Security Policy

PERSONAL DATA PROTECTION POLICY
A. INTRODUCTION

This Policy provides detailed information regarding the activities of collection, processing, use, protection, and sharing of personal data of users (“User” or “Users”), conducted by GS 25 VIETNAM COMPANY LIMITED ("We", "Us", or "Our") when the User uses the website with the domain name https://gs25.com.vn/ (“Website”) and/or the GS25VN application, downloaded from the Apple App Store or Google Play Store, on mobile devices (hereinafter collectively referred to as the “Platform”) and/or when the User enters, exits, or shops at Our premises, including but not limited to headquarters, branches, offices, stores, and booths (“Premises”). Unless otherwise agreed in writing, this current Policy shall apply to all information and data related to the User and the User's account that We may collect and store via the Website/Platform and/or CCTV at the Premises, including but not limited to personal data and any other data provided by the User and/or obtained from CCTV at the Premises.

We understand that Users are concerned about their personal data, as well as how such data is collected, used, shared, and stored. We are committed to only collecting and processing the User's personal data for the purposes declared in this Policy and in compliance with applicable laws. It is the User's responsibility to read, understand, and agree to this Policy before accessing and using any features on Our Website/Platform and/or before deciding to enter Our Premises.

B. DEFINITIONS
  1. “Personal Data” refers to information in the form of symbols, letters, numbers, images, sounds, or similar forms in an electronic environment that identifies or helps to identify a specific individual, including Basic Personal Data and Sensitive Personal Data. Personal Data, once de-identified, is no longer considered Personal Data.
  2. “Basic Personal Data” refers to Personal Data reflecting the identity and common background of an individual, frequently used in transactions and social relations, including:
    1. Surname, middle name, and birth name, other names (if any);
    2. Date of birth; date of death or of going missing;
    3. Gender;
    4. Place of birth, place of birth registration, place of permanent residence, place of temporary residence, current place of residence, hometown, contact address;
    5. Nationality;
    6. Personal image;
    7. Phone number, Identity Card number, Personal Identification number, Passport number, Driver’s License number, License Plate number, Personal Tax Identification number, Social Insurance number, Health Insurance card number;
    8. Marital status;
    9. Information regarding family relationships (parents, children); and
    10. Information regarding the individual’s digital account; Personal Data reflecting activities and activity history in cyberspace.
  3. “Sensitive Personal Data” refers to Personal Data associated with the privacy of an individual which, if violated, will directly affect the legitimate rights and interests of the agency, organization, or individual, including:
    1. Political views, religious views;
    2. Health status and private life recorded in medical records, excluding information on blood type;
    3. Information relating to racial or ethnic origin;
    4. Information on inherited or acquired genetic characteristics of the individual;
    5. Information on physical attributes and unique biological characteristics of the individual;
    6. Information on the individual’s sex life and sexual orientation;
    7. Data on crimes and criminal acts collected and stored by law enforcement agencies;
    8. Information of customers of credit institutions, foreign bank branches, intermediary payment service providers, and other permitted organizations, including: customer identification information as prescribed by law, account information, deposit information, deposited asset information, transaction information, information on organizations and individuals who are guarantors at credit institutions, bank branches, and intermediary payment service providers;
    9. Data on the individual’s location identified via location services; and
    10. Other Personal Data strictly prescribed by law requiring necessary security measures.
  4. “Processing” (or “processed”, “has processed”, or “will process”) Personal Data means one or more activities impacting Personal Data, including collection, recording, analysis, consolidation, storage, modification, disclosure, combining, access, retrieval, recovery, encryption, decryption, copying, sharing, transmission, provision, transfer, deletion, destruction of Personal Data, or other relevant actions.
  5. “Data Subject” refers to the individual to whom the Personal Data relates.
C. DETAILS OF PERSONAL DATA PROCESSING ACTIVITIES
  1. When the User accesses the Website/Platform and uses utilities on the Website/Platform
    1. We collect and process Personal Data for the following purposes when the User accesses the Website/Platform and uses utilities on the Website/Platform, including:
      1. Operating the Website/Platform and enabling the User to use the features of the Website/Platform:
        • Supporting the User in accessing and using utilities and features on the Website/Platform;
        • Compiling statistics and maintaining internal records;
        • Preventing, investigating, and handling violations of Our regulations/Policies, fraudulent acts, and violations of the law;
        • Operating, evaluating, and improving Our business operations, researching, developing new products, and enhancing service quality;
        • Storing and backing up data to comply with legal requirements, regulations of competent state agencies, and internal compliance requirements;
        • Storing and backing up Personal Data for disaster recovery or other purposes;
        • Performing data analysis and processing to understand customers (such as market and consumer research, shopping trend analysis); and
        • System administration for the Website/Platform, ensuring network security and information safety.
      2. Supporting the User in accessing, registering, and managing user accounts on the Website/Platform:
