Bench active · EN ↔ TH · TEL +66 02-859-2145 · NDA from first email · 1-hour quote SLA
EN TH
Request RFP
PRIVACY POLICY · THAI PDPA PRIMARY · EU GDPR FOR EUROPEAN MATTERS · REGIONAL PDPAs
Last Updated · 15 May 2026
Othello / Privacy Policy
★ THAI PDPA · EU GDPR · ASEAN PDPAs · ★ ENGAGEMENT-TIER DATA PROTECTION DISCIPLINE

Privacy Policy.
Institutional · multi-jurisdiction · NDA-disciplined.

Effective:15 May 2026
Version:v12.3
Controller:Othello International
Jurisdiction:Bangkok, Thailand

This Privacy Policy documents how Othello International — a Bangkok-domiciled institutional bilingual translation, interpretation, and ESG advisory firm — collects, processes, retains, and protects personal data across its scoping, engagement, production, and audit-trail workflows. Othello is registered in Thailand and primarily regulated under the Personal Data Protection Act B.E. 2562 (Thai PDPA · effective 1 June 2022). For European-language engagements (see European Languages Translation) and EU-domiciled client matters, EU GDPR (Regulation 2016/679) is the substantive primary anchor. For regional ASEAN engagements (Indonesian, Vietnamese, Malaysian, Singaporean, Philippines, Cambodian, Lao, Burmese matter), regional data-protection frameworks apply as set out in Section 06 · International Transfers and Section 07 · Your Rights. The substantive operational anchor of this policy is Othello’s engagement-tier NDA-from-first-email discipline — privacy protection begins at first contact, not at engagement-letter signature.

★ Privacy Commitments · Four Operational Anchors

Privacy commitments. Four operational anchors at engagement-tier.

Before the substantive policy sections, the four operational privacy commitments below anchor Othello’s engagement-tier data protection posture. These are the procurement-relevant commitments that institutional procurement panels routinely test for at scoping. They apply across in-house bench production (Thai-English · Japanese · German Desk) and partner-routed production (Korean · Chinese Simplified · Chinese Traditional · Lao · Burmese · Malay · Vietnamese · Khmer · Indonesian · European FR/ES/IT).

★ FOUR PRIVACY COMMITMENTS · ENGAGEMENT-TIER ANCHOR

Four privacy commitments. NDA-first · no consumer LLM · bench-direct sign-off · audit-trail consolidated.

The four anchors below operationalise the substantive privacy posture across every engagement, regardless of language or production tier. They are procurement-relevant rather than aspirational — they map to specific operational gates (scoping intake · termbase governance · QA sign-off · audit-trail retention) documented across the engagement-letter framework. Each anchor is enforced at a specific workflow stage and recorded in the engagement-letter chain.

★ COMMITMENT 01
NDA-from-first-email

Privacy protection begins at first contact · scoping content protected before engagement letter signed · chain-protected across in-house and partner-routed tiers

★ COMMITMENT 02
No consumer LLM endpoints

Substantive client content never routed through consumer-AI endpoints (ChatGPT/Claude/Gemini) · applies to bench and partner-routed production · engagement-letter bound

★ COMMITMENT 03
Bench-direct sign-off

QA cycle and sign-off Bangkok bench-direct · partner-routed deliverables never delivered partner-direct to client · privilege chain preserved

★ COMMITMENT 04
Audit-trail consolidated

One Bangkok-retained audit-trail file per engagement · partner-engagement records consolidated · Thai PDPA + EU GDPR + regional PDPA evidence-tier

01 · Who We Are · Data Controller Identity

The data controller — Othello International.

Othello International is the data controller for personal data collected and processed under this Privacy Policy. The substantive contact details, regulatory anchor, and substantive contact channels for privacy queries are documented below. For privacy queries, see Section 11 · Changes & Contact for the substantive routing.

Othello International is a Bangkok-domiciled institutional bilingual translation, interpretation, and ESG advisory firm operating from Sathon CBD, Bangkok, Thailand. The firm is registered in Thailand and primarily regulated under Thai data-protection law — the Personal Data Protection Act B.E. 2562 (Thai PDPA), effective 1 June 2022, supervised by the Personal Data Protection Committee (PDPC) under the Ministry of Digital Economy and Society (MDES). For European-language engagements and EU-domiciled client matters, EU GDPR applies as the substantive primary anchor — Othello does not have a separate EU establishment but processes EU personal data in the course of providing translation and advisory services to EU-domiciled clients, EU subsidiaries of Thai parents, and Thai subsidiaries of EU parents. The substantive controller-processor framework for institutional engagements is set out in the engagement-letter framework, with NDA discipline applied from first email contact.

