Privacy Policy

Version 1.0 · Last updated May 7, 2026 · Awaiting legal review

This is a v1 draft. A qualified data-protection lawyer should review before this policy ships to production. Contact privacy@messeatlas.com with corrections.

1. Who we are

Messe Asia Co., Ltd. (Reg. 0105569070485, registered in Bangkok, Thailand) operates the Messe Atlas platform at messeatlas.com. We are the data controller for personal data processed through this platform.

Contact: privacy@messeatlas.com · Messe Asia Co., Ltd., Bangkok, Thailand.

2. What data we process

Three categories:

2.1 B2B contact data (companies + individuals at companies)

We aggregate and enrich publicly-available B2B firmographic data about companies, their subsidiaries, and the named decision-makers who represent them in professional capacity (e.g. names, titles, corporate email addresses, professional phone numbers, LinkedIn URLs). Sources: Apollo, RocketReach, Apify-managed scrapers, public event websites, and licensed datasets from sister projects within the Messe Asia portfolio (PrideShow, Composites Bridge).

Lawful basis: legitimate interest (B2B prospecting), with consent required where local law mandates it (PDPA Thailand for Thai data subjects in marketing channels; GDPR Article 6(1)(f) + balancing test for EU data subjects; PIPL for any China-based subjects scraped in passing).

2.2 Operator and subscriber accounts

When you sign in to the operator console or subscribe to the Atlas Briefing newsletter, we store: email address, magic-link authentication tokens, and (operator-only) session activity metadata. Cookie data: see Cookies section below.

2.3 Consent + audit records

We log every external API call (vendor name, endpoint, our query) for cost attribution and replay-audit purposes. We log every consent grant or withdrawal with timestamp, source page, and IP hash. We log data subject requests with statutory due dates so we meet response deadlines.

3. How we use it

Power lead-intelligence operator workflows for the Messe Asia event portfolio
Send transactional emails (account, magic link)
Send the Atlas Briefing newsletter (you can unsubscribe anytime)
Improve dataset quality (entity resolution, dedup, fuzzy matching)
Compliance and audit (ourselves and vendor-quota reconciliation)

We do not sell personal data. We do not share contact data with third-party advertisers. We share only with vetted enrichment vendors and infrastructure providers under written DPAs (see §6).

4. Cookies

We use the smallest cookie set that lets the platform function:

Necessary: Supabase Auth session (sb-*-auth-token) — required for sign-in. No tracking. Cleared on sign-out.
Analytics (opt-in only): Vercel Analytics (anonymous pageview pings, no cookies, no fingerprinting). Off by default. Enabled only via the cookie banner.
Marketing: none.

You can change your cookie preferences anytime via the cookie banner footer link.

5. Data subject rights

Depending on where you are, you have the following rights and we meet the statutory response windows:

PDPA Thailand (in effect 2022): access, rectification, erasure, portability, restriction, objection. Response window: 30 days.
GDPR (EU): same rights. 30-day response window (extendable by 60 days for complex cases).
Singapore PDPA: access + correction primarily. 21 working days.
PIPL (China): access, rectification, deletion. 15 working days.
CCPA (California): know, delete, opt-out of sale (we don’t sell). 45 days.

File a request via the online form or email privacy@messeatlas.com with subject line “Data subject request: [type]”. We verify identity before responding.

6. Vendors and cross-border transfers

Atlas processes data through these vendors. All operate under written Data Processing Agreements (DPAs):

Supabase — Postgres + auth + storage (region: Singapore ap-southeast-1)
Vercel — frontend hosting (region: Singapore sin1)
Cloudflare — DNS + CDN
Apollo, RocketReach, Apify — B2B enrichment + managed scraping
Anthropic — entity resolution and summarization (no personal data sent in prompts; only deduplication signals)
Resend — transactional + newsletter email delivery
Vercel Analytics (opt-in only) — anonymous pageview analytics; no cookies, no cross-site tracking

Cross-border transfers (e.g. Thai data to US-based vendors) are covered by Standard Contractual Clauses (EU/GDPR), the Singapore PDPA Data Protection Trustmark, and equivalent safeguards under PDPA Thailand.

7. Retention

Raw scrapes: 90 days (replay-audit only)
Enriched contact data: 24 months from last refresh, unless renewed
Engagement records: indefinite (legitimate interest in BD timeline)
Operator session logs: 90 days
Newsletter subscribers: until unsubscribe
Consent records: indefinite (compliance evidence)

8. Security

We host on Supabase + Vercel under industry-standard controls (TLS in transit, AES-256 at rest, Row-Level Security on the warehouse, magic-link auth — no passwords). Service-to-service calls between sister projects use signed JWTs with project-scoped tokens. The operator console is gated behind authenticated sessions; raw enrichment payloads (Apollo / RocketReach JSON) are never exposed on public surfaces.

9. Changes to this policy

We’ll notify you of material changes by email (subscribers + operators) and post the updated date here. Continued use after the effective date constitutes acceptance.

10. Contact + complaints

Email privacy@messeatlas.com. You also have the right to complain to your local supervisory authority (Office of the Personal Data Protection Committee in Thailand; your national DPA in the EU; PDPC in Singapore; CAC in China; California Attorney General in CA).

← Home Terms File a data request