
Privacy Policy
for Nexac
Issued by InHDY Co., Ltd.
Last Updated: 19 November 2025
1. Purpose of this Policy
1.1 This Privacy Policy (the “Policy”) is issued to explain how InHDY Co., Ltd. (the “Company”, “we”, “us”, or “our”) collects, uses, discloses, transfers, and protects personal data in connection with the use of the Nexac application and related services (“Nexac” or the “Services”).
1.2 The Company is committed to complying with the Personal Data Protection Act B.E. 2562 (PDPA) of Thailand and other applicable data protection laws, and to protecting the privacy and security of your health information as a priority.
2. Scope of Application
2.1 This Policy applies to the processing of personal data collected through:
- the Nexac application;
- the Nexac AI functionality;
- the Care Circle feature; and
- any contact channels with the Company that relate to the Nexac Services.
2.2 Where the Company issues any separate or service-specific privacy notices, such notices shall be deemed to supplement this Policy unless expressly stated otherwise.
3. Definitions
Unless otherwise specified, the following terms shall have the meanings set out below:
3.1 “Personal Data” means any information relating to an identified or identifiable natural person, as defined under applicable data protection laws.
3.2 “Sensitive Personal Data” means Personal Data that is subject to special protection under applicable laws, including but not limited to data relating to health, medical history, test results, diagnosis, physical or mental conditions, and similar health-related information.
3.3 “Data Subject” means the natural person who is the subject of the Personal Data, and includes parents or legal guardians in the case of minors or persons who cannot lawfully give consent on their own.
3.4 “Nexac Services” means the Nexac application and all related functions, including Nexac AI and the Care Circle feature.
4. Categories of Personal Data We Collect
The Company may collect the following categories of Personal Data, as necessary and appropriate for the purposes described in this Policy.
4.1 General Information
- First and last name;
- Email address, phone number;
- User Account information;
- Technical information relating to your device (e.g. device identifiers, operating system, app version, general usage data).
4.2 Health and Sensitive Personal Data
- Appointment slips, discharge summaries, prescriptions;
- Laboratory test results and other medical reports;
- Medical history, medication history, symptoms, and health conditions recorded by you;
- Images or files of medical documents that you upload;
- Health-related information derived or summarised by Nexac AI from data you provide or upload.
4.3 Usage Data
- Login records and activity logs relating to your use of various features;
- Content and interaction data from your use of Nexac AI (e.g. questions, prompts, and responses);
- Data relating to your Care Circle, including names of members, permission levels, and access history.
The Company will collect Personal Data only to the extent necessary for the provision of the Services and will avoid collecting excessive data, in line with the principle of data minimisation.
5. Sources of Personal Data
The Company may obtain Personal Data from the following sources:
5.1 Data provided directly by you, such as during registration, completion of forms, uploading of documents, or when interacting with Nexac or Nexac AI.
5.2 Data automatically generated from your use of the Services, including technical and usage logs, as captured by the Company’s systems.
5.3 Data relating to other individuals that you add to your Care Circle, in respect of which you represent that you have the legal right and valid consent to provide and manage such data.
6. Purposes and Legal Bases for Processing
The Company processes Personal Data for the purposes set out below, relying on appropriate legal bases under the PDPA.
6.1 To provide and manage the Nexac Services
- creating and managing User Accounts;
- providing features for storing, recording, and displaying health information;
- operating the Care Circle and managing access rights.
6.2 To provide Nexac AI
- processing data to generate general explanations or summaries of health-related information;
- improving the quality, accuracy, and user experience of Nexac AI, in a manner that reduces identifiability where reasonably possible.
6.3 To communicate with and support users
- responding to queries, requests, or complaints;
- sending service-related notifications, alerts, or important updates.
6.4 To comply with legal obligations
- complying with court orders, regulatory requirements, and lawful requests from competent authorities;
- fulfilling obligations under the PDPA and other applicable laws.
6.5 To pursue legitimate interests
- maintaining the security and integrity of systems and data;
- monitoring for and preventing misuse, fraud, or unlawful activities.
