PRIVACY POLICY

Last updated: February 24, 2026

This Privacy Policy of Danahost Vietnam LLC (doing business as Danahost, hereinafter referred to as "we", "us", or "our") describes how and why we collect, store, use, share, and protect ("process") your personal information when you use the Danahost property management platform and related services ("Services"), including when you:

Visit our website at https://danahost.vn/en or any website that links to this Policy;
Register an account and use the Danahost platform;
Interact with us via email, customer support, or other communication channels.

This Policy is built in compliance with Decree 13/2023/ND-CP on Personal Data Protection of Vietnam (effective from July 1, 2023) and international data protection standards.

Questions? Please contact us at [email protected].

Danahost's Data Processing Role
What Information Do We Collect?
Legal Basis and Processing Purposes
Sharing Information with Third Parties
Cross-Border Data Transfer
Cookies and Tracking Technologies
Artificial Intelligence (AI) Products
Social Media Logins
Data Retention Period
Security Measures
Data Breach Notification
Your Rights Regarding Personal Data
Children's Data Protection
Do-Not-Track (DNT) Signals
Updates to This Policy
Contact Us

1. DANAHOST'S DATA PROCESSING ROLE

In Short: Danahost plays two different roles depending on the type of data being processed.

Danahost is a SaaS (Software as a Service) platform providing property management solutions. In our operations, we play two distinct roles:

a) Data Controller

Danahost acts as the Data Controller for the personal information of platform users (property owners, management staff). We determine the purposes and means of processing this data, which includes: account information, service usage data, contact information, and payment details.

b) Data Processor

Danahost acts as the Data Processor for the personal information of guests that users enter into the system. In this case:

The property owner (Danahost user) is the Data Controller, responsible for ensuring the lawfulness of collecting and using guest data.
Danahost only processes guest data according to the property owner's instructions and for the purpose of providing the Services.
Guest data may include: full name, email, phone number, national ID/passport number, and related booking information.

Data Processing Agreement (DPA): For enterprise customers, Danahost provides a separate Data Processing Agreement specifying in detail the responsibilities of each party. To request a DPA, please contact [email protected].

2. WHAT INFORMATION DO WE COLLECT?

In Short: We collect information you provide directly and some information collected automatically when you use the Services.

a) Information You Provide Directly

When you register an account, use the Services, or contact us, you may provide:

Data Type	Details	Required?
Identification	Full name, username	Yes
Contact data	Email address, phone number, mailing address	Yes (email)
Account data	Password (encrypted), settings preferences	Yes
Business data	Property name, address, business type	Yes
Communication Preferences	Marketing email preferences, preferred language	No

b) Guest Data

When you use Danahost to manage your property, you may enter customer data into the system, including:

Guest full name
Email address and phone number
National ID or passport number
Booking information (check-in/check-out dates, room type, special requests)

Important Note: National ID/passport numbers are classified as sensitive personal data under Article 2 of Decree 13/2023/ND-CP. The property owner (as Data Controller) is responsible for ensuring there is a sufficient legal basis and valid consent from guests before entering this data into the Danahost system. Danahost processes this data in its role as Data Processor in accordance with accommodation regulations.

c) Automatically Collected Information

When you access the Services, we automatically collect certain technical information:

Data Type	Details	Purpose
Log Data	IP address, browser type, operating system, access time, pages viewed	Security, technical analysis
Device data	Device model, device ID, mobile carrier, system configuration	Compatibility, technical support
Estimated location data	Country, city (based on IP address)	Language display, security
Cookies and Similar Technologies	See details in Section 6	Operations, analytics

Regarding location data: We do not collect precise location (GPS). We only use IP addresses to determine estimated location (country/city) for the purpose of displaying the appropriate language and detecting unusual access.

d) Sensitive Information

We do not directly collect or request sensitive personal information from platform users (such as biometric data, religious beliefs, or sexual orientation). However, guest national ID/passport data entered by property owners falls under the sensitive data category and is processed with enhanced protection measures (see Section 10).

e) Information from Third Parties

We may receive booking information from OTA (Online Travel Agency) channels via Channex, including customer information synced from Booking.com, Airbnb, and similar platforms. This data is processed according to the property owner's instructions and the policies of each OTA.

All information you provide must be truthful, complete, and accurate. You are responsible for notifying us of any changes.

3. LEGAL BASIS AND PROCESSING PURPOSES

In Short: We only process data when there is a valid legal basis under Decree 13/2023/ND-CP.

