TMES – Technology Message
Legal

Privacy Policy

How TMES collects, uses, protects and manages your personal information.

Last updated: 2 April 2026

1. Introduction and Scope

TMES Company Limited ("TMES", "we", "us", or "our") is committed to protecting the privacy, confidentiality and integrity of personal information in accordance with the Personal Data Protection Act B.E. 2562 (PDPA), ISO/IEC 27701:2019 (Privacy Information Management System), and ISO/IEC 27001:2022 (Information Security Management System).

This Privacy Policy applies to all personal information processed by TMES in the course of our business activities, including:
• Client and prospect data collected during sales, pre-sales, and service delivery
• Employee, contractor, and candidate personal information
• Supplier and business partner contact information
• Website visitor and enquiry data collected via tmes.co.th
• Personal information processed on behalf of clients as a data processor

TMES acts as a Data Controller for information collected for our own business purposes, and as a Data Processor when handling personal data on behalf of our clients. Where TMES acts as a processor, data handling is governed by contractual Data Processing Agreements.

2. Identity of the Data Controller

Data Controller:
TMES Company Limited
43 Thai CC Tower, 22nd Floor, Unit A228-A229
South Sathon Road, Yannawa, Sathon, Bangkok 10120 Thailand

Data Protection Officer (DPO):
Email: dpo@tmes.co.th
Phone: +66 (0) 92 462 9779

We have appointed a Data Protection Officer (DPO) responsible for overseeing compliance with this Policy and applicable data protection laws. You may contact the DPO directly for any privacy-related matters.

3. Personal Information We Collect

We collect and process the following categories of personal information, depending on the nature of our relationship with you:

Identity and Contact Data: Full name, job title, company name, business email address, telephone number, postal address.

Commercial and Transactional Data: Purchase history, service agreements, invoices, enquiry records, proposals, and correspondence.

Technical and Usage Data: IP address, browser type and version, device identifiers, pages visited, time and date of access, and referral sources when you interact with our website or digital platforms.

Employment and Recruitment Data: Curriculum vitae (CV), educational and professional credentials, employment history, identification documents, and references (collected from candidates and employees).

Sensitive Personal Data: Where required and with your explicit consent (or as permitted by law), we may process sensitive data such as national identification numbers or health-related information for employment purposes.

We collect personal information directly from you (e.g., via contact forms, contracts, or job applications), from your employer or colleagues, from publicly available business sources, and — in limited cases — from third-party partners where permitted.

4. Purposes and Lawful Bases for Processing

We process your personal information only where we have a valid lawful basis. Our key processing purposes are:

Service Delivery: Providing, managing, and supporting the technology solutions and services you have contracted with us. Lawful basis: Performance of a contract.

Client Relationship Management: Managing client accounts, communications, and renewals. Lawful basis: Legitimate interests / performance of a contract.

Sales and Marketing: Sending relevant information about our solutions, events, and industry insights. Lawful basis: Legitimate interests (B2B) / Consent (where required).

Website and Platform Operation: Maintaining website functionality, security, and analytics. Lawful basis: Legitimate interests.

Recruitment and Employment: Processing job applications and managing employment relationships. Lawful basis: Pre-contractual measures / performance of a contract / legal obligation.

Legal and Regulatory Compliance: Meeting obligations under applicable Thai law and international standards. Lawful basis: Legal obligation.

Information Security: Protecting systems and data from unauthorised access, consistent with our ISO 27001 ISMS. Lawful basis: Legitimate interests / legal obligation.

Where processing is based on consent, you have the right to withdraw that consent at any time without affecting the lawfulness of prior processing.

5. How We Use and Share Your Personal Information

We use personal information only for the purposes described in Section 4. We do not sell, rent, or trade personal information to third parties for their own marketing purposes. We may share personal information with:
• Service Providers and Sub-processors: Technology partners, cloud infrastructure providers (e.g., AWS, Alibaba Cloud), email services, and other vendors who process data on our behalf under contractual Data Processing Agreements that ensure equivalent protection.
• Business Partners: Where necessary to deliver contracted services, with appropriate data sharing agreements in place.
• Professional Advisors: Lawyers, auditors, and insurers, subject to professional confidentiality obligations.
• Regulatory and Law Enforcement Authorities: Where required by applicable law, court order, or to protect the rights and safety of individuals.
• Corporate Transactions: In the event of a merger, acquisition, or business transfer, personal information may be transferred to the relevant parties subject to appropriate safeguards.

All third parties with whom we share personal information are required to maintain appropriate technical and organisational security measures consistent with our information security standards.

6. International Data Transfers

TMES operates across Southeast Asia, and personal information may be transferred to, stored in, or processed in countries outside Thailand. Where such transfers occur, we ensure that appropriate safeguards are in place, including:
• Transfers to countries with an adequate level of protection as recognised by applicable law.
• Use of contractual clauses that impose data protection obligations on the receiving party.
• Binding corporate rules or equivalent mechanisms where applicable.

A list of countries where personal information may be transferred is available from our DPO upon request.

