Privacy Policy

Wonderland Clinic — Thai Traditional Medicine

Bangkok, Thailand

Effective Date: 8 May 2026
Version: 1.0
Last Updated: 8 May 2026


1. INTRODUCTION

1.1 About This Policy

Wonderland Clinic (“we,” “our,” or “the Clinic”) is committed to protecting the privacy and confidentiality of all patients’ personal data in accordance with Thailand’s Personal Data Protection Act B.E. 2562 (2019) (“PDPA”), the Protection and Promotion of Thai Traditional Medicine Knowledge Act B.E. 2542 (1999), and the regulations of the Department of Thai Traditional and Alternative Medicine (DTAM) under the Ministry of Public Health.

We provide Thai Traditional Medicine (TTM) treatments including herbal medicines, hot herbal compression, cupping, herbal burning, medical tattoo, and detoxification programmes. We understand that our patients entrust us with personal and health information, and we are committed to maintaining the highest standards of data protection and confidentiality.

1.2 Data Controller Information

Clinic Name: Wonderland Clinic
Address: 93 Unit B, Sukhumvit Road, Watthana District, Bangkok 10110, Thailand
Phone: +66 8 2298 6442
Email: support@wonderlandclinics.com
Website: https://wonderlandclinics.com

Registered Thai Traditional Medicine Practitioner:
Patipat Promkaew
TTM Medical Licence No. 28274

1.3 Data Protection Officer (DPO)

Email: dpo@wonderlandclinics.com

For any questions about this Privacy Policy, how we handle your personal data, or to exercise your data subject rights, please contact our Data Protection Officer.

1.4 Regulatory Compliance

This Privacy Policy complies with:

  • Personal Data Protection Act B.E. 2562 (2019) (“PDPA”)
  • Protection and Promotion of Thai Traditional Medicine Knowledge Act B.E. 2542 (1999)
  • National Health Act B.E. 2550 (2007)
  • Practice of the Art of Healing Act B.E. 2542 (1999)
  • DTAM regulations and guidelines on personal data protection
  • Medical Council of Thailand standards (where applicable)

2. WHAT PERSONAL DATA WE COLLECT

We collect and process personal data that is necessary to provide you with safe and effective Thai Traditional Medicine treatments. Under the PDPA, health data is classified as Sensitive Personal Data requiring special protection.

2.1 Patient Registration Data

  • Full name (as per identification documents)
  • Date of birth and age
  • National ID number or passport number
  • Current address and contact information (phone, email)
  • Emergency contact information
  • Occupation (where relevant to treatment)
  • Preferred language of communication

2.2 Medical and Health Data

  • General medical history: Previous illnesses, surgeries, allergies, current medications
  • TTM assessment records: Traditional diagnostic findings (pulse diagnosis, element assessment, body constitution analysis)
  • Treatment records: Thai Traditional Medicine treatments administered (herbal prescriptions, hot herbal compression, cupping, herbal burning, medical tattoo, detoxification programme details)
  • Herbal prescription records: Herbal formulations prescribed, dosage, duration
  • Progress notes: Treatment response, follow-up observations, practitioner notes
  • Contraindications: Documented allergies, conditions, or medications that affect treatment
  • Referral records: If referring to or receiving referrals from other healthcare providers

2.3 Appointment and Communication Data

  • Appointment scheduling information
  • Attendance records
  • Communication records (emails, phone calls, messages)
  • Appointment reminders and follow-up communications

2.4 Financial Data

  • Payment information (credit/debit card details are processed securely via our payment processor and are not stored by the Clinic)
  • Billing records and receipts
  • Insurance information (if applicable)

2.5 Technical Data (Website)

  • IP address
  • Browser type and version
  • Device information
  • Pages visited on our website
  • Cookies (see Section 12)

2.6 Clinical Photography (Only with Separate Consent)

  • Treatment-area photographs for clinical documentation (e.g. before/after cupping, herbal compress treatment areas)
  • We will never take or use photographs without your explicit, separate written consent

3. HOW WE USE YOUR DATA (LEGAL BASIS)

Under the PDPA, we must have a valid legal basis for processing your personal data. We rely on the following:

3.1 Medical Treatment (Contract — PDPA Section 24(3))

We process your personal data to:

  • Provide Thai Traditional Medicine consultations and assessments
  • Prepare and administer herbal medicines and treatments
  • Monitor treatment progress and adjust treatment plans
  • Manage appointments and follow-up care
  • Coordinate referrals to other healthcare providers (with your consent)

