Privacy Policy
Effective April 22, 2026
Ploiwang values your privacy. This policy explains how we collect, use, and protect your personal data in accordance with the Personal Data Protection Act B.E. 2562 (PDPA).
Data Controller
Ploiwang is operated by an independent team. You can contact us at [email protected] or by mail at the address listed on our contact page.
Data We Collect
We only collect data necessary to provide our service.
- Account information: email, display name, and profile picture (when signing up via Google).
- Password: stored as a hash only. We never store your actual password.
- Payment data: we only store your Stripe Customer ID to link your account. Credit card details are handled entirely by Stripe.
- Activity logs: we store only the type of activity (e.g., capsule created, opened) and the timestamp. We never store the content you write.
- Time Capsules: capsule content, unlock date, and images (if any) are stored in the database until you delete them.
- Preferences: Premium status, free trial status, notification settings, feature-related settings, the timestamp of your first use of each feature, and the list of badges you have unlocked (used to display Path Awareness badges on the dashboard) — we store only short slug identifiers (e.g. "start" / "ink"), never content.
- Feedback you submit via the Voice form: your message, rating (if provided), consent to be quoted as a testimonial, and display name (if entered) — stored completely separately from user accounts (no userId/email linkage). We store a SHA-256 hash of your IP address solely to limit spam; it is never exposed and never used to identify you.
- Open Up: the messages you choose to publish — posts, comments, and owner replies (passed through an AI filter that mostly keeps your own words; AI only rewrites when profanity, risky language, or PII is detected) — plus locale, a SHA-256 hash of your IP for abuse prevention, your reactions to other posts, the list of posts you've chosen to mute, an optional self-declared mood tag you may attach to a post (e.g. weary / sad / relieved), and a per-user counter of consecutive filter attempts (used by the 10-minute cooldown that kicks in after 5 back-to-back filter calls on the same draft — reset on successful publish). All linked to your userId for moderation and PDPA rights only, never exposed through the API or UI. Posts and their comments are auto-deleted together when the parent post reaches 30 days.
- Daily Zen replies: the reflection you choose to publish (passed through an AI filter that mostly keeps your own words — AI only rewrites when profanity or risky language is detected), the Zen date you replied to, and the locale used. Linked to your userId so we can enforce a one-reply-per-day limit and let you delete your own reflection. Replies are auto-deleted after 30 days and are displayed publicly without identity attribution (no name, email, or avatar — every author shares the same anonymous mark).
Purpose of Data Use
We use your data for the following purposes only.
- To provide the Ploiwang service as you request (contractual basis).
- To authenticate your identity and secure your account.
- To process Premium membership payments.
- To send service-related emails such as email verification, pre-unlock reminders (7 days before a capsule opens), capsule unlock notifications, and weekly summaries. All of these can be turned off in settings.
- To improve the service (legitimate interest) using aggregate data, never personal content.
Third-Party Sharing
We share data with the following providers only as necessary to deliver the service.
- Google OAuth — to authenticate when you choose to sign in with Google.
- Stripe — to process Premium membership payments.
- Resend — to send verification emails, notifications, and weekly summaries.
- Cloudflare R2 — to store images uploaded in Time Capsules.
- Google Gemini — for AI features such as Omikuji, Mirror, Room, the writing guide, Mend, Daily Zen, the Open Up filter step, and the filter step for Daily Zen replies. We send only the minimum text required and never send identifying information (no User ID, email, or IP). Daily Zen content itself sends no user data — it is automated creative content generated once per day.
Cross-Border Data Transfer
Some of our third-party providers (Google, Stripe, Resend, Cloudflare) have servers located outside Thailand. These transfers comply with Sections 28 and 29 of the PDPA. We transfer data on a contractual basis (data necessary to provide the service you requested), and all providers maintain adequate personal data protection measures in accordance with international standards.