The table below details each processing purpose, the data types involved, and the corresponding legal basis:

Processing Purpose	Data Type	Legal Basis
Account creation and management Allowing you to register, log in, and use the Services	Identification, contact, and account data	Contract performance — Necessary to provide the Services you have subscribed to
Service delivery Operating the platform, processing bookings, channel synchronization	Account data, business data, guest data	Contract performance
Customer support Answering questions, handling requests, troubleshooting issues	Contact information, support request content	Contract performance
Service notifications Sending updates, terms changes, and maintenance alerts	Email, name	Contract performance — Essential notifications related to the Services
Security and fraud prevention Detecting unusual access, preventing abuse	Log data, IP, device data	Legitimate interest — Protecting the Services and users from security threats (*)
Analytics and service improvement Understanding how users use the platform to improve the experience	Log data, usage data (anonymized)	Legitimate interest — Improving service quality (*)
Marketing and promotions Sending emails about new features, promotional campaigns	Email, name, communication preferences	Consent — Only when you actively opt in for marketing communications
Targeted advertising Displaying ads relevant to your interests	Cookies, browsing data	Consent — Only when you accept advertising cookies (see Section 6)
Legal compliance Meeting legal, tax, and accounting requirements	Information required by competent authorities	Legal obligation

(*) Regarding Legitimate Interest: When relying on "legitimate interest" as a legal basis, we conduct a balancing assessment between Danahost's interests and your rights and freedoms, and conclude that the processing does not unduly infringe upon your rights. You have the right to object to any processing based on legitimate interest by contacting us at [email protected]. We will stop processing unless we can demonstrate compelling legitimate grounds.

4. SHARING INFORMATION WITH THIRD PARTIES

In Short: We only share data with third parties necessary to operate the Services and always ensure appropriate safeguards are in place.

We do not sell your personal information. We may share data with the following third parties to the extent necessary:

Third Party	Purpose	Data Type	Country
Google Analytics (Google LLC)	Analyzing website traffic and usage behavior	Browsing data, cookies, IP (anonymized)	United States
OpenAI (OpenAI LLC)	Providing AI features on the platform (see Section 7)	AI feature input data	United States
Google Cloud AI (Google LLC)	Providing AI features on the platform (see Section 7)	AI feature input data	United States / Singapore
Channex	Syncing booking data with OTA channels	Booking data, guest information	See Channex's policy
OTAs (Booking.com, Airbnb, etc.)	Syncing rooms, rates, and bookings (via Channex)	Booking data, guest information	Multiple countries
Social media providers (Facebook, Google, etc.)	Social media login (if you choose to use it)	Public profile information	United States

Additionally, we may share data in the following situations:

Legal requests: When required by a competent state authority under Vietnamese law.
Business transfers: In the event of a merger, acquisition, or sale of assets, data may be transferred to the acquiring party. We will notify you before data is transferred and becomes subject to a different privacy policy.
With your consent: When you explicitly authorize sharing with a specific party.

All third parties must commit to keeping information confidential through appropriate contracts or data processing agreements.

5. CROSS-BORDER DATA TRANSFER

In Short: Some data may be processed abroad. We ensure appropriate safeguards in accordance with Decree 13/2023/ND-CP.

Your core data is stored on servers located in Vietnam. However, some data may be transferred and processed abroad when you use features involving third parties:

Service	Processing Country	Data Type	Safeguards
Google Analytics	United States	Browsing data (IP anonymized)	Google Data Processing Terms; IP anonymization
OpenAI	United States	AI input data	Data Processing Agreement (DPA); commitment not to use for training
Google Cloud AI	United States / Singapore	AI input data	Google Cloud Data Processing Terms
Channex / OTAs	Multiple countries	Booking data	Service contracts with confidentiality clauses

Under Article 25 of Decree 13/2023/ND-CP, when transferring personal data internationally, we ensure:

The data recipient commits to protecting personal data at a level equivalent to or higher than Vietnamese law;
Binding contracts or agreements on data processing and protection are in place;
Impact assessments are conducted for transfers involving sensitive data;
Data subjects are notified and consent is obtained when required by law.

6. COOKIES AND TRACKING TECHNOLOGIES

In Short: We use essential cookies to operate the Services. Analytics and advertising cookies are only activated with your consent.

We categorize cookies into the following groups:

Cookie Type	Purpose	Consent Required?
Essential cookies	Maintaining login sessions, security, basic site functionality	No (necessary for operation)
Analytics cookies	Collecting anonymized usage data via Google Analytics to improve the Services	Yes — Opt-in
Advertising cookies	Displaying relevant ads, remarketing	Yes — Opt-in

How to manage cookies:

On your first visit, a cookie banner will appear allowing you to accept or reject each type of cookie.
You can change your cookie preferences at any time in the cookie settings on our website.
You can also configure your browser to block or delete cookies. Note that blocking essential cookies may affect Service functionality.

