PERSONAL DATA PROTECTION POLICY
This Personal Data Protection Policy describes how to collect, use and process personal data arising in the course of operation and business of VinRobotics Robot Application and Research Development Joint Stock Company (hereinafter referred to as the “Company”) located Symphony Office Building, Chu Huy Man Street, Vinhomes Riverside Urban Area, Phuc Loi Ward, Hanoi City, and the official website is https://vinrobotics.net/.
1. GENERAL PROVISIONS
1.1. Personal Data: means information in the form of symbols, letters, digits, images, sounds, or similar forms in the electronic environment that are associated with a specific natural person or help identify a specific natural person. Personal Data includes basic Personal Data and sensitive Personal Data.
1.2. Personal Data Subject: means the individual reflected by the Personal Data, including all individual customers who are using the Company’s products and services, the Company’s employees, shareholders and/or other individuals who have a legal relationship with the Company.
1.3. Personal Data Processing: means one or more activities affecting Personal Data, such as: collection, recording, analysis, confirmation, storage, correction, disclosure, combination, access, retrieval, recalling, encryption, decryption, copying, sharing, transmission, provision, transfer, deletion, destruction of Personal Data or other related actions.
1.4. Whenever the Personal Data of any related person of the Personal Data Subject (including but not limited to information of dependents, related persons in accordance with the law, spouse, children and/or parents and/or guardians, friends, beneficiaries, authorized persons, partners, emergency contacts or other individuals of the Personal Data Subject) is provided to the Company, the Personal Data Subject and the related persons of the Personal Data Subject represent, warrant and take responsibility that the information has been fully provided and has been legally agreed/approved by the Personal Data Subject to be processed for the purposes set out in this Policy. The Personal Data Subject and the related persons of the Personal Data Subject agree that the Company is not responsible for verifying the legality and validity of this consent/approval and the storage of evidence proving that is the responsibility of the related persons of the Personal Data Subject and the Personal Data Subject. The Company is exempt from liability and entitled to request compensation for related damages and expenses when the Personal Data Subject or/and related persons of the Personal Data Subject fail to comply with the contents specified herein.
1.5. By registering, using the Company’s products and services, entering into contracts and/or allowing the Company to conduct Personal Data Processing, the Personal Data Subject accepts in full and without any conditions to the policies mentioned herein and the changes (if any) from time to time.
1.6. This Policy may be updated, modified, supplemented or replaced by the Company from time to time and posted by the Company on the Company’s official website. You should access and check our official website regularly for the latest changes.
1.7. The Company undertakes to comply with the following principles when conducting Personal Data Processing:
(i) The Company processes and protects Personal Data in accordance with the provisions of Vietnamese laws; fully complies with contracts, agreements, and other documents established with the Personal Data Subject;
(ii) The Company collects Personal Data for specific, explicit and lawful purposes, within the scope of the purposes stated in Section 3 of this Policy and in accordance with the provisions of Vietnamese laws;
(iii) The Company always applies and updates technical measures in accordance with the provisions of Vietnamese laws to ensure the safety of Personal Data, including measures to protect against unauthorized access and/or destruction, loss or damage to Personal Data;
(iv) The Company stores Personal Data appropriately and to the extent necessary for processing in accordance with the provisions of Vietnamese laws;
(v) The Company undertakes to comply with provisions related to the protection of children’s data.
2. PROCESSED PERSONAL DATA
In order to conduct Personal Data Processing for the purposes set out in Section 3 of this Policy, the Company may process the following types of Personal Data:
2.1. Basic Personal Data includes:
(i) Family name, middle name and last name, other names (if any);
(ii) Date of birth; date of death or disappearance;
(iii) Gender;
(iv) Place of birth, place of birth registration, place of permanent residence, place of temporary residence, current place of residence, hometown, contact address;
(v) Nationality;
(vi) Individual image; information obtained from security systems, including video recordings of the Personal Data Subject captured by the camera systems and surveillance cameras at the Company’s business/transaction locations;
(vii) Telephone number, identity card number, citizen identification number, personal identification number, passport number, driver’s license number, license plate number, personal tax identification number, social insurance number, health insurance card number;
(viii) Occupation and workplace;
(ix) Marital status;
(x) Information about family relationships (parents, children);
(xi) Information about the individual’s digital account; Personal Data that reflects interests and history of activities in cyberspace;
(xii) Other information that is associated with a specific natural person or helps to identify a specific natural person not falling within the scope of sensitive Personal Data as set out in Section 2.2 below.
