Privacy Policy

1. Document status

This Privacy Policy is an operational draft for the public marketplace MVP. It is designed to explain current platform data practices for visitors, customers, providers, messaging, translations, AI tools, moderation, and future payment readiness. It remains subject to owner confirmation and legal review before any full public revenue launch.

2. Who we are and who controls data

The final legal name of the controller or operator, its registered address, and any appointed representative or DPO details still require owner confirmation. Until then, Optilo.app is operated by the entity or individual designated by the owner for marketplace operations.

• Controller legal name: [OWNER REQUIRED]
• Registered address: [OWNER REQUIRED]
• Privacy contact email: [OWNER REQUIRED]
• DPO or representative details, if applicable: [OWNER REQUIRED]

3. Scope of this policy

This policy covers visitors, registered users, customers, providers, public listings, profile content, chat, attachments, translation and AI features, moderation records, credits or ledger records, and support interactions connected to the Optilo marketplace.

4. Data we collect

• Account data such as name, email, username, role, and authentication details.
• Profile and provider data such as categories, skills, location, languages, service descriptions, portfolio items, and public media.
• Job, project, service, and listing content including titles, descriptions, categories, metadata, and translations.
• Chat messages, attachments, attachment metadata, and moderation or safety signals.
• Credits, plan state, payment-state placeholders, future transaction records when enabled, and AI usage records.
• Device, browser, IP, log, cookie, and analytics information.
• Support and complaint submissions.

5. How we use personal data

Optilo uses personal data to operate accounts, render listings, match customers and providers, run the messenger, enforce contact protection, support English-Thai communication, provide AI listing tools, prevent fraud, maintain security logs, handle support requests, moderate content, improve marketplace quality, and comply with legal obligations.

6. Legal bases

For GDPR-oriented analysis, Optilo expects to rely on a combination of contract necessity, legitimate interests, consent where required, and legal obligation where applicable. For Thai PDPA-oriented analysis, Optilo expects to rely on contract, consent where required, legitimate interest or other lawful bases recognized by PDPA, and legal obligation where applicable.

7. Contact protection processing

Optilo may inspect, classify, mask, or block messages, previews, listings, attachments, and other user content to detect phone numbers, email addresses, LINE or WhatsApp details, exact addresses, direct links, map pins, social handles, and similar direct-contact attempts where platform rules prohibit them before unlock.

This processing supports security, moderation, platform-rule enforcement, and safer marketplace interactions.

8. Translation and AI providers

Optilo may use configured AI or translation providers, such as Gemini, OpenAI, or other approved processors, for bilingual translation and premium AI listing features. Where platform design requires it, contact-protection controls should run before content is sent to the provider.

Provider availability may change. If a provider fails, the platform should not pretend that translation succeeded. International transfer safeguards, vendor roles, and processor documentation require ongoing owner and legal review.

9. Cookies and similar technologies

Optilo may use cookies or similar technologies for session management, login persistence, language preference, security controls, consent records, limited analytics, and feature preferences. A cookie notice and privacy controls should explain the difference between necessary, preference, analytics, and any future marketing cookies.

10. Analytics

Optilo may collect limited analytics or usage signals to understand page performance, language usage, marketplace activity, and service quality. If analytics providers are expanded later, the cookie and privacy documentation should also be updated accordingly.

If a specific analytics tool is not yet fully confirmed by the owner, this policy should be read as covering limited current analytics with future updates required when tooling changes.

11. How we share data

• Hosting, infrastructure, and technical support providers.
• AI and translation providers used for supported features.
• Payment providers if and when payment is activated later.
• Legal authorities or regulators where required by law or lawful process.
• Other users only to the extent necessary for marketplace interaction and allowed contact sharing.

12. International transfers

Optilo may use infrastructure or processors located in Thailand, the EU, or other jurisdictions depending on hosting, provider, analytics, email, or AI tooling. Where personal data is transferred across borders, Optilo should use appropriate safeguards such as contractual protections, technical controls, and any other measures required by applicable law.

13. Retention

Optilo may retain account records, listings, chat messages, attachments, translations, logs, credits or ledger records, analytics data, and backups for as long as reasonably required for platform operation, support, fraud prevention, legal compliance, dispute handling, and backup integrity. Exact retention schedules should be refined by owner policy and legal review.

14. Security

Optilo uses technical and organizational measures such as access controls, role-based administration, security logging, backups, and other appropriate protections to reduce unauthorized access, loss, misuse, or alteration of data. No system can guarantee absolute security.

15. User rights

Depending on applicable law, users may have rights such as access, rectification, deletion, restriction, objection, portability, withdrawal of consent where relevant, and complaint rights. Users may also have rights under Thailand PDPA, including access, correction, deletion or withdrawal where applicable, and complaint rights under the PDPA framework.

Final response procedures, identity verification steps, and authority references should be confirmed in the owner legal review process.

16. Children and minors

Optilo is not intended for unlawful collection of children’s personal data. Users should only use the platform if they have the legal capacity required by applicable law. If Optilo learns that data was collected unlawfully from a child or minor, it may restrict or remove the affected data and account access.

17. Automated decisions and AI assistance

Optilo uses AI and automated processing to assist with translation, content enhancement, contact-protection detection, and moderation signals. Optilo does not intend this operational MVP to rely on solely automated decisions that produce legal or similarly significant effects without a human or owner-controlled review path.

18. Changes to this policy

Optilo may update this Privacy Policy as the product, legal obligations, moderation systems, providers, or payment state evolve. Updates should be reflected through an effective date, last-updated date, version, and where appropriate a notice to users.

19. Contact and complaints

Before any full revenue launch, Optilo should publish verified privacy and legal contact details, complaint channels, and, where relevant, representative or DPO information.