Privacy policy

Last updated: 16 February 2026

Oh La La Bakery (“we”, “us”) operates this store and website (the “Services”). This Privacy Notice explains how we collect, use, disclose, store, and protect your personal data when you visit, use, or make a purchase through the Services or contact us.

This Notice applies to customers in Thailand and is intended to meet Thailand’s Personal Data Protection Act (PDPA) requirements.

1) Personal data we collect

Depending on how you interact with the Services, we may collect:

  • Contact and delivery details: name, phone number, email address, shipping address, billing address
  • Business details (B2B): company name, tax ID/branch number (if needed for invoices), business address, contact person name and position
  • Order and account details: orders, items purchased, returns/exchanges, preferences, messages you send to us
  • Payment-related details: payment status and transaction references (we do not store full card details)
  • Technical and usage data: IP address, device/browser information, pages viewed, and usage data collected through cookies and similar technologies (including Google Analytics)

2) Why we use your personal data

We use personal data to:

  • Provide the Services: process orders, handle returns/exchanges, provide customer support
  • Payments: process and confirm payments and prevent fraud
  • Shipping and delivery: deliver products and coordinate with logistics providers
  • Invoices and compliance: issue tax invoices/receipts and comply with accounting and legal requirements
  • Improve our website: understand how visitors use our site and improve performance (including via Google Analytics)
  • Communicate with you: respond to enquiries and send order/service updates

3) Legal bases we rely on

We process personal data based on one or more of the following legal bases under PDPA, depending on the activity:

  • Contract necessity: to fulfill orders and provide the Services you request
  • Legal obligation: to comply with tax, accounting, and other legal requirements
  • Legitimate interests: to keep our Services secure, prevent fraud, and improve our website and operations (balanced against your rights)
  • Consent: where required (for example, certain cookie/analytics choices)

4) Cookies and Google Analytics

We use cookies and similar technologies to operate the website and understand website usage.

  • Essential cookies are needed for core functions such as cart and checkout.
  • Analytics cookies may be used to measure and improve website performance, including Google Analytics.

Where required, we will request consent for non-essential cookies. You can also manage cookies through your browser settings.

5) LINE communications and marketing

We use LINE primarily for customer communications (for example, responding to enquiries and providing order or service-related updates when you contact us on LINE).

Marketing on LINE: We may send promotional messages on LINE only after you add our LINE Official Account. You can opt out of LINE promotional messages at any time by using the available LINE features (such as blocking the account) or by messaging us to request removal from promotional broadcasts.

We do not send marketing messages by email unless you have asked for them or consented where required.

6) Who we share personal data with

We share personal data only as needed to operate the Services, including with:

  • Shopify (our e-commerce platform) and related service providers/apps used to run the store
  • Payment provider: Omise (for payment processing and payment confirmation)
  • Shipping and logistics partners: third-party logistics providers in Thailand (for delivery and related coordination)
  • Analytics provider: Google Analytics (to understand and improve website performance)
  • Professional advisors and authorities: accountants, auditors, legal advisors, and government authorities where required by law

We do not sell your personal data.

7) International transfers

Some providers we use (including Shopify and certain technology providers) may process or store personal data outside Thailand. Where personal data is transferred internationally, we will use appropriate safeguards as required by applicable law, such as contractual protections and vendor security measures.

8) Your rights under PDPA

Subject to PDPA and applicable exceptions, you may have the right to:

  • Access and obtain a copy of your personal data
  • Request correction of inaccurate data
  • Request deletion or anonymization in certain circumstances
  • Restrict or object to certain processing (especially direct marketing)
  • Withdraw consent (where processing is based on consent)
  • Request data portability where applicable
  • Lodge a complaint with Thailand’s Personal Data Protection Committee (PDPC)

To exercise your rights, contact us at cs@ohlala-bakery.com. We may request reasonable information to verify your identity.

9) Data retention

We keep personal data only as long as necessary for the purposes in this Notice and to meet legal/tax requirements. When data is no longer needed, we delete or anonymize it unless we must retain it by law.

10) Data security and incidents

We use reasonable technical and organizational measures to protect personal data (such as access controls and account security). No system is perfectly secure. If a personal data breach occurs, we will handle it and make notifications as required by applicable law.

11) Children

The Services are not intended for children. If you believe a child has provided personal data to us, please contact us and we will take appropriate steps.

12) Changes to this Notice

We may update this Privacy Notice from time to time. The latest version will be posted on our website with an updated “Last updated” date.

Contact

Email: cs@ohlala-bakery.com

LINE Official Account: @ohlalabakery

If you would like to exercise your PDPA rights (see Section 8), please contact us using the details above.