Personal Data Protection Policy

PERSONAL DATA PROTECTION POLICY

This Personal Data Protection Policy was last updated on 02/02/2026.

FPT International Telecom Company Limited (“FTI”) is incorporated under Vietnamese law, with its head office at Lot L.29B-31B-33B Tan Thuan Road, Tan Thuan Export Processing Zone, Tan Thuan Ward, Ho Chi Minh City, Vietnam.

To comply with applicable personal data protection laws, FTI issues this Policy to transparently describe how FTI collects, controls, processes, and protects customers’ personal data.

ARTICLE 1. DEFINITIONS

• FTI: FPT International Telecom Company Limited.
• Policy: This Personal Data Protection Policy.
• Personal Data: Digital data or other information that identifies or helps identify a specific individual, including basic personal data and sensitive personal data under applicable law.
• Basic Personal Data: Includes full name, date of birth, gender, contact address, nationality, personal image, phone number, personal identification number, and other data that can identify an individual.
• Sensitive Personal Data: Personal data related to privacy that may directly affect lawful rights and interests of an individual if compromised (for example: financial, health, biometric, location, and online behavior data).
• Data Subject: The individual to whom personal data relates.
• Personal Data Processing: One or more actions on personal data, such as collection, analysis, encryption, storage, modification, deletion, disclosure, transfer, and related activities.
• Personal Data Controller/Processor/Controller and Processor: As defined under applicable law.
• Providing Party: The party providing personal data of a Data Subject to the other party during preparation, performance of transactions, contracts, agreements, or interactions.
• Transaction Channels: Channels between FTI and the other party, including contracts, websites, applications, and other lawful channels provided by FTI from time to time.

ARTICLE 2. DATA SOURCES AND TYPES OF PERSONAL DATA COLLECTED, CONTROLLED, AND PROCESSED

1. Sources of personal data collection

• Directly from the Providing Party through contract execution, service registration/use, and information exchange through lawful channels, including cloudconnect.vn.
• From data generated during service delivery/use on systems, platforms, and technical infrastructure managed or operated by one of the parties.
• From third parties (affiliates, partners, service providers, etc.) where the Data Subject has consented or law permits.
• From competent authorities or government agencies in accordance with law.

2. Types of personal data collected, controlled, and processed

• Identity and contact data: full name, date of birth, gender, address, email, phone number, personal identification number.
• Personal images (including images provided at service registration or uploaded on FTI website/application).
• Bank card/account information.
• Call, SMS, and call recording data generated when using FTI voice/SMS/contact-center services.
• Image/audio/video data generated when using services with storage functions.
• Data uploaded, stored, or generated by the Providing Party on cloud service platforms.
• Online activity history data and telecom consumption behavior data (call, sms, data, vas).

ARTICLE 3. COMMITMENT TO PERSONAL DATA PROTECTION

• Personal data is collected, processed, and stored lawfully, for proper purposes, and within stated scope.
• Data processing is based on information provided by the Providing Party; inaccurate or outdated data will be amended/deleted in accordance with law.
• The parties proactively prevent, detect, and handle violations of personal data protection laws.
• Each party is responsible for ensuring its own partners also comply with personal data protection requirements.

ARTICLE 4. PURPOSES OF CONTROLLING AND PROCESSING PERSONAL DATA

The Providing Party agrees that FTI may process and/or participate in processing personal data for the following purposes:

• Supporting and updating customer information for products/services provided by FTI and/or third parties via FTI.
• Providing third-party services (including account/resource/brandname/hotline registration and management, warranty support, and forwarding information to service providers).
• Marketing, trade promotion, and market research activities.
• Service innovation, internal analytics, and quality improvement.
• Handling customer inquiries and complaints.
• Identity verification, fraud prevention, and information security.
• Compliance with laws, industry standards, record retention obligations, and tax obligations.
• Other lawful operational purposes notified by FTI at collection time or before processing.

ARTICLE 5. PERSONAL DATA RETENTION AND PROCESSING PERIOD

Each party stores and processes personal data within the necessary scope for service delivery/use, contract performance, legal compliance, and dispute resolution (if any), unless the Data Subject submits a written request to withdraw consent or restrict processing as permitted by law.

ARTICLE 6. ORGANIZATIONS RELATED TO PERSONAL DATA PROCESSING

1. Data recipients

To the extent necessary and lawful, FTI may transfer/disclose personal data to:

• FPT Group and member companies; telecom operators, carriers, contractors, agents, business partners, and service/goods providers participating in data processing by agreement.
• FTI branches, business units, agents, officers, and employees within assigned duties.
• Related organizations/individuals such as auditors, inspectors, lawyers, arbitrators, courts, and competent authorities as required by law.

2. Cross-border data transfer

FTI may transfer personal data abroad for processing/storage for the purposes in Article 4, in compliance with Vietnamese law.

ARTICLE 7. PERSONAL DATA PROCESSING IN SPECIAL CASES

• CCTV footage may be used for quality assurance, public safety, occupational safety, preventing unauthorized use, detecting violations, and incident investigation.
• For children’s data, in addition to legal protections, the processing party verifies age and obtains required consent from children and/or parents/guardians under law.
• For personal data of missing or deceased individuals, processing is performed only with consent of relevant persons in accordance with law.

ARTICLE 8. DATA SUBJECT RIGHTS AND OBLIGATIONS

1. Data Subject rights

• Right to be informed and right to consent regarding personal data processing.
• Right to access, correct, and request correction of personal data.
• Right to request deletion in cases prescribed by law.
• Right to request restriction/object to one or more processing activities subject to legal conditions.
• Right to withdraw consent at any time in writing (without affecting lawfulness of prior processing).
• Right to complain, denounce, litigate, and claim actual damages as prescribed by law.

2. Providing Party obligations

• Ensure legal basis and required consent when providing personal data of related individuals.
• Provide complete and accurate personal data according to contracts/agreements and legal requirements.
• Comply with laws and FTI guidance related to personal data processing.
• Take responsibility where data leakage/infringement is caused by its own fault.
• Regularly update FTI personal data protection rules/policies notified through FTI transaction channels.

ARTICLE 9. POTENTIAL UNINTENDED CONSEQUENCES AND DAMAGES

Although FTI applies multiple security technologies, no system is 100% secure. Potential risks may include:

• Hardware/software failures causing data loss.
• Security vulnerabilities outside FTI control leading to breaches.
• Data Subject disclosure due to carelessness or fraud (accessing malicious websites/apps).

FTI recommends safeguarding passwords and OTPs, avoiding credential sharing, and logging out when not using services. If a breach causing data loss occurs, FTI will notify competent authorities and affected customers in accordance with law.

ARTICLE 10. GENERAL TERMS

• This Policy may be updated, amended, or supplemented in accordance with law without prior notice, except where law requires separate consent from the Providing Party.
• Continued use of FTI products/services after notification period means acceptance of updated terms.
• This Policy is governed by and interpreted under Vietnamese law.
• This Policy represents the entire agreement on personal data protection between the parties and forms an inseparable part of referenced contracts/agreements.
• If any provision is declared invalid by a competent court, remaining provisions remain fully effective.
• This Policy is publicly published on the website for transparency and compliance.