Privacy Policy

Effective date: 2026-05-15 (Phase 1B launch) Last updated: 2026-05-17 (V31 update per D24.2 joint sign-off — Option C+ passport workflow honest disclosure) Service: govietnamglobal.com (Vietnam E-Visa application service) Operator: Tâm Việt Korea (TVK) — Korean entity at 2F #203A, 32 Eulji-ro 15-gil, Jung-gu, Seoul, Korea

1. Who we are

GoVietnamGlobal is operated by Tâm Việt Korea (TVK), a Korean business entity headquartered in Eulji-ro, Seoul.

Contact: - Email: [email protected] - Mail: Tâm Việt Korea, 2F #203A, 32 Eulji-ro 15-gil, Jung-gu, Seoul, Korea - DPO (Data Protection Officer): [email protected] (CEO designated)

2. Data we collect

2.1. Information you provide

When you apply for a Vietnam E-Visa through us:

Identity: Full name (per passport), date of birth, gender, nationality
Travel documents (text): Passport number, dates of issue/expiry, country of issue
Passport scan/photo: Collected via secure email follow-up from [email protected] within 24 hours of order confirmation. NOT auto-uploaded via web form. Stored encrypted for visa processing duration + 30 days post-delivery.
Contact: Email, phone number, WhatsApp/WeChat ID (optional)
Travel info: Arrival/departure dates, port of entry, purpose, accommodation address
Payment: We use PayPal Business Korea (Visa/Mastercard/Amex globally — no PayPal account required) and Toss Payments (Korean cards and bank accounts). WeChat Pay added Phase 2. We DO NOT store credit card numbers — payment processors handle all card data per PCI-DSS Level 1 standards.

2.2. Information collected automatically

Web analytics: Page views, language preference, device type — via Google Analytics 4 (anonymous, IP-anonymized)
Cookies: Functional cookies for language switching + analytics consent (banner-managed via Termly)
IP address: We hash your IP (SHA-256) for security/fraud detection. We DO NOT store raw IP addresses.

2.3. We do NOT collect

Social Security Numbers (or equivalents)
Financial account numbers (credit card details handled by PayPal and Toss only)
Biometric data
Children's data (service is 18+; minors apply through parent/guardian)
Sensitive categories (race, religion, political views, health) — we don't ask, please don't include

3. Why we collect (legal basis)

Data	Purpose	Legal basis (GDPR)
Passport + travel info	Submit application to Vietnamese Immigration Department	Performance of contract
Email	Send order updates + e-visa delivery	Performance of contract
Phone (optional)	Express order SMS notifications	Consent (you provided voluntarily)
Hashed IP	Fraud prevention, security	Legitimate interest
Analytics	Improve service quality	Consent (cookie banner)

4. Who we share with

4.1. Vietnamese Immigration Department

Required by Vietnamese law for e-visa application
We submit: full name, passport, DOB, nationality, travel info
Government holds data per Vietnamese government retention policies

4.2. Vietnamese partner company (processing agent)

Tâm Việt Korea contracts with a Vietnamese partner who liaises with the Immigration Department
They process your application on our behalf
Bound by data processing agreement with TVK

4.3. Service providers (data processors)

PayPal (payment processing — global cards) — USA — PCI-DSS Level 1, Privacy Shield successor
Toss Payments (payment processing — Korean cards/bank) — Korea — PCI-DSS, PIPA-compliant
Supabase (database hosting) — Singapore region — SOC 2 Type II
Cloudflare (CDN, edge compute) — Global — GDPR/CCPA compliant
Brevo (transactional email — Phase 2) — France/EU — GDPR compliant
Twilio (SMS — Express orders only) — USA — Privacy Shield successor

4.4. Legal requirements

We may disclose data if required by court order, subpoena, or law enforcement request from competent authority (Korea, Vietnam, or country of customer's residence)

4.5. We DO NOT sell data

We never sell your personal data to advertisers, data brokers, or any third party

