Privacy Policy

Effective date: May 30, 2026 · Last updated: May 30, 2026

1. Operator and scope

Peerapat Residence Co., Ltd. ("we", "us", "our", the "Operator") owns and operates FlowRent, a Software-as-a-Service (SaaS) platform that customers use to manage their own residential rental operations.

This policy explains how we collect, use, disclose, and safeguard personal data in connection with the Service. Continued use of the Service constitutes acceptance of this policy. The Thai-language version is the controlling text; other languages are provided for convenience.

2. Definitions

  • "PDPA" means the Personal Data Protection Act B.E. 2562 and its subordinate regulations.
  • "Service" means the FlowRent platform across all channels — web, mobile applications, and any LINE Official Account that customers operate for their tenants.
  • "Customer" means the juristic person or individual that subscribes to the Service to manage its own residential properties (building owner / property operator / juristic management company) and that operates the business using the Service.
  • "Tenant" means an occupant of a Customer's property who interacts with the Service through channels the Customer provides.
  • "Personal Data" has the meaning given in the PDPA.

3. Our role under PDPA

Our role differs based on the data being processed:

  • Data Processor — for tenant data, Customer-side user data, and operational data the Customer enters into or directs the Service to process. The Customer is the Data Controller of that data. We process strictly on the Customer's documented instructions and only for the purpose of providing the Service.
  • Data Controller — for (a) Customer admin account and login credentials, (b) Customer billing and tax-invoice data, and (c) marketing data of leads who contact us directly through public channels of the Service.

If you are a tenant and want to exercise PDPA rights over data held in a building, please contact the building operator directly — they are the Data Controller of your data.

4. Categories of data processed

Data that may be processed through the Service includes, generally:

  • Account / user data — name, email, phone, role in the system, and login credentials
  • Tenant data — name, ID or passport number, contact details, emergency contacts
  • Lease and occupancy data — unit number, term, rent, deposits
  • Billing and payment data — invoices, payment slips, meter readings, tax-invoice information
  • Maintenance and operational data — request details, attached photos, status
  • Communications and messages exchanged through the LINE Official Account or other channels within the Service
  • Technical data — IP address, device information, system logs, cookies

Sensitive personal data (e.g. health information) is not within the normal scope of the Service. If it must be processed in a specific case, we follow the additional PDPA requirements.

5. Lawful basis for processing

We rely on the following lawful bases under PDPA Section 24:

  • Performance of contract — to deliver the Service to the Customer or User
  • Legitimate interest — system security, fraud prevention, and Service-quality improvement
  • Legal obligation — e.g. issuing tax invoices and retaining accounting records
  • Consent — only where required by law, e.g. for marketing communications and non-essential cookies; consent may be withdrawn at any time

6. Purposes of processing

  • Operate the Service as requested by the Customer or User
  • Bill subscription fees and issue accounting / tax documents
  • Send service-critical and security notifications
  • Respond to enquiries and provide support
  • Monitor usage for security and to prevent misuse
  • Improve the Service at an aggregate level that does not identify individuals
  • Comply with applicable laws and lawful authority requests

7. Sub-processors

We may engage external service providers to support our operations — for example cloud hosting, email and SMS delivery, the LINE platform for messaging, and customer-support tooling. Such providers are bound by data-protection terms consistent with PDPA.

We will notify Customers in advance of material changes to sub-processors, with an opportunity to object as set out in the service agreement. We do not sell personal data to third parties under any circumstances.

8. Cross-border transfers

Processing may occur in or outside the Kingdom of Thailand, depending on the service providers we use. Where data leaves Thailand, we ensure an adequate level of protection or apply appropriate safeguards required under applicable law.

9. Retention

  • Customer-controlled data — retained during the subscription term; export available for 30 days after account closure
  • Backups — rotated on a standard schedule and retained no longer than 90 days before automatic purge
  • Accounting / tax records and other data legally required to retain — 5 years after contract termination, per Thai law (Revenue Code)
  • System logs — retained only as long as necessary for security and audit

10. Data breach notification

In the event of a personal-data breach that affects the Customer or data subjects, we will notify the Customer without undue delay, targeting within 72 hours of becoming aware of the breach, with the information available at that time and remediation steps, so the Customer can satisfy its own PDPA notification duties on time.

11. Data subject rights under PDPA

Data subjects have the following rights:

  • Right of access and to receive a copy
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to object
  • Right to data portability
  • Right to withdraw consent
  • Right to lodge a complaint with Thailand's Personal Data Protection Committee

If you are a tenant, please direct requests to the building operator (the Data Controller) for data they control. For data for which we are the Controller (section 3), contact our DPO via the details in section 15.

12. Cookies

Our website uses cookies in the following categories:

  • Strictly necessary — required for basic Service functionality such as login; cannot be disabled
  • Analytics — to understand aggregate usage; optional
  • Functional — to remember preferences for convenience; optional

Non-essential cookies are not pre-enabled. You can manage consent at any time via the "Cookie Settings" control on the website.

13. Minors

The Service is not directed at individuals under 20 years of age. The Customer, as Data Controller, is responsible for obtaining valid consent under applicable law when needed.

14. Changes to this policy

We may update this policy from time to time. Material changes will be notified at least 30 days before they take effect, via email, in-app notice, or website announcement. The effective date at the top of this page always reflects the latest version.

15. Contact us

Peerapat Residence Co., Ltd.

  • Registered address: 343 Soi Phahonyothin 53, Phahonyothin Road, Anusawari Sub-district, Bang Khen District, Bangkok 10220, Thailand
  • Tax ID: 0105568020093
  • DPO email: peerapatresidence@gmail.com