Comparing v1 → v2
Changes between version 1 and version 2 of the privacy policy.
@@ -1,112 +1,137 @@
-## Information I Collect
+## Introduction
-### Account Information
+This Privacy Policy explains how fasu.dev collects, uses, stores, and protects your personal information when you visit [https://fasu.dev](https://fasu.dev) or use its services. This policy is designed to comply with the Thailand Personal Data Protection Act B.E. 2562 (PDPA).
-When you create an account, I collect:
+By using this website, you acknowledge that you have read and understood this Privacy Policy.
-- **Email address** — used for authentication, email verification, and password resets
-- **Name** — displayed on your profile and comments
-- **Profile image** — sourced from your authentication provider
+## Data Controller
-If you sign in with GitHub, I receive your public profile information (name, email, avatar) and an OAuth token to authenticate your session.
+**Website:** fasu.dev
+**Contact Email:** [contact@fasu.dev](mailto:contact@fasu.dev)
-### Session Data
+If you have questions about this Privacy Policy or wish to exercise your data subject rights, please contact me at the email address above.
-When you sign in, I store session information including:
+## Personal Data Collected
-- **Session token** — a unique identifier for your active session
-- **IP address** — recorded at sign-in for security purposes
-- **User agent** — your browser and device information
-- **Session expiration** — sessions expire after 7 days of inactivity
+### Data You Provide
-### User-Generated Content
+- **Account information:** name, email address, and password (stored in hashed form)
+- **Profile image:** obtained from your GitHub account if you sign up via GitHub OAuth
+- **Comments:** content you post on blog articles
+- **Comment reports:** reason and description when you report a comment
-When you interact with the Site, I store:
+### Data Collected Automatically
-- **Comments** — content you post on blog articles, including edit history
-- **Comment metadata** — timestamps, parent-child threading relationships
+- **IP address:** recorded when you sign in, post comments, or submit comment reports, for security and abuse prevention purposes
+- **User agent:** your browser and device information, recorded with each session
+- **Session data:** authentication tokens and session expiry timestamps
+- **Page views:** aggregate view counts on blog posts (not linked to individual users)
-### Automatically Collected Information
+### Data From Third Parties
-The Site may collect basic request information through the hosting infrastructure, such as:
+- **GitHub:** if you sign up using GitHub OAuth, your GitHub profile information (name, email, avatar URL) is received as authorized by your GitHub account settings
-- Pages visited
-- Referring URLs
-- Browser type and version
-- Device information
+### Analytics Data (Consent Required)
-## How I Use Your Information
+- **Vercel Analytics and Speed Insights:** website usage data collected only if you accept analytics cookies via the consent banner. No analytics data is collected if you decline.
-I use the collected information to:
+## Purposes of Data Processing
-- Authenticate your identity and maintain your session
-- Display your comments on blog posts
-- Send email verification and password reset emails
-- Protect against unauthorized access and abuse
-- Administer user accounts (including banning for policy violations)
+| Data Category | Purpose | Legal Basis (PDPA) |
+| ------------------- | ------------------------------------------------- | ---------------------------------- |
+| Account information | Account creation and authentication | Consent (Section 19) |
+| Profile image | Display alongside your comments and profile | Consent (Section 19) |
+| Comments | Enable discussion on blog posts | Consent (Section 19) |
+| Comment reports | Content moderation and community safety | Legitimate interest (Section 24) |
+| IP address | Security, abuse prevention, and moderation | Legitimate interest (Section 24) |
+| User agent | Session management and security monitoring | Legitimate interest (Section 24) |
+| Session data | Maintaining your authenticated state | Contractual necessity (Section 24) |
+| Analytics data | Improving website performance and user experience | Consent (Section 19) |
+## Cookies and Tracking
+
+The following cookies and local storage are used:
+
+- **Session cookie:** an authentication token set on the `.fasu.dev` domain to maintain your login state across the site. This is a strictly necessary cookie.
+- **Analytics consent:** your consent preference is stored in your browser's local storage under the key `fasu-analytics-consent`. This is not a tracking cookie.
+
+Vercel Analytics and Speed Insights are loaded only after you grant consent via the banner displayed at the bottom of the page. You may change your preference at any time by clearing your browser's local storage.
+
## Third-Party Services
-The Site integrates with the following third-party services:
+The following third-party services are used to operate fasu.dev:
-| Service | Purpose | Data Shared |
-| --------------------- | --------------------------------------- | ---------------------------- |
-| **Neon** (PostgreSQL) | Database hosting | All stored user data |
-| **GitHub** | OAuth authentication, contribution data | OAuth tokens, public profile |
-| **Resend** | Transactional emails | Email address, name |
-| **Vercel** | Site hosting and deployment | Request logs, IP addresses |
+| Service | Purpose | Data Shared |
+| -------------- | --------------------------------------------------------------- | ----------------------------------------------------------------- |
+| **Neon** | PostgreSQL database hosting | All stored personal data |
+| **Cloudflare** | API hosting (Workers), file storage (R2), caching (KV), and CDN | Request data, uploaded files |
+| **Vercel** | Frontend hosting, analytics, and performance monitoring | Page visits, performance metrics (consent required for analytics) |
+| **Resend** | Transactional email delivery | Email address, email content |
+| **GitHub** | OAuth authentication | OAuth tokens, profile information |
-Each service operates under its own privacy policy. I encourage you to review their respective policies.
+Each service processes data under their own privacy policies and data processing agreements.
-## Cookies and Local Storage
+## Cross-Border Data Transfers
-The Site uses cookies for:
+In accordance with **PDPA Section 28**, your personal data may be transferred to and processed in countries outside of Thailand. International service providers are used to operate fasu.dev, and your data may be stored or processed in the following jurisdictions:
-- **Session management** — a session cookie to keep you signed in
-- **Authentication state** — to maintain your login across page visits
+| Service | Country/Region | Data Transferred | Safeguards |
+| -------------------------------- | -------------------------------------------- | ----------------------------------------------------------- | ----------------------------------------------------------------------------------------- |
+| **Neon** (Database) | United States / European Union | Account data, comments, sessions, IP addresses | SOC 2 compliance; data encrypted at rest and in transit |
+| **Cloudflare** (CDN & Workers) | Global edge network (including US, EU, Asia) | API requests, uploaded files, cached content | ISO 27001 certified; Standard Contractual Clauses (SCCs); global data processing addendum |
+| **Vercel** (Hosting & Analytics) | United States | Page visits, performance data, frontend assets | SOC 2 Type II; data processing addendum; analytics loaded only with consent |
+| **Resend** (Email) | United States | Email address, email content (verification, password reset) | Data encrypted in transit; processed only for email delivery |
+| **GitHub** (OAuth) | United States | OAuth tokens, GitHub profile data (name, email, avatar) | SOC 2 certified; data processed only for authentication |
-I do not use tracking cookies, advertising cookies, or third-party analytics cookies.
+### Safeguards for Cross-Border Transfers
-## Data Retention
+The following measures are taken to ensure your data is protected when transferred internationally:
-- **Account data** — retained until you request deletion
-- **Session data** — automatically deleted after 7 days of inactivity
-- **Comments** — retained until you delete them (soft-deleted, content removed from public view)
-- **Email verification tokens** — expire and are automatically cleaned up
+1. **Service provider selection:** providers are selected that maintain recognized security certifications (SOC 2, ISO 27001) and offer data processing agreements.
+2. **Encryption:** all data is transmitted using TLS/HTTPS encryption. Database connections use encrypted channels.
+3. **Data minimization:** only the minimum data necessary for each service to fulfill its purpose is shared.
+4. **Contractual protections:** service providers are bound by their published data processing agreements and privacy commitments.
-## Your Rights
+If you have concerns about the transfer of your data outside Thailand, you may contact me at [contact@fasu.dev](mailto:contact@fasu.dev).
-You have the right to:
+## Data Retention
-- **Access** your personal data stored on the Site
-- **Edit** your comments at any time
-- **Delete** your comments (content is removed from public view)
-- **Request deletion** of your account and associated data
+| Data Type | Retention Period |
+| ------------------- | -------------------------------------------------------- |
+| Account data | Retained until you delete your account |
+| Session data | Sessions expire after 7 days of inactivity |
+| Comments | Retained until you delete the comment or your account |
+| Comment reports | Retained until reviewed and resolved by an administrator |
+| Verification tokens | Retained until used or expired |
+| Analytics data | Managed by Vercel per their retention policy |
-To exercise these rights, contact me at the email address below.
+When you delete your account, all associated personal data (sessions, comments, linked accounts, and reports) is permanently deleted via cascading deletion.
-## Data Security
+## Your Rights Under PDPA
-I implement reasonable security measures to protect your data:
+As a data subject under the PDPA, you have the following rights:
-- Passwords are hashed before storage
-- Sessions expire automatically
-- Admin access is role-restricted
-- Database connections use encrypted channels
+- **Right of access** (Section 30): Request a copy of the personal data held about you.
+- **Right to data portability** (Section 31): Export your personal data in a machine-readable format. You can do this from your [account settings](https://fasu.dev/account) using the "Export data" feature.
+- **Right to rectification** (Section 35): Request correction of inaccurate personal data.
+- **Right to erasure** (Section 33): Request deletion of your personal data. You can delete your account from your [account settings](https://fasu.dev/account).
+- **Right to restrict processing** (Section 34): Request that processing of your data be limited.
+- **Right to object** (Section 32): Object to data processing based on legitimate interest.
+- **Right to withdraw consent** (Section 19): Withdraw your consent at any time. For analytics, you can decline or clear your consent via the cookie banner. For your account, you can delete it from your account settings.
-However, no method of electronic transmission or storage is 100% secure. I cannot guarantee absolute security.
+To exercise any of these rights, contact me at [contact@fasu.dev](mailto:contact@fasu.dev). I will respond to your request within 30 days.
## Children's Privacy
-The Site is not directed at children under 13. I do not knowingly collect personal information from children. If you believe a child has provided me with personal data, please contact me.
+fasu.dev is not directed at children under the age of 20 (as defined by PDPA Section 4). Personal data from children is not knowingly collected. If you believe a child has provided personal data, please contact me at [contact@fasu.dev](mailto:contact@fasu.dev) and it will be promptly deleted.
## Changes to This Policy
-I may update this Privacy Policy from time to time. Changes are tracked through the version history system on the Site. Continued use of the Site after changes constitutes acceptance of the updated policy.
+This Privacy Policy may be updated from time to time. When updated, the "Last Updated" date at the top of this page will be revised and a new version published. Previous versions remain accessible via the version history on the [legal page](https://fasu.dev/legal/privacy).
## Contact
-If you have questions about this Privacy Policy or your data, contact me at:
+If you have questions, concerns, or wish to exercise your data subject rights, please contact:
- **Email:** [contact@fasu.dev](mailto:contact@fasu.dev)
- **Website:** [https://fasu.dev](https://fasu.dev)
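Review bot: the cascading-deletion sentence added to the new Data Retention section (`When you delete your account, all associated personal data (sessions, comments, linked accounts, and reports) is permanently deleted via cascading deletion.`) promises more than a database cascade delivers: it removes rows in Neon, but not copies already sent to the processors listed in the Third-Party Services table (email addresses and email content at Resend, request logs and analytics data at Vercel) or any database backups, and the same table's Analytics row concedes retention there is `Managed by Vercel per their retention policy`. Suggest scoping the sentence to data held in the fasu.dev database and stating what happens to processor-held copies and backups. Two consistency gaps in the same hunk: the withdraw-consent bullet says `For analytics, you can decline or clear your consent via the cookie banner`, while Cookies and Tracking says the only way to change the preference is `by clearing your browser's local storage`; and the Cloudflare row shares `uploaded files` and the GitHub row shares `OAuth tokens`, yet neither uploaded files nor OAuth tokens appears under Personal Data Collected or in the retention table, so the reader cannot tell what is collected or how long it is kept. Finally, the v1 Data Security section (automatic session expiry, role-restricted admin access, encrypted database connections, the no-absolute-security caveat) is removed with no v2 equivalent; only password hashing (Account information bullet) and transport encryption (cross-border safeguard 2) survive, scattered across other sections. Consider restoring a dedicated security-measures section, and while there, documenting the attributes of the `.fasu.dev` session cookie (Secure, HttpOnly, SameSite), since a cookie scoped to the parent domain is sent to every subdomain.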