Privacy Policy

Last Updated: 28/05/2026

Introduction

KKC Clinic, operated by Khongkwan Clinic Vejchagrum Co., Ltd. (“KKC Clinic,” “we,” “us,” or “our”), is committed to protecting the privacy of our patients, website visitors, and anyone who interacts with our services. This Privacy Policy explains how we collect, use, disclose, and protect your personal information in accordance with Thailand’s Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) and other applicable laws.

By using our website (kkcclinic.com), booking a consultation, or receiving treatment at any of our clinic branches, you acknowledge that you have read and understood this Privacy Policy.

Information We Collect

Personal Information You Provide

When you interact with KKC Clinic — whether through our website, messaging platforms, or in person — we may collect the following:

  • Contact information: Name, email address, phone number, and messaging platform identifiers (e.g., LINE, WhatsApp, WeChat)
  • Demographic information: Date of birth, gender, nationality, and preferred language
  • Medical information: Medical history, current medications, allergies, skin conditions, treatment records, pre- and post-treatment photographs, and consultation notes
  • Payment information: Billing details and transaction records (credit/debit card payments are processed through secure third-party payment providers — we do not store full card numbers)
  • Communication records: Messages, inquiries, and feedback you send to us through any channel

Information We Collect Automatically

When you visit our website, we may automatically collect:

  • Device and browser information: IP address, browser type, operating system, and screen resolution
  • Usage data: Pages visited, time spent on pages, referring URLs, and click behavior
  • Advertising identifiers: When you arrive from one of our online advertisements, the click identifier that the advertising platform adds to the link (for example, a Google Click ID)
  • Location data: General geographic location based on your IP address

This information is collected through cookies and similar technologies (see the Cookie Policy section below).

How We Use Your Information

We use the personal information we collect for the following purposes:

  • Providing medical services: To assess your needs, recommend treatments, deliver care, and manage follow-up appointments across our clinic branches
  • Communication: To respond to your inquiries, confirm appointments, send treatment reminders, and provide post-treatment care instructions
  • Payment processing: To process transactions and issue receipts or invoices
  • Service improvement: To analyze how our website and services are used, improve the patient experience, and develop new treatment offerings
  • Marketing and promotions: To send you information about treatments, promotions, and clinic news — only with your explicit consent, and you may opt out at any time
  • Advertising measurement: To understand which of our online advertisements lead to bookings. For this we use the advertising click identifier described above; we do not share your name, phone number, or treatment details with advertising platforms for this purpose
  • Legal compliance: To comply with applicable laws, regulations, and professional standards governing medical practice in Thailand

Legal Basis for Processing

Under the PDPA, we process your personal information based on one or more of the following legal grounds:

  • Consent: You have given explicit consent for the specific purpose (e.g., marketing communications, collection of health data)
  • Contractual necessity: Processing is necessary to provide the services you have requested (e.g., booking and delivering treatments)
  • Legal obligation: Processing is required to comply with Thai law or regulatory requirements
  • Vital interests: Processing is necessary to protect your life, health, or safety in an emergency
  • Legitimate interests: Processing is necessary for our legitimate business interests, provided these do not override your rights and freedoms

Sensitive Personal Data

Medical and health information is classified as sensitive personal data under the PDPA. We collect and process this data only with your explicit consent — for example, through the consent form you complete before treatment — or where permitted under legal exemptions for medical treatment, preventive medicine, or occupational health purposes. Pre- and post-treatment photographs are taken only with your consent and are used solely for your medical records unless you provide separate consent for other uses (e.g., before-and-after case studies on our website or social media).

How We Share Your Information

We do not sell your personal information. We may share your information in the following circumstances:

  • Service providers: With trusted third-party providers who help us operate our business and who process your data under written data-processing agreements. These include Cloudflare (hosting and processing for our booking and analytics systems), Google (analytics, advertising measurement, and business spreadsheets), LINE and WhatsApp Business (messaging), a third-party platform we use to manage customer conversations, and payment processors. Each is contractually required to protect your data and use it only to provide services to us.
  • Medical professionals: With other healthcare providers involved in your care, where necessary and with your consent
  • Legal requirements: When required by law, regulation, court order, or governmental authority
  • Business transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction. We will notify you of any such change.

