CUSTOMER PERSONAL DATA PROTECTION POLICY NOTICE

The Customer must ensure the accuracy and legality of the Personal Data. We are not responsible for and will not handle any complaints or claims relating to the Customer's rights and benefits in the event that the data provided by the Customer is inaccurate.

We use cameras and other similar technologies (collectively, cameras) to identify persons and vehicles entering and exiting business establishments and areas under Our management.

We may collect Personal Data from other sources including service providers, partners, relevant third parties and publicly available sources.

If the Customer provides Us with Personal Data of a third party, the Customer must ensure that he/she has obtained the permission, consent, approval or confirmation of that third party as required by law, and must explain to and ensure that such person understands how We will use his/her personal data. The Customer shall bear all responsibility and costs, losses (if any) arising from the act of providing such data, including but not limited to the resolution of disputes, complaints and claims by such third party against the Customer and Us; and shall indemnify Us for any direct and/or indirect damages relating to the above-mentioned complaints/claims/disputes.

If the Customer is under 16 years old, the Customer must ensure that the consent of his/her father, mother, guardian or legal representative as prescribed by law has been obtained before providing Personal Data to Us. The Customer's father, mother, guardian or legal representative shall be bound by this Notice and responsible for the Customer's acts. We reserve the right to refuse to provide Services to the Customer in the event there are grounds to believe the Customer is under 16 years old and has not obtained the consent of his/her father, mother, guardian or representative on this matter.

Providing and delivering products, goods, services and processing transactions relating to products, goods and services, including but not limited to registration, purchase, participation in advertising and promotional programs, and payment.

Managing and operating the Program: identifying members across the entire system, recording transactions at member and partner companies to calculate point accumulation, reviewing tier upgrades, withdrawing card tiers and providing corresponding priority privileges.

Measuring usage, analysing performance, fixing errors, providing support, improving and developing products, goods and services.

Proposing, advertising and sending information relating to products, goods and services that the Customer may be interested in, recognising preferences and personalising the Customer's experience with the products, goods and services.

Managing the content, promotion programs, surveys or other features of the electronic information sites, applications, devices or survey platforms.

Sending communications regarding the Customer's account management and the features of the electronic information sites, applications or devices.

Sending the Customer information related to transactions and needs of the Customer as prescribed by law.

Cases where it is required by competent State Authorities or compulsorily required to be provided under the law.

Verifying the identity of the account holder (if necessary) to ensure lawful and safe transactions.

Contacting the Customer regarding issues that may arise (if any) in connection with the products, goods and services.

Marketing and promoting products, services and goods in accordance with the law, including displaying advertising based on the Customer's interests.

Confirming technical and Personal Data security information of the Customer.

Inspecting, verifying, detecting, preventing and protecting against fraud, identity theft or other unlawful activities.

To establish and enforce lawful rights or to resolve and handle complaints of the Customer in order to improve the quality of goods and services; to protect Our lawful rights and interests; to provide to competent units and State Authorities (upon request) to serve investigation, inspection, examination, consultancy and audit processes.

Footage and images from surveillance cameras (which may use AI and other technologies) may, in specific cases, also be used for the following purposes: (i) for quality assurance purposes; (ii) for public security and labour safety purposes; (iii) detecting and preventing suspicious, inappropriate or unauthorised use of Our facilities, products, services and/or premises; (iv) detecting and preventing criminal conduct; and/or (v) conducting investigation of incidents at the request of State Authorities.

The purposes set out in Section 5 of this Notice.

Other reasonable purposes for the benefit of the Customer.

Any other purpose dedicated to Our business operations.

The notification to the Customer of the purpose and scope of collection, use and processing of personal data shall be performed in any other manner notified by Us to the Customer at the time of collection of the Customer's Personal Data, or before commencement of the relevant processing, or as otherwise required or permitted by applicable law.

The Customer's Personal Data will be kept confidential and stored on the server of the electronic information site or Our data storage system until there is a request for deletion or destruction of the data from the Customer or as required by law.

