Data Privacy & Security
ai.KMITL takes your privacy and data security seriously. This guide explains how your data is protected, what information is collected, and your rights regarding your data.
Last Updated
This Privacy Policy was last updated on November 1, 2025.
Overview
Key principles:
- Encryption: All sensitive data is encrypted
- Privacy-first: Minimal data collection
- Secure storage: Industry-standard security
- Your control: You own your data
- Local: Managed by KDMC at KMITL
Information We Collect
A. Information You Provide Directly
KMITL Account Information:
- Your @kmitl.ac.th email address
- Display name
- Institutional affiliation
API Keys (BYOK):
- If you use "Bring Your Own Key", we store encrypted API keys
- Keys are encrypted at rest and in transit
- Only used for your designated provider
Conversation Data:
- Your chat messages and interactions with AI models
- AI responses to your queries
- Timestamps and thread organization
- Model used per message
Custom Configurations:
- MCP server settings
- Supermemory integration
- Custom model endpoints
- Search provider preferences
Usage Preferences:
- Theme selection (light/dark)
- Model preferences
- Account settings
- Folder organization
B. Information Collected Automatically
Usage Statistics:
- Number of messages sent
- AI models used (aggregated)
- Feature access patterns
- Error rates for debugging
Device Information:
- Browser type and version
- IP address
- Operating system
- Device type (desktop, mobile, tablet)
Access Logs:
- Login times
- Session duration
- Last seen timestamp
- Active sessions
NOT Collected:
- ❌ Actual message content for analytics
- ❌ Personal identifiers in aggregated data
- ❌ Individual behavior tracking
- ❌ Browsing history outside platform
- ❌ Location data (unless explicitly shared)
- ❌ Social media profiles
- ❌ Contact lists
- ❌ Biometric data
How We Use Your Information
We use collected information for:
- ✅ Providing and maintaining the Platform
- ✅ Processing your requests and managing your account
- ✅ Tracking your monthly message quota and usage limits
- ✅ Improving Platform functionality and user experience
- ✅ Ensuring platform security and preventing abuse
- ✅ Communicating important updates or policy changes
- ✅ Complying with legal obligations
We do NOT:
- ❌ Sell your personal data to third parties
- ❌ Use your conversations for AI model training without consent
- ❌ Share your API keys with unauthorized parties
- ❌ Use your data for marketing purposes
- ❌ Track your behavior for advertising
- ❌ Share data with third parties for their marketing
Potential Model Training by Providers
Some AI models, depending on the provider and your configuration, may require the use of your conversation data for model training or improvement purposes. In such cases, ai.KMITL will display a clear warning and request your explicit consent before any data is sent to a provider that retains or uses conversations for training.
Platform Safeguards:
- You will receive an on-screen popup with details before proceeding.
- No conversation data will be shared for training without your informed consent.
- You may always choose to cancel or switch to a model that does not require training data retention.
Please read all warnings carefully and review the privacy policies of any provider before proceeding with a model or feature that may use your data for training.
Data Security
Your data security is our top priority. We implement multiple layers of protection:
Encryption
In transit:
- HTTPS/TLS 1.3 for all communications
- Modern encryption protocols
- Secure connections to AI providers
At rest:
- Industry-standard encryption (AES-256)
- Encrypted database storage
- Encrypted backups
- Secure key management
API Keys:
- Encrypted at rest and in transit using industry-standard encryption
- Never logged in plain text
- Not accessible by staff
- You can delete anytime
Access Control
You (Full Access):
- All your conversations
- All your settings
- Your API keys (view masked, full for use)
- Your usage statistics
- Export and delete capabilities
KDMC Staff (Limited):
- Can see: Account exists, email, join date
- Cannot see: Actual conversations, API keys, message content
- Only for: Technical support, account issues
No One Else:
- Third parties cannot access your data
- AI providers process requests but don't store conversations
- No selling of data
- No marketing access
Security Measures
Platform security:
- 🔒 Regular security audits
- 🛡️ Firewall protection
- 🔍 Intrusion detection systems
- ⚡ DDoS protection
- 📝 Security event logging
- 🔄 Regular security updates
Authentication:
- 🔐 KMITL IAM integration (KMITL Account Gen.2)
- 🔑 Secure session management
- ⏱️ Auto logout after inactivity
- 🚫 No password storage
- 👥 Multi-device session management
Institutional Protection:
- All data housed on KMITL infrastructure
- Managed by KDMC (KMITL Data Management Center)
- Complies with KMITL IT policies
- Subject to academic data guidelines
Security Disclaimer
However, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security.