Controller Details

Othello International

  • Legal nameOthello International
  • AddressUnit 12-03, Chartered Square, 152 N Sathon Rd, Si Lom, Bang Rak, Bangkok 10500
  • JurisdictionThailand · Bangkok-domiciled
  • Email[email protected]
  • Phone+66 02-859-2145
  • HoursBangkok office hours · ICT (UTC+7)
Regulatory Framework

Thai PDPA · EU GDPR · regional

  • Thai PDPAPersonal Data Protection Act B.E. 2562 · effective 1 June 2022 · PDPC under MDES
  • EU GDPRRegulation (EU) 2016/679 · effective 25 May 2018 · applies to EU-domiciled matters
  • IndonesiaUU PDP · Law No. 27 of 2022 · fully effective Oct 2024
  • VietnamPDPD · Decree 13/2023 · effective 1 July 2023
  • Other ASEANSingapore PDPA · Malaysia PDPA · Philippines DPA · HK PDPO · Japan APPI as applicable
  • Privacy queries[email protected] · subject “Privacy —”

CONTROLLER-PROCESSOR FRAMEWORK · For institutional engagement-letter clients, Othello may act as data controller (for its own scoping and BD data) and/or as data processor (for substantive client content provided for translation). The controller-processor framework is set out in the engagement-letter framework on a per-engagement basis, with NDA discipline applied from first email contact and substantive content protection under the engagement-letter chain.

02 · Data Categories Collected

What data we collect. Six substantive categories.

Othello collects personal data across six substantive categories, each tied to a specific operational purpose. The categories below are exhaustive for institutional engagement workflows; ancillary data (e.g. job applicant data, employee data) is governed by separate internal privacy notices on a need-to-know basis. Substantive client content (engagement-protected) is treated under the engagement-letter NDA framework, not under this Privacy Policy’s general public-data framework.

CATEGORY 01

Scoping intake data

Data submitted via initial contact — name, email, phone, employer, role, substantive engagement context (sector, language combination, deliverable type, target timeline). Collected via email, contact form, scheduled call, RFP submission. NDA-protected from first email under Othello’s standard scoping discipline.

NDA-FIRSTSCOPING
CATEGORY 02

Engagement-letter data

Data recorded at engagement-letter execution — signatory details, billing contact, deliverable schedule, NDA chain documentation, partner-routed engagement records (where applicable). Retained as part of the engagement-letter audit-trail at Bangkok. One audit-trail file per engagement, retained for 6 years post engagement-letter conclusion.

ENG. LETTER6-YEAR
CATEGORY 03

Substantive client content

Substantive content provided for translation, interpretation, or ESG advisory — may include personal data within client documents (board materials, BEI/SET disclosures, M&A contracts, arbitration pleadings, etc.). Treated under the engagement-letter NDA framework; processing as data processor on behalf of the client controller.

PROCESSORNDA-BOUND
CATEGORY 04

Termbase governance data

Engagement-specific terminology and translation memory consolidated under the bench’s 6-year termbase. Substantive client-specific terminology is segmented per engagement — not shared across clients, not used for ML training. The termbase is bench-direct governance, not partner-direct.

6-YEARSEGMENTED
CATEGORY 05

Website & analytics data

Visitor data collected via the website — IP address (truncated), user agent, referrer, page views, session duration. Cookies set per the Cookies Notice. No cross-site tracking, no third-party advertising cookies, no fingerprinting.

WEBSITECOOKIES
CATEGORY 06

Business communication data

Email correspondence, calendar entries, call records for institutional BD and engagement management. Bangkok-domiciled communication infrastructure with engagement-letter-tier NDA discipline. No consumer messaging app routing for substantive content.

EMAILCALENDAR
03 · Legal Bases for Processing

Legal bases for processing. Five operational anchors.

Othello processes personal data on five substantive legal bases as set out below. The legal-basis framework aligns with both Thai PDPA s.24 (lawful basis requirements) and EU GDPR Article 6 (lawfulness of processing). The applicable legal basis is determined per data category and per processing purpose — multiple bases may apply concurrently to a given engagement, in which case the most operationally appropriate basis is applied.

