1. What is the purpose of this Privacy Policy?
Creveling & Creveling Financial Planning Ltd. (“C&C” or “we”) is an investment adviser registered with the U.S. Securities and Exchange Commission (the “SEC”) under the Investment Advisers Act of 1940, as amended, (the “Advisers Act”) and the Securities and Exchange Commission of Thailand. C&C is providing this Notice of Privacy Policy in order to explain how C&C collects, uses or discloses the Personal Data of the existing and prospective clients, family members of the clients, and website users. 

More specifically, we want the Data Subjects to know how C&C protects the Personal Data and properly handles such Personal Data according to the U.S. SEC’s Privacy of Consumer Financial Information rule (commonly known as “Regulation S-P”) and Thailand’s Personal Data Protection Act B.E. 2562 (2019).

2. Definitions
“Personal Data” means any information relating to a natural person, which enables the identification of such person, whether directly or indirectly, but not including the information of the deceased persons in particular. 

“Sensitive Personal Data” means the Personal Data according to Section 26 of the Personal Data Protection Act consisting of data pertaining to racial, ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union information, genetic data, biometric data, or of any of the data which may affect the Data Subject in the same manner as prescribed by the Personal Data Protection Committee. 

“Data Subject” or “Data Subjects” means a natural person whose Personal Data are collected, used or disclosed by C&C. 

“Data Controller” means a natural person or a juristic person having the power and duties to make decisions regarding the collection, use, or disclosure of the Personal Data. 

3. What are the purposes of collection, use or disclosure of Personal Data?
3.1 Lawful basis for collection, use or disclosure of Personal Data

We process the Personal Data as it is necessary for the scope set out in this Privacy Policy as follows:

  1. Where C&C obtains consent from the Data Subject as required by law;
  2. To prevent or suppress a danger to a person’s life, body or health;
  3. Where it is necessary for performing contractual obligations between the Data Subject and C&C or taking steps at the Data Subject’s request prior to entering into a contract;
  4. Where it is necessary for legitimate interests of C&C or any other persons or juristic persons, except where such interests are overridden by fundamental rights of the Data Subject’s Personal Data;
  5. To comply with laws to which C&C is subject.

In some cases, we may need to collect the Data Subject’s Sensitive Personal Data. In the case where we collect the Sensitive Personal Data, we shall always obtain explicit consent from the Data Subjects prior to the time of such collection of Sensitive Personal Data, unless the explicit consent is not required by the Personal Data Protection Act B.E. 2562 (2019). 

3.2 Purposes of collection for use or disclosure of Personal Data 
We collect the Data Subjects’ Personal Data for various purposes depending on the relationship between the Data Subjects and C&C as follows:

3.2.1 For proceeding with and managing inquiries regarding our services to offer information for further communication and coordination. 
3.2.2 For entering into a service agreement including conducting a background check, e.g. KYC (Know Your Customer) and AML (anti-money laundering), etc. as prerequisites for further entering into such service agreement. 
3.2.3 For performance of obligations under the scope of service agreement, for example, providing financial planning and financial advice, etc., including other necessary or relevant undertakings, e.g. issuance of invoices, tax invoices and receipts of payment, etc.
3.2.4 For providing blogs and e-books via C&C’s website to any website users who sign up to download such blogs and e-books. 
3.2.5 For conducting planning, reporting, evaluation and data analysis for C&C’s operations. 
3.2.6 For management of risks, prevention and undertaking of audits, reporting and undertaking of internal administration as required by Thai and US laws, or internal instructions of C&C. 
3.2.7 For undertaking detection and investigation under legal procedures and other regulations, complying with laws, rules, orders, legal requirements and obligations under Thai and US laws of C&C, and reporting or disclosing information to government authorities as required by laws, or upon receiving summons or writs of execution from police officers, government authorities, courts, or other competent authorities. This includes proceeding with the judicial process, establishment, compliance or exercise of the rights to legal claims or defending against the rights to legal claims.

4. What is Personal Data and What Personal Data do we collect about the Data Subjects?
The Personal Data we collect from the Data Subjects in order to provide our services may include (but is not limited to) the following Personal Data: 

  • First and Last names
  • Pseudonym
  • Marital status
  • Names and information of spouses and children
  • Gender
  • Nationality
  • Date of Birth
  • Home address and residency
  • Telephone numbers
  • Email addresses
  • Personal Identification Numbers to include Passport and National IDs
  • Social Security and tax identification numbers
  • Details of insurance policy
  • Investment, Bank and Pension Account numbers
  • Tax returns and other tax details
  • Financial statements
  • Name of employer and position at employer
  • Salary, compensation and benefit packages at employer
  • Investment Positions and transactions
  • Details of various types of household debt
  • Financial Information of a general nature to include account holdings and balances
  • Pension plan
  • Details appearing on documents, e.g. wills, power of attorney, a copy of Passport, tax documents, etc.

