Privacy Policy
HMV Chatbot AI (hereafter "the Service", "we", "us") is committed to protecting the personal data of our customers (each, a "Tenant") and the end users who interact with chatbots deployed by Tenants. This policy describes how we collect, use, store, and protect personal data, in compliance with Decree 13/2023/ND-CP on Personal Data Protection of Vietnam and other applicable regulations.
1. Scope
This policy applies to every visit to and use of the website hmvapp.com, all sub-domains of the Service, and any integration with third-party messaging platforms (Facebook Messenger, Zalo OA, Web widget, Email).
2. Data we collect
2.1 From Tenants (business account owners)
- Full name, email address, and phone number of the representative
- Business name and tax code (for invoicing)
- Payment information (handled via PayOS; we do not store card numbers)
- Documents uploaded by Tenants to train chatbots (knowledge base)
2.2 From end users (customers of the Tenant)
- Messages sent to the chatbot (text, images, file attachments)
- Public display name and profile picture from Facebook / Zalo (retrieved via Graph API / Zalo API)
- Platform-issued user IDs (Facebook PSID / Zalo UID; these are opaque identifiers, not real identity)
- Email address and phone number, only if voluntarily provided by the user during the conversation (lead form)
2.3 Automatic data
- IP address, browser type, device (for security and analytics)
- Visit timestamps and pages viewed
- Session cookies (HttpOnly, Secure, SameSite=Lax only)
3. Purposes of use
- Service delivery: chatbot replying to messages, conversation history, reply suggestions for customer support staff
- AI improvement: using anonymised messages to fine-tune models (Tenants may opt out)
- Billing and invoicing
- Technical support and Tenant communications
- Security: fraud, abuse, and policy-violation detection
- Legal compliance: in response to lawful requests from competent authorities
4. Third parties
We share only the data strictly necessary with the following service providers:
- Anthropic (AI provider): message content is sent for natural language processing. Anthropic does not retain data for training under its API terms.
- Voyage AI: document embedding for Retrieval-Augmented Generation (RAG).
- Meta Platforms (Facebook): when a Tenant connects Messenger, message exchange is governed by Facebook's Data Policy.
- Zalo Group (VNG): when a Tenant connects a Zalo OA, governed by the Zalo OA Policy.
- PayOS: payment processing; does not access conversation data.
- Cloudflare / AWS / GCP: server infrastructure and CDN.
We do not sell personal data to any third party for advertising or marketing purposes.
5. Storage & security
- Passwords are hashed with bcrypt (cost factor ≥ 12); we cannot view your real password.
- Access tokens (Facebook, Zalo) are encrypted with AES-256-GCM before being written to the database.
- All web traffic uses HTTPS/TLS 1.3.
- Authentication cookies are HttpOnly + Secure + SameSite=Lax.
- The system follows a multi-tenant, schema-per-tenant architecture: each Tenant's data is isolated in its own PostgreSQL schema.
- Two-factor authentication (2FA) is supported for admin accounts.
- An audit log records every sensitive operation (login, permission change, data deletion).
6. Retention periods
- Conversations: per the Tenant's plan (default 90 days; Enterprise plans may customise).
- Login audit log: 90 days, then auto-pruned.
- Invoices: 5 years (per Vietnamese accounting law).
- Deleted accounts: personal data is anonymised within 30 days.
7. Your rights
Under Decree 13/2023/ND-CP, you have the following rights:
- Right to be informed about what data is being processed.
- Right of access to your data (export available from the admin account).
- Right to rectification of inaccurate information.
- Right to erasure of your account and related data (request via email at privacy@hmvapp.com).
- Right to restrict processing in case of a dispute.
- Right to object to processing for marketing purposes.
- Right to lodge a complaint with the competent authority if we have breached our obligations.
8. Cookies
We use only essential cookies:
- session: keeps you signed in (HttpOnly, Secure, expires after 8 hours).
- zalo_oauth_state, fb_oauth_state: CSRF protection for OAuth flows (10 minutes).
We do not use third-party advertising tracking cookies.
9. Children
The Service is not designed for users under the age of 16. If we discover an account belonging to a minor, we will delete it immediately. Tenants are responsible for complying with child protection regulations when using the Service in products targeting minors.
10. Changes to this policy
We may update this policy from time to time. Material changes will be communicated to Tenants by email at least 30 days before they take effect. The most recent version is always published on this page with the update date at the top.
11. Contact
For any questions about this policy, please contact:
- Data deletion / DPO email: privacy@hmvapp.com
- General email: support@hmvapp.com
- Hotline: +84 24 5678 9012
- Address: N&D EDU GROUP, Hanoi, Vietnam
This English version is provided for convenience and for compliance review by international partners (e.g. Meta Platforms, Google). The Vietnamese version is the canonical text for users residing in Vietnam.