Privacy Policy

This Privacy Policy (“Policy”) explains how Inipod Company Limited (“Inipod”, “We”) collects, stores, and processes Customers’ information or data (“Information”, “Data”). This Policy is an integral part of the contracts, agreements, terms, and conditions that govern the relationship between Inipod and Customers.

Customers are deemed to have agreed to provide Information and accept the terms of this Policy when they access, register for, or use the platform and services provided by Inipod. We respect and are committed to safeguarding the privacy of Customers’ Information and using the collected data appropriately in accordance with the law. Therefore, please read the following details to better understand our guidelines and commitments to protecting Customers’ Information.

ARTICLE 1. INTERPRETATION OF TERMS

1.1 “Platform and Platform Services” refer to the Rebean platform packages.

1.2 “Customer” refers to organizations or individuals who wish to access, learn about, register an account, use, or are involved in the process of using the platform and platform services provided by Inipod.

1.3 “Personal data” refers to information in the form of symbols, written words, numbers, images, sounds, or similar electronic formats that are linked to a specific individual or that can be used to identify a specific individual. The personal data mentioned in this Policy refers to any personal data of data subjects obtained by Inipod from Customers, which may include personal data of the Customers themselves or personal data of other subjects that the Customers have lawfully collected and are permitted to transfer or provide to Inipod for the purpose of executing the tasks outlined in the contracts between Inipod and Customers.

1.4 “Data protection” refers to the activities of preventing, detecting, preventing, and handling violations related to the Customer's data in accordance with the law.

1.5 “Data processing” refers to one or more activities that impact the Customer's data, such as: collection, recording, analysis, verification, storage, modification, disclosure, combination, access, retrieval, recovery, encryption, decryption, copying, sharing, transmission, provision, transfer, deletion, destruction of data, or other related actions.

1.6 “Third party” refers to an organization or individual outside of Inipod and Customer, as explained in this Policy.

To gain a clearer understanding, any terms not defined in this Article will be interpreted and applied in accordance with the regulations of Vietnamese law.

ARTICLE 2. PRINCIPLES OF CUSTOMER DATA PRIVACY

2.1 Customer data is committed to being kept confidential to the highest degree in accordance with Inipod's policies and the law. Data processing for each Customer will only be carried out with the Customer's consent, except in exceptional cases as outlined in this Policy and/or other legal provisions.

2.2 Inipod does not use, transfer, provide, or share Customer data with any third party without the Customer's consent, except in exceptional cases as outlined in this Policy and/or other legal provisions.

2.3 Whenever Customer accesses the website rebean.ai provided by Inipod, it means the Customer agrees to the terms set by Inipod in this Policy (including any supplements or amendments made from time to time).

2.4 Inipod's legal obligations and responsibilities regarding the security of Customer Information are complete and effective only when the Customer has fully complied with the principles and provisions of this Policy.

2.5 Inipod will comply with the data protection principles for Customer Information as required by current laws. We employ a range of measures to ensure that Customer information is protected, including encryption and other security methods. We require our employees and any third parties performing work on our behalf to adhere to appropriate standards, including the obligation to protect any Information and implement suitable measures for the transfer of Information.

ARTICLE 3. PURPOSE OF PROCESSING THE CUSTOMER’S DATA

Customer agrees and acknowledges that their data will be processed by Inipod for one or more of the following purposes:

a) Authenticating and identifying the Customer, reviewing and/or processing requests/transactions between Customer and Inipod, evaluating and assessing for contract execution;

b) Supporting the Customer in updating information when registering an account and/or using the platform and platform services provided by Inipod and/or accessing Inipod's platform;

c) Contacting the Customer to exchange, inform, and provide information about the platform and platform services that Inipod is currently offering, selling, marketing, or promoting, whether these platforms or services are existing or will be created in the future, and providing customer care, support, and consultation services (through methods such as phone calls, emails, and other forms of interaction);

d) Researching, analyzing, and developing products, services, and platforms that Inipod is offering to Customers (including data analysis, reporting, building and/or developing platforms and platform services) to improve service quality, enhance Customer experience when using the service, and provide suitable platforms and platform services for Customers;

