Privacy Policy
Version: 0.1
Last updated: 2026-05-15
Primary regulator: Personal Data Protection Committee (PDPC), Thailand
1. Who we are and what this policy covers
This Privacy Policy explains how Repound FX Co., Ltd. ("the Service", "we", "us") collects, uses, shares, and protects the personal data of Users ("you", "Data Subject"). It is written to comply with the Thai Personal Data Protection Act B.E. 2562 (2019) ("PDPA"), and to be aligned in substance with the EU General Data Protection Regulation ("GDPR") where you access the Service from the EU/EEA or the United Kingdom.
We are the Data Controller for the data described below. Our contact channel for privacy matters is published in Section 11.
2. Defined terms
- Personal Data — any information relating to an identified or identifiable natural person, as defined in PDPA s.6.
- Processing — any operation performed on Personal Data, including collection, recording, storage, use, disclosure, transfer, and erasure.
- Partner Broker — the third-party forex brokerage at which you trade, and which reports commission information to us so we can calculate your Rebate.
3. Personal Data we collect
We collect the following categories of Personal Data:
- Identity data — given name, family name, date of birth, country of residence, and (where required for identity verification) a national-ID or passport number.
- Contact data — email address, mobile number, and optional LINE ID.
- Account credentials — hashed password, two-factor authentication factors, session tokens.
- Broker-linkage data — Partner Broker name, broker-issued account number, and the trading-volume / commission data the Partner Broker reports to us.
- Payout data — your USDT-TRC20 wallet address; on-chain transaction hashes of payouts we send to that address.
- Technical data — IP address, device and browser identifiers, language preference, cookies and similar identifiers, log data of access events.
- Communications data — support tickets, chat messages, and emails you exchange with us.
- Marketing-consent data — your opt-in or opt-out state for marketing communications.
We do not knowingly collect Personal Data from children under 18. The Service is not intended for minors.
4. Purposes of Processing and lawful bases
We Process Personal Data for the following purposes, on the lawful bases shown:
- Operating your account and paying Rebates — performance of the contract you accepted under our Terms of Service.
- Identity verification, anti-money-laundering, and fraud prevention — compliance with legal obligations and our legitimate interest in operating a non-fraudulent service.
- Calculating Rebates from broker-reported data — performance of contract.
- Securing the Service — legitimate interest in protecting Users and the Service from abuse.
- Customer support and dispute resolution — performance of contract, and our legitimate interest in resolving complaints.
- Marketing communications — your consent, which you may withdraw at any time.
- Improving the Service through aggregated or pseudonymised analytics — our legitimate interest, with appropriate safeguards.
5. How we share Personal Data
We share Personal Data only with the following categories of recipient, and only to the extent necessary:
- Partner Brokers — to confirm your linked account and reconcile the commission they have paid us. We do not share your wallet address or password with brokers.
- Service providers acting under our instructions — for hosting, email delivery, identity verification, and analytics. Each service provider is bound by a data-processing agreement and is permitted to Process data only on our behalf.
- Tax, regulatory, or law-enforcement authorities — when we are required to disclose by Thai law, a court order, or a comparable legal instrument we are bound by.
- A successor entity — in the event of a merger, acquisition, or asset transfer, in which case Users will be notified before any Processing changes materially.
We do not sell Personal Data, and we do not share it for the marketing purposes of unrelated third parties.
6. Cross-border data transfers
Some of our service providers operate servers outside Thailand. Where Personal Data is transferred abroad, we rely on (a) the recipient country having adequate data-protection standards, or (b) appropriate contractual safeguards such as standard contractual clauses, or (c) your explicit consent — consistent with PDPA Chapter 3.
7. Retention
We keep Personal Data only as long as is necessary for the purposes set out above and for the periods required by Thai accounting, tax, and AML rules. Indicative retention periods:
- Identity and account data — for the life of the account, plus a period of up to ten (10) years after closure, as required for AML record-keeping and tax law.
- Transaction and payout records — at least five (5) years after the relevant transaction.
- Technical and log data — up to twenty-four (24) months.
- Marketing-consent records — until you withdraw consent, plus a short evidentiary period.
Retention periods are subject to ongoing legal review and may be updated to reflect regulator guidance.
8. Your rights under PDPA
As a Data Subject you have the following rights under PDPA, exercisable through the contact channel in Section 11:
- The right to access your Personal Data and request a copy;
- The right to request correction of inaccurate or out-of-date Personal Data;
- The right to request erasure, anonymisation, or destruction of Personal Data where the legal bases for keeping it no longer apply;
- The right to request restriction of Processing in defined circumstances;
- The right to object to Processing based on legitimate interests or for direct marketing;
- The right to withdraw consent at any time, without affecting the lawfulness of Processing before withdrawal;
- The right to data portability where the Processing relies on consent or contract and is carried out by automated means;
- The right to lodge a complaint with the Personal Data Protection Committee (PDPC) of Thailand.