01
BASIS 01 · CONTRACT

Contract performance

Processing necessary for the performance of an engagement letter or scoping agreement to which the data subject is party, or to take steps prior to entering such a contract (scoping intake, NDA execution). The substantive basis for engagement-letter chain processing.

PDPA s.24(3) · GDPR Art.6(1)(b)
02
BASIS 02 · LEGITIMATE INTEREST

Legitimate interests

Processing necessary for the legitimate interests of Othello or a third party — institutional BD, IT security, fraud prevention, internal administrative purposes, network security. Balanced against the rights and freedoms of the data subject under a legitimate-interest assessment (LIA).

PDPA s.24(5) · GDPR Art.6(1)(f)
03
BASIS 03 · CONSENT

Consent

Processing on the basis of freely-given, specific, informed, and unambiguous consent — applies to optional marketing communications, newsletter subscriptions, and other non-essential processing. Consent may be withdrawn at any time without affecting processing prior to withdrawal.

PDPA s.19 · GDPR Art.6(1)(a) / Art.7
04
BASIS 04 · LEGAL OBLIGATION

Legal obligation

Processing necessary for compliance with a legal obligation to which Othello is subject — tax record retention (Thai Revenue Code), accounting record retention (Thai Civil and Commercial Code), AML/CFT obligations where applicable, regulatory reporting obligations, court-order compliance. Operationally rare but documented.

PDPA s.24(6) · GDPR Art.6(1)(c)
05
BASIS 05 · VITAL INTERESTS

Vital interests & public interest

Processing necessary to protect the vital interests of the data subject or another natural person, or for tasks carried out in the public interest. Operationally exceptional — applies primarily in emergency contact or safety-critical interpretation contexts, and recorded under engagement-letter exception protocols.

PDPA s.24(1),(4) · GDPR Art.6(1)(d),(e)
★ PROCESSOR FRAMEWORK

Data processor for substantive client content

For substantive client content provided for translation, interpretation, or ESG advisory, Othello acts as data processor on behalf of the client controller. The engagement-letter framework records the controller-processor relationship, with Othello processing solely on the client’s documented instructions under engagement-letter NDA discipline.

PDPA s.40 · GDPR Art.28
04 · Retention Periods

Retention periods. Bangkok bench-anchored audit-trail.

Othello retains personal data for operationally-defined periods aligned to engagement-letter chain governance, regulatory obligations, and substantive client-relationship needs. The substantive anchor is the 6-year retention period for engagement-letter audit-trail consolidation — which aligns with Thai Civil and Commercial Code record-keeping requirements (10-year statute of limitations for contractual matters reduced to 6 years for practical engagement-letter chain governance) and EU GDPR storage limitation principle. Specific category-level retention periods are documented below.

Data Category
Substantive Purpose
Retention
CAT 01Scoping intake data
Scoping content, contact data, initial engagement exploration. Auto-purged if scoping does not progress to engagement-letter within 90 days, except where ongoing dialogue.
90 DAYS · OR ENG. LETTER
CAT 02Engagement-letter chain
Engagement-letter audit-trail file consolidated at Bangkok — signatory data, deliverable schedule, NDA chain, partner-routed engagement records, regulatory-cycle compliance evidence. Aligned to Thai CCC statute of limitations & tax record retention.
★ 6 YEARS POST-CONCLUSION
CAT 03Substantive client content
Client documents provided for translation/advisory — purged per the engagement-letter framework. Default purge at engagement-letter conclusion unless retention specifically required by client or by regulatory obligation. Encrypted-at-rest during active engagement.
PER ENG. LETTER · DEFAULT PURGE
CAT 04Termbase governance
Engagement-specific termbase entries segmented under the bench’s 6-year termbase governance. Substantive terminology consolidated under engagement-letter chain. Termbase entries are not shared across engagements and not used for ML training.
★ 6 YEARS · SEGMENTED
CAT 05Website & analytics
Aggregated and anonymised analytics data retained for institutional BD performance assessment. Truncated-IP storage · no cross-site tracking · no third-party advertising.
26 MONTHS · AGGREGATED
CAT 06Business communication
Email, calendar, call records for institutional BD and engagement management. Retained under Bangkok-domiciled communication infrastructure. Linked to engagement-letter audit-trail where applicable.
6 YEARS · OR ENG. LETTER
SPECIALTax & accounting
Tax records, invoice records, accounting records under Thai Revenue Code and Thai Civil and Commercial Code requirements. Retention period set by statutory obligation.
5 YEARS · STATUTORY

RETENTION AS PROCUREMENT-RELEVANT POSTURE · The 6-year engagement-letter audit-trail retention is operationally why institutional procurement panels validate Othello’s engagement-tier posture. Procurement governance · attorney-client privilege chain · regulatory-cycle compliance evidence · partner-routed chain documentation — all anchor on the audit-trail file, which is one consolidated Bangkok-retained file per engagement.

