PERSONAL DATA PROTECTION POLICY

This Personal Data Protection Policy (also known as the Privacy Policy) (the “Policy”) sets forth the methods by which we process Personal Data (including but not limited to the collection, processing, transfer, and storage) and perform other activities impacting the Personal Data of the Data Subject arising during the operation and business of Syrena Joint Stock Company, having its head office at No. 51 Xuan Dieu Street, Tay Ho Ward, Hanoi, Vietnam and the official website at syrena.vn (the “Company”).

The Company commits to protecting the privacy and security of the Data Subject’s Personal Data in accordance with this Policy and current legal regulations.

This Policy includes contents as below:

1. DEFINITIONS

Unless otherwise provided in this Policy, terms and abbreviations used in this Policy shall have the following meanings:

a) “Data Subject” means an individual to whom the Personal Data reflects, including but not limited to the Valued Customers who are potential customers, subscribers, users, or persons with needs to use products, utilities, services (including accommodation services, food and beverage services and/or other services) of the Company; individuals having transactions, cooperation, interactions, and/or legal relationships with the Company; and Related Persons of the Data Subject;

b) “Company” means Syrena Joint Stock Company, operating under Business Registration Certificate No. 0100112525 first issued by the Hanoi Department of Finance on November 15^th, 2011, as amended from time to time (if any);

c) “Competent State Authority” means a state agency authorized and assigned responsibilities by law, having the authority as prescribed by law to decide on matters arising from and related to the Company, the Data Subject as well as the Signed Documents;

d) “Personal Data” or “PD” means the personal data of the Data Subject, including information in the form of symbols, letters, numbers, images, sounds, or similar forms in the electronic environment which is associated with a specific person or helps identify a specific person, including basic personal data and sensitive personal data;

e) “Signed Documents” means contracts, agreements and/or other documents signed between the Data Subject and the Company in any form in accordance with the provisions of law, including appendices, amendments, supplements and extensions (if any);

f) “Personal Data Processing” or “PD Processing” means an activity impacting Personal Data, including one or more of the following activities: collection, recording, analysis, synthesis, confirmation, storage, correction, disclosure, combination, access, retrieval, recovery, encryption, decryption, de-identification, copying, sharing, transmission, provision, transfer, deletion, destruction of Personal Data or other relevant actions in accordance with the law;

g) “Personal Data Controller and Processor” means an organization or individual that simultaneously decides the purposes and means and directly performs Personal Data Processing; in this case, the Personal Data Controller and Processor is the Company;

h) “Personal Data Processor” or “PD Processor” means a party that performs Personal Data Processing on behalf of the Personal Data Controller and Processor through a contract or agreement with the Personal Data Controller and Processor;

i) “Permitted Purposes” means the purposes specified in Section 4 of this Policy;

j) “Related Persons of the Data Subject” include co-owners, co-users, dependents, related persons as prescribed by law, spouse, children, and/or parents and/or guardians, beneficiaries, authorized persons, designated representatives, emergency contacts, or other individuals of the Data Subject;

k) Terms not defined in this Section shall be interpreted in accordance with the Signed Documents and current provisions of law.

2. PROCESSED PERSONAL DATA

From time to time and for the Permitted Purposes, the Personal Data Controller and Processor may collect and process the following Personal Data of the Data Subject and the Related Persons of the Data Subject:

a) Basic Personal Data:

(i) Surname, middle name, and given name; date, month, and year of birth; gender; nationality; identity card number/citizen identification card number/passport number, date of issuance, and place of issuance; personal identification number; visa information; personal tax identification number;

(ii) Temporary residence, current residence, contact address;

(iii) Contact telephone number; email;

(iv) Images, audio recordings, and video recordings of the Data Subject (including information obtained from security systems, including recordings of the Data Subject on camcorder systems and surveillance cameras at the Company’s business/transaction locations);

(v) Feedback and opinions of the Data Subject according to the Company’s survey programs;

