Tawan Sprouts Privacy Policy

This Data Protection Notice (“Notice”) sets out the basis on which tawansprouts.com (“we”, “us”, or “our”) may collect, use, disclose or otherwise process your personal data in accordance with the Personal Data Protection Act B.E. 2562 of Thailand (“PDPA”). This Notice applies to personal data in our possession or under our control, including personal data in the possession of organisations which we have engaged to collect, use, disclose or process personal data for our purposes.

By using this website or by having a business relationship with us, you agree that we may collect, use, process, store and/or disclose your personal data in accordance with the terms of this privacy policy. If you disagree with all or any part of this privacy policy, please do not use or continue communication or any further use of this website.


1.1 As used in this Notice, “personal data” means data, whether true or not, about an individual who can be identified: (a) from that data; or (b) from that data and other information to which we have or are likely to have access.

1.2 Depending on the nature of your interaction with us, the personal data which we may collect from you include your name, identification information, and contact information, such as, your residential and/postal address, email address and telephone number, as well as your nationality, country of residence, gender, date of birth, photographs and other audio-visual information that may identify you (e.g., CCTV footage).


2.1 We process your personal data where it is necessary and there is a lawful basis for collecting or disclosing it. This includes where we collect, use, or disclose your personal data based on the legitimate grounds of our legal obligations, performance of a contract you have with us, our legitimate interests, performance under your consent and other lawful basis. The reasons for collect, use or disclose your personal data data are provided below:

  1. Legal Obligation
    We are regulated by laws, rules, regulations, and government regulatory authorities. To fulfil our legal and regulatory requirements with these authorities it is necessary to collect, use or disclose your personal data for the following purposes, which include but are not limited to:
    1. Compliance with the PDPA and any amendment to the law thereafter;
    2. Compliance with laws (e.g. school child safeguarding laws; and other laws to which we are subject both in Thailand and in other countries), including conducting identity verification, criminal background checks, other checks and screenings (including screening against publicly available database of regulatory authorities and/or official sanctions lists), and ongoing monitoring that may be required under any applicable laws;
    3. Compliance with regulatory obligations and/or orders of authorized persons (e.g. orders by any court of competent jurisdiction or of governmental, supervisory or regulatory authorities or authorized officers).
  2. Contract Made by You with Us
    We will process personal data with the request and/or agreement made by you with us, for the following purposes, which include but not limited to:
    1. Process your request prior to entering into an agreement, consider for approval in relation to the provision of our services, and deliver products, including any activities that if we do not proceed, then our operations or our services may be affected or may not be able to provide you with fair and ongoing services.
    2. Authenticate when entering or executing any transactions;
    3. Carry out your instructions (e.g. to debit amounts from bank accounts, or respond to your enquiries); provide online training, and other online learning platforms;
    4. Track or record your transactions;
    5. Produce transaction reports requested by you or for our internal usage reports;
    6. Notify you with transaction alerts and notify the due date of the fees and services;
    7. Proceed with any acts relating to insurance policy or claim for compensation (e.g. proceed with or monitor any claim under your insurance policy, claim against third party).
  3. Our Legitimate Interests
    1. Conduct our school operations (e.g. to audit, to conduct risk management, to monitor, prevent, and investigate misconduct, or other crimes, including but not limited to carrying out the criminal record checks of any persons related to our school);
    2. Conduct our management relationships (e.g. to serve parents and students, to conduct parent/student surveys, to handle complaints);
    3. Ensure our standard security services (e.g. to maintain body temperature checks, CCTV footage records, to register, exchange identification cards and/or take photos of visitors before entering our school campus, to monitor network activity logs and security incidents);
    4. Ensure school-provided medical services to students and staff.
    5. Develop and improve our school communication, services, and systems to enhance our service standards;
    6. Use your personal data for the greatest benefits in fulfilling your needs, including to conduct research, analyse data and benefits suitable to you by considering the fundamental rights of your personal data;
    7. Record images and/or voices or videos in relation to meetings, teaching, training, seminars, or marketing activities.

2.2 Your Consent:

Under PDPA, the rights belong to the individual to whom the data relates (”Data subject”). However, where consent is required as the lawful basis for processing personal data relating to students, we often rely on parental consent. Unless, given the nature of the processing in question, and the student’s age and level of understanding, it is more appropriate to use student consent. Parents should be aware that in such situations, they may not be consulted, depending on the interests of the child, the parent’s rights at law or under their contract, and considering all the relevant circumstances.

