Privacy Policy 

Last update: May 31, 2022

Omise Co., Ltd., Omise Japan Co., Ltd., Omise SG Pte. Ltd., our affiliates and group companies (“Omise,” “we,” “us,” and/or “our,” ) recognize the importance of the protection of your Personal Data provided for using our services. As part of our daily business operations, we collect Personal Data from our clients and prospective clients in order to provide them with our products and services and to ensure that we can meet their needs both when providing these products and services and when providing them with the appropriate information.

As a result, we created this Privacy Policy (“Policy”) to help you understand your privacy options while using any device to access, use our services and to ensure that your Personal Data is collected, used, shared and transferred in an appropriate manner and for the purposes set out in this Policy.

This Policy will govern our treatment of your Personal Data and Sensitive Data during the term and performance of the services provided by us through our official website and applications (e.g., merchant dashboard) (as applicable), our process of onboarding merchants, and through our online payment services which customers transact via certain merchants’ online store/platform. 

Our Policy is reviewed regularly to ensure that any new obligations and technologies, changes to our business operations and practices are taken into consideration, as well as that it remains abreast of the changing regulatory environment. We encourage you to read this Policy carefully and we reserve the right to amend this Policy from time to time. Any amendment to this Policy will become effective when posted on our official website. Any Personal Data we hold will be governed by our most recent Policy. 

For the sake of clarification and for the purpose of this Policy, 

“Personal Data” means personal information relating to an individual who can be identified particularly by reference to certain information given by such an individual as requested by Omise for specific purposes contained in this Policy. 

“Sensitive Data” means any personal data pertaining to racial, ethnic, origin, political view, cult, religious or philosophical belief, sexual behavior, criminal record, health data, disability, trade union information, genetic data, biometric data or any data that may affect the data subject in the same manner, as prescribed by the committee. 

  1. Channel for collection of Personal Data and Sensitive Data
  2.         We collect your Personal Data and Sensitive Data through the following channels:

    1. The Personal Data and Sensitive Data that you provide directly to us, or that Omise collects as a result of your use or application for use of products and/or services, contact, visit, participation in activities, and search via service channels and/or Omise’s contact channels, such as head office, website, application, online social media platform of Omise, email and similar channels;
    2. The Personal Data and Sensitive Data received or accessed by Omise from other sources such as our service providers, business partners, any other person or juristic person or agency with which Omise has a legal relationship.

  3. Which Personal Data and Sensitive Data do we collect, use, and/or disclose ?
  4.         The following categories of Personal Data may be collected from you via the channels listed above. For Sensitive Data, we only collect your religion and nationality:

    1. Personal Information: title, first name, middle name, surname, alias (if any), gender, date of birth, age, occupation, qualifications, job title, position, nationality, citizenship, religion, country of residence, data on the document issued by government agencies (national identification card, passport, driver license or similar documents), signature, photograph, house registration, registered address, current address, and information on whether you hold a prominent public function (PEPs or other sanction lists);
    2. Contact Information: contactable address, workplace address, telephone number, facsimile, email address, ID or name on social network platform; 
    3. Transaction Information: payment history, payment date and time, transaction amount, transaction status, refund details, location of purchase, order number, complaint and claim, booking details, rental details, and any other details in relation to the payment transaction that arising from the use of Omise’s services;
    4. Financial Information: bank account details, electronic card information (e.g., cardholder name, card number, expiration date, cvv number, cycle cut), prompt pay number; 
    5. Technical Information: internet protocol address (IP Address) and its associated location, media access control address (MAC Address), email address, google unique user ID (UUID), log, Cookies ID, web beacon, pixel tag, software development kit (SDK), device ID, device model, series and type, browser information (e.g., browser type and version, operating system, etc.), data on access, data on single sign-on (SSO), URL, network, connection details, log in data, access time and period, timezone and location, time spent, other technology on your device used for accessing our website, and other technical data from usage on platform and operating system;
    6. Service Account Information: user name, password, account identity (e.g., account registration date, account usage data, etc.), action performed during dashboard usage (e.g., log in data, sign up data, page visited, exports performed, etc.), browser information used for accessing the dashboard; 
    7. Other Information: record of communication between you and Omise, details on complaint or comment, request for exercising right, record (audio, image and video), photo or video from our CCTV.

