Privacy and Cookies Policy
We, Ek-Chai Distribution System Company Limited (referred to in this policy as "Company", "we" or "us"), are working hard to serve shoppers a little better every day. Looking after the personal data you share with us is a hugely important part of this. We want you to be confident that your data is safe and secure with us, and understand how we use it to offer you a better and more personalised shopping experience.
The data controller is the Company.
We are committed to doing the right thing when it comes to how we collect, use, disclose and protect your personal data. That's why we've developed this privacy and cookies policy ("Policy"), which:
- sets out the different ways you interact with us and the types of personal data that we collect;
- explains the purposes why we use and/or disclose the data we collect;
- explains when and why we will share personal data with our corporate affiliates, subsidiaries and other companies under common control and ownership of the holding company or parent company of Ek-Chai Distribution System Company Limited ("our Group"), and with other organisations;
- explains the rights and choices you have when it comes to your personal data; and
- other matters relating to how we treat your personal data.
We offer a wide range of products and services, so we want you to be clear about what this Policy covers. This Policy applies to you if you use our services (referred to in this Policy as "our Services"). Using our Services means:
- shopping with us over the phone, in-store or online at our Online Shopping websites or any other online systems, platforms and applications operated by a third party through which our products and services are offered;
- accessing or using any of the websites ("our Websites"), online systems, platforms or mobile applications ("our Mobile Apps");
- making bill payments through us, for example, paying utility bill, phone and cable bill, and credit card bill at our cashier counters or via other payment channels we operate;
- being a member of My Lotus’s membership scheme ("My Lotus’s membership");
- applying to be our Business to Business ("B2B") customer or
- contacting or otherwise interacting with us or our customer service teams about our Service.
Group or category of the personal that the Company will collect the personal data
Under this policy, group or category of the personal that the Company will collect and process the personal data consists of any personal purchase the product and/or receive the service from the Company and/or other personal performing any similar activities i.e. the personal participates any activity, website, online system and platform or application user, any person who contact to receive the information or service from the Company and the product and/or service survey respondent. Also including any person who might connect with the customer mean any representative of the customer i.e. executive, director, employee, representative or any other who act on the customer behalf (in case the customer is a juristic person or business organisation) and shall include the personal whose personal data is presented through the document using in the transaction i.e. manager, buyer, consignee and payer regardless whether that personal is categorised as the My Lotus’s member or others, e.g. B2B customer, both individual or business organization, who does not have My Lotus’s membership.
Parts of this Policy also apply if you use our in-store pharmacy services and to our store CCTV systems where they capture footage of you.
Some other parts of our business and other companies in our Group may need to collect and use your personal data to provide you with their products and services and for certain other purposes. In such case, your personal data provided to them will be subject to their relevant privacy policies.
This Policy may be replaced or amended from time to time. If we make changes, we will notify such changes or replacing policy by making them available at our stores, on our Websites or any other appropriate channel available time to time. Please review this Policy (as updated from time to time) so you understand our how we treat your personal data and your rights regarding the collection, use and disclosure of your personal data.
This section tells you what personal data we may collect from you when you use our Services and what other personal data we may receive from other sources.
|When you register for our Services or apply to be our B2B customer, you may provide us with:|
|When you shop with us or browse our Websites or use our online systems, platforms, Mobile Apps, we may collect:|
|When you use our bill payment service, we may collect:|
|When you use My Lotus’s membership to shop with us, or use My Lotus’s membership vouchers or coupons, with your consent, we may collect:|
|When you contact us or we contact you or you take part in promotions, competitions or campaigns, surveys or reviews about our Services, we may collect:|
|When you ask us to fulfil your request relating to tax|
|When you visit our stores|
The data collected from the activities above may be classified into the following types:
Aggregated Data – We try and remove personal data we do not need. If we remove enough personal data is becomes anonymous. This means that you cannot be identified. We might also take data we hold and remove certain information and replace it with other non-identifying information such as ID number or reference number. This is an extra technique we use to protect data. We normally use these techniques to look at large amounts of individuals (such as our My Lotus’s membership customers). This includes information that is statistical or demographic data.
Special Category Data – This is special information that the law says is more sensitive (sometimes it is referred to as sensitive personal data) and it needs more protection. For the Company, this is principally health information if you use our pharmacy services or we may collect sensitive personal data in other circumstances such as our interactions with you when you are making a complaint to us.