2.2. Sensitive Personal Data includes the following key data:
(i) Political views, religious views;
(ii) Health status and private life recorded in medical records, excluding information about blood type;
(iii) Information related to racial origin, ethnic origin;
(iv) Information about an individual’s inherited or acquired genetic characteristics;
(v) Information about distinctive physical attributes, biological characteristics of individuals;
(vi) Data on crimes and criminal acts collected and stored by law enforcement agencies;
(vii) Information about the bank account of the Personal Data Subject;
(viii) Data about the Customer’s location determined through the location service;
(ix) Other Personal Data that is specified by law as specific and requires necessary security measures.
3. PURPOSES OF PERSONAL DATA PROCESSING
Personal Data may be processed for one or more of the following purposes:
3.1. Evaluating the capability to provide products, services and/or enter into contract with the Personal Data Subject, including but not limited to the purposes as follows:
(i) Identifying and verifying information of the Personal Data Subject;
(ii) Evaluating, reviewing and approving the provision of products and services according to the registration documents, applications, contracts of the Personal Data Subject and/or related persons of the Personal Data Subject;
(iii) Considering providing or continuing to provide any of the Company’s products and services to the Personal Data Subject.
3.2. Fulfilling obligations in contracts, agreements, terms, conditions and other documents between theCompany and the Personal Data Subject, supporting customers including but not limited to the purposes as follows:
(i) Performing obligations under contracts, agreements and providing products and services to Personal Data Subjects;
(ii) Updating and processing information of Personal Data Subjects;
(iii) Taking care of and settling complaints and lawsuits of Personal Data Subjects;
(iv) Using and transferring to partners Personal Data and relevant information to identify and fix problems of products and services; repairing products;
(v) Contacting and notifying the Personal Data Subject;
(vi) Implementing promotional programs, exchanging gifts, awarding, delivering gifts;
(vii) Performing other customer care and support activities.
3.3. Improving the quality of the Company’s products and services, including but not limited to:
(i) Providing information that the customer has requested or that the Company finds useful to the customer;
(ii) Improving technology, interface of websites, social networks, and applications to ensure convenience for customers;
(iii) Managing customer accounts and loyalty programs;
(iv) Statistics and data analysis for research, creation, development and improvement of products and services; improving customer experience;
(v) Developing and providing new products and services that are personalized according to the actual needs and conditions of customers;
(vi) Introducing and providing promotions and incentives for products and services of the Company and of the Company in cooperation with partners;
(vii) Proposing products and services that customers may be interested in through identifying customer preferences.
3.4. Serving the Company’s business and operation activities including but not limited to the fulfillment of reporting, financial, accounting and tax obligations, auditing, compliance activities and other activities serving the Company’s legitimate business in cases that the Company deems necessary.
3.5. Restructuring and transfer of projects/enterprises:
In the course of business, the Company may sell or acquire enterprises or restructure corporate entities or transfer other projects or services in accordance with the provisions of law. Accordingly, Personal Data and the right to use information in general are among the transferred assets. In all cases, the transfer and processing of data will be carried out by the parties in accordance with the provisions of the law and this Policy.
3.6. Marketing: Building marketing campaigns, promoting products and services, including building campaigns based on customer preferences.
3.7. Prevention, combating, investigation and detection of crimes.
3.8. Protecting social order and safety, protecting the legitimate rights and interests of Personal Data Subjects, the Company and other related parties.
3.9. Compliance with the provisions of law and international treaties to which Vietnam is a party, including but not limited to:
(i) To provide to competent state agencies in accordance with law;
(ii) In order to fulfill its obligations in accordance with the provisions of law, international treaties that the Company must comply with (if any).
3.10. Other purposes subject to the consent of the Personal Data Subject.
4. METHODS OF PERSONAL DATA PROCESSING
4.1 Collection methods
Personal Data is collected as follows:
(i) From the Company’s websites and applications: Personal Data is collected when the Personal Data Subject fills in the forms posted on the Company’s websites and applications.