3.2 Legal Obligations (PDPA Section 24(4))

We process your personal data to comply with:

  • Practice of the Art of Healing Act — requirements to maintain treatment records
  • DTAM regulations on practitioner record-keeping
  • Thai FDA regulations on herbal medicine prescriptions
  • Tax and accounting legal requirements
  • Court orders or legal proceedings

3.3 Preventive Medicine and Healthcare (PDPA Section 26(5)(a))

We process sensitive health data for:

  • Preventive healthcare and health monitoring
  • Traditional medical diagnosis and treatment planning
  • Provision of Thai Traditional Medicine services
  • Healthcare system management and quality improvement

3.4 Your Explicit Consent (PDPA Sections 19 & 26)

We obtain your explicit, written consent for:

  • Sharing information with third-party healthcare providers
  • Clinical photography
  • Marketing communications or newsletters
  • Any processing not covered by the above legal bases

You have the right to withdraw consent at any time (see Section 5.7).

3.5 Vital Interest (Emergency — PDPA Section 24(2))

In medical emergencies where obtaining consent is not possible, we may process your data to protect your life or physical well-being.


4. SENSITIVE PERSONAL DATA — SPECIAL PROTECTIONS

4.1 What Is Sensitive Personal Data?

Under PDPA Section 26, health data requires special protection and explicit consent. All medical and treatment data processed at Wonderland Clinic falls into this category.

4.2 Protection Measures

Technical Measures:

  • All electronic patient records are stored on our secure, encrypted Network Attached Storage (NAS) system using AES-256 encryption
  • RAID configuration provides data redundancy and protection against hardware failure
  • Automated encrypted backups
  • Network segmentation — the medical records system is isolated from the public network
  • Firewall protection and intrusion detection
  • Role-based access controls — only authorised clinical staff can access patient data
  • Audit logging — every access to patient data is logged with timestamp and user identity

Organisational Measures:

  • Explicit consent obtained before processing health data
  • Staff confidentiality agreements
  • Regular data protection training for all staff
  • Need-to-know access policies
  • Incident response procedures

Physical Measures:

  • Secure, access-restricted room for NAS infrastructure
  • Locked storage for any paper records
  • Visitor restrictions to clinical and record-keeping areas
  • Secure document disposal (shredding)

5. YOUR RIGHTS UNDER THE PDPA

Thailand’s PDPA grants you comprehensive rights over your personal data. We are committed to upholding these rights.

5.1 Right to Access (Section 30)

You may request confirmation of whether we process your personal data, access your data, and receive copies of your treatment records.

  • Submit a written request to our DPO at dpo@wonderlandclinics.com
  • We will respond within 30 days
  • First request is free; subsequent requests may incur a reasonable administrative fee

5.2 Right to Rectification (Section 32)

You may request correction of inaccurate or incomplete personal data.

  • Contact our reception or DPO
  • We will update records promptly upon verification

5.3 Right to Erasure (Section 33)

You may request deletion of your personal data when it is no longer necessary, you withdraw consent with no other legal basis, or data was unlawfully processed.

Medical exception: Under Thai healthcare law, we are legally required to retain treatment records for a minimum period (see Section 7). During that period, we cannot fully erase medical records but can restrict access and mark records for deletion after the retention period expires.

5.4 Right to Data Portability (Section 34)

You may receive your personal data in a structured, commonly used, machine-readable format (e.g. PDF) and request transfer to another healthcare provider.

5.5 Right to Object (Section 35)

You may object to processing based on legitimate interests or direct marketing.

5.6 Right to Restrict Processing (Section 36)

You may request that we pause processing while verifying data accuracy, when processing is unlawful but you do not want deletion, or while we assess an objection.

5.7 Right to Withdraw Consent (Section 19)

You may withdraw consent at any time. Withdrawal is as easy as giving consent.

