Effective date: 21 May 2026
Last updated: 21 May 2026
This Privacy Policy describes how Munmun Fellowship Company Limited ("English Munmun", "we", "us", "our") collects, uses, stores, and discloses your personal data when you contact us through Facebook Messenger, Instagram Direct Messages, or our websites. This policy is published in accordance with Thailand's Personal Data Protection Act B.E. 2562 (2019) ("PDPA"). The Thai version of this policy controls in the event of any conflict between the two languages for users located in Thailand.
| Data controller | Munmun Fellowship Company Limited |
| Registered address | 88/10-11 Ngamwongwan Road, Lat Yao Sub-district, Chatuchak District, Bangkok 10900 |
| Contact email | [email protected] |
| Phone | 090-071-1878 |
| Data Protection Officer (DPO) | Mr. Slatan Samkoses — [email protected] |
If you have any question about this policy or wish to exercise your rights under PDPA, please contact our DPO using the details above.
When you use our website, enroll in our courses, or send a message to our Facebook Page or Instagram account, we receive and store the following:
Information you give us directly:
•
Full name
•
Email address
•
Phone number
•
Date of birth / gender (only when you provide them so we can recommend a suitable course)
•
Your English level and learning goals
•
Profile picture (only if you upload one)
•
Certificate numbers (for courses that issue certificates)
Information collected automatically when you use the website:
•
IP address, device type, and browser
•
Browsing behavior (pages visited, time spent, links clicked)
•
Site preferences and settings
•
Cookie data (see §11 and the Cookie Policy)
Additional data when you contact us via Facebook Messenger or Instagram Direct Messages:
•
See Appendix A at the end of this document for full details.
We do not store payment data (credit card or bank account numbers) on our own systems. Payment data is processed by PCI DSS-compliant providers (see §5).
•
Directly from you when you complete a form, contact us, or enroll in a course.
•
Automatically via cookies and website analytics tools.
•
Through Meta's APIs when you message us via Messenger or Instagram (see Appendix A).
| Purpose | Legal basis under PDPA |
|---|---|
| To deliver our English courses and related services | Performance of a contract (Section 24(3)) |
| To answer your enquiries, provide consultation, and recommend a suitable course | Performance of a contract / pre-contract steps (Section 24(3)) |
| To issue receipts, tax invoices, and payment documentation | Legal obligation (Section 24(6)) |
| To verify identity, maintain security, and prevent fraud | Legitimate interest (Section 24(5)) |
| To send OTPs and confirm registration via email/SMS | Performance of a contract (Section 24(3)) |
| To measure website performance, advertising effectiveness, and sales conversations | Legitimate interest (Section 24(5)) |
| To send news, promotions, and marketing | Consent (Section 19) |
| To train our sales team and improve our service (using anonymized data) | Legitimate interest (Section 24(5)) |
| To comply with the law | Legal obligation (Section 24(6)) |
You can withdraw consent to marketing at any time using the unsubscribe link in our emails, or by contacting us per §13.
We only share your personal data with the following parties:
Our employees and contractors who handle sales, teaching, and customer service, on a need-to-know basis.
Service providers that help us operate the service (acting as data processors under PDPA):
| Provider | Role | Server location |
|---|---|---|
| Railway, Inc. | Application hosting + PostgreSQL database + Redis cache | United States (multi-region) |
| Cloudflare, Inc. | DNS, CDN, and attack protection | Global network (Anycast) |
| Amazon Web Services, Inc. | File storage (S3) and transactional email (SES) | United States |
| Omise / Opn Payments | Payment processing (credit/debit cards, PromptPay, installments) | Thailand and Singapore |
| ThaiBulkSMS Co., Ltd. | OTP and SMS delivery | Thailand |
| Google LLC | Workspace email, Google Analytics, and Google Apps Script | United States and global network |
| Meta Platforms, Inc. | Messenger/Instagram APIs and Meta Pixel for advertising (see Appendix A) | United States and global network |
| TikTok Pte. Ltd. | TikTok Pixel for marketing and advertising | United States / Singapore |
| Zoom Video Communications, Inc. | Online webinar / workshop platform (Zoom Events) via learnsocial.munmun.co.th | United States and global network |
These providers act as data processors under a Data Processing Agreement with us, bound by security standards and data use restrictions.
