Privacy Policy

PERSONAL DATA PROTECTION POLICY

AN PHAT HOLDINGS JOINT STOCK COMPANY

This personal data protection policy describes how An Phat Holdings Joint Stock Company (hereinafter referred to as “the Company”) collects, uses and processes personal data arising in the course of the Company’s business operations.

1. GENERAL PROVISIONS

1.1. Personal data: means digital data or information in other forms that identify or help identify a specific person. Personal data includes basic personal data and sensitive personal data.

1.2. Personal data subject: means the person reflected by personal data, including all individual customers who are using the Company’s products and services, employees of the Company, shareholders/managers of the Company, related persons of shareholders/managers of the Company and/or other individuals who have legal relations with Company.

1.3. Processing of personal data: means one or more activities affecting personal data in accordance with the provisions of current law.

1.4. This Policy may be updated, amended, supplemented or replaced by the Company from time to time to ensure compliance with current legal regulations and/or changes in the Company’s operations. Any changes will be posted by the Company on the Company’s official website and/or notified to the Data Subject in an appropriate manner.

1.5. The Company undertakes to comply with the following principles when processing personal data:

  1. The Company processes and protects personal data in accordance with the provisions of Vietnamese law;
  2. The Company collects personal data for specific, clear and lawful purposes in accordance with the provisions of Vietnamese law;
  3. The Company always applies and updates technical measures in accordance with the provisions of Vietnamese law to ensure the security of personal data, including protection measures from unauthorized access and/or destruction, loss or damage to personal data;
  4. The Company stores personal data appropriately and to the extent necessary for processing in accordance with the provisions of Vietnamese law;
  5. The Company does not collect personal data of children as customers or service users, except where the data of the Employee’s child is processed for welfare purposes, or information about the relevant person of the business manager, legal representatives, members of the Control Board as prescribed by law.

2. PERSONAL DATA PROCESSED

2.1. Basic personal data includes:

  1. Surname, middle name, and given name at birth; other names (if any);
  2. Date of birth; date of death or missing;
  3. Gender;
  4. Place of birth; place of birth registration; place of permanent residence registration; place of temporary residence registration; current place of residence; hometown; contact address;
  5. Nationality;
  6. Images of the individual;
  7. Phone number; personal identification number; passport number; driver’s license number; vehicle registration plate number;
  8. Marital status;
  9. Information on family relationships (parents, children, spouse);
  10. Information on the individual’s digital accounts;
  11. Other information associated with a specific individual or capable of identifying a specific individual, other than the information Section 2.2 below.

2.2. Sensitive personal data includes the following main data:

  1. Data revealing racial origin or ethnic origin;
  2. Opinions on politics, religion, and belief;
  3. Information on private life, personal secrets, and family secrets;
  4. Health status;
  5. Biometric data and genetic characteristics;
  6. Data revealing an individual’s sexual life or sexual orientation;
  7. Data on crimes and violations of law collected and stored by law enforcement agencies;
  8. Location data of individuals determined through positioning services;
  9. Login names and passwords for access to individuals’ electronic identification accounts; images of ID cards, citizen ID cards, or 9-digit ID cards;
  10. Login names and passwords for access to bank accounts; bank card information; data on transaction history of bank accounts; financial and credit information and other information relating to financial activities and transaction history, securities, and insurance of clients at credit institutions, foreign bank branches, intermediary payment service providers, securities institutions, insurers, and other authorized organizations;
  11. Data monitoring behavior and activities related to the use of telecommunications services, social networks, online communication services, and other services in cyberspace;;

3. PURPOSE OF PROCESSING PERSONAL DATA

Personal data may be processed for one or more of the following purposes:

3.1. Assessing the ability to provide goods, services or/and entering into contracts with personal data subjects, including but not limited to the following purposes:

  1. Identify and verify information about personal data subjects;
  2. Evaluate, appraise and approve the provision of goods and services according to registration documents, applications and contracts of personal data subjects;
  3. Consider providing or continuing to provide any of the Company’s goods or services to the personal data subject;

3.2. Fulfilling obligations in contracts, agreements, terms, conditions and other documents between the Company and personal data subjects, customer support including but not limited to the following purposes:

  1. Fulfilling obligations under contracts, agreements and providing goods and services to personal data subjects;
  2. Maintaining, updating and processing information of personal data subjects;
  3. Take care of and settle complaints and lawsuits of personal data subjects;
  4. Use and transfer to partners personal data and related information to identify and troubleshoot problems of products and services;
  5. Contact and notify personal data subjects;

3.3. Improving the quality of the Company’s goods and services, including but not limited to:

  1. Provide information that the client has requested or the Company finds useful to the client;
  2. Manage customer accounts;
  3. Statistics and data analysis for research, construction, development and improvement of goods and services;
  4. Introduce new products and services offered by APH.