    The Personal Data and Sensitive Data we collect based on the actions you take with us are outlined in the table below for your convenience:

    Activity

    Personal Data or Sensitive Data we collect

    Onboarding as Omise’s new merchants

    Personal Information, Contact Information, Financial Information (only bank account details) 

    Visiting and interacting with our website

    Technical Information (as applicable)

    Payment via merchant’s platform

    Transaction Information, Financial Information (as applicable), Technical Information (as applicable)

    Visiting and interacting with our merchant dashboard

    Technical Information (as applicable), Service Account Information

    Merchant change request

    Personal Information, Contact Information, Financial Information (only bank account details), solely for the area that you need to update or modify your Personal Data or Sensitive Data

    Visiting our premise

    Personal Information (solely for the area where we need to know your identity), Contact Information (as necessary), Other Information (record, photo or video from our CCTV) 

    Having business negotiation with us (physical contact)

    Personal Information (solely for the area contained in your business card and upon your mutual agreement) 

    Complaint submission process

    Personal Information (as applicable), Contact Information (solely for the area you contacted us), Technical Information (only IP Address)

            We do not intend to collect, use, or disclose Personal Data and Sensitive Data of minors, the incompetent, or quasi-incompetent, unless we obtain consent from the guardian, the appointed guardian, the appointed curator, or any act pursuant to which minors may give consent by themselves pursuant to law (as applicable) and/or has any lawful basis. If we discover that the collection, use, or disclosure of Personal Data and/or Sensitive Data of minors, the incompetent, or quasi-incompetent persons was conducted without (i) consent from the guardian, the appointed guardian, the appointed curator, or minors who may give consent by themselves pursuant to law, and (ii) any lawful basis, we shall delete or destroy such Personal Data and/or Sensitive Data.

            If you provide Personal Data and/or Sensitive Data of any other third party who is a personnel of Juristic Person and/or who has an involvement with you, such as shareholders, directors, authorized persons, family members, reference persons and/or any other person etc. to Omise,  please inform those persons of the details under this Policy and request their consent, if necessary, or apply other lawful basis to ensure that Omise can collect, use and/or disclose Personal Data and/or Sensitive Data of the aforementioned third party.

  5. The Purposes we collect, use, and/or disclose your Personal Data and Sensitive Data
  6.         Omise will collect, use, and/or disclose your Personal Data and Sensitive Data only as necessary to accomplish Omise’s legitimate objectives, which may include the collection, use, and/or disclosure of Personal Data and Sensitive for the performance of contractual obligations to which you are a party, for the performance of legal obligations, for legitimate interest, for operations based on your consent, and/or for other lawful purposes.

            Omise will collect, use, and/or disclose your Personal Data and Sensitive Data only as necessary to accomplish Omise’s legitimate objectives, which may include the collection, use, and/or disclosure of Personal Data and Sensitive for the performance of contractual obligations to which you are a party, for the performance of legal obligations, for legitimate interest, for operations based on your consent, and/or for other lawful purposes.

      3.1 Compliance with the applicable laws: We collect, use, and/or disclose your Personal Data and/or Sensitive Data based on the fulfillment of responsibilities in line with the applicable laws and legislation, such as payment system law, anti-money laundering law, counter - terrorism and proliferation of weapons of mass destruction financing law, as well as other laws that Omise is required to abide by both domestically and internationally, including announcements and rules issued under such laws, which are both now in effect and to be altered further.. There are numerous regulatory authorities whose laws and regulations we must follow (e.g., the Bank of Thailand, Anti-Money Laundering Officer). We are obligated to process your Personal Data and Sensitive Data for credit checks, identification verification (i.e., know your customer and customer due diligence procedures), record keeping, payment processing, transaction monitoring, compliance with court orders, or other reporting responsibilities of anti-money laundering procedures.

      3.2 Contractual performance: We collect, use, and/or disclose your Personal Data and Sensitive Data on the basis of our contractual relationship with you in order to provide you with our services as well as information on those services, including consultation regarding the services, communication in relation to the services, and the performance of the complaint handling procedure. Additionally, your Personal Data and Sensitive Data are processed in order to complete our merchant onboarding procedure. In this case, in order to accept you as a merchant, we must authenticate your identification by executing the know your customer (KYC) and customer due diligence (CDD) procedures, as well as an inspection of the sanction list and merchant risk categorization procedures. In addition, we need to use your Personal Data in order to effectively manage your account with us to ensure that you are getting the best possible service from us. 

      3.3 Troubleshooting and improvement of our services/products: We collect, use, and/or disclose your Personal Data on the basis of contractual performance in order to conduct any performance analysis, error correction, usability testing, and other activities for enhancing the efficacy of our services and products. We may from time to time use your Personal Data if you require assistance or advice on the use of our services or products.

      3.4 Protection of legitimate interests: We collect, use, and/or disclose your Personal Data on the basis of legitimate interest in order to protect our or a third party's legitimate interests. A legitimate interest is when we have a business or commercial reason to use or disclose your Personal Data, including, but not limited to: (i) initiating legal claims and preparing our defense in litigation procedures; (ii) means and processes we undertake to provide for our IT and system security, preventing potential crime, asset security, admittance controls, and anti-trespassing measures; (iii) any conduct relating to risk management; or (iv) fraud prevention and transaction investigations.

      3.5 Investigation or judicial procedure: We may collect, use, and/or disclose your Personal Data to comply with court orders or other judicial procedures, or the request or requirements of any applicable regulatory authority, in accordance with the applicable laws and regulations. Additionally, we may need to use your Personal Data to send you required legal notices.

      3.6 Marketing communications: We may collect, use, and disclose your Personal Data based on your consent in order to market and recommend our features, products, and services that you may be interested in, and we may use your Personal Data to send you marketing communications or advertisements, such as providing of privilege, sales promotion, special offer, and any other marketing communications in relation to our services or products via email, social media platform, telephone or other similar channels.

      3.7 Profiling and data analytic: We may collect, use and/or disclose your Personal Data based on your consent to, by using browser cookies, personalize contents and preferences, to selectively deliver and display the advertisements, and to enable us to evaluate statistical data about website visitors, such as their frequency and location of website access, as well as the conversion rate from website visit to account sign-up.

      For your convenience, the purposes for which we collect, use, and disclose your Personal Data based on your relationship with us are detailed in the table below:

      Type of Data Subject

      Compliance with the applicable law

      Contractual Performance

      Troubleshooting

      Protection of legitimate interests

      Investigation or judicial procedure

      Marketing communication

      Profiling and data analytic

      Website visitor

      -

      -

      -

      -

      -

      -

      Yes

      Individual merchant

      Yes

      Yes

      Yes

      Yes

      Yes

      Yes

      Yes

      Merchant’s directors/shareholders

      Yes

      Yes

      -

      Yes

      Yes

      -

      -

      Merchant’s customers (End-customer)

      Yes

      Yes

      Yes

      Yes

      Yes

      -

      -

      Omise’s new lead

      -

      -

      -

      -

      -

      Yes

      Yes

      Office visitor

      -

      -

      -

      Yes

      Yes

      -

      -

      Business partner’s representative

      -

      Yes

      -

      Yes

      -

      -

      -

  7. Disclosure of your Personal Data and Sensitive Data
  8.         We will not disclose your Personal Data and Sensitive Data to any third party, except the following conditions:

      1) Disclosure of your Personal Data and/or Sensitive Data is compelled by law, government authority, court order, or administrative tribunal;

      2) Disclosure of your Personal Data and/or Sensitive Data is justified by a lawful basis;

      3) Disclosure of your Personal Data and/or Sensitive Data occurs at your request or upon your consent;

      4) Disclosure of your Personal Data and/or Sensitive Data to persons or juristic persons described in this Clause 4.

            Unless otherwise authorized by a regulatory authority, we shall make such disclosures based on a need-to-know basis. Under these circumstances, we will inform the third party about the confidential nature of your Personal Data and/or Sensitive Data. As part of our use of your Personal Data and/or Sensitive Data for the purposes stipulated in this Policy, we may disclose your Personal Data and/or Sensitive to the following parties:

      (a) Members including directors, executives, employees, staffs of SYNQA Group Companies, Omise Group Companies and/or OPN Group Companies, solely for carrying out the purposes of this Policy and on a need-to-know basis;

      (b) Our financial business partners, partnering financial institution, source of funds, card schemes (VISA, MasterCard, JCB, Amex etc.), and third parties including financial technology service providers and commercial banks. In this regard, we will disclose your Personal Data and/or Sensitive Data to facilitate our services to you and for the legitimate investigation including but not limited to fraud or money laundering investigations;

