1. Overview
Landing Pad Digital Co., Ltd., trading as Landing Pad Solutions (“we”, “us”, “our”), takes the protection of personal data seriously. This Policy explains what data we collect, why, how we use it, and what your rights are.
This Policy applies to anyone interacting with us: visitors to our website, prospects who submit a Hiring Brief, customers who engage our services, and individuals whose data is processed by AI Agents we deploy.
This Policy is designed to comply with the Thailand Personal Data Protection Act 2019 (PDPA), the EU and UK General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA), to the extent each applies.
2. Who is the controller and who is the processor
This is one of the most important distinctions in our service model, and it differs by tier.
For data flowing through Agents we operate on your behalf, you are the Data Controller and we act as your Data Processor. We process personal data only on your documented instructions, as defined in your engagement.
After handover, you operate the Agents on your own infrastructure. You are the sole Data Controller and the sole Data Processor for any data flowing through that deployment. We have no access to that data unless you grant it for support purposes.
For our own activities (running our website, communicating with prospects, billing customers), we are the Controller of the data we collect about you in those contexts. The rest of this Policy describes that activity.
3. Data we collect
3.1 Information you provide
- Identifiers when you submit a Hiring Brief or contact us: name, business name, email, phone (optional), website URL;
- Communications: emails, messages on our chat widget, call notes, proposal correspondence;
- Billing and contract information: company details, billing address, signed proposals, invoice records.
3.2 Information we collect automatically
- Site analytics: pages visited, time on page, referring source, device and browser type, anonymised IP;
- Cookies and similar technologies (see our Cookies Policy).
3.3 Information from third parties
We may receive information about you from publicly available sources (your website, professional profiles), or from referrers who introduce you to us with your consent.
4. Lawful basis for processing
We rely on the following lawful bases:
- Performance of a contract: to deliver the services you have engaged us for;
- Legitimate interests: for marketing communications to existing customers, internal reporting, and security monitoring, balanced against your rights and interests;
- Consent: for non-essential cookies, marketing emails to prospects, and any processing where consent is the appropriate basis;
- Legal obligation: for tax, accounting, and regulatory record-keeping.
Where we rely on consent, you can withdraw it at any time by contacting us or using the unsubscribe link in our emails.
5. AI processing disclosure
Our services involve large language models and AI processing. We are explicit about how this works because it materially affects your data.
5.1 AI providers we use
We work with major AI providers (such as Anthropic, OpenAI, and others) and host certain components on our own infrastructure. The specific providers in use for your deployment are disclosed in your proposal and Data Processing Agreement.
5.2 What is sent to AI providers
For Agents we operate, the conversation content, configuration, and any tool inputs are transmitted to the AI provider for inference. We use providers that offer enterprise data protection terms, including no training on customer data and limited retention windows.
5.3 What is not sent
We do not transmit raw billing information, secrets, or full datasets to AI providers. Sensitive integrations are accessed via tool calls with scoped credentials.
6. Third parties (sub-processors)
We share data with carefully selected service providers acting as our sub-processors. Our current sub-processors include hosting providers, AI inference providers, payment processors, email and analytics services, and CRM systems used to manage our engagement with you.
A current list of sub-processors is available on request. We give existing customers reasonable notice of material changes before they take effect.
7. International transfers
We are based in Thailand. Our infrastructure is hosted in Indonesia. Some of our sub-processors are based in the United States, the United Kingdom, the European Union, or elsewhere.
Where personal data is transferred outside the country of origin, we rely on appropriate safeguards including Standard Contractual Clauses, adequacy decisions, or the consent mechanisms permitted by PDPA Section 28.
8. Data retention
We retain personal data only for as long as needed for the purpose for which it was collected:
- Hiring Briefs and prospect data: up to 24 months from last interaction;
- Customer engagement data: for the duration of the engagement and 7 years after, to meet tax and accounting obligations;
- Marketing list data: until you unsubscribe or until 36 months of inactivity have passed, whichever is sooner;
- Conversation logs handled by Agents we operate: as defined in your engagement, typically 90 days unless extended.
9. Your rights
Depending on your jurisdiction, you have rights regarding your personal data. We honour the strictest applicable rights regardless of your location:
- Access: request a copy of the personal data we hold about you;
- Rectification: ask us to correct inaccurate or incomplete data;
- Erasure: ask us to delete your data, subject to legal retention obligations;
- Restriction: ask us to limit processing in certain circumstances;
- Portability: receive your data in a machine-readable format;
- Objection: object to processing based on legitimate interests, including for marketing;
- Withdraw consent: at any time where consent is the basis;
- Lodge a complaint: with the relevant supervisory authority (PDPC in Thailand, ICO in the UK, your local DPA in the EU, the California Privacy Protection Agency in California).
To exercise any of these rights, email privacy@landingpad.solutions. We will respond within thirty (30) days.
10. Security
We apply technical and organisational measures appropriate to the risk, including encryption in transit, encryption at rest for sensitive data, access controls, regular backups, and audit logs.
No system is impenetrable. If a security incident affecting your personal data occurs, we will notify you and the relevant authority within the timeframes required by law.
12. Changes to this policy
We may update this Policy from time to time. The “last updated” date at the top reflects the latest revision. Material changes will be communicated to active customers by email at least thirty (30) days before they take effect.
13. Contact us
For any privacy-related question or to exercise your rights:
Landing Pad Digital Co., Ltd.
Privacy contact: privacy@landingpad.solutions
General: hello@landingpad.solutions
Chiang Mai, Thailand