(vi) Other personal data of the Data Subject that the Company deems necessary for the implementation of Permitted Purposes as specified in this Policy;

(vii) Other personal data of the Data Subject that the Company needs to collect to ensure compliance with legal regulations and/or at the request of Competent State Authorities;

(viii) Other basic personal data that the Data Subject has consented to provide or already provided to Company.

b) Sensitive Personal Data:

Sensitive personal data of the Data Subject as prescribed by law that may be collected and processed by the Company from time to time to perform the Permitted Purposes, including:

(i) Images of identity cards, citizen identification cards, and people’s identity cards; passport images;

(ii) Biometric data, face ID;

(iii) Health status, physical characteristics, or allergies (including but not limited to food allergies, mobility restrictions, pregnancy status, or other health conditions) voluntarily provided by the Data Subject for the purpose of ensuring safety and service quality.

3. METHODS OF COLLECTING PERSONAL DATA

The Company may collect Personal Data from all sources, channels, and domains of the Company when the Data Subject and/or the Related Persons of the Data Subject initially provide or update/supplement the same to the Company from time to time, including but not limited to:

a) When the Data Subject directly contacts the Company at its head office address/representative offices/branches or at the Company’s transaction locations; accesses, contacts, and interacts through the Company’s websites, applications, social networks, call centers, or through other official contact/information channels of the Company;

b) When the Data Subject registers to participate or participates in the Company’s programs, events, and trade promotion programs;

c) When the Data Subject registers, uses, or is registered to use products, services, or utilities provided by the Company, or registers to participate in customer care programs, promotional programs, or other programs organized directly by the Company or through organizations, enterprises, or partners collaborating with the Company;

d) When the Data Subject provides Personal Data to the Company through transactions, interactions, and/or other forms of information provision, and other legal sources and methods;

e) Through receiving/sharing necessary Personal Data from the parent company, subsidiaries, affiliates, or partners/cooperating entities of the Company during the course of cooperation with the Company in accordance with legal regulations. In this case, the data will be processed according to the respective policies of the relevant partners/cooperating entities before being transferred to the Company. The Data Subject should refer to the corresponding policies of the relevant partners/cooperating entities to understand how their Personal Data is protected before being transferred to the Company’s systems.

4. PERSONAL DATA PROCESSING PURPOSES

The Company may process Personal Data for the following purposes:

a) To receive information for consulting, introducing products, services, and evaluating the ability to provide products, services, utilities, and/or entering into contracts with the Data Subject, including:

(i) Identifying and verifying information about the Data Subject;

(ii) Consulting, reviewing, and evaluating the ability to provide products and services according to registration documents, applications, or other documents of the Data Subject and/or Related Persons of the Data Subject; signing contracts/agreements with the Data Subject and/or Related Persons of the Data Subject;

(iii) Considering the provision or continued provision of any products, services, or utilities of the Company to the Data Subject;

b) To exercise the rights and fulfill the obligations under the Signed Documents and/or agreements, terms, conditions, and other instruments between the Company and the Data Subject, including:

(i) Identifying, authenticating, and verifying the information of the Data Subject, and recording the Data Subject’s information for transactions under the Signed Documents;

(ii) Notifying/maintaining communication and contact with the Data Subject;

(iii) Assisting the Data Subject in consulting and addressing information, inquiries, claims, and complaints, and resolving issues arising in relation to transactions under the Signed Documents;

(iv) Making payments/requesting payments or receiving payments;

(v) Managing customer information, including but not limited to transaction information, history of using products, services, and utilities, booking information, registration, accommodation, and other information arising during the process of the Data Subject transacting, registering, or using the Company’s products, services, or utilities;

(vi) Performing customer care and support activities;

(vii) Implementing cooperation programs with organizations, enterprises, and partners of the Company, including the provision of products, services, utilities, incentives, benefits, or other content to employees of organizations, enterprises, or individuals entitled to benefits under the cooperation programs;