      (c) Regulatory bodies as required by laws, such as law enforcement agencies, investigators, public prosecutors, tribunals, courts, authorities who have the authority to supervise the business or regulated payment services, such as the Bank of Thailand, and government agencies in relation to the provision of services. In this regard, we will disclose your Personal Data and/or Sensitive Data to comply with the directives of officials or those with legal rights;

      (d) Our consultants or specialists, such as auditors, legal counsel, tax consultants. We will disclose your Personal Data and/or Sensitive Data for our general business operations;

      (e) Our service providers include information technology, information technology support, infrastructure, system, information technology security, database, search agency, marketing, campaign and event organizers, and service providers associated with the merchant’s onboarding, screening and monitoring procedures. We will disclose your Personal Data and/or Sensitive Data to facilitate services to you, record, integrate and secure your Personal Data and/or Sensitive Data;

      (f) Assignee of Omise's merger rights In the event of organizational restructuring or mergers and acquisitions, purchase of business, transfer of rights, liquidation, or any other similar event, we may be required to disclose your Personal Data and Sensitive Data to such assignments; and 

      (g) Anyone authorized by you.  

  9. Cross-Border Transfer
  10.         We may transmit your Personal Data outside of Thailand, Japan, Singapore, Malaysia to SYNQA Group Companies and Omise Group Companies, as well as our service providers who provide IT infrastructure and technological services, including data center, cloud platform or having their servers located in other countries. To the extent that we transmit your Personal Data outside of Thailand, we will ensure that such transmission is lawful and that our sub-processors in the third countries are obligated to comply with the data protection laws or other comparable laws and to provide the appropriate safeguarding measures in relation to the transmission of your Personal Data, as required by law. 

  11. Cookies
  12.         We use and allow our cookies and certain third-parties to use cookies and similar tracking technology on our Site as follows.​

            We use browser cookies to personalize content and your preference, to selectively deliver and display our advertisements and marketing materials to allow us to analyze statistical information of our Site users including frequency and location of Site access, and to measure conversion rate from Site visit to account sign-ups. For this profiling purpose we embed third party javascript from Google that shares your browser information with them and links the site access with your browsing history using their cookies. In return, they provide us with an anonymized Site’s visitors’ usage analysis. Your actual user identity that you shared with these providers will not share with us. You consent to our browser cookies if you continue to use our website and decide not to block them.​

            You may choose to disable or delete certain cookies on your internet browser settings, but you will not be able to access or use important features or functions of the Site. You can also delete all site access and conversion data shared with Google anytime from https://myactivity.google.com/myactivity.

  13. Retention of you Personal Data
  14.         We will retain your Personal Data and Sensitive Data in electronic, paper, audio and video formats for as long as necessary to fulfill the purposes outlined in this Policy, unless stated otherwise in this Policy. Following the expiration or termination of our engagement or relationship with you, we will continue to retain your Personal Data for as long as the applicable laws require. Once we conclude that your Personal Data is no longer required to be retained for the purposes of this Policy and we are relieved of our legal obligation to keep your information, we will delete or destroy your Personal Data or make it as non-personally identifiable information. The retention duration for your Personal Data is specified in the table below:

    Type of Personal Data based on activity

    Retention Period

    Personal Data and Sensitive Data which are collected throughout the process of onboarding Omise’s new merchants

    Thailand: 10 years retention period for the information relating to the KYC and CDD documents and information pursuant to Anti-Money Laundering Act of Thailand

    Japan: 7 years retention period for the information relating to the KYC documents and information pursuant to the laws in Japan (including the Corporate Tax Law) 

    Singapore: 5 years retention period for the information relating to the KYC and CDD documents and information.

    Personal Data collected from the visiting and interacting with our website 

    The retention period will be governed by: 

    Google Analytics: the information will be retained for 38 months

    Facebook Insights: the information will be retained according to the retention policy of Facebook

    Logged access data that only provides IP and browser information of the accessing user may be kept for 1 year as required by PCI-DSS.

    Personal Data collected from the payment via merchant’s platform 

    Thailand and Singapore: the retention period is 5 years following the date of completion of the transaction.

    Japan: the retention period is 7 years following the date of completion of the transaction.

