Privacy Policy
Version 1.1 · Effective 2026-05-21
Drafted to align with the Thai Personal Data Protection Act B.E. 2562 ("PDPA").
0. About this notice
This Privacy Policy explains how Gun Rodwong, operating as an individual sole proprietor in Thailand ("Operator", "we"), collects, uses, discloses, and protects your personal data when you use the Midas Alpha service ("Service").
Nature of the Service. Midas Alpha is operated as a personal project by an individual on a private, invite-only basis. Subscription fees represent shared operating costs (infrastructure, data) among invited members and not a commercial fee for advisory services. The Service is not a commercial investment-advisory product.
We are the data controller as defined under PDPA Section 6. As a sole-operator project at small scale, we are below the processing thresholds in PDPA Section 41 and do not designate a Data Protection Officer; we may revisit this if scale changes. For privacy enquiries or to exercise your rights, contact:
- Email: gun.rodwong@gmail.com
- Subject line: "PDPA REQUEST" followed by the right you wish to exercise (e.g., "PDPA REQUEST — Access")
- Response time: within thirty (30) days of receipt, in accordance with PDPA Section 30
1. Personal data we collect
| Category | Examples | Source |
|---|---|---|
| Account identifiers | Email address, name, Google account ID, profile picture | You, via Google OAuth |
| Authentication data | Session tokens, sign-in timestamps, IP address, user agent | Automatic |
| Payment data | Stripe customer ID, subscription status, billing email; we do not store card numbers | Stripe |
| Telegram link data | Telegram chat ID, username | You, when linking |
| Trade ledger data | Trades you record (ticker, quantity, price, date, account balance) | You |
| Strategy preferences | Strategy allocations, notification preferences | You |
| Referral data | Referral code, who referred you (if any) | You / referrer |
| Technical data | Browser type, device, screen size, language, anonymised page-view analytics | Automatic |
| Communications | Support emails, in-app feedback | You |
We do not collect: government ID numbers, biometrics, racial or ethnic origin, religious beliefs, political opinions, health data, sexual orientation, criminal record. PDPA Section 26 sensitive-category data is out of scope.
2. Purposes and lawful basis for processing
Under PDPA Section 24, we process your data only on these grounds:
| Purpose | Lawful basis |
|---|---|
| Operate the Service (signals, dashboard, ledger) | Performance of contract (PDPA §24(3)) |
| Bill subscriptions, handle refunds, prevent fraud | Performance of contract; legitimate interest (PDPA §24(5)) |
| Send signal notifications to your linked Telegram | Performance of contract |
| Send transactional emails (receipts, password reset, ToS changes) | Performance of contract; legal obligation (PDPA §24(6)) |
| Analyse aggregated usage to improve the Service | Legitimate interest (PDPA §24(5)) |
| Comply with Thai tax, accounting, or court orders | Legal obligation (PDPA §24(6)) |
| Defend or pursue legal claims | Legitimate interest |
We do not send marketing or promotional emails. We only contact you about the Service itself (transactional notifications, security alerts, material changes to these documents).
3. Third-party processors and recipients
We use the following processors to provide the Service. Each is bound by a data-processing agreement.
| Processor | Location | Purpose | Data shared |
|---|---|---|---|
| Google LLC (OAuth) | United States | Authentication | Email, name, Google ID, profile picture |
| Stripe, Inc. | United States, Singapore | Subscription billing | Email, name, billing address, payment-card data (held by Stripe, not us) |
| Telegram Messenger LLP | UAE | Notification delivery | Telegram chat ID, message content (signal text + your sizing) |
| Supabase, Inc. (PostgreSQL) | Singapore | Database hosting | All account, trade, and strategy data |
| Vercel Inc. | Singapore + global edge | Application hosting | IP address, request metadata, browser data |
| Doppler | United States | Secrets management for our infrastructure (does not receive user data) | n/a |
We do not sell your data, share it with advertisers, or use it for advertising profiling.
4. Cross-border transfers
Some processors operate outside Thailand. Under PDPA Section 28, cross-border transfers are permitted because: (a) the recipient countries have adequate protection, (b) appropriate safeguards (Standard Contractual Clauses, certifications) are in place, or (c) the transfer is necessary for performance of our contract with you. We will not transfer your data to a country with materially lower protection without your explicit consent.
5. Retention
| Data category | Retention period |
|---|---|
| Account data | While your account is active, plus 90 days after deletion |
| Subscription / billing records | 5 years after the last transaction (Thai Revenue Code) |
| Trade ledger you recorded | While your account is active, plus 30 days after deletion |
| Signal delivery logs | 12 months |
| Authentication / error logs | 7 days |
| Support communications | 2 years after resolution |
| Backups | 30 days rolling, then purged |
After the retention period, data is deleted or irreversibly anonymised.
6. Your rights under PDPA
You have the following rights under PDPA Sections 30 to 36, free of charge once per calendar year (additional requests may carry a reasonable administrative fee):
- Access (§30): receive a copy of personal data we hold about you
- Rectification (§35): correct inaccurate or incomplete data
- Erasure (§33): request deletion of data we no longer need
- Restriction (§34): limit processing while a dispute is pending
- Portability (§31): receive data in a machine-readable format
- Objection (§32): object to processing based on legitimate interest or for marketing
- Withdraw consent (§19): for any consent-based processing
- Lodge a complaint with the Personal Data Protection Committee (PDPC) at pdpc.or.th
To exercise any right, email us at gun.rodwong@gmail.com with subject "PDPA REQUEST — <right>". We will respond within 30 days. We may need to verify your identity before acting.
7. Security
We implement reasonable technical and organisational measures appropriate to the risk of a single-operator service at small scale:
- TLS 1.2+ for all data in transit (managed by our hosting provider, Vercel)
- Encryption at rest for the database (managed by our database provider, Supabase)
- Single operator: only the Operator has production-system access, eliminating insider-access surface area beyond one person
- Secrets management via Doppler, with access logged and audited
- Authentication via Google OAuth (we do not store passwords)
- Stripe handles all payment-card data; we never receive or store card numbers
- In the event of a personal-data breach, we will notify the PDPC within 72 hours of awareness and affected users without undue delay, in accordance with PDPA Section 37(4)
No security measure is perfect. As a small private service, our defences are commensurate with the scale and sensitivity of the data we hold; they are not equivalent to an enterprise-grade information-security programme. You acknowledge that residual risk exists.
8. Cookies and similar technologies
We use only cookies strictly necessary for the Service to function:
- Session cookie (NextAuth) — keeps you signed in
- CSRF cookie — protects sign-in flows from forgery
We do not use marketing, advertising, or third-party analytics cookies that require consent under PDPA Section 19. If we add any in the future, we will request your consent via a cookie banner before setting them.
9. Children
The Service is not directed to persons under twenty (20) years of age. If we learn we have collected data from someone under 20, we will delete it.
10. Changes to this Policy
We may update this Policy. The "Version" date at the top of this page indicates the last update. Material changes will be communicated by email at least thirty (30) days in advance. Your continued use after the effective date constitutes acceptance.
11. Contact
For any privacy matter: gun.rodwong@gmail.com with subject prefix "PDPA REQUEST".