Privacy Policy
Cyto Aurora Biotechnology (Thailand) Co., Ltd. recognizes the importance of protecting the personal data of its service users, customers, and website visitors. This Policy has been prepared to explain the purposes, methods, and guidelines for the collection, use, and disclosure of personal data in accordance with the Personal Data Protection Act B.E. 2562 (the “Personal Data Protection Act” or “PDPA”).
Scope of Use
This Privacy Policy applies to the personal data collected by Cyto Aurora Biotechnology (Thailand) Co., Ltd. through the use of or contact via various channels, including:
- Use of the Company’s website, such as visiting, registering, or using online services, where certain data may be automatically collected (e.g. IP address or cookies) to improve the user experience.
- Completion of online forms, such as appointment forms, newsletter subscriptions, or surveys, where necessary information such as name, telephone number, or email address may be requested in order to provide appropriate services.
- Communications with the Company via telephone, email, or social media, where the information received will be used to provide services, respond to inquiries, or carry out your requests.
The Company will collect, use, and protect your personal data in accordance with the Personal Data Protection Act B.E. 2562 (PDPA) and strict security measures to ensure that your information is properly safeguarded.
Types of Data We Collect
We collect only the information necessary for providing our services and carrying out our operations, which may include:
1. Personally Identifiable Information
- First name, last name, date of birth, gender
- Address, email address, and telephone number
- National ID number or passport number (when necessary)
2. Health and Medical Information (Sensitive Data)
- Medical history, diagnoses, laboratory test results, genetic test results (if any)
- Treatment information, medications, and records of medical visits
3. Payment Information
- Billing information, receipts, and payment details (some of which may be passed on to payment service providers)
4. Website and Technical Information
- Website usage data such as IP address, browser type, cookies, and usage behavior (for service improvement)
The Company will collect only the data necessary for clearly defined purposes and will not use the data for any other purposes beyond those communicated, unless consent has been obtained from the data subject.
Purposes of Data Use
We will use your data only for clearly defined purposes, as follows:
- To provide diagnostic and medical treatment services to patients
- To manage appointments, issue receipts, and process billing
- To communicate and send important notifications related to treatment, test results, or appointments
- To improve the quality of our services, and for internal research and development (with your data anonymized when used for statistical analysis)
- To comply with applicable laws, regulations, or orders issued by government authorities
- For direct marketing purposes (with your prior consent), such as news, promotions, and clinic activities
Legal Bases for Processing Personal Data
Our processing of personal data is based on at least one of the following legal grounds:
- Consent of the data subject – for marketing activities or processing that is not strictly necessary for the provision of services
- Performance of a contract or steps prior to entering into a contract – such as providing medical treatment and managing appointments
- Compliance with legal obligations – to fulfill legal and regulatory requirements
- Legitimate interests of the data controller – such as fraud prevention or ensuring the security of our systems
Disclosure of Data to Third Parties
The Company may disclose personal data to:
- Information technology service providers (such as cloud service providers and system administrators) to support our operations
- Partner healthcare providers (specialist physicians, laboratories) when necessary for patient care
- Payment service providers and accounting service providers
- Government agencies or regulatory authorities when requested or as required by law
Such disclosures will be carried out under data protection agreements (Data Processing Agreements) or appropriate contracts to ensure adequate data protection and limitations on the use of such data.
Cross-Border Data Transfers
If personal data is transferred to other countries, the Company will proceed in compliance with applicable laws and will ensure that the recipient provides an adequate level of data protection or that appropriate safeguards are in place.
Data Security
The Company implements appropriate technical and organizational measures to protect personal data, such as:
- Data encryption where necessary
- Role-based access control
- Data backup, monitoring, and event logging
- Staff training on data protection
Although these measures are in place, no system can be 100% secure. Therefore, we have procedures for incident notification and response in the event of a data breach.
Data Retention Period
Personal data will be retained only for the purposes notified and for the period required by law, for example:
- Patient information and medical records: retained for the period specified by applicable laws or professional standards
- Financial and accounting records: retained in accordance with tax and accounting laws
After the applicable retention period has ended, the Company will delete or anonymize the data in accordance with appropriate standards.
Rights of Data Subjects
You have rights under personal data protection laws (such as the PDPA), including but not limited to the right to:
- Request access to your personal data
- Object to certain types of data processing
- Request correction of inaccurate or incomplete data
- Request deletion or suspension of the processing of your data (where permitted by law)
- Request the transfer of your data in a machine-readable format (data portability)
If you wish to exercise any of these rights, please contact our Data Protection Officer.
Cookies and Related Technologies
Our website may use cookies and tracking technologies for purposes such as improving user experience, analyzing usage, and supporting advertising activities. You can manage your cookie preferences through your browser settings or via the tools we provide on our website.
Contact and Complaints
If you have any questions, requests, or wish to exercise your rights, please contact:
Data Protection Officer (DPO)
Email: admin@cytoaurora.co.th
Telephone: +66 65-715-2539
Address: CytoAurora Biotechnology (Thailand) Co., Ltd.
If you are not satisfied with our response, you may lodge a complaint with the Personal Data Protection Committee or the relevant supervisory authority.
Policy Updates
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. Any significant changes will be announced on our website and/or communicated to you.
Additional Provisions for Sensitive Data
The processing of health data and other sensitive personal data will be carried out under strict limitations and, in general, will require written consent or be based on a clearly defined legal basis.
Third-Party Data Processors
When we engage external service providers to process personal data on our behalf, we will enter into a Data Processing Agreement that specifies security requirements, scope of use, and restrictions on data transfers.