        • Creating and managing the User's user account on the Website/Platform;
        • Verifying user identity;
        • Providing access to features and utilities related to the loyalty program on the Website/Platform; and
        • Notifying promotions and offers related to the loyalty program.
      3. Supporting the User in online shopping on the Website/Platform:
        • Allowing the User to place orders, purchase goods, and make online payments;
        • Processing and verifying requests for exchange, return of goods, and refunds;
        • Executing delivery and receiving returned goods in case of exchange or return by the User;
        • Authenticating and processing point accumulation and redemption transactions from the loyalty program;
        • Answering inquiries, resolving issues, and providing support related to orders; and
        • Providing information on stores near the User.
      4. Any other specific purpose notified by Us to the User at the time the User agrees to provide Personal Data to Us.
    2. Depending on how the User uses the Website/Platform and features on the Website/Platform, We may collect or request the User to provide certain Personal Data. Personal Data (and certain data that may be considered Sensitive Personal Data as defined in Section B or by law) that the User may choose to provide includes:
      1. The User's Personal Data, including:
        • Full name;
        • Date of birth;
        • Gender;
        • Phone number;
        • Email address; and
        • Contact address, delivery address, billing address.
      2. Information to verify and process the User's requests or complaints, including information and payment methods used by the User (such as credit card numbers).
      3. Information regarding the use of the Website/Platform, including:
        • Order transaction history, purchase history, and payment history;
        • Links of partners managed by Us that the User accesses;
        • Advertising links the User accesses;
        • Features and content the User accesses;
        • Transactions, User requests, and interaction content on the Website/Platform;
        • Products the User views and orders;
        • Other relevant utilities and services used by the User;
        • Location data collected from GPS when the User agrees to share: including GPS coordinates, time and date of collection, etc.; and
        • Any other information provided by the User when accessing and using services, utilities, and features on Our Website/Platform.
  2. When the User wishes to issue a purchase invoice on the Website/Platform:
    1. When the User submits a request to issue a purchase invoice for online orders or for purchases made at Our stores, We collect and process the User's Personal Data to contact the User and support invoice issuance.
    2. Types of Personal Data collected for the aforementioned purpose include:
      1. Full name; and
      2. Phone number, email address for invoice issuance.
  3. When the User applies for a job position at GS 25 on the Website/Platform:
    1. We collect and process Personal Data to manage the User's job application activities on Our Website/Platform, including:
      1. Receiving application dossiers;
      2. Analyzing and evaluating the User's application dossier, verifying the User's labor conditions;
      3. Communicating with the User, scheduling interviews, and answering the User's inquiries and issues;
      4. Checking and verifying the User's information and background. This includes contacting the User's former or current company and colleagues to verify information; and
      5. Notifying the User of the application results.
    2. If the User provides contact information of former or current colleagues for checking and verification purposes, the User undertakes to ensure that they have obtained the consent of such individuals before providing the information, and accepts full responsibility for the legality of using this information for the aforementioned purpose.
    3. Types of Personal Data collected for the aforementioned purpose include:
      1. Full name, date of birth;
      2. Gender, height, weight;
      3. Phone number, email address;
      4. Identity Card number, Personal Identification number, Passport number;
      5. Contact address, including permanent and temporary residence address;
      6. Personal image;
      7. Information on education level, skills, degrees, certificates;
      8. Reference person information;
      9. Employment history, activities; and
      10. Other information self-listed and provided by the candidate in the application dossier.
  4. When the User registers for franchising with the GS 25 brand on the Website/Platform:
    1. We collect and process Personal Data to manage the franchise registration for the GS 25 brand on Our Website/Platform, including:
      1. Verifying and assessing suitability for franchising; and
      2. Communicating with the User, consulting, answering inquiries, resolving issues, and providing support related to franchising.
    2. Types of Personal Data collected for the aforementioned purpose include:
      1. Full name, date of birth;
      2. Phone number, email address, contact address;
      3. Nationality;
      4. Occupation; and
      5. Information on available capital and financial sources.
  5. When the User enters Our Premises
    1. We collect and process Personal Data through the Website/Platform and the operation of the CCTV system installed at the Premises for the purposes of ensuring security, managing business operations, and improving customer experience, including:
      1. Analyzing and evaluating customer behavior and traffic to improve operational quality;
      2. Investigating and handling security incidents or upon lawful request from competent authorities.
    2. Types of Personal Data collected for the aforementioned purpose include:
      1. Full name;
      2. Phone number;
      3. Citizen Identity Card number;
      4. Images, videos recording the User's behavior;
      5. Time and location of image/video recording.
  6. Processing Personal Data without the User's consent

