- Introduction
- Data administration
- GDPR/CCPA/PDPA
- The administrator of personal data
- Website Data Collection
- Chrome Extension Data Collection
- Webapp Data/Extension X Collection
- Data Collection Purposes
- Cookies and profiling
- Period of processing personal data
- Data recipients
- The rights of access to your personal data.
Introduction
This Privacy Policy was created to explain the processing of personal data obtained through the website https://www.gmbcrush.com/ (hereinafter the Website).
We point out that we do due diligence to make your personal data be processed in accordance with the requirements of applicable law, including in particular in accordance with the Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016.Â
On the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General Data Protection Regulation) (hereinafter the “GDPR”).
Bearing in mind the above, we inform you about the following:
Data administration
The processing of personal data is based on the lawfulness, reliability, and transparency of information. The data is collected by the Data Administrator for a specific, explicit, and legitimate purpose, and the scope of data is limited to the data necessary to achieve this purpose.
The Data Administrator makes the necessary efforts to ensure the greatest possible security and protection of personal data processed by him. Providing data is voluntary. Each of you has the right to inspect and check your personal data, update it, and to submit a request to delete your data.
Personal data have been collected by us primarily directly from you or from entities cooperating with us on the basis of your consent or to perform the contract/services in the cases referred to in paragraph 3 point. 6 below.
GDPR/CCPA/PDPA

PDPA Data Protection Compliance
Privacy Officer
We are committed to protecting your privacy. Based on the information that we store, please feel free to email us at privacy@gmbcrushcom with any questions or concerns about our practices in this area. Our privacy policy is built on the principles of equality and inclusion, meaning we never store any data that could potentially identify an individual. Our privacy policy is always up-to-date. We make sure that the data we collect from you and other sources never includes details that could be connected to any user like preferences of any type, religion, sexual preferences, politics etc.
Consent Form
Our website’s contact form, marketing forms, and cookie notice provide a clear description of how we use your personal data when registering for an account. We believe in providing our users with all of the information they need, so we make sure to include a consent box to each form, downloadable item forms, and marketing, and newsletter forms. Our website also includes an easy-to-use tick button at the registration/purchasing time that lets people accept terms and conditions before completing the checkout process.
Data Flow
Data Flow on slide 4, our team is trained and already experienced with data managementÂ
for the ongoing project and we can assure prompt action in any event
Data Flow Personnel Management
We have a team of trained professionals who can assure prompt actions in any event.
Establish a personal data protection policy
We take security seriously and we’ll never let anyone have access to your data unless they need it for legitimate purposes. You can read more about our policies on this page, all users are informed before going through any transaction or personal information.
Response plan in the event of a violation
If a data leakage or violation occurs, we will report it to the committee within 72 hours of becoming aware of this infringement. We have prepared an email template for this specific scenario, that all necessary information is included in one place and can be sent within the required period of time.
Facilitate the rights of personal data subjects
We give our users full control of their data and provide them with a way to unsubscribe from unwanted emails as well.
Explore and improve IT Security/Prevent unauthorized access
Both our Website and Web App are fully secured on web standards, with strict internal password management.
Train personnel to understand PDPA
We commit to training personnel to understand PDPA, and create data protection values within the organization such as document storage and filing cabinet locks. Turning off the screen after getting up from a desk, etc., which helps prevent Human Error that may result in abuse. Privacy and deontological method of growth are at the base of our company’s standards.
DPIA Form
We’ve prepared a Data Protection Risk Impact Assessment (DPIA) form to meet personal data protection standards if any part is found to be at high risk, and any step into our data management workflow needs improvements.
The administrator of personal data
The Personal Data Administrator is: SEO Heroes Bangkok Co., Ltd
With respect to your rights as personal data subjects (i.e. people to whom the data relates) and with respect to the mandatory rules of law, including especially the Regulation of the European Parliament and the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing directive 95/46/WE (General Data Protection Regulation), hereinafter referred to as GDPR, the Thailand personal data protection Act (hereinafter referred to as the Act) and other relevant personal data protection laws, we commit to maintaining the safety and confidentiality of all personal data that you share with us.
All our employees have been properly trained in personal data protection, and our company, as the Personal Data Administrator, has introduced new security measures, as well as technical and organizational means, in order to ensure the highest possible level of personal data protection.