Google Analytics: We use Google Analytics with the IP anonymization feature. Google Analytics is only activated after you consent to analytics cookies. To opt out of Google Analytics, you can:

Decline in our cookie banner;
Install the Google Analytics Opt-out Browser Add-on;
Adjust your Google Ads Settings.

Full details are provided in our Cookie Policy.

7. ARTIFICIAL INTELLIGENCE (AI) PRODUCTS

In Short: Some features use AI through third-party providers. You have the right to opt out of these features.

Danahost integrates features powered by artificial intelligence ("AI Features") through third-party service providers, including OpenAI and Google Cloud AI.

a) AI Features

Our AI Features may include: booking data analysis, room rate suggestions, automated support, and business analytics tools.

b) Data Processed by AI

When you use AI Features, input and output data will be sent to and processed by the AI provider. We commit to the following:

Not used to train AI models: Your data is not used to train or improve the provider's AI models. We use commercial APIs with commitments not to use customer data for training purposes.
Temporary retention: AI providers may retain input/output data for a short period (typically up to 30 days) for abuse detection purposes, after which it is automatically deleted.
Encryption: Data is transmitted to the AI provider over an encrypted channel (TLS 1.2+).

c) Right to Opt Out

You have the right to opt out of AI Features by:

Disabling AI features in your account settings;
Contacting us at [email protected].

Opting out will not affect other basic functionalities of the Services.

Note: You may not use AI Features in any way that violates the terms or policies of the AI provider (OpenAI: Usage Policies; Google Cloud: Acceptable Use Policy).

8. SOCIAL MEDIA LOGINS

In Short: If you log in using a social media account, we receive certain information from that provider.

The Services allow you to register and log in using your social media account (Facebook, Google, etc.). When you choose this option, we receive:

First and last name;
Email address;
Profile picture;
Other information you have set to public on the social media platform.

We only use this information to create and manage your Danahost account. We do not control and are not responsible for how social media providers process your data. Please review their privacy policies.

9. DATA RETENTION PERIOD

In Short: We retain data for the period necessary for each specific purpose.

We apply the following data retention periods:

Data Type	Retention Period	Reason
Account data	For the duration of the active account + 30 days after account deletion	Service provision; account recovery
Guest Data	Per property owner settings; max duration of active account + 30 days	Contract performance; compliance with accommodation regulations
Log data	Maximum 12 months	Security, technical analysis
Marketing data	Until you unsubscribe + 6 months	Ensuring no resends after opt-out
Customer support data	24 months from the last interaction	Providing continuous support, service improvement
Backups	Automatically deleted after 90 days	System recovery in the event of an incident
Accounting / tax data	Minimum 5 years as required by Vietnamese law	Legal obligation

Upon expiration of the retention period or when there is no longer a lawful processing purpose, we will delete or anonymize the data. If data is stored in backups, we will isolate it and delete it when the backup expires (maximum 90 days).

10. SECURITY MEASURES

In Short: We apply various technical and organizational measures to protect your data.

We implement security measures appropriate to industry standards and in accordance with Article 26 of Decree 13/2023/ND-CP, including:

Technical Measures

Transit encryption: All data transmitted over the Internet is encrypted using TLS 1.2 or higher (HTTPS).
Storage encryption: Sensitive data (passwords, national ID/passport data) is encrypted at rest.
Passwords: Passwords are hashed using one-way algorithms; we do not store passwords in plain text.
Access control: We apply Role-Based Access Control (RBAC); only authorized personnel have access to personal data.
Monitoring: Audit logging systems are in place to detect and investigate abnormal access.
Backups: Data is regularly backed up and stored securely.

Organizational Measures

Staff training on security and personal data protection;
Restricting access to personal data on a need-to-know basis;
Periodic reviews of security measures and updates as required.

While we make every effort to protect your data using industry-standard security measures, no method of transmission over the Internet or electronic storage is completely secure. We commit to continuously improving our security measures to protect your information.

11. DATA BREACH NOTIFICATION

In Short: We commit to providing timely notification in the event of a data breach affecting you.

In the event of a data security breach, we commit to:

Notifying authorities: Informing the Ministry of Public Security (Department of Cyber Security) within 72 hours of discovering the breach, as required by Article 23 of Decree 13/2023/ND-CP.
Notifying you: If the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay via your registered email and/or in-platform notification.
Notification content: The notice will include: (i) a description of the incident; (iv) recommendations for you to protect yourself; (v) contact information for further details.