How to withdraw:

  • In person: Tell any staff member at the Clinic
  • Email: Send an email to dpo@wonderlandclinics.com with subject “WITHDRAW CONSENT”

What happens after withdrawal:

  • We cease processing based on that consent immediately
  • We confirm withdrawal in writing within 7 days
  • Previous processing remains lawful
  • We may be unable to continue certain treatments if relevant data can no longer be processed
  • Medical record retention obligations still apply

5.8 Right to Lodge a Complaint (Section 77)

If you believe your rights have been violated, you may:

  1. Contact our DPO first (we will try to resolve your concern internally)
  2. File a complaint with the Personal Data Protection Committee (PDPC); contact details are given in Section 17.3

6. DATA SECURITY

6.1 Technical Security

NAS Infrastructure:

  • Enterprise-grade NAS with AES-256 encryption at rest
  • RAID configuration for redundancy
  • Automated encrypted backups to a secondary secure location
  • Network segmentation — medical records isolated from public network
  • Enterprise firewall and intrusion detection
  • VPN with multi-factor authentication for any authorised remote access

Application Security:

  • Role-based access control (RBAC)
  • Audit logging of every access, edit, or deletion with timestamp and user ID
  • Automatic session timeout after inactivity
  • Strong password requirements
  • TLS 1.3 encryption for all data in transit

6.2 Organisational Security

  • Data Protection Policy reviewed annually
  • Confidentiality agreements signed by all staff
  • Mandatory PDPA training for all staff (initial and annual refresher)
  • Access reviews conducted quarterly
  • Immediate access revocation upon staff departure

6.3 Physical Security

  • Secure server room with restricted access for NAS
  • Locked cabinets for any paper records
  • Clean desk policy — no patient data left visible
  • Secure shredding of documents scheduled for disposal

6.4 Data Breach Response

In the event of a personal data breach:

  1. Containment (0–24 hours): Immediate investigation, containment, and evidence preservation
  2. PDPC Notification (within 72 hours): Report to the Personal Data Protection Committee
  3. Patient Notification (without undue delay): If the breach is likely to pose a high risk to your rights and freedoms, we will notify you directly, explaining:
    • Nature of the breach
    • Data affected
    • Likely consequences
    • Measures we have taken
    • How to contact us for further information
  4. Remediation: Root cause analysis, corrective measures, documentation, and policy updates

7. DATA RETENTION

7.1 Treatment Records

Under the Practice of the Art of Healing Act and DTAM regulations, we retain complete treatment records for a minimum of 5 years after your last visit. Our policy is to retain records for 7 years to ensure continuity of care.

Treatment records include: patient registration data, medical history, TTM assessments, treatment notes, herbal prescriptions, progress notes, consent forms, and referral records.

7.2 Other Retention Periods

Data Category                 | Retention Period                           | Basis
Appointment records           | 5 years after last visit                   | Healthcare regulation
Financial / billing records   | 7 years                                    | Revenue Code B.E. 2481
Consent forms                 | 7 years or until withdrawal                | PDPA compliance
Marketing consent             | Until withdrawal or 3 years of inactivity  | PDPA compliance
Communication records         | 3 years                                    | Business record-keeping
Audit logs (data access)      | 2 years                                    | Security monitoring
CCTV footage                  | 30 days (unless incident)                  | Security

7.3 Secure Deletion

After retention periods expire:

  • Electronic records: Securely erased from all systems and backups
  • Paper records: Cross-cut shredded
  • Deletion documented for compliance records

8. DATA SHARING AND DISCLOSURE

We do not sell, rent, or trade your personal data.

8.1 Within the Clinic

Data is shared among clinic staff on a need-to-know basis:

  • TTM Practitioner: Full access to treatment records
  • Clinical assistants: Access to relevant treatment information
  • Reception / admin staff: Limited access to scheduling and contact details
  • DPO: Access for compliance and rights fulfilment

All staff are bound by confidentiality agreements.

8.2 External Healthcare Providers (With Your Consent)

We may share data with:

  • Referring or referred-to healthcare providers
  • Pharmacies or herbal dispensaries (prescription details only)
  • Laboratories (if diagnostic testing is required)

We obtain your explicit written consent before sharing information externally. You may specify exactly what is shared.

8.3 Third-Party Service Providers (Data Processors)

We use service providers who process data on our behalf under strict Data Processing Agreements (DPAs):

Provider Type         | Purpose                 | Safeguards
Cloud / NAS backup    | Encrypted data backup   | DPA, AES-256 encryption
Email service         | Patient communications  | DPA, TLS encryption
Appointment system    | Scheduling              | DPA, access controls
Payment processor     | Billing                 | PCI-DSS compliant, tokenisation
IT support            | System maintenance      | DPA, NDA, supervised access

All third-party providers are contractually prohibited from using your data for their own purposes.

