Rabbit Care (which refers to Rabbit Care Co., Ltd., Rabbit Care Broker Co., Ltd., and Ask Direct Group Co., Ltd.) (the “Company”, “we”, “us”, or “our”) recognizes the importance of the protection of personal data for our potential customers, customers, or retail merchants of our products and services, including any other relevant people (e.g., complainants). We follow security procedures when collecting, using, disclosing and/ or internationally transferring your Personal Data (as defined in Section 1 below) outside of Thailand. The information you share with us allows us, Companies under Rabbit’s Data Ecosystem (as defined in Section 3.1 below), affiliates and subsidiaries and our business partners, to provide the products and services you may need and want, while giving you the very best personalized experience and customer services.
1. What personal data we collect
We may collect your Personal Data directly or indirectly from other sources including Companies under Rabbit’s Data Ecosystem, affiliates and subsidiaries, our service providers, and our business partners who are third parties. The specific type of data collected will depend on the context of your interactions with us, and the services or products you need or want from us. The following are example of Personal Data that may be collected:
Personal details, such as title, name, surname, gender, age, occupation, job title, position, business type, nationality, date of birth, marital status, marriage certificate, number of family members and child, information on government-issued cards (e.g., national identification number, copy of national identification card, passport number, driver's license details), house registration, work permit, signature, voice, voice record, picture, photo, photograph, VDO records, video clip, educational backgrounds, workplace, electronic know-your-customer information (e-KYC), income tier, and income/salary/bonus, weight and height, CCTV records, license plate details, driving license picture, car registration picture, vehicle details (e.g. vehicle identification number and vehicle plate number), policy photocopy, relationship to the policyholder or claimant person, insurance policy, and electronic insurance policy;
Contact details, such as address, delivery details, billing details, phone number, mobile phone number, business phone number, email address, business email, LINE ID, Facebook account, Google account, Twitter account, and other account-related to the social networking sites;
Account details, such as credit/debit card holder number, credit/debit card information, bank account details, member ID, customer ID, member type, customer type, Rabbit Card number, Rabbit Line Pay ID, customer credit score, service and product applications (e.g., service registration form, financial or insurance application), joined month and payment details, and copy of bank account/ bank book;
Transaction details, such as payment information, card usage and transaction data (such as Rabbit Card usage/ transaction data and records, Rabbit Rewards point transaction data, lead and customer data of Rabbit Care (as defined in Section 3.1 below)), campaign response data, payment slip details about refund, refund amount, points, and date and location of purchase, purchase/order number, appointment date for service, complaints and claims, transaction, transaction history, location, transaction status, past sales transaction, prediction data (e.g., loan prediction score, credit scoring), and purchasing behaviour and other details of products and services purchased;
Technical details, such as Internet Protocol (IP) address, web beacon, log, devicetype, hardware-based identifiers such as universal device identifier (UDID) or Mac Address, software-based identifier such as identifier for advertisers for iOS operation system (IDFA), or identifier for advertisers for Android operation system (AAID), network, connection details, access details, single sign-on (SSO), login log, access time, time spent on our page, cookies, login data, search history, browsing detail, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on devices used to access the platform;
Behaviour details, such as information about purchasing behavior and data supplied through the use of our products and services, such as location, train station and train exit usually used;
Profile details, such as username and password, profile, purchase, historical order, past order, purchase history, items bought, item quantity, orders or product recalls made, orders via websites, order ID, financial records, PIN, interests, preference, feedback and survey responses data, satisfaction survey, social media engagement, participation details, loyalty programs, use of discount codes and promotions, customer order description, customer service, attendance to trade exhibitions and event, and insurance policy details;
Usage details, such as information on how you use the websites, platforms, products and services, Q&A record;
Marketing and communication details, such as preference in receiving marketing from us, Companies under Rabbit's Data Ecosystem, affiliates and subsidiaries, third parties, business partners and communication preferences;
CCTV details, please see out CCTV Policy for more details on how we collect, use and/or disclose Personal Data by our CCTV; and/or
Sensitive data, such as sensitive data as shown in the government-issued cards (e.g., religion on national identification card, race on passport); sensitive data from complaints and claims, incident report, and legal proceeding (to receive the complaints and resolve the issues); sensitive data from insurance related products or services (e.g., religion, health data, criminal records, disability); biometric data (e.g. finger scan and facial recognition); and health data.
In addition, your Personal Data may be collected from our business partners in case you purchase
a product from one of our business partners whose products are displayed on our websites. Your Personal Data related to the product you have purchased will be sent to us for the purposes of sale tracking and service improvement.