12. YOUR RIGHTS REGARDING PERSONAL DATA

In Short: You have several important rights over your personal data under Decree 13/2023/ND-CP.

Under Article 9 of Decree 13/2023/ND-CP and international data protection standards, you have the following rights:

Right	Description
Right to be informed	You have the right to know about the processing of your personal data, including the purpose, methods, and recipients.
Right to consent	You have the right to consent to or withhold consent for the processing of your personal data, except where otherwise required by law.
Right of access	You have the right to request access to and receive a copy of the personal data we hold about you.
Right to withdraw consent	You have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
Right to erasure	You have the right to request deletion of your personal data when: it is no longer necessary for the purpose for which it was collected; you withdraw consent; or it was processed unlawfully.
Right to restrict processing	You have the right to request the restriction of data processing in certain circumstances.
Right to data portability	You have the right to request that we provide your personal data in a structured, commonly used, machine-readable format.
Right to object	You have the right to object to the processing of data based on legitimate interest or for direct marketing purposes.
Right not to be subject to automated decision-making	You have the right not to be subject to a decision based solely on automated processing (including AI profiling) that significantly affects you.
Right to lodge a complaint	You have the right to lodge a complaint with the Ministry of Public Security (Department of Cyber Security and Hi-Tech Crime Prevention) if you believe the processing of your data violates the law.
Right to compensation	You have the right to claim compensation for damages if the processing of your personal data violates the law and causes harm to you.

How to Exercise Your Rights

You may exercise any of the rights above by:

Submitting a data subject access request (DSAR) online; or
Emailing us directly at [email protected].

We commit to responding to your request within 30 days. For complex or high-volume requests, the deadline may be extended by an additional 30 days, and we will notify you of the reason. We may require identity verification before processing your request to protect your data.

Marketing Opt-Out

You may unsubscribe from marketing emails at any time by clicking the "Unsubscribe" link in any email, or by contacting us. After opting out, you will still receive essential service notifications (terms updates, maintenance, security alerts).

Account Deletion

You may request account deletion at any time via your account settings or by contacting us. Upon deletion, we will delete or anonymize your personal data in accordance with the retention periods in Section 9, unless the law requires longer retention.

13. CHILDREN'S DATA PROTECTION

In Short: The Services are not intended for individuals under 18.

Our Services are designed for property owners and business managers. We do not knowingly collect, solicit data from, or market to children under 18 years of age.

By using the Services, you confirm that you are at least 18 years old. If we discover that data has been collected from an individual under 18, we will delete it immediately.

If you discover that a child's data may have been collected, please contact us immediately at [email protected].

14. DO-NOT-TRACK (DNT) SIGNALS

There is currently no unified technical standard for browser "Do Not Track" (DNT) signals. Therefore, we do not currently respond automatically to DNT signals.

However, you can fully control tracking through our website's cookie settings (see Section 6). Analytics and advertising cookies are only activated when you give your consent.

If a DNT standard or other privacy signal mechanism (such as Global Privacy Control) becomes widely adopted in our region of operation, we will update our response policy accordingly.

15. UPDATES TO THIS POLICY

In Short: We will clearly notify you when significant changes are made.

We may update this Privacy Policy to reflect changes in our business operations, technology, or applicable law. When updates are made:

The "Last updated" date at the top of this page will change.
For material changes (expanding the scope of data collection, changing processing purposes, changing third-party recipients of data), we will:
- Send a notification to your registered email address at least 30 days before the changes take effect;
- Display a prominent notification banner on the website and within the platform;
- Request your renewed consent if the changes significantly expand the scope of data processing.

We encourage you to review this Policy regularly. Your continued use of the Services after a change takes effect constitutes your acceptance of the updated version.

16. CONTACT US

If you have questions, requests, or complaints about this Privacy Policy or how we process personal data, please contact us:

Danahost Vietnam LLC

Data Protection Officer: Nguyen Hai Quang

Address: 67 3/2 Street, Hai Chau Ward, Da Nang, Vietnam 550000

Privacy email: [email protected]

General email: [email protected]

Regarding the Data Protection Officer: Under Article 28 of Decree 13/2023/ND-CP, Danahost is in the process of formally designating a personal data protection officer/department. Contact information will be updated in this section upon completion.

To exercise your rights over personal data, you may:

Submit a data subject access request (DSAR) online; or
Email [email protected] with the subject line "[DSAR] Personal Data Request".

© 2026 Danahost Vietnam LLC. All rights reserved.
This Policy complies with Decree 13/2023/ND-CP on Personal Data Protection.

