personaX Privacy Policy
English Reference Version - v1.2 Draft
Effective Date: 8 June 2026
The Thai version is the legally binding and controlling version.
1. Introduction and Data Controller
TENSOR ART HK LIMITED ("personaX", "we", "us", or "our", CR No. 77289411, BR No. 77289411, RM 1903, 19/F LEE GARDEN ONE, 33 HYSAN AVENUE, CAUSEWAY BAY, HONG KONG) operates the personaX mobile application (the "Service"). This Privacy Policy explains how we collect, use, disclose, transfer, retain, and protect Personal Data in connection with the Service, including under the Personal Data Protection Act B.E. 2562 ("PDPA") of the Kingdom of Thailand.
By using the Service, you acknowledge this Privacy Policy. This Policy applies together with our Terms of Service. Where specific processing requires consent, we will request it separately.
Data Protection Contact: personax@echo.tech
Thailand Local Representative: If a local representative is required under applicable PDPA rules, we will publish the representative's details in this Policy. Until then, privacy inquiries may be sent to personax@echo.tech.
2. Data We Collect, Why, and Legal Basis
The table below summarises the Personal Data we may collect, how it is collected, why we use it, and the legal basis under the PDPA.
| Data collected | How / when | Purpose | Legal basis (PDPA) |
|---|---|---|---|
| Email address, hashed password | You provide at registration or login | Account creation, authentication, account security | Contract (s.24(3)) |
| Display name, avatar, bio, profile preferences | You provide or edit in the Service | Profile and community features; personalization | Contract (s.24(3)) |
| Account identifiers, including user ID and session identifiers | Created or assigned when you register or use the Service | Account operation; authentication; support; fraud prevention; enforcement | Contract (s.24(3)) / Legitimate interest (s.24(5)) |
| User Content, including OCs, generated images or videos, generation history, posts, comments, profile content, uploaded or reference images | You create, upload, generate, or post | Core Service features; public display where you choose to publish; moderation; safety review; responding to reports | Contract (s.24(3)) / Legitimate interest (s.24(5)) |
| Reports, feedback, appeals, safety actions, and moderation notes | When you report content or users, send feedback, appeal decisions, or when we review safety issues | Content and user moderation; enforcing Terms; preventing abuse; responding to appeals, user requests, and legal requests | Legitimate interest (s.24(5)) / Legal obligation (s.24(6)) |
| AI prompts, reference images, AI chatbot messages, AI-generated outputs, and related metadata | You input to or receive from AI features | Sending to AI model infrastructure or providers to generate outputs; operating AI chatbot features; abuse detection; safety review; responding to in-App reports or flags | Contract (s.24(3)) / Legitimate interest (s.24(5)) |
| Device model, OS version, app version, language, timezone, device identifiers, Android ID or similar device IDs, push registration identifiers | Automatically collected when you use the Service or enable notifications | Service operation; analytics; crash reporting; fraud prevention; notification delivery; account and device security | Legitimate interest (s.24(5)) / Consent where required (s.24(1)) |
| IP address, carrier, network status, connection type | Automatically collected when you use the Service | Security; fraud prevention; service routing; abuse detection; analytics | Legitimate interest (s.24(5)) |
| Feature usage, actions, session data, event logs, error logs, crash logs | Automatically collected through the App and SDKs | Service improvement; analytics; troubleshooting; crash reporting; fraud prevention; safety | Legitimate interest (s.24(5)) |
| Advertising identifiers such as Android Advertising ID or Apple IDFA, if enabled and available | Collected by the App or SDKs subject to device settings and platform permissions | Analytics, attribution, fraud prevention, or advertising only if such features are enabled and disclosed in the App and platform data safety forms | Consent (s.24(1)) / Legitimate interest (s.24(5)), as applicable |
| Camera, photo picker, media, file, or storage access | Only when you initiate an upload, capture, generation, editing, or media-related feature and grant relevant permissions | Uploading or creating images, videos, or other media for Service features | Contract (s.24(3)) / Consent where required (s.24(1)) |
| Push notification token | When you grant notification permission or enable notifications | Delivering App notifications, service messages, and alerts | Consent (s.24(1)) |
| Email, push token, and marketing preferences | Registration, settings, or consent flows | Product updates and promotional messages where permitted | Consent (s.24(1)) |
| Support communications | When you contact us by email, forms, social media pages, customer support tools, or other support channels | Customer support; troubleshooting; responding to rights requests | Contract (s.24(3)) / Legitimate interest (s.24(5)) |
| Data required for legal compliance | As required by applicable law or lawful requests | Compliance with Thai law, platform rules, tax law, law enforcement requests, court orders, dispute handling | Legal obligation (s.24(6)) / Legitimate interest (s.24(5)) |
We do not intentionally collect biometric data, health data, financial account numbers, national ID numbers, or PDPA s.26 sensitive data unless you voluntarily include such information in User Content, prompts, messages, or support communications. Please do not submit sensitive information to the Service unless it is necessary.
