Privacy Policy
(Effective 1 August 2025 – supersedes all prior versions)
OCA (THAILAND) COMPANY LIMITED, Thai company registration number 0105566086950, having its registered office at 357 Soi Vibhavadi Rangsit 42, Lat Yao Sub-District, Chatuchak District, Bangkok, operates the online platform located at rustsupreme.com (hereinafter, “the Company,” “we,” “us,” or “our”). The domain, together with any sub-domains, mobile sites, web applications and application-programming interfaces now existing or hereafter developed, is collectively referred to as “the Website.”
By accessing or using the Website you (“User,” “you,” or “your”) acknowledge that you have read, understood and agreed to the collection, use, disclosure and other processing of your Personal Data in accordance with this Privacy Policy (“Policy”) and the Personal Data Protection Act B.E. 2562 (2019) of Thailand (“PDPA”).
1. Definitions
Unless otherwise defined herein, capitalised terms have the meanings ascribed in the Terms and Conditions. In addition:
• “Personal Data” means any data relating to an identified or identifiable natural person as defined under the PDPA.
• “Controller” means the person or entity having the power to determine the purposes and means of the processing of Personal Data; in this Policy the Controller is the Company.
• “Processor” means a person or entity which processes Personal Data on behalf of the Controller.
• “Processing” (and its variants) means any operation performed upon Personal Data, whether by automated means or otherwise, such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, transfer, alignment, combination, restriction, erasure or destruction.
2. Categories of Personal Data We Collect
| Category | Examples |
| --- | --- |
| Identity Data | Full name, date of birth, nationality, government-issued ID details, selfie photographs, Steam® account ID. |
| Contact Data | Email address, telephone number, correspondence address, social-media handles. |
| Financial Data | Payment-card brand and last four digits, e-wallet identifier, bank name, transaction reference, tokenised payment instrument, withdrawal address. |
| Technical Data | IP address, device identifier, browser type and version, time-zone setting, operating system, language, cookies, log files. |
| Usage Data | Log-in timestamps, clickstream, viewed pages, purchase history, search queries, trading activity, communication records with customer support. |
| KYC/AML Data | Proof of address, source-of-funds declaration, politically exposed person (PEP) status, sanctions-screening results. |
We do not intentionally collect Sensitive Personal Data (e.g., biometric templates, health data) save where required by AML regulations (e.g., facial photograph for identity verification). Where collection of Sensitive Personal Data is unavoidable, we will obtain your explicit consent unless a PDPA exemption applies.
3. Legal Bases for Processing
We rely on one or more of the following legal bases under Sections 24 and 26 PDPA:
1. Contractual Necessity – to perform our obligations under the Terms and Conditions or to take steps at your request prior to entering into a contract.
2. Legal Obligation – to comply with Thai laws such as the Anti-Money Laundering Act, Revenue Code and PDPA.
3. Legitimate Interests – to operate, maintain and improve the Website; detect and prevent fraud; protect network security; assert legal claims; undertake corporate due diligence.
4. Consent – for direct marketing, optional cookies or any processing that does not fall under the foregoing bases. You may withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
5. Vital Interests – to prevent or suppress danger to life, body or health when you are incapable of giving consent.
4. Methods of Collection
• Direct: information you provide through registration forms, KYC uploads, customer-support tickets or survey responses.
• Automated: data captured via cookies, web beacons and server logs when you browse or use the Website.
• Third-Party: data received from payment processors, identity-verification vendors, sanctions-screening databases and publicly available sources.
5. Purposes of Processing
| Purpose | Example Activities |
| --- | --- |
| Account Creation & Management | Registering an Account, linking Steam ID, resetting passwords, providing user dashboards. |
| Transaction Facilitation | Displaying listings, matching buyers and sellers, generating Steam trade offers, processing payments and withdrawals. |
| KYC/AML Compliance | Verifying identity, screening against sanctions lists, monitoring suspicious activity, generating STRs to AMLO. |
| Customer Support | Responding to inquiries, troubleshooting errors, communicating order status. |
| Security & Fraud Prevention | Detecting bot activity, rate-limiting requests, logging access attempts, investigating chargebacks. |
| Analytics & Improvement | Aggregating usage statistics, A/B testing new features, measuring campaign efficacy. |
| Marketing (with consent) | Sending promotional emails, personalised offers, loyalty-programme communications. |
6. Disclosure of Personal Data
We may share Personal Data with the following categories of recipients, each acting as Processor or independent Controller, as the context requires:
1. Payment-service providers licensed under the Payment Systems Act B.E. 2560 (2017).
2. Identity-verification and fraud-detection vendors compliant with PDPA and international ISO 27001 standards.
3. Cloud-hosting and IT-service providers located in Thailand or jurisdictions offering equivalent data-protection safeguards.
