Privacy Policy
Last updated: March 30, 2026 · Version 2.0
This policy applies to all users, providers, and partners using the BANA platform in Vietnam. It is developed in compliance with the Personal Data Protection Law No. 91/2025/QH15, Decree No. 356/2025/ND-CP, the Cybersecurity Law No. 24/2018/QH14, and related legislation. This policy is effective in both Vietnamese and English. In case of any conflict between the two versions, the Vietnamese version shall prevail.
Key Definitions
In this Policy, the following terms are defined in accordance with the Personal Data Protection Law No. 91/2025/QH15:
- BANA: Acts as the Data Controller for account data on the BANA platform. For data entered by providers (customer and employee information), BANA acts as a Data Processor under a Data Processing Agreement (DPA) with the provider.
- Personal data: Digital data or information in other forms that identifies or helps identify a specific person (Article 2, Law 91/2025/QH15).
- Sensitive personal data: Personal data associated with the privacy of individuals which, when infringed upon, will directly affect lawful rights and interests — including financial information, biometric identifiers, health data, location data, and data relating to children.
- Data subject: A person who is reflected by personal data.
- Data controller: An agency, organisation, or individual that decides the purpose and means of personal data processing.
- Data processor: An agency, organisation, or individual that processes data at the request of the Data Controller.
Personal Data We Collect
We collect personal data that you provide directly when you create an account, configure your business, or interact with our services. This includes:
- Identity information: Full name, email address, phone number, and profile photograph (optional).
- Business information: Business name, business registration number, tax identification number (MST), business address, and industry category.
- Payment information: Billing address, bank account details for payouts, and payment method information. Note: full card numbers are never stored on our servers — payment card processing is handled by certified third-party payment processors.
- Employee data: Names, roles, contact details, and access permissions of employees you add to your BANA account.
- Customer data: Information about your customers that you choose to store in BANA, such as names, phone numbers, purchase history, and loyalty programme participation.
Sensitive personal data — under Decree No. 356/2025/ND-CP, financial information is classified as sensitive data and we apply enhanced protections:
- Payment information: Connected bank accounts, financial transaction history.
- Enhanced protections: AES-256 encryption, strict access controls, mandatory multi-factor authentication, no full card numbers stored on BANA servers.
You are responsible for ensuring that any personal data of third parties (employees, customers) that you input into BANA has been collected with appropriate consent and in compliance with applicable law.
Automatically Collected Data
When you access or use the BANA platform, we automatically collect certain technical and usage information, including:
- Device information: Device type, operating system, browser type and version, screen resolution, and device identifiers.
- Network information: IP address, internet service provider, and general geographic location (city or region level).
- Usage data: Pages visited, features used, click patterns, session duration, timestamps of access, and navigation paths within the platform.
- Performance data: Page load times, error logs, and crash reports that help us identify and resolve technical issues.
This data is collected through server logs, cookies, and similar technologies (see the Cookies & Tracking Technologies section below). It is used in aggregated or pseudonymised form to improve platform performance, security, and user experience.
Legal Basis for Processing
Under the Personal Data Protection Law No. 91/2025/QH15, we process your personal data based on one or more of the following legal grounds:
- Consent (Article 9, Law 91/2025/QH15): Where you have given clear, voluntary, and informed consent for a specific processing purpose — for example, when you create an account or opt in to marketing communications. You may withdraw consent at any time per Article 10; withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
- Contractual necessity: Where processing is necessary to perform the Terms of Service between BANA and you — creating and managing accounts, processing payment transactions, providing technical support.
- Legal obligation: Retaining financial records as required by the Law on Tax Administration No. 38/2019/QH14; providing information pursuant to lawful requests from competent state authorities.
- Legitimate interest: Processing for our legitimate interests such as fraud prevention, platform security, and service quality improvement — provided these interests do not override your rights and lawful interests.
Purpose of Processing
We use the personal data we collect for the following purposes:
- Service delivery: To create and manage your account, provide the BANA platform features, process sales transactions, manage inventory, and generate business reports.