Location Data – In some cases our online systems, platforms or apps might ask for your location information to help better serve you information about your local store or for us to make the correct delivery, you will be made aware at the time if we would collect this data.
Other sources of personal data
We may collect or use personal data from other sources, such as Lotus’s Money Services, Lotus’s General Insurance Broker and Lotus’s Life Insurance Broker (collectively, "Lotus’s Money"), the holding company or parent company including but not limited to the Company, Egg Digital Co., Ltd., Lotus’s Money, or any affiliates and subsidiaries of such member as well as business entities under Charoen Pokphand Group that engage in the following businesses (a) telecom & media e.g. True Corporation Public Company Limited, True Digital Group Co., Ltd. and affiliates (b) agro-food e.g. Charoen Pokphand Food Public Company Limited and affiliates (c) retail & distribution e.g. CP All Public Company Limited, CP Axtra Public Company Limited (formerly known as Siam Makro Public Company Limited) and affiliates (d) e-commerce & digital e.g. Ascend Group Co., Ltd., True Money Co., Ltd. and affiliates (e) property development e.g. C.P. Land Public Company Limited and affiliates. specialist companies that supply information, online media channels, our Retail Partners and Public Registers. For example, this other personal data helps us to:
- create/manage your My Lotus’s membership account (including the allocation of My Lotus’s membership coins);
- review and improve the accuracy of the data we hold; and
- improve and measure the effectiveness of our marketing communications, including online advertising.
In addition, we may also collect personal data from and/or disclose the personal data to an authorized online third-party marketplaces (e.g. Lazada, Shopee). For example, if you purchase any products offered by the Company store via marketplace website or application, we may collect, use and disclose the personal data you have provided on such marketplace in accordance with the purposes set out in this Policy.
For your information, Retail Partners refer to an entity or organisation that participates in business activity with the Company, details of which are set out below under heading ' Sharing personal data with our partners' and Public Registers refer to your personal data that may be available in any public source which we can use to enrich or validate your personal data.
This section explains in detail how and why we use personal data. We collect or use personal data to:
|We use personal data to||Why do we process your personal data in this way?||Legal Basis for using your personal data|
|Make our Services available to you|
|Accommodate your request in relation to tax||We need to collect and use your personal data to comply with your requests when you ask us, for example, to issue tax invoice or VAT report in case you want to claim tourist tax refund.||Contractual Necessity and Legal Obligation|
for all categories of Customers
|Manage your account including your My Lotus’s membership||Your personal data enables us to comply with the Terms and Conditions which are agreed with you in relation to the orders you made using My Lotus’s membership and enable you, as a My Lotus’s membership, to participate in promotional activities and enjoy other benefits thereunder such as vouchers, reward points redemption, and any other sale promotions.||Consent Basis|
|Manage and improve our day-to-day operations|
|Conduct marketing research and communications|
|Set up activities or campaigns for marketing PR and advertising including the Corporate Social Responsibilities (CSR)|
|Customer survey and feedbacks|
|Detect and prevent fraud or other crime including legal compliance||It is important for us to monitor how our Services are used in order to detect and prevent fraud, other crimes and any misuse of services, to conduct ourselves in compliance with the laws, and to verify your identity in connection with the requests you made under this Policy. This helps us to make sure that our legal and regulatory compliance has been addressed and you can safely use our Services.||Legal Obligation and Legitimate Interest|
|Contact and interact with you|
|Claims||In order to resolve legal claims or disputes involving you or us. For example, if you have any accident or there is an incident at our stores.||Legal Obligation and Legitimate Interest|
|Comply with the relevant law relating to the operations and other lawful demand of the competent authority or official||Legal Obligation and Legitimate Interest|
|Corporate restructure within Group companies||Legal Obligation and Legitimate Interest for relevant Customers|
|Verify, monitor the safety and security of the individual and Company’s asset||Legitimate Interest|
|Pharmacy||Consent Basis and Medical Necessity|
Our Legitimate Interests in using your personal data
Where we have mentioned above our use of your personal data is based on our "legitimate interests", these are:
- to service our customers’ needs, including delivering our products and services;
- to promote and market our products and services (both our own products and branded goods) for Non-My Lotus’s membership Customer;
- to service your account, manage complaints and resolve any disputes;
- to understand our customers including their patterns, behaviours as well as their likes and dislikes;
- to protect and support our business, colleagues, customers and shareholders;
- to prevent and detect anti-social behaviour, fraud and other crime;
- to test and develop new products and services as well as improve existing ones; and
- to expand and sustain our business operation which would essentially benefit your experience with us
This section explains how and why we share personal data with other companies within our Group.
