Privacy Policy of Schema Co., Ltd.
Effective Date: 25 March 2025
1. INTRODUCTION
This Privacy Policy governs the manner in which Schema Co., Ltd. / Schema Agency ("the Agency," "we," "us," or "our") collects, processes, stores, and protects the personal and business data of our clients, website visitors, and business partners. We uphold the highest ethical and legal standards in data protection, ensuring compliance with the General Data Protection Regulation (GDPR), the Thailand Personal Data Protection Act (PDPA), the California Consumer Privacy Act (CCPA/CPRA), and all other relevant data protection laws.
As an act of enforcement of our ethical communication standards, this Privacy Policy does not apply to Russian entities or Russian-affiliated parties, as outlined in our Terms and Conditions and Activist Statement. Any data collected from such entities may be used in cooperation with Ukrainian law enforcement authorities, Thai authorities, EU authorities, and third-party activist organizations, as well as in furtherance of our sole agency activism. If such an entity is discovered, the conditions outlined in the Terms and Conditions regarding contract termination and legal recourse shall apply.
2. DATA WE COLLECT & LAWFUL BASIS FOR PROCESSING
We collect the following categories of personal and business data, with a clear lawful basis for processing under GDPR and PDPA:
- Client and Business Partner Data: Name, company information, contact details, billing details, contractual agreements, and project requirements.
  - Lawful Basis: Contractual necessity (to fulfill services) and legitimate interest (ongoing business relationships).
- E-Commerce User Data: Order history, transaction details, payment information (processed via secure third-party payment processors), shipping addresses, and customer support interactions.
  - Lawful Basis: Contractual necessity (to complete transactions) and legal obligation (financial compliance).
- Website Visitor Data: IP address, browser type, browsing behavior, device identifiers, referral sources, and analytics data.
  - Lawful Basis: Legitimate interest (website optimization and security) and consent (for cookies and analytics where required).
- Marketing & Communication Data: Email correspondence, social media interactions, newsletter preferences, and advertising analytics.
  - Lawful Basis: Consent (for marketing communications) and legitimate interest (business growth).
- Employment & Collaboration Data: CVs, professional qualifications, and other information provided for employment or collaboration purposes.
  - Lawful Basis: Consent (job applications) and contractual necessity (employment processing).
Sensitive data is processed only with explicit consent or as legally required.
3. DATA SUBJECT RIGHTS & HOW TO EXERCISE THEM
Under GDPR, PDPA, and CCPA/CPRA, individuals have the following rights:
- Right to Access: Obtain a copy of your personal data.
- Right to Rectification: Correct inaccurate or incomplete data.
- Right to Erasure: Request deletion under lawful conditions.
- Right to Data Portability: Obtain and reuse data across services.
- Right to Object: Restrict or object to processing, where applicable.
- Right to Withdraw Consent: Withdraw consent for data processing at any time.
- Right to Limit Use and Disclosure of Sensitive Data (CCPA/CPRA-specific).
To exercise any of these rights, contact us at hello@schemacreative.agency. Requests will be processed within legally required timeframes.
For CCPA/CPRA compliance, we provide a “Do Not Sell or Share My Personal Information” link and a “Notice at Collection” where required.
4. DATA SECURITY & INFRASTRUCTURE
We uphold the highest industry standards in data security:
- Hosting via Wix Studio with built-in security certifications.
- Business email communications via Google (Gmail for Business).
- Secure data storage with Google Drive, Microsoft OneDrive, and Adobe Cloud.
- Encrypted financial transactions through trusted third-party payment gateways.
- Multi-factor authentication and access control mechanisms for all stored data.
- Regular security audits and compliance reviews.
5. THIRD-PARTY DATA SHARING & INTERNATIONAL TRANSFERS
We only share personal data with third parties under the following conditions:
- Legal Compliance: When required by Thai, EU, or other applicable laws.
- Service Providers: Trusted cloud storage, payment processors, and marketing tools.
- Business Transfers: In the event of a merger, acquisition, or asset sale.
- Ethical Enforcement: In cases involving unethical business practices or violations of our Terms and Conditions, particularly with respect to prohibited Russian-aligned entities.
International Data Transfers:
- Data may be transferred internationally via Standard Contractual Clauses (SCCs) where required.
- Transfers comply with GDPR adequacy decisions or binding corporate rules where applicable.
We do not sell personal data under any circumstances.
6. DATA RETENTION POLICY
We retain data only for as long as necessary:
- Client data: Up to 5 years post-contract.
- E-commerce data: Up to 7 years for financial compliance.
- Website analytics data: Up to 3 years.
- Employment-related data: Up to 2 years post-application unless required otherwise by law.
Data minimization and purpose limitation principles are strictly followed.
7. JURISDICTION & DISPUTE RESOLUTION
Schema Agency is subject to Thai and EU data protection laws. Legal disputes related to privacy matters shall be resolved in Thai courts, with EU courts as an alternative jurisdiction where applicable.
For ethical violations, such as affiliations with Russian-aligned entities, legal action may be pursued in cooperation with Lithuanian, EU, Thai and Ukrainian authorities as applicable, as well as other relevant international enforcement bodies. It is the responsibility of all parties to be aware of all ethical and service provision conditions. Please see our Service Terms & Conditions, Refund Policy, Activist Statement, relevant contractual agreements and official communication relevant to the definitions of our ethical standards.
8. ACCOUNTABILITY & COMPLIANCE MEASURES
We demonstrate compliance through:
- Data Protection Impact Assessments (DPIAs) for high-risk data processing.
- Regular policy reviews and audits to ensure ongoing compliance.
- Potential appointment of a Data Protection Officer (DPO) if required.
- Data Breach Notification Procedures for authorities and affected individuals.
9. CONSENT MECHANISMS
- Consent is freely given, specific, informed, and unambiguous.
- Users can withdraw consent at any time by contacting hello@schemacreative.agency.
- Explicit consent is required for sensitive personal data processing.
10. POLICY MAINTENANCE & UPDATES
- This policy is reviewed annually or as required by regulatory changes.
- We actively monitor legislative developments to ensure compliance.
- Updates will be published on our website and communicated where necessary.
11. DEFINITIONS
- Personal Data: Information that can identify an individual (as per GDPR, PDPA, CCPA/CPRA).
- Sensitive Personal Data: Data requiring additional protection under law (e.g., biometric data, racial/ethnic origin, financial information).
For inquiries, contact us at hello@schemacreative.agency.