PRIVACY POLICY - MAYOGU SOCIAL NETWORK

PREAMBLE

This Privacy Policy (hereinafter referred to as the "Policy") is issued by MAYogu Joint Stock Company (hereinafter referred to as "MAYogu", "We", "Us") to publicly and transparently disclose how MAYogu collects, uses, stores, protects, and shares the information of Service Users (hereinafter referred to as "Users", "You") when using MAYogu's applications, websites, and related services (collectively referred to as the "Services").

This Policy describes in technical and operational detail how MAYogu processes Your personal data. The legal basis for processing, Your consent, and the binding rights and obligations between the two parties are regulated in the Personal Data Processing Agreement.

This Policy is an integral part of the MAYogu Social Network Service Provision and Usage Agreement.

Article 1. Information about the Data Controller and Processor

MAYogu acts as the Personal Data Controller and Processor in accordance with the Law on Personal Data Protection No. 91/2025/QH15:

• Entity Name: MAYogu Joint Stock Company
• Support Email: support@mayogu.com
• Data Protection Department: legal@mayogu.com

Article 2. Types of Data Collected

MAYogu collects and processes personal data based on the principles of minimality and necessity. Data groups are classified as follows:

2.1. Basic Personal Data

This is the fundamental information used to create, manage Accounts, and identify Users:

• Identity Information: Full name (including middle name); date of birth; gender.
• Contact Information: Primary mobile phone number registered in Vietnam; email address.
• Account Information: Username, User ID, display name, profile picture (Avatar), cover photo, and other public profile information voluntarily provided by the User.

2.2. Sensitive Personal Data

MAYogu only collects sensitive data groups when the User actively activates corresponding features:

• Behavioral Data and Usage Habits: Video watch history, viewing time, interactions (likes, comments, shares), search keywords, and following lists to operate the content recommendation system.
• Payment Data: Bank account information, linked e-wallets, and transaction history for Virtual Item top-ups – collected only when the User performs a financial transaction.
• Location Data: Device location via GPS – only when the User grants access permission.
• Biometric and Identification Data: ID card authentication (CCCD), facial images (Face Matching) – only when registering for commercial Livestreaming, eKYC authentication, or handling disputes/complaints.

Note: MAYogu does not require sensitive data for normal Account registration. MAYogu commits not to request photos/videos containing identity documents as an account authentication factor.

2.3. Automatically Collected Technical Data

The system automatically records data to maintain operations and system security:

• IP address, Device ID, device type, operating system, and telecommunications carrier.
• Relative location data (estimated from IP, not based on GPS).
• Cookies and access logs.

2.4. Data from Third Parties

• Linked Platforms: If logging in via Google/Apple, MAYogu collects basic information (name, email, avatar) that the User permits to be shared.
• Payment Partners: Transaction status confirmation data (success/failure) from App Store, Google Play, or banks.

Article 3. Purposes of Data Processing

MAYogu uses data for the following legitimate and transparent purposes:

1. Providing and Maintaining Services: Creating digital identities, managing Accounts, maintaining login sessions; verifying identity via phone numbers to grant rights for posting content, commenting, and livestreaming; connecting the community; and customer support.
2. Personalizing Experience and Automated Processing:

• Content Recommendations: The AI system analyzes watch and interaction history to organize the Newsfeed and suggest suitable community groups.
• Service Improvement: Analyzing behavioral data in anonymized form to detect bugs and upgrade quality.
• AI Algorithms: The system records interactions (views, likes, comments, shares, watch time), builds interest profiles, and matches them with the content library to propose content with the highest probability of relevance – automatically, without human intervention. Users have the right to opt-out via the "Do Not Track" option in Settings.

3. Operating the Financial Ecosystem: Processing top-ups, purchasing Virtual Items, recording balances; paying revenue to Content Creators; and tax declaration/withholding as per regulations.
4. Ensuring Security and Fraud Prevention: Enhanced authentication (eKYC); prevention of money laundering and Virtual Item purchase fraud; AI-based content moderation; and log storage for investigations at the request of State authorities.
5. Marketing and Advertising: Displaying relevant advertisements (without sharing real identities with advertisers); sending promotional notifications and events. Users have the right to opt-out of advertising in the Settings section.

Article 4. Technical Data Processing Procedures

4.1. Processing Cycle

• Collection and Recording: Directly when the User enters information or automatically recorded from the device via secure API protocols.
• Verification and Standardization: Checking validity (phone verification via OTP, email format check) before saving to the database.
• Analysis and Exploitation: Using Big Data analysis tools to aggregate behavior for content recommendations and product improvement.
• Storage: According to the periods specified in Article 7.
• Destruction: Permanent deletion using non-recoverable overwriting algorithms once the storage period expires.

4.2. AI Applications and Automated Processing

• Analyzing interaction history to rank content on the Newsfeed.
• Scanning and detecting images/videos that violate Community Standards.
• Classifying data processing risk levels using AI to apply appropriate protection measures.

