This Privacy Policy documents how Othello International — a Bangkok-domiciled institutional bilingual translation, interpretation, and ESG advisory firm — collects, processes, retains, and protects personal data across its scoping, engagement, production, and audit-trail workflows. Othello is registered in Thailand and primarily regulated under the Personal Data Protection Act B.E. 2562 (Thai PDPA · effective 1 June 2022). For European-language engagements (see European Languages Translation) and EU-domiciled client matters, EU GDPR (Regulation 2016/679) is the substantive primary anchor. For regional ASEAN engagements (Indonesian, Vietnamese, Malaysian, Singaporean, Philippines, Cambodian, Lao, Burmese matter), regional data-protection frameworks apply as set out in Section 06 · International Transfers and Section 07 · Your Rights. The substantive operational anchor of this policy is Othello’s engagement-tier NDA-from-first-email discipline — privacy protection begins at first contact, not at engagement-letter signature.
Before the substantive policy sections, the four operational privacy commitments below anchor Othello’s engagement-tier data protection posture. These are the procurement-relevant commitments that institutional procurement panels routinely test for at scoping. They apply across in-house bench production (Thai-English · Japanese · German Desk) and partner-routed production (Korean · Chinese Simplified · Chinese Traditional · Lao · Burmese · Malay · Vietnamese · Khmer · Indonesian · European FR/ES/IT).
The four anchors below operationalise the substantive privacy posture across every engagement, regardless of language or production tier. They are procurement-relevant rather than aspirational — they map to specific operational gates (scoping intake · termbase governance · QA sign-off · audit-trail retention) documented across the engagement-letter framework. Each anchor is enforced at a specific workflow stage and recorded in the engagement-letter chain.
Privacy protection begins at first contact · scoping content protected before engagement letter signed · chain-protected across in-house and partner-routed tiers
Substantive client content never routed through consumer-AI endpoints (ChatGPT/Claude/Gemini) · applies to bench and partner-routed production · engagement-letter bound
QA cycle and sign-off Bangkok bench-direct · partner-routed deliverables never delivered partner-direct to client · privilege chain preserved
One Bangkok-retained audit-trail file per engagement · partner-engagement records consolidated · Thai PDPA + EU GDPR + regional PDPA evidence-tier
Othello International is the data controller for personal data collected and processed under this Privacy Policy. The substantive contact details, regulatory anchor, and substantive contact channels for privacy queries are documented below. For privacy queries, see Section 11 · Changes & Contact for the substantive routing.
Othello International is a Bangkok-domiciled institutional bilingual translation, interpretation, and ESG advisory firm operating from Sathon CBD, Bangkok, Thailand. The firm is registered in Thailand and primarily regulated under Thai data-protection law — the Personal Data Protection Act B.E. 2562 (Thai PDPA), effective 1 June 2022, supervised by the Personal Data Protection Committee (PDPC) under the Ministry of Digital Economy and Society (MDES). For European-language engagements and EU-domiciled client matters, EU GDPR applies as the substantive primary anchor — Othello does not have a separate EU establishment but processes EU personal data in the course of providing translation and advisory services to EU-domiciled clients, EU subsidiaries of Thai parents, and Thai subsidiaries of EU parents. The substantive controller-processor framework for institutional engagements is set out in the engagement-letter framework, with NDA discipline applied from first email contact.
★ CONTROLLER-PROCESSOR FRAMEWORK · For institutional engagement-letter clients, Othello may act as data controller (for its own scoping and BD data) and/or as data processor (for substantive client content provided for translation). The controller-processor framework is set out in the engagement-letter framework on a per-engagement basis, with NDA discipline applied from first email contact and substantive content protection under the engagement-letter chain.
Othello collects personal data across six substantive categories, each tied to a specific operational purpose. The categories below are exhaustive for institutional engagement workflows; ancillary data (e.g. job applicant data, employee data) is governed by separate internal privacy notices on a need-to-know basis. Substantive client content (engagement-protected) is treated under the engagement-letter NDA framework, not under this Privacy Policy’s general public-data framework.
Data submitted via initial contact — name, email, phone, employer, role, substantive engagement context (sector, language combination, deliverable type, target timeline). Collected via email, contact form, scheduled call, RFP submission. NDA-protected from first email under Othello’s standard scoping discipline.
