Privacy Protocol

Overview

Echelon Security Consulting LLC ("ESC," "we," "our," or "us") respects the privacy of every individual who visits our website at echelon.security or engages with us in connection with our services. This Privacy Protocol (the "Policy") explains how we collect, use, disclose, and safeguard personal information in compliance with applicable laws, including the Thailand Personal Data Protection Act B.E. 2562 (2019) ("PDPA") and other relevant regional legislation across Southeast and East Asia.

By accessing our website or providing your information to us, you acknowledge that you have read, understood, and agree to the terms of this Policy. If you do not agree, please discontinue use of our website and services.

Data Controller

The data controller responsible for your personal information is:

Information We Collect

We collect personal information only where it is necessary for a legitimate purpose.

Information You Provide Directly

• Contact details — full name, email address, telephone number, and company affiliation submitted through our contact form or direct correspondence.
• Inquiry content — details of the matter, concern, or request you describe when you contact us.
• Professional information — your job title, seniority level, or sector, when voluntarily provided during an engagement discussion.
• Communication records — emails, WhatsApp messages, and LINE conversations initiated by you.

Information Collected Automatically

• Log data — IP address, browser type and version, operating system, referring URL, pages visited, and time and date of each request.
• Device information — device type, screen resolution, and general hardware identifiers.
• Cookie data — session and preference data stored via cookies and similar tracking technologies (see Section 11).
• Analytics data — aggregated and anonymised interaction metrics used to improve site performance.

Sensitive Information

We do not intentionally collect sensitive categories of personal data (e.g., health, biometric, political, or religious data) through our website. Should sensitive information become relevant in the course of a professional engagement, it will be handled under a separate, specific written agreement and in full compliance with applicable law.

How We Use Information

We use the personal information we collect strictly for the purposes for which it was obtained:

• Responding to inquiries and initiating, conducting, or concluding professional engagements.
• Assessing the nature of a prospective client's security requirements and determining our ability to assist.
• Administering, maintaining, and improving our website and digital communications.
• Complying with applicable legal obligations and regulatory requirements in the jurisdictions where we operate.
• Protecting the rights, property, safety, and operational security of ESC, our staff, and third parties.
• Sending service-related communications and, where consent has been obtained, relevant security intelligence updates or firm announcements.
• Conducting internal analysis and performance monitoring to enhance the quality of our services.

We do not sell, rent, or trade your personal information to third parties for marketing or commercial purposes.

Legal Basis for Processing

Under the Thailand PDPA and other applicable frameworks, we rely on the following legal bases:

• Contractual necessity — processing required to enter into or perform a contract or engagement with you.
• Legitimate interests — processing necessary for our legitimate business interests, where those interests are not overridden by your rights.
• Legal obligation — processing required to comply with applicable law, court orders, or regulatory directions.
• Consent — where we rely on your explicit consent. You may withdraw consent at any time without affecting the lawfulness of prior processing.

Disclosure of Information

We treat all personal information with strict confidentiality and do not disclose it except in the following limited circumstances:

• Service partners and subcontractors — trusted operational partners who assist in delivering services, subject to binding confidentiality and data processing obligations.
• Professional advisors — legal counsel, auditors, and compliance advisors acting under professional privilege or confidentiality duties.
• Law enforcement and regulators — where disclosure is required by applicable law, court order, or a lawful request from a competent authority.
• Business transfers — in the event of a merger, acquisition, or restructuring, personal data may transfer as part of that transaction, subject to equivalent privacy protections.
• Your consent — in any other circumstance where you have expressly authorised the disclosure.

International Data Transfers

ESC operates regionally across Southeast and East Asia, with operations and personnel in Thailand (Headquarters), Vietnam, the Philippines, Hong Kong, Japan, South Korea, Taiwan, Singapore, and Malaysia. Your personal information may be accessed by or transferred to personnel or partners in these jurisdictions in connection with a specific engagement.

Where personal information is transferred across borders, we ensure such transfers comply with Section 28 of the Thailand PDPA and equivalent provisions under applicable law, including the use of contractual safeguards or other recognised legal mechanisms.

Data Retention

We retain personal information only for as long as necessary to fulfil the purposes set out in this Policy or as required by law:

• Inquiry records — retained for up to 24 months from the date of last contact, unless a professional engagement is initiated.
• Engagement records — retained for a minimum of five (5) years following conclusion of the engagement, in accordance with our legal and professional obligations.
• Website analytics — aggregated, anonymised data may be retained indefinitely. Identifiable log data is purged after 90 days.
• Marketing consent records — retained for the duration of the relationship plus a reasonable compliance period thereafter.

Upon expiry of the applicable retention period, personal data is securely deleted or anonymised to prevent re-identification.

Security Measures

As a security consultancy, we apply rigorous organisational and technical controls to protect personal information:

• Encryption of data in transit via TLS 1.2 / 1.3 and at rest using industry-standard protocols.
• Access controls based on the principle of least privilege, with regular access reviews.
• Multi-factor authentication for internal systems and communications platforms.
• Secure communications channels (encrypted email, Signal-class platforms) for sensitive client communications.
• Personnel training and vetting, with binding confidentiality obligations for all staff and contractors.
• Regular security assessments, including vulnerability reviews of systems that handle personal data.
• Documented incident response procedures aligned with PDPA notification obligations (72-hour regulatory notification window where applicable).

In the event of a data breach affecting your rights, we will notify you and relevant authorities in accordance with applicable law.

Your Rights

Subject to applicable law, you may have the following rights regarding your personal information:

To exercise any of these rights, submit a written request to [email protected]. We will respond within 30 days. We may need to verify your identity before processing. Exercising these rights is free of charge unless the request is manifestly unfounded or excessive.

Cookies & Tracking Technologies

Our website uses cookies and similar technologies to ensure proper functionality, analyse site performance, and improve your experience:

• Strictly necessary cookies — essential for core site functionality and security. These cannot be disabled without impairing the website.
• Performance and analytics cookies — used to understand how visitors interact with our site. Data is aggregated and anonymised where possible.
• Functional cookies — remember your preferences to improve your experience on return visits.

We do not use advertising, remarketing, or behavioural profiling cookies. Where required by law, we will obtain your consent before placing non-essential cookies.

Third-Party Links

Our website may contain links to external platforms, including WhatsApp and LINE, used to facilitate urgent communications. These services operate under their own privacy policies, which we encourage you to review. ESC is not responsible for the privacy practices of any third-party platform and has no control over the content or security of external sites.

Children's Privacy

Our website and services are directed exclusively at business professionals and are not intended for individuals under the age of 18. We do not knowingly collect personal information from minors. If we become aware that we have inadvertently received personal information from a person under 18, we will delete it promptly.

Policy Updates

We may update this Policy from time to time to reflect changes in applicable law, our operations, or industry best practice. The most current version will always be available at echelon.security/privacy, with the effective date and last-reviewed date updated accordingly.

For material changes that significantly affect how we handle your personal information, we will notify you by email or by a prominent notice on our website prior to the change taking effect. Continued use of our website following notification of a material change constitutes acceptance of the revised Policy.

Contact & Complaints

For questions, concerns, or requests relating to this Policy, please contact our privacy team:

If you are unsatisfied with our response, you have the right to file a complaint with the Personal Data Protection Committee (PDPC), the supervisory authority in Thailand, or with the relevant data protection authority in your country of residence.