Where we rely on consent, you may withdraw consent at any time through in-App settings where available or by contacting personax@echo.tech. Withdrawal does not affect processing that occurred before withdrawal.
3. App Permissions and Platform Disclosures
The App may request platform permissions depending on your device, operating system, SDK behavior, and features you use. These may include camera, photo picker or media access, notifications, network status, and storage or file access. Some third-party SDKs may also declare permissions in the Android package for compatibility.
We only use runtime permissions when needed for a feature you choose to use or for Service operation, security, analytics, crash reporting, push notification delivery, or fraud prevention. If a permission is not needed for the Service, we aim to remove it or keep it inactive.
Platform permission prompts, Google Play Data safety disclosures, and this Policy should be read together. If we introduce new permission-based features, we will update this Policy and applicable platform disclosures.
4. How AI Features Process Your Data
Self-hosted open-source models. We operate certain AI models on our own or affiliated infrastructure, including infrastructure located in Mainland China. Your prompts, reference images, and related inputs may be sent to these servers to generate outputs. We deploy open-source and community models, including models from or used by our affiliated service TensorArt. We do not use your content to train or fine-tune personaX or TensorArt models without your separate explicit consent.
Third-party AI providers. Some features may use third-party AI models or infrastructure:
| Provider | Purpose | Location | Training / use policy |
|---|---|---|---|
| Google Gemini API | Image generation, AI chatbot features, text processing, safety or content processing | Google-operated infrastructure, including the United States and other jurisdictions where Google processes API requests | Subject to Google's applicable API terms and data processing terms |
| ByteDance / Volcengine Doubao or Seedream APIs | Image generation and image editing | Volcengine-operated infrastructure, including Mainland China and other jurisdictions where Volcengine processes API requests | Subject to Volcengine's applicable API, privacy, and data security terms |
| Alibaba Cloud / Qwen APIs | AI chatbot features, image or text processing, model inference | Alibaba Cloud / Qwen-operated infrastructure, including Mainland China, Singapore, and other jurisdictions where Alibaba Cloud or Qwen processes API requests | Subject to Alibaba Cloud / Qwen applicable terms for the API route used |
If AI-generated images, videos, OC generation results, generation history items, or AI chatbot responses are offensive, unlawful, unsafe, or otherwise objectionable, you may report or flag them through in-App reporting or feedback tools. We use reports to review specific outputs, enforce our Terms, improve safety controls, and meet platform policy requirements.
We will not sell your AI inputs or outputs to third parties. We will not use them to train personaX or TensorArt-owned models without your explicit consent, except to the extent necessary to operate, secure, moderate, debug, and improve the Service in accordance with this Policy.