4. Professional advisers (lawyers, auditors, consultants) under a duty of confidentiality.
5. Regulatory and law-enforcement authorities where disclosure is mandated by Applicable Law or court order.
6. Corporate transferees in connection with a merger, acquisition, re-organisation or sale of substantially all assets, provided that the transferee agrees to honour this Policy or adopt materially equivalent protections.
We do not sell or rent Personal Data to third parties for monetary consideration.
7. Cross-Border Transfers
Where Personal Data is transferred to a recipient outside Thailand, we will ensure that the destination country has adequate data-protection standards as prescribed by the PDPA, or we will implement binding corporate rules, standard contractual clauses or other lawful safeguards. You may obtain a copy of the relevant safeguards by contacting us per Clause 13.
8. Data Retention
Personal Data is retained for as long as necessary for the purposes stated herein, subject to:
• Statutory Retention – at least five (5) years for KYC/AML records under the Anti-Money Laundering Act.
• Contractual Limitation – ten (10) years after account closure for potential legal claims under the Civil and Commercial Code.
• Tax Records – at least ten (10) years pursuant to the Revenue Code.
Data will be anonymised or securely deleted once retention periods lapse, unless further retention is required to comply with a legal obligation or to establish, exercise or defend legal claims.
9. Data Subject Rights
Subject to conditions and exemptions under the PDPA, you have the following rights:
1. Right to Access – obtain a copy of your Personal Data and information about its processing.
2. Right to Rectification – request correction of inaccurate or incomplete data.
3. Right to Erasure – request deletion or anonymisation where the data is no longer needed or consent has been withdrawn.
4. Right to Restrict Processing – request suspension of processing in specific circumstances.
5. Right to Data Portability – receive Personal Data in a structured, commonly used and machine-readable format and transmit it to another controller.
6. Right to Object – object to processing based on legitimate interests or direct marketing.
7. Right to Withdraw Consent – withdraw previously given consent at any time.
8. Right to Lodge a Complaint – complain to the Personal Data Protection Committee (PDPC) or a competent court if you believe your rights have been infringed.
To exercise any right, please contact us as provided in Clause 13. We will respond within thirty (30) days of receiving a complete request.
10. Security Measures
We employ administrative, technical and physical safeguards proportionate to the risk level, including:
• Transport Layer Security (TLS) encryption for data-in-transit.
• AES-256 encryption for sensitive data-at-rest.
• Multi-factor authentication for privileged accounts.
• Role-based access controls and least-privilege principles.
• Real-time intrusion-detection and log monitoring.
• Annual penetration testing and regular vulnerability scans.
No method of transmission or storage is absolutely secure; therefore, while we strive to use commercially acceptable means to protect Personal Data, we cannot guarantee its absolute security.
11. Cookies and Similar Technologies
The Website uses:
• Strictly Necessary Cookies – essential for core functionalities such as authentication and session integrity.
• Performance Cookies – collect aggregated statistics on page load times and error rates.
• Functional Cookies – remember user preferences such as language and time zone.
• Targeting/Advertising Cookies – used only with your prior consent to deliver personalised content.
You can control cookies through your browser settings; however, disabling certain cookies may impair Website functionality.
12. Children’s Privacy
The Website is intended exclusively for persons eighteen (18) years of age or older. We do not knowingly collect Personal Data from anyone under eighteen. If we learn that we have inadvertently processed data of a minor, we will promptly delete such data and terminate the related account.
13. Contact Information
All inquiries, requests or complaints concerning Personal Data should be directed to:
Data Protection Officer (DPO)
OCA (THAILAND) COMPANY LIMITED
357 Soi Vibhavadi Rangsit 42, Lat Yao Sub-District, Chatuchak District, Bangkok 10900
Email: [email protected]
14. Changes to This Policy
We may amend this Policy to reflect changes in legal requirements, technological developments or business practices. Material amendments will be announced on the Website at least thirty (30) days before they become effective. Your continued use of the Website after the effective date constitutes acceptance of the amended Policy.
15. Acknowledgment
By creating an Account, clicking “Agree,” or otherwise accessing or using the Website, you acknowledge that you have read, understood and consented to the practices described in this Policy.