We do not intentionally collect your sensitive data (Sensitive Data). However, in case that we do, we will only collect, use, and/or disclose Sensitive Data on the basis of your explicit consent or where permitted by law.
We only collect the Personal Data of children, quasi-incompetent person and incompetent person where their parent or guardian has given their consent. We do not knowingly collect Personal Data from customers under the age of 20 without their parental consent when it is required, or from quasi-incompetent person and incompetent person without their legal guardian's consent. In the event that we learn that we have unintentionally collected Personal Data from anyone under the age of 20 without parental consent when it is required or from quasi-incompetent person and incompetent person without their legal guardians, we will delete it immediately or collect, use and/or disclose if we can rely on other legal basis apart from consent or where permitted by law.
2. Why we collect, use and/or disclose personal data
We may collect, use and/or disclose Personal Data for the following purposes:
2.1 The purpose of which we rely on consent:
We rely on consent for the collection, use, and/or disclosure of personal data by us, Companies under Rabbit’s data ecosystem, affiliates and subsidiaries, our service providers, and our business partners for the following purposes:
- Marketing and communications: To provide marketing communications, information, special offers, promotional materials, tele-marketing, privilege, advertisement, newsletter, and any marketing and communications, both online and offline channels, about products and services from us, Companies under Rabbit’s data ecosystem, affiliates and subsidiaries, and business partners which we cannot rely on other legal bases. Your sensitive data will also be collected to analyze and conduct personalized marketing;
- Data analytics services: To conduct data analytics services;
- For other businesses: To conduct other businesses, which are digital marketing, banking and financial, reward and loyalty programs, credit scoring, loans, insurance, telecommunications, asset management, investment, retail, e-commerce, including their related products and services; and
- Sensitive data:
- Sensitive data as shown in the government-issued cards (e.g., religion on national identification card): To authenticate and verify your identity;
- Sensitive data from insurance related products or services (e.g., religion, health data, criminal records, disability): To register and enable you to use our insurance related products or services;
- Biometric data (e.g., fingerprints and facial recognition): To perform e-KYC process; and
- Health data: To carry out financial transaction and service related to the payments (e.g., reimbursement).
- Sensitive data as shown in the government-issued cards (e.g., religion on national identification card): To authenticate and verify your identity;
2.2 The purpose that we may rely on other legal grounds for collection, use, and/or disclosure of personal data
We may also rely on (1) contractual basis, for our initiation or fulfilment of a contract with you; (2) legal obligation, for the fulfilment of our legal obligations; (3) legitimate interest, for the purpose of our legitimate interests and the legitimate interests of third parties. We will balance the legitimate interest pursued by us and any relevant third party with your interest and fundamental rights and freedoms in relation to the protection of your Personal Data; (4) vital interest, for preventing or suppressing a danger to a person’s life, body or health; and/or (5) public interest, for the performance of a task carried out in the public interest or for the exercising of official authorities or other legal grounds permitted under applicable data protection law as the case may be. Depending on the context of the interactions with us, we may collect, use and/ or disclose Personal Data for the following purposes:
- To provide products and services: such as, to register and enable the use of our products or services, including, but not limited to, for registration of Rabbit Card via online channels or Rabbit Kiosk, for membership of Rabbit Rewards, or for retails/ merchants registration; to enable the use of our websites, mobile applications, and platforms (e.g., to register to Rabbit Care channels, or to top-up Rabbit Card); to provide a free and instant fee quotation and pricing of our products and services; to provide a price comparison of, including, but not limited to, financial and/or insurance related products or services of business partners; to deliver the request of products or services and relevant information to those business partners for approval or underwriting purposes; to deliver/ receive contractual documents; to send annual insurance renewal quotes based on information previously provided when we received a request for insurance quotes; to process a request for service application or benefits in connection with Rabbit Card, Rabbit Rewards, or Rabbit Care; to enter into a contract and manage our contractual relationship; to support and perform other activities related to such services or products; to sell our products or services via online and offline channels; to deliver or ship the Rabbit Card or other products via online sale; to provide bulk sales of our products or services to our corporate customers; to lease the retails space on BTS stations; to provide our online media performance and digital marketing service; to process transaction with our business partners; to complete and manage bookings and to carry out financial transaction and service related to the payments including transaction check and verification and cancellation; to process orders, delivery, suspension, replacement, reimbursement, refund and exchange of products or services; to protect remaining balance when the Rabbit Card is lost or stolen; and to provide customer service operation, including call center;
- To provide marketing communications: such as, to provide marketing communications, information, special offers, promotional materials, tele-marketing, privilege, advertisement, newsletter, and any marketing and communications, both online and offline channels, about products and services from us, companies under Rabbit’s data ecosystem, affiliates and subsidiaries, and business partners;
- To offer promotions, special offers, loyalty programs, reward programs, prize draws, competitions and other offers/promotions: such as, to allow the participation in promotions, promotional campaign, special offers, promotional offer, loyalty programs, co-registration program with our business partners, sweepstakes, privilege, prize draws, competitions and other offers/promotions (e.g., to send reminder emails), events and seminars. This includes to process and administer account registration, gift registration, event registration; to process points collection, addition, exchange, earning, redemption, and transfer of points; to examine entire user history, both online and offline; and to provide and issue gift voucher, gift cards and invoices;