3.4. Serving the Company’s business and operation activities including but not limited to the performance of reporting, financial, accounting and tax obligations, activities for the purpose of auditing, compliance and other activities serving the Company’s legitimate business in cases that the Company deems necessary.

3.5. Prevention, combat, prevention, investigation and detection of crimes.

3.6. Protecting social order and safety, protecting the legitimate rights and interests of personal data subjects, the Company and other related parties.

3.7. To comply with the provisions of law and international treaties to which Vietnam is a signatory including but not limited to: To provide competent state agencies in accordance with the provisions of law; To perform obligations in accordance with the provisions of law and international treaties that the Company must comply with (if any).

3.8. Other purposes with the consent of the personal data subject.

3.9. Data processing without the consent of the data subject The Company reserves the right to process personal data without the consent of the data subject in cases where

  1. In case of emergency, it is necessary to immediately process the relevant personal data to protect the life and health of the data subject or other persons.
  2. The disclosure of personal data in accordance with the law.
  3. The processing of data by competent state agencies in case of emergencies on national defense, national security, social order and safety, natural disasters and dangerous disasters.
  4. To fulfill the contractual obligations of the data subject with relevant agencies, organizations and individuals in accordance with the law.
  5. Serving the activities of state agencies that have been prescribed by specialized laws.

4. HOW PERSONAL DATA IS COLLECTED AND PROCESSED

4.1. Method of collection

  1. The personal data collected is as follows:
  2. From the Company’s websites and affiliated applications.
  3. From the provision of products and services, the fulfillment of obligations under contracts and agreements of the Company.
  4. From exchanges and communications with personal data subjects.
  5. From social networks: means the Company’s social networks and/or social networks that the Company cooperates with partners.
  6. From audio and video recording devices.
  7. From interactions or automated data collection technologies: The Company may collect automatically recorded information from the connection: Cookies, pixel tags and other similar technologies; Any technology capable of tracking personal activity on devices or websites; Other data information provided by a device.
  8. Other means: The Company may collect personal data through public, official sources of information or through the receipt of internal data sharing within the Group.

4.2. How to store

Personal data is stored in Vietnam in the Company’s database system. The retention period of personal data is determined based on the purpose of use and in accordance with the law.

4.3. Manner of data transfer/sharing

  1. The Company will not sell personal data to any party. The Company uses the necessary security measures to ensure the secure transfer/sharing of personal data. Personal data is shared by the company with (i) In the An Phat Holdings system; (ii) individuals/organizations involved in the processing of personal data; or (iii) competent state agencies or other cases in accordance with the provisions of law.
  2. If the recipient of personal data is headquartered outside the territory of Vietnam, when providing/transferring personal data abroad (including but not limited to the use of cyberspace, devices, electronic means or other forms to transfer personal data outside the territory of Vietnam), The Company will require the recipient to ensure the safety and confidentiality of the personal data provided/transferred.
  3. The company is committed to fully complying with the regulations and compliance requirements of Vietnamese law to protect the safety of personal data.

5. UNINTENDED CONSEQUENCES AND DAMAGES THAT ARE LIKELY TO OCCUR

5.1. The Company uses various information security technologies to protect and prevent unauthorized access, use or sharing of personal data. However, the Company cannot commit to ensuring the absolute security of personal data in some cases such as:

  1. Hardware and software errors in the process of data processing that cause data loss of personal data subjects;
  2. Security vulnerabilities are beyond the Company’s control, the system is attacked by hackers, causing data leakage and leakage.

5.2. The personal data subject should be aware that at any time when the personal data subject discloses and makes his/her personal data public, it may be collected and used by others for purposes beyond the control of the personal data subject and the Company.

5.3. In case the data storage server is attacked, resulting in the loss, disclosure or leakage of personal data, the Company shall be responsible for notifying the case to the investigating authorities for timely handling and notifying the subject of personal data in accordance with the law.

6. TIME OF COMMENCEMENT AND END OF PROCESSING OF PERSONAL DATA

6.1. Personal data is processed from the moment the Company lawfully receives the personal data and the Company has an appropriate legal basis to process the data in accordance with the law.

