Privacy Policy
Compliant with Thailand's Personal Data Protection Act (PDPA) B.E. 2562
Last updated: March 2026
1. Data Controller
Rentdi, Bangkok, Thailand. Contact: support@rentdi.com
2. Data We Collect
- Account data: Email, phone number, name, date of birth
- Identity verification: National ID or passport number, ID document photo
- Property data: Address, photos, listing details (owners only)
- Financial data: Bank account details for refunds. Credit card data is NOT stored by Rentdi — it is processed directly by our payment provider (Opn/Omise).
- Usage data: Pages visited, search queries, booking history, IP address
3. Why We Collect Data
- To provide the rental platform service (account management, bookings, contracts)
- To verify user identity (KYC) for trust and security
- To process payments and generate contracts
- To comply with Thai legal requirements
- To improve the platform experience
4. Legal Basis (PDPA)
We process your data based on:
- Consent: For KYC data collection, marketing communications
- Contractual necessity: For rental agreements and payments
- Legal obligation: For tax and regulatory compliance
- Legitimate interest: For platform security and fraud prevention
5. Data Security
We protect your data with:
- AES-256-GCM encryption for sensitive personal data (national IDs, bank accounts)
- bcrypt password hashing (cost factor 12)
- SSL/TLS encryption in transit
- Presigned URLs with short TTL for identity documents
- Access-controlled file storage (KYC documents served through authenticated endpoints only)
- Append-only financial transaction records
- Admin action audit logging
6. Your Rights (PDPA Section 30-36)
As a data subject under Thai PDPA, you have the right to:
- Access: Request a copy of your personal data
- Correction: Update inaccurate data via your profile page
- Deletion: Request account deletion and data anonymization
- Portability: Request your data in a structured format
- Withdraw consent: For data processing based on consent
- Object: To data processing based on legitimate interest
To exercise these rights, email support@rentdi.com or use the “Request Account Deletion” option in your profile settings.
7. Data Retention
- Account data: retained while account is active + 30 days after deletion request
- Financial records: retained for 5 years (Thai Revenue Code requirement)
- KYC documents: retained for duration of active contracts + 1 year
- Login attempts: retained for 24 hours
8. Third-Party Sharing
We share data only with:
- Opn (Omise): Payment processing
- AWS: Cloud infrastructure and file storage
- Thai authorities: When required by law
We do NOT sell your personal data to any third party.
9. Cookies
We use a session cookie (rd_session) for authentication routing. We use Google Analytics for anonymous usage statistics. No advertising cookies are used.
10. Data Breach Notification
In the event of a data breach affecting your personal data, we will notify the PDPC within 72 hours and affected users as soon as practicable, in accordance with PDPA requirements.
11. Contact & Complaints
Data Protection Officer: support@rentdi.com
If unsatisfied with our response, you may file a complaint with the Personal Data Protection Committee (PDPC) of Thailand.