Privacy Policy
Effective: 23 April 2026
1. Introduction
MuCraft is operated by TecTony Co., Ltd. ("the Company" or "we"). We respect your privacy and comply strictly with Thailand's Personal Data Protection Act B.E. 2562 (PDPA). This policy describes what we collect, how we use and disclose it, and how we protect it. By using the service you agree to the terms set out here.
2. What we collect
(a) Account data — email, display name, profile picture from your OAuth provider (Google, LINE), and access/refresh tokens stored in encrypted form. (b) Birth data — name, date, time, and place of birth. (c) Biometric data — scores extracted from face and palm scans in a non-reversible form; we never keep raw images. (d) Usage data — readings, Oracle questions, remedy purchases, and technical logs needed for debugging.
3. How we use your data
To compute and display your readings; to create and run your personal AI Guardian; to manage your account and process payments; to send essential service communications; and to improve the service. We do not use your data for behavioural advertising, and we do not perform cross-site tracking.
4. Third-party disclosure
We do not sell your data. We disclose it only to the processors we need to run the service: Cloudflare (infrastructure, compute and storage in ASEAN), Sanity (CMS), Stripe (payments), and AI providers that encrypt data in transit and do not retain the content submitted to them. All third parties are bound by data-protection agreements.
5. Retention
Account and birth data are kept for as long as you use the service. When you delete your account we erase it within 30 days. Biometric data is kept for no more than 72 hours and then deleted automatically. Payment records are retained for 7 years to comply with the Thai Revenue Code. Technical logs are kept for 90 days.
6. Your data-subject rights
Under the PDPA you have rights to access, rectify, erase, restrict, port, object, and withdraw consent. See /pdpa for details and how to exercise each right, or email hello@mucraft.app. We respond within 30 days as required by law.
7. Security controls
Personal data is encrypted at rest with AES-256-GCM; all traffic is served over HTTPS with HSTS enforced; a Content-Security-Policy limits the impact of XSS; every inbound webhook is checked against its HMAC signature before it is processed; rate limits curb abuse; and access logs are reviewed regularly. OAuth access and refresh tokens are encrypted at the field level before storage.
8. Contact
Data Protection Officer (DPO): TecTony Co., Ltd., Bangkok. Email hello@mucraft.app. For regulatory complaints, contact Thailand's Personal Data Protection Committee (PDPC) at https://www.pdpc.or.th.