- Payment processing: To facilitate billing, process subscription payments, issue invoices, and coordinate payouts through our payment processor partners.
- Communications: To send you essential service notifications (account alerts, billing reminders, security notices), and — with your consent — promotional communications about new features or offers.
- Platform improvement: To analyse usage patterns, conduct A/B testing, develop new features, and optimise platform performance and user experience.
- Fraud prevention & security: To detect, investigate, and prevent fraudulent transactions, unauthorised access, and other harmful activities on the platform.
- Legal compliance: To comply with applicable laws, regulations, and legal processes, including tax reporting obligations, audit requirements, and lawful government requests.
- Customer support: To respond to your enquiries, troubleshoot issues, and provide technical assistance.
Data Sharing & Third-Party Processors
We do not sell, rent, or trade your personal data to any third party. We share your information only in the following limited circumstances and with appropriate safeguards:
- Payment processors: We share transaction data with certified payment processors (such as VNPAY, Momo, ZaloPay) strictly as necessary to process your payments. These processors are bound by their own data protection obligations and PCI DSS compliance requirements.
- Cloud hosting & infrastructure: Your data is hosted on cloud infrastructure providers operating within Vietnam. These providers are contractually obligated to maintain appropriate security measures and process data only on our instructions.
- Analytics providers: We use analytics services to understand platform usage patterns. Where possible, data shared with analytics providers is anonymised or pseudonymised.
- Customer support tools: We may use third-party tools to manage support tickets and communications, sharing only the information necessary to resolve your enquiry.
Legal disclosure: We may disclose personal data when required by lawful request from a competent state authority in accordance with legal procedures. Where legally permitted, we will notify you of such disclosure.
Providers using BANA: Providers may access customer and employee data they have entered into BANA in their capacity as Data Controllers. BANA is not responsible for providers' independent data processing activities outside the platform. We enter into Data Processing Agreements (DPA) with all third parties processing data on BANA's behalf.
Cross-Border Data Transfers
All personal data of Vietnamese users is stored on servers located within the territory of Vietnam, in compliance with Article 26(3) of the Cybersecurity Law No. 24/2018/QH14.
In limited circumstances, your data may be processed outside of Vietnam — for example, when a third-party service provider with international infrastructure is involved in payment processing or technical support. In such cases, we fully comply with Article 20 of Law 91/2025/QH15 and Decree No. 356/2025/ND-CP, including:
- Preparing and submitting a Cross-border Transfer Impact Assessment (CTIA) to the data protection authority (Ministry of Public Security) within 60 days of the first transfer.
- Executing data transfer agreements with recipients ensuring protection standards equivalent to Vietnamese law.
- Updating the assessment within 6 months when there are changes to partners, data types, or transfer purposes.
- Notifying you and obtaining your consent where legally required.
You will be informed if any material change in data transfer practices occurs, and where legally required, your consent will be obtained before transferring personal data to a new jurisdiction.
Data Retention & Deletion
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our retention periods are as follows:
- Active account data: Retained for the duration of your active subscription and account.
- Post-termination: Upon account cancellation or termination, your data is retained for 30 days to allow you to export your information or reactivate your account. After this period, personal data is permanently deleted from our active systems.
- Financial and tax records: Transaction records, invoices, and related financial data are retained for 10 years as required by Vietnamese tax legislation (Law on Tax Administration No. 38/2019/QH14).
- Audit and security logs: System access logs and security event records are retained for 2 years for security monitoring and incident investigation purposes.
- Anonymised data: Aggregated, anonymised data that cannot be used to identify individuals may be retained indefinitely for statistical and analytical purposes.
When personal data is no longer required, it is securely deleted or irreversibly anonymised using industry-standard methods.
Data Security Measures
In compliance with Article 25 of Law 91/2025/QH15 and Article 17(2) of the Cybersecurity Law No. 24/2018/QH14, we implement comprehensive technical and organisational measures to protect your personal data:
Technical measures:
- TLS 1.3 encryption for all data in transit.