We have introduced appropriate procedures and policies to process personal data in accordance with GDPR, so that personal data processing occurs lawfully and reliably and you, as the persons to whom the data relates, may execute all your relevant rights. Additionally, if needed, we cooperate with the regulatory body within the territory of Thailand, i.e. the President of the Data Protection Authority (hereinafter referred to as PDPA).
Any questions, requests, or complaints relating to personal data processing in our company (the Personal Data Administrator), hereinafter referred to as Applications, should be sent via e-mail to the following e-mail address: privacy@gmbcrush.com
The Applications should clearly contain:
• the data of the person or persons to whom the Application relates,
• the event that the Application relates to,
• the filed requests and their legal basis,
• the desired means of solving the issue.
Type of personal data processed and purposes of personal data processing.
Website Data Collection
Our Website collects the following personal data:
E-mail address – we collect your email address in order to create an Account for you,
In connection with the use of the Website, additional data may be processed, in particular: IP address, domain name, browser type, access time or type of operating system, as well as navigation data, including information about links and references in which you decide to click and other actions taken by you in our Website.
In connection with the use of the Website, your personal data may be collected by:
• send an inquiry using the contact form.
• communications and marketing messages using e-mail messages as well as Messenger (Intercom) type messengers.
In the case of Entrepreneurs, the above scope of data may be extended to the entrepreneur’s company name, company number, and other identification numbers of the entrepreneur.
Providing the data specified above is voluntary but necessary in order to create an Account or use the paid version of it.
Chrome Extension Data Collection
Our GMB Crush Chrome Extension collects the following personal data:
E-mail address, Credentials – we collect your email address and your credentials in order to create an Account for you.
In connection with the use of the GMB Crush Chrome Extension, additional data may be processed, in particular: IP address, browser type, access time or type of operating system, as well as navigation data, including information about links and references in which you decide to click and other actions taken by you in our Website.
In connection with the use of the Website, your personal data may be collected by:
• sending an inquiry using the contact form.
• communications and marketing messages using e-mail messages as well as Messenger (Intercom) type messengers.
Providing the data specified above is voluntary but necessary in order to create an Account.
Webapp Data/Extension X Collection
Our GMB Crush WebApp collects the following data in order to create an Account for you:
- E-mail address
- Name & Surname
- Password
- Payment Method ( payments are processed via third parties )
- Billing Cycle
- Location
In connection with the use of the GMB Crush Webapp, additional data may be processed, in particular: IP address, browser type, access time or type of operating system, as well as navigation data, including information about links and references in which you decide to click and other actions taken by you in our Website.
In connection with the use of the Website, your personal data may be collected by:
• sending an inquiry using the contact form.
• communications and marketing messages using e-mail messages as well as Messenger (Intercom) type messengers.
Providing the data specified above is voluntary but necessary in order to create an Account.
Data Collection Purposes
Your personal data are processed for the following purposes:
The correct performance of the contract or taking action at your request before the conclusion of the contract, in particular the answers to the questions asked, e.g. via the contact form (Article 6 paragraph 1 point b of the GDPR).
Fulfill the legal obligation incumbent on the Administrator (see: Art. 6, paragraph. 1 point RODO c)
Possible determination, investigation or defense against claims, as legitimate interests of the data controller (see Article 6 (1) (f) of the GDPR).
The correct use of the contact/login form service posted on the Website to perform the contract provided electronically (Article 6 (1) (b) GDPR – the necessity to perform the contract for the provision of the contact form service).
Subscribing to and receiving information about services and their functionalities available on the Website in order to perform a contract the subject of which is an electronic service.
Legal basis – consent of the data subject to perform the contract (art.6 par.1 lit.a RODO, consent of the data subject to perform the contract; as well as art.10 of the Act of 18.07.2002 – on the provision of electronic services and art. 172 Act of 16.07.2004 – Telecommunications Law);
The Administrator may also collect navigation data from users of the Website, including information about links and references in which they decide to click or other activities are undertaken on the Website consisting in facilitating the use of services provided electronically and improving the functionality of these services (art.6 par.1 lit.f RODO, legitimate interest).
Facilitating the use of services provided electronically and improving the functionality of these services, i.e. on the basis of the Administrator’s legitimate interest (Article 6 (1) (f) of the GDPR).
Your personal data is processed by our company (the Personal Data Administrator) in order to execute services provided to you (i.e. persons to whom the data relates) and offered by the Website.
As per the rule of minimization, we only process the categories of personal data that are considered necessary to achieve the purposes specified in the previous sentence.
