Privacy Policy
Last updated: 14 April 2025 · Heritor Co., Ltd. · Bangkok, Thailand
1. Introduction
Heritor is a family business advisory practice based in Bangkok, Thailand. We work with family businesses on governance, continuity, and leadership. In providing these services, we handle personal information carefully and with respect for the trust that our clients and enquirers place in us.
This Privacy Policy explains what personal data we collect, how we use it, how we protect it, and what rights you have in relation to it. It applies to information collected through our website and in the course of our advisory engagements.
We are subject to Thailand's Personal Data Protection Act B.E. 2562 (PDPA), which came into full effect in June 2022. Where clients are based in the European Union or European Economic Area, we also have regard to GDPR principles in the handling of their data.
If you have questions about this policy or about how we handle your data, please contact us at [email protected].
2. Personal Data We Collect
We collect only the personal data that is necessary to respond to enquiries and deliver our advisory services. This includes:
2.1 Information you provide directly
- Name — to address you appropriately and identify the individuals involved in an engagement
- Email address — to communicate with you about your enquiry or engagement
- Phone number — where provided, to arrange calls or meetings
- Message content — any details you include in the contact form or in correspondence
- Business information — the name and nature of your family business, where relevant to the scope of an engagement
2.2 Information collected automatically
- Technical data — IP address, browser type, pages visited, and time of visit, collected via analytics tools
- Cookie data — see Section 6 and our Cookie Policy for full details
2.3 Legal basis for processing (PDPA / GDPR)
- Consent — for marketing communications and analytics cookies, where you have given consent
- Legitimate interest — for website analytics and improving our services
- Contractual necessity — to deliver the advisory services you have engaged us to provide
- Legal obligation — where we are required to retain records by applicable law
2.4 Retention periods
- Contact enquiry data is held for up to 2 years from the date of enquiry if no engagement follows
- Engagement records are held for up to 7 years following the close of an engagement, in accordance with Thai accounting and commercial record requirements
- Analytics data is retained for up to 26 months, in line with standard analytics platform settings
3. How We Use Your Personal Data
3.1 To respond to enquiries
When you contact us through the website form, we use your name, email address, and message to respond to your enquiry and to assess whether an engagement may be appropriate.
3.2 To deliver advisory services
Where an engagement proceeds, we use personal data to communicate with you, to schedule meetings and interviews, and to produce written outputs agreed under the engagement. We handle all such data with the strict confidentiality that is standard to our practice.
3.3 To improve our website
We use aggregated analytics data to understand how our website is used and where it can be improved. This data does not identify you personally.
3.4 Data sharing with third parties
We do not sell, rent, or trade personal data. We may share data with the following third parties only as necessary:
- Google Analytics — for website usage analytics (anonymised)
- Email and calendar providers — to manage correspondence and scheduling
- Professional advisors — accountants and legal advisors, where required by law
All third parties are required to handle personal data in accordance with applicable data protection law.
3.5 Marketing communications
We do not send marketing emails without your explicit consent. If you have given consent and wish to withdraw it, you may do so at any time by contacting [email protected].
4. How We Protect Your Data
We take the security of personal data seriously. The measures we maintain include:
- Encryption in transit — all data transmitted between your browser and our website is encrypted via HTTPS (TLS)
- Access controls — personal data held in our systems is accessible only to those who need it to deliver our services
- Secure storage — engagement documents and correspondence are held in access-controlled digital environments
- Minimal collection — we do not collect personal data beyond what is necessary for the purposes described in this policy
- Breach notification — in the event of a data breach that affects your rights, we will notify you and the relevant supervisory authority within the timeframes required by applicable law
5. International Data Transfers
Our primary operations are based in Bangkok, Thailand. Where we use third-party services (such as cloud-based email or analytics platforms) that may process data outside Thailand, we take steps to ensure that appropriate safeguards are in place, consistent with the requirements of the PDPA and, where applicable, GDPR.
6. Cookies
Our website uses cookies to support basic functionality and, with your consent, to collect anonymised usage data. The cookies we use fall into the following categories:
- Essential cookies — required for the website to function; they cannot be disabled
- Analytics cookies — used to understand how visitors use the site; only set with your consent
- Preference cookies — used to remember your cookie consent choice
You can manage your cookie preferences at any time through our Cookie Policy page.
7. Your Rights
Under the Thailand PDPA and, where applicable, GDPR, you have the following rights in relation to your personal data:
- Right to access — to request a copy of the personal data we hold about you
- Right to rectification — to ask us to correct inaccurate or incomplete data
- Right to erasure — to ask us to delete your personal data, subject to any legal obligations to retain it
- Right to data portability — to receive your data in a structured, commonly used format
- Right to object — to object to processing based on legitimate interest
- Right to withdraw consent — to withdraw consent for processing at any time, without affecting the lawfulness of prior processing
- Right to lodge a complaint — with the Personal Data Protection Committee (PDPC) in Thailand, or with your local supervisory authority if you are based in the EEA
To exercise any of these rights, please contact us at [email protected]. We will respond within 30 days.
8. Third-Party Links
Our website may contain links to external websites or resources. We are not responsible for the privacy practices of those sites. We encourage you to read the privacy policy of any external site you visit.
9. Children's Privacy
Our services are directed at individuals aged 18 and above. We do not knowingly collect personal data from anyone under the age of 18. If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of the page. If we make material changes, we will take reasonable steps to inform you — for example, by placing a notice on our website. Your continued use of our website after any changes constitutes your acknowledgement of the updated policy.
11. Contact
For any questions or requests relating to this Privacy Policy or to the handling of your personal data, please contact us:
Heritor
39 Yaowarat Road, Khwaeng Samphanthawong, Khet Samphanthawong, Bangkok 10100, Thailand