Have a look at our human-readable summary first, or scroll down to read the full statement.
If you have used any of our websites or logged into any of our platforms, Mandala may have collected Personal Data about you. In order to run our business effectively, there are times when we request or require your Personal Data. When you use our website, we may ask for your contact information in order to market relevant information to you. When using our platform tools and services, we collect your name and email address as part of the login process. And finally, while you use any of our websites or platforms, we may collect usage metrics in order to optimize our services to you. We know how valuable your privacy is to you. You can trust us to handle it carefully. We work to keep your Personal Data secure, and we place restrictions on which of our employees can access it and why. Also remember: you are in control of your data. As a user of our Services, you have legal rights depending on where you live and on our legal obligations. For example, you can ask us to show you what data we have about you, make us correct that data if it is inaccurate, and even ask us to delete or stop using the data.
1. About Mandala
This privacy statement addresses how we handle the personally identifiable information (“Personal Data”) that Mandala collects and processes about users of our Services (“you” or “your”). “Services” means any services that we offer, including visitors to our website.
For whom this statement is relevant
This Privacy Statement applies to all users of our Services. This Privacy Statement explains how we collect, process, and use Personal Data about you.
Who is Mandala?
We are Ocean Sky Network Company Limited, and we trade as Mandala (“we”, “us” or “Mandala”). Our registered office address is at Summer Lasalle unit A521-5, 846 Lasalle Road, Bangna-Tai, Bangna, Bangkok 10260, may also act as a data controller from time to time at [email protected]. We act as the data controller of tWe are Ocean Sky Network Company Limited, and we trade as Mandala (“we”, “us” or “Mandala”). Our registered office address is at Summer Lasalle unit A521-5, 846 Lasalle Road, Bangna-Tai, Bangna, Bangkok 10260, may also act as a data controller from time to time at [email protected]. We act as the data controller of the Personal Data that we process about you.he Personal Data that we process about you.
Mandala is a provider of Software as a Service (SaaS) AI-Powered solution for social media marketing, search engine analytics and offers a suite of social media management and online listening analytics that are accessible via our websites and mobile applications. These tools allow you to bring together all of your social media accounts and search engine data for easy to access and management through a single online portal. Through this portal, you can listen, analyze and monitor public mentions including the ability to manage your social media, marketing, and advertising campaigns; engage with your audiences; schedule and publish messages; and analyze the results of these activities. The analyzed data is use for research, statistical analysis, both in terms of quantitative and qualitative research and measurements, this also includes analytical works and processes, benchmarking and rating of public channels and data. The data collected and analyze by Mandala are public data and/or set by the users/owners as public which allow us to perform complex analysis such as online behavior. The data we process is predominantly public data permitted access by the social media platforms, which the owners and users set as public, or consent Mandala to analyze. Despite all the data are public, we still treat any public data such as user public profiles and content as anonymous and do not trace back to the original users, such data are to innovate new technological services and perform complex AI procedures such as persona mapping that does not relate to the unique and actual user. As a general rule, we do not process and sell private data unless consented by the owner.
All functions, objectives, and features described, we refer to these tools as our “Services”. Furthermore, any collection, use, and management of personal information by the social networks, including Facebook, Instagram, Twitter (collectively, the “Social Networks”) and Search Engines, Google, YouTube, Web Domains, Web Forums (collectively, the “Web sites and Search Engines”) are governed by their respective privacy policies and terms. When using Social Networks, Websites and Search Engines, you are required to comply with their privacy policies and terms. We recommend you carefully review their privacy policies and terms, as Mandala is not responsible for the Social Networks, Web sites and Search Engines privacy policies and terms. Our Services are not intended for use by children and should only be accessed by individuals who are at least 18 years old and are using the Services for business purposes.
We may collect personal data from our customers and users of the Services (which includes employees of our corporate or institutional customers) for our own purposes, such as to provide and administer the Services, and to protect our legal rights. In this regard, we are the data controller of this personal data.