05 · Who We Share Data With

Who we share data with. Four categories · chain-protected.

Othello shares personal data with four substantive recipient categories under the operational anchors of the engagement-letter chain. The substantive anchor is the partner-routed chain protection — for partner-routed engagements (Korean · Chinese Simplified · Chinese Traditional · Lao · Burmese · Malay · Vietnamese · Khmer · Indonesian · French · Spanish · Italian), partner specialists operate under back-office NDA mirroring the engagement-letter NDA, with substantive privilege chain preservation. Othello does not sell personal data, does not share data with third-party advertisers, and does not route substantive client content to consumer LLM endpoints.

★ CATEGORY 01 · PARTNER SPECIALISTS

Partner-routed language specialists

For partner-routed languages (Korean · Chinese Simplified · Chinese Traditional · Lao · Burmese · Malay · Vietnamese · Khmer · Indonesian · French · Spanish · Italian), substantive content is shared with the sector-matched partner specialist selected at engagement-letter execution. Partner operates under back-office NDA mirroring the engagement-letter NDA — privilege chain preserved, audit-trail consolidated at Bangkok, no client-direct delivery.

PARTNER CHAINBACK-OFFICE NDASECTOR-MATCHED
CATEGORY 02 · SERVICE PROVIDERS

Service providers & processors

Engaged service providers operating under data processing agreements (DPAs) — hosting infrastructure, email infrastructure, accounting/payroll, professional advisors (legal, tax, audit). Each service provider is contractually bound to engagement-tier confidentiality and processes only on documented instructions. Service providers operating outside Thailand are subject to international transfer safeguards (see Section 06).

DPA-BOUNDPROCESSORS
CATEGORY 03 · AUTHORITIES & LEGAL

Regulatory authorities & legal compliance

Where required by court order, lawful enforcement request, or regulatory obligation — to Thai authorities (PDPC, BoT, SEC, AMLO, Revenue Department, court orders), EU supervisory authorities under GDPR cooperation framework, regional ASEAN data-protection authorities. Disclosure is limited to what is legally compelled, reviewed by counsel where appropriate, and notified to data subjects where legally permissible.

LEGALLIMITED
CATEGORY 04 · BUSINESS TRANSACTIONS

Corporate transactions

In the event of a merger, acquisition, reorganisation, or asset sale, personal data may be transferred to the successor entity under engagement-tier confidentiality and continuity-of-engagement protection. Data subjects would be notified where required by applicable law, and successor entity bound to the substantive privacy commitments documented in this Policy.

M&A CONTINUITY

WHAT OTHELLO NEVER DOES · Othello does not sell personal data, does not share data with third-party advertisers, does not route substantive client content to consumer LLM endpoints (ChatGPT, Claude, Gemini, or other consumer-AI endpoints), does not use third-party fingerprinting, does not engage in cross-site behavioural advertising, and does not share termbase entries across engagements or use them for ML training.

06 · International Transfers · Cross-Border Data Flow

International transfers. Multi-jurisdiction safeguards.

Personal data may be transferred internationally in the course of substantive engagement-letter chain processing — for partner-routed engagements, where partners may be domiciled outside Thailand, and for service-provider relationships where infrastructure or providers operate outside Thailand. Cross-border transfers are subject to substantive safeguards documented below, aligned to Thai PDPA cross-border transfer requirements (s.28-29), EU GDPR Chapter V (Articles 44-50) where applicable, and regional ASEAN data-protection cross-border frameworks.

★ THAI PDPA · CROSS-BORDER

Thai PDPA s.28-29 cross-border transfer framework

Personal data transferred from Thailand to a foreign country is subject to Thai PDPA cross-border transfer requirements. Othello relies on substantive safeguards under s.28-29 — adequacy determination by the PDPC where available, binding corporate rules (BCRs) where applicable, standard data-protection clauses (SDPCs), explicit data-subject consent, or contractual safeguards aligned to PDPC guidance. For partner-routed engagements outside Thailand, back-office NDA mirroring the engagement-letter NDA operates as a substantive contractual safeguard.

