01 Introduction
This Privacy Policy explains how Q Lighting Co., Ltd. ("Company", "we", "us", or "our") collects, uses, discloses, and protects personal data in connection with Project Work (the "Platform"), accessible at https://project.quill-shop.com.
This Policy is issued in compliance with the Personal Data Protection Act B.E. 2562 (2019) ("PDPA") of the Kingdom of Thailand and applies to all individuals whose personal data is processed through the Platform, including tenant staff, client users, and visitors.
By accessing or using the Platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please discontinue use of the Platform.
02 Who We Are
The Platform is a multi-tenant project management and design approval tool. For the purposes of the PDPA, Q Lighting Co., Ltd. is the data controller in respect of personal data processed at the platform level.
Tenant companies that subscribe to the Platform and manage their own staff and client data may act as data controllers in respect of the personal data they collect and upload through the Platform. In such cases, Q Lighting Co., Ltd. acts as a data processor on their behalf.
03 Categories of Users
The Platform serves three categories of users:
- Tenant Staff — Employees or representatives of a subscribed tenant company who create and manage projects, upload revision documents, and conduct internal review and client approval workflows.
- Client Users — External individuals (such as project owners, consultants, or developers) who are invited by tenant staff to view, comment on, and approve or reject project revisions.
- Super Administrators — Employees of Q Lighting Co., Ltd. who manage platform-level operations and tenant accounts.
04 Personal Data We Collect
4.1 Data Collected at Sign-In
When you authenticate using Google or Microsoft OAuth, we receive and store:
- Full name
- Email address
- OAuth provider identifier (a unique token issued by Google or Microsoft)
- Profile picture URL (where provided by the OAuth provider)
- OAuth provider name (Google or Microsoft)
We do not receive or store your password. Authentication is handled entirely by Google or Microsoft.
4.2 Data Generated During Platform Use
- Client interaction records: when a client views a revision, leaves a comment, approves, or rejects, we record the action type, the content of any comment, a timestamp, IP address, and browser/device user agent string.
- View engagement data: the date and time a client first viewed a revision, the number of times they viewed it, and the approximate duration of each viewing session in seconds.
- Electronic signatures: when a tenant requires client e-signature on approval, we store the signature as an image together with the date and time of signing, the revision identifier, and the client account identifier.
- Internal team comments: comments made by tenant staff during internal review. These are stored separately from client interactions and are never accessible to client users.
- PDF revision documents: files uploaded by tenant staff are stored on the Platform's secure file storage, accessible only to authorised users.
- Usage events: the Platform logs certain in-app actions for internal operational analytics. These logs are not shared with third-party analytics providers.
- Invitation tokens and access codes: stored only in cryptographically hashed form. The plaintext value is never stored.
4.3 Data We Do Not Collect
- We do not use third-party advertising cookies or tracking pixels.
- We do not sell personal data to third parties.
- We do not collect payment or billing card information directly.
05 Lawful Basis for Processing
Under the PDPA, we process personal data on the following lawful bases:
- Contractual necessity — to provide the Platform services to tenant companies and their invited client users.
- Legitimate interests — to maintain the security and integrity of the Platform, generate internal analytics, and send transactional notifications.
- Consent — where required by law and not covered by another lawful basis.
- Legal obligation — where we are required to retain or disclose data to comply with applicable Thai law.
06 How We Use Personal Data
- Authenticate users and maintain secure sessions
- Route users to the correct workspace based on their account type
- Enable tenant staff to create projects, upload revision documents, and manage internal workflows
- Deliver revision documents and project information to invited client users
- Record and display client actions as part of the project audit trail
- Send transactional email notifications relating to project activity
- Send automated reminder emails when a revision has not been viewed or responded to
- Provide tenant staff with visibility of client engagement
- Detect and investigate misuse or security incidents
- Comply with applicable laws and regulatory requirements
07 Transactional Email Notifications
The Platform sends transactional email notifications using Brevo. Notifications are sent from project@quill-shop.com.
For tenant staff
- New revision uploaded
- Revision submitted for internal review
- Client invited to a project
- Client viewed, commented, approved, or rejected a revision
- Revision finalized and locked
- Automated reminders when clients have not viewed or responded
For client users
- Added to an organisation
- Revision released for their review
- Revision finalized
- Reminder that a revision is awaiting their review
Tenant administrators may configure which notification events are active for their workspace.
08 Data Sharing and Disclosure
We do not sell your personal data. We share personal data only in the following circumstances:
- Service providers — Brevo (email delivery) and Sentry (error monitoring) process data on our behalf under appropriate agreements.
- Within the Platform — Name, email, and profile picture are visible to authorised users within the same tenant workspace. Internal staff comments are never visible to client users.
- Legal requirements — We may disclose personal data where required by Thai law or a lawful government authority request.
- Business transfer — In the event of a merger or acquisition, personal data may be transferred. Affected users will be notified.
09 Data Retention
- Account data (name, email, OAuth identifiers) is retained for the lifetime of the account and a reasonable period after deactivation.
- Client action records (views, comments, approvals, rejections) are retained as part of the append-only project audit trail for the lifetime of the associated project.
- PDF revision documents are retained for the lifetime of the project within the tenant workspace.
- Electronic signatures are retained for the lifetime of the associated revision record.
- Usage event logs are retained for internal operational analytics and are not disclosed to third parties.
When a tenant account is suspended or terminated, data is subject to our data deletion procedures as agreed in the applicable service agreement.
10 Your Rights Under the PDPA
Under the Personal Data Protection Act B.E. 2562 (2019), you have the following rights:
- Right to be informed — You have the right to be informed about how your personal data is collected and used.
- Right of access — You may request access to the personal data we hold about you.
- Right to rectification — You may request correction of inaccurate or incomplete personal data.
- Right to erasure — You may request deletion in certain circumstances. Note that some data forms part of an append-only audit trail and cannot be individually deleted.
- Right to restriction — You may request that we limit processing in certain circumstances.
- Right to data portability — You may request your personal data in a structured, machine-readable format where technically feasible.
- Right to object — You may object to processing based on legitimate interests in certain circumstances.
- Right to withdraw consent — Where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, please contact us using the details in Section 13.
11 Cross-Border Data Transfers
The Platform is hosted on infrastructure located outside Thailand (currently on Hetzner Cloud). By using the Platform, personal data may be transferred to and stored on servers outside the Kingdom of Thailand.
We take appropriate measures to ensure that such transfers comply with the PDPA, including ensuring adequate safeguards are in place where required. Third-party service providers (including Brevo and Sentry) may process data outside Thailand and are selected on the basis of internationally recognised data protection standards.
12 Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or disclosure — including database-level row-level security, tenant isolation, HTTPS/TLS encryption, hashed storage of sensitive tokens, and application-level access controls.
No method of transmission or storage is completely secure. If you become aware of any security vulnerability or incident, please contact us immediately. See our Security practices page for further detail.
13 Contact Us
For questions, to exercise your rights under the PDPA, or to report a privacy concern:
14 Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Platform, or applicable law. We will notify users of material changes by updating the "Last updated" date at the top of this document and, where appropriate, through in-Platform or email notification.
Your continued use of the Platform after any update constitutes your acknowledgement of the revised Policy.