In order to provide our Services, we analyze user profiles and other information that we receive directly from the social media platforms and other online platforms such as Facebook, Twitter, LinkedIn and others, via these platforms’ APIs. Such data include both non-personal data which is considered as Public Data by the platforms, and/or set by users as public such as various statistics and metrics and personal data of the platforms’ users (Personal data that is agreed by the users). Where we source the data directly from the relevant platforms, via these platforms’ public APIs, we determine the purpose of processing, which is developing and constantly enhancing our Services and offering them to our customers on a world-wide basis, via our web platform. Despite the relevant APIs from major platforms may allow us to collect and manage personal data such as personal profile, we have no interests to collect and operate on these personal data, such as user name, email address, time, phone number, etc. We only access public profiles and its content set by the owner as “Public” that the platform provide, which allows us to access, collect, and process. We believe what the user and owner set as “private” must be treated privately, and Mandala never cross this line. We only use public data (or set by the user as Public) to perform analytical functions, as a result we may access public profile, public pages and channels and its content to perform analytical function such as persona function, the studying of interactions for examples. In such cases, we always treat user id as anonymous and do not identify or trace back to the actual user. Thus, we may access personal details from personal profiles that is only set by the owner as ‘public’. Therefore we only operate and collect data that are “public”. We do not penetrate or indirectly access personal information that are private by nature, either by APIs or by other means. We do not access personal information despite the user logged in via their own social media account or given a user token to our platform. Most of all we do not sell social media data and/or use or send user data to advertising companies, targeting marketing services, or advertising network. In such cases, we are the data controller with respect to such data.
We also process personal data on behalf of our customers as a data processor; this is when the provision of certain Service or specific feature requires that our customers give us a permission (such as, for example, an access token or other administrative permission), within the Service, to access and manage any information that our customers monitor or collect from social media sites; this may include information that is not publicly available. When we access customer’s data with respect to which the customers are the data controllers, we act in accordance with the instructions of our customers (which they give us through the Services) as their data processor. This will be, for example, when we access Facebook Insights, perform post publishing and scheduling or facilitate and organize the communication (e.g. Facebook messages) between the customer and its end users within our product feature of Mandala.
We operates only in Public data, so what is public data?
Public information can be seen by anyone. This includes website content, channels content, user or channels profile names, posts and interaction such as like, comments, or share. Thus, public information can also be seen, accessed, reshared or downloaded through third-party services such as search engines, APIs, and offline media such as TV, and by apps, websites and other services as long as the owner set the content as public. On the contrary, private data means information that the owner is kept or set as private. For example if the data owner set profile name, location and email address as public, then the data is considered as public. On the contrary, if the user set email and phone number as private then the data is completely private and shall not be collected and processed without permission even the APIs allow to do so. Public content also applies to others who share or reshare about you in the public space. We may only operates in public data provided by relevant platforms via APIs.
Mandala as a third-party app that operate with social media platforms, search engines, and web sites may only gain public data such as key statistics, mentions, or interactions. We can only access public profile on social platforms such as Facebook, and any information that you share with them. Apps and websites you use may receive your list of Facebook friends if you choose to share it with them. Mandala offers analytic services, and we provide aggregated statistics and insights that help people and businesses understand how people are engaging with their posts, listings, Pages, videos and other content on and off the social media platforms. For example, a user of Mandala who is also a Facebook page admins may receive information about the number of people or accounts who viewed, reacted to, or commented on their posts, as well as aggregate demographic and other information that helps them understand interactions with their Page or account. We also use public data to provide information and content to research partners and academics to conduct research that advances innovation that support their business or mission, and enhances discovery and innovation on topics of general social welfare, technological advancement, public interest, health and well-being.
2. Data of customers and users of our Services
We collect the following information when you use our Services:
2.1 Login and registrations
- You register or use registration for our Services, by completing a web registration form;
- You log to our Service, either by entering your username (email) and password, or using a social login such as Connect with Facebook or Sign In with Twitter, or by any other similar authentication means that we may make available to you;
- You use our Services or otherwise interact with Mandala, for example when you publish any images, content or other files or data via our Services;
- You otherwise voluntarily provide such data, e.g. by filling out and submitting any forms made available to you through Mandala’ website or the Services or through websites or services of our business partners.
When you create an account with Mandala, we will ask you to complete a registration form indicating your first name, surname, email, company, and job title. You can also choose to add a phone number to your account.
You can log in to the Services with your username. In such case, you provide to us your username (email) and password. The password is hashed and Mandala does not see it.
For purposes of analysis and improvement of our Services, our servers may automatically record information when you visit our website or use some of our Services, including:
- IP address;
- Browser type and language;
- Date and time of your request or action, including your actions within the Services such as history of how you use our Services.
- The types of communication you would like to receive from us; and image (if you choose to provide this)
If our Services are purchased by an entity, it is the individual users within such entity’s organization who log into our Services platform and whose personal data are collected, as described above. Where such entity provides us directly with any personal data of its employees or other individual users that it authorized to access the Services, it must have all necessary consents, permissions or registrations to process and to provide to us its employees’ or users’ personal data.
2.2 Account information:
- Billing and other payment information (if you sign up for a paid service or purchase a Third-Party Service), including payment method details, such as credit card number.
- The Services you have acquired from us, including the type of plan, number of team members, and transaction information related to the Services.