    According to legal regulations, We may process Personal Data without the User's consent in the following cases:

    1. To protect the life, health, honor, dignity, rights, and legitimate interests of the User or others in emergency situations; to protect the legitimate rights or interests of Us, others, or the interests of the State, or agencies/organizations as necessary against the aforementioned infringements;
    2. To resolve emergency situations; risks threatening national security but not to the extent of declaring a state of emergency; prevention and combat of riots, terrorism, crimes, and violations of the law;
    3. To serve the activities of state agencies, state management activities as prescribed by law;
    4. To perform the User's agreement with Us or relevant agencies, organizations, and individuals as prescribed by law; and
    5. Other cases as prescribed by law.
  7. At any given time, consistent with the utilities, features, and services We wish to provide to the User, We may request the User to provide additional information or Personal Data not listed in this Policy. We commit that the collection and processing of such information and Personal Data in this case shall only be carried out on a voluntary basis, with the User's consent, and in compliance with the provisions of this Policy and relevant laws.
D. PROVISION AND TRANSFER OF PERSONAL DATA
  1. We may provide and transfer the User's Personal Data to personal data processors, third parties, and/or Our affiliated companies and organizations for one or more purposes stated in this Policy.
  2. These third parties and affiliates may be present within or outside the territory of Vietnam, including but not limited to:
    1. Our parent company, subsidiaries, and/or affiliated companies;
    2. Service providers or parties supporting Our business operations. These parties include, but are not limited to, banks, electronic payment companies, postal companies, logistics companies, telecommunications companies, cloud computing data processing and storage companies, advertising and media partners, information technology companies, consulting companies, and e-commerce organizations; or
    3. State agencies and competent regulatory authorities in accordance with legal regulations.
  3. In some cases, We cooperate with online ordering and delivery platforms to process and fulfill the User's orders. When the User places an order via the website/application of these partners, We do not process any Personal Data of the User such as name, email address, or phone number related to these orders. We only process necessary order details to fulfill and invoice accurately. These partners process the User's information independently from Us. In this case, please refer to the privacy policy of the partners with whom the User places the order. The User agrees that any inquiries or complaints related to the User's acceptance or use of services of these partners or affiliates of these partners shall be directly resolved by the platforms of these partners.
  4. Cross-border Transfer of Personal Data
    We may transfer or permit the transfer of the User's Personal Data outside the territory of Vietnam for the purposes specified in this Policy. We are committed to fully implementing appropriate security measures as required by applicable laws or other regulations, and shall transfer the User's Personal Data in accordance with applicable laws.
  5. We commit not to disclose or transfer the User's Personal Data to any third party for use in their direct marketing and advertising activities.
  6. The Website/Platform may contain links to third-party websites for the purpose of providing additional information or functionality. Clicking on these links may direct the User to websites operated by organizations or individuals independent of Us. We are not responsible for the security practices of these websites and encourage the User to read their Privacy Policies carefully before providing any personal information.
E. STORAGE, RETENTION, AND DELETION OF PERSONAL DATA
  1. We store the User's Personal Data for the period necessary to fulfill the data collection purposes stated in this Policy, or purposes at the time the User agrees to provide Personal Data, or in accordance with applicable legal regulations.
    Type of Data | Time of Data Collection Commencement | Time of Data Storage Termination
    Information on user accounts and activities on the Website/Platform | When the User accesses the Website/Platform and/or registers an account. | Within 30 days from the time the User submits a request to delete or cancel the account.
    Franchise registration information | When the User enters information. | Within 180 days from the time the User enters information.
    Invoice issuance request information | When the User enters an invoice issuance request. | Maximum 10 years as required by accounting laws.
    Job applicant information | When the candidate enters information and/or submits a dossier. | Information of officially hired candidates will be stored according to labor laws and company policy. Information of candidates not hired will be deleted immediately after the recruitment activity ends.
    Information to verify, process requests or complaints of the User | When the User sends a valid request or complaint to Us. | Within 180 days from the completion of processing the User's request or complaint.
    Information on User activity at the store | From the time the User is present at Our store area. | Within 15 days from the date the User is present at Our store area.
  2. We process the User's Personal Data from the time We collect it, and shall delete and permanently destroy without recovery:
    1. Immediately when there are reasonable grounds to believe that: (i) the retention of such Personal Data no longer serves the purpose of data collection, and (ii) retention is no longer necessary for Our business or legal purposes;
    2. Upon receipt of a data deletion request from the User and the User accepts the potential risks and damages to themselves, except for cases under Article E.4 below;
    3. Upon expiration of the storage period as prescribed by law;
    4. To comply with a decision of a competent state agency;
    5. To comply with an agreement; or
    6. As prescribed by law.
  3. We reserve the right to refuse to delete or destroy data in cases where (i) Processing of Personal Data does not require the User's consent under applicable laws, or (ii) the User cannot provide sufficient documents to prove their status as the data subject, or (iii) the deletion or destruction of Personal Data violates the principles of exercising the rights and obligations of the Personal Data subject under applicable laws. If the request to delete or destroy Personal Data cannot be fulfilled, We shall notify the User.
F. RIGHTS AND OBLIGATIONS OF THE USER REGARDING PERSONAL DATA
  1. Unless otherwise provided by law, the User has the right to:
    1. Be informed of the Personal Data Processing activities;
    2. Consent or decline consent, or request to withdraw consent for Personal Data Processing;
    3. Access, rectify, or request rectification of Personal Data. If there are legitimate reasons why Personal Data cannot be rectified upon the User's request, We shall notify the User;
    4. Request provision, deletion, or restriction of Personal Data Processing; submit an objection to Personal Data Processing;
    5. File complaints, denunciations, lawsuits, or request compensation for damages in accordance with the law;
    6. Request competent authorities or relevant agencies, organizations, and individuals involved in Personal Data Processing to implement measures and solutions to protect their Personal Data in accordance with the law.
  2. If the User has any questions or concerns about how We process Personal Data, or if the User wishes to exercise their rights, please contact Us according to the information in Section J. Upon receiving the User's inquiries or requests, We may request the User to provide information and documents to validly verify the identity of the requesting individual. We shall respond to the User's inquiries and requests after completing identity verification, and in accordance with applicable laws. If circumstances cause any delay in Our response, We shall promptly notify the User and provide Our official response date.
  3. We have the right to refuse to process the User's request if the User does not provide sufficient information to verify the validity of the request. In such a case, We shall notify the User of the reason and basis for refusing to process the User's request.
  4. The User has the responsibility to:
    1. Provide Us with complete and accurate Personal Data to fulfill the purposes stated in Section C;
    2. Promptly update the Personal Data provided to Us in case of any changes to such data;
    3. Protect their own Personal Data and the Personal Data of others, as well as comply with other Personal Data protection obligations in accordance with applicable laws;
    4. Only provide Personal Data of others after obtaining their consent for Us to process it in accordance with this Policy;
    5. Ensure the completeness, accuracy, and legality of the Personal Data the User provides to Us. We are not responsible for the content of the Personal Data provided by the User; and
    6. Bear responsibility for damages, restrictions, or inconveniences (including but not limited to the inability to perform or use utilities on the Platform) when exercising the rights of the data subject.
G. PROTECTION OF PERSONAL DATA
  1. We shall implement reasonable security measures to protect Personal Data We collect or that is under Our control from the outset and during the process of Personal Data Processing, to protect the User's Personal Data from access, collection, use, disclosure, processing, copying, modification, destruction, loss, misuse, unlawful rectification, or similar risks during the User's use of Our Platform. We have implemented appropriate administrative, physical, and technical measures, including but not limited to:
    1. Controlling and limiting access to Personal Data for individuals and departments requiring access;
    2. Maintaining technologies to prevent unauthorized access to Personal Data;
    3. Implementing mechanisms to delete, pseudonymize, or redact certain Personal Data on the Platform interface and/or internal interface;
    4. Deploying measures to control login to User accounts on the Platform, including applying 2-Factor Authentication technology and Anti-Brute Force Access policies (brute force being the guessing of every possible password until the correct one is found);
    5. Conducting network security checks on systems, means, and equipment serving Personal Data Processing before processing Personal Data; and
    6. Implementing other protection measures as required by applicable laws.
  2. Although We strive to protect the safety of the User's Personal Data and continuously review and enhance Our information security measures, We cannot completely prevent every third party, such as hackers, from unauthorized access to the User's Personal Data. In the event of a data breach, We shall comply with all reporting and remediation obligations in accordance with the law.
H. CHILDREN'S DATA