7. Data Retention

We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. Our general retention guidelines are:
• Client and contract data: 7 years following the end of the contractual relationship (or longer if required by law).
• Marketing and enquiry records: 3 years from the date of last contact, or until consent is withdrawn.
• Website and technical logs: Up to 12 months.
• Employment and recruitment data: 2 years for unsuccessful candidates; duration of employment plus 7 years for employees, or as required by Thai labour law.
• Financial and accounting records: As required under the Thai Revenue Code and related regulations (generally 5–7 years).

When personal information is no longer required, it is securely deleted or anonymised in accordance with our data disposal procedures.

8. Information Security

TMES maintains an Information Security Management System (ISMS) certified to ISO/IEC 27001:2022 and a Privacy Information Management System (PIMS) aligned to ISO/IEC 27701:2019. Our security measures include:
• Access Controls: Role-based access control (RBAC), multi-factor authentication (MFA), and the principle of least privilege across all systems handling personal information.
• Encryption: Encryption of personal data in transit (TLS 1.2 or higher) and at rest where technically feasible.
• Vulnerability Management: Regular vulnerability assessments, penetration testing, and patch management processes.
• Physical Security: Physical access controls to offices and data centre facilities, including CCTV, badge access, and visitor management.
• Employee Awareness: Mandatory annual information security and privacy training for all personnel with access to personal information.
• Incident Response: A formal Information Security Incident Management procedure aligned to ISO 27001 Annex A, with defined response timelines.
• Supplier Security: Due diligence and contractual security requirements for all third parties processing personal information on our behalf.

No system is completely secure. However, we continually review and improve our controls to protect the personal information entrusted to us.

9. Personal Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, TMES will:
• Notify the relevant supervisory authority (the Personal Data Protection Committee, PDPC) within 72 hours of becoming aware, where required under the PDPA.
• Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
• Maintain records of all personal data breaches and the actions taken in response.

If you believe your personal information held by TMES has been compromised, please contact our DPO immediately at dpo@tmes.co.th.

10. Your Rights as a Data Subject

Under the PDPA and applicable privacy laws, you have the following rights with respect to your personal information:

Right of Access: To request confirmation of whether we process your personal information and to receive a copy of that information.

Right to Rectification: To request correction of inaccurate or incomplete personal information.

Right to Erasure: To request deletion of your personal information where processing is no longer necessary or lawful, subject to legal retention obligations.

Right to Restriction: To request that we restrict processing of your personal information in certain circumstances.

Right to Data Portability: To receive your personal information in a structured, commonly used, machine-readable format and to request transmission to another controller, where technically feasible.

Right to Object: To object to processing based on legitimate interests or for direct marketing purposes.

Right to Withdraw Consent: To withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.

Right to Lodge a Complaint: To lodge a complaint with the Personal Data Protection Committee (PDPC) at www.pdpc.or.th if you believe your rights have been infringed.

To exercise any of these rights, please contact our DPO at dpo@tmes.co.th. We will respond within 30 days of receipt of your request. In some cases, we may require you to verify your identity before processing your request.

11. Cookies and Tracking Technologies

Our website (tmes.co.th) uses cookies and similar technologies to ensure the website functions correctly, to analyse usage, and to improve the user experience. We use:
• Strictly Necessary Cookies: Essential for the operation of the website. These cannot be disabled.
• Analytics Cookies: Used to understand how visitors interact with our website (e.g., Google Analytics). These are only set with your consent.
• Functional Cookies: Enable enhanced functionality and personalisation.

You may control cookie preferences through your browser settings or our cookie consent tool. Note that disabling certain cookies may affect website functionality. For detailed information about the specific cookies we use, please contact us at dpo@tmes.co.th.

12. Data Protection Impact Assessments (DPIA)

Where a processing activity is likely to result in a high risk to the rights and freedoms of individuals, TMES conducts a Data Protection Impact Assessment (DPIA) prior to commencing processing. DPIAs are required for activities such as:
• Large-scale processing of sensitive personal data.
• Systematic monitoring of individuals.
• Use of new technologies with significant privacy implications.

DPIAs are reviewed and approved by the DPO and relevant business stakeholders before implementation.

13. Children's Privacy

Our services and website are not directed at children under the age of 20 (the age of majority in Thailand) or under the applicable minimum age in other jurisdictions. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal information from a child, we will take steps to delete that information promptly. If you believe we hold personal information about a child, please contact dpo@tmes.co.th.

14. Changes to This Policy

TMES reviews this Privacy Policy at least annually, or whenever there are material changes to our processing activities or applicable law. When we make significant changes, we will update the "Last updated" date at the top of this Policy and, where appropriate, notify affected individuals by email or through prominent notice on our website. Your continued engagement with TMES following notification of changes constitutes your acknowledgement of the updated Policy (to the extent permitted by law).

15. Contact and Complaints

For any questions, requests, or complaints regarding this Privacy Policy or our data handling practices, please contact:

Data Protection Officer (DPO)
TMES Company Limited
43 Thai CC Tower, 22nd Floor, Unit A228-A229
South Sathon Road, Yannawa, Sathon, Bangkok 10120 Thailand
Email: dpo@tmes.co.th
Phone: +66 (0) 92 462 9779

If you are not satisfied with our response, you have the right to lodge a complaint with the Personal Data Protection Committee (PDPC), the supervisory authority in Thailand:
Website: www.pdpc.or.th