PERSONAL DATA PROTECTION POLICY

 

This Personal Data Protection Policy (“Policy”) is an official document issued by GG Industries Joint Stock Company (“GGI”, “Company” or “We”) to inform how GGI collects, processes, shares and retains information of all individuals who have provided information to GGI during the use of GGI’s products and services (“Customers”). GGI respects and commits to protecting the personal information of all Customers who have used and are using GGI’s products and services.

This Policy does not apply to any products, services, websites or content provided by third parties or that use separate privacy policies.

By agreeing to this Policy, Customers allows GGI to use the personal data provided for the purposes mentioned below. In case the Customers do not agree or have any other comments regarding the purpose of processing personal data or other details of the Policy, please inform GGI in the Contact Us section.

I.PURPOSE

Personal Data” means data that identifies or helps to identify a specific individual.

Customer Personal Data may be collected and used for all purposes directly or indirectly related to Customer’s transaction with GGI (“Purposes”), including:

  1. Providing products and services. We may use Customer Personal Data to operate, provide GGI products and services, as well as process related contracts, including but not limited to registration, loyalty programs, surveys, purchases, participation in incentive programs, payments and after-sales operations, warranty, maintenance, recycling, etc. Processing this information is necessary to enter into contracts with Customers or legal entities that Customers represent, to perform our contractual obligations, provide products and services, respond to customer requests, or support Customers.
  2. To comply with Vietnamese laws such as tax, competition and consumer protection. In certain cases, GGI has a legal obligation to collect, use or store personal information of Customers, or needs to process certain types of personal information to ensure compliance with the law. The processing of this information is necessary for us to comply with relevant legal obligations or for our legitimate interests in security and data collection in compliance with applicable laws.
  3. Communicating with Customers. To respond to correspondence, contact Customers on matters directly and indirectly related to GGI’s products and services, provide other relevant information, or request information or feedback, GGI may use Customers’ personal data to send important notices related to our products and services.
  4. Marketing. GGI may use Customer Personal Data to promote products and services in accordance with Vietnamese law. We may advertise products and services based on Customer’s information. The processing of this information is based on (i) GGI’s legitimate interest in promoting products and services and (ii) Customer’s consent as required by applicable law.
  5. Security, confidentiality, fraud prevention, business continuity and other legitimate interests of the Company. We may use Customer Personal Data to prevent and detect fraud and abuse in order to protect Customers, GGI and others. We may also use scoring methods to assess and manage credit risk. The processing of this information (i) is necessary to comply with relevant legal obligations regarding fraud prevention and (ii) is based on GGI’s legitimate interest in preventing fraud and abuse and managing credit risk.
  6. Compliance with laws. To comply with applicable laws, such as tax or reporting obligations, or to comply with lawful requests from competent Vietnamese government authorities.

II.PERSONAL DATA COLLECTED BY GGI

1.Customer Personal Data

To meet the above Purposes, GGI may collect personal data, including basic personal data and sensitive personal data of Customers, as follows:

Basic personal data includes:

  1. Last name, middle name and first name;
  2. Date of birth;
  3. Gender;
  4. Place of birth, place of birth registration, permanent residence, temporary residence, current residence, hometown, contact address;
  5. Nationality;
  6. Video, voice, images;
  7. Phone number, ID card number, personal identification number, passport number, email;

Basic personal data is collected to identify the Customer’s identity when establishing a commercial relationship with GGI and to provide information to competent state agencies such as tax authorities and inspectors upon request.

Sensitive personal data includes:

  1. Financial information: such as bank account number, account name, bank name and billing address, source of income, source of finance, other financial information;
  2. Payment Information: Credit card, payment method (cash/bank transfer/installment), payer and other payment information;
  3. Location data is determined through location services.

 2.Sources of Personal Data Collection

GGI collects Customer Personal Data either directly from Customers or the Company indirectly collects it from other information sources.

2.1. Customers proactively provide

GGI may collect and process any Personal Data from Customer interactions with GGI, including but not limited to Customer providing information through working with GGI or GGI’s distributors/agents; accessing, using, providing information or downloading documents from GGI’s website; contacting via email or phone; using GGI’s products and services or participating in other programs or events organized by us (such as contests, games, promotions, events, fairs and exhibitions, from Customer interactions with GGI via social networks, answering survey questions, registering to attend events and/or receiving prizes).

