policy |
|---|---|---|---|
| Cloudflare, Inc. | United States | Web hosting, DNS, CDN, Turnstile bot challenge | https://www.cloudflare.com/privacypolicy/ |
| Brevo (Sendinblue SAS) | France (European Union) | Transactional email API and contact-list inbox for all private pilot access form submissions | https://www.brevo.com/legal/privacypolicy/ |
| Migadu-Mail GmbH | Switzerland | Email hosting for @pontivus.com mailboxes (including support@pontivus.com) | https://www.migadu.com/privacy/ |
| Hetzner Online GmbH | Germany (European Union) | Application servers, database, object storage | https://www.hetzner.com/legal/privacy-policy |
| OpenAI, LLC | United States | LLM inference for contract review | https://openai.com/policies/privacy-policy |
| xAI Corp. (Grok) | United States | LLM inference (alternative model) | https://x.ai/legal/privacy-policy |
Workspace administrators can configure which AI provider is used: OpenAI only, xAI only, or user-selectable.
Pontivus does not sell personal data. We do not share personal data with advertising networks. We do not disclose personal data to government agencies or law enforcement except where compelled by applicable law.
6 Cross-Border Transfers
OpenAI (United States)
When you upload a contract for AI-assisted review, the text is transmitted to OpenAI in the US for LLM inference.
- (a) OpenAI DPA — contractual commitment prohibiting model training on submitted content
- (b) Stateless API integration — no persistent session storage
- (c) OpenAI standard 30-day abuse-monitoring retention window, after which payloads are automatically deleted (disclosed as residual retention, not zero retention)
- (d) Consent obtained at first login (PDPA s.29(1))
Enterprise Plan tiers may, where a Plan Addendum specifies, enrol the workspace under OpenAI's Zero Data Retention (ZDR) programme. This is not the default posture.
xAI / Grok (United States)
Where the workspace is configured to use xAI as the AI provider.
- (a) xAI DPA — contractual commitment prohibiting model training on API content
- (b) Stateless API integration
- (c) 30-day abuse-monitoring retention window, then automatic deletion
Cloudflare (United States)
Landing page edge traffic, Pages Functions, and Turnstile challenges pass through Cloudflare infrastructure. Demo-form personal data is not delivered via Cloudflare Email Routing.
Brevo (France / European Union)
All demo-form submissions are transmitted through Brevo's API: a notification email to support@pontivus.com and a contact record in Pontivus's Brevo pilot-access list. Safeguard basis: consent (PDPA s.19) for the form submission; separate consent for the marketing opt-in checkbox; Brevo DPA and standard contractual clauses where applicable.
Migadu (Switzerland)
Delivered demo-form emails are stored in the support@pontivus.com mailbox on Migadu-hosted pontivus.com mail infrastructure. Safeguard basis: contractual measures with Migadu and legitimate interest in responding to B2B enquiries (PDPA s.24(5)), in addition to the data subject's form consent.
Hetzner (Germany / European Union)
Account data, uploaded contract files, and derived analysis data are stored on Hetzner servers in Germany.