When you use our Services or become My Lotus’s member, we may share your personal data we collect with other companies in our Group so that they can assist and facilitate us in processing such personal data for any purposes of collection, use and disclosure which are stated in this Policy. These companies include but not limited to:
- Egg Digital Co., Ltd. – one of our main service providers, who helps us analyse your behaviour in order to improve our understanding about you.
- Business entities under Charoen Pokphand Group that engage in the following businesses:
(a) telecom & media e.g. True Corporation Public Company Limited, True Digital Group Co., Ltd. and affiliates
(b) agro-food e.g. Charoen Pokphand Food Public Company Limited and affiliates
(c) retail & distribution e.g. CP All Public Company Limited, CP Axtra Public Company Limited (formerly known as Siam Makro Public Company Limited) and affiliates
(d) e-commerce & digital e.g. Ascend Group Co., Ltd., True Money Co., Ltd. and affiliates
(e) property development e.g. C.P. Land Public Company Limited and affiliates.
- Business entities in Lotus’s Money Group namely Lotus’s Money Services Ltd., Lotus’s General Insurance Broker Ltd. and Lotus’s Life Insurance Broker Ltd.
In the event you allow us to share your personal data within our Group (i.e. by giving consent for personal data sharing in the My Lotus’s membership application or at any time you opt in), we may also make your personal data available to other companies within our Group as mentioned above for them to tailor offers and communicate with you in relation to their products, services or any marketing campaign which might be of your interest.
In addition, we may disclose your personal data to other companies in our Group subject to your instruction or data transferring request. For example, you may ask us to share your My Lotus’s membership number with Lotus’s Money in order to link your Lotus’s credit card with My Lotus’s membership number so that you can earn extra points or benefits when you use the credit card to shop with us.
In case of acquisition and sell or corporate restructure of our Group, we may need to disclose your personal information as necessary to other companies within our Group in order to ensure the continuity and efficiency of our services rendered.
Sharing personal data with our partners
This section explains how and why we share personal data with Retail Partners, Merchants, My Lotus’s membership Partners and Service Providers, Vendors and Consultants.
When we share personal data with these companies we require them to keep it safe, and they must not use your personal data for their own marketing purposes.
|Retail Partners||We work with a number of Retail Partners who -|
|My Lotus’s membership Partners||At your request, we may transfer your personal data to our My Lotus’s membership Partners including but not limited to Charoen Pokphand Seeds Co., Ltd., One Siam, Bangchak and other partners we will have in the future for them to verify your identity and/or adding points to My Lotus’s membership Partners’ loyalty program according to the specified term and condition and/or facilitate you in converting My Lotus’s membership coins into rewards, points or other benefits you are entitled to from being a member of our My Lotus’s membership Partners.|
|Service Providers, Vendors and Consultants|
Sharing personal data with other organisations
This section explains how and why we share personal data with other organisations.
We may share personal data with other organisations in the following circumstances:
- if the law or a public authority says we must share personal data or for the administration of justice;
- if we need to share personal data in order to establish, exercise or defend our legal rights (this includes providing personal data to others for the purposes of preventing fraud);
- where we restructure, sell or transfer our business (or a part of it). For example, in connection with a takeover or merger.
We know how important it is to protect and manage your personal data. This section sets out some of the measures we have in place:
- We apply physical, electronic and procedural safeguards in connection with the collection, storage and disclosure of personal data;
- We protect the security of your information while it is being transmitted by encrypting it;
- We use computer safeguards such as firewalls and data encryption to keep this data safe;
- We only authorise access to employees and trusted partners who need it to carry out their responsibilities;
- We regularly monitor our systems for possible vulnerabilities and attacks, and we carry out penetration testing to identify ways to further strengthen security; and
- We will ask for proof of identity before we share your personal data with you.