(ii) From the provision of products and services, the performance of obligations under contracts and agreements of the Company: Personal Data is collected when the Personal Data Subject purchases, registers to use, uses any products and services, signs a contract with the Company.
(iii) From communications with the Personal Data Subject: Personal Data is collected through interaction between the Company and the Personal Data Subject (in-person meeting, by mail, telephone, online, call center system, electronic communication or any other means) including surveys.
(iv) From social networks: The Company’s social networks and/or social networks that the Company cooperates with partners.
(v) From audio and video recording devices: located at stores, business locations or places where part or all of the Company’s business activities are carried out that the Personal Data Subject meets, appears or interacts with the Company;
(vi) From interactions or automated data collection technologies: The Company may collect automatically recorded information from the connection:
Cookies, pixel tags, and other similar technologies;
Any technology capable of tracking personal activity on devices or websites;
Other data or information provided by a device.
(vii) Other means
The Company may collect Personal Data through public and official sources of information or through the receiving necessary data shared from the parent company, subsidiaries, affiliates, and partners in the process of cooperating with the Company in accordance with the applicable provisions of law.
4.2. Storage methods
Personal Data is stored in Vietnam at the Company’s database system or wherever we or our branches, subsidiaries, affiliates, partners or service providers have facilities.
The storage period of personal data is determined based on the purpose of use as stated in this Policy and in accordance with the applicable provisions of law.
4.3. Data transfer/share methods
The Company will not sell Personal Data to any party. The Company uses the necessary security measures to ensure that the transfer/sharing of Personal Data is secure. The Company will share Personal Data to (i) the Company’s parent company, subsidiaries, affiliates; (ii) individuals/organizations involved in the Personal Data Processing as set out in this Policy; or (iii) competent state agencies or other cases in accordance with the applicable provisions of law.
If the recipient of Personal Data is headquartered outside the territory of Vietnam, when providing/transferring Personal Data abroad (including but not limited to the use of cyberspace, equipment, electronic means or other forms to transfer Personal Data outside the territory of Vietnam), the Company will require the receiving party to ensure the safety and security of the Personal Data provided/transferred. The Company undertakes to fully comply with the regulations and compliance requirements of Vietnamese law to protect the safety of Personal Data.
4.4. Analysis methods
Personal Data is analyzed based on the Company’s internal processes, data security principles and information security for information technology systems.
4.5. Data encryption methods
When necessary, collected Personal Data is encrypted in accordance with appropriate encryption standards during data storage or transfer and processing to ensure that the data is protected at all times.
4.6. Data deletion methods
In accordance with the law or upon a valid request from the Personal Data Subject, the Company will delete the stored Personal Data, except for the following cases:
(i) The law does not allow data deletion or requires mandatory data storage;
(ii) Personal Data is processed by competent state agencies for the purpose of serving the activities of state agencies in accordance with the provisions of law;
(iii) Personal Data has been disclosed in accordance with the provisions of law;
(iv) Personal Data is processed to serve legal requirements, scientific research and statistics in accordance with the provisions of law;
(v) In case of national defense and security emergencies, social order and safety, major disasters, dangerous epidemics; when there is a risk of threatening national security and defense but not to the extent of declaring a state of emergency; prevention and combat of riots, terrorism, crime and law violations;
(vi) Responding to an emergency situation that threatens the life, health, or safety of the Personal Data Subject or other individuals.
Throughout the Personal Data Processing, security is the highest priority of the Company. The Company takes appropriate technical measures to prevent unauthorized access to and use of Personal Data. We also regularly collaborate with security experts to update the latest cybersecurity techniques to ensure the safety of Personal Data. Your payment card data issued by financial institutions is protected by the Company on the principle that important payment card data (card number, full name, CVV number) is not recorded on our system. Your payment transaction is made on the system of the relevant bank.
5. CHILDREN’S PERSONAL DATA PROCESSING
5.1. The Company will conduct Children’s Personal Data Processing in accordance with the principle of protecting the rights and best interests of children and in accordance with the provisions of the law.
