Privacy Policy

PERSONAL DATA PROTECTION AND PROCESSING POLICY

(Issued together with Decision No. 065/2023/QĐ-IQ8-HN dated July 1, 2023)

ARTICLE 1: INTERPRETATION OF TERMS AND ABBREVIATIONS

1.1. IQ8 is Idemitsu Q8 Petroleum Limited Liability Company
1.2. Individual means the individual whose personal data is reflected, including:
a. Employee: An individual who applies for recruitment positions, signs probation contracts, or labor contracts with IQ8 in accordance with labor law;
b. Related person: A person identified as a related party of IQ8 under the law;
c. Customer: An individual or a lawful representative of an individual who engages in purchasing goods, conducting other transactions with IQ8;
1.3. Goods are products that IQ8 is allowed to sell at its business locations according to Vietnamese law.

ARTICLE 2: HANDLING OF PERSONAL DATA

2.1. Collection Cases:
a. Employees in the process of applying, negotiating, signing, or performing labor contracts;
b. Individuals related to IQ8 as per current law;
c. Customers or lawful representatives of Customers contacting IQ8 to purchase goods;
d. Customers signing goods purchase contracts with IQ8;
e. When Customers agree to provide personal data to IQ8 through public sources such as meetings, events, seminars, conferences, social networks, or dialogue programs sponsored or attended by IQ8, and/or from cookies recorded on IQ8’s website;
f. When customers of an organization or business allow that organization or business to share the customer's personal data with IQ8;
g. Customers of an organization or business cooperating with IQ8 to provide products or services.
h. When required by competent state agencies.
i. When IQ8 performs tasks for the purposes stated in Article 3 of this Policy.
j. Other cases as prescribed by law.

2.2. Collected Data:
2.2.1. Basic Information:
a. Full name, other names (if any);
b. Date of birth;
c. Gender;
d. Place of birth, place of birth registration, permanent residence, temporary residence, current residence, hometown, contact address;
e. Nationality;
f. Individual’s image;
g. Phone number, ID card number, personal identification number, passport number, driver's license number, vehicle registration number, personal tax code, social insurance number, health insurance card number;
h. Marital status;
i. Family relationship information (parents, children);
j. Information about the individual's account number; data reflecting online activity and history;
k. Other information associated with a specific individual or helping to identify a specific individual not classified as sensitive personal data in clause 1.2 of this Article.

2.2.2. Sensitive Information:
a. Political views, religious beliefs;
b. Health status and private life recorded in medical records, excluding blood group information;
c. Information related to racial or ethnic origin;
d. Information about inherited or acquired genetic characteristics;
e. Information about physical attributes or unique biological features of the individual;
f. Information about the individual's sexual life and orientation;
g. Criminal data and violations collected and stored by law enforcement agencies;
h. Location data of individuals determined through location services;
i. Other personal data as prescribed by law requiring specific and necessary security measures.

2.3. IQ8 will notify Individuals of the mandatory or optional personal data required at the time of contact, exchange, or contract signing with IQ8. Mandatory personal data is understood as the data IQ8 needs to collect from Individuals as prescribed by law or essential data to serve part or all of the tasks to establish transactional relationships between IQ8 and the Individual.

2.4. If the mandatory personal data is not provided as required by IQ8, the Individual will not be able to carry out part or all of the tasks to establish a transactional relationship with IQ8. In this case, IQ8 may refuse to establish a transactional relationship with the Individual without bearing any compensation and/or penalty (except for cases caused by IQ8’s fault).

2.5. At any time, Individuals may voluntarily provide IQ8 with personal data beyond IQ8’s requirements. Providing such data means the Individual allows IQ8 to process their data for the purposes stated in this Policy or specified at the time the Customer provides such data. Additionally, when voluntarily providing information beyond IQ8's requirements, Individuals should not provide sensitive personal data as prescribed by law at any given time. IQ8 will not process and will not bear any legal responsibility for sensitive personal data voluntarily provided by Individuals beyond IQ8’s requirements.