Whilst we take appropriate technical and organisational measures to safeguard your personal data, it is important that you keep your login details and devices protected from unauthorised access.
The personal data that we collect from you may be transferred to, and stored at, a destination outside Thailand. It may also be processed by companies operating outside Thailand who work for us or for one of our Service Providers. If we do this we ensure that your privacy rights are respected in line with this Policy and the applicable laws.
We will not keep your personal data longer than we need to. How long this is depends on several factors, including:
- Why we collected it in the first place;
- How old it is;
- Whether there is a legal/regulatory reason for us to keep it;
- Whether we need it to protect you or us.
Cookies are small text files containing a unique identifier, which are stored on your computer, tablet or mobile device so that your device can be recognised when you are using a particular website, online systems, platforms or mobile app. They can be used for the duration of your visit or they can be used to measure how you interact with services and content and location over time. Cookies help to provide important features and functionality on our Websites, online systems, platforms and Mobile Apps, and to improve your customer experience. Cookies can also be used help us to detect fraudulent activity or to prevent security breaches and so we may record information about your device within the Cookies.
When you accept Cookies on our Services, these may be used to do the following:
|Improve the way our Websites and Mobile Apps work|
|Improve the performance of our Websites and Mobile Apps|
|Deliver relevant online advertising, including via social media|
|Measuring the effectiveness of our marketing communications, including online advertising|
Third parties operating through our Websites, online systems, platforms and Mobile Apps
Our key partners are listed below with information about the services they provide to us. This list is not exhaustive but it does include those partners with whom we have an established relationship and whose cookie technologies are most frequently deployed through our Services.
|Measurement & Personalisation||To analyse how our services are used, including to test and develop different content versions. This data may also be used to enable us to personalise our services, develop service or product and the marketing of our services.||Adobe|
Google Analytics andMindshare
|Product recommendations||To enrich your shopping experience by delivering personalised recommendations to you on some of our websites and application.||Adobe|
Google and Mindshare
|Online marketing||To personalise the Company's adverts shown to you via our Websites and on other websites based on your interactions with us. For example, by using data about your transactions with us, what you have in your basket and the pages and products you look at or webpage you frequently visit. We may also use your My Lotus’s membership card data to better personalise our marketing.||Egg Digital|
Google and Mindshare
|Delivering ads for us and our Retail Partners||To enable us to personalise and deliver online advertising on our online media for ourselves and on behalf of our Retail Partners.||Google Analytics|
|Security of our websites and apps||To enable us to prevent and monitor security of our systems and services.||Akamai|
This section explains the choices you have when it comes to the collection, use and disclosure of your personal data. You are at your choice to opt-in to the following activities and to withdraw your consent by taking steps as specified in this Policy.
We will study your spending behaviour, carry out customer profiling and marketing research based on your personal data. In case of My Lotus’s membership Customer, we will send you offers and information about our products and any other services, promotions, special offers and events which might be of your interest, subject to the consent that you have given to us in My Lotus’s membership application, in a number of ways including by email. You can change your preference regarding marketing research and communications over the process described in this Policy or by phone. However, if you decide to withdraw your consent for us to collect, use and/or disclosure your personal data for this purpose, you will no longer receives any news related to benefits to which My Lotus’s membership is entitled (such as not receiving information about marketing campaign, exclusive offers and etc). For the avoidance of doubt, marketing research and communication does not include any customer surveys that we may conduct from time to time.
Web browser cookies
You can use your browser settings to accept or reject new Cookies and to delete existing Cookies. You can also set your browser to notify you each time new Cookies are placed on your computer or other device. You can find more detailed information about how you can manage Cookies through your browser’s help function.
If you choose to disable some or all Cookies, you may not be able to make full use of our Websites. For example, you may not be able to add items to your shopping basket, proceed to checkout, or use any of our products and services that require you to sign in.
You can also manage advertising related Cookies used on our Services by opting-out through the Service Providers listed in the table above.
Cookies work differently on Mobile Apps as they are coded into the App itself and will use a unique identifier created by your mobile device for use for advertising activities. You can turn off or reset this advertising identifier through your mobile device’s privacy settings.