7 Retention Periods
| Data | Retention | Basis |
|---|---|---|
| Demo-form submission (email in support@pontivus.com Migadu mailbox) | 12 months from submission date of last contact or inquiry resolution (unless converted to an active customer account) | Performance of contract for pre-contractual measures at the data subject's request and Legitimate interest for B2B sales management and follow-up) |
| Brevo contact list (all private pilot access form submissions) | 12 months from submission date or last contact, unless converted to an active customer account | Consent (PDPA s.19) for the form submission; legitimate interest in managing pilot access requests (PDPA s.24(5)) |
| Brevo transactional processing and delivery metadata | Per Brevo DPA and privacy policy retention schedule | Legitimate interest — deliver demo-form notifications and demonstrate consent compliance (PDPA s.24(6)) |
| Marketing emails to addresses that opted in on the form | Until marketing consent is withdrawn or 12 months of no engagement, whichever is earlier | Consent (PDPA s.19) — separate marketing opt-in checkbox |
| SaaS account data | Duration of active account + 90-day grace period | Performance of contract (PDPA s.24(3)) |
| Consent and acknowledgement ledger | 5 years from the date of consent | Legal obligation (PDPA s.24(7)) — 5-year general prescription period under Civil and Commercial Code s.193/30, read with PDPA s.19 burden-of-proof requirement. Correction: prior versions cited s.19 alone as the retention basis; s.19 does not itself prescribe a retention period. |
| Uploaded contracts and analysis outputs | Duration of active workspace + 30 days post-closure | Performance of contract (PDPA s.24(3)) |
| Web and application logs | 90 days, rolling | Legitimate interest — security and fraud prevention (PDPA s.24(6)) |
| Billing records | 5 years under Thai Revenue Code (s.87/3) | Legal obligation (PDPA s.24(7)) |
The Revenue Code prescribes 5 years for standard accounting records (s.87/3). A 7-year period may apply only in certain extended investigation scenarios under the Revenue Code.
Section 8 — Your Rights
PDPA ss.30–36
- Right of Access — Request confirmation of whether Pontivus processes your personal data and obtain a copy.
- Right to Rectification — Request correction of inaccurate personal data.
- Right to Erasure — Request deletion of your personal data in circumstances defined by the PDPA.
- Right to Restriction — Request restriction of processing in certain circumstances.
- Right to Data Portability — Where processing is based on consent or contract and carried out by automated means, receive your data in a machine-readable format.
- Right to Object — Object to processing carried out on the basis of legitimate interest (PDPA s.24(6)).
- Right to Withdraw Consent — Withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
Use your account settings or submit a written request to dpo@pontivus.com.
Within 5 business days of receipt
Within 30 days of receipt
For complex or voluminous requests, Pontivus may extend the response period by a further 30 days. We will notify you in writing before the expiry of the initial 30-day period, stating the reasons for the extension.
PDPA s.39
No fee is charged unless requests are manifestly unfounded or excessive, in which case Pontivus may charge a reasonable fee or decline the request, with written reasons provided.
Marketing email consent may be withdrawn at any time via the unsubscribe link in every marketing email or via account settings. Withdrawal does not affect the lawfulness of marketing emails sent before withdrawal.
Section 9 — Cookies and Similar Technologies
The landing page uses no analytics, advertising, or behavioural-tracking cookies. Strictly necessary Cloudflare cookies (edge security, Turnstile bot challenge on the demo form) are set as required for site security. Google Fonts is loaded from fonts.googleapis.com — no cookies are set by Google Fonts, but Google receives the request IP address and User-Agent header as part of the font delivery request.
/en/legal/cookie-policy
PDPA s.37 — cross-border transfer via Google Fonts disclosed in Cookie Policy
Section 10 — Children
PDPA s.20
The service is intended for legal and business professionals. We do not knowingly collect personal data from individuals under 20 years of age, being the age of full civil capacity under the Thai Civil and Commercial Code. If you believe we have inadvertently collected personal data from a minor, please contact dpo@pontivus.com immediately so that we can take prompt action to delete the data.
Section 11 — Complaints to the PDPC
PDPA s.73
You have the right to lodge a complaint with the Personal Data Protection Committee (PDPC) at pdpc.or.th. Pontivus welcomes the opportunity to resolve any concern directly first — please contact our DPO at dpo@pontivus.com.
Section 12 — Changes to This Notice
When we make a material change, we publish a new version at this URL and trigger a re-acknowledgement prompt at next login for SaaS users.
For material changes, Pontivus will endeavour to provide at least 30 days' advance notice where practicable.
Prior versions remain permanently accessible at their pinned URLs. Previous versions are also available on request from dpo@pontivus.com.
Section 13 — Contact
dpo@pontivus.com
Attention: Data Protection Officer, Polar Bear IT Services Co., Ltd, 182/8 Ramkhamhaeng 110 Saphansung Saphansung Bangkok 10240, Kingdom of Thailand
https://www.pdpc.or.th/