8.4 Legal and Regulatory Disclosures

We may disclose data without your consent only when required by law:

  • Court orders or subpoenas
  • PDPC audits or investigations
  • DTAM regulatory inspections
  • Thai FDA inspections (herbal medicine compliance)
  • Public health authorities (disease reporting as required)

We will verify the legitimacy of any request, disclose only the minimum necessary, and notify you when legally permitted.

8.5 Emergency Situations

In a medical emergency, we may share data with emergency services to protect your life (PDPA Section 24(2)).


9. CROSS-BORDER DATA TRANSFERS

9.1 Data Location

Our primary data is stored in Thailand on our NAS infrastructure at the Clinic premises and at our backup facility in Bangkok.

9.2 International Transfers

Some third-party service providers (e.g. email, cloud backup) may process data on servers outside Thailand. Where this occurs:

  • We ensure the destination country has adequate data protection standards, or
  • We use Standard Contractual Clauses (SCCs), or
  • We obtain your explicit consent after informing you of the risks

All international transfers are encrypted in transit and at rest.

9.3 Your Control

If you prefer your data to remain exclusively in Thailand, please inform our DPO. We will make reasonable efforts to accommodate your request.


10. MINORS’ DATA

10.1 Consent Requirements

Age           | Consent Requirement
Under 10      | Parent or legal guardian consent only
10–19         | Both patient and parent/guardian consent required
20 and over   | Independent patient consent

10.2 Procedures

  • A parent or legal guardian must accompany minor patients to the initial consultation
  • Both patient and parent/guardian must sign consent forms
  • We take particular care to explain treatments in age-appropriate language

11. THAI TRADITIONAL MEDICINE — HERBAL FORMULATION PRIVACY

11.1 Your Herbal Prescription Data

Wonderland Clinic prepares individualised herbal formulations based on traditional Thai medical assessment. Your herbal prescription records include:

  • Specific herbs and ingredients prescribed
  • Dosages and preparation instructions
  • Duration of treatment
  • Practitioner notes on formulation rationale

This data is treated as sensitive medical data and is protected with the same security measures as all other health records.

11.2 DTAM Compliance

Our herbal prescriptions comply with:

  • DTAM regulations on TTM herbal formulations
  • Thai FDA regulations on controlled herbal substances
  • Protection and Promotion of Thai Traditional Medicine Knowledge Act B.E. 2542 — protecting traditional herbal knowledge

11.3 No Commercial Use of Your Health Data

We will never use your individual health data, treatment outcomes, or herbal prescription details for commercial purposes, marketing, or sale to third parties without your explicit, separate consent.


12. COOKIES AND WEBSITE

12.1 Cookies We Use

Strictly Necessary Cookies:

  • Session management
  • Security
  • Load balancing

Legal Basis: Necessary for website functionality (PDPA Section 24(1))

We do NOT use:

  • ❌ Advertising or tracking cookies
  • ❌ Social media tracking cookies
  • ❌ Third-party behavioural tracking

12.2 Analytics

If we use website analytics:

  • Data is anonymised (IP addresses masked)
  • No personally identifiable information is collected
  • Analytics data is not shared with third parties

12.3 Managing Cookies

You can disable or delete cookies in your browser settings at any time. Disabling cookies may limit certain website functionality.


13. CONSENT MANAGEMENT

13.1 Types of Consent

Consent Type                   | Purpose
General Treatment Consent      | TTM consultation, assessment, and treatment
Herbal Medicine Consent        | Prescription and administration of herbal formulations
Information Sharing Consent    | Sharing records with external healthcare providers
Clinical Photography Consent   | Any clinical photographs
Marketing Consent              | Newsletters, health tips, promotions

13.2 How We Obtain Consent

  • All consents are documented in writing (paper or electronic signature)
  • Separate consent forms for each purpose
  • Clear, plain language in Thai and English
  • Not bundled with other documents
  • Consent requires clear affirmative action (signature, checkbox)
  • Pre-checked boxes are not used

13.3 Consent Records

We maintain records of: date consent was given, specific purposes, any limitations you specified, and your signature or electronic confirmation.

13.4 Withdrawing Consent

See Section 5.7 above. Withdrawal is always as easy as giving consent.


14. YOUR RESPONSIBILITIES

  • Provide accurate information: Accurate medical history is essential for safe TTM treatment, particularly regarding allergies, current medications, and existing conditions
  • Inform us of changes: Update us promptly if your contact details, health status, or consent preferences change
  • Communication security: Standard email is not fully encrypted; for sensitive information, contact us by phone or in person

15. UPDATES TO THIS POLICY

We may update this Privacy Policy to comply with changes in law, reflect changes in our data processing practices, or improve clarity.

