Privacy Policy
Version 2026-05-12 · Effective 2026-05-12
M-Factory (the "Service", "we", "us") is operated from Thailand. This Privacy Policy explains what personal data we collect, why, and the rights you have under the Thailand Personal Data Protection Act, B.E. 2562 (2019) ("PDPA").
1. Data Controller
M-Factory Studio, Thailand. Data Protection contact: privacy@m-factory.app.
2. Data We Collect
Account & identity
- Email address and display name (via Clerk authentication).
- Profile image URL if you upload one.
- Clerk-assigned user ID.
Service usage
- Prompts, uploaded files, generation metadata, generated assets.
- Project titles, settings, and timestamps.
- Credit balance and transaction history.
- API request logs (endpoint, status code, IP address, user agent, timestamp).
Payment
- Stripe customer ID, subscription ID, payment intent IDs, plan, amount, status.
- We do not store full card numbers, CVV, or bank credentials — Stripe handles all card data directly.
Technical
- IP address, browser type, device info, cookies (see Cookie Policy).
- Error reports (Sentry) — limited stack traces with PII redacted.
3. Why We Collect It (Lawful Basis)
| Purpose | Lawful basis (PDPA s.24) |
|---|---|
| Provide & operate the Service | Performance of contract |
| Charge subscriptions / top-ups | Performance of contract |
| Customer support | Legitimate interest |
| Service abuse / fraud prevention | Legitimate interest |
| Legal compliance (tax, court orders) | Legal obligation |
| Product analytics & improvement | Consent (you can opt out) |
4. Third-Party Processors
We share necessary data with the following sub-processors, each under their own privacy commitments:
- Clerk — authentication, account management.
- Supabase (PostgreSQL) — primary database.
- Cloudflare R2 — file storage (uploads, generated assets).
- Stripe — payment processing.
- KIE.AI (Suno / Nano Banana / Seedance models) — AI generation.
- Upstash — Redis queue.
- Sentry — error tracking.
- Vercel / Render — hosting.
We do not sell your personal data.
5. International Transfer
Our processors operate globally. By using the Service you understand that your data may be processed outside Thailand (notably in the United States and the European Union) under standard contractual clauses or equivalent safeguards.
6. Retention
- Account data: kept while your account is active and for up to 12 months after deletion (for tax/audit records).
- Payment records: 7 years (Thai tax law).
- Generated assets in R2: deleted when you delete a project or close your account.
- API logs: 90 days.
- Error reports: 30 days.
- Consent logs: retained as proof until 30 days after account deletion.
7. Your PDPA Rights
You have the right to:
- Access — request a copy of personal data we hold about you;
- Rectify — correct inaccurate data;
- Erase — request deletion of your data ("right to be forgotten");
- Restrict — pause processing in specific cases;
- Port — receive your data in a machine-readable format;
- Withdraw consent — at any time, where processing is based on consent;
- Complain — to the Personal Data Protection Committee (PDPC) of Thailand.
Self-service tools live in Settings → Legal & Privacy: data export, account deletion, withdraw consent. For other requests, email privacy@m-factory.app; we respond within 30 days.
8. Security
We use industry-standard practices: TLS in transit, encrypted storage, row-level security in the database, principle-of-least-privilege access for staff, idempotent webhook processing, signed payment requests. No method is perfectly secure; we cannot guarantee absolute security.
9. Children
The Service is not directed at children under 13 (or the minimum age under your local law). We do not knowingly collect data from children. If we learn that we have, we will delete it.
10. Changes
We may update this Policy. Material changes are pushed via an in-app notification and a re-acceptance prompt at your next sign-in.
11. Contact the DPO
For privacy questions or to exercise your rights: privacy@m-factory.app