đ) Maintaining and administering software updates and/or developing new features and products to support hotel management solutions, payment solutions, financial solutions, as well as other utilities integrated on Inipod's platform;

e) Receiving and contacting to respond to inquiries, handle requests, and complaints;

g) Conducting risk control and management, preventing and investigating fraud, illegal activities, omissions, or misconduct, resolving disputes, and performing legal procedures;

h) Issuing invoices and documents as required by law;

i) Protecting or enforcing Inipod’s legal rights and interests, including the right to collect fees, recover, and handle debts owed by the Customer to Inipod;

k) Implementing regulations related to the protection of Inipod’s system security and safeguarding Customer data;

l) Auditing Inipod’s services or business activities;

m) Fulfilling obligations as required by law or at the request of competent state authorities;

n) Fulfilling obligations under the contracts or agreements between Inipod and Customer (if applicable);

o) Pursuing other purposes related to Inipod’s business activities, operations, management, and compliance in accordance with applicable laws from time to time.

Some purposes for collecting, using, disclosing, or processing Customer data may depend on the circumstances at the time of collection and therefore may not appear in the above list. However, Inipod will notify the Customer of these purposes at the time when Customer consent is required, unless data processing is allowed without the data subject's consent in accordance with the law.

ARTICLE 4. TYPES OF DATA COLLECTED AND PROCESSED

In order for Inipod to provide the platform and platform services to the Customer and/or process the Customer's requests and/or achieve the purposes specified in Article 3 of this Policy, Inipod needs to collect and process the Customer's data, including basic personal data, data related to business Customers, and data that may be updated, modified, or supplemented depending on the time and the Customer's relationship with Inipod:

a) Basic personal data of users

Includes information provided by the Customer/User when registering and using an account on the Platform, specifically: full name (including middle name, if any); email address; job title (if any); login account information and other account identification details.

b) Data Provided by Customers During Use of the Platform

Includes information related to the Customer’s business activities, brands, or products/services, voluntarily provided when using the Platform, such as brand name; brand website; product/service name; product/service website; and any other content, data, or materials uploaded or entered the Platform by the Customer.

c) Technical Data and Usage Data

Includes: login data, access time, and feature usage history; IP address, browser type, device, and operating system; system logs and other technical data necessary for operation, security, and improvement of the Platform.

d) Corporate Customer Data (if applicable)

Where the Customer is an organization or enterprise: company name; tax identification number; contact email; information of the representative or contact person (full name, title, email, phone number – if provided).

e) Sensitive Data Principles

Inipod does not proactively collect sensitive personal data as defined under Decree No. 13/2023/ND-CP. In cases where Customers voluntarily provide such data, they are responsible for ensuring that: They have obtained all necessary rights and lawful consent from the data subject; and the provision of such data complies with applicable laws.

f) Data Update Scope

The above types of data may be updated, amended, or supplemented by the Customer during the use of the Platform. Inipod processes data only within the scope necessary to provide and operate the Services.

ARTICLE 5. METHODS OF COLLECTING CUSTOMER DATA

Inipod collects data from Customer through the following methods:

5.1 Direct collection from Customer through various methods:

a) When the Customer registers and/or uses Inipod’s platform and platform services or third- party services through Inipod;

b) When the Customer submits a request to register an account or any other forms related to Inipod’s platform and platform services;

c) When the Customer enters into any agreement or provides other documents or information related to interactions between the Customer and Inipod's staff/representatives, including but not limited to: through phone calls, correspondence, face-to-face meetings, emails, or online interactions;

d) When the Customer provides feedback and submits complaints to Inipod;

đ) When the Customer grants permission on their device to share information with Inipod's platform;

e) When the Customer submits their information to Inipod for any other reason, including when the Customer registers for a free trial of any product or service, or when the Customer expresses interest in any of Inipod's products or services.

5.2 Indirect collection from other third parties:

a) If the Customer chooses electronic payment to Inipod or through an electronic website or application, Inipod may receive the Customer's data from third parties, such as payment service providers, for the purpose of that payment;

b) To comply with its obligations under current laws, Inipod may receive Customer data from authorized state agencies as stipulated by law;

c) Inipod may receive Customer data from public sources (such as advertising/information brochures, publicly available information on electronic websites, etc.) and/or from Inipod’s suppliers, service providers, partners, and other third parties;

d) Whenever such data is collected, Inipod will ensure that the data received from third parties is obtained in a lawful manner and will require those third parties to be responsible for complying with data protection laws.

