Privacy Policy

Last updated: 9 March 2026

Kruu ("we", "us", or "our") operates kruu.pro. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and your rights under Thailand's Personal Data Protection Act B.E. 2562 (PDPA).

1. Data Controller

Kruu is the data controller for personal data collected through this Platform. For any privacy-related enquiries or to exercise your rights, contact us at: [email protected]

2. Data We Collect

We collect the following categories of personal data:

Providers (tutors/coaches): name, email address, LINE user ID, profile picture, PromptPay ID, business name and description, booking page slug, social media links.
Clients (students/customers): name, LINE user ID, email address (optional), phone number (optional), LINE display name and profile picture (if signed in via LINE).
Booking data: selected service, date and time, booking status, payment status, notes provided at booking.
Payment slips: images uploaded by Clients as proof of PromptPay transfer.
Assignment data: assignment titles, instructions, attached files, submission files, scores, and feedback (where Assignments is enabled).
Technical data: IP address, browser type, and usage logs collected automatically for security and performance.

3. Legal Basis for Processing

We process personal data under the following legal bases:

Contractual necessity: to provide the booking and scheduling service you use.
Legitimate interests: to operate, improve, and secure the Platform.
Legal obligation: to comply with applicable Thai law.
Consent: where we ask for it explicitly (e.g. optional profile data).

4. How We Use Your Data

To create and manage your account.
To display your public booking page and make it bookable.
To process and confirm bookings between Providers and Clients.
To generate PromptPay QR codes and facilitate payment verification.
To enable assignment creation, submission, and review.
To send booking confirmation and notification messages via LINE.
To prevent fraud, abuse, and security threats.
To improve the Platform through aggregate usage analytics.

5. Data Sharing and Third Parties

We share data only as necessary:

Supabase (Supabase Inc.): our database and file storage provider. All data is stored in Supabase's cloud infrastructure. Supabase is SOC 2 Type II certified. See their privacy policy at supabase.com/privacy.
LINE Corporation: LINE Login is used for authentication. When you sign in with LINE, LINE shares your LINE user ID, display name, and profile picture with us. See LINE's privacy policy at line.me/en/terms/policy.
Google (Alphabet Inc.): Providers may optionally connect Google Calendar for scheduling sync. If connected, we access Google Calendar event data with the scope you authorise. See Google's privacy policy at policies.google.com/privacy.
Vercel Inc.: our hosting provider. Vercel processes network requests and logs. See vercel.com/legal/privacy-policy.

We do not sell, rent, or trade your personal data to any third party.

6. Provider–Client Data Relationship

When a Client books a session with a Provider, the Client's personal data (name, LINE ID, contact details) is visible to that Provider within their dashboard. The Provider acts as a separate data controller for their client relationships. Providers are responsible for handling client data in compliance with applicable law, including the PDPA.

7. Payment Slips

Payment slip images are stored in a private cloud storage bucket and are accessible only to the relevant Provider and Kruu's systems. Slips are not publicly accessible. We retain slip images for the duration of your account plus 90 days after account closure.

8. Data Retention

Account data: retained for the lifetime of your account. Deleted within 30 days of account closure.
Booking data: retained for 3 years from the booking date for record-keeping purposes, then deleted.
Payment slips: retained for the lifetime of the account plus 90 days.
Assignment files: retained for the lifetime of the account plus 30 days.
Technical logs: retained for up to 90 days.

9. Your Rights Under the PDPA

Under Thailand's Personal Data Protection Act B.E. 2562, you have the following rights:

Right to access: request a copy of the personal data we hold about you.
Right to rectification: request correction of inaccurate or incomplete data.
Right to erasure: request deletion of your personal data (subject to legal retention requirements).
Right to restriction: request that we limit processing of your data.
Right to data portability: request your data in a structured, machine-readable format.
Right to object: object to processing based on legitimate interests.
Right to withdraw consent: withdraw consent at any time where processing is based on consent.

To exercise any of these rights, email us at [email protected]. We will respond within 30 days. You may also file a complaint with the Personal Data Protection Committee of Thailand (PDPC) at pdpc.or.th.

10. Cookies and Local Storage

We use session cookies and browser local storage to maintain your logged-in state. We do not use third-party advertising or tracking cookies.

11. Data Security

We implement industry-standard security measures including encrypted connections (HTTPS), database-level Row Level Security (RLS) policies, and private storage buckets for sensitive files. However, no system is completely secure and we cannot guarantee absolute security.

12. International Data Transfers

Your data may be transferred to and processed in countries outside Thailand (e.g. servers operated by Supabase and Vercel). We ensure such transfers are made with appropriate safeguards in accordance with the PDPA.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you by updating the "Last updated" date at the top of this page. Continued use of the Platform after changes constitutes acceptance of the updated Policy.

14. Contact

For any privacy questions or data subject requests, contact us at:
[email protected]