Privacy Policy
Last updated: May 23, 2026
Yagantra Co., Ltd. ("Yagantra", "we", "us", or "our") operates a medical herb compliance and traceability platform for the Thai regulated market and the marketing website at yagantra.app. This Privacy Policy describes how we collect, use, store, and protect personal data, and explains your rights under the Personal Data Protection Act B.E. 2562 (PDPA). By accessing Yagantra or submitting your information to us, you acknowledge that you have read and understood this policy.
1. Who We Are
Yagantra Co., Ltd. is the data controller for personal data processed through the Yagantra platform and marketing website. Contact us at privacy@yagantra.app for privacy matters or hello@yagantra.app for general inquiries. Address: Bangkok, Thailand (full registered address to be updated upon company registration).
2. Personal Data We Collect
We collect different categories of personal data depending on how you interact with Yagantra.
- •Website and inquiry forms: full name, work email, phone number, organization name, role, message content, and server logs (IP address, browser type, timestamps).
- •Organizations (farms, labs, dispensaries): representative identity, organization details, regulatory documents (Thai FDA registration, GACP certificate, licenses, DTAM certificates with expiry dates), staff accounts, operational data (batches, inventory, orders, compliance records), and billing information.
- •Healthcare professionals (doctors): name, medical license number, DTAM training certificate, and PT.33 prescription records linked to hashed patient identifiers.
- •Patients: name, passport or national ID number, active PT.33 prescription data (validity, monthly limit, product type), purchase history, and a hashed patient identifier (SHA-256 with salt) used for network-wide limit enforcement.
- •All authenticated users: session tokens, authentication logs, and an immutable append-only audit trail of every action (actor, timestamp, action type).
3. How We Use Your Personal Data
We use your data for the following purposes.
- •Service delivery: operating the platform, authenticating users, enforcing access controls, processing transactions on the Farm-to-Dispensary portal.
- •Regulatory compliance: generating PT.27/PT.28/PT.29 dispensary reports and farm monthly reports; enforcing network-wide PT.33 limits per DTAM rules; maintaining records required by Thai medical herb regulation.
- •Verification and onboarding: verifying organizational and doctor licenses; alerting on document expiry at 60, 30, and 7 days before expiration.
- •Patient prescription management: enforcing one active PT.33 per patient; real-time monthly limit checks at point of sale.
- •Billing: generating invoices, processing payments, managing subscription and soft-suspension status.
- •Communications: transactional emails — OTP codes, document expiry alerts, compliance deadline reminders, billing notifications.
- •Security: fraud detection, unauthorized access monitoring, incident investigation via immutable audit trail.
4. Legal Basis for Processing (PDPA)
Under the PDPA B.E. 2562, we process personal data on the following lawful bases: contract performance (Section 24(3)) for account and operational data to deliver the SaaS service; legal obligation (Section 24(6)) for compliance records and audit trail required by Thai medical herb regulation; legitimate interests (Section 24(5)) for security logs and fraud prevention; and consent (Sections 24(1) and 26) for patient health data. You may withdraw consent at any time — see Section 9.
5. Patient Health Data — Special Category
Patient prescription and purchase data is sensitive personal data under PDPA Section 26. We apply heightened protections.
- •Explicit consent is obtained during patient registration before any health-related data is collected.
- •Patient passport and national ID numbers are encrypted at rest; only the encrypted value is stored.
- •All cross-system references use a hashed patient identifier (SHA-256 with a server-side salt); plain identity is never shared across organizational boundaries.
- •Access is restricted by role: dispensary staff see only the verification result and limit status. All Yagantra staff access to identifiable patient data is audit-logged with business justification.
- •Patients can view their own complete data through the Patient Portal at any time.
6. How We Share Your Data
We do not sell personal data. We share data only in the following circumstances.
- •Within the platform (role-based): each actor sees only their authorized data slice. No organization can view another organization's operational data.
- •Regulatory submissions: compliance reports (PT.27/PT.28/PT.29) are submitted to DTAM by the licensed operator — not automatically by Yagantra. We may share data with Thai authorities when required by law.
- •Service providers (data processors): Cloudflare R2 or AWS S3 for file storage; Resend or AWS SES for transactional email; Sentry for error monitoring (personally identifiable data is scrubbed before transmission). Each processor operates under a data processing agreement.
- •Business transfers: in the event of acquisition or merger, we will provide prior notice before any personal data transfer.
7. Data Retention
We retain personal data for the following periods.
- •Immutable audit trail and compliance records: indefinitely, as required by Thai medical herb regulation and DTAM rules.
- •Platform operational data (active accounts): duration of subscription plus 1 year after termination.
- •Billing records: 5 years (Thai Accounting Act requirements).
- •Patient health data: duration of active registration; non-regulatory components deleted on request.
- •Web inquiry form submissions: 12 months.
- •Server access logs: 90 days.
8. Data Security
We implement technical and organizational measures to protect personal data.
- •Encryption in transit: TLS 1.2+ for all connections.
- •Encryption at rest: patient passport and national IDs encrypted at the database level; uploaded documents stored in encrypted object storage.
- •Access controls: JWT tokens (15-minute validity) plus Redis-managed sessions; role-based access control enforced at the API layer.
- •Audit trail: all data access and modifications are logged in an append-only log that cannot itself be modified.
- •Security reviews: conducted before production launch and on a regular basis thereafter.
9. Your Rights Under the PDPA
To exercise any right below, email privacy@yagantra.app. We will respond within 30 days. We may verify your identity before processing a request.
- •Right to be informed: to know how we collect and use your data — this policy fulfills that obligation.
- •Right of access: to request a copy of the personal data we hold about you.
- •Right to data portability: to receive your data in a structured, machine-readable format.
- •Right to rectification: to request correction of inaccurate or incomplete data.
- •Right to erasure: to request deletion of your data. Records required by Thai medical herb regulation cannot be deleted — we will inform you if erasure is not possible for a specific category.
- •Right to restriction and right to object: to limit processing or object to processing based on legitimate interests.
- •Right to withdraw consent: patients may withdraw consent for health data processing at any time. Withdrawal does not affect prior lawful processing but may limit platform features.
10. International Data Transfers
Our servers are primarily in Thailand or the Southeast Asia region. Some service providers (Cloudflare, AWS) may process data in other countries. Where transfers occur outside Thailand, we ensure an adequate level of protection recognized by Thai authorities or equivalent contractual safeguards. Contact privacy@yagantra.app for details.
11. Cookies and Tracking
Marketing website: strictly necessary session mechanisms for form submissions only. No advertising cookies, behavioral tracking, or third-party analytics during the pre-launch phase. Platform: strictly necessary session cookies for authentication only. We will update this policy before introducing any analytics tools.
12. Children
The platform is not intended for persons under 18. Medical herb in Thailand is restricted to adult patients with valid PT.33 prescriptions. If we become aware of data from a minor without parental consent, we will delete it. Contact privacy@yagantra.app if you believe a minor's data has been collected.
13. Changes to This Policy
We may update this policy to reflect changes in our practices or applicable law. For material changes, we will notify registered users by email at least 14 days before the change takes effect. Continued use of Yagantra after a change constitutes acceptance of the revised policy.
14. Contact Us
For privacy inquiries, data subject requests, or concerns: Email privacy@yagantra.app or hello@yagantra.app. Company: Yagantra Co., Ltd., Bangkok, Thailand. Privacy inquiries — 5 business days. Rights requests — 30 days.