LiKQ Store
Privacy Policy
Published on: March 27, 2026
Effective Date: March 23, 2026
Last Updated: March 24, 2026
LiKQ Music ("we", "us", or "our") operates the LiKQ Store merchandise platform accessible at likqmusic.com/merch. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you browse, purchase products, or otherwise interact with our store.
By using LiKQ Store, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use our services.
1. Information We Collect
1.1 Account Information
When you create an account or sign in (via email/password or Google OAuth), we collect:
- Email address
- Display name
- Profile picture (if signing in via Google)
Authentication is handled by our identity provider (Supabase). We do not store your password directly.
1.2 Order & Purchase Information
When you place an order, we collect:
- Shipping address (for Physical Products) — full name, address line 1 & 2, city, province/state, postal code, country, phone number
- Billing address — if different from shipping address
- Order details — products ordered (physical and/or digital), quantities, sizes/variants, order total, applied discounts or promotions
- Communication preferences — language preference (EN/TH), email notification opt-in
1.3 Payment Information
Payments are processed by our third-party payment provider, Omise (Opn Payments). When you make a purchase:
- Your payment card details (card number, expiry date, CVV) are entered directly into Omise's secure payment form. We never receive, see, or store your full card details on our servers.
- We receive from Omise only: a payment token, transaction status, last 4 digits of the card, card brand, and authorization code.
- For PromptPay payments, equivalent tokenized references are stored.
1.4 Saved Addresses
You may choose to save one or more shipping addresses to your account for future use. Saved addresses are stored in our database and associated with your account. You can view, edit, or delete saved addresses at any time from your account settings.
1.5 Information Collected Automatically
- Session Cookies: Essential cookies to maintain your authentication session and shopping cart. These are strictly necessary and cannot be disabled.
- Locale Preference: Your language selection (EN/TH) is stored in the URL path and session.
- Server Logs: Our servers automatically record IP address, browser user-agent, pages visited, and referrer URL. Logs are used solely for debugging and security monitoring.
1.6 Information We Do NOT Collect
- We do not use analytics or advertising cookies (no Google Analytics, no third-party trackers, no retargeting pixels).
- We do not collect behavioral data or build advertising profiles.
- We do not store full payment card numbers on our servers.
2. How We Use Your Information
We do not sell, rent, or share your personal information with third parties for marketing purposes.
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Create and manage your account | Email, name, OAuth profile | Contract performance |
| Process and fulfill your orders | Order details, shipping address, payment token | Contract performance |
| Deliver Digital Products via email | Email address, order details, download links | Contract performance |
| Send order confirmations and shipping updates | Email, order details | Contract performance |
| Save your addresses for faster checkout | Shipping addresses | Consent (opt-in) |
| Process payments and refunds | Payment token, transaction details | Contract performance |
| Display content in your preferred language | Locale preference | Legitimate interest |
| Detect and prevent fraud | IP address, payment data, order patterns | Legitimate interest |
| Respond to support requests | Email, order history, account info | Legitimate interest |
| Comply with tax, accounting, and legal obligations | Order records, transaction data | Legal obligation |
3. Third-Party Services
We share data with the following third parties only as necessary to operate our store:
We do not share your data with advertising networks or data brokers.
Each third-party service operates under its own privacy policy. We require all third-party partners to handle your data in compliance with applicable data protection laws.
| Service | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase | Authentication & database | Email, hashed password, OAuth profile, account data | Singapore |
| Omise (Opn Payments) | Payment processing | Card details (direct to Omise), payment tokens, transaction amounts | Thailand |
| Google Cloud Run | Application hosting | IP address, request headers (server logs) | Bangkok, Thailand (asia-southeast3) |
| Google OAuth (optional) | Social sign-in | Email, display name, profile picture | Global |
| Shipping carriers | Order delivery (Physical Products) | Recipient name, shipping address, phone number, tracking number | Thailand |
| Email service | Transactional emails (order confirmation, shipping updates, digital delivery) | Email address, order details, download links | Varies |
4. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | As long as your account is active; deleted within 30 days of account deletion request |
| Order history & transaction records | 7 years (required for tax and accounting compliance) |
| Shipping addresses (saved) | Until you delete them or close your account |
| Payment tokens | As long as needed for refund eligibility period, then deleted |
| Digital Product download links | 30 days from delivery, then expired |
| Session cookies | Until sign-out or session timeout |
| Server logs | 30 days |
5. Data Security
We implement appropriate technical and organizational measures to protect your personal information:
- Encryption in transit: All data transmitted between your browser and our servers uses HTTPS/TLS encryption.
- Payment security: Card data is handled exclusively by Omise, which is PCI DSS Level 1 certified. We never process or store raw card numbers.
- Authentication: Tokens are validated on every API request via middleware. Admin access requires role-based permissions verified through JWT claims.
- Database security: Hosted on Supabase with row-level security (RLS) policies ensuring users can only access their own data.
- Access control: Employee access to personal data is restricted to authorized personnel on a need-to-know basis.
- Data residency: Application hosting on Google Cloud Run Bangkok (asia-southeast3) ensures primary data processing stays within Thailand.
6. Your Rights
Under the Thailand Personal Data Protection Act (PDPA) and other applicable laws, you have the following rights:
How to exercise your rights:
- Self-service: Delete saved addresses and update profile info from your account settings.
- Contact us: Email [email protected] for access requests, data export, or account deletion.
- Response time: We will respond within 30 days of receiving your request.
Note: Deleting your account does not erase order records that we are legally required to retain for tax/accounting purposes. Such records will be anonymized or deleted after the retention period expires.
| Right | Description |
|---|---|
| Access | Request a copy of the personal data we hold about you |
| Correction | Request correction of inaccurate or incomplete personal data |
| Deletion | Request deletion of your personal data, subject to legal retention requirements |
| Portability | Request your data in a structured, machine-readable format |
| Restriction | Request restriction of processing in certain circumstances |
| Objection | Object to processing based on legitimate interest |
| Withdraw consent | Withdraw consent at any time where processing is based on consent |
7. Cookies
We do not use any third-party cookies, advertising cookies, or tracking cookies.
| Cookie Type | Purpose | Duration | Required? |
|---|---|---|---|
| Session cookie | Authentication & cart state | Session / configurable timeout | Yes (essential) |
| Locale preference | Remember EN/TH selection | Stored in URL path | Yes (functional) |
8. International Data Transfers
Our services are primarily hosted in Thailand:
- Thailand (Bangkok) — Google Cloud Run application hosting (asia-southeast3), Omise payment processing
- Singapore — Supabase (database & authentication)
Most of your data is processed and stored within Thailand. For Supabase services hosted in Singapore, we ensure that transfers comply with applicable data protection laws including the PDPA.
If you access our store from outside these regions, your data will be transferred to and processed in the locations above. By using our service, you consent to this transfer.
9. Children's Privacy
LiKQ Store is not directed at children under the age of 13 (or the applicable age of consent in your jurisdiction). We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us immediately and we will delete it.
10. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices, services, or legal requirements. When we make material changes:
- We will update the "Last Updated" date at the top of this page.
- For significant changes, we may notify you via email or a prominent notice on our website.
Continued use of LiKQ Store after changes constitutes acceptance of the updated policy. We encourage you to review this policy periodically.
11. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices:
- Email: [email protected]
- Website: www.likqmusic.com
For complaints regarding data handling, you may also contact the Office of the Personal Data Protection Committee (PDPC) of Thailand.
This policy applies to the LiKQ Store storefront at /merch, the store-service API, and all related customer-facing services. Administrative tools (inventory management) are governed by internal data handling procedures.