PDPA s.28-29 · SDPCs · Adequacy
★ EU GDPR · CHAPTER V

EU GDPR Chapter V transfer framework

For personal data subject to EU GDPR transferred outside the EEA (including to Thailand for Bangkok-based processing), Othello relies on GDPR Chapter V transfer mechanisms — Standard Contractual Clauses (SCCs · 2021 Commission Implementing Decision 2021/914), adequacy decisions where available, derogations under Article 49 where applicable. Substantive transfer impact assessments (TIAs) are conducted for European-language engagements per the Schrems II framework.

GDPR Art.44-50 · SCCs · TIA
REGIONAL · INDONESIA

Indonesia UU PDP · Law No. 27 of 2022

For Indonesian-language engagements, the Indonesian UU PDP cross-border transfer framework applies — Indonesia’s Personal Data Protection Law (fully effective Oct 2024) restricts cross-border transfers to jurisdictions with comparable data-protection standards or under specific contractual safeguards. The engagement-letter framework records substantive UU PDP compliance for Indonesian-domiciled data subjects.

UU PDP · Law No. 27 of 2022
REGIONAL · VIETNAM

Vietnam PDPD · Decree 13/2023

For Vietnamese-language engagements, the Vietnam PDPD framework (Decree 13/2023 · effective 1 July 2023) applies. Cross-border transfers require Transfer Impact Assessment (TIA) submission to the Department of Cybersecurity and High-Tech Crime Prevention (A05) under the Ministry of Public Security. Engagement-letter chain documents the PDPD-aligned safeguards for Vietnamese-domiciled data subjects.

PDPD · Decree 13/2023 · A05 TIA
REGIONAL · OTHER ASEAN

Singapore PDPA · Malaysia PDPA · Philippines DPA · HK PDPO

For other ASEAN regional engagements, applicable regional data-protection frameworks apply — Singapore PDPA (2012), Malaysia PDPA (2010), Philippines DPA (2012), Hong Kong PDPO, Cambodia’s emerging data-protection framework. Each engagement-letter records the substantive jurisdictional framework applied for cross-border transfer safeguards.

Regional PDPAs · Per-engagement
★ PARTNER-ROUTED CHAIN

Partner-routed transfer safeguards

For partner-routed engagements where partner specialists are domiciled outside Thailand, the back-office NDA framework operates as substantive contractual safeguards. Engagement-letter records partner domicile, applicable jurisdictional framework, transfer-mechanism deployed, and substantive privilege chain preservation. The 4-part institutional discipline verification at QA sign-off includes cross-border safeguard verification.

Back-office NDA · Per-partner
07 · Your Rights · Data Subject Rights

Your rights. Eight substantive rights by jurisdiction.

Data subjects have eight substantive rights under the applicable data-protection frameworks, with specific anchoring varying by jurisdiction. The substantive rights set out below apply to Thai PDPA data subjects, EU GDPR data subjects, and regional ASEAN data subjects with jurisdiction-specific calibration. To exercise any right, contact Othello using the privacy query channel set out in Section 11, citing the substantive right invoked and providing identity verification proportionate to the request.

Rights exercise procedure: Email [email protected] with subject prefix “Privacy — Data Subject Rights Request” specifying the substantive right invoked and the substantive engagement or data category. Othello responds within 30 days under Thai PDPA s.30 and within 1 month under EU GDPR Article 12(3), with extension permitted for complex requests. Identity verification proportionate to the request is required. No fee for the first request in a 12-month period; reasonable fee may apply for excessive or repetitive requests under PDPA s.30(2) and GDPR Art.12(5).

RIGHT 01Right of access

Right to confirm whether Othello processes your personal data, and to obtain a copy of that data plus supplementary information (purposes, categories, recipients, retention, sources, automated decision-making). Verification proportionate to request.

PDPA s.30 · GDPR Art.15

RIGHT 02Right to rectification

Right to have inaccurate personal data corrected, and to have incomplete data completed (including by means of providing a supplementary statement). Othello will action rectification without undue delay and notify recipients where applicable.

PDPA s.36 · GDPR Art.16

RIGHT 03Right to erasure

Right to have personal data erased (“right to be forgotten”) where the data is no longer necessary, consent is withdrawn, processing is unlawful, or other grounds apply. Subject to legal obligation, contract performance, or legitimate interest overrides.

