1. Overview
Sawasdee Health is a service of Meridian Compass LLC, a Wyoming limited liability company (“Sawasdee Health,” “we,” “us,” or “our”). This Privacy Policy describes how we handle personal data when you visit our website, communicate with us, evaluate or subscribe to the Service, or interact with the AI agent on a clinic surface that uses our Service.
This policy is written to comply with Thailand’s Personal Data Protection Act (PDPA), the EU and UK General Data Protection Regulation (GDPR), and applicable US state privacy laws. Where a jurisdiction grants you greater rights than described here, those rights apply.
2. Our role: controller vs. processor
Our role under data-protection law depends on the data:
- We act as the controller when we decide why and how to process personal data — for example, data about visitors to our marketing website, prospects, customer-account contacts, billing contacts, and recipients of our marketing communications.
- We act as a processor when we process personal data on behalf of a clinic that subscribes to the Service. This includes End User data flowing through the agent: chat transcripts, contact details, treatment intent, and booking information. The clinic is the controller for that data, and our processing of it is governed by our Data Processing Addendum and the clinic’s own privacy notice.
If you contacted a clinic through an agent powered by Sawasdee Health and want to exercise your rights over that conversation data, please contact the clinic directly. If they do not respond, we will assist as their processor and route your request to them.
3. Personal data we collect
3.1 When you visit our website
- Device and log data: IP address, approximate location derived from IP, device type, browser type, operating system, referring/exit URLs, pages viewed, timestamps.
- Communications: if you submit our waitlist form, request a demo, or email us, we receive your name, email, organization, website URL, and the contents of your message.
3.2 When you create an account or evaluate the Service
- Identifiers: name, work email, organization, role, country.
- Account configuration: clinic website URL, channels you connect (web widget, WhatsApp, LINE), calendar configuration, knowledge-base content you provide.
- Authentication data: hashed passwords, session tokens, OAuth tokens for third-party services you connect (Google Calendar, WhatsApp Business, LINE).
3.3 When you pay for the Service
- Billing contact details, billing address, tax identifier (where required), and payment-method metadata such as card brand and last four digits.
- We do not store full card numbers. Payments are processed and tokenized by Stripe.
3.4 When you use the Service
- Service usage logs: API calls, dashboard activity, errors, performance metrics.
- Customer-supplied content: knowledge base derived from your website, custom prompts, agent configuration.
3.5 End User chat data (processed on behalf of clinics)
- Conversation transcripts, contact details an End User provides (such as name, email, phone), stated treatment interest, and booking details.
- We process this on behalf of the clinic in our role as processor. Sensitive or special-category data (including health-related information) may be present in chat transcripts; we apply appropriate safeguards, but the clinic remains the controller.
4. Where we get it
We collect personal data from:
- You, when you provide it directly through the website, dashboard, or email.
- Your devices, automatically through cookies and similar technologies (see Section 12).
- Third-party services you connect, such as Google for calendar events, Meta for WhatsApp delivery metadata, and LINE for messaging metadata.
- Public sources used for sales and marketing, such as your clinic website and publicly listed business directories.
5. How and why we use it
We use personal data to:
- provide, maintain, and secure the Service, including authenticating users and operating the chat agent;
- process payments, prevent fraud, and meet financial-record requirements;
- communicate with you about your account, the Service, security alerts, and policy updates;
- respond to questions, sales inquiries, and demo requests;
- send marketing communications about products you may find useful, where permitted by law and subject to your right to opt out;
- improve the Service through aggregated analytics, error monitoring, and de-identified product research;
- comply with law, respond to lawful requests by public authorities, and enforce our agreements.
We do not use End User chat content to train general-purpose AI models. We use de-identified, aggregated signals to operate and improve the Service. Our model providers operate under zero-retention or no-training-on-customer-data terms where available; see Section 8.
6. Lawful bases for processing
Where the GDPR or PDPA applies to our processing as a controller, we rely on the following lawful bases:
- Performance of a contract — to provide the Service to a customer, process payments, and communicate about the account.
- Legitimate interests — to operate, secure, and improve our website and Service; to prevent fraud; and to conduct B2B sales and marketing to organizations, balanced against your interests.
- Legal obligation — to comply with tax, accounting, consumer-protection, and other laws.
- Consent — for non-essential cookies, certain marketing messages, and any sensitive data we process directly. You may withdraw consent at any time without affecting prior processing.
7. How we share data
We share personal data:
- With service providers that help us run the Service (Section 8) under contracts that limit how they may use the data;
- With third-party platforms you connect at your instruction, such as Google, Meta, and LINE, to enable booking and messaging;
- With professional advisors (lawyers, accountants, auditors) under confidentiality;
- In a corporate transaction such as a merger, acquisition, financing, or sale of assets, subject to confidentiality and continued protection of the data;
- To comply with law, respond to a lawful request, or protect rights, safety, or property.
We do not sell personal data, and we do not share personal data for cross-context behavioral advertising.