ARTICLE 6. METHODS OF DATA PROCESSING

The Customer agrees that their data may be processed by any method in accordance with Inipod's policies at any given time, depending on the platform and platform services, as well as the specific purposes, including but not limited to: collection, recording, analysis, verification, storage, modification, combination, access, retrieval, recovery, encryption, decryption, copying, sharing, transmission, provision, transfer, use of cyberspace, devices, electronic media, or other means for data transfer both domestically and/or internationally, deletion, destruction, and other related actions.

ARTICLE 7. INFORMATION ABOUT ORGANIZATIONS AND INDIVIDUALS INVOLVED IN DATA PROCESSING PURPOSES

7.1 In order to fulfill the purposes specified in Article 3 of this Policy, the Customer agrees and allows Inipod to provide the Customer's personal data to any or simultaneously to the following entities:

a) Inipod's parent company, subsidiaries, and affiliated companies (if any);

b) Companies and/or organizations, individuals acting as service providers, contractors, partners, commercial banks, card switching organizations, intermediary payment companies collaborating with Inipod, and/or Inipod’s professional advisors or consultants;

c) Competent State authorities in Vietnam, organizations, or individuals requesting information disclosure in accordance with current legal regulations;

d) The transferee in the event of a merger, divestiture, restructuring, reorganization, dissolution, or sale or transfer of part or all of Inipod's assets, whether as an ongoing operation or part of bankruptcy, liquidation, or similar proceedings;

đ) Any individual or organization acting as a representative or authorized party of the Customer, acting on behalf of the Customer;

e) Any individual involved in the execution or maintenance of any rights or obligations under the agreement(s) between the Customer and Inipod;

g) Representatives, employees, shareholders, or investors of Inipod;

h) Other related parties deemed necessary by Inipod to facilitate the platform and services provided by Inipod, protect the legitimate rights and interests of Inipod or the Customer under agreement(s), or when Inipod considers there to be a legal basis for disclosing the Customer's data.

7.2 Inipod shall regard Customer data as private and confidential. Aside from the entities mentioned above, Inipod will not disclose Customer data to any other parties, except in the following cases:

a) With the Customer's consent;

b) When Inipod is required or permitted to disclose under applicable laws or by a competent State authority;

c) When Inipod transfers rights and obligations under the agreement(s) between the Customer and Inipod.

ARTICLE 8. TRANSFER OF DATA ABROAD

8.1 To fulfill Customer needs and achieve the purposes outlined in Article 3 of this Policy, Inipod may need to provide or share Customer data with its service providers located outside the territory of Vietnam when it is deemed necessary.

8.2 When transferring or sharing data abroad, Inipod shall require the recipient to ensure that the Customer data transferred to them is kept confidential and secure. Inipod commits to complying with all legal obligations and regulations related to the transfer of Customer data in accordance with applicable laws.

ARTICLE 9. RIGHTS AND OBLIGATIONS OF CUSTOMERS PROVIDING DATA TO INIPOD

9.1 Rights of Customers:

Pursuant to the provisions of applicable laws, Customers, as data subjects, are entitled to the following rights:

a) Customers have the right to be informed about the processing of their data, except as otherwise provided by law;

b) Customers have the right to consent or refuse consent for the processing of their data, except as otherwise provided by law;

c) Customers have the right to access, view, and request amendments to their data, except as otherwise provided by law;

d) Customers have the right to withdraw their consent to the processing of their data at any time. However, such withdrawal will not affect the legality of data processing based on the

Customer's consent prior to withdrawal. In cases where the Customer withdraws consent, Inipod may not be able to provide full services and quality as requested;

đ) Customers have the right to delete or request the deletion of their data, except as otherwise provided by law;

e) Customers have the right to request the restriction of the processing of their data, except as otherwise provided by law. Inipod shall restrict the processing of the requested data within 72 hours from the Customer's request, except as otherwise provided by law;

g) Customers have the right to request Inipod/Data Controller to provide them with their personal data, except as otherwise provided by law;

h) Customers have the right to object to Inipod's processing of their data to prevent or limit its disclosure or use for advertising or marketing purposes, except as otherwise provided by law;

i) Customers have the right to file complaints, denounce violations, or initiate lawsuits in accordance with the law;

k) Customers have the right to request compensation for actual damages as prescribed by law if Inipod violates regulations on data privacy, unless otherwise agreed by the parties or stipulated by law;

l) Customers have the right to self-protection as stipulated in the Civil Code and other relevant laws, or to request competent authorities or organizations to implement methods of protecting civil rights as provided in Article 11 of the Civil Code;

m) Customers have other rights as prescribed by current laws.