We collect Personal Data from the Data Subjects in order to provide financial planning and investment advisory services. We are also required to collect and maintain certain Personal Data under US and Thai Law according to the regulations of various entities to include the US Securities and Exchange Commission, the Thai Securities and Exchange Commission, and the Thai Anti-Money Laundering Organization.

In the case where the Personal Data collected by us as stated above is necessary for C&C’s compliance with applicable laws or performance of contract and if the Data Subjects do not provide us with such necessary Personal Data, C&C may be subject to legal liabilities and/or may not be able to manage or administer the contract or facilitate the needs of the Data Subjects.

5. Sources of Personal Data
We collect Personal Data directly from the Data Subjects via our initial Data Collection Questionnaire and various financial documents and statements provided by the Data Subjects at the outset of the engagement of our services. Personal Data is periodically updated by the Data Subjects throughout the provision of our services. 

We also obtain position and transaction details on investment accounts and pensions from the Data Subjects’ custodians that are linked to our Master Account at the relevant custodian. This is necessary for us to provide investment advisory services. The Data Subjects authorize the sharing of this Personal Data by providing authorization through the Data Subjects’ custodian. The Data Subjects can revoke that authorization at any time by directly contacting the Data Subjects’ custodian.

6. To whom do we disclose the Personal Data of the Data Subjects?
We do not disclose or share the Personal Data of the Data Subjects with any third-party except under the following conditions: 

  • Certain Personal Data is required to be utilized with certain third-party financial planning and portfolio accounting platforms in order to provide financial planning and investment advisory services. Such platforms include, but are not limited to, the financial planning platform, portfolio accounting platform, the secure file sharing and back up service. We attempt to limit the amount of personally identifying information on these platforms to the extent possible and remove data when no longer needed to provide our services.
  • As required by US or Thai law under the regulation of the US and Thai Securities and Exchange Commissions.
  • As authorized in writing by the Data Subjects to share with other advisors such as tax and estate attorneys and/or a designated person(s) to whom the Data Subjects have authorized in writing to receive such information.
  • For purposes of internal administration of C&C, e.g. to share with an outsourced accounting firm or external auditors.
  • For purposes of responding to any disputes with the client and services provided by C&C.

In some cases, C&C may transmit or transfer the Personal Data to foreign countries. In such case, C&C shall ensure that the destination country or international organization that receives such Personal Data shall have an adequate data protection standard, and C&C shall provide appropriate protection and security measures and comply with the Personal Data Protection Act B.E. 2562 (2019) including obtaining consent from the Data Subjects for the transmission or transfer of Personal Data to foreign countries as required by law.

7. How do we safeguard the Personal Data of the Data Subjects?
We restrict access to the Personal Data to those employees, third-party service providers and regulators who require that Personal Data in order for us to carry out the advisory services that the Data Subjects have asked us to provide. We maintain physical, electronic, and procedural safeguards under C&C’s Cybersecurity and Information Protection Policies and Procedures that comply with US federal and Thai standards to prevent unauthorized or unlawful loss, access to, use, alteration, correction or disclosure of Personal Data. The Data Subject may request a copy of those policies and procedures if the Data Subject desires more information.

In the case where we assign third parties to process the Personal Data pursuant to the orders given by or on behalf of us, we shall appropriately supervise such third parties to ensure that they will maintain the security of the Data Subjects’ Personal Data according to the Personal Data Protection Act B.E. 2562 (2019). 

8. How long do we keep the Personal Data of the Data Subjects?
We retain the Data Subjects’ Personal Data for as long as it is considered necessary for the purpose for which it was collected, used or disclosed as set out in this Privacy Policy. The criteria used to determine C&C’s retention period include: we retain the Personal Data for the duration we have an ongoing relationship with the Data Subjects; and we may retain the Personal Data for a longer period as necessary to comply with applicable laws, or to be in accordance with legal prescription, or to establish, comply with or exercise the rights to legal claims or defend against the rights to legal claims, or to comply with, for any other cause, our internal policies and regulations. 

By law we are required to maintain the Personal Data of the Data Subjects for 5 years after the termination of our services to the Data Subjects. Additionally, the Thai Anti-Money Laundering Organization requires us to maintain certain data for 10 years after termination of our services. After the mandated statutory period, we will securely destroy all the Data Subjects’ Personal Data as outlined in our Information Protection Policies and Procedures. 

