NET Training Logo
Important Information

Privacy Policy

Effective from 1 May 2026 (version v2-2026-05) | Natural Energy Tech Co., Ltd.

This policy is prepared in accordance with the Personal Data Protection Act B.E. 2562 (Personal Data Protection Act — PDPA) and explains how we collect, use, disclose, and protect the personal data of those who use our safety training and consulting services.

1. Information We Collect

We collect your personal data in order to provide training, issue certificates, and perform our contractual obligations, categorized as follows:

1.1 General Personal Data

  • Full name and title
  • Email and telephone number
  • Address (for issuing tax invoices and delivering certificates)
  • Job position and affiliated company/organization

1.2 Trainee-Specific Data

  • National ID / passport number — used for identity verification
  • Date of birth and educational qualifications
  • Trainee photograph (where required for a certificate or ID card, e.g. CP Safety Passport)
  • Copy of ID card, educational certificates, or documents verifying course-specific eligibility

1.3 Trainee Data You Submit

If you are an HR officer / coordinator registering on behalf of trainees in the name of a company, the personal data of trainees that you provide to us will likewise be processed under this policy. You must be authorized to submit other persons' data and must inform the trainees in advance that their data will be processed by NET for training purposes.

NET's legal role: NET acts as the Data Controller for all processing described in this policy — including data submitted via HR officers/coordinators. NET directly determines the purposes and means of processing.

1.4 Sensitive Health Data (certain courses only)

For courses involving physical risk where the law requires trainees to pass a medical examination, such as working at height (towers) and confined-space work, we may collect your medical certificate, which is classified as sensitive personal data under PDPA Section 26.

  • We collect only the data necessary to assess readiness to attend the training
  • Access is restricted to authorized personnel only
  • Deleted or destroyed after the end of its useful life under the retention policy (Section 6)

1.5 Website Usage Data

  • IP address, browser type, operating system
  • Pages visited, time spent, and click behavior
  • Cookies and similar technologies (details in Section 3)

2. Purposes and Legal Bases for Processing

Under PDPA Section 24, your data will be processed under one of the following legal bases:

PurposeLegal Basis
Registering, organizing, and delivering the training you signed up forPerformance of a contract (§24(3))
Issuing receipts, tax invoices, and keeping accounting recordsCompliance with the law (§24(6))
Issuing certificates and printing ID cards for trainees who passPerformance of a contract (§24(3))
Retaining medical certificates for high-risk coursesConsent (§26) + public health interest (§26(5))
Reporting to government agencies as required by law (e.g. Department of Skill Development, Department of Industrial Works)Compliance with the law (§24(6))
Analyzing website usage to improve our servicesLegitimate interest (§24(5))
Maintaining system security and preventing misuseLegitimate interest (§24(5))

3. Use of Cookies

Our website uses cookies and similar technologies to provide a better service, in three categories:

Necessary Cookies

Essential to the operation of the website — cannot be disabled. Used for login, identity verification, and security.

Tools: Firebase Authentication, session cookie

Analytics Cookies

Help us understand how visitors use the website in order to improve performance. Data is collected in anonymized form.

Tools: Firebase Analytics / Google Analytics (lifetime up to 26 months)

Functional Cookies

Remember your settings and preferences, such as language, color theme, and temporarily saved forms.

Tools: localStorage (stored in your own browser)

You can manage cookies through your browser settings. Disabling certain types of cookies may cause some services to function incompletely.

4. Sharing Data with Third Parties

We do not sell, trade, or provide your personal data to outside parties for marketing purposes. However, we may disclose data to the following third parties in order to provide our services for their stated purposes:

4.1 Technology Service Providers (Data Processors)

  • Google Firebase / Google Cloud — database (Firestore), authentication, file storage (Cloud Storage), and processing (App Hosting)
  • Cloudflare — Content Delivery Network (CDN), DNS, and DDoS protection
  • Email service providers — for sending OTP notification emails and registration confirmations
  • Document delivery providers — for delivering certificates, PVC cards, and paper receipts

4.2 Training-Related Organizations

  • CP Safety Passport system (cpsafetypassport.net) — if you take a course within the Charoen Pokphand Group (CP Group), we will submit the data of those who pass into the system to issue cards
  • Metropolitan Electricity Authority (MEA) / Provincial Electricity Authority (PEA) — for courses certified by these agencies
  • Department of Skill Development / Department of Industrial Works / Department of Energy Business — reporting trainees who pass, as required by law
  • Commissioning company (for In-house Training) — we will provide the list of trainees and training results to the company that organized the training

4.3 Government Agencies and Law Enforcement

  • The Revenue Department and accounting/tax agencies as required by law
  • Law enforcement agencies, where required by a court order or the law

All data recipients are bound by confidentiality terms and process the data solely for the stated purposes.

5. Cross-Border Data Transfers

Our systems use cloud services from international providers, which may process and store your data in the following countries:

  • Google Firebase / Google Cloud — primary data is stored in Singapore (asia-southeast1). Some processing, such as sending email and cross-region backups, may be carried out in the United States where the provider deems it necessary.
  • Cloudflare — a CDN network distributed across data centers worldwide, used to accelerate website loading and provide security-essential cookies. Data passing through Cloudflare is anonymized.