Customers are responsible for ensuring that the data provided is complete, accurate and always updated to ensure the Customers’ rights according to the regulations of the use of the corresponding service. GGI is not responsible in case the Customers provide inaccurate, outdated, or incomplete data.

In the event that Customers provide GGI with Personal Data of a third party, Customers represent and warrant that Customers have and have obtained full consent and approval from that third party for Customers to provide their Personal Data to GGI and for GGI to use such Personal Data in the manner and as provided in this Policy.

Customers also warrant and undertake that the information provided by Customers to GGI will not be any of the following types of information: (i) state secrets, (ii) business secrets; and (iii) any other information that Customers are not permitted to provide under the provisions of law or confidentiality agreements.

GGI may collect Customer Personal Data from other sources, including but not limited to service providers (such as installments, credit…), partners, referral programs, publicly available sources; and/or when another user provides Customer Personal Data to GGI with the Customers’ authorization and/or consent in surveys, investigations, promotional programs, information documents, etc. When GGI collects Customer Personal Data from other sources, GGI ensures that such Personal Data is transferred to us in accordance with the provisions of applicable laws.

2.2. Automatic data collection

During the Customer’s interaction with GGI, certain types of Customers information are automatically collected by us and the data is in a form that does not allow the identification of a specific individual, such as information from the devices (computers, tablets, smartphones, etc.) that the Customer uses to connect to GGI’s website(s) or that the Customers use to host or access GGI’s applications (e.g., serial numbers, device identifiers, device MAC addresses, browser type, Internet service provider, hardware version, operating system, connection information, and application version); when the Customers use and/or interacts with GGI’s website(s) or applications, we may also record certain information and store it in log files. This information may include source and end-visit pages, date and time stamps, search terms, and data about the sequence of pages accessed.

We may collect, use, transfer, and disclose information that is not Personal Data for any purpose. If we combine information that is not Personal Data with Personal Data, the combined information will be managed and used by us as Personal Data.

 

III. PERSONAL DATA AND INTERNET BROWSING

1.Cookie

GGI uses cookies and other similar technologies (collectively, “cookies”) for a variety of purposes. Cookies are small text files stored on computers or devices connected to or accessing the Internet that help websites and applications recognize a user’s browser. We use cookies to recognize a Customer’s browser or device, learn more about a Customer’s preferences, provide essential features and services to Customers, and for other additional purposes, including:

  • Recognize Customers when Customers log into the website or application. This allows us to provide Customers with recommendations, display personalized content, and provide other customized features and services.
  • Being mindful of Customers preferences allows us to respect Customers likes and dislikes, such as the language and configuration that Customers choose.
  • Conduct research and analysis to improve GGI’s products and services.
  • Comply with legal obligations as part of GGI’s general business operations.
  • Prevent fraudulent behavior and situations that pose a potential threat to anyone’s safety or property.
  • Secure Customers information and our services from unauthorized access, loss and misuse.
  • Improve safety.
  • Provide content, including advertising, relevant to Customer interests on our websites and third-party websites.
  • Evaluate the quality of GGI’s products and services.

Cookies allow Customers to take advantage of some essential features of GGI. For example, if Customers block or reject our cookies, Customers will not be able to use certain services that require login information, or Customers may have to adjust some preferences or language settings each time they visit GGI websites.

Approved third parties may also collect information via cookies when Customers interact with GGI websites. These third parties typically include search engines, measurement and analytics providers, social networks, and advertising companies. Third parties use cookies and other technologies such as web beacons or GIFs to deliver content, including ads relevant to Customers’ interests, to measure the effectiveness of ads, and to perform certain services on our behalf. The use of these technologies and any information about Customers that We provide to third parties is governed by each third party’s specific privacy policy, not this Policy.

Customers can manage their browser cookies through their browser settings. The ‘Help’ feature on most browsers will tell them how to prevent their browser from accepting new cookies, how to notify them when they receive a new cookie, how to disable cookies, and when cookies expire. If they disable all cookies on their browser, neither they nor third parties will be able to transfer cookies to their browser. However, if they do this, they may have to manually adjust some preferences each time they visit the website, and some features and services may not work.

