PERSONAL DATA PROTECTION POLICY

1.1 Data Collection Sources

Personal data is collected from the following sources:

• (i) Directly from you: When you register an account, book tickets, purchase products, or contact us
• (ii) From third parties: From partner companies, payment companies, shipping companies
• (iii) From other companies: From companies that are our customers who provide information about you
• (iv) From camera data: From surveillance cameras at our facilities
• (v) From public sources: From social media pages and publicly available websites

1.2 Types of Information Collected

1.3 Sensitive Data

In some cases, we may need to collect sensitive data to provide services or as required by law:

• Financial information (account number, payment information)
• Actual geographic location
• Health information (to advise on suitable tours)
• Marital and family status
• Information about family members

We will request explicit consent before collecting sensitive data.

1.4 Responsibility for Data Accuracy

You must ensure the accuracy, completeness and legality of the data you provide. We are not responsible if the information provided is inaccurate, outdated or incomplete. You are responsible for updating information promptly when changes occur.

1.5 Minors

If you are under 16 years of age, you must obtain explicit consent from your parent or legal guardian before providing any personal information. Parents/guardians have the right to request or withdraw consent at any time.

2.1 What are Cookies?

Cookies are small files stored on your device containing information about your website activities. We use cookies to improve user experience, recognize you, save preferences, conduct research, prevent fraud and provide personalized content.

2.2 Types of Cookies Used

2.3 Cookie Management

You can manage cookies through your web browser settings. Most browsers allow you to reject or delete cookies. However, disabling cookies may affect website functionality. Third parties may also set cookies when you interact with their services.

2.4 Similar Technologies

In addition to cookies, we may use similar technologies such as web beacons, pixel tracking, and local storage to collect information about your activities.

3.1 Providing Products and Services

• Providing, operating and improving travel, hotel, restaurant and related products and services
• Processing orders, payments and transactions
• Managing customer accounts and membership program information
• Verifying identity and authenticating users
• Providing customer support, answering questions, handling complaints
• Sending order notifications, invoices and receipts

3.2 Service Improvement

• Measuring website, mobile application and service performance
• Analyzing user behavioral data to understand needs
• Recording customer support calls to improve quality
• Conducting surveys and market research
• Monitoring social media feedback and customer comments
• Developing new features and products

3.3 Marketing and Advertising

• Sending advertising emails for products and services suited to your interests
• Advertising travel tours and new products on social media
• Managing promotion programs, offers and discount codes
• Marketing according to legal regulations (you may opt out at any time)
• Personalized targeting to provide relevant advertising

3.4 Security and Fraud Prevention

• Security authentication and user identity verification
• Protecting against fraud, identity theft and unauthorized use
• Protecting system, website and application integrity
• Ensuring safety for customers, employees and assets
• Detecting and preventing illegal activities and violations

3.5 Legal Compliance

• Detecting and verifying compliance with internal policies and regulations
• Providing information as requested by government agencies, police and tax authorities
• Resolving legal disputes and complaints
• Fulfilling legal obligations and requirements

3.6 Other Purposes

Other purposes that are notified to you in advance or permitted by law.

4.1 Storage Period

We store personal data for the time necessary to:

• Provide services as requested
• Comply with legal requirements, tax and customs regulations
• Resolve disputes and complaints
• Protect the legal rights of us and you
• Fulfill the purposes disclosed to you

After the storage purpose ends, data will be deleted or anonymized (if possible) according to legal requirements.

4.2 Cases Where Data is Not Deleted

We do not delete data in the following cases:

• Law does not permit deletion (e.g., invoices and receipts must be kept for 5 years)
• Data is being processed by police, courts or government agencies
• Data is publicly disclosed by law
• Data relates to unresolved legal disputes or complaints
• Emergency or danger to national security or public safety
• You request to keep the data

4.3 Data Deletion Request

You have the right to request data deletion at any time (except in the cases mentioned above). We will process your request within 7-15 business days. However, data deletion may affect our ability to provide services.

5.1 Sharing with Service Providers

We work with service providers, including:

• Payment companies, banks, electronic payment gateways
• Shipping and delivery companies
• Cloud storage companies
• Data analytics and advertising companies
• Customer support and call centers
• Travel, hotel and restaurant partners

Service providers may only use data for providing services and must comply with similar security requirements.

5.2 Sharing Due to Business Transfer

In case we sell, merge, restructure, go bankrupt, or transfer part of our business, your personal data may be transferred to the buyer. The buyer will continue to comply with this Policy.