5. Third-Party Providers, SDKs, Affiliates, and Data Transfers
We use service providers and SDKs to operate the Service. Depending on the App version and enabled features, these may include:
| Provider / SDK category | Example providers or SDKs | Purpose |
|---|---|---|
| Cloud hosting, storage, and content delivery | TensorArt affiliated infrastructure, Alibaba Cloud / OSS, other cloud or CDN providers | Hosting, media storage, delivery, AI inference, file upload and download |
| AI model providers | Google Gemini, Volcengine / Doubao / Seedream, Alibaba Cloud / Qwen | AI generation, chatbot, image editing, text or safety processing |
| Analytics, event tracking, and diagnostics | Sensors Analytics, UBT or internal analytics tools | Usage analytics, event tracking, service improvement, fraud prevention |
| Crash reporting and stability | Firebase services, Bugly, platform diagnostics tools | Crash reporting, troubleshooting, performance and stability analysis |
| Push notifications | Firebase Cloud Messaging, EngageLab | Push token management and notification delivery |
| Payment, app linking, and platform integrations | Google Play, Alipay, WeChat SDK, Huawei services where applicable | Payments, app-to-app interactions, login or platform services where enabled |
| Customer support and communications | Email systems, customer support tools, social media pages, forms | Support, rights requests, account deletion requests, user communications |
These providers may process Personal Data only for the purposes described in this Policy and according to applicable agreements, platform rules, or provider terms. Some providers may act as independent controllers for data processed through their own services, such as social media pages or payment platforms.
TensorArt affiliate. personaX and TensorArt are operated under the same corporate entity, TENSOR ART HK LIMITED. We may share data within this entity for shared infrastructure, AI inference, fraud prevention, safety, moderation, support, and aggregated analytics. We do not share individual User Content between personaX and TensorArt for unrelated marketing purposes without your separate consent.
Cross-border transfers. Your data may be transferred to or processed in: (i) Hong Kong SAR; (ii) Mainland China; (iii) the United States; (iv) Singapore; and (v) other jurisdictions where our cloud, AI, analytics, crash reporting, notification, email, support, and infrastructure providers operate. Where required by applicable law, we rely on contractual safeguards, technical measures such as encryption and access controls, and other lawful transfer mechanisms.
Legal disclosures. We may disclose Personal Data without consent where permitted or required by law, including to comply with court orders, regulator requests, law enforcement requests, platform policy enforcement, Thai Computer Crime Act obligations, tax or accounting obligations, to enforce our Terms, to protect safety, to prevent fraud or abuse, or in a corporate transaction where the acquirer agrees to appropriate privacy commitments.
6. Data Retention
| Data | Retention period |
|---|---|
| Account data, including email and hashed password | Account lifetime + up to 90 days after deletion, unless longer retention is required by law, security, fraud prevention, or dispute handling |
| Public User Content, including posts, comments, OCs, and public generated content | Account lifetime; removed from public display on deletion where applicable; backups purged within a reasonable period, generally up to 90 days |
| AI prompts, AI chatbot conversations, generated outputs, generation history, and related metadata | Account lifetime or until you delete them where deletion is available; certain logs may be retained up to 90 days for abuse detection, safety review, security, and troubleshooting; longer if legally required |
| Login, device, analytics, event, crash, and security logs | Generally 6-12 months, unless longer retention is needed for security, abuse prevention, legal compliance, or dispute handling |
| Reports, feedback, appeals, safety actions, and moderation records | Up to 2 years; longer if needed for serious abuse, legal compliance, dispute handling, or safety protection |
| Payment or transaction records, if payment features are introduced | As required by tax, accounting, platform, and payment rules, generally up to 5 years or longer where legally required |
| Suspended or terminated account data | Up to 90 days for appeal and enforcement review; then deleted or anonymized unless longer retention is required |
7. Your Rights and Account Deletion
You have the right to access, rectify, erase, restrict, object to, and port your Personal Data; withdraw consent at any time; and lodge a complaint with the PDPC (https://www.pdpc.or.th / pdpc@mdes.go.th).
You can exercise certain rights directly in the App, including account deletion where available, data access where available, and marketing opt-out where available.
You may also request account deletion and associated data deletion outside the App through our account deletion request page:
personaX Account Deletion Request
For other privacy requests, contact personax@echo.tech. We respond within 30 days unless a different period is required or permitted by applicable law. Identity verification may be required before we fulfill a request.
When you request account deletion, we delete or anonymize your account and associated data, subject to data we must retain for legal compliance, security, fraud prevention, dispute handling, accounting, platform enforcement, or other legitimate reasons disclosed in this Policy.
8. Security, Children, Marketing, and Tracking
Security. We use technical and organizational measures designed to protect Personal Data, including encryption in transit where supported, hashed password storage, access controls, monitoring, and incident response procedures. AI chatbot conversations, prompts, posts, comments, and generated content are not end-to-end encrypted. Please do not share sensitive information such as ID numbers, bank details, passwords, health information, or other highly sensitive data in prompts, chats, posts, comments, or uploads.
