Who owns the data in Goodwill construction software?

You do — completely. Every project gets an isolated PostgreSQL database under the project owner's control. There is no shared multi-tenant database. Upon project completion, all data transfers to the O&M phase with zero dependency on Goodwill.

Can I migrate my data out of Goodwill software?

Yes. We provide full data export at any time — including PostgreSQL database dumps, document archives, and structured CSV exports. There is no vendor lock-in. Your data is portable from day one.

What is construction PMIS and why do I need it?

A Project Management Information System (PMIS) centralises your WBS, Gantt scheduling, Earned Value Management (EVM), and project dashboards in one platform. It replaces scattered spreadsheets with real-time, cloud-based project control — accessible from site or office.

How does Goodwill differ from large construction software vendors?

We are a boutique team of 5 professionals with real construction site experience. Our founder is a licensed architect and BIM manager. You work directly with the people who build the software — no sales layers, no offshore support. Every product is born from actual project deployment.

What technology stack does Goodwill software use?

Our current stack is Next.js, TypeScript, Prisma ORM, Neon PostgreSQL, and Vercel — deployed as Progressive Web Apps (PWA). We migrated from legacy PHP/MySQL to this modern architecture for better performance, security, and offline capability.

Does Goodwill software support BIM workflows?

Yes. Our Autodocs platform supports ISO 19650 BIM management. Our founder holds BIM Manager certification and Autodesk Revit Professional certification, ensuring our software aligns with international BIM standards used in Thailand and Japan.

Privacy Policy

This Privacy Policy explains how Goodwill of Work Company Limited ("Goodwill of Work", "we", "us", or "our") collects, uses, discloses, and safeguards personal data when you visit goodwill.work, use our products (including ONE-PMIS, Autodocs, the Defect Inspection System, and HOOK Architects ERP), submit a request for a quote or demo, or otherwise interact with us. Goodwill of Work is a company registered in Thailand and its data processing activities are governed by the Personal Data Protection Act B.E. 2562 (2019) of Thailand ("Thai PDPA").

1. Data Controller

Goodwill of Work Company Limited is the data controller responsible for the personal data described in this Policy.

Registered office: 106 Soi Ramkhamhaeng 26/1, Ramkhamhaeng Road, Huamark, Bangkapi, Bangkok 10240, Thailand.

Email: support@goodwill.work · Tel: +66 2 118 6324.

2. Personal Data We Collect

We collect the following categories of personal data, only to the extent necessary for the purposes set out in this Policy:

Identification & contact data

Full name, job title, company name
Business email address and telephone number
Postal or business address, where you choose to provide it

Account & customer data

Login credentials limited to what is strictly necessary for authentication (typically an email address and a salted password hash, or an OAuth identifier where you sign in through a third-party provider). We apply data minimisation at sign-up and do not collect profile information beyond what each product strictly requires.
Role, organisation, and project assignments within ONE-PMIS, Autodocs, the Defect Inspection System, and HOOK Architects ERP
For ERP applications that include scheduling features (such as HOOK Architects ERP and ONE-PMIS): Google Calendar events (read and write, via OAuth scope calendar.events) on your primary Google Calendar, collected solely to create, update, and delete appointment events triggered by your actions in our applications. Calendar data is accessed through Google's OAuth flow and is subject to the Google API Services User Data Policy (see Section 8). We only access events our applications created, identified by event IDs in our database; we never read, store, or analyse other calendar events on your calendar. These are recorded only when you enable the corresponding feature and grant consent, and are not used for any other purpose.
Records of support requests, contracts, invoices, and payment status

Technical & device data

IP address, device identifiers, browser type and version, operating system, screen resolution, and language preference
Server logs, error reports, and crash diagnostics

Usage & analytics data

Pages visited, links clicked, referring URLs, session duration, and similar engagement metrics
Information collected through cookies, pixels, and similar technologies (see Section 5)

Communications data

Content of form submissions (e.g., request-a-quote), enquiries, and correspondence with our sales or support teams
Marketing preferences and consent records

We do not knowingly collect sensitive personal data (such as data revealing racial or ethnic origin, religion, health, or biometric data) through this website. Please do not submit such information through our forms.