For Sensitive Personal Data (such as health information), the Company will generally process such data based on the explicit consent of the Data Subject, except where an exception under the PDPA applies.
7. Use and Disclosure of Personal Data
7.1 The Company will use Personal Data only for the purposes stated in Section 6, and will not use or disclose such data for any other purposes without obtaining your prior consent, unless permitted or required by law.
7.2 The Company may disclose Personal Data to the following categories of recipients, on a strict need-to-know basis:
- IT and cloud service providers supporting the operation of Nexac;
- professional advisers, such as legal or security consultants, where necessary;
- government agencies or regulators, where required by law, court order, or lawful instruction.
7.3 At present, the Company does not grant direct access to your data to clinics or healthcare providers through the Nexac system. Any sharing of data with healthcare providers occurs only when:
- you actively choose to share or present your data using features within the Services; or
- you voluntarily connect or add a Care Circle member using mechanisms provided within the Services (e.g. by scanning a QR code).
If, in the future, a feature is introduced to allow healthcare providers to access data directly, the Company will implement an additional, explicit consent process before any such access is enabled.
8. Cross-Border Transfers of Personal Data
8.1 As of the date of this Policy, the Company stores data on systems located within the Kingdom of Thailand.
8.2 If, in the future, the Company needs to use infrastructure or services located outside Thailand (e.g. cloud services provided by AWS or other providers), the Company will comply with the cross-border transfer requirements under the PDPA and, where required, obtain additional consent from you before transferring your Personal Data.
9. Data Retention
The Company will retain your Personal Data only for as long as necessary to fulfil the purposes for which it was collected, or for as long as required or permitted by applicable law.
When Personal Data is no longer needed for those purposes, the Company will delete, destroy, or anonymise such data in accordance with applicable legal requirements and the Company’s security standards.
10. Data Security
10.1 The Company implements appropriate technical and organisational measures to safeguard Personal Data against unauthorised or unlawful access, use, alteration, or disclosure, including but not limited to:
- encryption of data in transit and at rest, as appropriate;
- access control and permission management;
- logging and monitoring of access to data (audit logs);
- periodic review and enhancement of security measures.
10.2 In the event of a personal data breach, the Company will take steps and make notifications in accordance with the PDPA, including notification to the Personal Data Protection Committee and/or affected Data Subjects where required.
11. Rights of Data Subjects
Under the PDPA, and subject to certain legal limitations, you have the following rights in relation to your Personal Data:
(a) Right of access – to request access to and a copy of your Personal Data held by the Company;
(b) Right to rectification – to request correction of inaccurate or incomplete data;
(c) Right to erasure – to request deletion, destruction, or anonymisation of your Personal Data when it is no longer necessary or when there is no lawful basis for its continued processing;
(d) Right to restriction of processing – to request that the Company restrict certain processing activities in specific circumstances;
(e) Right to object – to object to certain types of processing as permitted by law;
(f) Right to data portability – to request that certain Personal Data be provided or transferred to another data controller in a structured, commonly used, and machine-readable format, where technically feasible;
(g) Right to withdraw consent – to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
You may exercise these rights by contacting the Company using the contact details set out in Section 13. The Company will consider and respond to your request within the timeframes required by law.
12. Withdrawal of Consent and Complaints
12.1 If you wish to withdraw your consent or exercise any of your rights as a Data Subject, you may contact the Company through the channels specified in Section 13.
12.2 If you believe that the Company or its personnel have failed to comply with the PDPA or this Policy, you have the right to lodge a complaint with the Personal Data Protection Committee or another competent authority in accordance with applicable procedures.
13. Contact Information
If you have any questions, suggestions, or requests regarding this Policy or your rights as a Data Subject, you may contact us at:
InHDY Co., Ltd.
Email: contact@inhdy.com
14. Changes to this Policy
14.1 The Company may review and update this Policy from time to time to reflect changes in the Services, legal requirements, or data protection practices.
14.2 The Company will notify you of material changes to this Policy through appropriate channels. Your continued use of the Nexac Services after the effective date of the updated Policy will be deemed as your acceptance of such updated Policy.
For additional information about the exercise of your data protection rights or any privacy concerns, please contact our team directly.