- AES-256 encryption for sensitive data at rest.
- Multi-factor authentication for administrative and production system access.
- Role-based access controls with the principle of least privilege.
- Regular security assessments, penetration testing, and vulnerability scanning.
- Regular encrypted data backups.
Organisational measures:
- Regular employee training on personal data protection.
- Data access controls based on role and function.
- Annual security assessments and penetration testing.
- Clear data incident handling policies with escalation procedures.
For a detailed overview of our security practices, architecture, and certifications, please visit our Security page.
Your Rights
Under Article 4(1) of the Personal Data Protection Law No. 91/2025/QH15, you have the following 7 rights as a data subject:
1. Right to be informed: To be informed about personal data processing activities — purposes, methods, parties involved, and retention periods.
2. Right to consent or refuse: To consent to or refuse data processing; to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
3. Right to access and rectification: To view all personal data we hold about you and to correct inaccurate or incomplete information. Many corrections can be made directly in your BANA Account Settings.
4. Right to erasure, restriction, and data provision: To request deletion of personal data (except data required to be retained by law); to request processing restriction; to receive your personal data in a readable format (CSV/JSON) for transfer to another service.
5. Right to object: To object to the processing of your personal data, particularly where processing is based on legitimate interest. We will review and respond in accordance with the law.
6. Right to complain, denounce, and claim compensation: To file complaints, denounce violations, initiate lawsuits, and claim damages if your rights are infringed. You may also file complaints with the data protection authority (Ministry of Public Security).
7. Right to request authority protection: To request competent authorities or relevant organisations to implement measures to protect your personal data in accordance with the law.
To exercise any of these rights, please contact us at support@bana.com.vn. We will acknowledge your request within 24 hours and provide a substantive response within 72 hours, as required by Vietnamese data protection law. In complex cases, we may extend this period by an additional 30 days, with prior notice to you.
Children's Privacy
Under Article 24 of the Personal Data Protection Law No. 91/2025/QH15, data relating to children is classified as sensitive data and must comply with enhanced protections. BANA is a business-to-business (B2B) platform. We do not intentionally collect, store, or process personal data of individuals under the age of 16 for any purpose.
If we discover that we have inadvertently collected data from an individual under 16, we will promptly delete it upon confirmation. Parents or legal guardians may contact us at support@bana.com.vn.
Note per Article 24 of Law 91/2025/QH15: For children aged 7 and older, if platform usage involves processing data for the purpose of publishing or disclosing information about their private life, the consent of both the child and their legal representative is required.
Data Breach Notification
In compliance with Article 23 of Law 91/2025/QH15 and Decree No. 356/2025/ND-CP, when a personal data breach occurs, we will:
- Notify the competent authority: Within 72 hours of detecting the breach, report to the data protection authority (Ministry of Public Security).
- Notify affected users: Promptly inform affected users via email and in-platform notification, providing details about the nature of the breach, the categories and estimated number of affected data subjects, the likely consequences, and the measures we have taken or propose to take to address the breach and mitigate its effects.
- Investigate and remediate: Immediately isolate affected systems, investigate root cause, and resolve the issue.
- Maintain incident records: Keep detailed records of all data breaches, including events, impacts, and corrective actions taken, regardless of whether reporting to authorities is required.
Our incident response procedures are designed to contain breaches swiftly and minimise impact. For more information, see our Security page.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or business operations. For material changes — including changes to the categories of data collected, processing purposes, or third-party sharing practices — we will notify you by email at least 30 days before the changes take effect.
All updates will be indicated by a revised "Last updated" date at the top of this page. We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data. Your continued use of the platform after the effective date of any update constitutes acceptance of the revised policy.
This policy is effective in both Vietnamese and English. In case of any conflict between the two versions, the Vietnamese version shall prevail.
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact us:
- Email: support@bana.com.vn
- Hotline: (+84) 326 205 555
- Responsible entity: Nexpando
We are committed to responding to all privacy-related enquiries within 72 hours.