ARTICLE 3: PURPOSES OF COLLECTING, STORING, AND USING PERSONAL INFORMATION

Except as specified in Article 14 of this Policy, IQ8 must notify and obtain consent from Individuals before processing their personal data. The personal data collected, updated, and supplemented must be appropriate and limited to the necessary scope and purposes specified in this Policy. Customers' personal data will only be processed for one or more of the following purposes ("Purposes"):

3.1. Determine that Employees are eligible for civil capacity to apply, negotiate, sign, and perform labor contracts;
3.2. Manage personnel, administration; sign and perform labor contracts in accordance with relevant legal regulations;
3.3. Implement policies/procedures to maintain and develop employees' capabilities/motivation to meet the company's operational needs;
3.4. Sign and perform contracts, agreements, documents with partners, service providers, or other entities;
3.5. Perform tasks and procedures for the benefit of Individuals;
3.6. Store records, statistics, manage, report;
3.7. Serve tax, accounting, auditing, risk control, and internal control requirements;
3.8. Resolve complaints and disputes;
3.9. Apply for licenses and procedures as prescribed by law and requests from competent authorities;
3.10. Verify the accuracy and completeness of the information provided by Customers; identify or authenticate Customers' identity and perform authentication processes;
3.11. Appraise records and eligibility of Customers for establishing transactions with IQ8. IQ8 may use scoring methods, and check the transaction history of Customers with IQ8 to assess and manage credit risk, ensuring payment ability and related obligations during the transaction process between IQ8 and Customers;
3.12. Manage and evaluate business activities including designing, improving, and enhancing the quality of IQ8's business activities, or conducting marketing communications; conduct market research, surveys, and data analysis related to IQ8's products and services; research and develop new products, services, and supply models to meet Customer needs;
3.13. Provide services to Customers, contact Customers to consult, exchange information, resolve requests, complaints, deliver invoices, statements, reports, or other documents related to IQ8's products and services through various channels (e.g., email, chat) and respond to Customers' requests. Contact Customers (or parties designated or requested by Customers) to notify them of transaction-related information.
3.14. Advertise and market based on Customers' transaction history: IQ8 may use personal data to advertise and market to Customers about promotional programs, research, surveys, news, updates, events, contests, related rewards, and related advertisements and content about IQ8's products and services or those of IQ8's partners.
3.15. If Customers do not wish to receive emails, messages, and/or periodic newsletters for IQ8's advertising and marketing purposes with frequency depending on IQ8's policy from time to time and in accordance with the law, Customers can opt-out as instructed by IQ8;
3.16. Prepare financial reports, activity reports, or other related reports as prescribed by law;
3.17. Comply with legal obligations as prescribed by law;
3.18. Prevent fraud or reduce threats to the lives, health of others, and public interest: IQ8 may use Customers' personal information to prevent and detect fraud and abuse to protect Customers, IQ8, and related entities;
3.19. Internal management;
3.20. IQ8 does not engage in the buying or selling of personal data in any form.

ARTICLE 4: ORGANIZATIONS AND INDIVIDUALS AUTHORIZED TO COLLECT, MANAGE, AND USE PERSONAL INFORMATION

Individuals agree that the collection, management, and use of their personal information provided will be carried out by (i) IQ8; and/or (ii) other organizations or individuals cooperating/associated with IQ8 to use this information to support IQ8's business activities.

ARTICLE 5: METHODS OF COLLECTING, STORING, AND USING PERSONAL INFORMATION

IQ8 applies one or more activities affecting personal data including but not limited to collecting, recording, confirming, storing, modifying, combining, accessing, retrieving, recovering, encrypting, decrypting, copying, sharing, transmitting, providing, transferring using cyberspace, devices, electronic means, or other forms to transfer personal information domestically and/or internationally, deleting, destroying, and other related actions.

ARTICLE 6: START AND END TIME OF COLLECTING, STORING, AND USING PERSONAL INFORMATION

6.1. Data Processing Start Time
From the time the Purposes specified in Article 3 of this Policy arise.

6.2. Data Processing End Time
IQ8 ceases processing personal data when the Purposes specified in this Policy are completed, except as otherwise prescribed by law or when the Individual withdraws consent for data processing, or when a competent state agency requests in writing.

The withdrawal of consent by Individuals in this case does not affect the legality of the collection, storage, and use of personal information provided to IQ8 prior to that time.