3. How We Collect Personal Data

We collect personal data from the following sources:

Directly from you, when you fill out a form, request a quote or demo, sign a contract, or otherwise communicate with us;
Automatically, when you interact with our website or products, through cookies, server logs, and analytics tools;
From your organisation, where your employer or client provides your contact details so that we can deliver services;
From publicly available or third-party sources, such as company registries, professional networks, or business contact databases, where lawful.

4. Purposes of Processing & Legal Bases

We process personal data only when we have a lawful basis to do so under the Thai PDPA. The principal purposes and legal bases are:

Performance of a contract (Thai PDPA s.24(3))

Providing access to and operating ONE-PMIS, Autodocs, the Defect Inspection System, and HOOK Architects ERP
Processing your request for a quote, demo, or other pre-contractual steps
Issuing invoices, processing payments, and providing customer support

Legitimate interests (Thai PDPA s.24(5))

Securing our website and products against fraud, abuse, and unauthorised access
Improving our products, content, and user experience based on aggregated usage data
Conducting B2B marketing of construction-software products to business contacts who have a reasonable expectation of such communications

Consent (Thai PDPA s.19)

Sending electronic marketing communications where consent is required by law
Setting non-essential cookies and similar tracking technologies (see Section 5)
Any processing of sensitive personal data, where applicable

Legal obligation (Thai PDPA s.24(6))

Complying with tax, accounting, anti-money-laundering, and other statutory record-keeping obligations
Responding to lawful requests from public authorities, courts, or regulators

5. Cookies and Similar Technologies

We use cookies, pixels, and similar technologies to operate our website, remember your preferences, measure performance, and (with your consent) deliver targeted marketing.

Strictly necessary cookies are required for the website to function and do not require consent. Analytics and marketing cookies (including Google Analytics and Google Tag Manager) are set only with your consent, which you may withdraw at any time through your browser settings or our cookie banner where available.

7. Cloud Infrastructure and Data Location

Some of our services utilise cloud infrastructure provided by third-party providers (such as Google Cloud Platform and Vercel) with data centres located in Singapore. These providers act as data processors under our instruction and are contractually restricted from accessing or using your personal data for their own purposes.

We rely on Thai PDPA s.28(3) as the legal basis for this arrangement, as the use of cloud infrastructure is necessary for the performance of our contracted services to you. Our cloud providers maintain industry-standard certifications (including ISO 27001 and SOC 2) to ensure appropriate data protection.

We do not transfer your personal data to any country other than Thailand and Singapore in the ordinary course of our services.

8. Google API Services — Limited Use Disclosure

Goodwill develops business ERP applications — including ONE-PMIS, HOOK Architects ERP, the Defect Inspection System, and related services — used by various organisations to manage projects, HR, and team coordination. We use the Google Calendar API (OAuth scope: calendar.events) solely to create, update, and delete appointment events on users' primary Google Calendars when they take direct actions in our applications. Supported use cases include site visits, client meetings, project deadlines, job interviews, and contractor coordination. This section explains how Goodwill of Work handles data obtained through Google APIs in accordance with the Google API Services User Data Policy.

We chose calendar.events because calendar.readonly cannot create events, while the full calendar scope grants permissions we do not need. calendar.events is the minimum scope required for our use case.

We only access events our applications created, identified by event IDs stored in our database. We never read, store, or analyse other calendar events on users' calendars. All Google Calendar API calls are triggered exclusively by direct user actions within our applications. OAuth tokens are encrypted at rest and transmitted via HTTPS (TLS).

Goodwill of Work's use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements (https://developers.google.com/terms/api-services-user-data-policy).

