[2] Privacy Policy

                                                                         Personal Data Privacy Policy

This Personal Data Privacy Policy (“Policy”) is implemented by FPT Information System Corporation (“FIS”, “Company”), describing the activities related to the processing of Customer's Personal Data, so that the Customer can have a better understanding of the purposes, scopes of information processed by FIS, and measures applied by FIS to protect Customer’s information and privacy rights.

This Policy is an integral part of the contracts, agreements, terms, and conditions binding the relationship between FIS and the Customer.

Article 1. Subjects and scope of application

This Policy governs the way in which FIS collects, processes, and stores Personal Data of Customer using or interacting with FIS products, websites, or services and/or related persons of the Customer according to the relationships required by law to collect; and/or co-own and use FIS's products/services.

For the avoidance of doubt, this Data Privacy Policy applies only to individual Customer. FIS encourages Customers to read this Policy carefully and regularly check the website for any changes that FIS may make to the terms of the Policy.

Article 2. Interpretation of terms

1. “Customer” means an individual who approaches, learns, registers, uses or is involved in the operation and provision of FIS products and services.
2. “FIS” includes FPT Information System Corporation and FPT Information System Corporation's Affiliates.
3. “FPT Corporation” includes FPT Corporation and FPT Corporation’s Affiliates in accordance with governance standards.
4. “Personal Data” means information in the form of symbols, letters, numbers, images, sounds or the like on an electronic medium that is associated with a particular person or helps identify a particular person.
5. Personal Data protection: is the activity of preventing, detecting, stopping, and handling violations related to Personal Data in accordance with the law.
6. Personal Data processing: is one or more activities affecting Personal Data, such as: collection, recording, analysis, confirmation, storage, correction, disclosure, association, access, tracking, recover, encrypt, decrypt, copy, share, transmit, provide, transfer, delete, destroy Personal Data or other related actions.
7. Third party: is an organization or individual other than FIS and the Customer who has been explained in accordance with this Policy.

For further clarification, any terms not explained in this Article shall be construed and applied in accordance with the laws of Vietnam.

Article 3. Purpose of processing Customer's Personal Data

3.1. FIS may process Customer’s Personal Data for one or more of the following purposes:

(a) Respond to Customer’s service requests and support needs

(b) Verify the identity and ensure the confidentiality of the Client’s personal information;

(c) Provide Customer with requested Company products or services; products and services of partners/suppliers that FIS acts as an agent/cooperator to provide;

(d) Adjust, update, secure and improve products, services, applications and devices provided by FIS or FPT Corporation to Customer;

(e) Notify Customer of changes to policies and promotions of products and services provided by FIS or FPT Corporation;

(f) Measurement, analysis of internal data and other processing to develop, improve, improve the quality of services/products of the Company or members of FIS or perform other activities of marketing, communications;

(g) Prevention and prevention of fraud, identity theft and other illegal activities;

(h) To have a basis for establishing, exercising the legal rights or defending the legal claims of FIS, the Customer or any individual. These purposes may include exchanging data with other companies and organizations for fraud prevention and detection, credit risk reduction;

(i) Comply with applicable laws, relevant industry standards and other applicable Company policies;

(j) Any other purpose exclusively for the operation of the Company; and

3.2. FIS will request the Customer's permission before using the Customer's Personal Data for any purpose other than the purposes stated in Article 3.1 above, at the time of collecting Customer's Personal Data or before commencing related processing or as otherwise required or permitted by applicable law.

Article 4. Confidentiality of Customer's Personal Data

4.1. Customer's Personal Data is committed to maximum confidentiality in accordance with FIS's regulations and the law. The processing of Personal Data of each Customer is carried out only with the consent of the Customer, unless otherwise provided for by law.

4.2. FIS shall not use, transfer, provide or share to any third-party Customer's Personal Data without the Customer's consent, unless otherwise provided by law.

4.3. FIS will comply with other Personal Data privacy principles in accordance with applicable laws.

Article 5. Types of Personal Data collected and processesd by FIS

In order for FIS to be able to provide products and services to Customer and/or process Customer's requests, FIS is entitled to collect and/or request to collect the following types of Personal Data:

5.1. Basic Personal Data of the Customer and its related individuals; and,

(a) Full name, middle name and birth name, other name (if any);

(b) Date, month and year of birth; day, month, year of death or missing;

(c) Gender;

(d) Place of birth, place of birth registration, place of permanent residence, place of temporary residence, current place of residence, hometown, contact address;

(e) Nationality;

(f) Image of the individual;

(g) Phone number, identity card number, personal identification number, passport number, driver's license number, license plate number, personal tax identification number, social insurance number, insurance card number medical insurance;

(h) Marital status;

(i) Information on family relationships (parents, children);

(j) Information about the individual's digital account; personal data reflecting activities, history of activities on cyberspace;

(k) Other information that is tied to a particular person or helps to identify a specific person is not part of Sensitive Personal Data.