Ephemeral Data (Vanish Modes)
Vanish features (Ink, Water, Fire) are processed entirely in your browser. The text you type is never sent to any server and is never stored anywhere. The Ephemeral Room works the same way — conversations exist only in your browser and disappear when you close the tab.
AI Features and Privacy
When you use AI features (Omikuji, Mirror, the writing guide, Echo, Mend), your text is sent to Google Gemini once to generate a response, then immediately discarded. We never send identifying information (no User ID, email, or IP) with your text, and we do not store the text sent or responses received in our database, except for Omikuji results which are cached temporarily for the day. For the Open Up filter step, we cache only a hash (SHA-256) of the input paired with the filter result (the rewritten text, or a marker that the input was clean) for 7 days to avoid re-calling the AI when identical text is submitted again. This cache is keyed by content only, never by userId (zero-PII by construction). For Daily Zen, content is generated by Gemini once per day automatically with no user data involved, and stored as public content shown identically to every visitor.
Cookies
We use the following cookies: (1) a session cookie (JWT) required for authentication, and (2) Google Analytics cookies (_ga, _ga_*) to measure anonymous site usage such as page views and time spent on the site. We do not use advertising cookies or cross-site tracking cookies. Data from Google Analytics is not linked to your account or your content.
Data Retention
Account data and Time Capsules are kept as long as your account is active. Activity logs are retained to generate weekly summaries. Open Up posts are auto-deleted after 30 days (posts hidden by admins to retain evidence of policy violations are kept for 180 days). The Open Up filter cache is purged within 7 days. Email verification links expire in 24 hours. Password reset links expire in 1 hour.
Your Rights Under PDPA
You have the following rights under the Personal Data Protection Act.
- Right of access — request a copy of your personal data.
- Right to correction — request correction of inaccurate data.
- Right to deletion — request deletion of your data and account.
- Right to object — object to certain types of data processing.
- Right to restriction — request limitation of your data use.
- Right to withdraw consent — withdraw consent at any time.
- Right to data portability — request your personal data in a machine-readable format.
- Right to lodge a complaint — if you believe your rights have been violated, you have the right to file a complaint with the Personal Data Protection Committee (PDPC).
To exercise these rights, please contact us at [email protected]. We will respond to your request within 30 days.
Account Deletion
To delete your account and all associated data, please email [email protected]. We will process the deletion within 30 days.
Data Breach Notification
In the event of a personal data breach, we will notify the Personal Data Protection Committee (PDPC) within 72 hours as required by law. If the breach poses a high risk to your rights and freedoms, we will notify you without undue delay. All incidents are logged internally to maintain an auditable trail.
Legal Orders
Where we receive a court order or a request from an investigating officer under Section 18 of the Computer Crime Act B.E. 2550, we will disclose only what the order covers. Every disclosure is recorded in an internal audit log together with the case number and requesting authority, and we will notify the data subject by email immediately after action is taken — except when the order itself prohibits disclosure (a court-sealed order).
Internal Audit Log
Administrator actions that touch your data (account suspension, legal disclosures, PDPA data exports, etc.) are written to a tamper-evident internal log that cannot be edited or deleted by application code. The log is kept for forensic and accountability purposes and is not made public.
Reporting & Access Restrictions
We provide an abuse-reporting form at /report so users can flag harassment, spam, illegal content, or self-harm risks. Reports are confidential to the reported party. We retain the reporter's description, optional reference ID, and a SHA-256 hash of the reporter's IP address solely to triage reports and prevent abuse of the form (the hash is never displayed to anyone). We may rate-limit or block requests from specific IP addresses (stored only as SHA-256 hashes) when we observe abusive, spammy, or credential-stuffing behaviour.
Minors and Children
Ploiwang is intended for users aged 13 and above. Users under 20 years of age (minors under Thai law) should obtain parental consent before using the service. We do not knowingly collect data from children under 10 years of age. If we become aware of such data, we will delete it immediately.
Changes to This Policy
If we make significant changes to this policy, we will notify you by email.
Contact Us
For questions about this privacy policy, please contact [email protected].