PRIVACY POLICY

Last updated: February 24, 2026

Visit our website at https://danahost.vn/en or any website that links to this Policy;
Register an account and use the Danahost platform;
Interact with us via email, customer support, or other communication channels.

This Policy is built in compliance with Decree 13/2023/ND-CP on Personal Data Protection of Vietnam (effective from July 1, 2023) and international data protection standards.

Questions? Please contact us at [email protected].

Danahost's Data Processing Role
What Information Do We Collect?
Legal Basis and Processing Purposes
Sharing Information with Third Parties
Cross-Border Data Transfer
Cookies and Tracking Technologies
Artificial Intelligence (AI) Products
Social Media Logins
Data Retention Period
Security Measures
Data Breach Notification
Your Rights Regarding Personal Data
Children's Data Protection
Do-Not-Track (DNT) Signals
Updates to This Policy
Contact Us

1. DANAHOST'S DATA PROCESSING ROLE

In Short: Danahost plays two different roles depending on the type of data being processed.

Danahost is a SaaS (Software as a Service) platform providing property management solutions. In our operations, we play two distinct roles:

a) Data Controller

b) Data Processor

Danahost acts as the Data Processor for the personal information of guests that users enter into the system. In this case:

The property owner (Danahost user) is the Data Controller, responsible for ensuring the lawfulness of collecting and using guest data.
Danahost only processes guest data according to the property owner's instructions and for the purpose of providing the Services.
Guest data may include: full name, email, phone number, national ID/passport number, and related booking information.

2. WHAT INFORMATION DO WE COLLECT?

In Short: We collect information you provide directly and some information collected automatically when you use the Services.

a) Information You Provide Directly

When you register an account, use the Services, or contact us, you may provide:

Data Type	Details	Required?
Identification	Full name, username	Yes
Contact data	Email address, phone number, mailing address	Yes (email)
Account data	Password (encrypted), settings preferences	Yes
Business data	Property name, address, business type	Yes
Communication Preferences	Marketing email preferences, preferred language	No

b) Guest Data

When you use Danahost to manage your property, you may enter customer data into the system, including:

Guest full name
Email address and phone number
National ID or passport number
Booking information (check-in/check-out dates, room type, special requests)

Important Note: National ID/passport numbers are classified as sensitive personal data under Article 2 of Decree 13/2023/ND-CP. The property owner (as Data Controller) is responsible for ensuring there is a sufficient legal basis and valid consent from guests before entering this data into the Danahost system. Danahost processes this data in its role as Data Processor in accordance with accommodation regulations.

c) Automatically Collected Information

When you access the Services, we automatically collect certain technical information:

Data Type	Details	Purpose
Log Data	IP address, browser type, operating system, access time, pages viewed	Security, technical analysis
Device data	Device model, device ID, mobile carrier, system configuration	Compatibility, technical support
Estimated location data	Country, city (based on IP address)	Language display, security
Cookies and Similar Technologies	See details in Section 6	Operations, analytics

d) Sensitive Information

e) Information from Third Parties

All information you provide must be truthful, complete, and accurate. You are responsible for notifying us of any changes.

3. LEGAL BASIS AND PROCESSING PURPOSES

In Short: We only process data when there is a valid legal basis under Decree 13/2023/ND-CP.

The table below details each processing purpose, the data types involved, and the corresponding legal basis:

Processing Purpose	Data Type	Legal Basis
Account creation and management Allowing you to register, log in, and use the Services	Identification, contact, and account data	Contract performance — Necessary to provide the Services you have subscribed to
Service delivery Operating the platform, processing bookings, channel synchronization	Account data, business data, guest data	Contract performance
Customer support Answering questions, handling requests, troubleshooting issues	Contact information, support request content	Contract performance
Service notifications Sending updates, terms changes, and maintenance alerts	Email, name	Contract performance — Essential notifications related to the Services
Security and fraud prevention Detecting unusual access, preventing abuse	Log data, IP, device data	Legitimate interest — Protecting the Services and users from security threats (*)
Analytics and service improvement Understanding how users use the platform to improve the experience	Log data, usage data (anonymized)	Legitimate interest — Improving service quality (*)
Marketing and promotions Sending emails about new features, promotional campaigns	Email, name, communication preferences	Consent — Only when you actively opt in for marketing communications
Targeted advertising Displaying ads relevant to your interests	Cookies, browsing data	Consent — Only when you accept advertising cookies (see Section 6)
Legal compliance Meeting legal, tax, and accounting requirements	Information required by competent authorities	Legal obligation

4. SHARING INFORMATION WITH THIRD PARTIES

In Short: We only share data with third parties necessary to operate the Services and always ensure appropriate safeguards are in place.

