Bnyx Technology Co., Ltd. (Thai juristic person registration no. 0135569006566), operator of the Vexio platform (https://vexio.app), recognises the importance of protecting your personal data and is committed to complying with the Thai Personal Data Protection Act B.E. 2562 (2019) ("PDPA").
This Policy describes how we collect, use, disclose, and protect your personal data — whether you are a website visitor, a Vexio account holder, a Vexio platform user, or an end customer communicating through chat with a Vexio user.
Vexio is a Revenue Ops platform for Social Commerce that helps businesses manage chat from LINE, Facebook, and Instagram, as well as sales team management, AI chat assistance, and payment processing — all in one system.
1 Personal Data We Collect
1.1 Data you provide directly
- Full name (or display name)
- Email address
- Phone number
- Company / store name and business information
- Tax ID (for tax invoice issuance)
- Account information (username, encrypted password)
- Payment data (only what is necessary for processing)
1.2 Data collected automatically
- IP address
- Browser type and version, operating system, device information
- Cookies and similar tracking technologies
- Platform usage data (pages visited, time spent, features used)
- System log data
1.3 End-customer chat data
As a platform provider, Vexio acts as a Data Processor for chat data that end customers send through LINE, Facebook, or Instagram channels of Vexio users. This data may include:
- End-customer name / display name
- Profile picture from the chat platform
- Message content, images, and files sent through chat
- Order and payment information sent through chat
* Vexio users (business owners) are the Data Controllers of their own end-customer data and are responsible for notifying their end customers of their own privacy policy.
2 Purposes of Collection and Use
We collect and use your personal data for the following purposes:
- Service delivery — Creating and managing user accounts, providing the Vexio platform including chat, AI assistant, team management, and payment features.
- Communication — Contacting you about the service, answering questions, sending important notifications, and sending newsletters you have opted into.
- Service improvement — Analysing usage to develop and improve the platform.
- Invoicing and tax documents — Financial and accounting operations.
- Legal compliance — Complying with applicable legal requirements.
- Security — Detecting and preventing fraud, unauthorised use, and cyber threats.
- Aggregate analytics — Producing de-identified statistical reports to improve our service.
3 Legal Basis for Processing
We process your personal data on the following legal bases:
Contractual Basis
Processing necessary to deliver the service under our terms of use — account creation, platform access, payment processing.
Consent
Marketing communications, non-essential cookies, and other cases where the law requires consent. You may withdraw consent at any time.
Legitimate Interests
System security, fraud prevention, service improvement, and aggregate analytics, balanced against your rights.
Legal Obligation
Data retention required by tax law, electronic transactions law, and other applicable laws.
4 Disclosure to Third Parties
We may disclose your personal data to the following third parties only as necessary to provide the service:
| Recipient Category | Purpose |
|---|---|
| Cloud providers | Hosting and processing data on secure servers |
| Payment gateways | Processing payments and verifying bank-transfer slips |
| AI providers (OpenAI, Anthropic) | Processing conversation content via OpenAI (GPT models) and Anthropic (Claude models) for our AI chat assistant. Both providers have signed DPAs with us and do not use your data to train their AI models. |
| Chat platforms (LINE, Facebook, Instagram, Telegram, WhatsApp, TikTok) | Connecting and exchanging messages per each platform's API |
| Analytics providers | Analysing website and platform usage to improve the service |
| Government authorities | When required by legal order or law |
We enter into Data Processing Agreements with every third party that accesses personal data, to ensure your data is protected to appropriate standards.
4.1 Google API Services & Limited Use Disclosure
When you connect a Google Account to Vexio (for our Knowledge Base import, Booking Calendar sync, or Data Export to Sheets features), the application requests only the OAuth scopes necessary for those features.
Google API scopes we request
| Scope | Purpose |
|---|---|
| drive.file | Access only files you explicitly select through the Google Picker to import as Knowledge Base articles. We cannot see any other files in your Google Drive. |
| calendar / calendar.events | Create, update, and cancel booking events on your Google Calendar when customers book through your AI chatbot, and check availability before confirming bookings. |
| calendar.events.freebusy | Check calendar availability without reading event details. |
| spreadsheets | Create new spreadsheets and write your CRM data for the Data Export feature (Business / Growth / Enterprise plans only). |
| userinfo.email / userinfo.profile / openid | Identify the connected Google Account (standard OAuth). |
Limited Use Disclosure
Vexio's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically, we affirm that:
- We use information received from Google APIs only to provide the user-facing features listed above (Knowledge Base import, Booking sync, Data Export).