5. How long we keep data

Data type	Retention period	Reason
Passport scan/photo	Deleted within 30 days post-delivery per documented retention policy	PIPA + minimal necessary principle
Order details (text fields)	7 years	Korean tax law + dispute resolution
Audit log (state changes)	5 years	PIPA + dispute evidence
Analytics (anonymized)	26 months	GA4 default
Hashed IP	90 days	Security forensics

6. Where data is stored

Primary database: Supabase (Singapore region)
Edge cache: Cloudflare (global — your data may transit through nearest CF datacenter)
Email: Brevo (EU) or Gmail (USA) for sending only
Backups: Supabase auto-backup (Singapore)

For EU customers: We rely on Standard Contractual Clauses (SCCs) for data transfers outside EU.

7. Your rights

Under GDPR (EU customers)

Access: Get a copy of your data
Rectification: Correct inaccurate data
Erasure ("right to be forgotten"): Delete your data (within constraints of legal retention)
Restriction: Limit how we process
Portability: Receive data in machine-readable format
Object: Object to processing based on legitimate interest
Withdraw consent: For consent-based processing
Complain: To your country's Data Protection Authority

Under Korean PIPA

Access, correction, deletion: Same as GDPR rights
Suspension of processing: Halt processing of your data

Under Vietnam Personal Data Protection Law (Decree 13/2023)

Similar rights as GDPR
Request consent withdrawal

How to exercise rights

Email: [email protected]
Subject: "Data Subject Request — [your order ID if applicable]"
Response time: ≤30 days (≤45 days for complex requests)
Identity verification: We may ask for proof of identity to prevent unauthorized access

8. Security measures

TLS 1.2+ encryption for all data in transit
AES-256 encryption at rest (Supabase database + storage)
Row Level Security (RLS) policies — only authorized service accounts access data
Access control: Multi-factor authentication for admin access
Audit log: Every state change recorded with timestamp + actor
Passport scan/photo classified as 고유식별정보 (Unique Identifier) under Korean PIPA Article 24; subject to mandatory encryption + explicit consent + use limited to declared purpose. Reference: TVK internal legal research T5 2026 (PIPA + Vietnam Decree 13/2023 compliance).
Manual monthly cleanup of email-collected passport scans (deletion within 30 days post-delivery). Phase 2 migration to scheduled auto-deletion when volume justifies operational investment.
Annual security review

9. Children's privacy

This service is intended for adults (18+). If a minor needs a Vietnam visa: - Parent or guardian must apply on behalf of the minor - Parent's contact information used as primary record - Same data protections apply

10. International users

Korean customers: PIPA applies. Data may transfer to Vietnam (partner) and USA (PayPal) for payment processing. Korean card payments via Toss Payments stay in Korea. You consent by using the service.
EU customers: GDPR applies. SCCs in place for transfers outside EU.
Vietnamese customers: Decree 13/2023 applies. Most data stays in Vietnam (government processing).
Other regions: Local laws may apply. We comply with applicable laws.

11. Cookies & analytics

We use: - Strictly necessary cookies: Language preference, session - Analytics cookies: Google Analytics 4 (anonymized) — opt-in via banner - No advertising cookies: We don't run paid retargeting

You can manage cookies via the banner (powered by Termly) or your browser settings.

12. Changes to this policy

We may update this policy. Material changes notified via: - Banner on govietnamglobal.com - Email to active customers

Last 5 versions retained at: govietnamglobal.com/privacy/history

13. Complaints

If you believe we violated your privacy rights:

First: Contact [email protected] — we'll respond within 30 days
If unresolved: File complaint with appropriate authority: - Korea: Korea Internet & Security Agency (KISA) — 개인정보보호위원회 - EU: Your country's Data Protection Authority - Vietnam: Department of Cybersecurity and Anti-High-Tech Crimes (A05 — Bộ Công an)