We respect and protect the Personal Data of children based on the principles of protecting the rights and best interests of children. We are committed to complying with requirements regarding the processing of children's Personal Data and implementing measures to protect children's Personal Data as prescribed by law.

I. ADVERTISING AND MARKETING
  1. To enhance the User's experience and provide the User with Our latest marketing information, promotions, and offers, We may use the User's email address, phone number, or other contact information to send the User news, updates, promotions, and targeted advertisements related to Our products and services. We may personalize these marketing and advertising communications based on preferences, browsing history, purchase history, and other information the User has shared with Us.
  2. The User may refuse to receive marketing and advertising information at any time via the following methods:
    1. Email: Click on the "unsubscribe" link at the bottom of any marketing email the User receives from Us;
    2. Mail: Send a written request according to the contact information in Section J stating the User's desire to opt-out of receiving marketing information;
    3. App Settings: Select not to receive marketing notifications in the application settings; or
    4. SMS: Text according to the specific instructions in the notification.
  3. Depending on the method the User has chosen, We may take a certain amount of time to process the User's request to opt-out of receiving marketing and advertising information.
J. CONTACT US

If the User has any questions or complaints regarding Our Policy, or wishes to update, rectify, delete, or object to the processing of Personal Data, please contact Us according to the following information:

GS 25 VIETNAM COMPANY LIMITED

Address: 138-142 Hai Ba Trung, Da Kao Ward, District 1, Ho Chi Minh City, Vietnam
Email: cskh@gs25.com.vn
Phone: 028 7302 2525