Introduction
This Privacy Policy explains how fasu.dev collects, uses, stores, and protects your personal information. This policy complies with the Thailand Personal Data Protection Act B.E. 2562 (PDPA).
By using this website, you acknowledge that you have read and understood this Privacy Policy.
Data Controller
Website: fasu.dev Contact Email: contact@fasu.dev
If you have questions about this Privacy Policy or want to exercise your data subject rights, contact me at the email address above.
Personal Data Collected
Data You Provide
- Account information — name, email address, and password (stored in hashed form)
- Profile image — uploaded directly (stored on Cloudflare R2) or sourced from your GitHub account via OAuth
- Comments — content you post on blog articles, including edit history and threading metadata
- Comment reports — reason and description when you report a comment (max 1000 characters)
Data Collected Automatically
- IP address — recorded when you sign in, post comments, or submit comment reports
- User agent — your browser and device information, recorded with each session
- Session data — authentication tokens and session expiry timestamps
- Page views — aggregate view counts on blog posts (not linked to individual users)
- Error tracking data — when an error occurs, Sentry captures the error message, stack trace, browser and OS information, page URL, and request metadata. This data is not linked to your user account.
- Session replay data — Sentry records a sample of browsing sessions (10% of normal sessions, 100% of sessions where an error occurs) as DOM snapshots. Replays capture page structure, clicks, and navigation but mask all text input fields by default. Session replays are not linked to your user account.
- Performance data — Sentry collects page load times, navigation timing, and API request durations to monitor application performance.
Data From Third Parties
- GitHub — if you sign up using GitHub OAuth, your GitHub profile information (name, email, avatar URL) is received as authorized by your GitHub account settings
Analytics Data (Consent Required)
- Vercel Analytics and Speed Insights — website usage data collected only if you accept analytics via the consent banner. No analytics data is collected if you decline.
Purposes of Data Processing
| Data Category | Purpose | Legal Basis (PDPA) |
|---|---|---|
| Account info | Account creation and authentication | Consent (Section 19) |
| Profile image | Display alongside your comments and profile | Consent (Section 19) |
| Comments | Enable discussion on blog posts | Consent (Section 19) |
| Comment reports | Content moderation and community safety | Legitimate interest (Section 24) |
| IP address | Security, abuse prevention, and moderation | Legitimate interest (Section 24) |
| User agent | Session management and security monitoring | Legitimate interest (Section 24) |
| Session data | Maintaining your authenticated state | Contractual necessity (Section 24) |
| Error tracking | Identifying and fixing application errors | Legitimate interest (Section 24) |
| Session replay | Diagnosing errors in context | Legitimate interest (Section 24) |
| Performance data | Monitoring and improving site performance | Legitimate interest (Section 24) |
| Analytics data | Improving website performance | Consent (Section 19) |
Cookies and Tracking
The following cookies and local storage are used:
- Session cookie — an authentication token set on the
.fasu.devdomain to maintain your login state. This is a strictly necessary cookie. - Analytics consent — your consent preference is stored in your browser's local storage under the key
fasu-analytics-consent. This is not a tracking cookie.
Vercel Analytics and Speed Insights load only after you grant consent via the banner at the bottom of the page. You can change your preference at any time by clearing your browser's local storage.
Sentry error tracking and session replay are loaded automatically without requiring consent. These tools are used to maintain the stability and security of the website under legitimate interest. No advertising or cross-site tracking is performed.
Third-Party Services
The following third-party services are used to operate fasu.dev:
| Service | Purpose | Data Shared |
|---|---|---|
| Neon | PostgreSQL database hosting | All stored personal data |
| Cloudflare | API hosting (Workers), file storage (R2), caching (KV), and CDN | Request data, uploaded avatars |
| Vercel | Frontend hosting, analytics, and performance monitoring | Page visits, performance metrics (consent required for analytics) |
| Sentry | Error tracking, session replay, and performance monitoring | Error data, DOM snapshots, browser info, page URLs |
| Resend | Transactional email delivery | Email address, email content |
| GitHub | OAuth authentication | OAuth tokens, profile information |
Each service processes data under their own privacy policies and data processing agreements.