2.3 Content and Social network user data:
The type and scope of personal data obtained from social media platforms depends on the type of the APIs and permissions set out by the respective platforms, and on the administrative permissions granted to us by our customers, where applicable. Therefore, we only process data that the social network users made available to general public, pursuant to the relevant platforms’ terms, and that are generally accessible via the social network APIs, or data that our customers grant us permission to access.
Below are the most typical examples of data collected about social media platform users:
- Basic social profile information for Social Networks you choose to connect to the Services. For example, your Facebook public profile information may include your Facebook username and profile image (turn on as public).
- A specific location such as an address, a city, or a place (for example, a restaurant) if you choose to share this information (Public data only).
- Public User generated content that are public by nature (Personal Profiles that is set as public, Personal Channels and content that is set as public, and Public Pages) and its public content such as posts, comments, interactions, pages, profiles, images or feeds) including its metadata (such as time and location of a post or comment). Your messages, posts, comments, images, advertising, and other material you curate on and upload to the Services; and information that is collected from the Social Networks that you choose to connect to and which is displayed on our Services.
- Content that you may send and receive through Social Networks may contain personal information that Mandala does not directly collect or process. This may include information such as: names, photos, age, gender, geographic location, opinions, preferences, and phone numbers.
- Additional individual information that is turned on as public (such as age, gender, employer, profession, geographic location, education information, financial status, interests, habits and preferences) published by the user.
- Contact details that is turned on as public (such as name, email address, telephone number) if made public by the user.
- We mainly operates in Public Domains, Public Profiles, Public Pages Posts, Channel Public Posts, Interactions in Public Pages, Behavior in Public Pages or channels. This also includes channels and Posts that are set as Public. We do not collect data from personal profiles that are private by nature unless is set as public. The uses of APIs are mainly public by nature, unless some certain functions is allowed by the data controller and data subjects that is directly based on APIs.
2.4 Logs, usage, and support data:
- Log data, which may include your IP address, the address of the web page you visited before using the Services, your browser type and settings, your device information (such as make, model, and OS), the date and time when you used the Services, information about your browser configuration, language preferences, unique identifiers, and cookie notice.
- Usage data and analytics, which may include the frequency of login, and the different types of activity undertaken by users.
- General Location information, such as IP address and the region in which you are located when you are logging in and using the Services.
- Customer support questions, issues, and general feedback that you choose to provide.
2.5 Surveys, events, and marketing information
If you choose to participate in our surveys, contests, events (such as webinars and in-person events), or those in which we are affiliated, or request information from us about our Services, we may collect information about you related to the survey, contest, or event; your contact information, such as your name, email address, telephone number, organization name and address; and general information about your organization that you choose to provide, such as annual company revenue, number of employees, and industry.
We may also use service providers to obtain additional business related information about your company such as the organization’s legal name, size, and publicly available revenue, to assist us in offering services that are appropriate to your organization’s needs.
In addition, we may collect information on email open and click rates, including whether individuals clicked on links, and which web pages are visited after opening the email. We may also collect your questions asked directly to us via emails and in live chat functions in order to improve our services.
2.6 Browsing our websites
When you browse our websites, we collect information about you as described below, some of which is collected automatically:
- When you use automated chat functionality (chatbots) to make an inquiry or other request, we may collect information about you such as your name and email address, your specific request, and information related to your use of our Services.
- Aggregated website usage data including form analysis data (such as time taken to complete the form), engagement rate, session replay, and mouse movements. If you wish to opt out of this collection, please contact [email protected]. Please note this requires the use of an opt-out cookie, so if you reset your cookies, you will need to opt out again.
3. How we use the data and your information?
We use your information for the purposes described below:
3.1 Providing and securing our Services
- To enable us to operate the Services and provide them to you. This may include verification of your payments, purchase orders and billing information. It may also include verification to determine free trial eligibility.
- Analysis of data from social networks, search engines, and websites is the core of our Services. We analyze this data to provide our Services to our customers in the scope and manner set out by the social platform terms for developers.
- We need to identify and authenticate our users to ensure, for example, that only those authorized users are able to use the Services for their organization, and to make changes to their accounts.
- We use information that you provide when signing up to set up your account, process payments, contact you regarding the Services, and manage your account.
- We use your contact information and information related to your request to respond to your inquiries, manage our contract with you, respond to your questions and requests, and send you updates and information about the Services.
- We use logging and other data such as general location information—for example, the IP address of your browser or device, to help us manage the performance, security and compliance of the Services.
- Where you have chosen to share your specific location information, we use this information to provide location based features, such as enabling you to share your location on your posts for Social Networks that support this functionality, and to use any functionality that relies on location information.