- To contact and communicate: such as, to provide information, marketing communications, campaign, advertisement, required notices, special offers, benefits, and promotional materials of our products or services; to send you news, electronic newsletters, marketing messages and information about the products, services, brands, and operations;
- To manage our relationship: such as, to communicate in relation to the products and services obtained from us, companies under Rabbit’s data ecosystem, affiliates and subsidiaries, and from our business partners; to handle customer service, call center and/or hotline-related queries, request, feedback, complains, claims, disputes or indemnity; to provide technical assistance and deal with technical issues; to process and update information; and to facilitate the use of the products and services;
- To conduct data cleansing, profiling and analytics: such as, to measure the engagement with the products and services; to undertake data cleansing and matching, data profiling and data analytics; to conduct market research, surveys, assessment, behaviour, statistics and segmentation, consumption trends and patterns; to know our customers better and understand their characteristics; to improve business performance; to better adapt our content to the identified preferences of our customers; to determine the effectiveness of our promotional campaigns; to identify and resolve of issues with existing products and services; to enhance the qualitative information development; to establish whether a relationship with the selected business partners already exists; and to provide the lead generation service to our business partners via Facebook or co-registration pages or any other social media or messenger platforms;
- To select and provides products or services that are likely to be of individual's interest and tailored to individual's needs: such as, to use the result from data cleansing and matching, data profiling and data analytics to recommend products and services that might be of interest to individual from us, companies under Rabbit’s data ecosystem, affiliates and subsidiaries, and our business partners; to identify individual's preferences, and personalize the experience; and to develop future editorial content targeted to meet individual's interests;
- To improve business operation, products and services: such as, to evaluate, develop, manage, improve existing and design new services, products, system and business operation for all of our customers, including but not limited to, customers of companies under Rabbit’s data ecosystem, affiliates and subsidiaries, and our business partners; to track and follow-up with sale transactions (sale tracking) for our service improvement; to identify and resolve issues; to create aggregated and anonymized reports and measure the performance of our physical products, digital properties, and marketing campaigns; and to manage, operate and maintain our payment systems. We may monitor and/or record our call to train our staff and improve our services;
- To learn more: such as, to learn more about the products and services received from us, companies under Rabbit’s data ecosystem, affiliates and subsidiaries, and other products and services that individual may be interested in receiving, including profiling based on the processing of personal data, for instance by looking at the types of products and services that was used, how the individual likes to be contacted and so on;
- To ensure the function of our websites, mobile applications, and platforms: such as, to administer, operate, track, monitor and manage our websites, mobile applications, and platforms to facilitate and ensure that they function properly, efficiently and securely; to facilitate and enhance users experience on our websites, mobile applications, and platforms; and improve layout and content of our websites, mobile applications, and platforms;
- To manage IT system: such as, for our own business management purpose including for our IT operations, management of communication system, operation of IT security and IT security audit; internal business management for internal compliance requirements, policies and procedures; and to update our database;
- To comply with regulatory and compliance obligations: such as, to comply with legal obligations, legal proceedings or government authorities' orders which can include orders from government authorities outside Thailand and/or cooperate with court, regulators, government authority and law enforcement bodies when we reasonably believe that we are legally required to do so and when disclosing personal data is strictly necessary to comply with the said legal obligations, proceedings or government orders. This includes to issue tax invoice or full tax form; to comply with electronic e-payment business, financial, and anti-money laundering related legal obligation; to record and monitor communications; to disclose to tax authorities, financial service regulators, other regulatory and governmental bodies; and to investigate or prevent crime;
- To protect our interests: such as, to protect the security and integrity of our business; to exercise our rights or protect our interest where it is necessary and lawfully to do so, for example to detect, prevent and respond to fraud claims, intellectual property infringement claims or violations of law; to manage and prevent loss of our assets and property; to secure the compliance of our terms and conditions; to produce report relating our products and services to companies under Rabbit’s data ecosystem, affiliates and subsidiaries, and business partners; to detect and prevent misconduct within our premises; to follow up on incidents; to prevent and report criminal offences and to protect the security and integrity of our business;
- To detect, suppress, and prevent fraud/ illegal actions: such as, for authentication and identify verification, and to conduct legal and other regulatory compliance checks (e.g., to comply with e-payment business, financial, insurance, and anti-money laundering related laws and regulations, to perform Know-Your-Customer (KYC) process or e-KYC process; and to prevent fraud and detected suspicious transactions). This includes to perform sanction list checking, internal audits and records, asset management, system and other business controls;
- To transfer in the event of merger: such as, sale, transfer, merger, reorganization or similar event we may transfer personal data to one or more third parties as part of that transaction;
- Risks: such as, to perform risk management, audit performance and risk assessments; to conduct credit checks and customer financial due diligence; and/or
- Life: such as, to prevent or suppress a danger to a person’s life, body or health.