In the event that the Customer requests data deletion or withdraws consent to participate in the Program, all accumulated reward points and unused card tier privileges shall be automatically cancelled. The member's data shall be deleted from the common system, but may still be locally retained at each company for the purpose of compliance with specialised law (such as the Law on Accounting, the Law on Civil Aviation, the Law on Real Estate Business) in accordance with point (e) of Section 4.2 above.

In accordance with the provisions of Section 3 of this Notice.

We provide the Customer with services, software and content provided by third parties for use or through the products, goods and services.

We use and/or cooperate with other organisations and individuals to carry out certain tasks and programs, such as preferential programs, cross-selling, etc., for the Customer. To ensure a seamless experience for the Customer, personal data shall be transferred, synchronised and shared internally among SUN SIGNATURE LIMITED LIABILITY COMPANY and its member companies and ecosystem partners (the list of such Companies is regularly updated at the general terms and conditions of the Program).

In the course of service provision (in particular in the aviation sector), the Customer's data may be transferred out of the territory of Vietnam to be stored on global distribution systems or cloud computing infrastructure. We undertake that any such data transfer activity will comply with the impact assessment conditions and security standards prescribed by law.

These third parties providing services have the right to access necessary personal data and/or are shared or transferred personal data by Us to perform their functions under their agreement with Us, but may not use it for any other purposes.

In the course of business development, We may sell or buy businesses, restructure businesses, sell or buy services, or sell or buy part of Our assets or business lines in accordance with the law. In such transactions, Personal Data may be transferred along with them, but the receiving party must continue to comply with the provisions of this Notice, or such transfer must be approved by the Customer if it differs from the provisions of this Notice.

We disclose Personal Data when We believe it is appropriate to comply with the law, to enforce or apply Our other terms and agreements, or to protect the rights, property or security of Ours, Our customers, or any other person. The above-mentioned activities may include the exchange of data with other companies and organisations to prevent and detect fraud and to reduce property and credit risks.

In addition to the above provisions, the Customer shall be notified when Personal Data about the Customer may be shared with third parties, and the Customer shall have the right to refuse or to withdraw consent for the sharing and transfer of data, except in cases that do not require consent in accordance with the law.

All partners receiving the data are bound by contracts/non-disclosure agreements and may only use the data for the purposes designated/agreed to by Us.

We undertake to use the Customer's Personal Data strictly in accordance with the provisions of this Notice.

We undertake to use appropriate managerial and technical measures to store and protect the data that We store and collect, and to comply with the standards and technical regulations on cyber data safety. In the event that the data is attacked by hackers leading to the destruction, disclosure or alteration of the Customer's Personal Data, We shall be responsible for promptly notifying the matter to the competent authorities for timely investigation and handling, and informing the Customer.

The Customer's bank account and payment card data issued by financial institutions are protected by Us in accordance with international standards, on the principle of not recording important payment card data (card number, full name, CVV number) on Our systems. The Customer's payment transactions are executed on the system of the relevant bank.

However, We also note to the Customer that the Internet is not an absolutely safe environment and We cannot absolutely guarantee that the Customer's Personal Data shared via the Internet will always be secure. When the Customer uses the Internet to transmit Personal Data, the Customer should only use safe systems to access the electronic information sites, applications or devices. The Customer is responsible for keeping his/her access credentials for each electronic information site, application and device safe and confidential. The Customer must immediately notify Us if he/she detects any misuse of login data and change the access password immediately.

The Customer agrees to release Us from liability in the event of force majeure events (if any) occurring beyond Our control which affect or cause loss of the Customer's Personal Data.

We undertake not to sell, share or exchange the Customer's Personal Data with any third party for commercial purposes without the express consent of the Customer. Any sharing or provision of information (if any) shall only be carried out strictly in accordance with the purposes set out in this Notice, or at the mandatory request of competent State Authorities in accordance with the law.

The Customer has all the rights of a personal data subject in accordance with the law in respect of his/her Personal Data.

