WhichCard (the "Service") is operated by an individual natural person conducting business in Thailand, referred to in this document as the "Operator", "we", or "us". The Operator is the Data Controller under the Personal Data Protection Act B.E. 2562 (PDPA).

The Operator is currently an individual (not yet incorporated). The Data Controller's full name is shown at the point where consent is requested [Operator full name — to be filled in before public launch]. If a company is registered in the future, or the business is transferred to a successor, that entity/successor will become the Data Controller in our place and we will notify you via LINE. Any such transfer will not diminish your legal rights, and for consent-based processing we may seek fresh consent as required by law.

Our sole channel of contact, including for exercising your data-subject rights, is the WhichCard LINE Official Account. We deliberately do not publish an email address in public documents to prevent bot harvesting. The absence of a public email does not limit your legal rights.

Data from LINE when you log in: LINE user ID, display name, and profile picture.

Data you enter yourself: which catalog cards you hold, points balances (manually entered, optional), perks, and spend targets.

Usage data: messages you send to the AI assistant, the recommendation results the system generates, question counts, membership status, and general usage information.

Consent records: the versions of this Privacy Policy and the Terms you accepted, with timestamps, and your separate choices for (i) international transfer of data, (ii) confirmation that you are at least 20 years old / of legal age, and (iii) marketing communications. Each choice is logged independently in the consent audit trail (UserConsent) as evidence of consent.

What we never collect: we do not store credit-card numbers, not even the last 4 digits, nor CVV, expiry date, or any full card number (PAN), and we do not link your bank accounts. Cards in the system are catalog references only.

Payment data for Pro membership is held entirely by an external payment service provider (PSP). We store only a non-sensitive external subscription reference, which is not card data or sensitive financial data.

We process your data on different lawful bases according to each purpose, as follows:

(a) Providing the core service (the catalog card wallet, deterministic card ranking, managing your points, perks, and account): necessity for performance of the service contract (Section 24(3)).

(b) Sending LINE notifications, statistical analytics, and marketing communications (if any): consent (Section 19), which you may withdraw at any time.

(c) Sending your messages to AI model provider(s) to generate answers: contract necessity and/or your consent (including consent to international transfer — see Section 6).

(d) Improving and securing the service, fraud prevention, and legal compliance: legitimate interest (Section 24(5)) and/or legal obligation (Section 24(6)) where applicable. For service-improvement uses we work with de-identified / aggregated data that does not identify you.

Non-bundling of consent (Section 19 paras 4–5): the core service (the card wallet and deterministic ranking) is provided on contract necessity and does NOT require your consent to (i) cross-border AI processing or (ii) marketing. We collect cross-border and marketing consent separately as granular choices and never bundle them into "accepting the Terms". Refusing or withdrawing these consents only disables the AI assistant or the relevant marketing — it never blocks your account or the core service.

Withdrawing consent later does not affect the lawfulness of processing already carried out before withdrawal.

WhichCard's recommendations are produced by a deterministic rules engine together with an AI that only explains the result.

This does NOT constitute a "decision producing legal or similarly significant effects based solely on automated processing", because you always retain control of the actual payment decision (human-in-the-loop). We do not carry out profiling that has a significant effect on you.

You may ask how a particular recommendation was reached via the LINE Official Account.

We do not sell your personal data. We disclose data only as necessary to data processors that provide infrastructure and operational services to us, namely:

• LINE — messaging and identity (user ID and profile).

• AI model provider(s) (e.g. LLM provider) — processing your messages to generate answers.

• Hosting and infrastructure providers (e.g. Vercel for app hosting, Neon for the database, Cloudflare for CDN/edge).

• Payment service provider (PSP) (e.g. Stripe or Opn) — handling Pro membership billing and storing payment data. We store only a subscription reference.

We may disclose data where required by law, or to establish, exercise, or defend legal claims — including disclosing your consent records, subscription reference, and relevant usage logs to the PSP and card networks as evidence in a payment dispute (see the Terms of Service). Each processor is bound to process data only on our instructions and to keep it secure.

Our use of external processors does not reduce our obligations as a Data Controller under the PDPA.