Within the scope permitted by law, Customers may exercise their rights by contacting Inipod using the contact details provided in Article 13 of this Policy. Inipod will address lawful and valid requests from Customers within the timeframe prescribed by law upon receiving a legitimate request.

9.2 Obligations of Customers:

a) Comply with the legal provisions, this Data Privacy Policy, and any regulations or guidelines of Inipod related to the security and processing of Customer data;

b) Provide complete, truthful, and accurate data and information as required by Inipod when registering an account and using the platform and services of Inipod. Inipod will protect Customer data based on the information provided by the Customer. Therefore, if there is any inaccurate information, Inipod will not be responsible for any impact or limitation of Customer rights arising from such inaccuracies. If changes in information are not communicated, and any risks or losses occur, the Customer will be liable for any mistakes, misuse, or fraud when using services due to their own fault or failure to provide timely, correct, and complete information. This includes financial losses and additional costs arising from incorrect or inconsistent information provided;

c) Cooperate with Inipod, relevant state authorities, or third parties in cases where issues affecting the Customer's data arise;

d) Take responsibility for protecting their own data; proactively apply measures to safeguard their data while accessing, registering, and using the platform and services of Inipod; promptly notify Inipod if they detect any errors, discrepancies in their data, or suspect that their data is being compromised;

đ) Be solely responsible for the information, data, and consents that they create or provide on the online platform; bear responsibility in case of data leakage or compromise due to their own fault;

e) Regularly update the regulations and Data Privacy Policies of Inipod and notify Customers periodically or publish them on Inipod's official website or application. Take actions according to Inipod's instructions to clearly express agreement in full, partial agreement, agreement with conditions, or disagreement regarding the purposes of data processing notified by Inipod to the Customer periodically;

g) Respect and protect the personal data of others;

h) In case of any disputes, complaints, or legal actions from the data subjects regarding the personal data provided by the Customer to Inipod, the Customer will protect Inipod from such disputes, complaints, or legal actions, and fully compensate Inipod for any damages, losses, costs, and expenses arising from these disputes, complaints, or legal actions. Any violation by the Customer that negatively impacts Inipod will be considered a breach of this Policy;

i) In the case where the Customer is the Data Controller or Data Controller and Processor, the Customer ensures:

- Customer has obtained clear consent in accordance with the law on personal data protection from the data subjects for all activities of data collection, use, and provision of information to Inipod;

- Customer has informed and obtained clear consent from the data subject regarding the processing of personal data outside their original country;

- Data subject is fully aware of and has agreed to all personal data processing activities as outlined in this Policy before consenting to Customer's collection of personal data, in compliance with this Policy and applicable laws;

- A data impact assessment has been conducted regarding the processing of personal data, including an assessment of the impact of transferring personal data abroad, in accordance with Decree No. 13/2023/ND-CP dated April 17, 2023, by the Government on personal data protection, and guidelines from the Ministry of Public Security in each period (if applicable);

- Customer stores evidence proving the consent of the data subject as required by this clause and provides such evidence upon request from Inipod and/or the competent state authority (if any).

k) Other obligations as required by law.

ARTICLE 10. START TIME AND END TIME OF DATA PROCESSING

10.1 The data processing activities for Customer will begin when Inipod receives the data provided by Customer and/or Inipod has the appropriate legal basis to process the data in accordance with the law.

10.2 Within the limits permitted by law, Customer data will be processed by Inipod until one of the following occurs:

a) The Contract with Customer expires;

b) Customer stops using Inipod's platform and platform services;

c) The purpose of data processing has been fulfilled or is no longer necessary;

d) Customer decides to withdraw consent after completing the procedures as required by law;

đ) Inipod receives a written request to terminate data processing from the competent state authority.

ARTICLE 11. DATA STORAGE, DELETION AND DISPOSAL

11.1 We will store the Customer's data in accordance with legal regulations. When the Customer's data is no longer necessary for fulfilling the purpose set out in this Policy, or Inipod no longer has a legal basis to retain the Customer's data, or when the Customer withdraws consent, Inipod will take steps to delete, dispose of, anonymize, or prevent access or use of the data for any purposes other than compliance with this Policy or for safety, security, fraud detection, and prevention, in accordance with current legal requirements.

11.2 After the data processing period ends, except in cases where requested by Customer or as required by law or this Policy, Inipod will:

a) Delete all Customer data;

b) Request third parties to delete all Customer data (if third-party involvement occurs).

