Privacy Policy
GIGIT Company Limited | Effective Date: 4 June 2026
1. Personal Data We Collect
- Identity Data: Full name, date of birth, gender, profile photo.
- Sensitive Personal Data (Biometric): Facial recognition data used for identity verification (e-KYC). gigit processes biometric data under PDPA Section 26 with your explicit consent at the point of collection, and applies enhanced safeguards including encryption in transit and at rest, restricted access, and limited retention (see Section 5).
- Contact Data: Mobile number, email address, physical address, and social media identifiers (e.g., Line ID).
- Official Documents: Photos of Thai National ID Card or Thai Passport, submitted via our identity verification provider.
- Financial Data: Bank account numbers for payouts and encrypted payment card information. Raw payment card details and bank account numbers are processed and stored by our Payment Service Provider; gigit retains only references and transaction records.
- Location and Technical Data: Real-time GPS location (Latitude/Longitude) for matching nearby Tasks, IP Address, device information, and Platform chat history.
- Performance and Reputation Data: Reliability Rating (for gigit heroes), Completion Rating (for Employers), ratings, reviews, completion history, cancellation history, and dispute outcomes.
2. Purposes of Data Processing
gigit processes your personal data under the following legal bases:
- Contractual Basis: To create and manage user accounts, facilitate Task matching between Employers and gigit heroes, operate the Safe Payment System (Reserved Payment / escrow), and ensure Task delivery.
- Legitimate Interest: To maintain Platform security, prevent fraud, monitor for unauthorised off-platform contact exchange, resolve disputes, maintain Reliability and Completion Ratings and Platform reputation metrics, and improve application performance. gigit has assessed these legitimate interests against the rights and interests of data subjects and concluded that they are not overridden, and applies additional safeguards (including data minimisation and access controls) to reduce impact on data subjects.
- Legal Obligation: To comply with relevant laws, including the Digital Platform Act B.E. 2566, the Thai Revenue Code, anti-money-laundering requirements, and orders from government authorities.
- Consent: For marketing communications, promotions, or specific notifications that you choose to receive, and for the processing of biometric data under Section 1.
3. Disclosure of Personal Data to Third Parties
gigit will disclose only the necessary data to the following parties:
- Counterparties: Employers and gigit heroes will see each other's profile data and reviews to facilitate hiring decisions.
- Third-Party Service Providers: Identity verification providers (who process biometric data and KYC documents on gigit's behalf), the Payment Service Provider (who processes payment card and bank account data), cloud hosting providers, analytics providers, and other authorised data processors engaged by gigit.
- Government Authorities: When required by a court order or as mandated by law.
4. Cross-Border Data Transfers
Some of gigit's third-party service providers (including cloud hosting and analytics providers) may process personal data outside of Thailand. Where personal data is transferred outside Thailand, gigit will ensure adequate safeguards in accordance with PDPA Sections 28 and 29, including by entering into appropriate contractual protections with the relevant processors. A list of current cross-border data destinations and safeguards is available on request.
5. Data Retention
gigit retains personal data only for as long as necessary for the purposes set out in this Policy:
- Account profile and Platform activity data — for the duration of your account. On account closure, this data is deleted from gigit's systems, except where retention is required by law.
- Identity verification data (including biometric data and KYC documents) — gigit does not store raw biometric data or KYC documentation. This data is held by our identity verification provider in accordance with their own privacy policy and retention practices. gigit retains only a record of verification status.
- Financial and payment data — gigit does not store payment card details or bank account numbers. These are held by the Payment Service Provider. gigit retains transaction records (Booking IDs, amounts, dates, parties) as required by Thai tax and accounting law, typically for 5 years from the end of the relevant tax period.
- Platform communications (chat logs, support records) — for 2 years from last activity or until account closure, whichever is later.
- Dispute evidence — for 3 years from dispute resolution.
- Records required to comply with legal obligations (anti-money-laundering, court orders, regulatory requests) — for the period required by the relevant law.
Where retention is not specifically required by law, gigit applies the shortest practicable period.
6. Your Rights Under the PDPA
You hold the following rights under the PDPA in respect of your personal data held by gigit:
- Right of Access — to request a copy of your personal data and information about how it is processed.
- Right to Rectification — to correct inaccurate or incomplete data.
- Right to Erasure — to request deletion of your personal data where the legal basis no longer applies.
- Right to Restriction of Processing — to request that gigit limit its processing of your data in certain circumstances.
- Right to Data Portability — to receive your personal data in a structured, commonly used format, or have it transferred to another data controller where technically feasible.
- Right to Object — to object to the processing of your data on grounds of legitimate interests or for direct marketing.
- Right to Withdraw Consent — where processing is based on consent, to withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
- Right to Lodge a Complaint — to file a complaint with the Personal Data Protection Committee of Thailand (PDPC) if you believe gigit's processing of your data does not comply with the PDPA.
How to exercise your rights.
Contact gigit's Data Protection Officer at privacy@gigit.asia with your request and proof of identity. gigit will respond within 30 days of receiving a complete request. Requests are free of charge unless manifestly unfounded or excessive. If your request is denied in whole or in part, gigit will explain the reason and your right to complain to the PDPC.
7. Marketing Communications
Where gigit provides the option to receive marketing communications, you may opt in or out at any time via in-app settings or by contacting privacy@gigit.asia. Opting out of marketing does not affect service-related communications you receive about your account, Bookings, or disputes.
The gigit Website may use cookies and similar technologies to operate, secure, and improve the service. Where cookies are used, full details — including how to manage your preferences — will be set out in gigit's Cookie Policy, published on the Website.
9. Automated Calculations
gigit uses automated logic to calculate certain Platform metrics, including Reliability Ratings (for gigit heroes) and Completion Ratings (for Employers), based on objective inputs such as Task completion rates, cancellation history, and feedback from other Users. These ratings inform Platform decisions about visibility and account standing but do not automatically result in account suspension or termination. Account decisions involving suspension or termination involve human review.
10. Security and Accuracy
gigit utilises data encryption technology and strictly limits data access to authorised personnel only (Access Control) to prevent data leaks, unauthorised access, or misuse.
gigit takes reasonable steps to ensure that personal data held about you is accurate, complete, and up-to-date. You are responsible for keeping your account information current and notifying gigit of any changes.
11. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of data subjects, gigit will notify the Office of the Personal Data Protection Commission (PDPC) without undue delay and where feasible within 72 hours of becoming aware of the breach, in accordance with PDPA Section 37. Where the breach is likely to result in a high risk to affected data subjects, gigit will also notify those data subjects without undue delay.
12. Data of Minors
The Platform is restricted to Users aged 18 and over. gigit does not knowingly collect personal data from minors. If gigit becomes aware that personal data of a minor has been collected, it will be deleted promptly. Where a Task involves contact with a minor (for example, childcare for an Employer's child), data about that minor may be processed only as necessary for the Task and in accordance with the Employer's instructions.
13. Contact Us
If you have questions or wish to exercise your rights regarding your personal data, please contact:
GIGIT Company Limited Email: privacy@gigit.asia Live Chat: Via the gigit application.
If you believe the processing of your data does not comply with the law, you may file a complaint with the Office of the Personal Data Protection Commission (PDPC).
Thai version is in the original Drive document; not reviewed at this stage.