(l) Other data as required by applicable law

5.2. Additional Personal Data relevant to Customer’s privacy includes:

(a) Information about inherited or acquired genetic characteristics of the individual;

(b) Information about the individual's physical attributes and biological characteristics;

(c) Information about an individual's sex life and sexual orientation;

(d) Data on crimes and offenses collected and stored by law enforcement agencies;

(e) Customer information of credit institutions, foreign bank branches, payment intermediary service providers, and other authorized organizations, including: customer identification information as prescribed by law, information about accounts, information about deposits, information about deposited assets, information about transactions, information about organizations and individuals as guarantors at credit institutions, bank branches, payment intermediary service providers;

(f) Personal location data identified through location services;

(g) Other Personal Data regulated by law as special and require necessary security measures.

(h) FIS absolutely do not collect Personal Data related to Customer’s religion or political opinions.

5.3. Data related to websites or applications: technical data (as stated above, including device type, operating system, browser type, browser settings, IP address), language settings, website connection date and time, app usage statistics, app settings, app connection date and time, location data, and other technical contact information); secure login details; usage data, etc.

5.4. Marketing data: advertising interests; cookie data; clickstream data; browsing history; response to direct marketing; and option of out of direct marketing.

Article 6. Personal Data collection methods

FIS collects Personal Data from Customer in the following ways:

6.1. Directly from the Customer by various means:

(a) When Customer enters into contract, purchases or uses any third-party services through FIS or FIS's locations and business establishments.

(b) When the Customer submits a registration request or any other form related to the products and services of FIS;

(c) When the Customer interacts with the Company's customer service staff, for example through phone calls, letters, face-to-face meetings, emailing or social media interactions;

(d) When Customer uses certain services of FIS, such as websites and applications including setting up online accounts with FIS;

(e) When the Customer is contacted and responded to by marketing representatives and customer service personnel of FIS;

(f) When the Client submits his/her personal information to the Company for any other reason, including when the Client signs up for a free trial of any products and services or when the Client can are currently interested in any of the Company's products and services.

(g) When the Customer purchases or uses third-party services through FIS or at transaction points and business establishments of FIS;

6.2. From other third parties:

(a) If the Client interacts with third-party content or advertising on the website or in the application, the Company may receive the Client's personal information from the relevant third party, according to that third party's legally applicable privacy policy.

(b) If Customer chooses to pay electronically directly to FIS or through a website or application, FIS may receive Customer's Personal Data from third parties, such as suppliers. payment service, for that purpose.

(c) In order to comply with its obligations under applicable law, FIS may receive Personal Data about the Customer from legal authorities and public authorities in accordance with the law.

(d) FIS may receive Personal Data about the Customer from public sources (such as telephone directories, advertising information/brochures, information publicly available on websites, etc.

Whenever such Personal Data is collected, FIS will ensure that it receives the data from relevant third parties in lawful ways and holds those third parties responsible for compliance with the law legislation on the protection of Personal Data.

Article 7. Personal Data Processing Methods

FIS shall apply one or serveral actions affecting Personal Data such as: collect, record, analyze, confirm, store, edit, publish, combine, access, retrieve, retrieve, encode, decode, copy, share, transmit, make available, transfer, delete, destroy or other related actions.

Article 8. Organizations Processed Personal Data

8.1. FIS (FPT Information System Corporation).

8.2. FIS will share or jointly process Personal Data with the following organizations and individuals:

(a) FPT Corporation and its affiliate companies that FPT Corporation directly or indirectly owns;

(b) FPT Information System Corporation’s affiliate companies that FIS directly or indirectly owns;

(c) Contractors, agents, partners, and operating service providers of FIS;

(d) Branches, business units and employees working at branches, business units, agents of FIS;

(e) Telecom businesses in case the Customer violates the obligation to pay service charges;

(f) Commercial stores and retailers related to the implementation of promotional programs of FIS;

(g) Professional advisors of FIS such as auditors, lawyers, etc. in accordance with the law;

(h) Courts, competent state agencies in accordance with the provisions of law and/or as required and permitted by law.

8.3. FIS commits that the sharing or co-processing of Personal Data is done only in cases where it is necessary to fulfill the Processing Purposes stated in this Policy or as required by law. Organizations and individuals that receive Customer's Personal Data will have to comply with the content specified in this Policy and relevant laws on Personal Data protection.

Although FIS will make every effort to ensure that Customer information is anonymized/encrypted, the risk that such data may be disclosed in the event of force majeure cannot be completely excluded.