(viii) To ensure the safety, health, and life of the Data Subject during the use of services: Using information on health status, allergies, or physical restrictions to adjust menus, arrange suitable accommodation, and prepare necessary support/rescue plans in cases of emergency;

(ix) To receive and store information and implement procedures to support the return of lost property to the Data Subject;

(x) Exercising other rights and fulfilling other obligations under the Signed Documents;

c) To notify and organize the implementation of policies, programs/events, promotions, advertisements, and other trade promotion activities of the Company and/or partners/cooperating entities of the Company:

d) To consult and introduce products and services of the Company and/or trusted partners who have signed cooperation and personal data confidentiality agreements with the Company;

e) To serve the fulfillment of needs and enhancement of the experience of the Data Subject and Related Persons of the Data Subject; to ensure the quality of services, products, and goods provided to the Data Subject and perform transactions, contracts/agreements signed with the Data Subject, as well as for requirements of governance, administration, operation of activities, and business of the Company in accordance with the law (including but not limited to the performance of reporting, financial, accounting, and tax obligations, activities for auditing and compliance purposes, and other activities serving the lawful business of the Company in cases where the Company deems necessary); to introduce and provide promotional programs and incentives for products and services of the Company and those of the Company in cooperation with partners; to suggest products and services that the Data Subject may be interested in through identifying the Data Subject’s preferences; to market and promote products and services, including building campaigns based on the Data Subject’s preferences;

f) To restructure, transfer a project/business: In the course of business, the Company may sell or buy businesses, restructure businesses, or transfer projects or other services in accordance with the law. Accordingly, Personal Data and the right to use information in general are among the transferred assets. In all cases, the transfer and processing of data shall be performed by the parties in accordance with the law and this Policy;

g) To collect statistics or analyze data for researching, building, developing, and improving products, service quality, and enhancing the experience of the Data Subject and Related Persons of the Data Subject; to carry out market research and analysis;

h) To resolve issues arising related to the use of websites/applications, and official contact/information channels of the Company;

i) To manage, monitor, and control the entire process of providing products and services of the Company under the Signed Documents, including verification, review, assessment, and resolution of relevant complaints and disputes;

j) To comply with the law and meet the requirements of Competent State Authorities, including but not limited to the performance of obligations regarding information disclosure, reporting, declaration, registration, provision of information, record storage, inspection, and examination in accordance with legal regulations on promotion, accommodation, security and order, fire prevention and fighting, finance, accounting, tax, and other legal regulations relevant to the Company’s business activities, etc.;

k) To archive, manage and reserve for disaster recovery or for similar purposes;

l) Other purposes consented to by the Data Subject on the basis of compliance with legal regulations or as required/permitted by law or Competent State Authorities, and other purposes stated in this Policy.

(The purposes stated in Section 4 of this Policy are collectively referred to as the “Permitted Purposes”).

5. METHODS OF PROCESSING PERSONAL DATA

From time to time and depending on each Permitted Purpose, the Company will perform one or more activities affecting Personal Data, including Personal Data Processing activities. Personal Data Processing activities may be performed by the Company in automated or non-automated manners, by electronic means or manual methods or any other appropriate methods not prohibited by law, including:

a) Methods of collecting Personal Data including but not limited to collecting from: websites, applications; from the provision of products, services, and the performance of obligations under contracts and agreements of the Company; exchanges and communications with the Data Subject; social networks; audio and video recording devices; from interactions or automated data collection technologies and other means not prohibited by law;

b) Methods of storage: In accordance with the Permitted Purposes and in compliance with the provisions of law;

c) Methods of transferring/sharing Personal Data: In accordance with the Permitted Purposes and in compliance with the provisions of law;

d) Methods of analysis and encryption: In accordance with the internal procedures of the Company and the provisions of law;

e) Methods of data deletion: In compliance with the provisions of law and internal regulations of the Company.