We do not sell your personal information. We may share data with the following third parties to the extent necessary:

Third Party	Purpose	Data Type	Country
Google Analytics (Google LLC)	Analyzing website traffic and usage behavior	Browsing data, cookies, IP (anonymized)	United States
OpenAI (OpenAI LLC)	Providing AI features on the platform (see Section 7)	AI feature input data	United States
Google Cloud AI (Google LLC)	Providing AI features on the platform (see Section 7)	AI feature input data	United States / Singapore
Channex	Syncing booking data with OTA channels	Booking data, guest information	See Channex's policy
OTAs (Booking.com, Airbnb, etc.)	Syncing rooms, rates, and bookings (via Channex)	Booking data, guest information	Multiple countries
Social media providers (Facebook, Google, etc.)	Social media login (if you choose to use it)	Public profile information	United States

Additionally, we may share data in the following situations:

Legal requests: When required by a competent state authority under Vietnamese law.
Business transfers: In the event of a merger, acquisition, or sale of assets, data may be transferred to the acquiring party. We will notify you before data is transferred and becomes subject to a different privacy policy.
With your consent: When you explicitly authorize sharing with a specific party.

All third parties must commit to keeping information confidential through appropriate contracts or data processing agreements.

5. CROSS-BORDER DATA TRANSFER

In Short: Some data may be processed abroad. We ensure appropriate safeguards in accordance with Decree 13/2023/ND-CP.

Your core data is stored on servers located in Vietnam. However, some data may be transferred and processed abroad when you use features involving third parties:

Service	Processing Country	Data Type	Safeguards
Google Analytics	United States	Browsing data (IP anonymized)	Google Data Processing Terms; IP anonymization
OpenAI	United States	AI input data	Data Processing Agreement (DPA); commitment not to use for training
Google Cloud AI	United States / Singapore	AI input data	Google Cloud Data Processing Terms
Channex / OTAs	Multiple countries	Booking data	Service contracts with confidentiality clauses

Under Article 25 of Decree 13/2023/ND-CP, when transferring personal data internationally, we ensure:

The data recipient commits to protecting personal data at a level equivalent to or higher than Vietnamese law;
Binding contracts or agreements on data processing and protection are in place;
Impact assessments are conducted for transfers involving sensitive data;
Data subjects are notified and consent is obtained when required by law.

6. COOKIES AND TRACKING TECHNOLOGIES

In Short: We use essential cookies to operate the Services. Analytics and advertising cookies are only activated with your consent.

We categorize cookies into the following groups:

Cookie Type	Purpose	Consent Required?
Essential cookies	Maintaining login sessions, security, basic site functionality	No (necessary for operation)
Analytics cookies	Collecting anonymized usage data via Google Analytics to improve the Services	Yes — Opt-in
Advertising cookies	Displaying relevant ads, remarketing	Yes — Opt-in

How to manage cookies:

On your first visit, a cookie banner will appear allowing you to accept or reject each type of cookie.
You can change your cookie preferences at any time in the cookie settings on our website.
You can also configure your browser to block or delete cookies. Note that blocking essential cookies may affect Service functionality.

Decline in our cookie banner;
Install the Google Analytics Opt-out Browser Add-on;
Adjust your Google Ads Settings.

Full details are provided in our Cookie Policy.

7. ARTIFICIAL INTELLIGENCE (AI) PRODUCTS

In Short: Some features use AI through third-party providers. You have the right to opt out of these features.

Danahost integrates features powered by artificial intelligence ("AI Features") through third-party service providers, including OpenAI and Google Cloud AI.

a) AI Features

Our AI Features may include: booking data analysis, room rate suggestions, automated support, and business analytics tools.

b) Data Processed by AI

When you use AI Features, input and output data will be sent to and processed by the AI provider. We commit to the following:

Not used to train AI models: Your data is not used to train or improve the provider's AI models. We use commercial APIs with commitments not to use customer data for training purposes.
Temporary retention: AI providers may retain input/output data for a short period (typically up to 30 days) for abuse detection purposes, after which it is automatically deleted.
Encryption: Data is transmitted to the AI provider over an encrypted channel (TLS 1.2+).

c) Right to Opt Out

You have the right to opt out of AI Features by:

Disabling AI features in your account settings;
Contacting us at [email protected].

Opting out will not affect other basic functionalities of the Services.

Note: You may not use AI Features in any way that violates the terms or policies of the AI provider (OpenAI: Usage Policies; Google Cloud: Acceptable Use Policy).

8. SOCIAL MEDIA LOGINS

In Short: If you log in using a social media account, we receive certain information from that provider.