However, where a student seeks to raise concerns confidentially with a member of staff and expressly withholds their agreement to their personal data being disclosed to their parents, we may be under obligation to maintain confidentiality unless, in our opinion, there is a good reason to do otherwise; for example, where the school believes disclosure will be in the best interests of the student or other students or is required by law.

In certain cases, we may ask for your consent to collect, use or disclose your personal data to maximize your benefits and/or to enable us to provide services to fulfil your needs for the following purposes, which include but is not limited to:

  1. Collect and use your sensitive personal data as necessary (e.g. your identification card photo for verification of your identity before continuing a transaction);
  2. To collect and use your personal data and any other data to conduct research and analyse to help enhance and improve our educational offerings;
  3. Send or transfer your personal data overseas, to entities that have adequate personal data protection standards (unless the PDPA specifies that we may proceed without obtaining consent);
  4. Disclose your personal data and any other data as shown on the school’s website and/or our trusted business partners for the following purposes: (1) conducting research and analysing your web application access and other personal data and any other data for the greatest benefits in developing products and services to truly fulfil your needs; and (2) contacting you for offering products, services, and benefits exclusively suitable to our students.

2.3 Other Lawful Basis
Apart from the lawful basis mentioned above, we may collect, use, or disclose your personal data based on the following lawful basis:

  1. Prepare historical documents or archives for the public interest, or for purposes relating to research statistics;
  2. Prevent or suppress a danger to you or another person’s life, bodily harm, or physical/mental health;
  3. Necessary to carry out a public task, or for exercising official authority.


The type of personal data, namely personal data, and sensitive personal data, in which we collect, use, or disclose, varies on the scope of products and/or services that you may have used or had an interest in. The type of personal data may include but is not limited to:

#CategoryExample of personal data
1Personal details First name, middle name, last name, nickname (if any) gender, date of birth, age, educational background, nationality, family, sibling and guardian information, academic records.
2Contact detailsMailing address, e-mail address, phone numbers, social media handles, name and contact details of representatives or authorised persons acting on your behalf.
3Identification and authentication details ID card, photos, identification number, passport information, birth certificate information, visa information, signatures.
4Employment detailsOccupation, previous employer’s details and workplace, position, salary or income information, references, records of disciplinary action.
5Financial detailsBank account information (through bank transfers, online payments).
6Information about your device and softwareYour GPS location, IP address, computer name, hostname, MAC Address.
7Survey research, marketing research informationParents, student, staff and community surveys, information and opinions expressed when participating in the school’s market research, details of services you receive and your preferences.
8Information concerning securityCCTV images, video or audio recordings, visual images, personal appearance, body temperature sensors.
9Sensitive Personal DataRacial or ethnic origin, health data, disability, special educational needs, biometric data, behavior records, child safeguarding records, criminal records or background checks.
10Other information Records of correspondence and other communications between you and us through other channels such as email or phone.


Normally, we will collect your personal data directly from you, but sometimes we may get it from other sources, in such cases we will ensure the compliance with the PDPA. Personal data we collect from other sources may include but is not limited to:

4.1 Information obtained by us from other school, financial institution, business partners, and/or any other persons who we have relationship with;

4.2 Information obtained by us from persons related to you (e.g. your family, friends, referees);

4.3 Information obtained by us from corporate customers as you are a director, authorized person, attorney, representative or contact person;

4.4 Information obtained by us from governmental authorities, regulatory authorities, financial institutions, credit bureau and/or third-party service providers;

4.5 Information obtained by us from insurance companies and/or other persons in relation to insurance policy or claim for compensation;

4.6 Information obtained by us from publicly available resources.


You can exercise your rights under the PDPA as specified below, through the channels prescribed by us at our contact details (see Section 12).

You have the right to access and obtain a copy of your personal data held by us, unless we are entitled to reject your request under the law or a court order, or if such request will adversely affect the rights and freedoms of other individuals.

You have the right to rectify your inaccurate personal data and to update incomplete personal data related to you.

You have the right to request us to delete, destroy or anonymise your personal data.

You have the right to request us to restrict the use of your personal data under certain circumstances. For example, during the investigation of your request to rectify your personal data; or to object the collection, use or disclosure of your personal data, or you request to restrict the use of personal data instead of the deletion or destruction of personal data which is no longer necessary as you have necessity to retain it for the purposes of establishment, compliance, exercise of protection of legal claims.

