The terms and conditions of the Personal Data Protection Policy displayed below (hereinafter referred to as the "Data Protection Policy" or "Policy") set out the terms and conditions agreed upon by and between Best Way Corporation (hereinafter referred to as "FINFAN", the "Company") and the Payment Accepting Unit (hereinafter referred to as the "PAU") regarding the use of the services provided by the Company (hereinafter referred to as the "Service" or "Services"). This Data Protection Policy is as binding as a signed agreement between FinFan and the PAU with corresponding terms. By clicking the consent checkbox when creating an account, the PAU has agreed to all contents of the Data Protection Policy, has read, understood, and fully agrees with the contents of the Policy as follows:
Service is understood as the data collection and processing support service provided by FinFan to the PAU for payment support purposes and under the authorization of the PAU.
Website/app means the electronic information page and other electronic information pages used by FinFan to maintain, provide, and operate the Service, or related to the Service provided to the PAU.
Partner is understood as a unit that cooperates with FinFan in providing the Service.
Personal Data is information in the form of symbols, text, numbers, images, sounds, or similar forms in an electronic environment associated with a specific person or helping to identify a specific person. Personal Data includes basic personal data and sensitive personal data.
Personal Data Processing means one or more activities affecting Personal Data, such as collecting, recording, analyzing, confirming, storing, editing, disclosing, combining, accessing, retrieving, revoking, encrypting, decrypting, copying, sharing, transmitting, providing, transferring, deleting, destroying Personal Data, or other related actions.
PAU is the payment accepting unit. The "PAU" includes individuals, organizations, individual business households, and enterprises established in accordance with business law that access and use FinFan's Services through FinFan's Website/app, email, social networks, or other methods.
FinFan, the Company is Best Way Corporation.
This Policy aims to ensure that FinFan fully fulfills its responsibility to protect the personal data of PAUs, provided by PAUs, Partners, and employees in accordance with the law, specifically Decree 13/2023/ND-CP on personal data protection. The objectives include:
• Ensuring the confidentiality, integrity, and availability of personal data.
• Ensuring that the collection, processing, storage, and sharing of data are carried out in a transparent, lawful, and responsible manner.
FinFan collects and processes the PAU's Personal Data to provide the best Service, as well as to maintain and improve the quality and security of the Service, in order to best protect the interests of both the Company and the PAU. The information that the Company receives and collects from customers will play an important role in improving the Service and website, as well as providing the Company with a source of information and customer concerns so that FinFan can develop and update features and utilities suitable for the needs of the PAU and/or to comply with legal obligations, including but not limited to the law on Anti-Money Laundering, Counter-Terrorist Financing, and reporting requirements to competent authorities.
This Policy applies to all PAUs, the personal data of PAUs, and all officials, employees, Partners, and related parties of FinFan.
FinFan acts, depending on the context, as the Personal Data Controller, Personal Data Processor, Personal Data Controller and Processor, and/or a Third Party with respect to the personal data that FinFan collects from the PAU or collects during the course of FinFan providing the Service.
This Policy applies to:
• The types of data, information, and methods by which FinFan collects them.
• All activities of collecting, processing, storing, transmitting, using, and other information performed by FinFan during the PAU's access and use of the Service that involves sharing personal data related to the PAU, employees, and related parties.
FINFAN is committed to adhering to the following fundamental principles:
• Lawfulness, Fairness, and Transparency:
- The collection and processing of personal data must have a legal basis or the valid consent of the data subject. Information regarding the purpose of data use must be clearly communicated.
• Purpose Limitation:
- Data shall only be collected, processed, and used for the purposes that have been identified and communicated to the data subject in advance. Any use outside the original purpose must be notified and receive consent from the data subject.
• Data Minimization:
- Only personal data necessary for the stated purpose shall be collected and not stored for longer than necessary as required by law.
• Data Accuracy:
- Ensure that personal data is updated and accurate. Data subjects have the right to request correction or updating of their information.
• Data Security and Integrity:
- Apply appropriate technical and organizational measures to protect personal data from unauthorized access, loss, alteration, disclosure, or destruction.
• Accountability:
- FINFAN is responsible for complying with personal data protection regulations and has internal monitoring and inspection mechanisms to ensure the implementation of this Policy.
• Full name, middle name, and birth name, other names (if any);
• Date of birth;
• Gender;
• Place of birth, place of birth registration, permanent residence, temporary residence, current residence, hometown, contact address;
• Nationality;
• Image of the individual;
• Phone number, identity card number, personal identification number, passport number, driver's license number, vehicle registration number, personal tax identification number, social insurance number, health insurance card number;
• Marital status;
• Information about family relationships (parents, children);
• Information about the individual's digital account;
• Other information associated with a specific person or helping to identify a specific person not covered by this section.
• Financial and banking data;
• Biometric data (if any);
• Data on political views, religion, or other information as prescribed by law;
• Health status and private life recorded in medical records, excluding information about blood type;
• Information related to racial or ethnic origin;
• Information about the inherited or acquired genetic characteristics of an individual;
• Information about the unique physical attributes and biological characteristics of an individual;
• Information about the sexual life or sexual orientation of an individual;
• Data on crimes and criminal offenses collected and stored by law enforcement agencies;
• Data on the location of an individual determined through location services;
• Other personal data specified by law as specific and requiring necessary security measures.
