
PRIVACY
YOUR TRUST IS OUR MOST VALUABLE ASSET.
At Aura Solution Company Limited, data security is a fiduciary obligation. Trust exists only where protection is absolute, and every system, process, and decision reflects this principle.
Our framework combines institutional governance, layered defenses, continuous monitoring, and strict access control—designed to anticipate risk, not react to it. Security is also cultural.
Our professionals operate with accountability, discretion, and ethical discipline beyond compliance. We treat data as an extension of trust. Our commitment is simple: to protect every piece of information with resilience, consistency, and respect. Trust through protection. Protection through discipline. Discipline defines Aura.
INSTITUTION
INSTITUTION OF EXCELLENCE, AND STEWARDSHIP
Life at Aura Solution Company Limited is defined by stewardship, not employment. Founded in 1981, Aura operates in 67 countries with nearly 18,000 professionals committed to long-term responsibility. Rooted in integrity, discipline, and duty, the institution’s values guide its governance, culture, and client engagement.
Our professionals are selected for judgment, global perspective, and composure—acting as both contributors and custodians with discretion and respect.
Aura fosters trust, continuous development, and long-term growth, while advancing innovation through disciplined integration of technology and foresight. Joining Aura means contributing to enduring work that shapes markets and upholds institutional excellence.
1. INTRODUCTION
Aura Solution Company Limited (“Aura”, “we”, “us”, “our”) is committed to compliance with applicable legal and regulatory requirements relating to data protection, privacy and cybersecurity, as further set out in our Code of Business Conduct and Ethics. At Aura, we respect your privacy and this Policy, together with our Website Terms of Use and our Cookie Policy, governs how Aura collects, processes (as defined below) and uses your Personal Data (as defined below) when you use our websites (as defined below).
Annex A provides additional information for residents of certain U.S. states that supplements the information provided throughout this Policy and sets out privacy rights relevant to residents of such states.
This Policy applies to users of the Websites (as defined below).
For the purposes of applicable laws and regulations relating to data protection and privacy (“Data Protection Legislation”), Aura acts as a controller in respect of your Personal Data.
This Policy may change from time to time and you should review it periodically.
This Policy was last updated on August 29, 2025.
2. DEFINITIONS
The following definitions shall apply to this Policy:
“Aura”, “we”, “us”, “our” means Aura Solution Company Limited and any of its affiliated entities to which a Website relates.
“Personal Data” has the meaning given to it or any similar term (e.g., “personal information”, “non‑public personal information”, “PII”, “personally identifiable information”) in applicable Data Protection Legislation and, for the avoidance of doubt, means any information which directly or indirectly identifies or otherwise relates to an individual, which is in the possession or under the control of Aura (or its representatives or service providers). Such Personal Data may include, without limitation, name, age, identification number, email address, address, telephone number, location data, financial data, or an online identifier. In addition to factual information, such Personal Data includes any expression of opinion about an individual and any indication of the intentions of Aura or any other person in respect of an individual.
“Process” or “Processing” means any operation that is carried out in respect of Personal Data, including but not limited to collecting, storing, using, disclosing, transferring or deleting Personal Data.
“Sensitive Personal Data” has the meaning ascribed to this or any similar term provided by applicable Data Protection Legislation (e.g., “sensitive personal information”, “sensitive data”, or “special categories of personal data”).
“Websites” means Aura websites that link to this Policy unless such websites have their own data protection policy and privacy notice, including without limitation https://www.aura.co.th.
3. THE TYPES OF PERSONAL DATA WE COLLECT
If you are an Aura employee or an Aura investor, Aura’s policies and practices regarding the collection and processing of your Personal Data are detailed in Aura’s Employee and Personnel Data Protection Policy and Privacy Notice and Investor Data Protection Policy and Privacy Notice, respectively. If you make an application for employment with Aura, the collection and processing of your Personal Data is detailed in Aura’s Applicant Data Protection Policy and Privacy Notice, which will be provided to you via our applications partner website before you submit your application.
For all other individuals, Aura may collect and process the following categories of Personal Data about you from the sources identified below:
a) Website Data. When you browse the Websites, depending on how you interact with them, we may collect (i) information submitted through online forms (including name, age, date of birth, email address, address, telephone number, identification number, online identifier, location, gender, nationality, citizenship and contact information); and (ii) technical information collected by cookies and similar technologies regarding your use of the Websites, which may include device‑specific information, navigation data, technical and browsing preferences, location and entry point to the Websites. If you do not provide certain Personal Data when requested (and where relevant, provide consent), we may be unable to provide access to all areas of the Websites or related services.
b) Identity Verification Data. Identity verification information such as images of government‑issued identification (passport, national ID card, or driving license), as permitted by applicable law, or other authentication information.
c) Communications Data. Personal Data you provide when you contact Aura for any reason, including to request information, submit enquiries, use “Contact Us” features, subscribe to communications, attend events or download content. This may include name, job title, company name, phone number, location and email address.
d) Reputation & Background Check Data. If you are a service provider, business partner, or a representative thereof, Personal Data obtained from you and third parties concerning contact details, business practices, creditworthiness, reputation, business history, and roles or job titles.
e) Data Generated by Aura. Personal Data generated through our interactions with you or in the course of providing services, including information about your relationship with Aura or the services provided.