We also like to hear your views to help us improve our Services, so we may contact and invite you to give your feedbacks about our products and services or complete any customer surveys we prepare. However, if we contact you about this, you do not have to take part in the activities. We will respect your choice and this will not affect your ability to use our Services including your My Lotus’s membership.
Upon the full effectiveness of Personal Data Protection Act, you can exercise your rights relevant to your personal data as mentioned below by providing your information in the Data Subject Request Form. Please send your request with relevant documents to [email protected]
Right to withdraw consent: You are entitled to withdraw your consent at any time. However, this will not affect the lawfulness of collection, use and disclosure of your personal data based on your consent before its withdrawal.
If you are a My Lotus’s member but decide to withdraw consent from being My Lotus’s membership, your membership and all benefits including coins collected along with the My Lotus’s membership will be terminated and cannot be recalled although you re-apply for My Lotus’s membership. In addition, you will not be contacted for exclusive offers as My Lotus’s membership from both Lotus’s and Group.
If you still maintain your My Lotus’s membership member, but withdraw consent for allowing us to contact you for offering privilege or marketing campaign, you will no longer receive any offers to which My Lotus’s membership is entitled (such as not receiving information about marketing campaign, exclusive offers from Lotus’s and etc.).
However, if you are My Lotus’s member and still allow us to send you a direct marketing but withdraw consent from disclosing of your personal data to Group, you will no longer receive any privileges, marketing campaign or exclusive offers from Group as My Lotus’s membership.
Subject Access Request: You have the right to see the personal data we hold about you. You can also request to obtain a copy of your personal data.
Right to data portability: You have the right to receive your personal data in a structured, commonly used and machine readable format. In addition, you may request us to transmit such personal data to other data controller via automatic means and, where technically possible, to obtain such personal data we directly transferred to other data controller. For example, if you would like to apply for a Lotus credit card, you may request us to transfer your personal data to Lotus Money Service in order to link your Lotus credit card with My Lotus’s membership. In such case, your request will be deemed to constitute consent for us to disclose the personal data we collect about you to the transferee.
Right to objection: You have the right to object to our use of your personal information under the following circumstances:
General objection - We will consider your objection to our use of your personal data. If on balance, your rights outweigh our interests in using your personal data, then we will at your request either restrict our use of it (see section 6 below) or delete it (see section 5 below). Nevertheless, we may not uphold your request if we rely on your personal data to establish, exercise or comply with legal claim or to set up defence.
Objection in relation to direct marketing – If you make such an objection, we will stop using your personal data for direct marketing purposes.
Objection in relation to marketing research – We will discontinue processing your personal data for marketing research unless it is done for public interest.
Right to erasure: There are several situations when you can request us to delete your personal data, this includes (but is not limited to):
- your personal data has become irrelevant or unnecessary for the purposes stated in this Policy;
- you have successfully made an objection (listed in section 4 above);
- you have withdrawn your consent to us using your personal data (and we do not have any other grounds to use it); or
- we have unlawfully processed your personal data.
We may retain your personal data to comply with applicable laws and regulations and for other permissible purposes. Therefore, not all of your personal data may be deleted as per your request.
Right to restrict our use of it: There are several situations when you can restrict our use of your personal data (instead of deleting it), this includes (but is not limited to):
- we are in the process to verify your objection (listed in paragraph 4 above);
- you are challenging the accuracy of the personal data we hold; or
- we have used your personal data unlawfully or your personal data is no longer necessary, but you do not want us to delete it.
Right to rectification: if you believe we hold inaccurate or missing information, please let us know and we will correct it. In case we are unable to do so, we will record your request together with the reason for failing to fulfil it. For this purpose, My Lotus’s membership customers may contact 'My Lotus’s membership Service Centre at 1430 press 1.
We may deny or comply with your request in relation to the exercise of these rights only in part, subject to the applicable laws and regulations. For example, we may limit your Subject Access Request if such access would adversely affect the right and freedom of others or we may retain the personal data you request to be erased in exercise of our legal rights or in compliance with the obligation prescribed by law.
We’d like the chance to resolve any complaints you have, however you also have the right to complain to the Office of the Personal Data Protection Commission about how we have used your personal data.
If you have any questions about how we collect, store and use personal data please contact us.
Email: [email protected]
This Policy was last updated on 26 July 2023.