2.Internet and Third-Party Advertising

2.1. GGI advertisements on the website may include third-party advertisements and links to other websites and applications.

Third-party advertising partners may collect information about Customers when Customers interact with their content, advertisements, or services. Any access to and use of third-party links or websites is not governed by this Policy, but is instead governed by the privacy policies of those third parties. GGI is not responsible for the information practices of third parties. To opt out of receiving interest-based advertising, please see the Cookies section above.

2.2. Social network plugin features

GGI uses social media plugins on our websites such as Facebook, YouTube, Instagram and LinkedIn. When a Customer views a website that contains a plugin, the Customer’s browser creates a direct link to a third-party server. These features may collect information about the Customer’s IP address and the pages the Customer visits on our website, and these platforms may set cookies or use other tracking technologies. Social media features and widgets may be set by a third party or set directly on our website.

If the Customer is logged into his/her social media account, the social media platform will record the visit to the Customer’s social media account. Please see the social media platform’s privacy policy for more information.

2.3. Access management and selection

Customers can view, update, and delete certain information about their account and interactions on GGI’s website or application. If Customers are unable to access or update their information themselves, Customers can always contact Us for assistance.

Customers have many choices about the collection and use of their personal information, as well as options about how the information is used. Customers can choose not to provide certain information, but then Customers may not be able to take advantage of all the functions offered on the browser.

  1. Account Information: If Customer wishes to add, update or delete information related to his/her account, please access Customer’s account on GGI’s website or application.
  2. Contact: If Customers do not want to receive promotional content from GGI and wish to withdraw their previous consent (if any) and/or object to the continued use of their personal information for marketing purposes, please choose to opt-out of receiving commercial communications from GGI at the time We collect Customers personal data, or send an opt-out of advertising services using the syntax instructed (or other methods as specified in the relevant contract with Customers) or contact us. If Customers do not want to receive notifications from our applications, please adjust the notification settings in your application or device.
  3. Browsers and devices: The Help feature on most browsers and devices will tell Customers how to prevent their browser or device from accepting new cookies, how to have the browser notify them when Customers receive a new cookie, or how to disable the cookie function altogether.

IV. PERSONAL DATA STORAGE

1.Personal Data Storage Location

GGI’s Customer Personal Data is currently stored in Vietnam.

2.Personal Data Storage Period

GGI stores Customer Personal Data during the time GGI conducts commercial relations with the Customer, including the time before and after signing the contract, the product maintenance process and providing after-sales services to Customers, ensuring the Customer’s ability to continuously and uninterruptedly use the products and services provided by GGI.

After Customers terminate its commercial relationship with GGI, GGI commits to delete the Customer’s Personal Data when the Customer sends a written request to Us, except in cases where GGI is required to store data to comply with legal obligations as prescribed by law and to prevent risks of disputes arising with the Customer (if any). After the statutory period of Personal Data storage expires and the risk of disputes arising with the Customer no longer exists, GGI commits to delete the Customer Personal Data in accordance with current legal regulations.

 V.CUSTOMER RIGHTS TO PERSONAL DATA

Customers have the following rights regarding Personal Data provided to GGI:

  1. Be informed about their Personal Data processing activities;
  2. Agree or disagree, request withdrawal of consent to the processing of Customer Personal Data;
  3. View, correct or request correction of Customer Personal Data;
  4. Request provision, deletion, restriction of processing; submit a request to object to the processing of Customer Personal Data;
  5. Complain, denounce, sue, and request compensation for damages when GGI violates its regulations on protecting Customer Personal Data as prescribed by law.
  6. Request competent authorities or agencies, organizations and individuals related to the processing of Customer Personal Data to implement measures and solutions to protect Customer Personal Data in accordance with the provisions of law.

 

VI.PERSONAL DATA SHARING METHOD

1.Implementation principles

GGI collects and processes personal data on the following principles:

  1. Data is collected at the minimum level necessary to fulfill the stated Purposes and is not processed outside the scope of those Purposes.
  2. Update the information to be consistent with the stated Purpose.
  3. Processing of Personal Data either manually (entering or manually retrieving information into/from the system) or in an automated, digitalized manner (automatically extracting data for drafting contracts for Customers, etc.) depending on the nature of the work and GGI’s available technology for the stated Purpose.