Specifically:

Goodwill of Work will use data obtained from Google APIs only to provide and improve the user-facing calendar integration features across our ERP applications, and for no other purpose.
Goodwill of Work will not use Google API data to serve advertisements of any kind.
Goodwill of Work will not allow humans to read Google Calendar data obtained via the API, except: (i) where you have given your explicit, informed consent to do so; (ii) for security purposes, such as investigating abuse or a reported security incident; (iii) to comply with applicable law; or (iv) where data is aggregated and anonymised such that individual users cannot be identified.
Goodwill of Work will not transfer or sell Google API data to third parties, except as necessary to provide the calendar integration feature to you, to comply with applicable law, or in connection with a merger, acquisition, or sale of assets (with prior notice to you and subject to the same use restrictions).

You may revoke Goodwill of Work's access to your Google Calendar at any time by visiting https://myaccount.google.com/permissions and removing the relevant application authorisation. Revoking access will disable the Google Calendar integration feature only and will not affect your other data held by Goodwill of Work.

9. Data Retention

In accordance with the retention limitation principle under the Thai PDPA, we retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements.

Indicative retention periods are: enquiry and marketing data — up to 2 years from last interaction; customer account and contract data — for the duration of the contract and up to 10 years thereafter to comply with Thai tax and accounting laws; server and security logs — typically up to 12 months.

When personal data is no longer required, we securely delete, anonymise, or destroy it.

10. Data Security

We implement appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include encryption in transit (TLS), encryption at rest where appropriate, access controls based on the principle of least privilege, multi-factor authentication for administrative access, regular backups, vulnerability scanning, and staff training.

No method of transmission or storage is fully secure. In the event of a personal data breach that is likely to affect the rights and freedoms of data subjects, we will notify the Office of the Personal Data Protection Committee of Thailand within 72 hours of becoming aware of the breach, as required by Thai PDPA s.37(4), and, where required, notify affected data subjects without undue delay.

11. Your Rights

Subject to applicable law and any statutory exemptions, you have the following rights in relation to your personal data under the Thai PDPA:

Right of access — to request confirmation of, and a copy of, the personal data we hold about you (Thai PDPA s.30);
Right to rectification — to ask us to correct inaccurate or incomplete personal data (Thai PDPA s.35);
Right to erasure — to request deletion of your personal data where it is no longer necessary or where you have withdrawn consent (Thai PDPA s.33);
Right to restrict processing — to ask us to limit how we use your personal data in certain circumstances (Thai PDPA s.34);
Right to data portability — to receive your personal data in a structured, commonly used, machine-readable format (Thai PDPA s.31);
Right to object — to object to processing based on legitimate interests or for direct marketing (Thai PDPA s.32);
Right to withdraw consent — at any time, without affecting the lawfulness of processing prior to withdrawal (Thai PDPA s.19);
Right to lodge a complaint — with the Office of the Personal Data Protection Committee (PDPC) of Thailand under Thai PDPA s.73.

To exercise any of these rights, please contact us using the details in Section 15. We will respond within 30 days of receiving a verified request, or such longer period as permitted by law. We may need to verify your identity before acting on a request.

12. Children's Privacy

Our website and products are designed for business use and are not directed to children. We do not knowingly collect personal data from individuals under 20 years of age (minors under Thai law) without appropriate parental or guardian consent, in accordance with Thai PDPA s.20. If you believe a child has provided us with personal data, please contact us at support@goodwill.work so we can take appropriate action.

13. Third-Party Links

Our website may contain links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party services and are not responsible for their privacy practices. We encourage you to read the privacy policy of every website you visit.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. The "Last updated" date at the top of this Policy indicates when it was most recently revised. Material changes will be communicated through a prominent notice on our website or by email where appropriate. Your continued use of our website or services after the effective date constitutes acceptance of the updated Policy.

15. How to Contact Us

For any questions, requests, or complaints relating to this Privacy Policy or to exercise your rights, please contact our Data Protection Officer:

Goodwill of Work Company Limited — Data Protection Officer
106 Soi Ramkhamhaeng 26/1, Ramkhamhaeng Road, Huamark, Bangkapi, Bangkok 10240, Thailand
Email: support@goodwill.work
Telephone: +66 2 118 6324

If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Personal Data Protection Committee (PDPC) of Thailand at https://www.pdpc.or.th under Thai PDPA s.73.