Where the personal data we collect from you is needed to meet our legal or regulatory obligations or enter into an agreement with you, if you do not provide your personal data when requested, we may not be able to provide (or continue to provide) our products and services to you.
3. To whom we may disclose or cross-boarder transfer personal data
3.1 Companies under Rabbit’s data ecosystem
- “Rabbit’s data ecosystem” refers to a group of companies whose names are listed in this link
- “Rabbit Care” refers to Rabbit Care Co., Ltd., Rabbit Care Broker Co., Ltd., and Ask Direct Group Co., Ltd. which are also part of Rabbit’s data ecosystem; and
- “Companies under BTS Group” refers to a group of companies whose names are listed in this link
In limited circumstances, as Rabbit Care is part of Companies under Rabbit’s data ecosystem and Companies under BTS Group which all collaborate and partially share customer services and systems, including website-related services and systems, we may need to transfer your personal data to, or otherwise allow access to such personal data by Companies under Rabbit’s data ecosystem, Companies under BTS Group, and their affiliates and subsidiaries, for the purposes set out above. Companies under Rabbit’s data ecosystem, Companies under BTS Group, and affiliates and subsidiaries will rely on the consent obtained by us to use your personal data.
3.2 Our service providers
We may use other companies, agents or contractors to perform services on behalf or to assist with the provision of products and services. We may share personal data including but not limited to (1) infrastructure, software and website developer and IT service providers; (2) warehouse and logistic service providers; (3) data storage and cloud service providers; (4) data cleansing and matching, data profiling, and data analytics service providers; (5) marketing, advertising media and communications agencies; (6) research agencies; (7) survey agencies; (8) campaign and event organizers; (9) tele-sale service providers; (10) call center service providers; (11) payment, payment system, authentication service providers; (12) outsourced administrative service providers; (13) telecommunications and communication service providers; (14) licensed credit-referencing agencies to carry out certain credit checks for certain insurance products; (15) telemedicine service providers; and/or (16) printing houses.
In the course of providing such services, the service providers may have access to your personal data. However, we will only provide our service providers with the personal data that is necessary for them to perform the services, and we ask them not to use your personal data for any other purposes. We will ensure that all the service providers we work with will keep your personal data secure.
3.3 Our business partners
3.4 Social networking sites
We allow you to login on our sites and platforms without the need to fill out a form. If you log in using the social network login system, you explicitly authorize to access and store public data on your social network accounts (e.g. Facebook, Google, Instagram), as well as other data mentioned during use of such social network login system. In addition, we may also communicate your email address to social networks in order to identify whether you are already a user of the concerned social network and in order to post personalized, relevant adverts on your social network account if appropriate.
3.5 Third parties permitted by law
In certain circumstances, we may be required to disclose or share your personal data in order to comply with a legal or regulatory obligations. This includes any law enforcement agency, court, regulator, government authority, embassy, consulate, or other third party where we believe this is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights, the rights of any third party or individuals’ personal safety; or to detect, prevent, or otherwise address fraud, security or safety issues (e.g., Anti-Money Laundering Office (AMLO), Bank of Thailand (BOT), Office of Insurance Commission (OIC) and Revenue Department).
3.6 Professional advisors
We may disclose personal data to our expert advisors including, but not limited to, (1) independent advisors, project advisors, financial advisors; (2) legal advisors who assist us in our business operations and provide litigation services such as defending or initiating legal actions; and/or (3) auditors who provide accounting services or conduct financial audit for the Company.