ARTICLE 7: SHARING PERSONAL DATA

Except as specified in Article 14 of this Policy, IQ8 must obtain consent from Individuals when sharing personal data of Employees, related persons of IQ8, Customers to the organizations and individuals listed below to carry out the Purposes specified in this Policy, specifically:

In addition to the Company, personal data provided may be processed by the following organizations and individuals in accordance with the purposes agreed upon by the Data Subject:
7.1. IQ8 affiliates, including parties directly or indirectly involved in the management, control, capital contribution, or investment in IQ8, and parties that, along with IQ8, are managed (directly or indirectly), controlled, invested in by a third party. Examples include parent companies and subsidiaries of IQ8;
7.2. Third-party service providers or partners in business cooperation contracts (with or without profit-sharing): IQ8 utilizes and/or cooperates with other companies and individuals to perform certain tasks, use services, and/or implement programs, including but not limited to services, welfare regimes for Employees, related persons, promotional programs for Customers, market research, product analysis and development, strategic consulting, providing fee collection services. These third-party service providers and/or partners have the right to access, collect, use, and process Customers' personal data within the scope permitted by IQ8 to perform their functions and must comply with legal regulations on personal data protection as Data Processors;
Third parties have signed confidentiality agreements with IQ8 or must comply with professional confidentiality obligations, such as financial consultants, auditing firms, legal consultants, and management consultants.

7.3. Business restructuring: In the course of business development, IQ8 may sell or buy businesses or restructure businesses in accordance with the law and business needs. In such transactions, personal data will be transferred, and the transferee must still comply with the provisions of this Policy;
7.4. IQ8 may disclose personal data as required by law or upon request by competent state regulatory agencies;
7.5. IQ8 may disclose personal data to companies providing electronic invoice software, social insurance software to serve the issuance of invoices, invoice declaration, and performance of obligations related to social insurance as prescribed by law.

ARTICLE 8: RIGHTS AND OBLIGATIONS OF INDIVIDUALS PROVIDING DATA

8.1. Rights of Individuals providing data

8.1.1. Right to Know and Right to Consent
With this Policy, IQ8 notifies Individuals of the personal data processing activities before implementing the data processing. At the same time, Individuals have the right to agree or disagree with the terms and conditions of this Policy as instructed by IQ8 through channels, means such as email, SMS messages, calls, or contact with IQ8's customer service hotline. IQ8 only processes personal data with Customer consent.

8.1.2. Right to Access and Request Personal Data
Individuals have the right to directly contact IQ8 to view and extract the personal data they have provided to IQ8 to serve the Purposes specified in this Policy.

8.1.3. Right to Amend
Individuals have the right to amend their personal data provided that the amendment does not violate legal regulations. If Individuals cannot amend or face difficulties in amending their personal data, Customers can contact IQ8 for assistance.

8.1.4. Right to Object, Restrict, Withdraw Consent for Data Processing
a. Individuals have the right to object, request to restrict data processing, or withdraw consent for data processing. However, objecting, restricting, or withdrawing consent for data processing may result in IQ8 being unable to transact with Individuals, meaning IQ8 may unilaterally terminate the contract without compensation to the Individual due to changed conditions for contract performance (except for cases caused by IQ8’s fault). Therefore, IQ8 recommends Individuals carefully consider before objecting, restricting, or withdrawing consent for data processing.
b. If Individuals wish to limit receiving marketing and promotional content from IQ8 and wish to withdraw previous consent (if any) and/or object to the continued use of their personal information for related purposes specified in Article 3 of this Policy, Individuals are requested to follow IQ8's instructions at the time of personal data collection or contact IQ8 using the information provided in this Policy.

8.1.5. Right to Delete Personal Data
Individuals have the right to request IQ8 to delete their personal data provided the request complies with legal regulations. However, requesting to delete personal data may result in IQ8 being unable to transact with Individuals, meaning IQ8 may unilaterally terminate the contract without compensation to the Individual due to changed conditions for contract performance (except for cases caused by IQ8’s fault). Therefore, IQ8 recommends Individuals carefully consider before requesting IQ8 to delete personal data.