- We do not transfer information received from Google APIs to any third party except (a) to provide the user-facing features you requested, (b) to comply with applicable law, or (c) as part of a merger, acquisition, or sale of Vexio assets with notice to users.
- We do not use information received from Google APIs for advertising, including personalised or retargeted ads.
- We do not allow humans to read information received from Google APIs except (a) with your consent for specific identified data, (b) for security purposes such as investigating abuse, or (c) to comply with law.
- We do not use information received from Google Workspace APIs to develop, improve, or train generalised AI / ML models. Data used by Vexio's AI chatbot stays scoped to the specific conversation.
Your Controls
- You can disconnect your Google Account from Vexio at any time through the settings page of each integration (Knowledge Base, Booking, Data Export).
- You can revoke Vexio's access entirely via Google Account Permissions at any time.
- When you disconnect, all syncing stops immediately. Data previously imported into Vexio remains in your workspace (so your AI chatbot keeps working) until you remove it yourself.
5 International Data Transfers
Because some of our services rely on providers with servers or offices abroad, your personal data may be transferred outside Thailand — for example, to the United States (OpenAI, Anthropic, Google) and Singapore (cloud infrastructure). We will:
- Verify that the destination country has an adequate level of personal data protection.
- Use appropriate safeguards such as Standard Contractual Clauses (SCCs) or Data Processing Agreements with equivalent security terms.
- Obtain your consent where the law requires it.
6 Data Retention
We retain your personal data only as long as necessary for the purposes set out above and to comply with the law:
| Data Type | Retention Period |
|---|---|
| Account information | As long as the account is active and up to 1 year after closure |
| Chat data and conversations | Per the user's plan (typically 6–24 months) |
| Financial and tax data | 5 years (per tax law) |
| System logs and security data | Up to 1 year |
| Marketing data | Until consent is withdrawn |
7 Data Subject Rights
Under the PDPA, you have the following rights regarding your personal data:
Right of access
Request access to and a copy of your personal data.
Right to rectification
Correct inaccurate or incomplete personal data.
Right to erasure
Request deletion of your personal data, subject to legal exceptions.
Right to restriction
Restrict the processing of your personal data in certain cases.
Right to object
Object to the processing of your personal data for certain purposes, such as marketing.
Right to data portability
Receive your personal data in a structured, machine-readable format.
Right to withdraw consent
Withdraw consent at any time, without affecting the lawfulness of processing prior to withdrawal.
Right to lodge a complaint
Lodge a complaint with the Personal Data Protection Committee (PDPC) if your data subject rights have been violated.
To exercise these rights, please contact our Data Protection Officer at [email protected]. We will respond within 30 days of receiving a valid request.
9 Data Security
We use technical and organisational security measures to protect your personal data against unauthorised access, loss, alteration, or disclosure:
- Data encryption in transit and at rest
- Password hashing with bcrypt / secure hashing algorithm
- HTTPS / TLS for all communications
- Least-privilege access control
- Regular backups
- Regular security audits and reviews
- Restricting access to personal data to employees who need it
While we use appropriate security measures, no internet transmission or electronic storage method is 100% secure. If you become aware of a security incident, please notify us immediately at [email protected].
10 Changes to this Policy
We may update this Privacy Policy from time to time to reflect changes to the service, the law, or other relevant requirements. When we do:
- We will publish the updated Policy on this website with a new effective date.
- For material changes, we will notify you by email or another appropriate channel.
- Your continued use of the service after the updated Policy takes effect constitutes acceptance of the changes.
11 Contact Data Protection Officer (DPO)
If you have questions, concerns, or wish to exercise your data subject rights, please contact:
Data Controller
Bnyx Technology Co., Ltd.
Juristic Person Registration No.
0135569006566
Address
87/119 Moo 5, Bueng Kham Phroi Sub-district, Lam Luk Ka District, Pathum Thani Province, Thailand
Company Website
Product Website