Cross-Border Data Transfers
In accordance with PDPA Section 28, your personal data may be transferred to and processed in countries outside of Thailand:
| Service | Country/Region | Data Transferred | Safeguards |
|---|---|---|---|
| Neon (Database) | United States / European Union | Account data, comments, sessions, IP addresses | SOC 2 compliance; data encrypted at rest and in transit |
| Cloudflare (CDN & Workers) | Global edge network (including US, EU, Asia) | API requests, uploaded avatars, cached content | ISO 27001 certified; Standard Contractual Clauses (SCCs); global data processing addendum |
| Vercel (Hosting) | United States | Page visits, performance data, frontend assets | SOC 2 Type II; data processing addendum; analytics loaded only with consent |
| Sentry (Error Tracking) | United States | Error reports, session replays, performance traces | SOC 2 Type II; data processing addendum; data encrypted in transit and at rest |
| Resend (Email) | United States | Email address, email content (verification, password reset) | Data encrypted in transit; processed only for email delivery |
| GitHub (OAuth) | United States | OAuth tokens, GitHub profile data (name, email, avatar) | SOC 2 certified; data processed only for authentication |
Safeguards
The following measures protect your data when transferred internationally:
- Service provider selection — providers maintain recognized security certifications (SOC 2, ISO 27001) and offer data processing agreements.
- Encryption — all data is transmitted using TLS/HTTPS. Database connections use encrypted channels.
- Data minimization — only the minimum data necessary for each service to fulfill its purpose is shared.
- Contractual protections — service providers are bound by their published data processing agreements.
If you have concerns about the transfer of your data outside Thailand, contact me at contact@fasu.dev.
Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Retained until you delete your account |
| Session data | Sessions expire after 7 days of inactivity |
| Comments | Retained until you delete the comment or your account |
| Comment reports | Retained until reviewed and resolved by an administrator |
| Verification tokens | Retained until used or expired |
| Error tracking data | Retained by Sentry for 90 days |
| Session replays | Retained by Sentry for 90 days |
| Analytics data | Managed by Vercel per their retention policy |
When you delete your account, all associated personal data — sessions, comments, linked accounts, and reports — is permanently deleted via cascading deletion. Error tracking and session replay data stored in Sentry is not linked to user accounts and expires per Sentry's retention schedule.
Data Export
You can export all your personal data from your account settings. The export includes your account information, sessions, comments, and reports in a machine-readable format. Password verification is required for accounts using email and password authentication.
Your Rights Under PDPA
As a data subject under the PDPA, you have the following rights:
- Right of access (Section 30) — request a copy of the personal data held about you.
- Right to data portability (Section 31) — export your personal data in a machine-readable format from your account settings.
- Right to rectification (Section 35) — request correction of inaccurate personal data.
- Right to erasure (Section 33) — request deletion of your personal data. You can delete your account from your account settings.
- Right to restrict processing (Section 34) — request that processing of your data be limited.
- Right to object (Section 32) — object to data processing based on legitimate interest.
- Right to withdraw consent (Section 19) — withdraw your consent at any time. For analytics, decline or clear your consent via the cookie banner. For your account, delete it from your account settings.
To exercise any of these rights, contact me at contact@fasu.dev. I will respond within 30 days.
Children's Privacy
fasu.dev is not directed at children under the age of 20 (as defined by PDPA Section 4). Personal data from children is not knowingly collected. If you believe a child has provided personal data, contact me at contact@fasu.dev and it will be deleted.
Changes to This Policy
This Privacy Policy may be updated from time to time. Previous versions remain accessible via the version history on the legal page.
Contact
If you have questions or want to exercise your data subject rights, contact me at:
- Email: contact@fasu.dev
- Website: https://fasu.dev
- GitHub: @pyyupsk