6.2. Personal data will be processed until the purposes for which the data processing has been completed.

6.3. The Company may have to store personal data even if the contract between the parties has been terminated in order to fulfill its obligations in accordance with the law and/or the requirements of competent state agencies.

7. ORGANIZATIONS AND INDIVIDUALS PARTICIPATING IN THE PROCESS OF PROCESSING PERSONAL DATA

7.1. As the case may be, the Company may be the controller of personal data or the controller and processor of personal data.

7.2. To the extent permitted by law, the personal data subject understands that the Company may share personal data for the purposes specified in this policy with the following organizations and individuals:

  1. Internally, An Phat Holdings;
  2. Organizations and individuals providing services and/or cooperating with the Company, including but not limited to: agents, auditors, lawyers, business cooperation partners, providing information technology solutions, software, applications, operation, management, troubleshooting services, etc. infrastructure development;
  3. Any individual or organization that is the representative or authorized party of the personal data subject, acting on behalf of the personal data subject;
  4. The data sharing will be carried out in accordance with the order, method and current legal regulations. Parties receiving personal data are obliged to keep personal data confidential in accordance with this Policy, the Company’s internal regulations, standards for personal data protection and applicable laws.

7.3. The Company may be required to share personal data with competent state authorities in accordance with the law.

8. RIGHTS OF PERSONAL DATA SUBJECTS

8.1. The right to know about the processing of their personal data, unless otherwise provided for by law.

8.2. The right to consent or disagree to the processing of his/her personal data, unless otherwise provided for by law.

8.3. The right to access to view, correct or request correction of his/her personal data, unless otherwise provided for by law.

8.4. Right to withdraw consent.

8.5. Right to erasure of data.

8.6. The right to restrict the processing of their personal data in accordance with the law.

8.7. The right to request the provision of his/her own personal data, unless otherwise provided for by law.

8.8. Right to object to data processing.

8.9. The right to complain, denounce and initiate lawsuits.

8.10. Right to claim compensation for damages.

8.11. Right to Self-Defense.

The personal data subject may exercise these rights by making a request to the Company. The request form must be sent to the Company and contain basic contents such as information of the requester, detailed content of the request, reason, purpose when making the request, etc. The Company makes a lawful and valid request from the personal data subject within the time prescribed by law.

The Company reserves the right to refuse to comply with the requests of the personal data subject in certain cases, including but not limited to: (i) the personal data subject does not comply with the order and procedures instructed by the Company in which the content of the request is lacking information or is invalid; or (ii) the fulfillment of the request may infringe upon the life, health, or property of others; or (iii) the data subject fails to properly implement the identity verification process; or (iv) the provisions of the law do not permit the fulfillment of the request of the personal data subject.

9. OBLIGATIONS OF PERSONAL DATA SUBJECTS

9.1. Self-protection of your personal data;

9.2. Respect and protect the personal data of others.

9.3. Fully and accurately provide personal data when consenting to the processing of personal data. If there is any false information, the personal data subject shall bear at his/her own expense in the event that such information affects or restricts the rights of the personal data subject. Note that the withdrawal of consent, the request for data deletion or the restriction of data processing may result in the Company not being able to continue to provide products and services or perform a contract with the data subject. In this case, the Company is not responsible for any losses incurred and the Company’s legal rights are reserved.

9.4. Comply with the law on personal data protection and participate in the prevention and control of violations of regulations on personal data protection.

9.5. Other responsibilities as prescribed by law.

10. MISCELLANEOUS

10.1. The personal data subject confirms that, by accepting this policy, the personal data subject has consented to the personal data being processed by the Company, organizations and individuals participating in the processing of personal data as stated in this policy, clearly know the type of data being processed, the purpose of data processing, organizations and individuals entitled to process personal data, and their rights and obligations related to personal data. The subject of personal data has been notified by the Company, has known and agreed to all the contents that need to be notified before personal data is processed by the Company, organizations and individuals participating in the process of processing personal data. The personal data subject agrees that the company, organization or individual participating in the process of processing personal data does not need to notify again before processing personal data.

10.2. If you have any questions about the protection of the Company’s personal data, please contact us and we will respond in accordance with the provisions of the law. You can also contact us at the address below:

Contact address: An Phat Holdings Group Joint Stock Company

Email Address: info@anphatholdings.vn

Phone: 024 3206 1119

10.3. This policy applies from January 1, 2026.