Data Retention
Active Accounts
While you use the platform:
- Conversations: Retained while your account is active
- Account data: Maintained as long as account exists
- Usage statistics: Rolling 12 months
- API keys: Until you delete them
- File uploads: Processed temporarily, then deleted after a while
Inactive Accounts
If you stop using:
- Account remains: Active indefinitely
- Data preserved: Not automatically deleted
- Retention period: 12 months after last login, then data deleted
- Reactivation: Login before 12 months to keep data
Alumni & Former Staff
After graduation or resignation:
- Account Access: If your KMITL Account Gen.2 access ends (for example, upon graduation for students or resignation for staff), your access to ai.KMITL will be revoked immediately. This enforcement is automatic and depends on KMITL IAM records.
- Data Deletion: All associated account data, conversations, files, and settings will be deleted 12 months after access is revoked, following the same retention policy as inactive accounts.
Message Quota
Monthly resets:
- Message counts reset on the 1st of each month
- Usage history maintained for 12 months
- Quota tracking for service management
Deleted Data
When you delete:
- Immediate removal from active systems
- Backups purged within 30 days
- Logs within 90 days (in compliance with Thailand's Computer-related Crime Act 2007)
- Cannot be recovered after deletion
Deletion requests:
- You may request data deletion at any time
- Contact kdmc@kmitl.ac.th or dpo@kmitl.ac.th
Third-Party Services
AI Providers
ai.KMITL integrates with external AI providers:
- Claude (Anthropic)
- GPT (OpenAI)
- Gemini (Google)
- Grok (xAI)
- DeepSeek
- Meta Llama
- Other Custom Models
When you interact with these services:
- Your messages are sent to the respective AI provider
- Each provider has its own privacy policy
- We recommend reviewing their policies at their websites
- API keys you provide are sent only to your designated provider
With system API keys (default access):
- Requests sent to AI providers via our managed keys
- Providers process but don't store conversations (see below)
- Subject to providers' privacy policies
- KDMC manages API keys securely
With your own API keys (BYOK):
- Direct connection to provider using your key
- Subject to provider's terms and conditions
- Your API key, your responsibility
- More control over data flow and costs
Zero Data Retention Policy
No Training on Your Data
For every AI model that supports requesting no data retention, we actively request that all API calls have zero data retention on cloud servers.
This means:
- ✅ Your conversations are NOT stored by AI providers for training purposes
- ✅ Your data is processed in real-time and NOT retained after response generation
- ✅ We configure all applicable models with the strictest no-retention policies available
- ✅ Your conversations don't train OpenAI, Anthropic, or other providers' models
Important
Despite these protections, you should never send sensitive, confidential, or private data through the platform. While we implement the strongest available safeguards, users remain responsible for the information they choose to share with AI models.
Provider Privacy Policies
Major providers:
- OpenAI: openai.com/privacy
- Anthropic: anthropic.com/privacy
- Google: policies.google.com/privacy
- xAI: x.ai/legal/privacy-policy
- OpenRouter: openrouter.ai/privacy and openrouter.ai/docs/features/privacy-and-logging
We recommend reviewing these policies. We are not responsible for third-party privacy practices.
Web Search Providers
When web search is enabled:
- Queries sent to search providers (Brave, Tavily, Firecrawl, Serper)
- Results processed temporarily
- No personal data shared with search services
- Your IP not exposed to target sites
- Privacy-focused providers preferred (Brave)
- Can disable feature anytime
Cookies & Tracking
What We Use
We use cookies for:
Session Management and Authentication:
- Maintain your logged-in state
- Secure session tokens
- Multi-device session tracking
User Preferences:
- Theme selection (light/dark)
- Language preferences
- Chat width settings
Security and Fraud Prevention:
- CSRF protection
- Session validation
- Abuse detection
What We Don't Use
- ❌ No tracking cookies for advertising
- ❌ No third-party analytics trackers
- ❌ No behavioral profiling pixels
- ❌ No social media tracking
Control: You can control cookies through your browser settings. Disabling cookies may limit Platform functionality.