- We analyze usage information, your feedback, support queries, and survey responses to help us understand and make improvements to our Services.
3.2 Communicating with you
- We use your contact information where appropriate to send you information about our Services, events, marketing communications (consistent with your preferences—see “Marketing emails, advertising and website browsing” below), and job opportunities. We also use email statistics, such as open rates, to assess the effectiveness of, and to make improvements to our communications.
- We may process data of our customers or their individual users in particular email or other contact data, to communicate with our customers and users, for example, when we assist them with setting up or administering their account, when we provide customer care and support, send technical notices, updates of upcoming changes or improvements to the Services, reminders, security alerts and other support and administrative messages.
3.3 Improving our websites and applications and Services
- We use information about you to help us understand usage patterns and other activities on our websites and applications so that we can diagnose problems and make improvements, including enhancing usability and security.
- To provide a better user experience. We may process your personal data to learn how you use our Services to be able to continuously enhance user experience as well as provide our customers seamless customer support. We may process such personal data also to improve and enhance our existing Services and develop new offerings. This includes product and market statistics, research and analytics, benchmarks and other analyses to better understand your needs and the needs of users in the aggregate, diagnose problems and analyze trends.
3.4 To protect our Services and secure our or third party rights
- We process your personal data to keep the Service safe, secure and reliable. This includes detecting, preventing, and responding to fraud, abuse, security risks, and technical issues that could harm Mandala, our customers and users.
- We may process some of data when required by law or to establish, exercise or defend our legal claims or, where necessary, protect rights of Mandala. For example, we may store data about how you use our Services, including payments for Services, to prove or otherwise support our rights.
3.5 Services information
When using our Services, you may access, update, or correct most of your Account information by logging in to your account to edit your profile or organization record.
If you have requests that cannot be carried out by logging in to your account, such as accessing additional information or deleting information about you, please email at [email protected]. Please note that we may need to retain certain information about you for as long as you maintain an account for our Services, to provide you with our Services, for record keeping purposes, for payment processing, to comply with our legal and regulatory obligations, to resolve disputes, or to enforce the terms of service or other agreement in place between you (or your organization) and Mandala (the “Terms of Service”).
Requests to access, correct, or delete your information will be handled within thirty (30) days unless they are unusually extensive or complex, in which case we will advise you of the expected timeline for handling your request.
If you have authorized us to access your Social Network accounts, you may revoke this access at any time please contact [email protected] For example, if you have authorized us to access your information via the YouTube API services, in addition to our normal procedure for deleting stored data, you may revoke our access to. your data via the Google security settings page, located at https://security.google.com/settings/security/permissions
You can contact our Support team for other general requests about your account at [email protected]
3.6 Marketing emails, advertising and website browsing
For marketing communications, you may opt out of marketing communications sent by Mandala by accessing, or by clicking on the unsubscribe link in the marketing email you receive.
Mandala participates in interest-based advertising (where you may have visited our websites or another website which allows us to display advertising relating to our Services). The Network Advertising Initiative has developed a tool that may help you understand which third parties have currently enabled cookies for your browser and how to opt out of those cookies.
You may also opt out of the collection of aggregated usage data as described above in “Browsing our websites” by contacting [email protected]
4. Who has access to your information?
Mandala does not rent or sell your information. We restrict access to your information to authorized employees and we do not share your information with third parties except in the circumstances explained below.
4.1 Employees and Authorized Contractors
Our employees and authorized contractors may need to access information about you when they require this to perform their job. For example, a customer support representative would need access to your account to validate your identity and respond to your question or request; our email communications team would need access to your contact information to ensure this information is sent correctly and any unsubscribe requests are properly managed; and our security staff would need to review information to investigate attempted denial of service attacks, fraudulent account activity, or other attempts to compromise the Services.
All our employees and contractors are required to agree to maintain the confidentiality and protect the privacy of your information.
4.2 Service Providers, Authorized Resellers, and Partners
We will share limited information about you to authorized service providers we use for marketing services, communicating with you, managing our customer database, the provision of professional services, and providing and managing the Services (including hosting data centers, securing our Services, and payment processing).
We limit the number of service providers who are permitted to process your Content for the purpose of assisting us in delivering the Services. We refer to these service providers as “sub-processors” and they are listed on this page.
Where you have purchased a service from an authorized reseller or partner, we may provide information about you to (and may receive information about you from) the reseller or partner as necessary to support your use of the service you purchased.
4.3 Social Networks and Third-Party Services
4.4 Customer Organizations
Where your employer or an entity has purchased Services on your behalf, we may disclose information about you such as your name and email address, and some usage information including whether a user has logged in to the Service, frequency of login, time spent using the Services, and enrollment and completion of Mandala Academy Courses to assist your employer or the entity in managing its use and maximizing the value of the Services.