Throughout the process of Personal Data Processing, security is the Company’s highest priority. The Company has appropriate technical measures to prevent unauthorized access to or use of Personal Data. The Company commits to Processing Personal Data under careful control and implementing reasonable and necessary measures to protect the Personal Data of the Data Subject.

6. PROCESSING OF CHILDREN’S PERSONAL DATA

a) The Company will process Personal Data of children based on the principle of protecting the rights and for the best interests of children and in accordance with the provisions of law;

b) The Company only Processes Personal Data of children and provides products and services to children if the parents or guardians consent to the children using the Company’s products and services, consent to the Company’s processing of the children’s Personal Data, agree to this Policy, and comply with relevant legal requirements. In case children aged 7 or older use the Company’s services and products, in addition to the requirements stated herein, the Company shall only process the Personal Data of children upon obtaining their consent. Parents or guardians are responsible for obtaining the children’s consent before providing the their Personal Data to the Company.

7. COMMENCEMENT AND TERMINATION OF PERSONAL DATA PROCESSING

The Company shall commence Personal Data Processing from the time of receipt of the Personal Data and shall continue processing in the period necessary to fulfill the Permitted Purposes and/or in the mandatory retention period as prescribed by law (whichever is longer), unless the Personal Data is deleted or destroyed upon a valid request from the Data Subject or in accordance with the provisions of law.

8. ORGANIZATIONS AND INDIVIDUALS RELATED TO PERSONAL DATA PROCESSING PURPOSES

a) The Data Subject clearly understands that the Company may transfer and share the Personal Data of the Data Subject with enterprises and organizations providing services, operations management, consulting, surveys, marketing, and advertising of products/services in which the Data Subject has a need to inquire or transact; organizations, enterprises, related units/departments, and employees of the Company, its parent company, subsidiaries, and affiliates, investors, owners, brokers, agents, and consulting units, experts, auditors, lawyers, cooperation and business partners, providers of information technology solutions, application software, operation services, incident management, and infrastructure development, and contractors supplying services and goods to serve the performance of transactions and contracts/agreements already signed or to be signed, the performance of legal procedures related to products/services, as well as for serving and enhancing the experience of the Data Subject and/or the Related Persons of the Data Subject during the period of using products/services, and for the governance, administration, operational, and business requirements of these entities in accordance with the provisions of law and for other Permitted Purposes under this Policy; any individual or organization being a representative or authorized party of the Data Subject, acting on behalf of the Data Subject. Parties receiving Personal Data are obligated to maintain the confidentiality of the Personal Data in accordance with the Company’s requirements and current provisions of law;

b) From time to time, the Company may have to share Personal Data with the Competent State Authority in accordance with legal regulations.

9. RIGHTS AND OBLIGATIONS OF THE DATA SUBJECT

a) Rights of the Data Subject

Unless otherwise provided by law, the Data Subject has the following rights:

(i) To be informed about the processing of their Personal Data, unless otherwise provided by law;

(ii) To consent, withhold consent, or withdraw consent to the Processing of their Personal Data, unless otherwise provided by law;

(iii) To access to view, correct, or request the correction of their Personal Data;

(iv) To delete or request the deletion of their Personal Data;

(v) To request restriction of or to object to the Processing of Personal Data;

(vi) To request the provision of their own Personal Data; and

(vii) Other rights as prescribed by law.

Please note:

(a.1) In certain cases, the Data Subject’s withholding of consent or withdrawal of consent to the Personal Data Processing; request for restriction of or objection to the Personal Data Processing; deletion or request for deletion of Personal Data may affect the Company’s ability to provide or maintain the provision of products, services, customer care services to the Data Subject and/or the Related Persons of the Data Subject, or to process the Data Subject’s complaints;

(a.2) Upon receipt of a request from the Data Subject regarding the exercise of right(s) related to Personal Data, the Company shall notify the Data Subject of the potential consequences when the Data Subject’s request is fulfilled;