PDPA s.33 · GDPR Art.17

RIGHT 04Right to restrict processing

Right to restrict processing in specific circumstances (contested accuracy, unlawful processing where erasure is opposed, data no longer needed but required for legal claims, objection pending). Restricted data may only be processed with consent or for legal claims.

PDPA s.34 · GDPR Art.18

RIGHT 05Right to data portability

Right to receive personal data in a structured, commonly-used, machine-readable format, and to transmit that data to another controller. Applies to data processed on the basis of consent or contract performance, and processed by automated means.

PDPA s.31 · GDPR Art.20

RIGHT 06Right to object

Right to object to processing based on legitimate interests, public interest, or for direct marketing purposes. For direct marketing objection, processing ceases immediately; for other objections, Othello assesses whether compelling legitimate grounds override.

PDPA s.32 · GDPR Art.21

RIGHT 07Right to withdraw consent

Right to withdraw consent at any time where processing is based on consent — without affecting the lawfulness of processing prior to withdrawal. Withdrawal is as easy as giving consent; processing on alternative legal bases may continue where applicable.

PDPA s.19 · GDPR Art.7(3)

RIGHT 08Right to lodge a complaint

Right to lodge a complaint with the relevant supervisory authority — PDPC (Thailand · primary), the relevant EU supervisory authority under GDPR (for EU data subjects), or the relevant regional ASEAN data-protection authority. Othello encourages prior contact to resolve concerns directly where possible.

PDPA s.73 · GDPR Art.77
SUPERVISORY AUTHORITIES · COMPLAINT ROUTING

Supervisory authority routing by jurisdiction.

Data subjects retain the substantive right to lodge a complaint directly with the supervisory authority of their habitual residence, place of work, or place of alleged infringement. The substantive supervisory authorities relevant to Othello’s engagement footprint are documented below. Othello encourages prior contact to enable direct resolution where possible — but the right to authority complaint is not contingent on prior contact.

ThailandPersonal Data Protection Committee (PDPC) under the Ministry of Digital Economy and Society (MDES) · Bangkok
EU / EEAThe relevant EU supervisory authority for the data subject’s habitual residence, place of work, or place of alleged infringement under GDPR Art.77
IndonesiaUU PDP supervisory authority (under formation pursuant to Law No. 27 of 2022, Kementerian Komunikasi dan Digital · interim oversight)
VietnamDepartment of Cybersecurity and High-Tech Crime Prevention (A05) · Ministry of Public Security
SingaporePersonal Data Protection Commission (PDPC Singapore)
MalaysiaDepartment of Personal Data Protection (JPDP)
Hong KongOffice of the Privacy Commissioner for Personal Data (PCPD)
JapanPersonal Information Protection Commission (PPC) · individual.gov
08 · Cookies & Analytics

Cookies & analytics. Minimal · transparent · cross-linked.

Othello uses a minimal, transparent set of cookies on the website to support essential functionality, analytics, and engagement performance assessment. No third-party advertising cookies, no cross-site tracking, no fingerprinting. The substantive cookies framework, category breakdown, retention periods, and opt-out mechanisms are documented separately at the Cookies Notice cross-linked below.

Cookies policy summary

Othello uses three substantive cookie categories: strictly necessary cookies (essential for website functionality · no consent required), analytics cookies (institutional BD performance assessment · truncated-IP storage · 26-month retention · consent-based for non-essential analytics), and preference cookies (language preference, theme preference · consent-based). No third-party advertising cookies, no behavioural tracking, no fingerprinting. The substantive consent banner appears on first visit; granular consent management is available via the cookie preference centre.

Open Full Cookies Notice
09 · Security Commitments

Security commitments. Six operational anchors.

Othello applies six operational security commitments to safeguard personal data — aligned to Thai PDPA s.37 (appropriate security measures) and EU GDPR Article 32 (security of processing). The substantive operational anchor is engagement-letter NDA discipline applied through the chain — from first email scoping through partner-routed production through Bangkok bench QA sign-off and audit-trail consolidation. The substantive security framework is documented in detail at Data Security.

Encryption at rest & in transit

Substantive client content encrypted at rest during active engagement and in transit between scoping, production, and delivery. TLS 1.2+ for transport, AES-256 equivalent for at-rest where applicable.

Access control & need-to-know

Access to substantive client content limited to engagement-letter chain participants on a need-to-know basis. Bangkok bench access for in-house engagements; partner specialist access under back-office NDA for partner-routed.