Government authorities or regulators, where required by law.
Successors or buyers in the event of a share sale, merger, business sale, or corporate restructuring.
We do not sell your personal data and do not share it with third parties for their own marketing purposes.
Several of our service providers process data outside Thailand, in particular:
•
In the United States — Railway, AWS, Google, Meta, Zoom, TikTok, and Cloudflare.
•
In Singapore / Asia region — Omise and TikTok.
•
Global Anycast / multi-region network — Cloudflare.
ThaiBulkSMS processes data within Thailand and is not a cross-border transfer.
For cross-border transfers, we rely on contractual safeguards with each provider (Data Processing Agreements) and on the exceptions under PDPA Section 28, including your consent where required.
| Data | Retention |
|---|---|
| User account and learning records | For as long as you remain a student + 5 years after your last class (to support retroactive certificate requests) |
| Financial documents (receipts, tax invoices, payments) | 10 years, as required by the Revenue Code |
| Messenger/Instagram chat content and Meta identifiers | 24 months after your last contact, then anonymized (see Appendix A for details) |
| Marketing data (email lists) | Until you withdraw consent |
| Consent records | 7 years after withdrawal, as evidence |
| Cookies | According to each cookie's lifetime (see the Cookie Policy) |
You can request earlier deletion at any time — see §9 — except for data we are required by law to retain.
We protect your data with:
•
HTTPS encryption in transit, at every step.
•
Encryption at rest provided by our database provider.
•
Role-based access control.
•
Limited and audited administrator access.
•
Two-factor authentication (2FA) for sensitive back-office systems.
•
Regular risk assessments and security policy reviews.
If a personal data breach occurs that could affect your rights and freedoms, we will notify the Personal Data Protection Committee (PDPC) within 72 hours and notify you directly if the incident poses a high risk to you.
You have the right to:
•
Access — ask what personal data we hold about you.
•
Rectification — correct inaccurate data.
•
Erasure — ask us to delete your data ("right to be forgotten").
•
Restriction — limit how we use your data.
•
Objection — object to processing based on legitimate interest.
•
Data portability — receive a copy of your data in a portable format.
•
Withdraw consent — at any time, with no effect on processing carried out before withdrawal.
•
Lodge a complaint with the Personal Data Protection Committee (PDPC).
To exercise these rights: email our DPO at [email protected] or use the contact channels in §13. We will respond within 30 days as required by PDPA.
Our courses are offered to adults aged 20 and over only. We do not knowingly enroll or serve minors (anyone under 20).
If we discover that we have unintentionally collected personal data from a minor, we will delete it immediately. Please contact our DPO if you become aware of such a case or learn that a minor has enrolled with us.
munmun.co.th uses the following cookies and analytics tools:
| Type | Provider | Purpose |
|---|---|---|
| Essential cookies | Munmun Fellowship | Maintain login session and cart |
| Google Analytics (×2 properties) | Google LLC | Measure website usage |
| Meta Pixel | Meta Platforms | Measure Facebook/Instagram ad performance |
| TikTok Pixel | TikTok | Measure TikTok ad performance |
You can disable some cookies via the consent banner on our site, or via your browser settings. See the Cookie Policy for full details.
We may update this policy from time to time. The "Last updated" date at the top reflects the most recent change. Material changes will be announced at least 7 days before they take effect, via our Facebook Page and website, and by email to current students.