If a high-risk personal data breach occurs, we will notify affected users and applicable regulators where required by law, including PDPA s.37(4) where applicable.
Children. The Service is not intended for children under 13 or under the minimum age required in their country or region. If a user is under 18, they must have permission from a parent or legal guardian to use the Service. We do not knowingly collect Personal Data from anyone below the applicable minimum age. If we discover such data, we will delete it and terminate the account where required. Contact personax@echo.tech if you believe a child below the applicable minimum age has shared data with us.
Marketing. We send promotional emails and push notifications only with consent where required. You can opt out through in-App settings where available, email unsubscribe links where provided, device notification settings, or personax@echo.tech. Transactional messages such as security alerts, Terms updates, support replies, and service notices may continue.
Tracking and Data Safety consistency. We use device identifiers, user IDs, system version, device model, usage events, SDK-based analytics, crash logs, and security logs for session management, preference memory, service improvement, crash reporting, fraud prevention, safety, and platform compliance. We do not currently serve third-party advertising. If advertising is introduced, we will update this Policy, in-App disclosures, and applicable platform data safety declarations, and obtain consent where required.
9. Changes, Language, and Contact
Changes. We may update this Policy from time to time. Material changes will be notified by email, in-App notice, push notification, or other appropriate method at least 14 days before taking effect where required by law. Continued use of the Service after the effective date means you acknowledge the updated Policy.
Language. This Policy is available in Thai and English. The Thai version is the legally binding and controlling version.
Company: TENSOR ART HK LIMITED
Company Registration No.: 77289411
Business Registration No.: 77289411
Registered Address: RM 1903, 19/F LEE GARDEN ONE, 33 HYSAN AVENUE, CAUSEWAY BAY, HONG KONG
All Inquiries (Support / Legal / PDPA): personax@echo.tech
PDPC (regulator): https://www.pdpc.or.th | pdpc@mdes.go.th
-- End of Privacy Policy --
personaX Privacy Policy
English Reference Version - v1.2 Draft
Effective Date: 8 June 2026
The Thai version is the legally binding and controlling version.
1. Introduction and Data Controller
TENSOR ART HK LIMITED ("personaX", "we", "us", or "our", CR No. 77289411, BR No. 77289411, RM 1903, 19/F LEE GARDEN ONE, 33 HYSAN AVENUE, CAUSEWAY BAY, HONG KONG) operates the personaX mobile application (the "Service"). This Privacy Policy explains how we collect, use, disclose, transfer, retain, and protect Personal Data in connection with the Service, including under the Personal Data Protection Act B.E. 2562 ("PDPA") of the Kingdom of Thailand.
By using the Service, you acknowledge this Privacy Policy. This Policy applies together with our Terms of Service. Where specific processing requires consent, we will request it separately.
Data Protection Contact: personax@echo.tech
Thailand Local Representative: If a local representative is required under applicable PDPA rules, we will publish the representative's details in this Policy. Until then, privacy inquiries may be sent to personax@echo.tech.
2. Data We Collect, Why, and Legal Basis
The table below summarises the Personal Data we may collect, how it is collected, why we use it, and the legal basis under the PDPA.