Cookies. Please refer to our Cookie Policy, which forms part of this Policy.
Do Not Track. Browsers may permit “do not track” signals. Due to the absence of an industry standard, Aura does not currently respond to such signals. Third parties (e.g., analytics providers) may collect Personal Data across websites; their practices are governed by their own privacy policies.
4. HOW WE COLLECT YOUR PERSONAL DATA
Aura may collect Personal Data:
a) directly from you (e.g., via the Websites, email, visits to our premises or other communications);
b) through automated technologies (e.g., cookies and similar tools);
c) from within Aura and our affiliates;
d) from third parties acting on your behalf (e.g., intermediaries, legal counsel or service providers);
e) from publicly available sources; and
f) from other organizations (e.g., fund administrators and service providers).
5. HOW WE USE YOUR PERSONAL DATA
Aura collects and processes Personal Data for the purposes and on the legal bases described below, including to:
a) provide marketing communications and business updates;
b) understand your needs and respond to enquiries;
c) analyze and improve services;
d) manage and administer our business;
e) provide subscribed products and services;
f) comply with applicable laws, regulations, codes and internal policies;
g) verify identity and conduct due diligence and sanctions screening;
h) detect, investigate and prevent fraud or malpractice;
i) conduct or defend legal proceedings and obtain legal advice;
j) administer databases and IT systems;
k) meet contractual obligations;
l) maintain Website security, functionality and resilience;
m) analyze Website traffic and usage trends;
n) enable Website features and access;
o) conduct cybersecurity threat detection and analysis; and
p) other purposes set out in this Policy.
Aura relies on one or more of the following legal bases: performance of a contract; consent (where required); compliance with legal obligations; establishment, exercise or defense of legal rights; and legitimate business interests that do not override your rights.
Where required by law, by accepting this Policy you consent to the collection, use, processing and disclosure of your Personal Data as described.
6. Disclosure of Your Personal Data to Third Parties
Aura Solution Company Limited may disclose Personal Data to affiliates and carefully selected third parties strictly for legitimate business, operational, and legal purposes. Such disclosures are limited to what is necessary and proportionate to fulfill defined institutional objectives.
Third-party recipients may include, but are not limited to:
- Group affiliates and controlled entities
- Professional advisors, including legal, regulatory, audit, and compliance service providers
- Technology and infrastructure providers supporting system administration, data hosting, cybersecurity, and operational resilience
- Payment, settlement, escrow, and transaction support providers
- Regulatory authorities, law enforcement bodies, courts, or governmental agencies where disclosure is required by law
- Counterparties involved in corporate transactions, restructurings, or change-of-control events, subject to applicable legal safeguards
All third parties receiving Personal Data are required to adhere to appropriate confidentiality, data protection, and information security obligations consistent with applicable law and Aura’s governance standards. Where required, contractual safeguards or other legally recognized protections are implemented to ensure lawful processing and continued protection of Personal Data.
Aura may also disclose Personal Data where necessary to establish, exercise, or defend legal rights, to protect institutional interests, or to comply with legal or regulatory obligations.
Where data is anonymized or aggregated such that individuals can no longer be identified, Aura may use or share such data for lawful analytical, operational, or institutional purposes.
Aura does not engage in automated decision-making, including profiling, that produces legal or similarly significant effects based solely on Personal Data, except where expressly permitted by applicable law and subject to appropriate safeguards.
7. Links to Other Websites
Aura’s websites may contain links to third-party websites or external resources that are not owned, operated, or controlled by Aura Solution Company Limited.
This Privacy Policy applies solely to Aura’s websites and services. Aura is not responsible for the privacy practices, content, security, or data handling policies of third-party websites. Accessing linked third-party sites is done at the user’s own discretion and risk.
Aura encourages individuals to review the privacy policies and terms of use of any external websites before providing Personal Data or engaging with their services.
8. Transfers of Personal Data
Aura Solution Company Limited operates on a global basis and, in the course of its operations, may transfer Personal Data to jurisdictions outside the country in which the data subject resides. Such transfers occur only where necessary to support lawful business operations, regulatory obligations, or client mandates. Where cross-border transfers are subject to legal restrictions, Aura implements appropriate safeguards in accordance with applicable law. These safeguards may include approved contractual protections, legally recognized transfer mechanisms, or other measures required by data protection authorities. Where mandated, Aura will obtain explicit consent prior to transferring Personal Data internationally. All transfers are governed by Aura’s internal data governance standards to ensure continued confidentiality, integrity, and lawful processing.
9. How We Safeguard Your Personal Data
Aura maintains robust technical, organizational, and administrative safeguards designed to protect Personal Data against unauthorized access, loss, misuse, alteration, or disclosure.