Cross-Border Transfer Safeguards (PDPA §28-29)

  • All providers are certified to ISO/IEC 27001, SOC 2, and other relevant security standards
  • Data is encrypted both in transit (TLS 1.3) and at rest (AES-256)
  • Governed by a Data Processing Agreement — the cloud providers (Google, Cloudflare) have signed DPAs requiring them to process data only on our instructions and to protect data to international standards
  • The destination countries have an adequate level of data protection by international standards

6. Data Retention Periods

We will retain your data for as long as necessary for its purpose, or as required by law, as follows:

Data TypePeriodReason
Registration data, receipts, tax invoices10 yearsRevenue Code / tax law
Certificates and training historyFor the lifetime of the certificateUsed to verify the validity of the certificate
Medical certificates (health data)2 years after the trainingSafety verification and legal liability
User accounts and profile dataUntil the account is deletedService provision
Analytics cookies26 monthsThe analytics tool's default setting
System logs (audit log)2 yearsSecurity verification and access traceability

Once the period ends, we will delete or destroy the data in a manner that cannot be recovered.

7. Security Measures

Under PDPA Section 37, we apply appropriate technical and organizational measures to protect your data:

  • Encryption — data is encrypted both in transit (TLS 1.3) and at rest (AES-256)
  • Access Control — a Role-Based Access Control (RBAC) system restricts access to employees who have a genuine need
  • Authentication — multi-factor authentication for staff who access sensitive data
  • Audit Log — all data access and modifications are logged for retrospective review
  • Backup — daily backups in a separate system for recovery in emergencies
  • Security review — regular system updates, vulnerability scanning, and staff security training

8. Your Rights and How to Exercise Them

Under the PDPA, you have the following rights:

  • Right of access (§30) — request a copy of your personal data that we hold
  • Right to rectification (§35) — correct data that is inaccurate or out of date
  • Right to erasure / the right to be forgotten (§33) — request deletion of your data, unless the law requires us to retain it
  • Right to object to processing (§32) — object to processing based on legitimate interest
  • Right to data portability (§31) — receive your data in a machine-readable format
  • Right to withdraw consent (§19) — withdraw consent previously given at any time
  • Right to restrict use (§34) — request restriction of the use of your data while its accuracy is being verified

How to Exercise Your Rights

Submit a request through any one of the following channels:

  • Email: [email protected] (state "PDPA rights request" in the subject line)
  • Line Official: @net10
  • Contact form: /contact
  • Phone: 02-109-4264 (Mon–Sat, 08:00–17:00)

We will respond to your request within 30 days in accordance with PDPA Section 30, free of charge, except in the case of repetitive or excessive requests, where we may charge a fee based on the actual cost incurred.

9. Data Breach Notification

In the event of a personal data breach that may affect you, we will act in accordance with PDPA Section 37:

  • Notify the Personal Data Protection Committee Office (PDPC) within 72 hours of becoming aware of the incident
  • Notify you directly by email or another appropriate channel, if the breach poses a high risk to your rights and freedoms
  • Take measures to mitigate the impact and prevent a recurrence of similar incidents
  • Advise you on the self-protection measures you should take

10. Right to Lodge a Complaint with the PDPC

If you believe that our processing of your data does not comply with the PDPA, you may lodge a complaint directly with the Personal Data Protection Committee Office (PDPC):

Personal Data Protection Committee Office (PDPC)

Website: https://www.pdpc.or.th

Email: [email protected]

Phone: 02-142-1033

However, we ask that you inform us first (Section 13) so that we can address the matter promptly.

11. Age Restriction for Users

Our safety training courses are open only to those who are at least 18 years of age, because the content concerns work in high-risk environments and labor law sets a minimum working age. If you are under 18, please do not submit data through our system. If we discover a registration by a person under 18, we will delete the data and cancel the registration immediately, and notify the guardian as required by PDPA Section 20.

Note: PDPA Section 20 requires those who are not yet of legal age (under 20 years old) to obtain guardian consent in certain cases. Our 18-year threshold is stricter than the legal requirement, as a company safety policy.

12. Changes to This Policy

We may update this policy from time to time to reflect changes in the law, technology, or our services:

  • Minor changes (correcting typos, refining wording) — announced on the website, with the effective date and version updated
  • Material changes (adding/removing processing purposes, changing a key provider) — notified by email and announced on the website at least 30 days before they take effect, and we may seek fresh consent where necessary

You can view the current version and effective date at the top of this page.

13. Contact Us

If you have questions about this policy, or wish to exercise your rights under the PDPA, please contact:

Data Protection Contact

Natural Energy Tech Co., Ltd.

44/99 Moo 9, Bang Phut Subdistrict, Pak Kret District, Nonthaburi 11120

PDPA email: [email protected]

Phone: 02-109-4264 (Mon–Sat, 08:00–17:00)

Line Official: @net10

← Back to home

Version v2-2026-05 · Effective 1 May 2026