8. Sub-processors and providers
We rely on the following categories of third-party providers. A current list of sub-processors used to process customer personal data is maintained alongside the DPA and is updated when material changes occur.
| Provider | Purpose | Region |
|---|---|---|
| Stripe, Inc. | Payment processing, billing, fraud prevention | United States |
| Supabase, Inc. | Database, authentication, file storage | Singapore (ap-southeast-1) |
| Anthropic, PBC | Large language model inference for the agent | United States |
| Vercel, Inc. | Hosting and content delivery for the Service and website | United States; global edge |
| Google LLC | Calendar booking integration (at customer’s instruction) | Global |
| Meta Platforms, Inc. | WhatsApp Business message delivery (at customer’s instruction) | Global |
| LY Corporation | LINE Messaging API delivery (at customer’s instruction) | Japan / Thailand |
| Resend, Inc. | Transactional and waitlist email | United States |
Note on AI providers. Where available, we configure model providers to operate under no-training and zero or limited data-retention settings for customer content. The agent uses the supplied knowledge base and conversation context to produce responses; outputs are not used to train general-purpose models.
9. International data transfers
We are based in the United States, and many of our providers operate globally. Personal data we process may be transferred to, and stored or processed in, countries outside Thailand, the EEA, or the UK, including the United States. Where required, we use legally recognized transfer mechanisms — for example, the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, and equivalent measures under the PDPA — and apply additional safeguards as appropriate.
10. Retention
We retain personal data only for as long as necessary for the purposes for which it was collected, including:
- Account and configuration data: for as long as the account is active, plus a reasonable period to handle disputes, comply with law, or restore from backup.
- Billing and tax records: for the period required by law (typically up to seven years).
- Server and security logs: typically up to twelve months, longer if needed for security investigations.
- End User chat transcripts: retained according to the clinic’s configured retention period (default: twenty-four months from the conversation, or shorter if the clinic specifies).
- Marketing data: until you opt out and for a reasonable period thereafter to honor your suppression request.
11. Your rights
Subject to applicable law, you may have the right to (a) access the personal data we hold about you, (b) correct it, (c) delete it, (d) restrict or object to certain processing, (e) port the data, (f) withdraw consent where consent is the basis for processing, and (g) lodge a complaint with a supervisory authority. To exercise these rights, email privacy@sawasdeehealth.com. We will respond within the time required by applicable law (typically thirty days). We may need to verify your identity before responding.
For data we process as a processor on behalf of a clinic, please contact the clinic. We will assist them as required by our DPA.
12. Cookies and similar technologies
Our marketing website uses a small number of cookies and similar technologies. Today these are limited to:
- Strictly necessary cookies that support session state, load balancing, and basic security.
- Analytics in privacy-respecting form to count visits and understand which pages are useful. Where required by law, we will ask for consent before setting non-essential analytics or marketing cookies, and you can manage consent through your browser or any consent banner we provide.
We do not currently use third-party advertising cookies on the marketing website. If that changes, we will update this policy and, where required, request consent.
13. Security
We implement administrative, technical, and physical safeguards designed to protect personal data, including encryption in transit and at rest, access controls and least-privilege role separation, audit logging, tenant isolation through row-level security, and a documented incident response process. No system is completely secure; we cannot guarantee absolute security. To report a vulnerability or suspected incident, email security@sawasdeehealth.com.
14. Children
The Service is intended for use by clinics and their authorized adult personnel. It is not directed to children, and we do not knowingly collect personal data from children under 13 (or the equivalent age in your jurisdiction). If you believe a child has provided personal data to us, contact us so we can delete it.
15. Jurisdiction-specific notices
15.1 Thailand (PDPA)
Where we process personal data of individuals in Thailand as a controller, the legal bases set out in Section 6 apply. You may exercise your rights under Sections 30–37 of the PDPA, including the right to access, copy, correct, delete, restrict, object, withdraw consent, and lodge a complaint with the Office of the Personal Data Protection Committee.
15.2 European Economic Area, United Kingdom, and Switzerland
For individuals in the EEA, the UK, or Switzerland, we process personal data under the GDPR and equivalent laws. You have the rights described in Section 11 and may complain to your local supervisory authority. Our EEA/UK representative, where required, is identified at privacy@sawasdeehealth.com.
15.3 California and other US states
Where US state privacy laws apply, you have the rights to know, delete, correct, and opt out of certain processing. We do not sell personal information and do not share personal information for cross-context behavioral advertising. To exercise your rights or designate an authorized agent, email privacy@sawasdeehealth.com.
16. Changes to this policy
We may update this Privacy Policy. If a change is material, we will give notice through the Service or by email. The date of the most recent update appears at the top of this page.
17. How to contact us
Meridian Compass LLC d/b/a Sawasdee Health, a Wyoming limited liability company. For privacy questions or requests, email privacy@sawasdeehealth.com. For other legal matters, email legal@sawasdeehealth.com.