| Data collected | How / when | Purpose | Legal basis (PDPA) |
|---|---|---|---|
| Email address, hashed password | You provide at registration or login | Account creation, authentication, account security | Contract (s.24(3)) |
| Display name, avatar, bio, profile preferences | You provide or edit in the Service | Profile and community features; personalization | Contract (s.24(3)) |
| Account identifiers, including user ID and session identifiers | Created or assigned when you register or use the Service | Account operation; authentication; support; fraud prevention; enforcement | Contract (s.24(3)) / Legitimate interest (s.24(5)) |
| User Content, including OCs, generated images or videos, generation history, posts, comments, profile content, uploaded or reference images | You create, upload, generate, or post | Core Service features; public display where you choose to publish; moderation; safety review; responding to reports | Contract (s.24(3)) / Legitimate interest (s.24(5)) |
| Reports, feedback, appeals, safety actions, and moderation notes | When you report content or users, send feedback, appeal decisions, or when we review safety issues | Content and user moderation; enforcing Terms; preventing abuse; responding to appeals, user requests, and legal requests | Legitimate interest (s.24(5)) / Legal obligation (s.24(6)) |
| AI prompts, reference images, AI chatbot messages, AI-generated outputs, and related metadata | You input to or receive from AI features | Sending to AI model infrastructure or providers to generate outputs; operating AI chatbot features; abuse detection; safety review; responding to in-App reports or flags | Contract (s.24(3)) / Legitimate interest (s.24(5)) |
| Device model, OS version, app version, language, timezone, device identifiers, Android ID or similar device IDs, push registration identifiers | Automatically collected when you use the Service or enable notifications | Service operation; analytics; crash reporting; fraud prevention; notification delivery; account and device security | Legitimate interest (s.24(5)) / Consent where required (s.24(1)) |
| IP address, carrier, network status, connection type | Automatically collected when you use the Service | Security; fraud prevention; service routing; abuse detection; analytics | Legitimate interest (s.24(5)) |
| Feature usage, actions, session data, event logs, error logs, crash logs | Automatically collected through the App and SDKs | Service improvement; analytics; troubleshooting; crash reporting; fraud prevention; safety | Legitimate interest (s.24(5)) |
| Advertising identifiers such as Android Advertising ID or Apple IDFA, if enabled and available | Collected by the App or SDKs subject to device settings and platform permissions | Analytics, attribution, fraud prevention, or advertising only if such features are enabled and disclosed in the App and platform data safety forms | Consent (s.24(1)) / Legitimate interest (s.24(5)), as applicable |
| Camera, photo picker, media, file, or storage access | Only when you initiate an upload, capture, generation, editing, or media-related feature and grant relevant permissions | Uploading or creating images, videos, or other media for Service features | Contract (s.24(3)) / Consent where required (s.24(1)) |
| Push notification token | When you grant notification permission or enable notifications | Delivering App notifications, service messages, and alerts | Consent (s.24(1)) |
| Email, push token, and marketing preferences | Registration, settings, or consent flows | Product updates and promotional messages where permitted | Consent (s.24(1)) |
| Support communications | When you contact us by email, forms, social media pages, customer support tools, or other support channels | Customer support; troubleshooting; responding to rights requests | Contract (s.24(3)) / Legitimate interest (s.24(5)) |
| Data required for legal compliance | As required by applicable law or lawful requests | Compliance with Thai law, platform rules, tax law, law enforcement requests, court orders, dispute handling | Legal obligation (s.24(6)) / Legitimate interest (s.24(5)) |
We do not intentionally collect biometric data, health data, financial account numbers, national ID numbers, or PDPA s.26 sensitive data unless you voluntarily include such information in User Content, prompts, messages, or support communications. Please do not submit sensitive information to the Service unless it is necessary.
Where we rely on consent, you may withdraw consent at any time through in-App settings where available or by contacting personax@echo.tech. Withdrawal does not affect processing that occurred before withdrawal.
3. App Permissions and Platform Disclosures
The App may request platform permissions depending on your device, operating system, SDK behavior, and features you use. These may include camera, photo picker or media access, notifications, network status, and storage or file access. Some third-party SDKs may also declare permissions in the Android package for compatibility.
We only use runtime permissions when needed for a feature you choose to use or for Service operation, security, analytics, crash reporting, push notification delivery, or fraud prevention. If a permission is not needed for the Service, we aim to remove it or keep it inactive.
Platform permission prompts, Google Play Data safety disclosures, and this Policy should be read together. If we introduce new permission-based features, we will update this Policy and applicable platform disclosures.
4. How AI Features Process Your Data
Self-hosted open-source models. We operate certain AI models on our own or affiliated infrastructure, including infrastructure located in Mainland China. Your prompts, reference images, and related inputs may be sent to these servers to generate outputs. We deploy open-source and community models, including models from or used by our affiliated service TensorArt. We do not use your content to train or fine-tune personaX or TensorArt models without your separate explicit consent.