8.1.6. Right to Complain, Denounce, Sue
Individuals have the right to complain, denounce, or sue as prescribed by law.

8.1.7. Right to Claim Compensation for Damages
Individuals have the right to claim compensation from IQ8 for damages as prescribed by law when a violation of personal data protection regulations occurs, provided the following conditions are met:

• There is a violation of personal data protection law by IQ8;
• The above violation leads to actual damage to Individuals;
• Individuals have fully performed their obligations regarding personal data protection as prescribed by law, this Policy, and other agreements between IQ8 and Individuals.

8.1.8. Right to Self-Protection
Individuals have the right to self-protection as prescribed by the Civil Code, other relevant laws, and Decree 13/2023/NĐ-CP on personal data protection (and accompanying amendments), or request competent authorities to implement civil rights protection measures as prescribed in Article 11 of the Civil Code.

8.2. Obligations of Individuals
8.2.1. Proactively implement measures to protect, manage, and safely use accounts and personal technology devices (including devices such as smartphones, computers, tablets, laptops) by logging out of accounts after use, setting strong and hard-to-guess passwords, and keeping login information and passwords confidential. These safety measures help prevent unauthorized access to accounts. IQ8 is exempt from liability for Individuals' damages in cases where passwords are lost/stolen, leading to unauthorized account access, or any activities on the account using lost/stolen devices, or if IQ8's system is illegally breached by third parties despite IQ8 having taken all measures to protect the system;

8.2.2. Upon agreeing to all terms and conditions of this Policy, Individuals are responsible for providing full and accurate personal data as required by IQ8 and must notify IQ8 immediately upon detecting any violations of personal data protection regulations. Individuals may voluntarily provide personal data beyond IQ8's requirements, provided they comply with Article 2 of this Policy;

8.2.3. Individuals are responsible for respecting the personal data of other subjects and adhering to personal data protection laws, participating in preventing violations of personal data protection regulations.

ARTICLE 9: COMMITMENTS REGARDING COLLECTION, STORAGE, AND USE OF PERSONAL INFORMATION

9.1. IQ8 will protect the personal information provided by Individuals following Vietnamese law; fully comply with the personal data protection and processing policy and other contracts, agreements, and documents established with Individuals.

9.2. IQ8 collects, stores, and uses personal information provided by Individuals for specific, clear, lawful purposes within the scope of the purposes stated in the personal data protection and processing regulations, this document, and in accordance with Vietnamese law.

9.3. Location of Personal Data Storage
Within the legal framework, IQ8 may store Customers' personal data in Vietnam and abroad, including on cloud storage solutions. IQ8 applies data security standards in accordance with current legal regulations.

9.4. Duration of Personal Data Storage
IQ8 only stores Individuals' personal data for an appropriate period to complete the Purposes specified in this Policy. However, if current law prescribes a different personal data storage period, IQ8 is obliged to comply with the law.

ARTICLE 10: IQ8’S OBLIGATIONS

10.1. Individuals' personal data is committed to being protected according to legal regulations, IQ8's personal data protection policy.

10.2. IQ8 strives to ensure Individuals' personal data is protected from violations of personal data protection regulations and loss, destruction, or harm due to incidents, using technical measures. IQ8 maintains personal data security commitments by applying physical, electronic, and managerial measures to protect personal data, including:
a. IQ8's official website servers and information systems containing personal data are protected by security measures, such as firewalls, encryption, anti-intrusion; establishing human control measures, procedures for inspection, evaluation, review to prevent violations of personal data protection regulations.
b. IQ8 will take all appropriate measures to ensure that Customers' personal data is processed correctly for the notified Purposes. IQ8 will always comply with legal requirements related to personal data storage.

10.3. Fulfill Individuals' requests related to their personal data, provided the requests comply with legal regulations.

10.4. Other obligations as prescribed by law and this Policy.

ARTICLE 11: TRANSFER OF DATA TO THIRD PARTIES

In cases where personal data is transferred by IQ8 to other third parties, including but not limited to service providers to achieve the approved purposes in this policy, to ensure that information confidentiality and personal data processing obligations are fully implemented according to the provisions in the personal data protection and processing policy, IQ8 must perform the following tasks:

11.1 Ensure all service providers sign a confidentiality agreement before starting cooperation. This agreement must detail confidentiality and personal data processing obligations.
11.2 Regularly review and update the confidentiality agreement to comply with changes in legal regulations and IQ8's personal data protection policy.
11.3 Provide the service provider with a copy of IQ8's personal data protection policy, along with specific instructions and requirements on data confidentiality.
11.4 Provide training (if necessary) to service providers on personal data protection requirements and necessary protective measures.
11.5 Conduct periodic inspections and evaluations to ensure service providers comply with information confidentiality and personal data processing obligations.