5.2. The Company only processes the Personal Data of children and provides products and services to children, if the parent or guardian consents to the children using the Company’s products and services, consents to the children’s Personal Data Processing by the Company, agree to this Policy and comply with the requirements of relevant laws. In the event that a child aged 7 years or older uses the Company’s products and services, in addition to the requirements set forth herein, the Company willonly conduct Personal Data Processing of the childwith the consent of the child. The parent or guardian is responsible for obtaining the consent of the child before providing the child’s Personal Data to the Company.
6. POTENTIAL UNEXPECTED CONSEQUENCES AND DAMAGE
6.1. The Company uses many different information security technologies such as firewall systems, access control measures, encryption, etc. to protect and prevent unauthorized access, use or sharing of Personal Data. However, the Company can not undertake to ensure absolute security of Personal Data in certain cases such as:
(i) Hardware and software errors in the process of data processing that cause loss of data of the Personal Data Subject;
(ii) The security vulnerability is beyond the control of the Company, the system is attacked by hackers, causing data to be exposed and leaked.
6.2. The Company recommends that Personal Data Subjects keep confidential information related to account login passwords, OTP codes and do not share this content with any other person.
6.3. The Personal Data Subject needs to be aware that at any time when the Personal Data Subject discloses and makes public his/her Personal Data, such data may be collected and used by others for purposes beyond the control of the Personal Data Subject and the Company.
6.4. The Company recommends that Personal Data Subjects preserve personal devices (phones, tablets, personal computers, etc.) during use. The Personal Data Subject should log out of his or her account when not in use.
6.5. In case the data storage server is attacked, which leads to the loss, exposure or leakage of Personal Data, the Company will be responsible for notifying the case to the authorities for timely investigating and handling and notifying the Personal Data Subject in accordance with the provisions of law.
6.6. Cyberspace is not a secure environment, and the Company cannot absolutely guarantee that Personal Data shared over cyberspace will always be secure. When transmitting Personal Data over cyberspace, the Personal Data Subject should only use secure systems to access the website, application or device. The Personal Data Subject is responsible for keeping his/her access credentials for each website, application or device secure and confidential.
7. START TIME, END TIME OF PERSONAL DATA PROCESSING
7.1. Personal Data is processed from the moment the Company lawfully receives the Personal Data and the Company has an appropriate legal basis for processing the data in accordance with the provisions of law.
7.2. Personal Data will be processed until the purposes of the data processing have been completed.
7.3. The Company may be required to store Personal Data even if the contract between the parties has been terminated in order to perform its obligations in accordance with the provisions of law and/or the requirements of the competent state authorities.
8. ORGANIZATIONS AND INDIVIDUALS PARTICIPATING IN THE PROCESSING OF PERSONAL DATA
8.1. On a case by case basis, the Company may be the personal data controller or the personal data controller cum processor.
8.2. To the extent permitted by laws, the Personal Data Subject clearly understands that the Company may share Personal Data for the purposes stated in this Policy with the following organizations and individuals:
(i) Parent companies, subsidiaries and affiliates of the Company;
(ii) Organizations, individuals providing services and/or cooperating with the Company, including but not limited to: agents, auditors, lawyers, business partners, partners providing information technology solutions, software, applications, operation, management, troubleshooting services, etc. infrastructure development;
(iii) Any individual or organization that is a representative, authorized party of the Personal Data Subject, acting on behalf of the Personal Data Subject.
The sharing of data will be carried out in accordance with the procedure, manner and current provisions of law. The recipients of Personal Data are obligated to keep Personal Data secured inaccordance with this Policy, the Company’s internal regulations, standards for the protection of Personal Data and applicable provisions of law.
8.3. The Company may be required to share Personal Data with competent state authorities in accordance with the law.
9. RIGHTS OF PERSONAL DATA SUBJECTS
9.1. Right to know about his/her Personal Data Processing activities, unless otherwise provided by law.
9.2. Right to consent or object to consent to his/her Personal Data Processing, unless otherwise provided by law.
9.3. Right to access in order to view, correct or request correction of his/her Personal Data, unless otherwise provided by the law.
