← Massageasy

Privacy Policy

Last updated: 14 June 2026

This policy explains what data Massageasy collects, why, and how it is handled. It is written to align with Thailand’s Personal Data Protection Act (PDPA). Massageasy acts as a data processor for guest session data collected on behalf of venues; each venue is the data controller for its guests’ data.

1. Data we collect from venue owners

  • Account data: email address, password (stored hashed), venue name, address, and settings.
  • Billing data: plan, billing period, and subscription status. Card details are handled by our payment provider (Stripe) and never stored on our servers.
  • Usage data: standard server logs (IP address, timestamps) for security and reliability.

2. Data collected from guests on the tablet

The intake flow is designed for data minimisation. No guest name, email, phone number, or account is required. A session records:

  • Chosen language, massage type, duration, add-ons, and pressure preference.
  • Body-map selections (focus and avoid areas).
  • Optional, guest-volunteered health flags and notes (for example “recent injury”) so the therapist can adjust the session. These are sensitive data under PDPA — guests choose freely whether to provide them, and they are used only to deliver the session.
  • Session timing, payment method as marked by staff (cash / QR / card — never card numbers), optional rating, feedback note, and tip amount.

3. How data is used

  • To run the session flow and show the therapist the guest’s preferences.
  • To give the venue its own dashboard, reports, and CSV exports.
  • We do not sell data, use it for advertising, or share it with third parties except the service providers below.

4. Service providers (sub-processors)

We use a small number of trusted providers to run the Service. The current list, including what each one processes and where it is located, is published at massageasy.com/subprocessors. Material changes are announced at least 30 days in advance.

5. Retention and deletion

  • Session data is retained while the venue’s account is active, so the venue can use its history and exports.
  • When an account is closed, data is deleted within 30 days of the export window ending.
  • Venues may request deletion of specific sessions (for example, on a guest’s request) by contacting us.

6. Security

  • All traffic is encrypted in transit (HTTPS).
  • Database access is restricted per venue with row-level security — one venue can never read another venue’s data.
  • Dashboard access on shared tablets is protected by a staff PIN.

7. Lawful basis and consent

Under PDPA we rely on the following bases for processing:

  • Contract — to run the Service for venues that have an active account.
  • Legitimate interests — to keep the Service secure, debug issues, and prevent abuse.
  • Explicit consent — for sensitive personal data (Section 26 PDPA), such as guest health flags or notes about injuries. Guests may skip these fields at any time and the session still completes. Health information is shown only to the therapist serving that session and is not used for any other purpose.
  • Legal obligation — for tax, accounting, and other compliance records.

8. Guest and data-subject rights (PDPA)

Anyone whose personal data we process may exercise the following rights under PDPA:

  • Access — request a copy of personal data we hold about you.
  • Correction — ask us to fix inaccurate or incomplete data.
  • Erasure — ask us to delete personal data we no longer need.
  • Restriction — ask us to limit how we process data while a dispute is resolved.
  • Portability — receive your data in a machine-readable format (CSV export is available from the dashboard).
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — withdraw any consent you previously gave.
  • Complain — lodge a complaint with the Personal Data Protection Committee (PDPC) of Thailand.

Guests should normally direct requests to the venue they visited (the data controller). Because sessions are not linked to names or contact details, the venue may need the session code from the guest’s visit to locate the record. Venues can fulfil these requests from the dashboard or by contacting us. We will respond to a verified request within 30 days.

9. Security and breach notification

We take reasonable technical and organisational measures to protect personal data, including encryption in transit (HTTPS), encryption at rest for credentials, row-level database security, PIN-protected dashboard access on shared tablets, and rate-limiting on authentication endpoints. If we become aware of a personal-data breach that poses a risk to data subjects, we will notify the PDPC and affected venues without undue delay and in any event within 72 hours.

10. International transfers

The Service is hosted on Supabase (database) and Vercel (application) servers, which operate globally. Where data is transferred outside Thailand we rely on the receiving country’s data-protection adequacy or on standard contractual safeguards required by PDPA.

11. Changes

We will post any changes to this policy on this page and update the date above. Material changes will be announced to account owners by email.

12. Contact

Massageasy is operated by Noom Studio Co., Ltd. (Thailand). The privacy contact point for access, correction, deletion, and complaint requests under PDPA is massageasyapp@gmail.com. You may also contact us via the homepage.

Terms of Service · Privacy Policy · Sub-processors