NDA-from-first-email discipline

NDA discipline applied from first email scoping contact, before engagement-letter signature. Back-office NDA mirroring the engagement-letter NDA operates through the partner-routed chain; privilege chain preserved.

No consumer LLM endpoints

Substantive client content never routed through consumer LLM endpoints (ChatGPT · Claude · Gemini · etc.). Engagement-letter NDA explicitly covers the no-consumer-AI-endpoint commitment across in-house and partner-routed tiers.

Audit-trail consolidation

One Bangkok-retained audit-trail file per engagement — terminology decisions, revision cycles, regulatory-cycle compliance, partner-engagement records. Aligned to Thai PDPA + EU GDPR + regional PDPA evidence-tier requirements.

Incident response & breach notification

Substantive incident response framework for personal data breaches — assessment of breach severity, notification to PDPC within 72 hours where required (PDPA s.37(4)), GDPR Art.33 notification framework where applicable, data subject notification per applicable framework.

10 · Children’s Privacy

Children’s privacy. Service not directed to minors.

Othello’s institutional bilingual translation, interpretation, and ESG advisory services are not directed to children. The substantive client base is institutional — corporate, financial, legal, and regulated-sector clients — and the substantive engagement-letter chain assumes adult institutional signatories. Othello does not knowingly collect personal data from children under 20 (the Thai PDPA threshold for adult capacity for consent under s.20) or under 16 (the EU GDPR threshold for children’s consent under Art.8) without verifiable parental or guardian consent.

Children’s personal data handling

If personal data relating to a minor is provided to Othello as part of substantive client content (for example, in family-law translation contexts, immigration matters, or educational documentation), that data is treated under the engagement-letter NDA framework with heightened sensitivity discipline. Substantive minor-related content processing is on a per-engagement basis with the engagement-letter framework recording the substantive safeguards applied. Othello does not market services to children, does not maintain children-directed online services, and does not engage in any processing of children’s personal data outside the substantive engagement-letter framework.

If you believe Othello has inadvertently collected personal data from a child without appropriate parental or guardian consent, please contact [email protected] with subject “Privacy — Children’s Data”. Such reports will be substantively investigated and any data collected without appropriate consent will be promptly erased.

11 · Changes & Contact

Policy changes & contact. Versioned · transparent · Bangkok-direct.

Othello may update this Privacy Policy from time to time to reflect operational changes, regulatory developments, or substantive engagement-model evolution. The substantive operational anchor is versioned transparency — each update increments the version number recorded in the hero metadata, with the effective date updated. Material updates are notified to active engagement-letter clients via the engagement-letter chain.

POLICY CHANGES

Versioning & change history

This Privacy Policy is versioned — current version v12.3, effective 15 May 2026. Substantive changes are recorded with version increments. For institutional engagement-letter clients, material updates are notified through the engagement-letter chain with reasonable advance notice for procurement governance review. The current version is always available at this URL; archived versions are available upon request to [email protected].

★ PRIVACY CONTACT

Privacy queries & rights requests

For privacy queries, data subject rights requests, or substantive engagement-letter privacy framework discussion: email [email protected] with subject prefix “Privacy —” specifying the substantive query type. Response within 30 days under Thai PDPA s.30, within 1 month under EU GDPR Art.12(3), with extension permitted for complex requests. Phone +66 02-859-2145 during Bangkok office hours for substantive procurement-governance privacy framework discussion.

Privacy queries.
NDA-disciplined · Bangkok-direct.

Othello International handles privacy queries, data subject rights requests, and substantive engagement-letter privacy framework discussion directly from the Bangkok bench. Response within 30 days under Thai PDPA s.30, within 1 month under EU GDPR Art.12(3), with extension permitted for complex requests. For institutional procurement-governance discussion of the engagement-letter chain privacy framework, the bench’s substantive responses are at engagement-tier with NDA-from-first-email discipline applied to substantive queries.

+66 02-859-2145 · [email protected]
Unit 12-03, Chartered Square · 152 N Sathon Rd · Si Lom · Bangkok 10500
Privacy Policy · v12.3 · Effective 15 May 2026 · Thai PDPA Primary · EU GDPR for European Matters · Regional ASEAN PDPAs · NDA From First Email · No Consumer LLM Endpoints · Bangkok-Retained Audit-Trail · Bangkok Sathon CBD Othello International