Privacy Policy

1. Scope & Data Controller

This policy applies to all websites, applications, services and portals provided by Fudubank Investment Fund Management JSC (operator of the Lĩnh Nam Group ecosystem) and its member companies, including:

• linhnam.vn — Group website
• cdrestop.com & cdrestop.io — CD Restop ecosystem
• vnyc.io — Vietnam Yacht Cruise
• erp.linhnam.vn — Internal ERP
• Mobile apps for VNYC, CD Restop, FuduBank, Lĩnh Nam Cosmos

Data Controller: 114 Nguyen Cuu Van, Gia Dinh Ward, Ho Chi Minh City — hi@linhnam.vn — (+84) 902 579 311

2. Data We Collect

We collect only what is necessary for stated purposes:

• Identifiers — name, date of birth, gender
• Contact — email, phone, address (for service customers)
• KYC — ID/passport (for VIP/Black Card members, investors)
• Transaction — booking history, payments (no card numbers stored)
• Behavioural — pages viewed, device info, IP address (1-octet anonymized)
• HR — CV, employment records (employees only)
• Shareholders — ownership records, meeting minutes

We do not collect health, religious, political, or sexual orientation data unless required by law.

3. Purposes & Legal Basis

Per Vietnam's Decree 13/2023/NĐ-CP and GDPR (for EU users):

• Service delivery — Contract
• Payment processing — Contract + legal obligation
• KYC for VIP customers — Legal obligation (AML)
• Marketing — Consent (revocable anytime)
• Analytics — Legitimate interest + cookie consent
• Security & fraud detection — Legitimate interest
• HR records — Employment contract + legal obligations

4. Sharing with Third Parties

We share data only when necessary, with binding DPAs:

• Group member companies (7 BUs) — only for the original consented purpose
• Hosting — Hostinger (Lithuania)
• Analytics — Google Analytics 4 (anonymized IP)
• Payment — VNPay, MoMo, Zalo Pay
• AI — Anthropic (anonymized inputs)
• CDN — Cloudflare
• Marketing — Meta, Zalo OA (hashed audiences only)
• Government — when legally required (tax, police, A05)

We do NOT sell your data to anyone.

5. Cookies

See our Cookie Policy. Categories: essential, analytics (GA4), preferences, advertising (consent-based).

6. Your Rights

You have 8 rights under Decree 13 and GDPR: Be informed · Access · Rectify · Erase · Restrict · Port · Object · Withdraw consent. To exercise: email dpo@linhnam.vn with ID verification — response within 72 working hours.

7. Retention

• Account data — Active period + 12 months after deletion
• Invoices — 10 years (Vietnam Accounting Law)
• Employment records — Duration + 75 years (Social Insurance)
• Web logs — 90 days raw, 13 months aggregated
• Marketing emails — Until you unsubscribe
• KYC docs — 5 years after relationship ends (AML Law)

8. Security

• TLS 1.3 (A+ SSL Labs)
• At-rest encryption (Postgres + S3)
• JWT auth (15-min rotation, httpOnly refresh)
• Daily encrypted backups
• Full audit log in core.activity_log
• RBAC (8 roles)
• Quarterly third-party pen-tests
• 72-hour breach notification (Decree 13)
• ISO 27001-aligned

9. International Transfers

Some processors are outside Vietnam (US: Google, Anthropic, Meta · Lithuania: Hostinger · Singapore: Cloudflare APAC). All under SCCs / GDPR adequacy / APEC CBPR. Cross-border transfer registered with Vietnam Cyber Security Department (A05) per Article 25 of Decree 13.

10. Children's Privacy

Our services are not directed at children under 16. We do not knowingly collect children's data. Parents who discover data submitted by their child may email dpo@linhnam.vn for immediate deletion.

11. Policy Changes

We may update this policy when products change, laws are amended, or processors change. Material changes are: (1) posted here with new "Last updated" date, (2) emailed to active accounts 30 days in advance, (3) shown as banner on next login.

12. Contact DPO