3.7 Other third parties related to insurance products or services
3.8 Other third parties
3.9 Third parties connected with business transfer
4. International transfers of personal data
We may disclose or transfer personal data to third parties or servers located overseas, which the destination countries may or may not have the same data protection standards. We take steps and measures to ensure that personal data is securely transferred, that the receiving parties has in place suitable data protection standard and that the transfer is lawful by relying on the derogations permitted under the law.
5. How long do we keep personal data
We retain personal data for as long as is reasonably necessary to fulfil purpose for which we obtained them and to comply with our legal and regulatory obligations. However, we may have to retain personal data for a longer duration, as required by applicable law.
6. Cookies and how they are used
If you visit our websites, we will gather certain information automatically from you by using tracking tools and cookies (including, but not limited to, Google Tag Manager, Google Analytics, Hotjar, Matomo, Zendesk, Facebook Pixel Analytics, Facebook Ad Manager, and Google Cloud). Cookies are tracking technologies which are used in analyzing trends, administering our websites, tracking users’ movements around the websites, or to remember users’ settings. Some of the cookies are necessary because otherwise the site is unable to function properly. Other cookies are convenient for the visitors: they remember your username in a secure way as well as your language preferences.
Most internet browsers allow you to control whether or not to accept cookies. If you reject cookies, your ability to use some or all of the features or areas of our websites may be limited. Please see our Cookies Policy for more details
7. Data security
As a way to protect personal privacy, we maintain appropriate security measures, which includes administrative, technical and physical safeguards in relation to access control, to protect the confidentiality, integrity, and availability of personal data against any accidental or unlawful or unauthorized loss, alteration, correction, use, disclosure or access, in compliance with the applicable laws.
In particular, we have implemented access control measures which are secured and suitable for our collection, use, and disclosure of personal data. We restrict access to personal data as well as storage and processing equipment by imposing access rights or permission, user, access management to limit access to personal data to only authorized person, and implement user responsibilities to prevent unauthorized access, disclosure, perception, unlawful duplication of personal data or theft of device used to store and process personal data;. This also includes methods that enabling the re-examination of unauthorized access, alteration, erasure, or transfer of personal data which is suitable for the method and means of collecting, using and/or disclosing of personal data.
8. Rights as a data subject
Subject to applicable laws and exceptions thereof, a data subject may have the following rights to:
- Access: Data subjects may have the right to access or request a copy of the personal data we are collecting, using and/or disclosing. For your own privacy and security, we may require proof of data subject's identity before providing the requested personal data;
- Rectification: Data subjects may have the right to have incomplete, inaccurate, misleading, or or not up to date personal data that we collect, use and/or disclose rectified;
- Data Portability: Data subjects may have the right to obtain personal data we hold about that data subject, in a structured, electronic format, and to transmit such data to another data controller, where this is (a) personal data which you have provided to us, and (b) if we are collecting, using and/or disclosing that data on the basis of data subject's consent or to perform a contract with the data subject;
- Objection: Data subjects may have the right to object to certain collection, use, and/or disclosure of personal data such as objecting to direct marketing;
- Restriction: Data subjects may have the right to restrict our use of personal data where the data subject believes such personal data to be inaccurate, that our collection, use and/or disclosure is unlawful, or that we no longer need such personal data for a particular purpose;
- Withdraw Consent: For the purposes the data subjects have consented to our collection, use and/or disclosure of your personal data, data subjects may have the right to withdraw consent at any time;
- Deletion: Data subjects may have the right to request that we delete, destroy, or de-identity personal data that we collect, use, and/or disclose, except we are not obligated to do so if we need to retain such personal data in order to comply with a legal obligation or to establish, exercise or defend legal claims; and
- Lodge a complaint: Data subjects may have the right to lodge a complaint to the competent authority where the data subject believe our collection, use, and/or disclosure of personal data is unlawful or non-compliance with applicable data protection law.
9. Several liability
10. Our contact detail
- Rabbit Care (which refers to Rabbit Care Co., Ltd., Rabbit Care Broker Co., Ltd., and Ask Direct Group Co., Ltd.)
1 Q. House Lumpini Building, 29th Floor, South Sathorn Road, Thungmahamek, Sathorn, Bangkok 10120
[email protected] or 084-021-9999
- Data Protection Officer (DPO)
1 Q. House Lumpini Building, 29th Floor, South Sathorn Road, Thungmahamek, Sathorn, Bangkok 10120
[email protected] or 084-021-9999