9. Personal Data of minors, incompetent persons and quasi-incompetent persons
In some cases, we may collect the Personal Data of minors, incompetent persons or quasi-incompetent persons. In the case where the Data Subjects are minors, incompetent persons or quasi-incompetent persons, C&C shall comply with the laws relating to collection, use or disclosure of Personal Data of minors, incompetent persons and quasi-incompetent persons, which include obtaining consent from the legal representative, the curator or the custodian as required by law where C&C has no legitimate grounds other than obtaining consent for the collection, use or disclosure of such information. 

10. What are the rights of Data Subjects?
The Data Subjects have certain rights according to the Personal Data Protection Act B.E. 2562 (2019) including the following rights: 

10.1 Right to withdraw consent 
The Data Subjects have the right to withdraw consent given to C&C for collecting, using or disclosing the Data Subjects’ Personal Data at any time, unless there is a restriction of the withdrawal of consent by law or the contract which gives benefits to the Data Subjects.  
To withdraw consent, the clients will need to notify us in writing under the terms of the Wealth Advisory Services Agreement. 
However, the withdrawal of consent shall not affect the collection, use or disclosure of Personal Data to which the Data Subjects have already legally given consent.

10.2 Right of access 
The Data Subjects have the right to request access to and obtain a copy of the Data Subjects’ Personal Data, which is under C&C’s responsibility, or to request the disclosure of the acquisition of the Personal Data obtained without the Data Subjects’ consent.

10.3 Right to data portability
Where C&C arranges the Data Subjects’ Personal Data to be in the format which is readable or commonly used by ways of automatic tools or equipment, and can be used or disclosed by automated means, the Data Subjects have the right to receive the Data Subjects’ Personal Data from C&C and request C&C to send or transfer the Data Subjects’ Personal Data in such formats to other Data Controllers as provided by the law. 

10.4 Right to object 
The Data Subjects have the right to object to the collection, use or disclosure of the Data Subjects’ Personal Data on grounds stipulated by law. 

10.5 Right to erasure 
The Data Subjects have the right to request C&C to erase, destroy or make the Data Subjects’ Personal Data become unidentifiable data under certain circumstances as provided by law. 

10.6 Right to restriction of use 
The Data Subjects have the right to request C&C to restrict the use of the Data Subjects’ Personal Data under certain circumstances as provided by law. 

10.7 Right to rectification 
The Data Subjects have the right to request C&C to modify the Data Subjects’ Personal Data to be accurate, up-to-date, complete, and not misleading. 

10.8 Right to complaint 
The Data Subjects have the right to file a complaint to an authorized officer appointed by the Personal Data Protection Act B.E. 2562 (2019) when C&C violates or does not comply with such law. 

In the case where the Data Subjects request to exercise the rights according to the provisions of the Personal Data Protection Act B.E. 2562 (2019), upon receiving the request, C&C will proceed with such request within the period as stipulated by law. In this regard, C&C reserves the right to refuse or not process the request under certain circumstances as stipulated by law. 

11. Marketing Activities and Campaigns
We do not give, sell or otherwise use the Data Subjects’ Personal Data with any third-parties for any type of marketing or promotional activities. When the Data Subjects engage our services, we sign the Data Subjects up to C&C’s blog. If the Data Subjects do not wish to receive this, the Data Subjects can unsubscribe or notify us directly and we will remove the Data Subjects from C&C’s blog distribution list. 

12. Changes to our Privacy Policy
We may update this Privacy Policy periodically according to our data protection policies and procedures and in compliance with relevant law. In case of any significant update to this Privacy Policy, we will inform the Data Subjects via appropriate channel(s).   

13. Limitation of Liability
To the maximum extent permitted by applicable law, in no event shall C&C (including its directors, employees, and representatives) be liable for any indirect, incidental, special or consequential damages, or damages for loss of profits/reputational harm, revenue, data, or use, incurred by other party or any third party, whether in an action in contract or tort, even if such party has been advised of the possibility of such damages, including without limitation data breaches, security breaches, or cyberattack. C&C’s (including its directors, employees, and representatives) aggregate liability is limited in all cases and in the aggregate to the amount of fees actually paid by the client in the previous six (6) months preceding the date of the event that is the basis for the first claim. The client acknowledges that data breaches can occur and that no data transmissions over the Internet can be guaranteed to be 100% secure.   

14. If I have questions about this Notice of Privacy Policy, to whom do I direct my questions?
Questions about C&C’s Notice of Privacy Policy, exercise of the Data Subjects’ rights, or any complaints should be directed to Peggy Creveling, our Chief Compliance Officer, who can be reached at: peggy@crevelingandcreveling.com.