This Privacy Policy describes how Go Pass Vietnam collects, uses, and protects your personal data in compliance with Vietnam's Law on Personal Data Protection (PDPL) No. 91/2025/QH15, Decree 356/2025/ND-CP, and the Cybersecurity Law No. 116/2025/QH15.
1. Data Controller
Go Pass Vietnam (GPV) is the data controller for your personal data. You can contact us at: support@gopassvietnam.com. We are a company registered in Vietnam and comply with the Law on Personal Data Protection (PDPL) No. 91/2025/QH15.
2. Personal Data We Collect
We collect the following categories of personal data:
• Identity data: full name, email address, phone number
• Account data: username, password (encrypted), role (member/merchant)
• Usage data: QR scans, discount redemptions, merchant visits
• Technical data: IP address, device type, browser information
• Location data (sensitive): GPS coordinates when you use the nearby merchant feature
3. Purposes of Processing
Your data is processed for the following purposes:
• To create and manage your account
• To provide discount passes and merchant recommendations
• To display nearby merchants based on your location (with explicit consent)
• To communicate important updates about your subscription
• To improve our services through analytics
• To comply with legal obligations under Vietnamese law
4. Legal Basis for Processing
We process your personal data based on:
• Your explicit consent (Art. 5 PDPL) — obtained at account creation
• Contractual necessity — to provide our discount pass service
• Legal obligation — to comply with Vietnamese laws
• Your separate explicit consent — for geolocation data (sensitive data under Art. 2 PDPL)
5. Data Retention
We retain your personal data only as long as necessary:
• Account data: until you delete your account or withdraw consent
• Usage data: 24 months for analytics purposes
• Location data: not stored — processed in real-time only
• Transaction data: 5 years (tax/legal obligations)
After the retention period, your data is securely deleted or anonymized.
6. Your Rights (PDPL Art. 9-17)
Under the PDPL, you have the following rights:
• Right to be informed — you are reading this notice
• Right to access — request a copy of your data
• Right to rectification — correct inaccurate data
• Right to deletion — request deletion of your data
• Right to restrict processing — limit how we use your data
• Right to data portability — receive your data in a structured format
• Right to object — object to marketing or profiling
• Right to withdraw consent — at any time, without affecting the lawfulness of prior processing
To exercise these rights, go to your Profile page or contact us at support@gopassvietnam.com. We will respond within 2 business days as required by law.
7. Geolocation (Sensitive Data)
Your GPS location is classified as sensitive personal data under Art. 2 PDPL. We only collect it when:
• You explicitly opt-in via the location permission prompt
• You actively use the "Nearby Merchants" feature
You can withdraw your consent at any time via your device settings or the app settings page.
8. Data Sharing and Transfers
We do not sell your personal data. We may share data with:
• Supabase Inc. (USA) — cloud hosting and authentication
• Stripe Inc. (USA) — payment processing (future)
International data transfers are governed by Standard Contractual Clauses (SCCs) as required by Art. 28 PDPL. A copy of the SCCs is available upon request by contacting us at support@gopassvietnam.com.
9. International Data Transfers (SCCs)
Your personal data may be transferred to and processed in the United States, where our cloud infrastructure providers (Supabase, Stripe) are located.
We have entered into Standard Contractual Clauses (SCCs) with these providers, as approved by the European Commission and recognized by Art. 28 PDPL. These clauses ensure that your data is protected with the same level of protection as required under Vietnamese law.
Specifically:
• Supabase Inc.: SCCs for transfers to the USA, covering all user account data, authentication data, and usage data
• Stripe Inc.: SCCs for payment processing data (when activated)
You have the right to request a copy of the relevant SCCs by contacting us at support@gopassvietnam.com.
10. Data Security
We implement appropriate technical and organizational measures:
• Encryption in transit (TLS 1.3)
• Password hashing via Supabase Auth (bcrypt)
• Row-Level Security (RLS) on all database tables
• Regular security audits
• Access controls — only authenticated users can access their own data
In the event of a data breach, we will notify the competent authority within 72 hours as required by Art. 34 PDPL.
11. Data Subject Requests
You can exercise your PDPL rights by:
1. Using the self-service tools in your Profile page:
• Download your data (JSON export)
• Edit your name and phone number
• Withdraw consent
• Request account deletion
2. Contacting us directly at support@gopassvietnam.com
We will respond to your request within 2 business days as required by law (Decree 356/2025/ND-CP, Art. 18). If we cannot fulfill your request within that timeframe, we will inform you of the reason and the expected resolution date.
For complex requests, we may extend the response time by up to 30 days, with prior notice.
12. Updates to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the app. The latest version will always be available at this URL.
Last updated: June 7, 2026.