4.5 Successor Entities
4.6 Law Enforcement, Government Agencies, and Professional Advisors
We may need to disclose information about you where we believe that it is reasonably necessary to comply with a law or regulation, or if we are otherwise legally required to do so, such as in response to a court order or legal process, or to establish, protect, or exercise our legal rights or to defend against legal claims or demands.
In addition, we may be required to disclose information about you if we believe it is necessary to investigate, prevent, or take action: (a) against illegal activities, fraud, situations involving potential threats to our rights or property (or to the rights or property of those who use our Services), or to protect the personal safety of any person; or (b) regarding situations that involve the security of our Services, abuse of the Services infrastructure, or the Internet in general (such as voluminous spamming, or denial of service attacks).
5. Retention periods
6. Sharing your personal data for legal and business purposes
We may use and/or disclose to third parties (including government bodies and law enforcement authorities, our affiliates, professional advisors and our vendors or subcontractors) information about you when:
- Complying with legal process;
- Enforcing or defending the legal rights of Mandala, and in connection with a corporate restructuring such as a merger, business acquisition or insolvency situations
- Preventing fraud or imminent harm; and
- Ensuring the security and operability of our network and services.
This information will be shared provided that, in all such circumstances, we will only share the limited personal information that is required to be shared in the unique situation.
- Cloudflare, Inc., headquartered at 101 Townsend St, San Francisco, CA 94107 USA;
- Amazon Web Services, Inc., headquartered at 410 Terry Avenue, Seattle, WA 98109 (“AWS”); AWS cloud is used to host our platform and Services;
- Google Inc., headquartered at 1600 Amphitheatre Parkway Mountain View CA 94043, United States; used in particular as e-mail client and as document storage;
- Zoom Video Communications, Inc., headquartered at 55 Almaden Blvd. Suite 600, San Jose, CA 95113, USA; supplier of a videoconferencing solution;
- Mailchimp, The Rocket Science Group, headquartered at LLC675 Ponce de Leon Ave NE Suite 5000Atlanta, GA 30308 USA;
- LiveChat, Inc., headquartered at 1 International Pl, Ste 1400, Boston, MA 02110-2619, USA;
- HubSpot, Inc., headquartered at 25 First Street, 2nd Floor, Cambridge, MA 02141 USA;
- PayPal, headquartered at 2211 North First Street, San Jose, California, CA 95131, United States;
- 2C2P (Thailand) Co., Ltd., 9 G Tower Grand Rama 9, 17th Floor, South Wing, Rama 9 Road, Huaykwang Bangkok 10310, Thailand;
7. What international data transfers occur at Mandala?
Our Services are managed by Mandala’s technical headquarters in Thailand. We respect and following the Personal Data Protection Act, B.E. 2562 (2019) (Thailand PDPA) and operate under the General Data Protection Regulation (GDPR) and other data protection laws, information about you may only be transferred from your region to other regions if certain requirements are met. For instance, under the GDPR, information about you may be transferred from the European Economic Area (EEA) to outside the EEA if adequate data protections are in place.
Mandala also uses third-party service providers, such as managed hosting providers, credit card processors, and technology partners to provide the software, networking, infrastructure and other services required to operate the Services. These third-party providers may process or store personal data on servers outside of the EEA and Switzerland, including in Canada or the US. We rely on adequacy (if sent to Canada), the service provider’s registration in the EU-US Privacy Shield and Swiss-US Privacy Shield (if sent to the US), and/or standard contractual clauses (if sent to the US or onward to other countries) to ensure that information about you is lawfully transferred under EU and Thailand law.
The third-party service providers we use to help us deliver the Services and which process your Content are referred to as “sub-processors” and are listed earlier.
By its nature, social media data can be shared with people around the globe. The Social Networks and Third-Party Services that you choose to integrate with our Services may collect, store, and process your information from various locations around the world according to their own terms and privacy policies.
8. Anonymous statistics
We may use aggregated anonymized data derived from the personal data provided by you or collected by the program analytics such as user behavior and activities for our own statistics, for auditing, for the purposes of product and market research, for analytics (which helps us to optimize and improve our Services and their usability, the range of Services and to develop new technologies, products, and services), and for benchmarks and other analyses. Additionally, we may choose to publish such anonymized data and to share it with third parties outside of Mandala. We will not directly or indirectly transfer any data received from you to (or use such data in connection with) any ad network, ad exchange, data broker, or other advertising or monetization related toolset.