Our electronic information sites and applications may include functionality that allows the Customer to choose how his/her data is being used. The Customer may choose not to provide Personal Data or not to agree with this Notice, but in that case, the Customer may not be able to use certain features of the electronic information site/application.

In addition to exercising the rights regarding Personal Data that may be pre-established on Our electronic information sites and electronic applications as set out in Section 8.2, for other rights, the Customer may send a request in writing to Our head office address or email address, specifying clearly the request. Upon receipt of the Customer's request, We will contact the Customer and notify the Customer to consider in advance the limitations, consequences and damages that may arise if the Customer's request is implemented, before implementing such request.

During the use of services, if the Customer has any complaints or reports relating to Personal Data being used for incorrect purposes, or any signs of violation of confidentiality regulations, the Customer is kindly requested to contact Us directly via the Hotline or Email set out in Section 8.6. Immediately upon receipt of the information, We will conduct verification and respond to the Customer at the earliest time, endeavouring to provide a resolution within forty-eight (48) working hours. We apply appropriate technical and managerial measures to prevent risks and to protect the lawful interests of the Customer, and closely coordinate with competent authorities when necessary to resolve the matter.

Comply with the provisions of the law, Our regulations and guidance in relation to his/her Personal Data.

Be personally responsible for the data and consents that he/she creates and provides on the network environment; be personally responsible in the event that Personal Data is leaked or infringed due to his/her own fault.

Provide his/her Personal Data fully and accurately in accordance with the law, the contract or when consenting to allow the processing of his/her Personal Data.

Comply with the provisions of the law on Personal Data protection and participate in preventing and combatting acts of infringement of Personal Data.

Potential undesired consequences: Personal Data may be disclosed to another subject without the Customer's consent; or a third party may access Personal Data and use it for other purposes without the Customer's consent.

Potential undesired damages: loss of property, or infringement of the Customer's honour and reputation.

Other consequences and damages that We cannot foresee due to objective causes.

By performing an action expressing consent on Our electronic information sites, electronic applications or devices, the Customer acknowledges that he/she has been clearly informed of and agrees with the entire content of this Notice. In the event that the Customer does not accept the terms, or withdraws consent in respect of the processing of the Customer's Personal Data for the purposes set out in this Notice, such withdrawal of consent may cause the provision of products, services, goods, and the features on Our electronic information sites, applications or devices to be limited, restricted, suspended, cancelled, prevented or prohibited, as the case may be. In this case, the Customer acknowledges that (i) he/she shall be personally responsible for any loss or damage arising from or relating to this decision of the Customer (including the loss of all Program member privileges); (ii) the Personal Data that has been processed prior to the time of consent withdrawal shall not be affected; (iii) the Customer shall defend and hold Us harmless from any disputes, complaints and damages relating to this decision; (iv) Our lawful rights shall be expressly reserved in respect of such limitation, restriction, suspension, cancellation, prevention or prohibition.

We reserve the right to change, amend, supplement or update this Notice at any time as necessary, and such changes will be dated so that the Customer can identify the latest version. The updated version shall be published on Our electronic information sites and/or by other communication means that We deem appropriate. We recommend that the Customer regularly monitor this Notice to be updated on changes regarding the manner in which We are protecting the Customer's Personal Data. The Customer's continued use of the electronic information sites, applications or devices shall be deemed to constitute continued use of Our services, goods and products and acceptance of this Notice together with relevant amendments and supplements.

This Notice shall be construed and governed by the laws of Vietnam.

If the Customer has any complaints relating to the collection, use or processing of Personal Data, the Customer is kindly requested to contact Us to discuss and resolve the matter on the basis of good faith and mutual respect for the rights and interests of both parties. If, within three (03) months from the date on which the Customer requests negotiation to resolve the dispute, or within a reasonably shorter period to promptly protect the Customer's Personal Data, the two parties have not reached an agreement, the Customer shall have the right to request a competent Court in Vietnam to settle the dispute.