9.4. Right to withdraw consent.
9.5. Right to delete data.
9.6. Right to restrict his/her Personal Data Processing in accordance with the provisions of law.
9.7. Right to request the provision of his/her Personal Data to him/her, unless otherwise provided by the law.
9.8. Right to object to data processing.
9.9. Right to complain, denounce and initiate lawsuits.
9.10. Right to claim damages.
9.11. Right to self-protect.
The Personal Data Subject may exercise these rights by making a request to the Company. The request form must be sent to the Company and includes basic contents such as the requester’s information, detailed request content [e.g. type of data to be provided or to be deleted,… name of document , record (if any)], reason and purpose when making the request, relevant information depending on the specifics of therequest (e.g. whether the requested document needs to be provided in the form of a file or paper format, the address for receiving documents, etc.). All costs (if any) arising from the fulfillment of the requests stated herein including but not limited to the cost of printing, photocopying, postage, courier fees for sending the data shall be borne by the requester and must be paid no later than upon receipt of the data or a period set by the Company.
The Company will process the requests of the Personal Data Subject in accordance with the provisions of law and consider the legitimate interests of the Personal Data Subject. However, in the event that the Personal Data Subject withdraws his/her consent, requests the deletion of the data and/or exercises other relevant rights with respect to any or all of the Personal Data that affects the Company’s ability to provide/maintain its products, services to the Personal Data Subject or to maintain the contractual relationship, depending on the nature of the Personal Data Subject’s request, the Company may consider and decide not to continue to provide the Company’s products and services to the Personal Data Subject or terminate the contractual relationship between the Company and the Personal Data Subject. Acts carried out by the Personal Data Subject under this provision shall be deemed to be a unilateral termination by the Personal Data Subject of any relationship between the Personal Data Subject and the Company, which may lead to a breach of obligations or contractual commitments between the Personal Data Subject and the Company, and the Company reserves its legal rights and remedies in such cases. Accordingly, the Company will not be liable to the Personal Data Subject for any losses incurred and the Company’s legal rights will be fully reserved. With reasonable efforts, the Company will implement the lawful and valid request from the Personal Data Subject within a reasonable time in accordance with the applicable provisions of law. However, for security purposes, the Company may require the Personal Data Subject to verify his/her identity before processing the Data Subject’s request.
The Company has the right to refuse to implement the requests of the Personal Data Subject in certain cases, including but not limited to: (i) The Personal Data Subject does not comply with the guidelines and procedures instructed by the Company in which the content of the request lacks of information or is invalid; (ii) The Personal Data Subject fails to provide or provides insufficient papers and documents for identity verification; or (iii) in case the Company assesses that there are signs of fraud or violation of Personal Data protection; or (iv) the applicable provisions of law do not allow the implementation of the request of the Personal Data Subject.
10. OBLIGATIONS OF THE DATA SUBJECT
10.1. To self-protect Personal Data; request other relevant organizations and individuals to protect their Personal Data. To promptly notify the Company when detecting any errors, mistakes, leaks of Personal Data or suspicion that Personal Data is being breached.
10.2. To respect and protect the personal data of others.
10.3. To provide complete and accurate Personal Data when giving consent to Personal Data Processing. If there is any false information, the Personal Data Subject shall bear the costs incurred in the event that such information affects or restricts the rights of the Personal Data Subject.
10.4. To comply with the provisions of law on personal data protection and participate in the prevention and combat of violations of regulations on personal data protection.
10.5. Other responsibilities as prescribed by the provisions of law.
11. MISCELLANEOUS
11.1. The Personal Data Subject confirms that, by accepting this Policy, the Personal Data Subject has consented to the processing of Personal Data by the Company, the organization or individual participating in the Personal Data Processing as set out in this Policy. The Personal Data Subject has clearly known the type of data to be processed, the purpose of the data processing, the individual and organization authorized to process the Personal Data, and his/her rights and obligations in relation tothe Personal Data. The Personal Data Subject has been notified by the Company, known and consented to all contents that need to be notified before the Personal Data is processed by the Company, organizations and individuals participating in the Personal Data Processing. The Personal Data Subject agrees that the Company, organizations and individuals involved in the Personal Data Processing do not need to provide further notifications before the Personal Data Processing.
11.2. If you have any questions about the Company's personal data protection, please contact us and we will try to answer your questions as soon as possible. You can also contact us at the address below:
Contact address: Technopark Building, Gia Lam Commune, Hanoi City, Vietnam
Email address: [email protected]
Phone: +84 24 3975669
11.3. This policy is effective from 15/07/2025.