Your Privacy Rights
Right to Access
You can:
- View all your data in the platform
- Request a copy of your personal data
- See usage statistics and patterns
- Review all stored conversations
Right to Correction
You can:
- Edit messages in conversations
- Correct profile data
- Modify preferences
How: Edit in-app Settings
To exercise these rights, contact: kdmc@kmitl.ac.th
Compliance
PDPA (Thailand)
ai.KMITL complies with Thailand's Personal Data Protection Act (PDPA):
- ✅ Lawful data collection
- ✅ Explicit consent obtained
- ✅ Data minimization practiced
- ✅ Purpose limitation enforced
- ✅ User rights respected
- ✅ Security measures in place
- ✅ Data breach notification procedures
KMITL Policies
Operates under:
- KMITL IT policies and guidelines
- Academic data protection standards
- KDMC security standards
- Educational use terms
- Institutional ethics guidelines
International Standards
Following best practices from:
- GDPR principles (even though not in the EU)
- Industry standards for data protection
Children's Privacy
ai.KMITL is intended for KMITL students and staff. We do not knowingly collect information from children under 13. If we become aware of such collection, we will:
- Delete the information immediately
- Notify parents/guardians
- Take corrective measures
- Update our procedures
International Users
ai.KMITL is hosted on KMITL servers in Thailand and complies with Thai data protection regulations.
If you access from outside Thailand:
- You acknowledge data transfer to Thailand
- Data subject to Thai laws and regulations
- KMITL infrastructure location: Bangkok, Thailand
- Governed by Thai data protection standards
Changes to This Policy
We may update this Privacy Policy periodically to reflect:
- Changes in legal requirements
- New features or services
- Security improvements
- User feedback
When we update:
- Changes posted on this page and ai.kmitl.ac.th/privacy-policy
- "Last Updated" date revised
Continued use of the Platform after changes constitutes acceptance of the updated policy.
Incident Response
Reporting Security Issues
If you find a vulnerability:
Contact:
- Email: kdmc@kmitl.ac.th
- Phone (mobile): (+66) 091-190-6000
- Phone (office): (+66) 02-329-8000 ext. 6000
- Line: @kdmc
Please:
- Describe the issue clearly and thoroughly
- Provide steps to reproduce (if applicable)
- Don't exploit the vulnerability further
- Give us reasonable time to fix before public disclosure
We promise:
- Take all reports seriously
- Respond promptly to confirmed issues
- Fix verified vulnerabilities quickly
- Credit security researchers (if desired)
- No legal action against good-faith researchers
Best Practices for You
Protecting Your Account
Do:
- ✅ Use a strong KMITL password
- ✅ Sign out on shared devices
- ✅ Monitor your usage regularly
- ✅ Review active sessions periodically
- ✅ Report suspicious activity immediately
Don't:
- ❌ Share your KMITL credentials with anyone
- ❌ Use public computers without signing out
- ❌ Share your screen with sensitive conversations visible
- ❌ Ignore security warnings or notifications
Protecting Your Data
Recommendations:
- Delete old conversations you don't need
- Be careful what personal information you share with AI
- Don't include sensitive personal data unnecessarily
- Use BYOK for additional control over your data
- Review privacy settings periodically
- Monitor active sessions for unauthorized access
API Key Security
If using BYOK:
- ✅ Create unique keys specifically for ai.KMITL
- ✅ Monitor usage at provider dashboards
- ✅ Set spending limits to prevent unexpected charges
- ✅ Rotate keys periodically for security
- ✅ Delete unused keys immediately
- ✅ Never share API keys with others
- ✅ Report lost keys to providers immediately
Contact & Questions
Privacy Questions
For privacy inquiries:
- Email: kdmc@kmitl.ac.th
- Alternative: dpo@kmitl.ac.th (Data Protection Officer)
Data Requests
For access, deletion, or correction requests:
- Email kdmc@kmitl.ac.th or dpo@kmitl.ac.th
Response time: Within 7 days
Contact Information
KMITL Data Management Center (KDMC)
- Address: 1 Chalong Krung Road, KLLC Building, Lat Krabang District, Bangkok 10520, Thailand
- Email: kdmc@kmitl.ac.th
General Support
See Support page for other inquiries.
Governing Law
This Privacy Policy is governed by the laws of Thailand and is subject to Thai data protection regulations, including the Personal Data Protection Act (PDPA) B.E. 2562 (2019).
Any disputes arising from this Privacy Policy shall be subject to the jurisdiction of Thai courts.
Stay Informed
Privacy policies and practices may be updated.