• Notification and Consent: Before collection, FinFan will clearly inform about the purpose, scope, and method of data processing, and ensure the consent of the data subject is obtained (unless otherwise provided by law).
• Collection Methods: Data may be collected through online channels, telephone, in person, or through authorized Partners.
• Processing: Personal data will only be used for the stated purpose and the processing purpose will not be changed without the additional consent of the data subject.
• Storage: Personal data is stored on a secure system with technical measures to prevent unauthorized access, ensuring integrity and confidentiality.
• Storage Period: Data is only stored for the period necessary for the processing purpose or as required by law.
• Internally: Data is only shared with relevant and authorized individuals and departments.
• With Third Parties: The transfer of data to partners or third parties must be carried out in accordance with the law and ensure there is a clear contract and data transfer record, protecting the rights of the data subject.
• International Transfer: If there is a transfer of data abroad, FinFan must ensure legal requirements and equivalent protection measures are in place as stipulated in Decree 13/2023/ND-CP.
FINFAN ensures and facilitates data subjects to exercise their rights in accordance with the law, including:
• Right to be Informed: The data subject has the right to be informed about information related to the collection and processing of their data.
• Right of Access: The subject can request to review their personal data.
• Right to Rectification: Request to update or correct data if the information is found to be inaccurate or incomplete.
• Right to Erasure: In cases where the data is no longer necessary for the notified purpose or when the subject withdraws consent.
• Right to Object: The subject may object to the processing of their data if they feel it is not in accordance with legal regulations or the notified purpose.
• Use of encryption technologies, firewalls, and monitoring systems to protect data.
• Regularly update and patch the system to ensure data safety.
• Control data access according to the role and responsibility of each individual.
• Train and raise awareness for employees about personal data protection.
• Establish internal processes and procedures to monitor the collection, processing, and storage of data.
• Identify and appoint a Data Protection Officer responsible for monitoring the implementation of the Policy.
• Incident Detection and Handling Process: FinFan establishes a process for controlling, detecting, and handling incidents related to data security, including leakage, loss, or unauthorized access.
• Breach Reporting: In the event of a data breach, relevant officials must immediately report to the information security department and implement timely remedial measures.
• Notification to Regulatory Authorities: If the incident affects the rights of the data subject, FINFAN will notify the competent authorities in accordance with the law.
• Periodic Review: FinFan will periodically review the effectiveness of personal data protection measures and make improvements as necessary.
• Monitoring and Inspection: The collection, processing, and storage of data will be periodically internally audited to ensure compliance with this Policy.
• Policy Updates: The Policy will be updated when there are changes in legal regulations or when FinFan adjusts its operations related to personal data.
When the PAU's personal data is no longer necessary for the purposes of this Policy, or FinFan no longer has a legal basis to retain the PAU's personal data, or when the PAU withdraws authorization, FinFan will take steps to delete, destroy, anonymize, or prevent access to or use of the personal data for any purpose other than to comply with this Policy, or for safety, security, detection, and prevention of fraud, in accordance with applicable law.
The deletion of data will not apply upon the request of the PAU in the following cases:
• The law does not allow for the deletion of data;
• Personal data is processed by a competent authority for the purpose of serving the activities of the state agency in accordance with the law;
• Personal data has been made public in accordance with the law;
• Personal data is processed for legal requirements, scientific research, and statistics in accordance with the law;
• In the event of a national defense or security emergency, but not yet at the level of declaring a state of emergency: prevention of riots, terrorism, crime prevention, and law violations.
• Board of Directors: Responsible for issuing, supervising, and directing the implementation of the Data Protection Policy throughout the organization.
• Data Protection Officer: Responsible for monitoring and evaluating the implementation of the Policy, advising, and assisting relevant departments on data protection issues.
• Relevant Departments: Each department is responsible for ensuring that its activities of collecting, processing, and storing personal data comply with the Policy and law.
• Employees: Each individual must comply with the regulations and procedures set out in this Policy and report immediately upon detecting any violations.
• Internal Violation Handling: Violations of personal data protection will be handled in accordance with the labor regulations and current rules and regulations of FinFan.
• Legal Violation Handling: In case of a violation of the law on data protection, FinFan will coordinate with the competent authorities to handle it in accordance with the law.
• Dispute resolution: Any dispute or disagreement under this Policy shall first be resolved through amicable negotiation. If an agreement cannot be reached through amicable negotiation, either party has the right to bring the dispute to the competent authority for resolution.
• Disputes between the PAU and a third party: FinFan has no related responsibility but will only play a supporting role for the PAU, providing necessary information for the PAU and the relevant third party to resolve together. The PAU and the third party must directly resolve all issues related to the transactions of the PAU and the third party.
Any amendments, supplements, or replacements to this Data Protection Policy will be notified by FinFan on FinFan's website or the FinFan application or through the PAU's registered email. When FinFan makes changes or additions to this Policy, FinFan will amend the "Last Updated" date of the privacy policy. Unless otherwise specified, the PAU is deemed to have accepted all of FinFan's amended contents as notified if the PAU continues to use FinFan's Service.
This Policy is governed by and construed in accordance with the laws of Vietnam. If any provision of this Policy is deemed unlawful, void, or for any reason unenforceable by a competent court or regulatory authority, then that provision shall be deemed severable from this Policy and shall not affect the validity and enforceability of any remaining provisions of this Policy.