When we make material changes:

  • We update the “Last Updated” date at the top
  • We notify you by email (if we hold your email)
  • We post notice at the Clinic reception
  • We publish the updated policy on our website
  • For significant changes, we may request renewed consent

Previous versions are available upon request from the DPO.


16. DTAM AND PROFESSIONAL STANDARDS

16.1 Practitioner Registration

All Thai Traditional Medicine treatments at Wonderland Clinic are provided by or under the supervision of:

Patipat Promkaew
Registered Thai Traditional Medicine Practitioner
TTM Medical Licence No. 28274
Licensed by the Department of Thai Traditional and Alternative Medicine (DTAM), Ministry of Public Health

16.2 Professional Standards

We comply with:

  • Protection and Promotion of Thai Traditional Medicine Knowledge Act B.E. 2542 (1999)
  • Practice of the Art of Healing Act B.E. 2542 (1999)
  • DTAM practitioner standards and continuing education requirements
  • Thai FDA regulations on herbal medicines and controlled substances
  • Quality assurance and patient safety standards

16.3 Record-Keeping

As required by DTAM and healthcare law, we maintain complete treatment records including traditional diagnostic assessments, herbal prescriptions, treatments administered, and patient progress. These records are protected under this Privacy Policy and applicable law.


17. CONTACT INFORMATION

17.1 Data Protection Officer

For privacy questions, data subject rights, or complaints:

Email: dpo@wonderlandclinics.com

17.2 Clinic General Contact

Wonderland Clinic
93 Unit B, Sukhumvit Road, Watthana District, Bangkok 10110, Thailand
Phone: +66 8 2298 6442
Email: support@wonderlandclinics.com
Website: https://wonderlandclinics.com

17.3 File a Complaint with PDPC

Personal Data Protection Committee (PDPC)
Website: https://www.pdpc.or.th/

17.4 DTAM

Department of Thai Traditional and Alternative Medicine
Website: https://www.dtam.moph.go.th/


18. LANGUAGE

This Privacy Policy is provided in Thai and English.

In the event of any discrepancy between the two versions, the Thai version shall prevail for legal interpretation purposes.


APPENDIX A: YOUR RIGHTS — QUICK REFERENCE

Your Right         | What It Means                            | How to Exercise
Access             | Get copies of your data                  | Email dpo@wonderlandclinics.com
Rectification      | Correct inaccurate data                  | Contact DPO or reception
Erasure            | Delete data (with medical exceptions)    | Email DPO
Data Portability   | Receive data in transferable format      | Email DPO
Object             | Stop certain processing                  | Notify DPO
Restrict           | Pause processing temporarily             | Email DPO
Withdraw Consent   | Take back consent at any time            | Email, phone, or tell any staff
Complain           | Report violations                        | Contact PDPC

Response Time: 30 days
Cost: Free (first request)


APPENDIX B: CONSENT WITHDRAWAL

All methods are equally valid:

  1. ✉️ Email: dpo@wonderlandclinics.com — Subject: “WITHDRAW CONSENT”
  2. ☎️ Phone: +66 8 2298 6442
  3. 🏥 In person: Tell any staff member at the Clinic

APPENDIX C: GLOSSARY

Term                      | Definition
PDPA                      | Personal Data Protection Act B.E. 2562 (2019) — Thailand’s primary data protection law
DTAM                      | Department of Thai Traditional and Alternative Medicine, Ministry of Public Health
TTM                       | Thai Traditional Medicine
Sensitive Personal Data   | Health data, genetic data, biometric data, and other categories requiring extra protection under PDPA Section 26
Data Controller           | The entity (Wonderland Clinic) that determines how and why personal data is processed
Data Processor            | A third-party service provider that processes data on our behalf under contract
DPO                       | Data Protection Officer — the person responsible for overseeing data protection compliance
NAS                       | Network Attached Storage — our secure, encrypted data storage infrastructure
Consent                   | Freely given, specific, informed, and unambiguous agreement to data processing
Data Breach               | Unauthorised or unlawful access, disclosure, alteration, or destruction of personal data
PDPC                      | Personal Data Protection Committee — Thailand’s national data protection authority

Wonderland Clinic
Thai Traditional Medicine — providing holistic, evidence-based traditional healthcare with the highest standards of privacy and confidentiality.


Effective Date: 8 May 2026
Version: 1.0
Next Review Date: 8 May 2027