Privacy Policy

HOLO is operated by HOLO Collectibles Co., Ltd., a company incorporated in Thailand. For the purposes of the PDPA, HOLO is the data controller for the personal data described in this Policy.

Data Protection Officer contact: dpo@hologacha.com

Account data: email, username, password hash, display name, optional avatar, language preference, referral code.

KYC and seller data (collected only when you complete identity verification): legal name; residential address; mobile phone number; Thai national ID or passport number; ID document and selfie images; bank name, account holder name, account number, and a photograph of your bank book; verification status and reviewer notes.

Shipping data: recipient name, phone number, and shipping address.

Transaction and financial data: order history, marketplace listings and offers, escrow events, withdrawal requests, Seller Balance ledger entries, PromptPay payment-slip images, transaction reference numbers returned by the slip verification API (payer name, payer bank, paid timestamp).

Activity data: cards owned, pack openings, opening results, wishlist, achievements unlocked, daily-claim and login streak counters, notifications you receive.

Device and technical data: IP address, browser user agent, approximate location derived from IP, session cookies, language cookie, and aggregate analytics.

Customer support data: messages you send to us, dispute submissions, content you upload for review.

To create and operate your account, authenticate logins, and provide the Platform's features.

To process Pack purchases, HOLO Singles purchases, marketplace transactions, escrows, Seller Balance movements, withdrawals, and shipments.

To verify your identity for KYC and to satisfy our anti-money-laundering, anti-fraud, and consumer-protection obligations.

To verify PromptPay payment slips against the third-party Thai Slip Verification API.

To detect, prevent, and investigate fraud, abuse, and security incidents (including pattern analysis across accounts).

To send you transactional notifications (order paid, shipment shipped, dispute opened, withdrawal status, achievement unlocked, etc.) by in-app notice or email.

To send service announcements and, with your consent where required, marketing communications. You may opt out of marketing at any time without affecting transactional notices.

To respond to your support requests and to investigate disputes.

To comply with legal obligations and lawful requests from authorities.

Under the PDPA we rely on the following lawful bases:

• Contract performance — to provide the services you have requested and to administer your account.
• Legal obligation — for KYC, anti-money-laundering, tax, and consumer-protection compliance.
• Legitimate interest — for fraud prevention, network security, service improvement, and aggregate analytics, balanced against your rights.
• Consent — where required (e.g. optional marketing emails). Consent can be withdrawn at any time without affecting the lawfulness of processing before withdrawal.

We do not sell your personal data. We share data only as needed to operate the Platform or to comply with the law.

• Other users: your username, public profile, marketplace listings, and aggregated pull activity (where you opt in) are visible to other users. Your KYC data, contact details, and balance are not visible to other users.
• Buyers and sellers in a transaction: when a transaction completes, the parties involved see each other's username, the recipient name and shipping address for fulfilment, and dispute messages exchanged during the transaction.
• Payment processors and slip verification: PromptPay payment-slip images and the data extracted from them (transaction reference, payer name, payer bank) are transmitted to a third-party Slip Verification API for the limited purpose of verifying that payment was made.
• Shipping carriers: recipient name, phone number, and shipping address are shared with the chosen carrier (Kerry Express, Thailand Post, J&T, etc.) for delivery.
• Service providers: cloud hosting, database, email delivery, and SMS providers acting on our instructions under data-processing agreements.
• Legal disclosures: we may disclose data when required by law, court order, lawful regulatory request, or to protect the rights, property, or safety of HOLO, our users, or the public.
• Business transfers: in the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity, subject to commitments to maintain protections substantially equivalent to this Policy.

We primarily host and process data in Thailand or in regions providing adequate protection comparable to the PDPA. Where we transfer data internationally (for example, to cloud service providers outside Thailand), we ensure appropriate safeguards are in place such as standard contractual clauses, the recipient's certification under approved schemes, or your explicit consent where required.

Account data: while your account is active and for a reasonable period afterwards (typically twenty-four months) to handle disputes and chargebacks, unless a longer retention is legally required.

KYC and AML records: for the period required by applicable Thai anti-money-laundering law (currently a minimum of five years from the end of the customer relationship).

Transaction records (orders, escrow, ledger entries, withdrawals): for at least seven years from the date of the transaction, to satisfy tax and accounting obligations.

Payment slips: for at least five years from upload.

Marketing preferences: until you withdraw consent or your account is closed.

Customer support correspondence: typically for two years after resolution.

After applicable retention periods, we delete or anonymise data unless we are legally required to retain it.

Subject to the conditions and exceptions in the PDPA, you have the right to:

• Access — request a copy of the personal data we hold about you.
• Rectification — request correction of inaccurate or incomplete data.
• Erasure — request deletion of your data, subject to our legal retention obligations.
• Restriction — request that processing of your data be limited in certain circumstances.
• Portability — request a copy of certain data in a structured, commonly used, machine-readable format.
• Objection — object to processing based on legitimate interest, including for direct marketing.
• Withdraw consent — for processing based on consent, at any time.
• Complain — file a complaint with the Personal Data Protection Committee (PDPC) of Thailand.

To exercise any of these rights, contact dpo@hologacha.com. We will respond within thirty (30) days, extendable as permitted by the PDPA.

We protect your data with administrative, technical, and physical safeguards appropriate to the risk, including encryption in transit (HTTPS) for all Platform traffic, password hashing with bcrypt, role-based access controls, server-side rate limiting on sensitive endpoints, audit logging of administrative actions and Seller Balance movements, and physical access controls at our Bangkok vault.

No method of transmission or storage is perfectly secure. If we become aware of a personal data breach that creates a high risk to your rights, we will notify you and the PDPC in accordance with the PDPA.

We use cookies and similar technologies to operate the Platform (e.g. session cookies that keep you signed in, a language cookie that remembers your locale, a Seller Balance cache cookie used by the checkout flow) and to measure aggregate usage. You can control cookies through your browser settings; disabling essential cookies may break Platform functionality.

The Platform is not directed to users under the age of 18. We do not knowingly collect personal data from children. If we learn that we have collected such data, we will delete it.

The Platform may link to third-party websites or services we do not control. This Policy does not apply to those sites. We encourage you to review their privacy practices.

We may update this Policy from time to time. Material changes will be notified via in-app notice or email at least seven (7) days before they take effect. The "last updated" date at the top of this Policy reflects the most recent version.

Privacy questions or requests to exercise your rights: dpo@hologacha.com

General support: support@hologacha.com

Postal address: HOLO Collectibles Co., Ltd., Bangkok, Thailand.