This document is KepFai's Privacy Policy, covering what data the system processes, the roles of TecTony and the customer under Thailand's PDPA, where data is stored, security measures, and data-subject rights.
KepFai is designed to support — not certify — our customers' compliance with the PDPA. Legal responsibility as the data controller remains with the customer.
Data KepFai processes
The system processes messages and attachments (images, videos, documents, audio files) from LINE chats that the customer has approved its LINE OA to join, along with operational metadata such as sender user IDs, chat IDs, and timestamps. It also stores accounts for admins/owners enrolled in the system — email, display name, role, and an audit log of actions in the dashboard. The system does not process content from LINE chats that have not been approved in the customer's dashboard.
PDPA roles
The customer is the 'data controller' under Thailand's PDPA — they determine the purposes and means of processing personal data. TecTony acts as a 'data processor', operating on the customer's instructions within the scope set out in the contract. The customer is responsible for establishing a lawful basis for processing the personal data of LINE chat participants and for informing them of their PDPA rights.
Where data is stored
Archived files and recorded messages reside in the customer's own storage — the customer's Google Drive, OneDrive, or NAS — never on TecTony's servers. Operational metadata (chat records, upload logs, conversation logs, audit logs, admin accounts) is stored in a Cloudflare D1 database under the customer's own Cloudflare account, not TecTony's.
Consent and notice to chat members
Activation in any given LINE chat requires an admin to approve it in the KepFai dashboard, and the customer must add their LINE OA to that chat. The customer is responsible for informing chat members about the archiving as required by PDPA before activation — the KepFai dashboard surfaces in-product guidance reminding admins to notify members before turning on conversation recording. Conversation recording is off by default, opt-in per chat, and restricted to the Owner role.
Security measures
All connections are TLS-encrypted; LINE credentials (Channel Access Token, Channel Secret) are encrypted with AES-256-GCM before being stored in the database; admin sign-in requires a magic link plus mandatory TOTP 2FA on every login; every admin action is recorded in an append-only audit log; and the system rate-limits sign-in attempts to defend against brute force. Incoming LINE webhooks are verified by HMAC signature to confirm authenticity.
Retention and deletion
Retention periods for files and messages follow the customer's policy — KepFai does not automatically expire content stored in the customer's storage. The customer can delete data directly from their own storage and Cloudflare D1 database. On termination of the contract, TecTony decommissions the Worker; data residing in the customer's cloud and database remains under the customer's control.
Data subject rights
Individuals whose personal data is processed in LINE chats (chat members) have rights under PDPA — access, rectification, erasure, and objection, among others. The customer, as the data controller, is responsible for fulfilling these rights through their own systems and cloud — TecTony provides technical support on request. Requests to exercise rights should be directed to the customer in the first instance.
Privacy contact
If you are a chat member whose data is held in a customer's KepFai deployment and you want to exercise PDPA rights, please contact the company that owns the chat (the data controller) first. To contact TecTony as the data processor or for a copy of the full policy, email hello@kepfai.com or message LINE Official Account @TecTony.
Contact
For questions about this Privacy Policy or to request the full policy text, please contact the TecTony team. — hello@kepfai.com · LINE @TecTony