Data recorded at engagement-letter execution — signatory details, billing contact, deliverable schedule, NDA chain documentation, partner-routed engagement records (where applicable). Retained as part of the engagement-letter audit-trail at Bangkok. One audit-trail file per engagement, retained for 6 years post engagement-letter conclusion.
Substantive content provided for translation, interpretation, or ESG advisory — may include personal data within client documents (board materials, BEI/SET disclosures, M&A contracts, arbitration pleadings, etc.). Treated under the engagement-letter NDA framework; processing as data processor on behalf of the client controller.
Engagement-specific terminology and translation memory consolidated under the bench’s 6-year termbase. Substantive client-specific terminology is segmented per engagement — not shared across clients, not used for ML training. The termbase is bench-direct governance, not partner-direct.
Visitor data collected via the website — IP address (truncated), user agent, referrer, page views, session duration. Cookies set per the Cookies Notice. No cross-site tracking, no third-party advertising cookies, no fingerprinting.
Email correspondence, calendar entries, call records for institutional BD and engagement management. Bangkok-domiciled communication infrastructure with engagement-letter-tier NDA discipline. No consumer messaging app routing for substantive content.
Othello processes personal data on five substantive legal bases as set out below. The legal-basis framework aligns with both Thai PDPA s.24 (lawful basis requirements) and EU GDPR Article 6 (lawfulness of processing). The applicable legal basis is determined per data category and per processing purpose — multiple bases may apply concurrently to a given engagement, in which case the most operationally appropriate basis is applied.
Processing necessary for the performance of an engagement letter or scoping agreement to which the data subject is party, or to take steps prior to entering such a contract (scoping intake, NDA execution). The substantive basis for engagement-letter chain processing.
PDPA s.24(3) · GDPR Art.6(1)(b)Processing necessary for the legitimate interests of Othello or a third party — institutional BD, IT security, fraud prevention, internal administrative purposes, network security. Balanced against the rights and freedoms of the data subject under a legitimate-interest assessment (LIA).
PDPA s.24(5) · GDPR Art.6(1)(f)Processing on the basis of freely-given, specific, informed, and unambiguous consent — applies to optional marketing communications, newsletter subscriptions, and other non-essential processing. Consent may be withdrawn at any time without affecting processing prior to withdrawal.
PDPA s.19 · GDPR Art.6(1)(a) / Art.7Processing necessary for compliance with a legal obligation to which Othello is subject — tax record retention (Thai Revenue Code), accounting record retention (Thai Civil and Commercial Code), AML/CFT obligations where applicable, regulatory reporting obligations, court-order compliance. Operationally rare but documented.
PDPA s.24(6) · GDPR Art.6(1)(c)Processing necessary to protect the vital interests of the data subject or another natural person, or for tasks carried out in the public interest. Operationally exceptional — applies primarily in emergency contact or safety-critical interpretation contexts, and recorded under engagement-letter exception protocols.
PDPA s.24(1),(4) · GDPR Art.6(1)(d),(e)For substantive client content provided for translation, interpretation, or ESG advisory, Othello acts as data processor on behalf of the client controller. The engagement-letter framework records the controller-processor relationship, with Othello processing solely on the client’s documented instructions under engagement-letter NDA discipline.
PDPA s.40 · GDPR Art.28Othello retains personal data for operationally-defined periods aligned to engagement-letter chain governance, regulatory obligations, and substantive client-relationship needs. The substantive anchor is the 6-year retention period for engagement-letter audit-trail consolidation — which aligns with Thai Civil and Commercial Code record-keeping requirements (10-year statute of limitations for contractual matters reduced to 6 years for practical engagement-letter chain governance) and EU GDPR storage limitation principle. Specific category-level retention periods are documented below.
★ RETENTION AS PROCUREMENT-RELEVANT POSTURE · The 6-year engagement-letter audit-trail retention is operationally why institutional procurement panels validate Othello’s engagement-tier posture. Procurement governance · attorney-client privilege chain · regulatory-cycle compliance evidence · partner-routed chain documentation — all anchor on the audit-trail file, which is one consolidated Bangkok-retained file per engagement.
Othello shares personal data with four substantive recipient categories under the operational anchors of the engagement-letter chain. The substantive anchor is the partner-routed chain protection — for partner-routed engagements (Korean · Chinese Simplified · Chinese Traditional · Lao · Burmese · Malay · Vietnamese · Khmer · Indonesian · French · Spanish · Italian), partner specialists operate under back-office NDA mirroring the engagement-letter NDA, with substantive privilege chain preservation. Othello does not sell personal data, does not share data with third-party advertisers, and does not route substantive client content to consumer LLM endpoints.