9. Marketing communications
We may contact you about our news, events, Services and their features or special offers that we believe may interest you, provided that we have the requisite permission to do so, either on the basis of your consent (where we have requested it and you have provided it to us), or our legitimate interests to provide you with marketing communications where we may lawfully do so, within the limits provided by law. In the latter case, we will only send you marketing communication if you are using or have recently used any of our Services and have not objected to receiving such information (by any means mentioned below).
Your marketing communication preferences may be changed at any time by following the instructions below:
- If you would like to unsubscribe from an email sent to you, follow the ‘unsubscribe’ link and/or instructions placed at the bottom of the email.
- Alternatively, you can contact us using the details in the “Contact Us” section below to change your marketing communication preferences, including the withdrawal of your consent.
If you have received unwanted, unsolicited emails sent via our system or purporting to be sent via our system, please forward a copy of that email with your comments to [email protected] for review.
We may share your contact details with our vendors or business partners who provide the relevant services or functions on our behalf, including event organization, marketing, distribution of surveys customer service, or public relations. These third-party vendors have access to and may collect information only as needed to perform their functions on our behalf and are not permitted to share or use the information for any other purpose.
Please note that we may occasionally send you important information (including via email) about our Services that you are using or have used including changes to applicable terms and conditions and/or other communications or notifications as may be required to fulfil our legal and contractual obligations. These important Service communications are not affected by your marketing communication preferences
10. Security and location of your data
We have implemented and will maintain appropriate technical and organizational measures, internal controls, and information security routines in accordance with good industry practice while keeping in mind the state of technological development in order to protect your data against accidental loss, destruction, alteration, unauthorized disclosure or access or unlawful destruction. Such measures may include, without limitation, taking reasonable steps to ensure the reliability of employees having access to your data and providing for limited access rights and access controls; authentication; personnel training; regular backup; data recovery and incident management procedures; restrictions on storing, printing and disposal of personal data; software protection of devices on which personal data are stored; etc.
We have also implemented Information Security Management in accordance with the requirements of information security standard – ISO 27001, including penetration tests, vulnerability scans, secure development frameworks access management, supplier management and compliance processes.
Data collected from you may be transferred to, and stored and processed in, The United States (US), Singapore, Thailand or any other country in which Mandala, its affiliates, subcontractors, suppliers or other third party vendors maintain facilities. While we reserve the right to change our business partners and /or data locations, when we transfer any personal data to the USA or any other country outside the EU or EEA or Asia in which Mandala, its affiliates, subcontractors, suppliers or vendors maintain facilities, we will implement such appropriate legal mechanism as are required by Thailand law and EU law to ensure an adequate level of personal data protection by such third parties receiving your personal data (for example, Thailand’s Personal Data Protection Act, and European Commission’s Standard Contractual Clauses).
We may transfer your Personal Data to, and store it in, a country other than your own. That country may not provide the same level of data protection as your own country. Whenever we transfer your information outside of the European Economic Area or the United Kingdom, we will take steps to ensure that adequate safeguards are in place to protect your Personal Data and to make sure it is treated securely. You may contact us for a summary of the safeguards which we have put in place to protect your Personal Data and privacy rights in these circumstances.
Our platform and Services (including any personal data contained therein) are hosted in the AWS cloud. Legally, this means that data are transferred to and stored and processed by Amazon Web Services, Inc., 410 Terry Avenue, Seattle, WA 98109 (“AWS”). Mandala and AWS have signed the controller-to-processor Standard Contractual Clauses approved by the European Commission (2010/87/EU) to ensure regulatory compliance for data transfers from Europe to the USA. The specific AWS Data Processing Addendum incorporating these model clauses has been approved and validated on EU level by Article 29 Working Party in 2015 as ensuring an adequate level of protection. See AWS_EU_Data_Protection_Whitepaper_EN.pdf for more details.
In general Mandala does not permanently store content from Social Networks. Rather, when you login to the Services, we retrieve data from Social Networks in real time so that it is displayed in the portal for viewing during your session. Aggregated data is used by Mandala for analysis, product improvement, and troubleshooting purposes. Hence, we may only store relevant public data that is necessary to provide functional Services and allow analyses of data for new Service features and product development. We also store other content that you produce (such as draft Content for publication on Social Networks) so that you can easily access this material on the Services. Messages in Inbox are stored for 48 weeks to enable you to take any action required, such as replying to messages. Mandala Analytics products will store mentions related to our customers for up to 36 months to allow our customers to conduct trending and analysis.
In some cases, content may continue to exist on the Social Networks even after you or we delete it from our Services, and you will need to contact the relevant Social Network directly if you want it to remove this content.