Third-party AI providers. Some features may use third-party AI models or infrastructure:
| Provider | Purpose | Location | Training / use policy |
|---|---|---|---|
| Google Gemini API | Image generation, AI chatbot features, text processing, safety or content processing | Google-operated infrastructure, including the United States and other jurisdictions where Google processes API requests | Subject to Google's applicable API terms and data processing terms |
| ByteDance / Volcengine Doubao or Seedream APIs | Image generation and image editing | Volcengine-operated infrastructure, including Mainland China and other jurisdictions where Volcengine processes API requests | Subject to Volcengine's applicable API, privacy, and data security terms |
| Alibaba Cloud / Qwen APIs | AI chatbot features, image or text processing, model inference | Alibaba Cloud / Qwen-operated infrastructure, including Mainland China, Singapore, and other jurisdictions where Alibaba Cloud or Qwen processes API requests | Subject to Alibaba Cloud / Qwen applicable terms for the API route used |
If AI-generated images, videos, OC generation results, generation history items, or AI chatbot responses are offensive, unlawful, unsafe, or otherwise objectionable, you may report or flag them through in-App reporting or feedback tools. We use reports to review specific outputs, enforce our Terms, improve safety controls, and meet platform policy requirements.
We will not sell your AI inputs or outputs to third parties. We will not use them to train personaX or TensorArt-owned models without your explicit consent, except to the extent necessary to operate, secure, moderate, debug, and improve the Service in accordance with this Policy.
5. Third-Party Providers, SDKs, Affiliates, and Data Transfers
We use service providers and SDKs to operate the Service. Depending on the App version and enabled features, these may include:
| Provider / SDK category | Example providers or SDKs | Purpose |
|---|---|---|
| Cloud hosting, storage, and content delivery | TensorArt affiliated infrastructure, Alibaba Cloud / OSS, other cloud or CDN providers | Hosting, media storage, delivery, AI inference, file upload and download |
| AI model providers | Google Gemini, Volcengine / Doubao / Seedream, Alibaba Cloud / Qwen | AI generation, chatbot, image editing, text or safety processing |
| Analytics, event tracking, and diagnostics | Sensors Analytics, UBT or internal analytics tools | Usage analytics, event tracking, service improvement, fraud prevention |
| Crash reporting and stability | Firebase services, Bugly, platform diagnostics tools | Crash reporting, troubleshooting, performance and stability analysis |
| Push notifications | Firebase Cloud Messaging, EngageLab | Push token management and notification delivery |
| Payment, app linking, and platform integrations | Google Play, Alipay, WeChat SDK, Huawei services where applicable | Payments, app-to-app interactions, login or platform services where enabled |
| Customer support and communications | Email systems, customer support tools, social media pages, forms | Support, rights requests, account deletion requests, user communications |
These providers may process Personal Data only for the purposes described in this Policy and according to applicable agreements, platform rules, or provider terms. Some providers may act as independent controllers for data processed through their own services, such as social media pages or payment platforms.
TensorArt affiliate. personaX and TensorArt are operated under the same corporate entity, TENSOR ART HK LIMITED. We may share data within this entity for shared infrastructure, AI inference, fraud prevention, safety, moderation, support, and aggregated analytics. We do not share individual User Content between personaX and TensorArt for unrelated marketing purposes without your separate consent.
Cross-border transfers. Your data may be transferred to or processed in: (i) Hong Kong SAR; (ii) Mainland China; (iii) the United States; (iv) Singapore; and (v) other jurisdictions where our cloud, AI, analytics, crash reporting, notification, email, support, and infrastructure providers operate. Where required by applicable law, we rely on contractual safeguards, technical measures such as encryption and access controls, and other lawful transfer mechanisms.
Legal disclosures. We may disclose Personal Data without consent where permitted or required by law, including to comply with court orders, regulator requests, law enforcement requests, platform policy enforcement, Thai Computer Crime Act obligations, tax or accounting obligations, to enforce our Terms, to protect safety, to prevent fraud or abuse, or in a corporate transaction where the acquirer agrees to appropriate privacy commitments.