For partner-routed languages (Korean · Chinese Simplified · Chinese Traditional · Lao · Burmese · Malay · Vietnamese · Khmer · Indonesian · French · Spanish · Italian), substantive content is shared with the sector-matched partner specialist selected at engagement-letter execution. Partner operates under back-office NDA mirroring the engagement-letter NDA — privilege chain preserved, audit-trail consolidated at Bangkok, no client-direct delivery.
Engaged service providers operating under data processing agreements (DPAs) — hosting infrastructure, email infrastructure, accounting/payroll, professional advisors (legal, tax, audit). Each service provider is contractually bound to engagement-tier confidentiality and processes only on documented instructions. Service providers operating outside Thailand are subject to international transfer safeguards (see Section 06).
Where required by court order, lawful enforcement request, or regulatory obligation — to Thai authorities (PDPC, BoT, SEC, AMLO, Revenue Department, court orders), EU supervisory authorities under GDPR cooperation framework, regional ASEAN data-protection authorities. Disclosure is limited to what is legally compelled, reviewed by counsel where appropriate, and notified to data subjects where legally permissible.
In the event of a merger, acquisition, reorganisation, or asset sale, personal data may be transferred to the successor entity under engagement-tier confidentiality and continuity-of-engagement protection. Data subjects would be notified where required by applicable law, and successor entity bound to the substantive privacy commitments documented in this Policy.
★ WHAT OTHELLO NEVER DOES · Othello does not sell personal data, does not share data with third-party advertisers, does not route substantive client content to consumer LLM endpoints (ChatGPT, Claude, Gemini, or other consumer-AI endpoints), does not use third-party fingerprinting, does not engage in cross-site behavioural advertising, and does not share termbase entries across engagements or use them for ML training.
Personal data may be transferred internationally in the course of substantive engagement-letter chain processing — for partner-routed engagements, where partners may be domiciled outside Thailand, and for service-provider relationships where infrastructure or providers operate outside Thailand. Cross-border transfers are subject to substantive safeguards documented below, aligned to Thai PDPA cross-border transfer requirements (s.28-29), EU GDPR Chapter V (Articles 44-50) where applicable, and regional ASEAN data-protection cross-border frameworks.
Personal data transferred from Thailand to a foreign country is subject to Thai PDPA cross-border transfer requirements. Othello relies on substantive safeguards under s.28-29 — adequacy determination by the PDPC where available, binding corporate rules (BCRs) where applicable, standard data-protection clauses (SDPCs), explicit data-subject consent, or contractual safeguards aligned to PDPC guidance. For partner-routed engagements outside Thailand, back-office NDA mirroring the engagement-letter NDA operates as a substantive contractual safeguard.
PDPA s.28-29 · SDPCs · AdequacyFor personal data subject to EU GDPR transferred outside the EEA (including to Thailand for Bangkok-based processing), Othello relies on GDPR Chapter V transfer mechanisms — Standard Contractual Clauses (SCCs · 2021 Commission Implementing Decision 2021/914), adequacy decisions where available, derogations under Article 49 where applicable. Substantive transfer impact assessments (TIAs) are conducted for European-language engagements per the Schrems II framework.
GDPR Art.44-50 · SCCs · TIAFor Indonesian-language engagements, the Indonesian UU PDP cross-border transfer framework applies — Indonesia’s Personal Data Protection Law (fully effective Oct 2024) restricts cross-border transfers to jurisdictions with comparable data-protection standards or under specific contractual safeguards. The engagement-letter framework records substantive UU PDP compliance for Indonesian-domiciled data subjects.
UU PDP · Law No. 27 of 2022For Vietnamese-language engagements, the Vietnam PDPD framework (Decree 13/2023 · effective 1 July 2023) applies. Cross-border transfers require Transfer Impact Assessment (TIA) submission to the Department of Cybersecurity and High-Tech Crime Prevention (A05) under the Ministry of Public Security. Engagement-letter chain documents the PDPD-aligned safeguards for Vietnamese-domiciled data subjects.