You have the right to object to the collection, use or disclosure of your personal data in case we proceed with legitimate interests’ basis or for the purpose of direct marketing, or for the purpose of scientific, historical or statistical research, unless we have legitimate grounds to reject your request. For example, we have compelling legitimate grounds to collect, use or disclose your personal data, or the collection, use or disclosure of your personal data is carried out for the establishment, compliance, or exercise of legal claims, or for the reason of our public interests.

You have the right to receive your personal data in a format which is readable or commonly used by means of automatic tools or equipment and can be used or disclosed by automated means. Additionally, you have the right to request us to send or transfer your personal data to a third party, or to receive your personal data which we sent or transferred to a third party, unless it is impossible to do so because of the technical circumstances, or we are entitled to legally reject your request.

You have the right to withdraw your consent that has been given to us at any time The withdrawal of consent will not affect the lawfulness of the collection, use, or disclosure of your personal data based on your consent before it was withdrawn. You can review and change your consent to use or disclose your personal data for marketing purposes through channels as specified.

You have the right to make a complaint to the competent authority where you believe that the collection, use and disclosure of your personal data is unlawful or non-compliant with the PDPA.

5.9 Compliance with PDPA
We confirm that we will comply with any and all regulations of PDPA including the appointment of Data Controller and Data Processor.


6.1 If you wish to make (a) an access request for access to a copy of the personal data which we hold about you or information about the ways in which we use or disclose your personal data, or (b) a correction request to correct or update any of your personal data which we hold about you, you may submit your request in writing to our Data Protection Officer at the contact details provided below.

6.2 Please note that a reasonable fee may be charged for an access request. If so, we will inform you of the fee before processing your request.

6.3 We will respond to your request as soon as reasonably possible. Should we not be able to respond to your request within thirty (30) days after receiving your request, we will inform you in writing within that period of the time by which we will be able to respond to your request. If we are unable to provide you with any personal data or to make a correction requested by you, we shall generally inform you of the reasons why we are unable to do so (except where we are not required to do so under the PDPA).


7.1 To safeguard your personal data from unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks, we have introduced appropriate administrative, physical and technical measures.

7.2 We use the Cloud Service Providers listed below to store and transfer information. We have satisfied ourselves that these service providers offer an acceptable level of security. Links to these providers’ information on their security arrangements are provided below:
(a) Google Workspace
(b) HubSpot

7.3 You should be aware, however, that no method of transmission over the Internet or method of electronic storage is completely secure. While security cannot be guaranteed, we strive to protect the security of your information and are constantly reviewing and enhancing our information security measures.


8.1 We generally rely on personal data provided by you (or your authorised representative). In order to ensure that your personal data is current, complete and accurate, please update us if there are changes to your personal data by informing our Data Protection Officer in writing at the contact details provided below.


9.1 We may retain your personal data for as long as it is necessary to fulfil the purpose for which it was collected, or as required or permitted by applicable laws.

9.2 We will cease to retain your personal data, or remove the means by which the data can be associated with you, as soon as it is reasonable to assume that such retention no longer serves the purpose for which the personal data was collected, and is no longer necessary for legal or business purposes.


10.1 We generally do not transfer your personal data to countries outside of Thailand. However, if we do so, we will take steps to ensure that your personal data continues to receive a standard of protection that is at least comparable to that provided under the PDPA.


11.1 You may contact our Data Protection Officer if you have any enquiries or feedback on our personal data protection policies and procedures, or if you wish to make any request. Please contact us at:

Name: Tawan Sprouts – DPO Team
Address: RQ Residence Room, 6 8, 207 Sukhumvit 49/9 Alley, Khlong Tan Nuea, Watthana, Bangkok 10110, Thailand
Telephone: +66 64 978 9455
Email: dpo@tawansprouts.com


12.1 This Notice applies in conjunction with any other notices, contractual clauses and consent clauses that apply in relation to the collection, use and disclosure of your personal data by us.

12.2 We may revise this Notice from time to time without any prior notice. You may determine if any such revision has taken place by referring to the date on which this Notice was last updated. Your continued use of our services constitutes your acknowledgement and acceptance of such changes.

Last updated: April 30, 2024.