To provide the Service, some of your personal data — including the messages you send to the AI assistant and your LINE user ID — is processed and stored outside Thailand by processors that may be located in the United States, the European Union, or other regions (e.g. AI model providers and infrastructure providers).

Where the destination country lacks PDPC-recognised adequate protection, we rely on appropriate safeguards under Section 28 (e.g. standard contractual clauses / binding processor commitments in our data-processing agreements that impose standards comparable to the PDPA), and, for the AI assistant specifically, on your separate explicit consent under Section 29, recorded as a withdrawable flag.

If you do not give or you withdraw cross-border consent, only the AI assistant is disabled; you may still use non-AI features, and declining does not diminish any other right.

We apply appropriate technical and organizational measures to protect data, and the system is designed for data minimization. A key strength is that we store no card numbers, no last 4 digits, no CVV, no expiry, and no bank-account data at all, which limits the severity of any breach.

If a personal-data breach occurs, we will assess the risk and notify the Personal Data Protection Committee Office within 72 hours of becoming aware where the breach poses a risk to persons' rights and freedoms, under Section 37(4), and will notify you without undue delay where the risk to you is high.

Although we use reasonable efforts, no system is perfectly secure. You help maintain security by safeguarding your own LINE account.

Our marketing site and the LIFF mini-app may use cookies and similar technologies that are strictly necessary for the system to function (e.g. maintaining your login session and security), relying on contract necessity and legitimate interest.

If we use statistical analytics to understand usage and improve the Service, we do so in a way that minimizes identification where possible, and we will seek your consent first where the law requires it. You can manage cookies through your browser settings.

We do not use third-party cross-site advertising cookies in a way that would build a significant profile of you.

Account and wallet data (cards held, points, perks, targets): kept while your account is active, and deleted or anonymized within 90 days after you delete your account, or after more than 24 months of continuous inactivity.

Messages sent to the AI and recommendation results: kept for a short period, generally no more than 12 months, for conversation continuity and service improvement, then deleted or anonymized.

Consent records (UserConsent) and billing references: kept as long as necessary as legal evidence and for tax compliance, generally no more than 10 years from the relevant transaction.

After these periods, we delete or anonymize the data following appropriate practices.

Under the PDPA you have the rights to: (1) access and obtain a copy of your data; (2) rectification; (3) erasure/destruction; (4) data portability; (5) object to processing; (6) restrict processing; and (7) withdraw consent.

You exercise these rights by sending a request via the WhichCard LINE Official Account, which is our sole channel. We will act within 30 days of receiving the request, extendable as needed with notice to you.

You also have the right to lodge a complaint with the Personal Data Protection Committee Office (PDPC) if you believe our processing is unlawful. In some cases we may refuse or limit a right as permitted by law — e.g. where we must retain data by law, to establish or defend legal claims, or where others' rights are affected. We may ask for information to verify your identity before acting.

The Service is intended only for credit-card holders who have reached the age of majority (20 years or older, or otherwise of legal age) and is not intended for minors. Access requires you to affirmatively confirm at the consent step that you are at least 20. We record this confirmation in the consent audit trail and rely on it.

We do not intend, and have no means, to independently verify age. If we learn that an account belongs to a minor who consented without valid authority, or that an age confirmation was false, we may suspend and delete that account and its related data. The statutory rights of an actual minor as a data subject are unaffected.

If you are a guardian and believe a minor has provided us data, please contact us via the LINE Official Account so we can delete it.

We may update this Policy from time to time. We always state a version number and effective date.

If we make material changes, particularly to a consent basis or to cross-border transfers, we will notify you and ask you to accept the new version through fresh, affirmative consent before continuing to use the Service, recording your acceptance as evidence (UserConsent).

The current version and effective date appear at the top or bottom of this document.

WhichCard is an independent service, not affiliated with, sponsored by, or endorsed by any bank or card issuer. Bank and card-product names belong to their respective owners and are used only for reference and comparison.

If you, a bank, or a rights holder find inaccurate data or have a trademark/personal-data concern, please report it via the LINE Official Account. We will review in good faith and correct or remove the item within a reasonable period.