6. Data Retention
| Data | Retention period |
|---|---|
| Account data, including email and hashed password | Account lifetime + up to 90 days after deletion, unless longer retention is required by law, security, fraud prevention, or dispute handling |
| Public User Content, including posts, comments, OCs, and public generated content | Account lifetime; removed from public display on deletion where applicable; backups purged within a reasonable period, generally up to 90 days |
| AI prompts, AI chatbot conversations, generated outputs, generation history, and related metadata | Account lifetime or until you delete them where deletion is available; certain logs may be retained up to 90 days for abuse detection, safety review, security, and troubleshooting; longer if legally required |
| Login, device, analytics, event, crash, and security logs | Generally 6-12 months, unless longer retention is needed for security, abuse prevention, legal compliance, or dispute handling |
| Reports, feedback, appeals, safety actions, and moderation records | Up to 2 years; longer if needed for serious abuse, legal compliance, dispute handling, or safety protection |
| Payment or transaction records, if payment features are introduced | As required by tax, accounting, platform, and payment rules, generally up to 5 years or longer where legally required |
| Suspended or terminated account data | Up to 90 days for appeal and enforcement review; then deleted or anonymized unless longer retention is required |
7. Your Rights and Account Deletion
You have the right to access, rectify, erase, restrict, object to, and port your Personal Data; withdraw consent at any time; and lodge a complaint with the PDPC (https://www.pdpc.or.th / pdpc@mdes.go.th).
You can exercise certain rights directly in the App, including account deletion where available, data access where available, and marketing opt-out where available.
You may also request account deletion and associated data deletion outside the App through our account deletion request page:
personaX Account Deletion Request
For other privacy requests, contact personax@echo.tech. We respond within 30 days unless a different period is required or permitted by applicable law. Identity verification may be required before we fulfill a request.
When you request account deletion, we delete or anonymize your account and associated data, subject to data we must retain for legal compliance, security, fraud prevention, dispute handling, accounting, platform enforcement, or other legitimate reasons disclosed in this Policy.
8. Security, Children, Marketing, and Tracking
Security. We use technical and organizational measures designed to protect Personal Data, including encryption in transit where supported, hashed password storage, access controls, monitoring, and incident response procedures. AI chatbot conversations, prompts, posts, comments, and generated content are not end-to-end encrypted. Please do not share sensitive information such as ID numbers, bank details, passwords, health information, or other highly sensitive data in prompts, chats, posts, comments, or uploads.
If a high-risk personal data breach occurs, we will notify affected users and applicable regulators where required by law, including PDPA s.37(4) where applicable.
Children. The Service is not intended for children under 13 or under the minimum age required in their country or region. If a user is under 18, they must have permission from a parent or legal guardian to use the Service. We do not knowingly collect Personal Data from anyone below the applicable minimum age. If we discover such data, we will delete it and terminate the account where required. Contact personax@echo.tech if you believe a child below the applicable minimum age has shared data with us.
Marketing. We send promotional emails and push notifications only with consent where required. You can opt out through in-App settings where available, email unsubscribe links where provided, device notification settings, or personax@echo.tech. Transactional messages such as security alerts, Terms updates, support replies, and service notices may continue.
Tracking and Data Safety consistency. We use device identifiers, user IDs, system version, device model, usage events, SDK-based analytics, crash logs, and security logs for session management, preference memory, service improvement, crash reporting, fraud prevention, safety, and platform compliance. We do not currently serve third-party advertising. If advertising is introduced, we will update this Policy, in-App disclosures, and applicable platform data safety declarations, and obtain consent where required.
9. Changes, Language, and Contact
Changes. We may update this Policy from time to time. Material changes will be notified by email, in-App notice, push notification, or other appropriate method at least 14 days before taking effect where required by law. Continued use of the Service after the effective date means you acknowledge the updated Policy.
Language. This Policy is available in Thai and English. The Thai version is the legally binding and controlling version.
Company: TENSOR ART HK LIMITED
Company Registration No.: 77289411
Business Registration No.: 77289411
Registered Address: RM 1903, 19/F LEE GARDEN ONE, 33 HYSAN AVENUE, CAUSEWAY BAY, HONG KONG
All Inquiries (Support / Legal / PDPA): personax@echo.tech
PDPC (regulator): https://www.pdpc.or.th | pdpc@mdes.go.th
-- End of Privacy Policy --