Introduction
This Privacy Policy explains how fasu.dev collects, uses, stores, and protects your personal information. This policy complies with the Thailand Personal Data Protection Act B.E. 2562 (PDPA).
By using this website, you acknowledge that you have read and understood this Privacy Policy.
Data Controller
- Website: fasu.dev
- Contact Email: contact@fasu.dev
If you have questions about this Privacy Policy or want to exercise your data subject rights, contact me at the email address above.
Personal Data Collected
Data You Provide
- Account information — name, email address, and password (stored in hashed form)
- Profile image — uploaded directly (stored on Cloudflare R2) or sourced from your GitHub account via OAuth
- Comments — content you post on blog articles, including edit history and threading metadata
- Comment reports — reason and description when you report a comment (max 1000 characters)
Data Collected Automatically
- IP address — recorded when you sign in, post comments, or submit comment reports
- User agent — your browser and device information, recorded with each session
- Session data — authentication tokens and session expiry timestamps
- Page views — aggregate view counts on blog posts (not linked to individual users)
Data From Third Parties
- GitHub — if you sign up using GitHub OAuth, your GitHub profile information (name, email, avatar URL) is received as authorized by your GitHub account settings
Analytics Data (Consent Required)
- Vercel Analytics and Speed Insights — website usage data collected only if you accept analytics via the consent banner. No analytics data is collected if you decline.
Purposes of Data Processing
| Data Category | Purpose | Legal Basis (PDPA) |
|---|---|---|
| Account info | Account creation and authentication | Consent (Section 19) |
| Profile image | Display alongside your comments and profile | Consent (Section 19) |
| Comments | Enable discussion on blog posts | Consent (Section 19) |
| Comment reports | Content moderation and community safety | Legitimate interest (Section 24) |
| IP address | Security, abuse prevention, and moderation | Legitimate interest (Section 24) |
| User agent | Session management and security monitoring | Legitimate interest (Section 24) |
| Session data | Maintaining your authenticated state | Contractual necessity (Section 24) |
| Analytics data | Improving website performance | Consent (Section 19) |
Cookies and Tracking
The following cookies and local storage are used:
- Session cookie — an authentication token set on the `.fasu.dev` domain to maintain your login state. This is a strictly necessary cookie.
- Analytics consent — your consent preference is stored in your browser's local storage under the key `fasu-analytics-consent`. This is not a tracking cookie.
Vercel Analytics and Speed Insights load only after you grant consent via the banner at the bottom of the page. You can change your preference at any time by clearing your browser's local storage.
Third-Party Services
The following third-party services are used to operate fasu.dev:
| Service | Purpose | Data Shared |
|---|---|---|
| Neon | PostgreSQL database hosting | All stored personal data |
| Cloudflare | API hosting (Workers), file storage (R2), caching (KV), and CDN | Request data, uploaded avatars |
| Vercel | Frontend hosting, analytics, and performance monitoring | Page visits, performance metrics (consent required for analytics) |
| Resend | Transactional email delivery | Email address, email content |
| GitHub | OAuth authentication | OAuth tokens, profile information |
Each service processes data under its own privacy policies and data processing agreements.
Cross-Border Data Transfers
In accordance with PDPA Section 28, your personal data may be transferred to and processed in countries outside of Thailand:
| Service | Country/Region | Data Transferred | Safeguards |
|---|---|---|---|
| Neon (Database) | United States / European Union | Account data, comments, sessions, IP addresses | SOC 2 compliance; data encrypted at rest and in transit |
| Cloudflare (CDN & Workers) | Global edge network (including US, EU, Asia) | API requests, uploaded avatars, cached content | ISO 27001 certified; Standard Contractual Clauses (SCCs); global data processing addendum |
| Vercel (Hosting) | United States | Page visits, performance data, frontend assets | SOC 2 Type II; data processing addendum; analytics loaded only with consent |
| Resend (Email) | United States | Email address, email content (verification, password reset) | Data encrypted in transit; processed only for email delivery |
| GitHub (OAuth) | United States | OAuth tokens, GitHub profile data (name, email, avatar) | SOC 2 certified; data processed only for authentication |
Safeguards
The following measures protect your data when transferred internationally:
- Service provider selection — providers maintain recognized security certifications (SOC 2, ISO 27001) and offer data processing agreements.
- Encryption — all data is transmitted using TLS/HTTPS. Database connections use encrypted channels.
- Data minimization — only the minimum data necessary for each service to fulfill its purpose is shared.
- Contractual protections — service providers are bound by their published data processing agreements.
If you have concerns about the transfer of your data outside Thailand, contact me at contact@fasu.dev.
Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Retained until you delete your account |
| Session data | Sessions expire after 7 days of inactivity |
| Comments | Retained until you delete the comment or your account |
| Comment reports | Retained until reviewed and resolved by an administrator |
| Verification tokens | Retained until used or expired |
| Analytics data | Managed by Vercel per their retention policy |
When you delete your account, all associated personal data — sessions, comments, linked accounts, and reports — is permanently deleted via cascading deletion.
Data Export
You can export all your personal data from your account settings. The export includes your account information, sessions, comments, and reports in a machine-readable format. Password verification is required for accounts using email and password authentication.
Your Rights Under PDPA
As a data subject under the PDPA, you have the following rights:
- Right of access (Section 30) — request a copy of the personal data held about you.
- Right to data portability (Section 31) — export your personal data in a machine-readable format from your account settings.
- Right to rectification (Section 35) — request correction of inaccurate personal data.
- Right to erasure (Section 33) — request deletion of your personal data. You can delete your account from your account settings.
- Right to restrict processing (Section 34) — request that processing of your data be limited.
- Right to object (Section 32) — object to data processing based on legitimate interest.
- Right to withdraw consent (Section 19) — withdraw your consent at any time. For analytics, decline or clear your consent via the cookie banner. For your account, delete it from your account settings.
To exercise any of these rights, contact me at contact@fasu.dev. I will respond within 30 days.
Children's Privacy
fasu.dev is not directed at children under the age of 20 (as defined by PDPA Section 4). Personal data from children is not knowingly collected. If you believe a child has provided personal data, contact me at contact@fasu.dev and it will be deleted.
Changes to This Policy
This Privacy Policy may be updated from time to time. Previous versions remain accessible via the version history on the legal page.
Contact
If you have questions or want to exercise your data subject rights, contact me at:
- Email: contact@fasu.dev
- Website: https://fasu.dev
- GitHub: @pyyupsk