Overview
J Nac (Thailand) Co., Ltd. (“we”), the provider of CNC Costify AI, recognizes the importance of your personal data and is committed to complying with Thailand's Personal Data Protection Act B.E. 2562 (PDPA).
This policy explains what data we collect, how we use it, how it's stored, retention periods, and your rights as the data subject.
Data We Collect
We collect only data necessary for service operation, in three categories:
Account Data
- •Email (registration/login)
- •Name (if provided)
- •Company name (if provided)
- •Hardware ID (bound to your license)
- •Password (bcrypt-hashed — never visible to staff)
Usage Data
- •Files processed per day (for quota management)
- •File type (STEP/PDF/JPG) — content NOT stored
- •Usage timestamps + device token
- •IP address (for security)
Payment Data
- •Payment slip (temporary, for order verification)
- •Order number + amount
- •No credit card / bank info stored
How We Use Data
- 1Authenticate and provide services per your purchased plan
- 2Manage daily usage quotas (Free: 3 files/day, Monthly: 30 files/day)
- 3Issue invoices and process payments
- 4Send critical email notifications (license expiry, updates, security)
- 5Improve usability and develop new features (aggregate, non-identifiable stats)
- 6Comply with applicable laws
AI Processing
CNC Costify AI uses external AI services to analyze drawings. You should understand what happens:
Google Gemini
Primary| Data sent | Only the drawing image/PDF you upload |
| Purpose | Extract Material, Stock, Coating, Tolerance |
| Retention | Per Google AI Privacy Policy |
OpenRouter
Auto-fallback| Data sent | Prompt text + drawing image |
| Purpose | Replace Gemini when quota exhausted |
| Retention | Per OpenRouter Privacy Policy |
Storage & Security
bcrypt (12 rounds) — staff cannot see your password
JWT in HttpOnly cookies — XSS/CSRF protected
Ed25519 cryptographic signatures — offline verifiable
SQLite on Linux VPS — daily backups
All connections use TLS 1.3 — no plaintext data
Payment slips deleted after order confirmed (max 30 days)
Data Retention
| Data Type | Retention |
|---|---|
| User accounts | Lifetime of account + 2 years after closure (per PDPA) |
| Daily usage records | 12 months (for stats and customer service) |
| Payment slips | Max 30 days after order confirmed |
| Invoices / Receipts | 10 years (per Thai tax law) |
| Device tokens | 365 days idle → auto-deleted |
| Server logs | 90 days, then destroyed |
Your Rights (PDPA)
Under Thailand's PDPA, you have the following rights:
Minors
Our service is designed for professional use in the CNC industry. Users must be 18 years or older — we do not knowingly collect data from anyone under 18.
If you are a parent and discover your child registered without permission, please contact us for account deletion.
Policy Changes
We may update this policy periodically to reflect service changes, legal updates, or technology
- ▸Material changes will be notified via email 30 days in advance
- ▸Minor changes (typos, formatting) update without notice
- ▸Last-updated date shown at the top of this document
Contact
For questions about this Privacy Policy or to exercise your PDPA rights, contact: