Privacy Policy (Personal Data Protection Notice) - Sundae Cloud (SundaeVPS)
Sundae VPS places the highest priority on respecting and protecting the privacy of its customers. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data, as well as the legal rights available to you. By registering for and using our services, you acknowledge that you have read, understood, and agreed to this Privacy Policy in full.
1. Personal Data We Collect
We collect only the personal data necessary to provide our services. This may include the following categories:
- Full name, email address, mobile phone number, and billing address, which we use to verify customer identity and, where necessary, to investigate suspicious transactions.
- Order history, payment history, payment slips, and package details. We do not store full credit card information. Such information is processed securely by third-party payment gateway providers.
- IP address, login logs, browser type and version, time zone, operating system, website traffic data, and activity logs within the Control Panel.
- Conversation history, email correspondence, and other inquiries you send to the Service Provider.
2. Purposes of Processing
We process your personal data on a lawful basis for the following purposes:
- To provide services, including account creation, identity verification, Instance provisioning, billing, and technical support.
- To maintain security and prevent fraud by detecting suspicious activity, preventing fake account registrations, preventing cyberattacks, and preventing the use of stolen credit cards or accounts.
- To comply with legal obligations, including retention of logs under the Computer Crime Act and the preparation of tax records.
- To improve our services and notify you, including service status updates, such as maintenance or low balance warnings, service analytics, and marketing communications, which you may opt out of at any time.
3. Consequences of Refusing to Provide Information or Providing False Information
- The data we collect is essential to entering into and performing the service contract. If you do not wish to provide such information, we reserve the right to refuse service.
- Customers must provide true and current information at all times. If the system detects, or there is reasonable cause to believe, that you have used a false name, temporary email address, unreachable telephone number, or another person’s information, the Service Provider has the absolute right to suspend the account, permanently delete the Instance data, hold any remaining balance, and may forfeit such funds to cover penalties or damages caused by your conduct, immediately and without prior notice and without any refund in any case.
4. Disclosure and Sharing of Personal Data
We are committed to not selling, exchanging, or leasing your personal data to third parties. We may share your information only in the following circumstances:
- Third-party service providers, such as data centers for network coordination, payment gateways, and email or SMS delivery providers, each of whom must maintain strict confidentiality.
- Law enforcement and government authorities. We will cooperate with and disclose personal data, including usage logs, to police officers, courts, or government agencies immediately upon lawful request, including where required by a court order, without obtaining your prior consent.
5. Data Retention and Security
- We retain your personal data for as long as you remain a customer and for an additional 3 years after your account is closed, for accounting dispute purposes or as otherwise required by law.
- Even if you delete an Instance or request account deletion, Thai law requires us to retain traffic logs and IP address records for at least 90 days.
- We apply strict technical and administrative safeguards, such as SSL encryption, firewalls, and access controls, to prevent loss, unauthorized access, alteration, or disclosure of data.
6. Your Legal Rights
Under the Personal Data Protection Act (PDPA), you have the following rights:
- Right of access and copy: you may request access to the personal data we hold about you.
- Right to rectification: you may update your data through the Control Panel to ensure it is accurate and current.
- Right to erasure: you may request deletion of your data when it is no longer necessary. However, this right is not absolute. We reserve the right to refuse deletion if retention is still necessary to prevent fraud, preserve evidence in a dispute, or comply with criminal law or the Computer Crime Act.
- Right to object and restrict processing: you may object to the use of your data for marketing purposes.
7. Cookies
Our website uses cookies to distinguish you from other users, which helps you remain logged in, provides a smoother user experience, and allows us to analyze website performance through tools such as Google Analytics. If you disable cookies in your browser, some Control Panel features may not function properly.
8. Changes to This Policy
The Service Provider reserves the right to update, amend, or modify this Privacy Policy at any time. For changes that materially affect your personal data, we will notify you by email or by a clear notice on the website before the changes take effect. Continued use of the services after the revised policy becomes effective constitutes acceptance of the updated policy.
9. Allocation of Responsibility and Sensitive Data Handling
The Service Provider and the Customer agree to operate under a shared responsibility model, which is legally binding under the PDPA and the Computer Crime Act, as follows.
9.1 Service Provider’s Responsibility
- The Service Provider acts only as an infrastructure provider and a personal data processor with respect to the information used for account registration, such as name, email, and telephone number.
- The Service Provider is responsible only for the physical security of the data center, hardware stability, and upstream Hypervisor and network security.
9.2 Customer Responsibility
- The Customer acts as the data controller for all information stored, uploaded, or processed within the Customer’s Instance.
- If the Customer stores highly sensitive personal data under the PDPA, such as health data, biometric data, criminal records, religion, third-party passwords, or credit card data, the Customer is solely responsible for encrypting such data at rest, in transit, and in use.
- Security of the operating system, software updates, access control, and internal firewall configuration are the Customer’s sole responsibility.
9.3 Liability Conditions and Limitations
- The Service Provider shall be liable for damages only if the Customer can prove under applicable law that the data breach resulted from the Service Provider’s gross negligence at the infrastructure level.
- Where the Service Provider is not liable, the Service Provider shall bear no civil or criminal liability if sensitive data is leaked through application-level compromise, errors in Customer code, or third-party intrusion through the Customer’s own systems.
- If a court or government authority ultimately requires the Service Provider to share liability, the Service Provider’s maximum liability shall be limited to the amount of service fees paid by the Customer to the Service Provider for the most recent billing cycle of the affected Instance. The Service Provider shall not be liable for consequential damages, loss of opportunity, or the value of lost data in any case.
10. Data Breach Response Measures
The Service Provider maintains a structured process for responding to data breaches and allocates responsibility based on the origin of the incident as follows.
10.1 Breach Originating from the Service Provider’s Infrastructure
If an attack or failure occurs at the infrastructure level, including hardware, Hypervisor, or the SUNDAE VPS Control Panel, the Service Provider will follow the protocol below:
- Investigation: engineers and security specialists will begin root cause analysis, assess the scope of the damage, and identify the affected data within 24 hours of notice or detection.
- Mitigation: the affected systems will be isolated, source IP addresses involved in the attack will be blocked, access may be temporarily disabled, and patches will be applied immediately to prevent further exposure.
- Recovery: infrastructure will be restored from secure backup systems and returned to normal service as quickly as possible.
- Countermeasures: the security architecture will be reviewed, firewall rules updated, employee access policies revised, and a post-incident report prepared.
- Notification Protocol: if the breach is assessed as posing a high risk to the rights and freedoms of affected users, the Service Provider will notify affected users and the Personal Data Protection Committee (PDPC) within 72 hours after becoming aware of the incident, in accordance with PDPA requirements.
10.2 Breach Originating Within the Customer’s Instance
- If the data leak arises from hacking through an application, website, weak password, vulnerable script, or weak security configuration within the Customer’s own OS, the incident is 100 percent the Customer’s responsibility as the data controller, and the Customer must conduct investigation, mitigation, recovery, and reporting to government authorities on its own.
- In such a case, the Service Provider has the absolute right to disconnect or delete the Instance immediately to prevent malware or the attack from spreading to the shared network, and such action shall not constitute wrongdoing by the Service Provider.
11. Contact Us
If you have any questions regarding this Privacy Policy or wish to exercise your personal data rights, please contact us at:
- Facebook: sundaevps
- Instagram: sundaecloud_th