Privacy Policy

How Prewelle Clinic collects, uses, stores, and protects your personal and health data — in compliance with Thailand's Personal Data Protection Act, B.E. 2562 (PDPA).

1. Introduction

Prewelle Clinic ("we", "us", "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, disclose, and safeguard your personal information — including sensitive health data — when you visit our clinic, use our services, or interact with our website (prewelle.com).

This policy is issued in accordance with the Personal Data Protection Act, B.E. 2562 (2019), the Thai Medical Council's professional standards, and the Ministry of Public Health's regulations governing medical records and patient confidentiality.

2. Data We Collect

To provide our medical and wellness services, we may collect the following categories of personal data:

  • Identification & contact: full name, national ID or passport number, date of birth, gender, address, phone, email, LINE ID, emergency contact.
  • Demographics: age, nationality, occupation, marital status, language preference.
  • Health & medical: medical history, current medications, allergies, family history, lifestyle (sleep, diet, exercise, substance use), symptoms, physician notes, imaging.
  • Laboratory data: blood, urine, stool, saliva, genetic, and other lab results performed by our partner laboratories.
  • Device & continuous-monitoring data: CGM readings, wearable data (where you choose to share it).
  • Payment data: name on payment instrument, payment method, transaction records, tax invoice details. We do not store full card numbers; card payments are processed by PCI DSS-certified payment providers.
  • Technical data: when you visit our website, your browser type, language preference (stored in your browser's local storage), and IP address may be logged for security purposes.

3. How We Use Your Data

We use your personal data only for clearly defined purposes:

  • To deliver medical, diagnostic, and preventive-medicine services tailored to your needs.
  • To order, process, and interpret laboratory tests.
  • To monitor treatment progress and provide follow-up care.
  • To communicate with you about appointments, test results, prescriptions, and clinic updates.
  • To process payments, issue receipts and tax invoices.
  • To comply with legal, regulatory, and professional medical obligations (e.g., reporting notifiable diseases).
  • To improve service quality through internal audits — always using de-identified or aggregated data.

4. Legal Basis for Processing

We process your personal data under one or more of the following PDPA-recognized bases:

  • Consent — you have given us explicit, informed consent (especially for sensitive health data, per Section 26 PDPA).
  • Contract — processing is necessary to deliver the medical service you've engaged us for.
  • Medical care — provision of preventive medicine, diagnosis, and treatment by qualified healthcare professionals, which the PDPA permits for sensitive health data without separate consent (Section 26(5)(a) PDPA).
  • Vital interest — protecting your life or another person's life in an emergency.
  • Legal obligation — compliance with Thai law, including the Medical Profession Act and Ministry of Public Health regulations.

5. Data Sharing

We do not sell your personal data. We share data only when necessary, with the following recipients:

  • Partner laboratories — including BNH Hospital Laboratory, Bumrungrad International Lab, N Health, Professional Laboratory Management, and other certified labs, solely to perform the tests you have agreed to.
  • Referring or receiving physicians — when continuity of care requires it, with your knowledge.
  • Insurance companies & corporate sponsors — only with your explicit consent, for claims and direct billing.
  • Pharmacy fulfillment partners — for prescription dispensing where applicable.
  • Legal & regulatory authorities — when required by Thai law, court order, or to report notifiable communicable diseases.
  • IT service providers — for hosting, backup, and secure communications, all bound by confidentiality agreements.

6. Data Retention

We retain your data only as long as necessary:

  • Medical records are kept for at least 10 years after your last visit, in accordance with the Ministry of Public Health's regulations on medical records (and longer where required by the Medical Profession Act).
  • Contact and marketing data are retained until you withdraw consent or request deletion.
  • Financial records (invoices, receipts) are retained for at least 5 years per the Revenue Code.
  • Website technical logs are retained for no more than 90 days.

After the applicable retention period, data is securely deleted or anonymized.

7. Your Rights Under PDPA

As the data subject, you have the following rights under the PDPA:

  • Right of access — request a copy of the personal data we hold about you.
  • Right to rectification — correct inaccurate or incomplete data.
  • Right to erasure — request deletion (subject to the legal retention periods above).
  • Right to restrict processing — limit how we use your data in certain situations.
  • Right to data portability — receive your data in a structured, machine-readable format and transmit it to another provider.
  • Right to object — to processing based on legitimate interest or for direct marketing.
  • Right to withdraw consent — at any time; withdrawal does not affect lawful processing already carried out.
  • Right to lodge a complaint — with the Personal Data Protection Committee (PDPC) of Thailand if you believe your rights have been violated.

To exercise any of these rights, contact our Data Protection Officer (see Section 10).

8. Security Measures

We apply appropriate technical and organizational measures to protect your data, including:

  • Encryption of data in transit (TLS 1.2+) and at rest for medical records.
  • Role-based access controls — only authorized clinicians and staff with a clear need-to-know may access your records.
  • Audit logging of every record access, with periodic reviews.
  • Physical security at our clinic premises, including locked filing and secured server access.
  • Staff training on patient confidentiality and PDPA obligations.
  • Regular vulnerability assessments and security audits.
  • Incident response procedures, including notification of a personal data breach to the PDPC within 72 hours of our becoming aware of it, and to affected patients where the breach is likely to result in a high risk to their rights, as the PDPA requires.

9. Cookies & Website Data

Our website (prewelle.com) is intentionally minimal. We do not use marketing or tracking cookies. We do not use Google Analytics, Facebook Pixel, or similar third-party trackers on this site.

We use only your browser's localStorage to remember your language preference so you don't have to choose again next visit. This data never leaves your device.

If you submit our appointment form, the data is transmitted via a secure form-relay service (FormSubmit) to our clinical inbox; the submission passes through that service's servers in transit and is not stored on this website.

10. Contact for Data Requests

For any privacy-related question, to exercise your rights, or to file a complaint, please contact our Data Protection Officer:

  • Email: cs@prewelle.com (subject: "PDPA Request")
  • Phone: +66 63 343 1500
  • Postal address: Data Protection Officer, Prewelle Clinic, 399/4 CP HUB Room 4, Silom Soi 7, Silom Rd., Silom, Bangrak, Bangkok 10500

We will acknowledge your request within 7 business days and respond substantively within 30 days, as required by PDPA.

If you are not satisfied with our response, you may file a complaint with the Personal Data Protection Committee (PDPC) of Thailand — see pdpc.or.th.

11. Updates to This Policy

We may update this Privacy Policy from time to time to reflect changes in law, technology, or our services. When we make significant changes, we will notify registered patients by email and post a prominent notice on this page. The "last updated" date below indicates the latest revision.

Last updated: 27 May 2026
Effective from: 1 June 2026
Version: 1.0