Privacy Policy
Last updated: May 22, 2026
The Thai version of this Privacy Policy is the controlling version. This English translation is provided for convenience only. In the event of any inconsistency, the Thai version shall prevail.
This policy explains how Quack Base Co., Ltd. ("Blebook", "we") collects, uses, and discloses personal data when you use blebook.com, the admin system at admin.blebook.com, and the booking pages of shops that use Blebook.
1. Data We Collect
1.1 From Merchants
- Shop name, email, phone number
- Dashboard user information (name, email, password hash)
- Connected PromptPay account or Stripe account details
- Service catalog, schedules, and uploaded content (logos, images, service descriptions)
1.2 From End Customers (Customers of Merchants)
- Name and phone number entered during booking
- LINE userId, profile picture, display name (if the customer uses LINE Login)
- Booking history and PromptPay payment slips uploaded by the customer
- Additional fields configured by the Merchant
1.3 Technical Data
- IP address, User-Agent, browser language
- Login cookies/identifiers (e.g. pb_token, pb_customer, pb_line)
- Usage analytics — pages visited, time on page, booking volume
1.4 From Third-Party Providers
- Google Analytics and Google Ads — for traffic and conversion analytics on blebook.com
- LINE Login — when an end customer chooses to log in via LINE
- PromptPay slip verification provider — on Plus and Pro plans
- Stripe — on the Pro plan
2. Lawful Basis and Purpose
| Data | Purpose | Lawful basis |
|---|---|---|
| Merchant account data | Service delivery, invoicing | Contract |
| End-customer data | Process on behalf of Merchant | Determined by Merchant |
| Technical data | Security, abuse prevention | Legitimate interest |
| Analytics/advertising cookies | Improve site, measure campaigns | Consent |
| Tax and payment records | Tax law compliance | Legal obligation |
3. Processing End-Customer Data
For end-customer data, the Merchant is the Data Controller and Blebook acts as the Data Processor on the Merchant's instructions.
- We use end-customer data only to deliver the service per our contract with the Merchant
- We do not sell end-customer data to third parties for marketing
- We do not use end-customer data to market directly to those customers
4. Disclosure
We may disclose data in the following cases:
- The Merchant a customer booked with — booking data is disclosed to that Merchant for the purpose of the booking
- Necessary service providers — Google Cloud (hosting), slip verification provider, Stripe, LINE Login — under data protection agreements
- Authorities under law — where legally required
- Mergers and acquisitions — in the event of sale, transfer, or merger of Blebook, with advance notice
5. Storage and International Transfer
- Data is stored on Google Cloud Platform, region asia-southeast1 (Singapore). Under PDPA, Singapore is treated as having an adequate level of data protection.
- Data is encrypted in transit (TLS 1.2+) and at rest
- Blebook uses a multi-tenant architecture isolating shop data at the database level
6. Retention
- Merchant account data — retained while the account is active and for 90 days after closure
- Booking data — per Merchant policy, up to a maximum of 2 years from booking date
- Accounting and tax records — retained for 5 years as required by law
- Technical logs — retained for up to 90 days
7. Data Subject Rights
Under PDPA you have the right to:
- Access and request a copy of your data
- Request correction of inaccurate data
- Request erasure (subject to legal retention)
- Request restriction of processing
- Object to processing
- Request data portability
- Withdraw consent
- Lodge a complaint with the Personal Data Protection Committee
If you are an end customer of a Merchant, these rights primarily attach to that Merchant, who is the Data Controller. Please contact the Merchant first.
8. Cookies
Our website and admin use the following cookies:
- Strictly necessary — required for login and core system functions. Cannot be disabled.
- Analytics — e.g. Google Analytics, to understand site usage
- Advertising — e.g. Google Ads, to measure campaign conversion
You can disable cookies in your browser settings, but some features may not work correctly.
9. Security
- Encryption in transit (HTTPS/TLS) and at rest
- Passwords stored as hashes, never in plaintext
- Database-level access control using business_id as the tenant key
- Regular backups with integrity checks
- Ongoing security review and patching
Despite reasonable measures, no system is 100% secure. In the event of a data breach that may affect rights or freedoms, we will notify affected parties and the regulator within 72 hours as required by law.
10. Changes to This Policy
We may update this policy from time to time. The "Last updated" date at the top of the page reflects the latest version. For material changes, we will provide advance notice via email or the Dashboard.
11. Contact
Blebook's Data Protection Officer:
- Email: [email protected]
- Address: Quack Base Co., Ltd., 388/205 Pleno Suksawat 30 (2), Soi Suksawat 30, Bang Pakok, Rat Burana, Bangkok, Thailand