8.4. In the event of the participation of other Personal Data processing organizations mentioned in this Article, FIS will notify the Customer before implementation.

Article 9. Processing of Personal Data in some special cases

FIS ensures that the processing of Customer's Personal Data fully meets the requirements of the Law in the following special cases:

9.1. Surveillance camera (CCTV) footage, in particular cases, may also be used for the following purposes:

(a) for quality assurance purposes;

(b) for the purposes of public security and occupational safety;

(c) detect and prevent suspicious, inappropriate or unauthorized use of Company facilities, products, services and/or facilities;

(d) detecting and preventing criminal activity; and/or

(e) Investigate of incidents.

9.2. FIS always respects and protects children's Personal Data. In addition to the Personal Data protection measures prescribed by law, before processing children's Personal Data, the Company will verify the children's age and require the consent of (i) children and/or (ii) their parents or guardians as required by law.

9.3. In addition to complying with other relevant legal regulations, for the processing of Personal Data related to the Personal Data of the person who is declared missing/deceased, the Company will have to obtain the consent of one of the relevant persons in accordance with current law.

Article 10. Rights and obligations of Customer related to Personal Data provided to FIS

10.1. Customer has the right to know about their Personal Data processing activities, unless otherwise provided by law.

(a) Customer may or may not consent to the processing of its Personal Data, unless otherwise provided by law.

(b) Customer is entitled to access to view, correct or request correction of their Personal Data in writing to FIS, unless otherwise provided for by law.

(c) Customer has the right to withdraw his/her consent in writing to FIS, unless otherwise provided for by law.

(d) Withdrawal of consent does not affect the legality of the data processing agreed by the Customer with FIS prior to the withdrawal of consent.

(e) Customer has the right to delete or request deletion of his/her Personal Data in writing to FIS, unless otherwise provided for by law.

(f) Customer is entitled to request restriction of processing of his/her Personal Data in writing to FIS, unless otherwise provided for by law.

(g) Customer is entitled to request FIS to provide themselves with their Personal Data in writing to FIS, unless otherwise provided for by law.

(h) Customer has the right to object to FIS, the Personal Data Processing Organization specified in this Policy from processing their personal data in writing to FIS in order to prevent or limit the disclosure of Personal Data or use Personal Data for advertising and marketing purposes, unless otherwise provided for by law.

(i) After receiving requests for Personal Data provision; request restriction of Personal Data processing; request to object to Personal Data processing; or request to delete Personal Data, FIS will respond within 72 hours after receiving the Data Subject's request depending on each case in accordance with the law.

(j) For requests to edit Personal Data, in case it cannot be done, FIS will notify the Customer after 72 hours of receiving the request.

(k) Customer has the right to complain, denounce or initiate lawsuits in accordance with the law.

(l) Customer has the right to claim compensation for actual damage in accordance with the law if FIS commits a violation of the regulations on the protection of its Personal Data, unless otherwise agreed by the parties or otherwise provided by law.

(m) Customer has the right to protect themselves according to the provisions of the Civil Code, other relevant laws, or request competent agencies or organizations to implement civil rights protection methods as prescribed in Clause 1 of this Article 11 of the Civil Code.

(n) Other rights as prescribed by applicable law.

10.2. Customer's Obligations

(a) Comply with laws, regulations and instructions of FIS regarding the handling of Customer's Personal Data.

(b) Provide fully, honestly and accurately Personal Data and other information as required by FIS when registering and using FIS's services and when there is a change in these information. FIS will proceed to secure Customer's Personal Data based on registered Customer information, so if there is any false information FIS will not be responsible in case such information affects or restrict the rights of the Customer. In case of failure to notify, if there is a risk or loss, the Customer is responsible for errors or acts of abuse or fraud when using the service due to its fault or failure to provide correct and complete, sufficient, accurate and timely information changes; including financial losses, costs incurred due to incorrect or inconsistent information.

(c) Coordinating with FIS, a competent state agency or a third party in case of problems affecting the security of Customer's Personal Data.

(d) Protect your own personal data; proactively apply measures to protect their Personal Data in the process of using FIS's services; promptly notify FIS when detecting errors, mistakes in their Personal Data or suspecting that their Personal Data is being infringed.

(e) To be solely responsible for the information, data and consents that they create and provide in the network environment; self-responsible in case personal data is leaked or infringed due to its fault.

(f) Regularly update FIS's Regulations and Policies from time to time, which are notified to Customer or posted on FIS's websites and or other transaction channels from time to time. Take actions according to FIS's instructions to clearly indicate approval or disapproval for the purposes of processing Personal Data that FIS informs the Customer from time to time.