For privacy-related questions or to exercise your rights:
•
Email: [email protected] (DPO: Mr. Slatan Samkoses)
•
Phone: 090-071-1878
•
Mail: Munmun Fellowship Company Limited — 88/10-11 Ngamwongwan Road, Lat Yao Sub-district, Chatuchak District, Bangkok 10900
To lodge a complaint with the regulator: Office of the Personal Data Protection Committee (PDPC) — https://www.pdpc.or.th
Effective date of this Appendix: 21 May 2026
In addition to the main Privacy Policy above, this Appendix describes how Munmun Fellowship Company Limited ("English Munmun", "we") collects and processes personal data when you contact us through our Facebook Messenger or Instagram Direct Messages.
When you message our Facebook Page or our Instagram account, our system automatically receives the following data from Meta Platforms, Inc. ("Meta") via the Messenger Platform API and Instagram Messaging API:
•
Meta-issued identifiers — Page-Scoped ID (PSID) for Messenger or Instagram-Scoped ID for Instagram. These are anonymized identifiers assigned by Meta, unique to our Page or account, and cannot be linked back to your profile by third parties.
•
Your display name as shown on Facebook or Instagram.
•
Message content you send to us and our replies, including text, images, and other media.
•
Timestamps for each message.
•
Ad referral metadata — if you reached us by clicking "Send Message" from a Facebook or Instagram ad, we receive the associated ad ID, ad set ID, and campaign ID.
If you share it in the conversation, we may also collect:
•
Your phone number, when you provide it for a follow-up call.
•
Other details about yourself, such as your English level, learning goals, and availability.
We do not receive your email, real name, payment information, or any other Meta profile data unless you provide it to us directly in the conversation.
| Purpose | Legal basis under PDPA |
|---|---|
| Answering enquiries and consulting on our courses | Performance of a contract / pre-contract steps (Section 24(3)) |
| Recommending the right course for you | Legitimate interest (Section 24(5)) |
| Follow-up (in chat or by phone if you share your number) | Consent (Section 19) — you give consent by continuing the conversation after our privacy notice, or by sharing your phone number |
| Measuring the effectiveness of ads and sales conversations | Legitimate interest (Section 24(5)) |
| Training our sales staff using anonymized conversation patterns | Legitimate interest (Section 24(5)) |
In addition to the sub-processors named in the main policy, we use the following providers to process chat data from Messenger and Instagram:
| Provider | Role | Server location |
|---|---|---|
| Meta Platforms, Inc. | Source of messages and the communication platform | United States and globally |
| Railway, Inc. | Application hosting and database (PostgreSQL) | United States |
These providers act as data processors under a Data Processing Agreement with us, bound by security standards and data use restrictions.
Data processed through this service is transferred and stored outside Thailand:
•
In the United States and elsewhere — services provided by Meta and Railway.
We rely on the exceptions under PDPA Section 28, including Data Processing Agreements with each provider and, in some cases, your direct consent.
| Data | Retention |
|---|---|
| Message content, Meta display name, Meta identifiers | 24 months after your last contact, then anonymized: name, phone, and content are replaced with hashed values. Anonymized statistical records are kept thereafter. |
| Phone number | 24 months after last contact, then deleted |
| Consent records | 7 years after withdrawal, as evidence |
You can withdraw consent and ask us to stop processing your chat data immediately by:
•
Replying "STOP" in the Messenger or Instagram conversation. Our system will log the withdrawal, stop further processing, and send no follow-up messages.
•
Emailing our DPO at [email protected].
Your other PDPA rights (access, rectification, erasure, restriction, objection, portability, and the right to lodge a complaint) are as stated in the main Privacy Policy.
Our services are offered only to adults aged 20 and over (see §10 of the main policy). If we discover that a minor has contacted us via Messenger or Instagram unintentionally, we will delete that minor's data immediately.
For questions specifically about data processing through Messenger or Instagram, please contact our DPO using the channels in §13, or reply "STOP" in the chat to stop processing immediately.