We retain your information only as long as required to provide the Services requested by you, for record keeping purposes, to comply with our legal obligations, resolve disputes, and enforce the terms for the Services.
After it is no longer necessary for us to retain information about you, we will dispose of it in a secure manner or anonymize the information.
11. Mandala's roles under the GDPR and UK data protection laws
Depending on the situation and the type of data involved, Mandala may act as a data controller or a data processor.
Mandala as a data controller
Mandala acts as a data controller when we are:
- Collecting information from you to set up and administer your Mandala account (for example, Account information such as your name and email address);
- Monitoring usage information on our website and Services;
- Managing your contact and other related information to send marketing, Services, and other communications to you;
- Responding to a support or general inquiry; and
- Recruiting individuals for job opportunities.
12. Legal bases for processing when Mandala is a data controller
The legal bases for processing information about you include:
- Your consent (for example, when you have provided your information to sign up for an account or for a webinar; or you have provided your employment history when applying for a job). Where we rely on your consent to process personal data, you have the right to withdraw your consent at any time.
- It is necessary to perform a contract (for example, we may need your information to fulfill our obligations of providing Services to you under the terms relevant to the Services you have acquired).
- Legitimate interest (for example, to provide and maintain the Services to you, to maintain the security of the Services, and to attract new customers to maintain demand for the Services.
- In some cases, we may have a legal obligation to process your personal data to comply with relevant laws (for example, processing payroll and tax information to comply with relevant employment and tax legislation); or processing is necessary to protect your vital interests or those of another person (for example, obtaining health-related information during a medical emergency).
13. Your rights when Mandala is a data controller
In addition, you may have the following rights:
- Right to object to processing: you may request that Mandala stops processing information about you (for example, to stop sending you marketing communications).
- Right to restrict processing: you may request that we restrict processing information about you (for example, where you believe that this information is inaccurate).
- Right to data portability: you may request that we provide you with information Mandala has about you in a structured, machine-readable, and commonly used format, and you may request that we transfer this information to another data controller.
If you would like assistance on any of the above requests, please email our privacy team with details of your request so that we may consider how we can help you.
14. Mandala as a data processor
Where you are using our Services and making decisions about the personal data that is being processed in the Services (including selecting the Social Network accounts you wish to connect to the Services, or uploading and using content), you are acting as a data controller and Mandala is acting as a data processor.
There are certain obligations under the GDPR that you have as a data controller, including being responsible for managing content on the Services. As a data processor, Mandala will only access and process content to provide you with the Services in accordance with your instructions (which you provide through the Services), the Terms of Service, the Social Networks’ terms, and applicable laws. As part of delivering the Services, we may process content to further improve the Services, such as enhancing usability and developing new features.
If you, as a data controller, require Mandala to agree to data protection requirements under Article 28, GDPR, or under UK data protection laws, Mandala makes available a data processing addendum that meets these requirements. Please email your customer details (organization name and plan information) with your request to our Privacy team at [email protected].
If you are using the Services as an authorized user of a Mandala customer (whether that customer is your employer, another organization, or an individual), that customer determines its own policies (if any) regarding storage, access, modification, deletion, sharing, and retention of personal information and content, which may apply to your use of the Services. Please check with that customer about the policies and settings it has in place.
15. Your rights
This Section describes your rights under the applicable laws, such as the GDPR or the California Consumer Privacy Act of 2018, Civil Code sections 1798.100 et seq. (“CCPA”), Thailand PDPA and how to apply them. If you exercise any of your rights pursuant to this Section or pursuant to applicable laws, we will communicate any rectification or erasure of your personal data or restriction of processing carried out in accordance with your request to each recipient to whom the personal data have been disclosed, unless such communication proves impossible or involves disproportionate effort.
If you wish to exercise these rights and/or obtain all relevant information about the processing of your personal data, please contact us at [email protected] You will be asked to identify yourself; this is necessary to verify that the request has been sent by you. We will respond within 1 month after receipt of your request, but we retain the right to extend this period up to 2 months in exceptional circumstances. We will in any event inform you within 1 month after receipt of your request if we decide to extend the period for our response.
In accordance with applicable laws and as further described below, you have i) the right to request access to, ii) rectification, iii) erasure or iv) portability (e.g. transfer of your personal data to another service provider) of your personal data we process, as well as to object to the processing of your personal data and/or request restriction of such processing.
Please note that your objection to processing could mean that we are unable to provide you with our Services or otherwise perform the actions necessary to achieve the purposes set out above.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us by contacting us via the contact details in ‘Contact Us’.
Your California Privacy Rights
Under the CCPA, you may have the following specific rights:
- The right to know about the personal information collected about you.