(g) Respect and protect the personal data of others.

(h) Other responsibilities as prescribed by law.

Article 11. Storage of Personal Data

FIS commits to only storing Customer’s Personal Data in cases related to the purposes stated in this Policy. Data storage time will be decided by FIS to ensure the implementation of the above purposes.

Article 12. Undesirable consequences and damages

Currently, FIS has not seen any undesirable consequences or damages that may occur, FIS will make notifications when specific cases occur. During the processing of Personal Data, Personal Data may be exposed due to:

12.1. From the Customer's side: Customer reveal or leak Personal Data due to carelessness or fraud; Customer visit websites/download applications containing malware, etc.

(a) FIS recommends that Customer should keep confidential information related to the login password to their account and OTP code and not share this login password and OTP code with anyone else, including FIS employees.

(b) Customer should preserve electronic devices during use; Customer should lock, log out, or exit their accounts on FIS’s websites or applications when not in use; and implement other security measures when using the Company’s services.

12.2. From Company’s side: FIS commits to using information security technologies to protect Customer’s Personal Data. However, no data can be 100% secure. Hardware and software errors may occur during data processing, causing loss of Customer Personal Data; or there are security holes beyond the control of FIS, the relevant system is attacked by hackers, causing data leakage; etc.

Article 13. Processing of Personal Data with foreign factors

13.1. For the purposes of processing Personal Data in this Policy, FIS may be required to provide/share Customer's Personal Data to relevant third parties of FIS and these third parties may at Vietnam or any other place outside the territory of Vietnam.

13.2. When providing/sharing Personal Data outward, FIS will require the receiving party to ensure that the Customer's Personal Data transferred to them will be confidential and secure. FIS ensures compliance with legal and regulatory obligations related to the transfer of Customer's Personal Data.

13.3. Customer in the European Union (EU): Customer's Personal Data may be accessed, transferred and/or stored outside the European Economic Area (EEA), including countries may have a lower level of data protection under EU data protection law. FIS must follow specific rules when transferring Personal Data from within the EEA to outside the EEA. FIS will then use appropriate safeguards to protect any Personal Data transferred.

Article 14. Personal Data processing contact information

In case the Customer has any questions regarding this Policy or issues related to the data subject's rights or the handling of Customer's Personal Data, the Customer may use the following forms: contact listed below:

14.1. Send a letter to the Company at the address: [email protected]

14.2. Send an email to the email box corresponding to each type of service or product listed below: Unit's Products and Service contact mail

14.3. Hotline: Unit's Products and Service contact numbers

Article 15. General Terms

15.1. This policy is effective from 1 July 2023. The Customer understands and agrees that this Policy may be amended from time to time and notified to the Customer through FIS's Transactional Channels before application. Changes and effective time will be updated and announced at FIS's transaction channels and other channels. The Customer's continued use of the service after the notice period on the revised and supplemented contents from time to time means that the Customer has accepted such modified and supplemented contents.

15.2. The Customer has fully understood and agreed that this Policy is also the Notice of Personal Data Processing specified in Article 13 of Decree 13/ND-CP/2023 and is amended and supplemented from time to time before FIS conduct Personal Data Processing. Accordingly, FIS does not need to take any other measures for the purpose of notifying the Processing of Personal Data to Customer.

15.3. Upon receiving a request to exercise the Customer's rights under Article 9.1 from the requester, FIS will take the necessary steps to confirm and identify the requester before implementing the rights that the requester wants to apply. In case of necessity, to verify the identity and ensure the confidentiality of the Customer's personal data, FIS may match the personal data provided by the requester when submitting a request to exercise rights with data that FIS has been storing.

15.4. In case FIS deletes, destroys, or limits the use of data at the request of the Customer, the Customer's rights under the contract or service agreement signed with FIS require the use of personal data. may be interrupted, changed, or terminated.

15.5. Customer commits to strictly comply with the provisions of this Policy. The issues have not been regulated, the Parties agree to comply with the provisions of the law, the guidance of the competent State agency and/or the amendments and supplements to this Policy notified by FIS to the Customer from time to time.

15.6. Customer may see advertising or other content on any website, application or device that may link to the websites or services of partners, advertisers, sponsors or other third parties.

15.7. FIS has no control over the content or links appearing on third-party websites or services and is not responsible and/or liable for the activities used by such third party’s websites or service linked to or from any website, application, or device. These websites and services may be subject to the privacy policies and terms of use of third parties.

15.8. This policy is entered into based on goodwill between FIS and the Customer. During the implementation process, if any disputes arise, the Parties will actively resolve it through negotiation and conciliation. In case of unsuccessful conciliation, the disputes will be brought to the competent People's Court for settlement in accordance with law.