MACLLM AI API — Effective Date: March 18, 2026
MACLLM collects only the minimum data necessary to provide and improve our Services. We categorize collected data as follows:
| Data Type | Details | Purpose |
|---|---|---|
| Account Information | Email address, display name, password (hashed) | Authentication, account management |
| Billing Information | Payment method (last 4 digits only), billing history | Payment processing, invoicing |
| Usage Data | API call counts, endpoints used, response times, error rates | Rate limiting, billing, service improvement |
| Query Content | API request/response payloads (temporary processing only) | Service delivery, temporary troubleshooting |
| Technical Data | IP address, User-Agent, request timestamps | Security, abuse prevention, debugging |
What we do NOT collect: We do not collect browsing history, device fingerprints, social media profiles, or any data beyond what is listed above.
We use your data exclusively for the following purposes:
We do NOT use your data for: Advertising, profiling, selling to third parties, or training other AI models (unless you explicitly opt in).
All data is encrypted at rest (AES-256) and in transit (TLS 1.3). Passwords and API keys are stored using industry-standard one-way hashing algorithms (bcrypt/argon2).
Your data is stored on servers located in:
We do not transfer your personal data outside of the above infrastructure without your explicit consent.
| Data Type | Retention Period |
|---|---|
| Account Information | Duration of account + 90 days after deletion |
| Billing Records | 5 years (Thai tax law requirement) |
| Usage Logs | 90 days (rolling) |
| Query Content | Not stored permanently (see Section 05) |
| Technical/Security Logs | 30 days |
We do NOT sell your personal data. Ever.
We may share limited data only with the following parties, and only as necessary:
| Third Party | Data Shared | Purpose |
|---|---|---|
| Omise | Payment card token (not full card number) | Credit/debit card payment processing |
| GBPrimePay | Payment reference, amount | Bank transfer & PromptPay processing |
| Cloudflare | IP address, request metadata | CDN, DDoS protection, SSL termination |
We may also disclose data if required by Thai law, court order, or governmental regulation. We will notify you of such requests unless legally prohibited from doing so.
Your API queries are private.
API request and response content (queries and answers) are processed in memory for the duration of the request and are not stored permanently in any database or log file. Temporary processing buffers are cleared within minutes of request completion.
Your queries are not used to train, fine-tune, or improve MACLLM's AI models or any third-party models. The BrainV3 engine learns from its own curated knowledge base, not from user queries.
If you choose to provide feedback on API responses (e.g., thumbs up/down, corrections), that feedback may be used to improve service quality. This is entirely voluntary and clearly marked when available.
Query content may be temporarily retained (up to 72 hours) in the following limited circumstances:
API keys are stored using one-way cryptographic hashing (SHA-256 with unique salt). The plain-text key is shown only once at the time of creation. MACLLM staff cannot view, recover, or reconstruct your API key.
For your convenience, we display a key prefix (first 8 characters) and creation date in your dashboard. This allows you to identify and manage multiple keys without exposing the full key.
We recommend rotating your API keys every 90 days. You can revoke any key instantly from your dashboard, and the revocation takes effect immediately across all API endpoints.
If we detect that your API key may have been compromised (e.g., anomalous usage patterns), we will:
MACLLM uses only essential cookies. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| session_id | Essential | Maintain your login session | Session (cleared on browser close) |
| csrf_token | Essential | Prevent cross-site request forgery | Session |
| theme_pref | Functional | Remember your display preferences | 1 year |
No consent banner is required for essential cookies under PDPA. You can clear cookies at any time through your browser settings.
Under the Thai Personal Data Protection Act (PDPA) and our commitment to data privacy, you have the following rights:
| Right | Description | How to Exercise |
|---|---|---|
| Access | Request a copy of all personal data we hold about you | Email DPO or use Dashboard > Privacy |
| Correction | Request correction of inaccurate or incomplete data | Dashboard > Profile, or email DPO |
| Deletion | Request deletion of your personal data and account | Dashboard > Account > Delete, or email DPO |
| Portability | Receive your data in a machine-readable format (JSON) | Dashboard > Privacy > Export, or email DPO |
| Objection | Object to specific data processing activities | Email DPO |
| Withdraw Consent | Withdraw previously given consent at any time | Dashboard > Privacy, or email DPO |
We will respond to all data rights requests within 30 days. In complex cases, we may extend this period by an additional 30 days with notification. All requests are processed free of charge.
MACLLM is fully committed to compliance with the Thai Personal Data Protection Act B.E. 2562 (2019) (PDPA), which came into full effect on June 1, 2022.
Data Controller: MACLLM, operated by Surasak Khankasikam, Bangkok, Thailand
We process your personal data under the following legal bases:
If personal data needs to be transferred outside Thailand (e.g., to Singapore for backup), we ensure the receiving jurisdiction has adequate data protection standards, or we implement appropriate safeguards as required by PDPA Section 28.
MACLLM Services are not directed at individuals under 18 years of age. We do not knowingly collect data from minors. If we discover that we have collected data from a minor without parental consent, we will delete it promptly.
We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. When we make material changes:
Continued use of the Services after the updated policy takes effect constitutes your acknowledgment of the changes. If you disagree with the updated policy, you may delete your account and discontinue use of the Services.
For any privacy-related questions, concerns, or data rights requests, please contact our Data Protection Officer (DPO):
If you are unsatisfied with our response, you have the right to lodge a complaint with the Office of the Personal Data Protection Committee (PDPC) of Thailand.