(a.3) Upon receipt of a request for deletion of Personal Data from the Data Subject, prior to deleting the Personal Data (whether due to the Data Subject’s withdrawal of consent or request for deletion of Personal Data), the Company shall check whether there are any legitimate reasons, responsibilities, or legal obligations of the Company or any members of our corporate group related to the requirement to back up, continue to store, or being permitted to process the Personal Data of the Data Subject for the purpose of legal compliance;

(a.4) The Company will process the Data Subject’s requests in accordance with the provisions of law and considering the legitimate interests of the Data Subject. However, in the event that the Data Subject withdraws their consent, requests data deletion and/or exercises other related rights regarding any or all Personal Data which affects the ability to provide/maintain the Company’s products and services to the Data Subject or to maintain the contractual relationship, depending on the nature of the Data Subject’s request, the Company may consider and decide on not continuing to provide the Company’s products and services to the Data Subject or terminating the transaction/contractual relationship between the Company and the Data Subject. The acts performed by the Data Subject under this provision shall be deemed as a unilateral termination by the Data Subject of any relationship between the Data Subject and the Company and may fully lead to a breach of contractual obligations or commitments between the Data Subject and the Company, while the Company reserves its legal rights and remedies in such cases. Accordingly, the Company shall not be liable to the Data Subject for any losses arising and the Company’s legal rights shall be fully reserved. With reasonable efforts, the Company will fulfill legal and valid requests from the Data Subject within a period consistent with the provisions of law. However, for security purposes, the Company may require the Data Subject to verify their identity before processing the Data Subject’s request.

The Company has the right to refuse to fulfill the Data Subject’s requests in certain cases, including but not limited to: (i) the Data Subject fails to follow the sequence and procedures guided by the Company in which the request content lacks information or is invalid; (ii) the Data Subject fails to provide or to fully provides papers and documents to verify their identity; or (iii) in case the Company assesses that there are signs of fraud or violations of Personal Data protection; or (iv) the provisions of law do not permit the fulfillment of the Data Subject’s request.

The Data Subject may exercise their rights by contacting the Company according to the contact information detailed in Section 12 (d) – Contact information of this Policy.

b) Obligations of the Data Subject

(i) To self-protect their own Personal Data; to request other relevant organizations and individuals to protect their Personal Data. To promptly notify the Company upon discovering any errors, inaccuracies, or leakage of Personal Data or suspecting that Personal Data is being compromised;

(ii) To respect and protect the Personal Data of others;

(iii) To provide full and accurate Personal Data when consenting to the Processing of Personal Data. In the event of any inaccurate information, the Data Subject shall bear the consequences at their own expense if such information affects or restricts the rights and interests of the Data Subject;

(iv) To comply with legal regulations on personal data protection and participate in the prevention and combating of violations of personal data protection regulations;

(v) Other obligations as prescribed by law.

10. POTENTIAL UNEXPECTED CONSEQUENCES AND DAMAGES

a) The Company uses various information security technologies such as firewall systems, access control measures, encryption, etc., to protect and prevent Personal Data from being accessed, used, or shared unauthorizedly. However, in reality, the Company cannot completely eliminate security risks that may occur during the process of Personal Data Processing in certain cases such as: (i) system errors, hardware or software errors during the process of Personal Data Processing which may cause the loss of the Data Subject’s personal data; (ii) security vulnerabilities beyond the Company’s control, the system being attacked by hackers causing data leakage or exposure, or due to objective causes beyond the Company’s control which may cause unexpected consequences and damages to the Data Subject; (iii) telecommunications infrastructure incidents or data transmission interruptions due to the geographical characteristics of the business premises (bay areas or areas with poor signal density) leading to delays in updating or retrieving data.

b) The Company recommends:

(i) The Data Subject shall keep information related to account login passwords and OTPs confidential and shall not share this content with any other person.

