Privacy Policy

Compliant with Thailand's Personal Data Protection Act (PDPA) B.E. 2562

Last updated: March 2026

1. Data Controller

Rentdi, Bangkok, Thailand. Contact: support@rentdi.com

2. Data We Collect

  • Account data: Email, phone number, name, date of birth
  • Identity verification: National ID or passport number, ID document photo
  • Property data: Address, photos, listing details (owners only)
  • Financial data: Bank account details for refunds. Credit card data is NOT stored by Rentdi — it is processed directly by our payment provider (Opn/Omise).
  • Usage data: Pages visited, search queries, booking history, IP address

3. Why We Collect Data

  • To provide the rental platform service (account management, bookings, contracts)
  • To verify user identity (KYC) for trust and security
  • To process payments and generate contracts
  • To comply with Thai legal requirements
  • To improve the platform experience

4. Legal Basis (PDPA)

We process your data based on:

  • Consent: For KYC data collection, marketing communications
  • Contractual necessity: For rental agreements and payments
  • Legal obligation: For tax and regulatory compliance
  • Legitimate interest: For platform security and fraud prevention

5. Data Security

We protect your data with:

  • AES-256-GCM encryption for sensitive personal data (national IDs, bank accounts)
  • bcrypt password hashing (cost factor 12)
  • SSL/TLS encryption in transit
  • Presigned URLs with short TTL for identity documents
  • Access-controlled file storage (KYC documents served through authenticated endpoints only)
  • Append-only financial transaction records
  • Admin action audit logging

6. Your Rights (PDPA Sections 30-36)

As a data subject under Thai PDPA, you have the right to:

  • Access: Request a copy of your personal data
  • Correction: Update inaccurate data via your profile page
  • Deletion: Request account deletion and data anonymization
  • Portability: Request your data in a structured format
  • Withdraw consent: For data processing based on consent
  • Object: To data processing based on legitimate interest

To exercise these rights, email support@rentdi.com or use the “Request Account Deletion” option in your profile settings.

7. Data Retention

  • Account data: retained while account is active + 30 days after deletion request
  • Financial records: retained for 5 years (Thai Revenue Code requirement)
  • KYC documents: retained for duration of active contracts + 1 year
  • Login attempts: retained for 24 hours

8. Third-Party Sharing

We share data only with:

  • Opn (Omise): Payment processing
  • AWS: Cloud infrastructure and file storage
  • Thai authorities: When required by law

We do NOT sell your personal data to any third party.

9. Cookies

We use a session cookie (rd_session) for authentication routing. We use Google Analytics for anonymous usage statistics. No advertising cookies are used.

10. Data Breach Notification

In the event of a data breach affecting your personal data, we will notify the PDPC within 72 hours and affected users as soon as practicable, in accordance with PDPA requirements.

11. Contact & Complaints

Data Protection Officer: support@rentdi.com

If unsatisfied with our response, you may file a complaint with the Personal Data Protection Committee (PDPC) of Thailand.