Privacy Policy

PRIVACY POLICY (SECURITY POLICY) Effective date: 01/01/2026 Last updated: 01/02/2026 This Privacy Policy ("Policy") is issued by Fintech AI Joint Stock Company (FinAlpha) to provide transparent, easy-to-understand information about how we collect, process, store, share, and protect the personal data of Users when accessing our website, using our products/services, participating in events/marketing, applying for jobs, or working with us under contract. This Policy is an integral part of our Terms of Service. By accessing and using the Service, you confirm that you have read and understood this Policy. If you do not agree, please stop using the Service. Key terms used in this Policy: • "Personal data" means information in the form of symbols, letters, numbers, images, sounds, or similar, in electronic form, associated with a specific person or helping to identify a specific person, including: basic personal data and sensitive personal data. • "Basic personal data" includes: full name, date of birth, gender, nationality, address, phone number, email, ID/CCCD/passport number, marital status, profile photo. • "Sensitive personal data" includes: biometric data (facial recognition, fingerprint), financial data (bank account, transaction history, balance), health data (if collected for verification), precise location data, social media account login data, data of minors, other sensitive information as defined by law. • "Processing" means any operation on personal data such as: collecting, recording, analyzing, storing, modifying, disclosing, combining, accessing, retrieving, encrypting, decrypting, copying, sharing, transmitting, providing, transferring, deleting, destroying, or other related actions. 1. Data we collect 1.1. Data you provide directly: Registration information (name, email, phone, ID/CCCD); KYC/KYB verification (biometric photo/selfie, ID documents, business registration); financial information (bank account, linked brokerage); and contact/feedback information (messages, calls, emails, survey responses). 1.2. Data collected automatically: Device information (IP, device type, OS, browser, device ID); usage data (pages visited, features used, session time, click patterns); technical logs (API calls, error logs, system events); cookies and similar technologies (session, preferences, analytics, advertising); and location (approximate via IP or precise if permitted). 1.3. Data from third parties: Social login (Google, Facebook, Apple); payment/banking partners (transaction confirmation, verification results); identity verification partners (biometric matching results, document verification); and advertising/analytics partners (demographic, interest data, per privacy controls). 2. Purpose of processing We process personal data for the following purposes: • Service provision: Account creation, user authentication, service delivery, customer support • Identity verification: KYC/KYB compliance, fraud prevention, AML/CFT obligations • Payment processing: Subscription billing, refunds, invoicing, financial reconciliation • Service improvement: Analytics, A/B testing, user experience optimization, feature development • Communication: Service notifications, security alerts, marketing (with consent), policy updates • Legal compliance: Regulatory reporting, audit requirements, dispute resolution, law enforcement cooperation • Security: Fraud detection, system protection, vulnerability assessment, incident response 3. Legal basis for processing We process personal data based on one or more of the following legal grounds: your consent (explicit or implied through service usage); performance of a contract; compliance with legal obligations (tax, AML, KYC/KYB, data reporting); and legitimate interests (security, fraud prevention, service improvement) balanced against your rights. 4. Data sharing and disclosure 4.1. Categories of recipients: Service providers (cloud hosting, payment processing, email delivery); identity verification providers; analytics and marketing tools; legal and financial advisors; and government/regulatory authorities (upon lawful request). 4.2. We do NOT sell personal data to third parties for advertising. We do NOT share sensitive data (biometrics, financial details) except for verification purposes with specialized providers under strict confidentiality agreements. 4.3. Cross-border transfer: Some data may be processed outside Vietnam (e.g., cloud servers, SaaS tools). In such cases, we ensure appropriate safeguards through contractual agreements and security measures in compliance with Vietnamese law. 5. Data security 5.1. Technical measures: Data encryption in transit (TLS 1.2+) and at rest (AES-256); multi-factor authentication for internal systems; regular vulnerability scanning and penetration testing; access control and role-based permissions; real-time monitoring and intrusion detection; and automated backup systems. 5.2. Organizational measures: Security awareness training for all staff; background checks for personnel with data access; data handling and classification policies; incident response procedures and business continuity planning; regular compliance and security audits; and privacy-by-design approach. 5.3. Incident response: In the event of a personal data breach, we will: assess scope and severity within 24 hours; notify affected users within 72 hours (or as required by law); report to authorities as legally required; implement remedial measures; and document the incident and review procedures. 6. Data retention We retain personal data for as long as necessary for the stated purposes, subject to legal requirements: • Active accounts: Data retained while account is active plus 3 years after deletion • KYC/KYB records: Minimum 5 years after account closure (as required by AML regulations) • Transaction records: Minimum 10 years (as required by tax and financial regulations) • Marketing data: Until consent withdrawal plus reasonable processing period • System logs: 12 months rolling retention • Backup data: Retained for maximum 90 days after primary data deletion After the retention period, data is permanently deleted or anonymized. 7. Your rights Under Vietnamese data protection law and our commitment to transparency, you have the following rights: • Right to be informed: Know what data we collect, why, and how it is used • Right of access: Request a copy of your personal data held by us • Right to rectification: Request correction of inaccurate or incomplete data • Right to deletion: Request removal of your data (subject to legal obligations) • Right to restrict processing: Request limitation of data processing • Right to data portability: Receive your data in a commonly used, machine-readable format • Right to withdraw consent: Withdraw previously given consent at any time • Right to object: Object to processing based on legitimate interests • Right to complain: File a complaint with the competent data protection authority To exercise these rights, contact us at: privacy@finalpha.ai. We will respond within 30 days. 8. Cookies and similar technologies 8.1. Types of cookies we use: Essential cookies (required for site operation, cannot be disabled); functional cookies (remember preferences, improve experience); analytics cookies (usage statistics via Google Analytics, Vercel Analytics); and marketing cookies (ad personalization, social media integration). 8.2. Cookie management: You can manage cookies through browser settings. Disabling non-essential cookies may affect certain features. 8.3. We honor Do Not Track (DNT) signals where technically feasible. 9. Children's privacy Our services are not intended for persons under 18 years of age. We do not knowingly collect personal data from children. If we discover data from a minor, we will delete it promptly and take measures to prevent further collection. 10. Changes to this Policy We may update this Policy periodically. Material changes will be notified via email or in-app notification at least 14 days before taking effect. Continued use of the Service after changes constitutes acceptance of the updated Policy. 11. Contact For privacy-related inquiries or to exercise your data rights: • Email: privacy@finalpha.ai • Data Protection Officer: legal@finalpha.ai • Address: Da Nang City, Vietnam • Hotline: 0967915569 We are committed to responding to all privacy requests within 30 business days.