11.6. Require the service provider to send reports on the implementation of data protection measures and information processing when necessary.
11.7. Establish a procedure for handling discovered violations of personal data protection regulations. This includes notifying the service provider, requesting corrective measures, and taking necessary actions to prevent further violations.
11.8. Propose and monitor the implementation of corrective measures for violations, including adjusting security procedures and retraining if necessary.
11.9. Provide a mechanism for the data subject to file complaints or requests related to personal data protection and handle these requests promptly and fairly.
11.10. Ensure notification to the data subject of their rights and closely coordinate with relevant authorities if necessary to protect their rights.

In addition to the above tasks, IQ8 may apply any measures or actions within the legal framework to ensure that service providers fully comply with information confidentiality obligations and personal data processing regulations, while effectively protecting personal data and adhering to the law.

ARTICLE 12: POTENTIAL UNWANTED CONSEQUENCES AND DAMAGES

12.1. IQ8 uses various information security measures and technologies to protect Individuals' personal data from unintended use or sharing. IQ8 commits to maximum confidentiality of Individuals' personal data. Some potential unwanted consequences and damages include:
a. Hardware or software errors during personal data processing causing unintended effects (errors, damage, loss) to Individuals' personal data;
b. Security vulnerabilities beyond IQ8's control, with the system being hacked leading to personal data leaks;
c. Customers themselves leaking their personal data due to: carelessness or fraud; accessing websites/downloading applications containing malware; voluntarily sharing information with others.

12.2. IQ8 advises Individuals to strictly implement responsibilities for personal data protection as provided in Article 8 of this Policy and according to the law.

12.3. In the event of hardware or software errors during personal data processing as specified in Point a, Clause 1 of this Article, IQ8 is responsible for compensating direct damages to Individuals according to the contract, general terms, and law. In the event that data storage servers are hacked leading to the loss of Individuals' personal data or Individuals themselves leaking personal data as specified in Points b and c, Clause 1 of this Article, IQ8 is responsible for notifying the competent authorities for timely investigation and handling and informing Individuals.

ARTICLE 13: INTERNET ADVERTISING AND THIRD PARTIES

If IQ8's websites/applications may include third-party advertisements and links to other websites/applications. Third-party advertising partners may collect information about Individuals when they interact with their content, advertisements, or services. Any access and use of third-party links or websites are not governed by this Policy but are instead governed by the privacy policies of those third parties. IQ8 is not responsible for the content in the privacy policies of these third parties.

ARTICLE 14: PERSONAL DATA PROCESSING WITHOUT THE CONSENT OF THE DATA SUBJECT

IQ8 may process personal data without the data subject's consent in the following cases:
14.1. In emergencies, where immediate processing of personal data is necessary to protect the life, health of the data subject, or others;
14.2. Disclosure of personal data as required by law;
14.3. Data processing by competent state agencies in cases of national defense, national security, social order and safety emergencies, major disasters, dangerous epidemics; when there are threats to security, defense but not yet to the extent of declaring a state of emergency; prevention, combating riots, terrorism, crime, and law violations as prescribed by law;
14.4. To fulfill contractual obligations of the data subject with relevant agencies, organizations, individuals as prescribed by law;
14.5. To serve the activities of state agencies as prescribed by specialized laws.

ARTICLE 15: CONTACT INFORMATION

If Individuals have any questions about this Policy or wish to exercise their rights related to personal data, please contact IQ8 through the following methods and information:
15.1.  Send a written document to the following address:
Idemitsu Q8 Petroleum Limited Liability Company
Address: Room CP2.08.03, 8th Floor, Tower 2, Capital Place Building, No. 29 Lieu Giai, Ngoc Khanh Ward, Ba Dinh District, Hanoi, Vietnam
Phone: 024 3633 2082
15.2. Other contact methods such as customer care email provided to Customers at all times./