PDPD · Decree 13/2023 · A05 TIAFor other ASEAN regional engagements, applicable regional data-protection frameworks apply — Singapore PDPA (2012), Malaysia PDPA (2010), Philippines DPA (2012), Hong Kong PDPO, Cambodia’s emerging data-protection framework. Each engagement-letter records the substantive jurisdictional framework applied for cross-border transfer safeguards.
Regional PDPAs · Per-engagementFor partner-routed engagements where partner specialists are domiciled outside Thailand, the back-office NDA framework operates as substantive contractual safeguards. Engagement-letter records partner domicile, applicable jurisdictional framework, transfer-mechanism deployed, and substantive privilege chain preservation. The 4-part institutional discipline verification at QA sign-off includes cross-border safeguard verification.
Back-office NDA · Per-partnerData subjects have eight substantive rights under the applicable data-protection frameworks, with specific anchoring varying by jurisdiction. The substantive rights set out below apply to Thai PDPA data subjects, EU GDPR data subjects, and regional ASEAN data subjects with jurisdiction-specific calibration. To exercise any right, contact Othello using the privacy query channel set out in Section 11, citing the substantive right invoked and providing identity verification proportionate to the request.
Rights exercise procedure: Email [email protected] with subject prefix “Privacy — Data Subject Rights Request” specifying the substantive right invoked and the substantive engagement or data category. Othello responds within 30 days under Thai PDPA s.30 and within 1 month under EU GDPR Article 12(3), with extension permitted for complex requests. Identity verification proportionate to the request is required. No fee for the first request in a 12-month period; reasonable fee may apply for excessive or repetitive requests under PDPA s.30(2) and GDPR Art.12(5).
Right to confirm whether Othello processes your personal data, and to obtain a copy of that data plus supplementary information (purposes, categories, recipients, retention, sources, automated decision-making). Verification proportionate to request.
PDPA s.30 · GDPR Art.15Right to have inaccurate personal data corrected, and to have incomplete data completed (including by means of providing a supplementary statement). Othello will action rectification without undue delay and notify recipients where applicable.
PDPA s.36 · GDPR Art.16Right to have personal data erased (“right to be forgotten”) where the data is no longer necessary, consent is withdrawn, processing is unlawful, or other grounds apply. Subject to legal obligation, contract performance, or legitimate interest overrides.
PDPA s.33 · GDPR Art.17Right to restrict processing in specific circumstances (contested accuracy, unlawful processing where erasure is opposed, data no longer needed but required for legal claims, objection pending). Restricted data may only be processed with consent or for legal claims.
PDPA s.34 · GDPR Art.18Right to receive personal data in a structured, commonly-used, machine-readable format, and to transmit that data to another controller. Applies to data processed on the basis of consent or contract performance, and processed by automated means.
PDPA s.31 · GDPR Art.20Right to object to processing based on legitimate interests, public interest, or for direct marketing purposes. For direct marketing objection, processing ceases immediately; for other objections, Othello assesses whether compelling legitimate grounds override.
PDPA s.32 · GDPR Art.21Right to withdraw consent at any time where processing is based on consent — without affecting the lawfulness of processing prior to withdrawal. Withdrawal is as easy as giving consent; processing on alternative legal bases may continue where applicable.
PDPA s.19 · GDPR Art.7(3)Right to lodge a complaint with the relevant supervisory authority — PDPC (Thailand · primary), the relevant EU supervisory authority under GDPR (for EU data subjects), or the relevant regional ASEAN data-protection authority. Othello encourages prior contact to resolve concerns directly where possible.
PDPA s.73 · GDPR Art.77Data subjects retain the substantive right to lodge a complaint directly with the supervisory authority of their habitual residence, place of work, or place of alleged infringement. The substantive supervisory authorities relevant to Othello’s engagement footprint are documented below. Othello encourages prior contact to enable direct resolution where possible — but the right to authority complaint is not contingent on prior contact.
Othello uses a minimal, transparent set of cookies on the website to support essential functionality, analytics, and engagement performance assessment. No third-party advertising cookies, no cross-site tracking, no fingerprinting. The substantive cookies framework, category breakdown, retention periods, and opt-out mechanisms are documented separately at the Cookies Notice cross-linked below.
Othello uses three substantive cookie categories: strictly necessary cookies (essential for website functionality · no consent required), analytics cookies (institutional BD performance assessment · truncated-IP storage · 26-month retention · consent-based for non-essential analytics), and preference cookies (language preference, theme preference · consent-based). No third-party advertising cookies, no behavioural tracking, no fingerprinting. The substantive consent banner appears on first visit; granular consent management is available via the cookie preference centre.