If you access the Service from the EU/EEA or UK, you have substantively equivalent rights under the GDPR; we will treat your request under whichever regime is more protective.
We will respond to verified rights requests within thirty (30) days, or earlier where required by law.
9. Cookie Notice
We use a limited set of cookies and local-storage items for authentication, language and theme preference, fraud prevention, and aggregate analytics. We do not use third-party advertising cookies. You can disable cookies in your browser, but some functions of the Service may not work without them. This Cookie Notice (updated 2026-05-19) supplements the section above with the detail required by PDPA and ePrivacy-style consent rules.
What we use
We operate this site through the following providers. All non-essential processing occurs only with your consent.
- Vercel — hosting, CDN, and edge functions. Storage keys: _vercel_*, deployment session cookies. Retention: session, plus up to 30 days for security/abuse logs. Jurisdiction: United States.
- Supabase — database, authentication, and file storage. Storage keys: sb-*-auth-token, supabase-auth-token, refresh-token cookies. Retention: session token expires on logout or after the configured idle window; backup logs up to 7 days. Jurisdiction: Singapore (primary region) and the United States (replica / control plane).
- PostHog — product analytics. Storage keys: ph_*, posthog. Retention: anonymised identifier kept for 12 months; raw event data is rotated on PostHog's retention schedule. Jurisdiction: United States (EU instance available; current deployment is US).
- Resend — transactional email delivery. No browser cookies are set; processing is server-side only. Retention: email send logs up to 30 days. Jurisdiction: United States.
Cross-border transfer basis
Several of the providers above are located outside Thailand. Where Personal Data is transferred internationally for non-essential purposes we rely on your explicit consent under PDPA s.28(b). For essential purposes (authentication, security, fraud prevention) we rely on contract performance and legitimate interest, with appropriate contractual safeguards in our data-processing agreements. You can withdraw consent for non-essential transfers at any time using the "Cookie preferences" link in the site footer.
Your rights under PDPA
Under PDPA s.30–s.36 you have the right to:
- Access (s.30) — request a copy of the Personal Data we hold about you.
- Rectify (s.35–s.36) — correct inaccurate or out-of-date data.
- Erase (s.33) — request deletion, anonymisation, or destruction where the legal basis no longer applies (the "right to be forgotten").
- Withdraw consent (s.19) — opt out of analytics or marketing cookies at any time; withdrawal does not affect lawful processing before withdrawal.
- Object (s.32) — object to processing based on legitimate interest, or to direct-marketing processing.
- Data portability (s.31) — receive your data in a structured, machine-readable form where the processing is consent- or contract-based and automated.
- Lodge a complaint — file a complaint with the Personal Data Protection Committee of Thailand at https://www.pdpc.or.th.
How to exercise your rights
Email privacy@repound.fx with your request. Please include enough information for us to verify your identity. We respond within thirty (30) days of a verified request.
Lawful basis per cookie category
- Strictly necessary cookies — legitimate interest in keeping the Service secure, authenticating sessions, and remembering your language/theme preference. These cannot be turned off without breaking core functionality.
- Analytics cookies — your consent. PostHog is the only analytics tool in use today. You can opt out via "Cookie preferences" or by rejecting analytics on the consent banner.
- Marketing cookies — your consent. Marketing/advertising cookies are currently inactive. If we ever activate them, they will be opt-in only and listed in this notice before they are set.
Retention periods
- Strictly necessary cookies — expire when you close the browser or after up to 30 days, whichever is sooner.
- Analytics cookies — anonymised identifier retained for up to 12 months; aggregated, non-identifying analytics may be retained longer for trend analysis.
- Marketing cookies (when activated) — maximum 13 months from the date of consent, after which we will re-prompt.
Data controller and DPO contact
The Data Controller for this Service is Repound FX Co., Ltd. For PDPA-specific requests, contact our Data Protection Officer at privacy@repound.fx (a DPO is appointed where required by PDPA s.41). General privacy inquiries can also be routed through the footer contact link.
10. Security
We use industry-standard administrative, technical, and physical safeguards including TLS encryption in transit, hashed passwords, role-based access control, audit logging, regular vulnerability testing, and incident-response procedures. No system is perfectly secure; if we become aware of a Personal Data breach that creates a meaningful risk to you, we will notify you and the PDPC in line with PDPA s.37.
11. Contact for privacy requests
How to exercise your rights. To exercise any right or make any inquiry under this Policy, contact our Data Protection Officer at privacy@repound.fx, or use the channel published on the Service's site footer. Mark your message clearly as a "PDPA request" so it can be routed promptly. Requests covering cookies and similar technologies (Section 9) are handled through the same channel.
12. Changes to this Policy
We may update this Policy from time to time. Material changes will be communicated by in-product notice or email at least seven (7) days before they take effect, except where shorter notice is required by law.