(ii) The Data Subject should be well aware that at any time the Data Subject discloses and publicizes their Personal Data, such data may be collected and used by others for other purposes beyond the control of the Data Subject and the Company.

(iii) The Company recommends the Data Subject to preserve their personal devices (mobile phones, tablets, personal computers, etc.) during use. The Data Subject should log out of their account when not in use.

(iv) Cyberspace is not a secure environment and the Company cannot absolutely guarantee that Personal Data shared via cyberspace will always be kept confidential. When transmitting Personal Data via cyberspace, the Data Subject should only use secure systems to access websites, applications, or devices. The Data Subject is responsible for keeping their access credentials for each website, application, or device secure and confidential.

c) In the event of a security incident or risk during the processing of Personal Data, the Company will notify the Data Subject and simultaneously notify the personal data protection violation to the functional authorities in accordance with current legal regulations (if a violation is detected) and strive to implement remedial and preventive measures to minimize consequences;

d) The Data Subject confirms having understood the potential risks and damages to their Personal Data.

e) For Personal Data collected through partners/cooperating entities (including but not limited to online travel agencies, travel agencies, table booking applications, or other intermediary platforms), the Data Subject understands and agrees that such Personal Data shall be processed in accordance with the personal data protection policies of those partners/cooperating entities prior to being transferred to the Company. The Company disclaims all liability for any data processing activities, risks, or incidents occurring while the Personal Data is under the control or custody of such partners/cooperating entities.

11. CROSS-BORDER TRANSFER OF PERSONAL DATA

The cross-border transfer of Personal Data (if any) shall be carried out in accordance with the provisions of law.

12. OTHER PROVISIONS

a) When Personal Data of the Related Persons of the Data Subject is provided to the Company, the Data Subject and the Related Persons of the Data Subject represent, warrant, and take responsibility that the information has been fully provided and has been legally consented to/approved by the Data Subject and the Related Persons of the Data Subject to be processed in accordance with this Policy.

The Data Subject and the Related Persons of the Data Subject agree that the Company is not responsible for verifying the legality or validity of such consent/approval. The Company shall be held harmless and is entitled to compensation for related damages and costs in the event that the Data Subject and the Related Persons of the Data Subject fail to strictly comply with the provisions herein.

b) The Data Subject confirms that, by accepting this Policy, the Data Subject has consented to the Company and the parties involved in the Data Processing process processing Personal Data for each purpose of processing according to the Policy; is fully aware of the types of data processed, the purposes of data processing, the organizations and individuals permitted to Process Personal Data, and their rights and obligations related to Personal Data. The Data Subject has been notified by the Company, is aware of, and agrees to all contents required to be notified before Personal Data is processed by the Company and/or organizations and individuals involved in the Personal Data Processing process. The Data Subject agrees that the Company and the organizations and individuals involved in the Personal Data Processing process do not need to perform re-notification before Processing Personal Data in accordance with this Policy.

c) Amendments and Supplements to the Policy

The Data Subject agrees and confirms that the Company may amend and supplement this Policy from time to time in accordance with current legal regulations and publicly announce the same at the Company’s head office address and/or update it on the Company’s official website or by other appropriate methods (if any).

The Data Subject should regularly access the Company’s official website to check and update any changes/amendments/supplements (if any) to the Policy from time to time.

The Data Subject’s continued use of or interaction with the Company’s products, services, or applications shall be understood that the Data Subject has read and understood this Policy along with relevant amendments and supplements from time to time.

d) Contact information

In case of any questions and/or requests related to this Policy or the exercise of rights regarding their Personal Data, the Data Subject please send the request to the email address: bvdlcn@syrena.vn; or contact us at the following information:

Syrena Joint Stock Company

Transaction address: No. 51 Xuan Dieu Street, Tay Ho Ward, Hanoi, Vietnam

Telephone number: 02437197214

Working hours: (excluding holidays and Tet) Monday to Friday – From 8:30 to 17:30 and Saturday – From 8:30 to 12:00.