Tenant Admin — Privacy Policy
Last updated: June 2, 2026
This Privacy Policy describes how the MewNam product, operated by Space Salmon Co., Ltd. (a company registered in Thailand, Tax ID 0-1055-69100-32-5), referred to in this policy as “MewNam”, “we”, “us”, or “our”, collects, uses, stores, and shares personal data when you, as a venue operator or staff member, register for, access, or use the MewNam tenant administration console (the “Admin Console”) and the supporting platform services (collectively, the “Service”). It also describes how MewNam processes the personal data of your customers on your behalf when you use the Service.
This policy applies to the marketing site at mewnam.com, the Admin Console at app.mewnam.com, the customer-facing LINE LIFF booking app you operate under your tenant, and the back-end APIs and infrastructure that support them. The booking app has a separate privacy policy aimed at end customers.
If you don’t provide required information. Some of the information described below is required for us to create your account, perform our contract with you, or comply with Thai law. If you refuse to provide it, we may not be able to create your account, accept an invitation, process a booking, or issue a receipt that depends on that information. Where specific information is required, we tell you at the point we ask for it.
1. Roles under the PDPA
For personal data about you and your team members (Operator account data), MewNam acts as the data controller.
For personal data about your customers (their name, phone, LINE identifier, bookings, payments, and slip images), MewNam acts as a data processor on your behalf, and you remain the data controller. You are responsible for providing your own privacy notice to your customers and for collecting any consents required by law.
2. Information we collect about Operators and staff
When you sign up, accept an invitation, or use the Admin Console, we collect:
- Account information — your name, email address, your role, and a record of sign-ins used to detect abuse and enforce account-lockout protection.
- Verification codes — for password reset and email change flows.
- Audit information — actions you perform inside the Admin Console, with the actor’s name. This audit trail is necessary to give your team a reliable view of who did what.
- Technical data — basic device and connection information needed to operate and secure the Service.
3. Information you submit about your tenant and customers
When you operate your tenant, you submit information that the Service stores and processes on your behalf:
- Tenant configuration — the settings of your venue and credentials for any third-party integrations you set up. Credentials are stored under strict access control and are masked in the Admin Console.
- Branch and facility information — what you publish about the venues you operate.
- Customer records — the information you maintain about your customers.
- Bookings and payments — booking records and the payment information associated with them, including any payment-slip images uploaded by customers.
4. How we use personal data
We use the personal data described above to:
- Authenticate Operators and staff and enforce role-based access control.
- Operate the Service: create and update bookings, send LINE notifications, generate secure URLs for payment slips, and produce activity logs.
- Send transactional email (sign-up confirmation, invitation, password reset, and account-change notices). We do not send marketing email without a separate opt-in.
- Detect and prevent abuse, fraud, brute-force authentication attempts, and excessive OTP requests.
- Provide customer support, debug issues you report to us, and improve the Service.
- Comply with legal obligations and respond to lawful requests from public authorities.
5. Legal bases for processing
Where the PDPA or another applicable law requires a legal basis, we rely on:
- Performance of a contract with you (the Terms of Service) for account, billing, and core platform processing.
- Legitimate interests for security, abuse prevention, and Service improvement, balanced against your reasonable expectations.
- Legal obligation for retention of financial records and responses to lawful requests.
- Consent, where consent is the appropriate basis (for example, optional analytics or marketing). You can withdraw consent at any time without affecting prior processing.
6. Cookies and similar technologies
The marketing site uses only essential cookies (and no analytics cookies that collect personal data without consent). The Admin Console stores its authentication token in your browser and sets a secure session cookie that is cleared when you sign out. The booking app stores its authentication token in your browser for the duration of your LINE session.
7. Sub-processors and recipients
We use a limited set of carefully chosen third-party providers to operate the Service. Each is bound by a written agreement that requires a level of data protection no less protective than this policy.
- Stripe Payments, Inc. (Delaware, USA) processes your subscription billing — invoice generation, payment collection, the customer portal, payment-method storage, and dispute handling. Data shared with Stripe includes your name, email address, tenant identifier, billing address, tax ID where provided, subscription state, and payment-method metadata. Card and bank credentials are collected and stored by Stripe and do not pass through our servers.
- Other service providers — we also use other carefully selected third-party providers to operate the Service, including cloud hosting and database, object storage, LINE messaging delivery, SMS, transactional email, and error monitoring.
We share customer personal data with the Operator that owns the tenant in which the data was collected. We do not sell personal data to third parties, and we do not aggregate or share customer data across tenants for analytics, benchmarking, or any other purpose, except where required by law.
If we propose to add or change a third-party provider in a way that materially affects how your personal data is processed, we will notify you at least thirty (30) days before the change takes effect. If you reasonably object on data-protection grounds, you may terminate the affected Service within that window and receive a refund of any prepaid, unused fees for the affected period.
8. International transfers
The Service is primarily operated from data centres in the Asia-Pacific region. Stripe processes billing data in the United States under Stripe’s data-processing addendum at stripe.com/legal/dpa and Stripe’s standard contractual clauses. Some other third-party providers may also process limited data outside Thailand under similar safeguards. Where cross-border transfers occur, we rely on data-protection mechanisms recognised by Thai law.
9. Retention
- Operator account data is retained while your account is active and for a reasonable period after closure, unless a longer period is required by law.
- Tenant configuration, bookings, payments, and customer records are retained for at least thirty (30) days after termination so that you can export them, after which they are deleted or anonymised, except where Thai tax or accounting law requires longer retention.
- Authentication and login-attempt logs are retained for up to twelve (12) months for security investigations, which also satisfies our log-retention obligations as a Thai online-service provider.
- Payment slip images are retained for as long as the booking exists, plus any retention period required by law.
10. Security
We implement appropriate technical and organisational security measures to protect personal data against unauthorised access, alteration, disclosure, and destruction. No system can be guaranteed to be perfectly secure, and you should report any suspected vulnerability to support@mewnam.com.
Breach notification. Where required by Thai data-protection law, we will notify the Personal Data Protection Committee within seventy-two (72) hours of becoming aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, and we will notify the affected Operator without undue delay where the breach is likely to result in a high risk.
11. Your rights
Subject to the PDPA, you have the right to:
- access the personal data we hold about you;
- correct inaccurate or incomplete data;
- request deletion or anonymisation, where applicable;
- restrict or object to processing in defined circumstances;
- request data portability for personal data you have provided to us;
- withdraw consent where processing is based on consent;
- file a complaint with the Office of the Personal Data Protection Committee.
To exercise any of these rights for Operator account data, contact us at support@mewnam.com. To exercise rights with respect to customer data stored in a tenant, contact the Operator that controls the tenant; we will assist that Operator on request.
12. Children
The Service is not directed at children under the age of fifteen (15). Operators must not knowingly collect personal data from children below that age through the Service without verifiable parental consent.
13. Changes to this policy
We may update this policy from time to time. The “Last updated” date at the top of the page reflects the latest version. Material changes will be notified to the registered email of the tenant owner at least thirty (30) days before the change takes effect.
14. Contact
For privacy questions, including PDPA requests, please contact:
- Email: hello@mewnam.com
- Registered entity: Space Salmon Co., Ltd. (Thai company, Tax ID 0-1055-69100-32-5)
- Public contact details: see Contact us