These measures include, but are not limited to, controlled access systems, physical security protections, information security protocols, and mandatory confidentiality obligations for employees and authorized service providers. Access to Personal Data is restricted strictly to individuals with a legitimate business or legal need. Aura regularly reviews its safeguards to ensure they remain effective, proportionate, and aligned with evolving legal and security requirements.
10. Retention and Destruction of Personal Data
Aura retains Personal Data only for as long as necessary to fulfill the purposes for which it was collected, to meet contractual commitments, and to comply with applicable legal, regulatory, or reporting obligations. Once Personal Data is no longer required, Aura ensures that it is securely deleted, destroyed, or irreversibly anonymized in accordance with applicable law and internal retention schedules. Retention practices are periodically reviewed to ensure compliance with regulatory expectations and data minimization principles.
11. Your Rights
Subject to applicable law, individuals may have certain rights in relation to their Personal Data. These rights may include the right to access, correct, update, delete, restrict, or object to the processing of Personal Data; the right to withdraw consent where processing is consent-based; the right to request data portability; and the right to receive information regarding disclosures of Personal Data.
Individuals may also have the right to lodge a complaint with a competent data protection authority. To exercise these rights, Aura may require submission of a formal Subject Access Request or verification of identity to ensure data security and lawful handling.
12. Children
Aura’s websites, services, and communications are intended solely for individuals aged eighteen (18) years and over. Aura does not knowingly collect, process, or retain Personal Data relating to children under the age of eighteen. If Aura becomes aware that Personal Data relating to a minor has been collected inadvertently, appropriate steps will be taken to delete such information promptly in accordance with applicable law.
13. Marketing Communications
Where permitted by applicable law, Aura may send marketing or informational communications related to its services. Individuals may opt out of marketing communications at any time using the methods provided in the communication or by contacting Aura directly.
Opting out of marketing communications does not affect the receipt of non-marketing communications, including legal notices, regulatory disclosures, service-related communications, or other messages required for lawful business operations.
14. Additional Information for Certain U.S. State Residents
For residents of certain U.S. states, Aura confirms that it does not sell Personal Data and does not engage in processing activities that require opt-in consent for sensitive Personal Data under applicable state privacy laws. Where de-identified or aggregated data is used, Aura maintains safeguards to ensure such data is not re-identified, except where permitted or required by law. Aura processes Personal Data in a manner consistent with applicable U.S. state privacy requirements.
15. California Privacy Notice
For residents of California, Aura complies with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), as applicable.
Aura does not sell Personal Information and does not share Personal Information for cross-context behavioral advertising. California residents may exercise their statutory rights in accordance with applicable law by submitting a verified request to Aura.
16. Contact
For questions regarding this Privacy and Data Protection framework, or to exercise applicable data protection rights, individuals may contact Aura’s designated Privacy Officer:
Privacy Officer
Aura Solution Company Limited
📧 PrivacyOfficer@aura.co.th
All requests will be handled in accordance with applicable legal requirements and Aura’s internal governance procedures.
17. Changes to This Privacy Policy
Aura Solution Company Limited reserves the right to amend, update, or modify this Privacy Policy at any time to reflect changes in legal requirements, regulatory guidance, operational practices, or institutional governance standards. Any material changes will become effective upon publication on Aura’s official platforms or through other lawful means of notification where required. Continued interaction with Aura’s services following such updates constitutes acknowledgment of the revised policy, subject to applicable law.
Aura encourages periodic review of this Privacy Policy to remain informed of how Personal Data is governed and protected.
18. Legal Basis for Processing
Aura processes Personal Data only where a lawful basis exists under applicable data protection laws. Such legal bases may include the performance of contractual obligations, compliance with legal or regulatory requirements, protection of legitimate institutional interests, or consent where required by law. Where consent is relied upon, it is obtained in a clear and lawful manner and may be withdrawn at any time, subject to legal and regulatory constraints. Aura ensures that all processing activities are proportionate, justified, and documented in accordance with its governance framework.
19. Limitation of Liability
While Aura implements rigorous legal, technical, and organizational safeguards to protect Personal Data, no system can guarantee absolute security. To the extent permitted by applicable law, Aura shall not be held liable for unauthorized access, loss, or disclosure of Personal Data arising from events beyond its reasonable control, including force majeure events or unlawful acts of third parties.
Nothing in this Privacy Policy limits or excludes liability where such limitation is prohibited by law.
20. Governing Law and Jurisdiction
This Privacy Policy, and any disputes arising from or related to it, shall be governed by and construed in accordance with the laws applicable to Aura Solution Company Limited, without regard to conflict of law principles. Any legal proceedings relating to this Privacy Policy shall be subject to the exclusive jurisdiction of the competent courts or authorities, unless otherwise required by mandatory applicable law.
AURA PRESENCE
AT THE CENTER OF THE GLOBAL DIALOGUE
Aura operates at the highest levels of global influence, engaging world leaders to shape financial systems and long-term stability.

























