Privacy Policy

DataSabai acts as both a data controller (for account and website data) and a data processor (when processing business documents and transactions on behalf of our enterprise clients). Where we act as a processor, our processing activities are governed by our Data Processing Agreement (DPA) with the relevant client.

If you are an employee, supplier, or trading partner whose data is processed through a client's integration with DataSabai, please contact that client (the data controller) directly for information about their privacy practices.

We use the information we collect for the following purposes:

• To provision, operate, and maintain our EDI, IDP, compliance, and Web EDI services
• To onboard trading partners and manage ERP integration configurations
• To translate, validate, and route electronic business documents between parties
• To perform intelligent document capture and data extraction (IDP workflows)
• To monitor transaction compliance against trading partner standards and regulations
• To process payments and manage billing
• To provide technical support and respond to service requests
• To send service notifications, security alerts, and product updates
• To maintain audit trails and generate compliance reports
• To detect, investigate, and prevent fraudulent or unauthorized activity
• To improve platform performance, accuracy, and reliability
• To fulfill our legal and regulatory obligations
• To send marketing communications (only with your consent, where required by law)

We rely on the following legal bases to process personal data:

We use cookies and similar technologies on our website and web-based platform to:

• Maintain secure user sessions and authentication state
• Remember user preferences and configuration settings
• Analyze usage patterns to improve platform usability
• Monitor platform performance and uptime

We do not use third-party advertising cookies. You can manage cookie preferences through your browser settings. Disabling essential cookies may impair the functionality of our secure platform.

We do not sell, rent, or trade your personal information or business transaction data. We may share information in the following limited circumstances:

DataSabai is headquartered in Thailand and operates globally. Your data may be stored or processed in countries other than your own, including countries that may have different data protection standards.

For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland, we implement appropriate safeguards including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Data Processing Agreements (DPAs) with all relevant parties
• Technical and organizational security measures appropriate to the risk

For transfers involving other jurisdictions, we apply equivalent protections in accordance with applicable local law.

We retain data only as long as necessary to fulfill the purposes for which it was collected, meet our contractual commitments, and comply with legal obligations. Our general retention schedules are:

• Account and profile data: retained for the duration of the customer relationship and up to 24 months after account closure
• EDI and IDP transaction records: typically retained for 7 years to satisfy trading partner agreement requirements and tax/audit obligations, unless a different period is contractually agreed
• Audit logs and security logs: retained for a minimum of 12 months, or longer as required by applicable law or client agreement
• Marketing and consent records: retained until consent is withdrawn, plus a reasonable period thereafter

Upon expiry of the applicable retention period, data is securely deleted or anonymized in accordance with our data disposal procedures.

Protecting business-critical ERP and EDI data is central to our mission. We implement robust technical and organizational security measures including:

• Encryption of data in transit using TLS 1.2 or higher
• Encryption of data at rest using AES-256 or equivalent
• Role-based access controls (RBAC) and principle of least privilege
• Multi-factor authentication (MFA) for platform access
• Regular vulnerability assessments and penetration testing
• Comprehensive audit logging and anomaly detection
• Business continuity and disaster recovery planning
• Employee security training and background screening

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify affected parties and relevant supervisory authorities as required by applicable law, within the legally mandated timeframes.

Depending on your country of residence, you may have the following rights regarding your personal data:

• Access: obtain a copy of the personal data we hold about you
• Rectification: request correction of inaccurate or incomplete data
• Erasure: request deletion of your data (subject to legal and contractual retention obligations)
• Restriction: request that we limit certain processing activities
• Portability: receive your data in a structured, machine-readable format
• Objection: object to processing based on legitimate interests or for direct marketing
• Withdraw Consent: revoke previously provided consent at any time
• Opt Out of Marketing: unsubscribe from commercial communications at any time

To exercise any of these rights, please submit a request to privacy@datasabai.com . We will verify your identity and respond within 30 days (or within the timeframe required by your local law). Note that where we act as a data processor on behalf of an enterprise client, you should direct your request to that client in the first instance.

Our Services are designed for business use and are not directed to individuals under the age of 18. We do not knowingly collect personal information from minors. If you believe we have inadvertently received data from a minor, please contact us at privacy@datasabai.com and we will promptly delete it.

Our platform may connect to third-party ERP systems, trading partner portals, and external services as part of EDI and Web EDI integrations. This Privacy Policy does not govern those third-party systems. We encourage you to review the privacy policies of any systems you integrate with. DataSabai is not responsible for the privacy practices of third-party platforms.

We may update this Privacy Policy from time to time to reflect changes in our services, legal requirements, or data practices. When we make material changes, we will:

• Update the "Last Updated" date at the top of this document
• Notify registered users by email or prominent in-platform notice
• Where required by law, seek renewed consent

Continued use of our Services following notification of changes constitutes acceptance of the revised policy. We encourage you to review this page periodically.

For any questions, concerns, or data subject requests regarding this Privacy Policy or our data practices, please contact:

For EU/EEA users: if you are unsatisfied with our response, you have the right to lodge a complaint with your national data protection authority. For UK users, this is the Information Commissioner's Office (ICO) at ico.org.uk