- The right to have your personal information deleted.
- The right not to be discriminated against for exercising consumer rights under the CCPA.
You may exercise your rights by emailing at [email protected]. While we disclose personal information to service providers for the purpose of managing our relationship with you (e.g. distributing marketing communications) and providing the Services, we do not sell your personal information.
16. Access to and rectification of your personal data
According to applicable laws, you have the right to rectify your personal data you have shared with us. Through your settings of the Services, you can access and update your account information and change your profile settings.
If you wish to limit or change access to or the sharing of your personal data with a social network, please do this via your account settings on that social network.
17. Accuracy of your personal data
We take reasonable measures to ensure that you are able to keep your personal data accurate and updated. You can always approach us in order to obtain confirmation whether or not we still process your personal data.
18. Erasure of your personal data
You can ask us to erase your personal data at any time. If you approach us with such a request, we will delete all your personal data we have without undue delay, provided that your personal data is no longer necessary for the provision of the Services or other permitted purposes, in particular in connection with exercising and defending our legal rights, or meeting our legal obligations. We will also delete (and ensure deletion by the processors that we engage) all your personal data in case you withdraw your consent or in the circumstances that the law requires us to do so.
19. Restriction of processing
If you request us to restrict the processing of your personal data, e.g. in circumstances when you contest the accuracy, lawfulness or our need to process your personal data, we will limit processing of your personal data to the necessary minimum (storage) and, if applicable, will process them only for the establishment, exercise or defence of legal claims or, where necessary, for protection of rights of another natural or legal person, or other limited reasons dictated by the applicable law. In case the restriction is lifted and we continue processing your personal data, you will be informed accordingly without undue delay.
20. Portability of your personal data
You have the right to receive personal data relating to you and which you have provided to us. If you approach us with such request, we will provide your personal data in commonly used and machine-readable format to you without undue delay from receipt of your request. If you request so, we will send your personal data to a third party (another data controller) which you will identify in your request, unless such request would adversely affect rights or freedoms of others and where technically feasible.
21. Objection to processing
You have the right to object to our using your personal data on the basis of our legitimate interests and there is something about your particular situation which makes you want to object to processing on this ground. In such case, we will no longer process your personal data unless we demonstrate compelling legitimate grounds for their further processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of our legal claims. If you object to processing of your data for direct marketing purposes, we will cease to process your data for these purposes.
22. Withdraw your consent
If you have provided us any consent with the processing of personal data, for example for marketing communication, you can withdraw your given consent at any time without stating any reason. We will block your personal data for any further processing. Please note that the withdrawal of your consent does not affect the lawfulness of any processing based on consent before its withdrawal.
23. Complaint to a data protection authority
You have the right to submit a complaint concerning our data processing activities to Office of the Permanent Secretary, at The Government Complex Commemorating His Majesty the King's 80th Birthday Anniversary, 5st December, B.E.2550 120 Moo 3 Bld. B, 6-9 Flr., Chaengwattana Rd., Laksi, Bangkok 10210
24. Request to opt out of the sale of personal data under the GDPR and PDPA
Mandala does not sell, as defined in the GDPR and the PDPA, any personal data. Therefore, if a consumer communicates an opt-out request under this provision, it will have no effect. If you require additional information about your rights under the GDPR and the PDPA to opt-out of the processing of your personal information, please contact: [email protected] and put GDPR or PDPA Request in the subject line.
25. Contact Us
Only you, or a person you have authorized to act on your behalf, may make a request related to your Personal Data. If you submit a request through an authorized agent, the agent must present signed written permission to act on your behalf, and you may also be required to independently verify your identity with us.
In order to protect your Personal Data, we may ask you or your authorised agent to provide additional Personal Data so that we can verify your identity. Any information that you provide will only ever be used as part of the process to confirm your identity and complete your request. In order to protect your Personal Data, if we cannot verify your identity, we will not be able to comply with your request.
Once you have submitted a request, you can expect an initial reply from the Mandala Privacy Team within a reasonable amount of time, dependent on where you live. Except where the law does not require or allow us to do so, any information we have of yours will be provided in an easily accessible and portable format once we have received your verifiable request. We will adhere to the appropriate response timeline that applies to you depending on where you live. We may request additional time if necessary in accordance with applicable law.
If you have any queries regarding our data collection and protection practices or your rights, Ocean Sky Network Company Limited
please do not hesitate to contact our Data Protection Officer Nathathai Siriwiriyasomboon.
Summer Lasalle unit A521-5
846 Lasalle Road, Bangna-Tai,
Bangna, Bangkok 10260
Attn: Mandala Privacy Team
Ocean Sky Network Company Limited