International Data Transfers

Because we serve international customers and use trusted international service providers, your personal data may be transferred to, stored in, or accessed from countries outside Thailand. The main recipients, and the safeguards we rely on, are:

  • Kinsta (United States) — website hosting — Standard Contractual Clauses in Kinsta’s data-processing agreement
  • Cloudflare (United States / Hong Kong) — hosting and processing for our booking and analytics systems — Standard Contractual Clauses in Cloudflare’s data-processing agreement
  • Customer-messaging platform (Malaysia / Singapore) — manages our conversations with you across WhatsApp, LINE, and Facebook Messenger — data-processing agreement with Standard Contractual Clauses
  • Google (United States) — website analytics, advertising measurement, and business spreadsheets — Standard Contractual Clauses in Google’s data-processing addendum
  • LINE (Japan) — customer messaging and operational notifications — processed under LINE’s platform terms

The Personal Data Protection Committee of Thailand has not designated these countries as providing adequate data protection, so we rely on the appropriate safeguards listed above in accordance with Section 29 of the PDPA. You may contact us for a copy of the safeguards we rely on, or to exercise your rights, using the details below.

Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes described in this Privacy Policy, or as required by law. Specifically:

  • Medical records: Retained in accordance with Thai medical record-keeping requirements and professional standards
  • Communication records: Retained for up to 2 years after your last interaction with us, unless a longer period is required for legal or medical purposes
  • Booking and advertising-analytics records: Retained for up to 24 months after your last interaction, after which they are deleted or anonymized so that they no longer identify you
  • Financial and transaction records: Retained as required by Thai tax and accounting law (generally up to 5 years)
  • Website usage data: Retained for up to 12 months
  • Marketing consent records: Retained for as long as your consent remains active, plus a reasonable period afterward for compliance documentation

When your information is no longer needed, we will securely delete or anonymize it.

Your Rights Under the PDPA

As a data subject under the PDPA, you have the following rights:

  • Right to be informed: To know what personal data we collect about you and how it is used
  • Right of access: To request a copy of the personal data we hold about you
  • Right to rectification: To request correction of inaccurate or incomplete personal data
  • Right to deletion: To request that we delete your personal data, subject to legal and regulatory retention requirements
  • Right to restriction: To request that we limit how we process your personal data in certain circumstances
  • Right to data portability: To receive your personal data in a structured, commonly used format
  • Right to object: To object to the processing of your personal data in certain circumstances
  • Right to withdraw consent: To withdraw your consent at any time, without affecting the lawfulness of processing carried out before withdrawal

To exercise any of these rights, please contact us using the details provided below. We will respond to your request within 30 days.

Data Security

We implement appropriate technical and organizational measures to protect your personal information from unauthorized access, loss, misuse, alteration, or destruction. These measures include encrypted data transmission (SSL/TLS), access controls limiting data access to authorized personnel, secure storage of medical records, and regular review of our security practices.

However, no method of transmission over the internet or electronic storage is completely secure. While we strive to protect your personal data, we cannot guarantee absolute security.

Children’s Privacy

Our services are intended for individuals aged 18 and older. We do not knowingly collect personal information from anyone under the age of 18 without parental or guardian consent. If you are under 18 and wish to receive treatment at KKC Clinic, a parent or legal guardian must provide consent and accompany you during the consultation process.

Third-Party Links

Our website may contain links to third-party websites, social media platforms, or services that are not operated by us. We are not responsible for the privacy practices of these third parties and encourage you to review their privacy policies before providing any personal information.

Cookie Policy

What Are Cookies?

Cookies are small text files placed on your device when you visit a website. They help the website recognize your device and remember certain information about your visit.

Cookies We Use

We use the following types of cookies on our website:

Essential Cookies — These are necessary for the website to function properly. They enable basic features such as page navigation, secure access, and language preferences. These cookies do not collect personal information and cannot be disabled.

Analytics Cookies — We use analytics tools (such as Google Analytics) to understand how visitors interact with our website. These cookies collect information such as the number of visitors, pages viewed, and traffic sources. This data is aggregated and anonymized. You may opt out of analytics cookies through your browser settings or by using the Google Analytics opt-out browser add-on.

Marketing Cookies — With your consent, we may use marketing cookies to deliver relevant advertisements and track the effectiveness of our marketing campaigns. These cookies may be set by third-party advertising partners (such as Google Ads or Meta).

Managing Cookies

You can control and manage cookies through your browser settings. Most browsers allow you to block or delete cookies. Please note that disabling certain cookies may affect the functionality of our website.

When you first visit our website, you will be presented with a cookie consent banner that allows you to accept or decline non-essential cookies.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements. When we make changes, we will update the “Last Updated” date at the top of this page. We encourage you to review this Privacy Policy periodically.

Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data subject rights, or have concerns about how your personal information is handled, please reach us through our contact page.