Open Full Cookies NoticeOthello applies six operational security commitments to safeguard personal data — aligned to Thai PDPA s.37 (appropriate security measures) and EU GDPR Article 32 (security of processing). The substantive operational anchor is engagement-letter NDA discipline applied through the chain — from first email scoping through partner-routed production through Bangkok bench QA sign-off and audit-trail consolidation. The substantive security framework is documented in detail at Data Security.
Substantive client content encrypted at rest during active engagement and in transit between scoping, production, and delivery. TLS 1.2+ for transport, AES-256 equivalent for at-rest where applicable.
Access to substantive client content limited to engagement-letter chain participants on a need-to-know basis. Bangkok bench access for in-house engagements; partner specialist access under back-office NDA for partner-routed.
NDA discipline applied from first email scoping contact, before engagement-letter signature. Back-office NDA mirroring the engagement-letter NDA operates through the partner-routed chain; privilege chain preserved.
Substantive client content never routed through consumer LLM endpoints (ChatGPT · Claude · Gemini · etc.). Engagement-letter NDA explicitly covers the no-consumer-AI-endpoint commitment across in-house and partner-routed tiers.
One Bangkok-retained audit-trail file per engagement — terminology decisions, revision cycles, regulatory-cycle compliance, partner-engagement records. Aligned to Thai PDPA + EU GDPR + regional PDPA evidence-tier requirements.
Substantive incident response framework for personal data breaches — assessment of breach severity, notification to PDPC within 72 hours where required (PDPA s.37(4)), GDPR Art.33 notification framework where applicable, data subject notification per applicable framework.
Othello’s institutional bilingual translation, interpretation, and ESG advisory services are not directed to children. The substantive client base is institutional — corporate, financial, legal, and regulated-sector clients — and the substantive engagement-letter chain assumes adult institutional signatories. Othello does not knowingly collect personal data from children under 20 (the Thai PDPA threshold for adult capacity for consent under s.20) or under 16 (the EU GDPR threshold for children’s consent under Art.8) without verifiable parental or guardian consent.
If personal data relating to a minor is provided to Othello as part of substantive client content (for example, in family-law translation contexts, immigration matters, or educational documentation), that data is treated under the engagement-letter NDA framework with heightened sensitivity discipline. Substantive minor-related content processing is on a per-engagement basis with the engagement-letter framework recording the substantive safeguards applied. Othello does not market services to children, does not maintain children-directed online services, and does not engage in any processing of children’s personal data outside the substantive engagement-letter framework.
If you believe Othello has inadvertently collected personal data from a child without appropriate parental or guardian consent, please contact [email protected] with subject “Privacy — Children’s Data”. Such reports will be substantively investigated and any data collected without appropriate consent will be promptly erased.
Othello may update this Privacy Policy from time to time to reflect operational changes, regulatory developments, or substantive engagement-model evolution. The substantive operational anchor is versioned transparency — each update increments the version number recorded in the hero metadata, with the effective date updated. Material updates are notified to active engagement-letter clients via the engagement-letter chain.
This Privacy Policy is versioned — current version v12.3, effective 15 May 2026. Substantive changes are recorded with version increments. For institutional engagement-letter clients, material updates are notified through the engagement-letter chain with reasonable advance notice for procurement governance review. The current version is always available at this URL; archived versions are available upon request to [email protected].
For privacy queries, data subject rights requests, or substantive engagement-letter privacy framework discussion: email [email protected] with subject prefix “Privacy —” specifying the substantive query type. Response within 30 days under Thai PDPA s.30, within 1 month under EU GDPR Art.12(3), with extension permitted for complex requests. Phone +66 02-859-2145 during Bangkok office hours for substantive procurement-governance privacy framework discussion.
Othello International handles privacy queries, data subject rights requests, and substantive engagement-letter privacy framework discussion directly from the Bangkok bench. Response within 30 days under Thai PDPA s.30, within 1 month under EU GDPR Art.12(3), with extension permitted for complex requests. For institutional procurement-governance discussion of the engagement-letter chain privacy framework, the bench’s substantive responses are at engagement-tier with NDA-from-first-email discipline applied to substantive queries.