5.3 Disclosure by Legal Requirement

We may disclose personal information when:

• Requested by police, courts or government agencies
• Protecting our or your rights, property and security
• Detecting, preventing fraud and illegal activities
• Protecting personal safety, public health and public interest

5.4 International Transfer

We may transfer your personal data to other countries to provide services. When transferring data internationally, we ensure appropriate protection levels and comply with legal requirements.

5.5 We Do Not Sell Your Data

We commit to NOT selling, buying, renting or exchanging your personal data with any company for marketing or advertising purposes unless you explicitly consent.

6.1 Technical Security Measures

We apply advanced technical security measures:

• SSL/TLS encryption (HTTPS) for all online communications
• Firewalls to protect servers
• Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
• Role-based access control (RBAC)
• Regular data backups
• Antivirus and anti-malware software
• Regular security scans and security audits

6.2 Administrative Security Measures

• Employee training on personal data protection
• Signed security agreements with employees and service providers
• Controlling employee access (only necessary personnel can access data)
• Secure data deletion (irrecoverable)

6.3 Payment Security

Payment information (credit cards, bank accounts) is protected according to international PCI DSS (Payment Card Industry Data Security Standard). We do not record full PAN (primary account number) or PIN/CVV codes.

6.4 Internet Security Limitations

Although we apply best security practices, the Internet is not completely safe. No security system is 100% secure. You should:

• Use safe computer systems and phones with firewalls
• Keep passwords secret and do not share
• Update software and operating systems regularly
• Avoid using unsecured public WiFi networks
• Log out after using your account

6.5 Security Incidents

If a security incident occurs (data breach, cyberattack), we will:

• Investigate and assess the severity
• Notify affected users within 15 days
• Notify relevant authorities as required by law
• Implement corrective measures to prevent recurrence

7.1 Marketing Emails

We may send marketing emails about new products and services. You have the right to opt out at any time by:

• Clicking the "Unsubscribe" link in the email
• Sending a request to support@vebanahill.vn
• Contacting us directly by phone

7.2 Personalized Advertising

We use behavioral data (cookies, pixel tracking) to provide personalized ads on social networks (Facebook, Google, TikTok) and other websites. You have the right to:

• Disable personalized ads through browser settings
• Use opt-out tools from Facebook and Google
• Request not to receive personalized ads

7.3 SMS and Message Advertising

We may send SMS or message advertising with your consent. You have the right to opt out at any time.

8.1 Basic Rights

You have the following rights under law:

• Right to Know: Be informed about data being processed
• Right to Consent: Refuse or withdraw consent at any time
• Right to Access: Access and view all your personal data
• Right to Correct: Request correction of inaccurate data
• Right to Delete: Request deletion of unnecessary data
• Right to Restrict: Restrict data processing in certain cases
• Right to Data Portability: Receive data in structured, portable format
• Right to Object: Object to data processing for marketing purposes
• Right to Complain: File complaints with authorities about violations
• Right to Compensation: Claim compensation for damages

8.2 How to Exercise Your Rights

You can exercise these rights through:

We will process your request within 7-15 business days (or as required by law).

8.3 Written Requests

You have the right to send written requests (letter, email) to exercise these rights. Your request must include:

• Your full name and address
• Detailed description of your request
• Copy of your ID card/passport (for verification)
• Your signature or fingerprint (for written documents)

8.4 Complaint Mechanism for Misuse of Personal Data

You have the right to complain if your personal data is misused or processed beyond the disclosed scope. We are committed to receiving, considering and resolving complaints fairly and promptly.

Note: Complaints must be submitted within 12 months of discovery. Late complaints may not be considered.

11.1 Minors

If you are under 18 years old, you must obtain explicit written consent from your parent or legal guardian before entering into contracts or transactions with us. Parents/guardians are legally responsible for minors' transactions.

11.2 Policy Changes

We have the right to change, add or modify this Policy at any time. Changes will be posted on our website or directly notified to you via email. Continued use of services after changes means you agree to them. Please review this Policy regularly for updates.

11.3 Acknowledgment of Agreement

By using our services, you acknowledge that you have read, understood, accepted and agreed with the entire contents of this Personal Data Protection Policy.

11.4 Governing Law and Dispute Resolution

This Policy is governed and interpreted under Vietnamese law. If disputes arise, both parties agree to negotiate and resolve. If no agreement is reached within 3 months of dispute, either party may request court resolution by the competent People's Court.