Skip to main content
§ 01 Privacy

Data, where it goes.

The contact form is the only data this site collects. Below: what comes in, who processes it on our behalf, how long it stays, and the rights that apply.

What this site collects.

The contact form on /contact accepts five fields. Three are required, two optional.

  • Name: required.
  • Email: required, used to reply.
  • Company: optional.
  • How did you find us?: optional, open-ended.
  • Message: required, up to 5,000 characters.

On submission, the backend also records the source IP address (provided by Cloudflare), a country code derived from that IP, and a UTC timestamp. Worker server logs hold counts and error codes only, never message bodies, names, or address strings.

This site loads no third-party scripts, sets no cookies, and uses no browser storage (no localStorage, no sessionStorage). No tracking pixels, no fingerprinting, no advertising tags.

Subprocessors.

Three subprocessors, each scoped to a specific function.

Cloudflare, Inc. (United States)
DNS, Worker hosting (the form endpoint at api.guritechnologies.com), Turnstile bot challenge, inbound routing for the company contact mailbox.
Data exposure: all form fields plus IP and country, briefly in transit.
Resend, Inc. (United States, on AWS SES infrastructure)
Outbound email delivery: the internal notification to the company contact mailbox, and the auto-reply to the submitter.
Data exposure: name, address, company, message, and the source field.
Google LLC (Google Workspace, United States)
Recipient inbox at the company contact alias, where notifications land and threads continue.
Data exposure: full email thread, retained per Google Workspace policy.

All transit is HTTPS / TLS-enforced. Cloudflare Turnstile is a privacy-respecting bot-challenge widget. Per Cloudflare's documentation it does not set cookies and does not fingerprint browsers.

Retention period.

Form submissions and the email thread that follows are retained for 24 months from last contact. After that window:

  • The Google Workspace thread is permanently deleted.
  • The Resend dashboard record is purged.
  • Cloudflare Worker logs (which only hold counts and error codes) have already cycled out of Cloudflare's default observability window, currently 24 hours per the service tier in use.

Data tied to an active engagement is retained per the engagement contract and statutory accounting obligations under Thai law (typically five years from contract close).

Cookies and analytics.

This site sets no cookies, no analytics tags, no fingerprinting scripts, and no third-party trackers. There is no consent banner because there is nothing to consent to. If that changes, this notice is updated and the change date below is revised.

Rights under PDPA and GDPR.

Under Thailand's Personal Data Protection Act (PDPA, B.E. 2562 / 2019), and the General Data Protection Regulation for visitors based in the EU, UK, or other GDPR-aligned jurisdictions, the following rights apply to data this site holds about you.

  • Access: request a copy of what is held.
  • Correction: ask for inaccurate data to be corrected.
  • Deletion: ask for the data to be erased.
  • Restriction: limit how the data is processed.
  • Portability: receive a machine-readable copy.
  • Objection: refuse processing on legitimate-interest grounds.
  • Withdrawal of consent: at any time, where processing rests on consent.
  • Complaint: to Thailand's Personal Data Protection Committee (PDPC), or to your local supervisory authority in the EU / UK.

To exercise any of these, use the contact form . Responses are issued within 30 days under PDPA, and within 30 days under GDPR (extendable to 60 days for complex requests, with notification).

Data controller.

Entity
Guri Technologies (Thailand) Co., Ltd.
Registered address
30 Soi Sukhumvit 61 (Sethbut), Khlong Tan Nuea, Watthana, Bangkok 10110
Sole director
Disclosed on request
Contact channel
The contact form on this site.

A separate Data Protection Officer is not appointed. Under PDPA Section 41, a DPO is mandatory only for specific processing activities (large-scale sensitive data, public-authority processing, regular and systematic monitoring), none of which apply at the current scale of operation. The sole director acts as the responsible person for data-protection enquiries.

Updates to this notice.

This notice was last updated on 2026-05-08. Material changes (new subprocessors, new collected fields, expanded retention) are recorded with a revised date. Cosmetic edits (typo fixes, link updates) do not trigger a date change.

Statutory entity disclosure on /legal .