The source of the personal data processed by the Personal Data Administrator is the persons to whom the data relates.
When filling out the login form on the Website, the user provides:
• e-mail address,
• confidential password just for the acknowledgment of the User,
• relevant consent for data processing.
Cookies and profiling
Our Website utilizes the Cookies technology to match its functionality to your individual needs.
You may therefore consent to have your entered data and information saved, so that they may be later on used on subsequent visits to the Website without having to enter them again.
Owners of other Websites will not have access to this data and information.
If, however, you do not agree to personalization of the Website, you may disable the Cookies in your Internet browsers.
Anyone using our Website may choose whether and how they wish to use our services and share their data and information within a certain scope, as per this Privacy Policy.
The personal data is not profiled by the Personal Data Administrator.
Period of processing personal data
Your data will be processed for the period necessary to perform the contract and services and may be processed for the period necessary to implement the legitimate interests of the Data Administrator.
In a situation where the basis for the processing of your personal data is consent, then these data are processed by the Administrator until the consent is revoked, and after revoking the consent for a period of time corresponding to the period of limitation of claims that may be raised by the Administrator and which may be raised against him, and also to be able to fulfill statutory legal obligation if we are obliged to perform certain legal obligations (inter alia Tax obligations).
We shall process the personal data only for however long it is necessary to achieve said purposes. The personal data may be processed for a longer period of time only when the Personal Data Administrator is required by the relevant mandatory rules of law to do so, or when the provided service is continuous.
We shall process the personal data only for however long it is necessary to achieve said purposes.
The personal data may be processed for a longer period of time only when the Personal Data Administrator is required by the relevant mandatory rules of law to do so, or when the provided service is continuous.
Data recipients
Your personal data may be transferred to entities cooperating with GMB Crush Ltd, in particular entities providing marketing/SEO services and entities providing to GMB Crush services in the field of PR, to accounting and IT companies serving us, as well as to all institutions defined by applicable law, in particular to Tax Offices and, if necessary, to entities providing archiving services. In justified cases, your data may be sent outside the EU.Â
In this case, GMB Crush Ltd each time will ensure the confidentiality of the data provided and that only the data necessary for the proper performance of the contract and based on appropriate safeguards for personal data required by applicable law are provided.
Personal data may be shared with entities that process the data on our request, i.e. on the request of the Personal Data Administrator. In such cases, as the Personal Data Administrator, we conclude a contract for personal data processing with such an entity.
The processing entity processes the shared personal data solely for purposes specified in the aforementioned contract.
Without sharing personal data with such entities we would not be able to conduct our business activity on our Website. As the Personal Data Administrator, we share the personal data for processing with entities:
• providing hosting services for the Website
• providing other services to us (the Personal Data Administrator), which are necessary for the proper functioning of the Website
According to the GDPR, each person whose personal data is being processed by the personal data administrator has the right to:
Be informed of the processing of their personal data, as per art. 12 of the GDPR – the Administrator is obliged to share information specified in the GDPR (incl. relating to data itself, contact details, purposes and legal basis for personal data processing, personal data recipients or categories of recipients, if any exist, or the period for which the data shall be processed or criteria, based on which such a period is set) with the person to whom the data relates;
This obligation should be executed immediately at the moment when the data is first acquired, and if the data is not acquired from the person to whom it relates, but from another source, then it should be executed within a reasonable time frame, depending on the circumstances; the Administrator may choose to not provide this information to the person to whom the data relates if this person has already been informed.
Have access to their personal data, as per art. 15 of the GDPR – when providing us with your personal data, you have the right to access and review it; it does not mean, however, that you have access to all documents that contain your data, seeing as such documents may contain confidential information; you do have the right to be informed as to which of your data is being processed and how, as well as the right to receive copies of your personal data, with the first copy being issued free of charge, and for each subsequent one, according to the GDPR, we may charge a relevant administrative fee relating to the making of the copy.
Correct or update the personal data, as per art. 16 of the GDPR – if your personal data has changed, please inform us, as the Personal Data Administrator, of this fact, so that the personal data we are holding corresponds to the actual information and is up to date; also, in situations where the personal data has not changed, but for some reason, the data we hold is incorrect or has been incorrectly saved (e.g. due to an editorial mistake), please inform us of this, so that we may correct the relevant data points.