The Services allow you to register and log in using your social media account (Facebook, Google, etc.). When you choose this option, we receive:

First and last name;
Email address;
Profile picture;
Other information you have set to public on the social media platform.

9. DATA RETENTION PERIOD

In Short: We retain data for the period necessary for each specific purpose.

We apply the following data retention periods:

Data Type	Retention Period	Reason
Account data	For the duration of the active account + 30 days after account deletion	Service provision; account recovery
Guest Data	Per property owner settings; max duration of active account + 30 days	Contract performance; compliance with accommodation regulations
Log data	Maximum 12 months	Security, technical analysis
Marketing data	Until you unsubscribe + 6 months	Ensuring no resends after opt-out
Customer support data	24 months from the last interaction	Providing continuous support, service improvement
Backups	Automatically deleted after 90 days	System recovery in the event of an incident
Accounting / tax data	Minimum 5 years as required by Vietnamese law	Legal obligation

10. SECURITY MEASURES

In Short: We apply various technical and organizational measures to protect your data.

We implement security measures appropriate to industry standards and in accordance with Article 26 of Decree 13/2023/ND-CP, including:

Technical Measures

Transit encryption: All data transmitted over the Internet is encrypted using TLS 1.2 or higher (HTTPS).
Storage encryption: Sensitive data (passwords, national ID/passport data) is encrypted at rest.
Passwords: Passwords are hashed using one-way algorithms; we do not store passwords in plain text.
Access control: We apply Role-Based Access Control (RBAC); only authorized personnel have access to personal data.
Monitoring: Audit logging systems are in place to detect and investigate abnormal access.
Backups: Data is regularly backed up and stored securely.

Organizational Measures

Staff training on security and personal data protection;
Restricting access to personal data on a need-to-know basis;
Periodic reviews of security measures and updates as required.

11. DATA BREACH NOTIFICATION

In Short: We commit to providing timely notification in the event of a data breach affecting you.

In the event of a data security breach, we commit to:

Notifying authorities: Informing the Ministry of Public Security (Department of Cyber Security) within 72 hours of discovering the breach, as required by Article 23 of Decree 13/2023/ND-CP.
Notifying you: If the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay via your registered email and/or in-platform notification.
Notification content: The notice will include: (i) a description of the incident; (iv) recommendations for you to protect yourself; (v) contact information for further details.

12. YOUR RIGHTS REGARDING PERSONAL DATA

In Short: You have several important rights over your personal data under Decree 13/2023/ND-CP.

Under Article 9 of Decree 13/2023/ND-CP and international data protection standards, you have the following rights:

Right	Description
Right to be informed	You have the right to know about the processing of your personal data, including the purpose, methods, and recipients.
Right to consent	You have the right to consent to or withhold consent for the processing of your personal data, except where otherwise required by law.
Right of access	You have the right to request access to and receive a copy of the personal data we hold about you.
Right to withdraw consent	You have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
Right to erasure	You have the right to request deletion of your personal data when: it is no longer necessary for the purpose for which it was collected; you withdraw consent; or it was processed unlawfully.
Right to restrict processing	You have the right to request the restriction of data processing in certain circumstances.
Right to data portability	You have the right to request that we provide your personal data in a structured, commonly used, machine-readable format.
Right to object	You have the right to object to the processing of data based on legitimate interest or for direct marketing purposes.
Right not to be subject to automated decision-making	You have the right not to be subject to a decision based solely on automated processing (including AI profiling) that significantly affects you.
Right to lodge a complaint	You have the right to lodge a complaint with the Ministry of Public Security (Department of Cyber Security and Hi-Tech Crime Prevention) if you believe the processing of your data violates the law.
Right to compensation	You have the right to claim compensation for damages if the processing of your personal data violates the law and causes harm to you.

How to Exercise Your Rights

You may exercise any of the rights above by:

Submitting a data subject access request (DSAR) online; or
Emailing us directly at [email protected].

Marketing Opt-Out

Account Deletion

13. CHILDREN'S DATA PROTECTION

In Short: The Services are not intended for individuals under 18.

Our Services are designed for property owners and business managers. We do not knowingly collect, solicit data from, or market to children under 18 years of age.

By using the Services, you confirm that you are at least 18 years old. If we discover that data has been collected from an individual under 18, we will delete it immediately.

If you discover that a child's data may have been collected, please contact us immediately at [email protected].

14. DO-NOT-TRACK (DNT) SIGNALS

There is currently no unified technical standard for browser "Do Not Track" (DNT) signals. Therefore, we do not currently respond automatically to DNT signals.

However, you can fully control tracking through our website's cookie settings (see Section 6). Analytics and advertising cookies are only activated when you give your consent.