2.Parties with access to Personal Data

GGI may share Personal Data with its Affiliates, its legally authorized service providers, or other parties as requested/authorized by the Customers. GGI undertakes not to sell Customer Personal Data, not to share Personal Data with third parties for commercial purposes or other purposes not stated in this Policy.

  1. Affiliate(s). GGI may transfer Customer Personal Data to GGI’ Affiliates for storage and use for all purposes directly or indirectly related to the Customer’s commercial relationship with the Company. Affiliates have data protection policies with equal or greater levels of confidentiality and care than GGI. A GGI’ Affiliate is a company that GGI directly or indirectly through one or more intermediaries controls, is controlled by, or is under common control with. “Control” means directly or indirectly owning more than 50% of the shares or voting rights or having the right to control the appointment of a majority of the members of the Board of Directors of the relevant company.
  2. Service Providers. GGI may engage third parties to act as service providers and perform specific tasks on behalf of the Company, such as processing or storing data—including Personal Data—in connection with payment processing services, customer care services, credit risk assessment and compliance, interest rate subsidy programs, data analytics services, marketing and sales support (including advertising and event management), customer relationship management services, and training. These third-party service providers have access to personal information needed to perform their functions but may not use it for other purposes. GGI’s service providers are obligated to handle Personal Data in accordance with its information security policies and guidelines with equal or greater levels of protection and care than GGI.
  3. Partner engaging in mergers or acquisitions of enterprises. In the course of business development, GGI may sell or buy businesses or restructure other businesses or services in accordance with the provisions of law. In such transactions, personal information, databases, and information usage rights are generally among the transferred contents, but the transferee must still comply with the provisions of this Policy. In addition, in the event that GGI or substantially all of its assets are acquired by another company, Customer information also becomes one of the transferred contents. We share personal information with third parties reasonably necessary to negotiate or complete a merger, acquisition or sale of all or a portion of GGI’s assets.
  4. Competent State Agencies . The Company may also disclose information about Customers if GGI determines that disclosure is necessary or appropriate for national security or law enforcement purposes.
  5. Other Third Parties . GGI may share Personal Data with other parties at the Customer’s request or authorization or with the Customer’s consent. In addition, Customers will receive notice when Customer Personal Data may be shared with third parties and Customers will have the right to choose whether or not to consent to the sharing of information.

 

VII. PERSONAL DATA PROTECTION METHOD

GGI commits, with maximum effort, to strictly secure and protect all Personal Data that Customers provide to GGI in accordance with the requirements and standards on information security, Personal Data protection under Vietnamese law and this Policy by the following methods:

  1. Establish appropriate technical and security measures to prevent unauthorized access to, or use of, personal information. However, no data protection measure can guarantee absolute security. Customers should proactively take measures to help prevent unauthorized access to passwords, phones and computers by logging out of their accounts after using shared computers, setting a strong and difficult-to-guess password and keeping their login information and password confidential. We are not responsible for any incidents such as lost, stolen or compromised passwords, or any activity on the Customer’s account using unauthorized passwords.
  2. Customer payment card information issued by financial institutions is protected by us according to international standards with the principle of not recording important payment card data (card number, full name, CVV number) on our system. Customer payment transactions are carried out on a third party system.

At the same time, GGI tries to minimize the consequences and unexpected damages that may arise due to technical problems as follows:

  1. If the Customer’s Personal Data is partially or completely lost and cannot be recovered but there is no risk of information leakage, GGI will notify the Customer of this incident. In this case, the Company will re-collect the Customer’s personal information to serve the Purpose.
  2. If there is a risk that the Customer’s Personal Data will be leaked to any third party, the Company will notify the Customer and take necessary and reasonable measures in accordance with the provisions of Vietnamese law and the Company’s procedures.

 

VIII. EFFECTIVENESS

This Policy was issued by GGI on Oct 01, 2025 and is effective from the date of issuance.

Customers can reach out via email at sales@ggp.vn for questions regarding the contents of the Policy, if needed.