Delete the data (the right to be forgotten), as per art. 17 of the GDPR – in other words, you have the right to demand that we “delete” the data held by us, as the Personal Data Administrator, and the right to request that we, as the Personal Data Administrator, inform other administrators we shared your data with, of your wish to have it deleted. You may request the deletion of your personal data first and foremost when:
• the purposes for which the personal data had been shared have been fulfilled, e.g. we fully executed the sale contract we had concluded,
• the basis for the processing of your personal data was an express consent that was subsequently withdrawn and there is no other legal basis for us to further process your personal data,
• you filed a rejection of the processing of your personal data by us, as per art. 21 of the GDPR, and believe that we have no underlying legal basis allowing us to further process your personal data,
• your personal data was being processed illegally, i.e. for purposes that were against the law or without any legal basis for its processing – please remember that in such cases you will need to provide a basis for such a request,
• the need to delete your personal data results from the mandatory rules of law,
• the personal data relates to a minor and was collected as part of an information society service,
limiting the processing, as per art. 18 of the GDPR – you may request from our company that we limit the scope of the processing of your personal data (meaning that until the matter is clarified, we would limit ourselves to merely storing the data), if:
• you question the accuracy of your personal data, or
• you believe that we are processing your personal data without a legal basis, but simultaneously you do not want us to delete the personal data (i.e. you are not realizing the aforementioned right), or
• you filed a Rejection, as per the letter g) of this point, or
• your personal data is needed to ascertain or defend against claims, e.g. before a court of law,
transfer the data, as per art. 20 of the GDPR – you have the right to receive your data in a format allowing you to review it on your computer and the right to transfer the data in such format to another administrator; you have this right only when the basis for the processing of your personal data was an express consent or the data was processed automatically.
File a rejection to the processing of the personal data, as per art. 21 of the GDPR – you have the right to file a rejection if you do not agree to us processing your personal data that we had processed thus far for specific purposes, in accordance with the mandatory rules of law, refuse profiling, as per art. 22, relating to art. 4.4 of the GDPR – in our Website you shall not be subject to automated decision-making or profiling, as per the GDPR, unless you provide us with express consent to do so; additionally, you shall always be informed of any instances of profiling, should they occur, file a complaint to a regulatory body (i.e. to the President of the Data Protection Authority), as per art. 77 of the GDPR – If you believe we are processing your personal data illegally or in any way that violates your rights resulting from the mandatory rules of personal data protection laws or the supervisory authority of another Member State of the European Union with jurisdiction over the place of habitual residence or your job or the person to the place of the alleged infringement.
In the event of a Website user with the right under the abovementioned rights, the Data Administrator shall comply with the request or refuse to comply with it immediately, but no later than within one month after receiving it. However, it may happen that due to the complicated nature of the request or the number of requests, the Data Administrator will not be able to fulfill the request within the month referred to in the previous sentence, then it will fulfill it within the next two months, at the same time informing the user about the intended extension of the deadline and its reasons.
At any time, the user of a Website may submit to the Administrator any complaints, queries, and requests regarding the processing of his personal data and the exercise of his rights.
The rights of access to your personal data.
At any time you have the right to object to the processing of your personal data processed for the purposes and on the basis set out in this Privacy Policy records.
Consent and information about the possibility of withdrawal of consent.
You have the right to withdraw your consent to the processing of your personal data at any time, but the withdrawal of consent does not affect the lawfulness of the processing based on your prior consent before its withdrawal.
Final Provisions
Should you wish to exercise any of your abovementioned rights, please refer to the relevant tabs on our Website that allow you to delete your account and data collected by our Website or please send an email to the following address: privacy@gmbcrush.com or contact the Personal Data Administrator.
Each ascertained instance of a security breach is documented, and should any of the events, as described by the GDPR or the Act, occur, the persons to whom the data relates, as well as the PDPA, if applicable, shall be informed of it.
All words that are capitalized have meanings defined in the Regulations of our Website unless stated otherwise in this Privacy Policy.
All matters not regulated by this Privacy Policy shall be regulated by the relevant mandatory rules of law. Should any of the provisions of this Privacy Policy not comply with the above-mentioned rules of law, the rules of law shall take precedence.
By using https://www.gmbcrush.com/, you agree to these terms of the privacy policy. Please be advised that cookie settings can be changed at any time using your browser settings.
The Privacy Policy may change, and the Data Administrator will inform you 7 (seven) days in advance of any change.
Questions regarding the Privacy Policy should be directed to: privacy@gmbcrush.com
Date of the last modification: 31 January 2023