11.3 Data deletion will not apply if Customer requests it in the following cases:

a) The law prohibits data deletion;

b) The Customer’s data is processed by a competent state authority for the purpose of serving state agency activities as required by law;

c) The Customer’s data has been made public in accordance with legal regulations;

d) The Customer’s data is processed to serve legal requirements, scientific research, or statistics as prescribed by law;

đ) In cases of national defense emergencies, national security, social order and safety, major disasters, dangerous epidemics; when there is a threat to security or national defense but not yet to the extent of declaring a state of emergency; riot control, terrorism prevention, crime and law violation prevention;

e) Responding to emergency situations that threaten the life, health, or safety of the data subject or another individual.

ARTICLE 12. POSSIBLE UNINTENDED CONSEQUENCES AND DAMAGES

12.1 The responsibility for the security of Customer data is a mandatory requirement set by Inipod for all employees. During the data processing process, Inipod and its related parties commit to applying necessary technical, security, and protective measures, to the best of their ability, to safeguard the Customer’s data in accordance with the law; fully comply with this Data Privacy Policy and (any) agreements with the Customer, and minimize any unexpected consequences or potential damages.

12.2 The Customer understands and acknowledges that no technical system or security measure is absolutely secure, and online transactions, cyberspace, and data processing activities always carry inherent risks, including but not limited to:

a) Hardware or software failures during data processing leading to the loss of Customer data;

b) Security vulnerabilities beyond Inipod's control, with the system being attacked by hackers leading to data exposure;

c) Customer inadvertently exposing their own data due to carelessness, being deceived, or accessing websites/downloading applications containing malicious software;

d) Force majeure events, natural disasters, etc.

In the event of an incident or detection of a violation involving the Customer's data, Inipod will immediately notify the competent state authority about the breach and make efforts to implement corrective actions and prevent further damage in accordance with the law.

ARTICLE 13. CONTACT INFORMATION FOR CUSTOMER DATA PROCESSING

If Customer has any questions or concerns related to this Policy, please contact us using the following information:

- Company Name: INIPOD COMPANY LIMITED

- Address: 209 Hoang Van Thu, Phu Nhuan Ward, Ho Chi Minh City, Vietnam

- Tel: 028 6686 3717

- Email: [email protected]

ARTICLE 14. AMENDMENT AND SUPPLEMENTATION OF THE PRIVACY POLICY

14.1 Inipod reserves the right to modify, update, or adjust the terms of this Privacy Policy to align with its business operations and applicable laws. Any changes will be publicly announced on the website or notified to Customers via email at least seven (07) working days prior to their effective date.

14.2. For changes related to the purposes of data processing, types of data collected, or third parties receiving the data, Inipod will require Customers to provide consent through direct interaction methods on the platform (such as confirmation buttons or checkboxes).

14.3. In the event that a Customer does not agree with the modified content, the Customer has the right to refuse in writing or through available features on the application. In such cases, Inipod reserves the right to partially restrict or terminate the provision of services if the lack of Customer consent prevents Inipod from fulfilling its contractual or legal obligations.

ARTICLE 15. GENERAL PROVISIONS

15.1 This Policy is effective from the date of 01/01/2026.

15.2 Customer acknowledges and agrees that this Policy also serves as the Personal Data Processing Notice as stipulated in Article 13 of Decree No. 13/2023/ND-CP dated April 17, 2023, by the Government on Personal Data Protection, as amended and supplemented from time to time, before Inipod proceeds with data processing. Accordingly, Inipod is not required to take any additional measures to notify the Customer about data processing.

15.3 Upon receiving a request to exercise the Customer's rights under Article 9.1 of this Policy, Inipod will take necessary steps to authenticate and identify the person making the request. If necessary, to verify the identity and ensure the security of the Customer's data, Inipod may cross-check the data provided by the requester when submitting the request with the data Inipod has stored.

If Inipod proceeds with the deletion, disposal, or restriction of data use as requested by Customer, the Customer’s rights under any contracts or agreements with Inipod, which require the use of such data, may be interrupted, altered, or terminated.

15.4 Inipod and Customer commit to complying with the provisions of this Policy. For any matters or regulations not specified in this Policy, both parties agree to apply the relevant legal regulations, guidance from the competent state authorities, and/or any amendments or supplements to this Policy as notified by Inipod to Customer from time to time.