If a DNT standard or other privacy signal mechanism (such as Global Privacy Control) becomes widely adopted in our region of operation, we will update our response policy accordingly.

15. UPDATES TO THIS POLICY

In Short: We will clearly notify you when significant changes are made.

We may update this Privacy Policy to reflect changes in our business operations, technology, or applicable law. When updates are made:

The "Last updated" date at the top of this page will change.
For material changes (expanding the scope of data collection, changing processing purposes, changing third-party recipients of data), we will:
- Send a notification to your registered email address at least 30 days before the changes take effect;
- Display a prominent notification banner on the website and within the platform;
- Request your renewed consent if the changes significantly expand the scope of data processing.

We encourage you to review this Policy regularly. Your continued use of the Services after a change takes effect constitutes your acceptance of the updated version.

16. CONTACT US

If you have questions, requests, or complaints about this Privacy Policy or how we process personal data, please contact us:

Danahost Vietnam LLC

Data Protection Officer: Nguyen Hai Quang

Address: 67 3/2 Street, Hai Chau Ward, Da Nang, Vietnam 550000

Privacy email: [email protected]

General email: [email protected]

Regarding the Data Protection Officer: Under Article 28 of Decree 13/2023/ND-CP, Danahost is in the process of formally designating a personal data protection officer/department. Contact information will be updated in this section upon completion.

To exercise your rights over personal data, you may:

Submit a data subject access request (DSAR) online; or
Email [email protected] with the subject line "[DSAR] Personal Data Request".

PRIVACY POLICY

TABLE OF CONTENTS

1. DANAHOST'S DATA PROCESSING ROLE

a) Data Controller

b) Data Processor

2. WHAT INFORMATION DO WE COLLECT?

a) Information You Provide Directly

b) Guest Data

c) Automatically Collected Information

d) Sensitive Information

e) Information from Third Parties

3. LEGAL BASIS AND PROCESSING PURPOSES

4. SHARING INFORMATION WITH THIRD PARTIES

5. CROSS-BORDER DATA TRANSFER

6. COOKIES AND TRACKING TECHNOLOGIES

7. ARTIFICIAL INTELLIGENCE (AI) PRODUCTS

a) AI Features

b) Data Processed by AI

c) Right to Opt Out

8. SOCIAL MEDIA LOGINS

9. DATA RETENTION PERIOD

10. SECURITY MEASURES

Technical Measures

Organizational Measures

11. DATA BREACH NOTIFICATION

12. YOUR RIGHTS REGARDING PERSONAL DATA

How to Exercise Your Rights

Marketing Opt-Out

Account Deletion

13. CHILDREN'S DATA PROTECTION

14. DO-NOT-TRACK (DNT) SIGNALS

15. UPDATES TO THIS POLICY

16. CONTACT US

PRIVACY POLICY

TABLE OF CONTENTS

1. DANAHOST'S DATA PROCESSING ROLE

a) Data Controller

b) Data Processor

2. WHAT INFORMATION DO WE COLLECT?

a) Information You Provide Directly

b) Guest Data

c) Automatically Collected Information

d) Sensitive Information

e) Information from Third Parties

3. LEGAL BASIS AND PROCESSING PURPOSES

4. SHARING INFORMATION WITH THIRD PARTIES

5. CROSS-BORDER DATA TRANSFER

6. COOKIES AND TRACKING TECHNOLOGIES

7. ARTIFICIAL INTELLIGENCE (AI) PRODUCTS

a) AI Features

b) Data Processed by AI

c) Right to Opt Out

8. SOCIAL MEDIA LOGINS

9. DATA RETENTION PERIOD

10. SECURITY MEASURES

Technical Measures

Organizational Measures

11. DATA BREACH NOTIFICATION

12. YOUR RIGHTS REGARDING PERSONAL DATA

How to Exercise Your Rights

Marketing Opt-Out

Account Deletion

13. CHILDREN'S DATA PROTECTION

14. DO-NOT-TRACK (DNT) SIGNALS

15. UPDATES TO THIS POLICY

16. CONTACT US

PRIVACY POLICY

TABLE OF CONTENTS

1. DANAHOST'S DATA PROCESSING ROLE

a) Data Controller

b) Data Processor

2. WHAT INFORMATION DO WE COLLECT?

a) Information You Provide Directly

b) Guest Data

c) Automatically Collected Information

d) Sensitive Information

e) Information from Third Parties

3. LEGAL BASIS AND PROCESSING PURPOSES

4. SHARING INFORMATION WITH THIRD PARTIES

5. CROSS-BORDER DATA TRANSFER