    Personal Data collected from the visiting and interacting with our merchant dashboard

    The retention period is 5 years for connecting the dots on how the system is being used.

  15. Your right as a Data Subject
  16.         The right that is available to you in relation to your Personal Data and Sensitive Data we hold about you are as follows:

      (a) Right to Access: You have the right to request access to your Personal Data and Sensitive Data stored in our system and to receive a reasonable copy of such data.

      (b) Right to Rectification: Your Personal data is necessary for the delivery of our services. On this basis, we shall ensure that your Personal Data and Sensitive Data are accurate, up-to-date, and comprehensible, and that its subject matter does not lead to confusion. If your Personal Data and/or Sensitive Data is inaccurate, out-of-date, incomplete, or may lead to misconceptions regarding the substance of the information, you have the right to request rectification of your Personal Data and Sensitive Data by contacting us at the contact point stated in this Policy. In certain instances, we may seek further evidence to authenticate the veracity of the rectified information.

      (c) Right to Data Portability: You have the right to receive your Personal Data and Sensitive Data if we have made it accessible in a format that can be read or utilized by automated tools or equipment and can be used or disclosed via automated method. You also have the right to request that we electronically transmit or transfer your Personal Data and Sensitive Data to another data controller, where possible, and have the right to obtain Personal Data and Sensitive Data that we send or transfer in such form directly to another data controller, unless it is technically impossible to do so.

      (d) Right to Object: You have the right to  object to the collection, use, or disclosure of your Personal Data and Sensitive Data. If you submit an objection request, we will continue to collect, use, and/or disclose your Personal Data and Sensitive Data only to the extent that we are required by law to do so or that it is more important or for the purpose of establishing legal claims on a case-by-case basis, compliance, or exercise of legal claims, or defense against legal claims.

      (e) Right to Restriction or Suspension: You have the right to request a restriction on or a temporary suspension of the collection, use, and/or disclosure of your Personal Data and Sensitive Data in certain situations, such as if you suspect that the Personal Data and/or Sensitive Data obtained by Omise is erroneous or in the event that your Personal Data and/or Sensitive Data is undergoing revision, etc.

      (f) Right to Delete or Destroy: You can ask us to delete or destroy your Personal Data and Sensitive Data. If you suspect that your Personal Data and/or Sensitive Data has been improperly collected, used, or disclosed or it is no longer required to preserve for the purposes outlined in this Policy. We reserve the right to refuse deletion or destruction requests if we believe or determine that your Personal Data and/or Sensitive Data is compelled by law to be retained.

      (g) Right to Withdraw Consent (opt-out): You have the right to withdraw consent at any time. Nonetheless, the withdrawal shall not affect the collection, use, disclosure, processing, and/or transmission of your Personal Data to which you have already consented. If we have disclosed your Personal Data or Sensitive Data to third parties, we will notify them of your withdrawal. However, Your withdrawal of consent may prevent us from fulfilling our obligations under the contract or from providing you with services, or may result in the suspension of all  subsequent transactions and associated activities. Before withdrawing your consent, it is in your best interest to perform research and inquiries about the consequences.

      (h) Right to Lodge Complaint: If you believe that Omise's collection, use, or disclosure of your Personal Data and Sensitive Data violates applicable law, you have the right to file a complaint with the official or the competent legal body.

  17. Inquiries
  18.         If you wish to contact Omise for the exercise of the rights stated above or to inquire about this Policy, you can contact Omise through the following channels:

    1. Our Offices:

        Thailand: Omise Co., Ltd.

        1448/4 J2 Building, Crystal Design Center (CDC), Soi Ladprao 87 (Chandrasuk), Praditmanutham Road, Khongchan, Bangkapi, Bangkok 10240 Thailand.

        Phone Contact: 02 252 8777

        Japan: Omise Japan Co., Ltd.

        Tokyo Square Garden, 1-1 Kyobashi 3 chome, Chuo-ku, Tokyo, Japan 104-0031.

        Phone Contact: +3-63115877

        Singapore: Omise Payment SG. Pte. Ltd.

        6 Battery Road, 38-04, Singapore, 049909

    2. Email Contact: support@omise.co
    3. Our Data Protection Officers:

Omise uses cookies to improve your overall site experience and collect information on your visits and browsing behavior. By continuing to browse our website, you agree to our Privacy Policy. Learn more