Privacy Policy

Last Updated: 29 January 2024

Clawverse Pte. Ltd. ("we", "us", "our") takes the privacy of users on the Clawverse online claw machine platform (clawverse.co and our mobile apps) seriously. This policy explains how we collect, use, disclose, store, and protect your personal data, in compliance with Thailand's Personal Data Protection Act B.E. 2562 (2019) (PDPA) and Singapore's Personal Data Protection Act 2012. By using our services you acknowledge and accept this policy.

1. Personal data we collect

We collect only the data necessary to provide our services: (1) Account data — name, email, phone number, password (stored as a bcrypt hash), and date of birth for age verification; (2) Shipping data — destination address used solely to deliver prizes you win; (3) Transaction data — point top-ups, point usage, and purchase history; (4) Gameplay data — which machines you played, when, and the outcome, used to verify wins and shipments; (5) Technical data — IP address, device type, browser, operating system, and cookie data; (6) Approximate location data (derived from IP) so we can show you partner shops in your country. We do NOT store credit or debit card numbers. All payments are processed by PCI-DSS certified payment providers.

2. Purposes and lawful bases for processing

We process your personal data only on the following lawful bases: (a) Performance of contract — to authenticate you, open your account, process gameplay, top up points, and ship prizes; (b) Legal obligation — age verification, retention of transaction records under tax and anti-money-laundering laws; (c) Legitimate interest — fraud prevention, fake-account detection, system security, and aggregated usage analytics to improve the service; (d) Consent — sending you marketing emails and promotional SMS (you can withdraw consent any time via the unsubscribe link). We will not use your data for any other purpose without obtaining additional consent first.

3. Disclosure to third parties

We do NOT sell your personal data. We disclose data only as needed to provide the service: (1) Payment processors such as PromptPay (via licensed Thai banks) to process top-ups; (2) Partner shops where you play — limited to your member ID and the shipping address required to send your won prize; (3) Logistics providers such as Kerry Express, Flash Express, and J&T Express to deliver prizes; (4) Infrastructure providers such as Cloudflare (CDN and security), Google Analytics, and Google Tag Manager (aggregate-level usage analytics); (5) Government and law-enforcement authorities, when served with a valid legal request. All data processors must sign a Data Processing Agreement (DPA) and meet equivalent data-protection standards.

4. Cookies and tracking technologies

We use three types of cookies on clawverse.co: (a) Strictly Necessary — to maintain login sessions and your point balance. These cannot be disabled because the core service depends on them; (b) Analytics — Google Analytics 4 and Cloudflare Insights collect anonymized usage data, such as pages visited, time on page, and click paths, to help us improve performance; (c) Marketing — for remarketing on platforms like Facebook and Google Ads. Marketing cookies require your consent before activation. You can manage your cookie consent through the banner shown on first visit, or clear cookies via your browser settings at any time.

5. Data retention

We retain personal data only as long as needed to fulfill the purposes for which it was collected, or as required by law: (1) Active account data — for the lifetime of the account; (2) Transaction and payment records — 10 years, per Thai tax and anti-money-laundering laws; (3) Shipping addresses — 2 years from your last delivery, for dispute resolution and returns; (4) Gameplay logs — 90 days, to investigate any disputed wins; (5) Analytics cookie data — up to 26 months. When an account is closed or deleted, we remove personal data within 90 days, except for data we are legally required to retain longer.

6. Security measures

We apply both technical and organizational measures to protect your data: (1) Encryption in transit (TLS 1.3) and at rest (AES-256 on the database); (2) User passwords stored as bcrypt hashes — never reversible; (3) HSTS preload, Content Security Policy, X-Frame-Options, and other OWASP-aligned HTTP security headers; (4) Access to data restricted by the Principle of Least Privilege; (5) Audit logs of all data access; (6) Regular internal security reviews and an annual third-party penetration test. No system is 100% secure. In the unlikely event of a data breach, we will notify affected users and the PDPC within 72 hours, as required by law.

7. Your rights as a data subject

Under PDPA you have the following rights: (1) Right of access — request a copy of the personal data we hold about you; (2) Right to rectification — correct inaccurate or outdated data; (3) Right to erasure — request deletion (unless we have a legal basis to keep it); (4) Right to object — object to processing for direct marketing; (5) Right to restrict processing — temporarily pause processing; (6) Right to data portability — receive your data in a machine-readable format; (7) Right to withdraw consent — withdraw any consent-based processing; (8) Right to lodge a complaint — file a complaint with the Personal Data Protection Committee (PDPC). Exercise these rights by emailing [email protected]. We will respond within 30 days at no cost.

8. Children's privacy

Clawverse is restricted to users 18 years and older. We do not knowingly collect personal data from children under 13. Users aged 13–17 must register with the consent of a parent or legal guardian. If we discover an account was created by a minor without consent, we will remove the data immediately. Parents who suspect their child has registered without permission may contact us at [email protected].

9. Contacting our Data Protection Officer (DPO)

For questions, concerns, or requests regarding the processing of your personal data — or to exercise any of the rights listed above — contact our Data Protection Officer at: [email protected] (response within 30 business days); customer service: [email protected]; Clawverse Pte. Ltd., Singapore. If you are not satisfied with our handling of your request, you have the right to file a complaint with the Personal Data Protection Committee (PDPC) at pdpc.or.th. This policy may be updated from time to time. The most recent update date is shown at the top of this page.