Article 5. Security Measures

• Transmission and Storage Encryption: All exchanged data is protected by secure encryption protocols. Sensitive data is encrypted in storage using strong encryption algorithms.
• Access Authorization: Based on the "Need-to-Know" principle. Only authorized personnel are permitted access.
• Multi-Factor Authentication (MFA): At minimum, a password combined with an OTP code or biometric factor, consistent with the sensitivity level of the data.
• Firewalls and Continuous Monitoring: Timely detection and prevention of unauthorized intrusion behaviors.
• Periodic Audits: Assessing cybersecurity and data security to detect and fix vulnerabilities.

Article 6. Data Sharing and Transfer

MAYogu commits not to trade, sell, or rent personal data. Data is only shared in the following necessary and legal cases:

1. Operational and Technology Partners: These entities are only permitted to process data under MAYogu's direction and are bound by confidentiality agreements:

• Server Infrastructure: Stored in Vietnam, using the network infrastructure of Viettel Group.
• Telecommunications Services: Sharing phone numbers with carriers or SMS Brandname partners to send OTP codes.
• Identification Technology: eKYC partners processing ID documents and facial images.

2. Financial and Payment Partners: Transaction information and identifiers are transferred to payment gateways, banks, or e-wallets for top-up processing and reconciliation. Apple/Google handle In-App Purchase payments according to their own policies; MAYogu only receives the transaction status.
3. Competent State Authorities: MAYogu has a legal obligation to provide personal information, activity logs, and communication content upon receiving a valid written request from investigating agencies, the Procuracy, Courts, or specialized management agencies.
4. Business Transfers: In the event of a merger, acquisition, restructuring, or dissolution, data may be transferred to a new legal entity provided that the entity continues to comply with this Policy.
5. Cross-border Data Transfer: Some auxiliary processing activities (error analysis, Apple/Google push notifications) may involve international partners. MAYogu commits to fully implementing Cross-border Data Transfer Impact Assessments and submitting dossiers to specialized agencies in accordance with the Law on Personal Data Protection and Decree 356/2025/ND-CP.

Article 7. Storage Duration and Data Destruction

1. Account Data and User Content: Stored throughout the duration of the Account maintenance. Deleted or anonymized after an Account deletion request is processed, except for exceptions in clauses 7.2 and 7.3.
2. System Logs: Stored for a minimum of 02 (two) years according to Decree 147/2024/ND-CP. Stored independently with high security, only extracted when requested by State authorities.
3. Financial and Transaction Data: Stored for a minimum of 10 (ten) years according to the Law on Accounting. This data is retained even if the User deletes their Account.
4. Destruction: Digital data is permanently deleted using non-recoverable overwriting algorithms. Physical data (if any) is destroyed ensuring no leakage.

Article 8. Cookies and Automatic Collection Technologies

8.1. Technologies Used

• Cookies: Small data files that remember login information, language configurations, and display preferences.
• Device Identifiers: Advertising IDs, hardware IDs – identifying devices for security and advertising measurement.
• Third-party SDKs: Code segments from partners integrated into the App to provide supplementary functions (eKYC, social login, error analysis).
• Web Beacons/Pixel Tags: Small images embedded in the Services/emails for access statistics and campaign measurement.

8.2. Purposes

1. Authentication and Security: Maintaining login sessions, detecting unusual access, and preventing fraud.
2. Analysis and Improvement: Anonymized statistics on traffic, feature frequency, and error reporting.
3. Personalization (AI): Recording behavior for algorithms to suggest suitable content and advertisements.

8.3. User Control Rights

Users have the right to refuse or restrict Cookies through:

• Cookie refusal options on the MAYogu App/Website.
• "Limit Ad Tracking" settings in the operating system.
• Activating "Do Not Track" in the operating system settings.
• Note: Complete disabling may cause some features to function unstable.

8.4. Third-party SDKs

MAYogu may allow analytics/advertising partners to place Cookies or SDKs on the App. Their collection is governed by their respective privacy policies. MAYogu only collaborates with reputable partners complying with equivalent security standards.

Article 9. Data Breach Incident Handling

1. Timeline: No later than 72 hours from detection, MAYogu will notify affected Users and the Ministry of Public Security (Cybersecurity Department).
2. Notification Content: Nature of the incident; types of data affected; estimated number of data subjects; contact information of the data protection department; potential consequences; and measures taken or to be taken for remediation.
3. All incidents are recorded in internal files for inspection by specialized agencies.

Article 10. Personal Data Processing Impact Assessment (DPIA)

1. MAYogu conducts personal data processing impact assessments and submits dossiers to specialized agencies within 60 days from the start of processing.
2. In cases of cross-border data transfer, a separate impact assessment is performed.
3. Impact assessment dossiers are always ready for inspection by specialized agencies.

Article 11. Age Limits

1. MAYogu is intended for users aged 16 and older. We do not intentionally collect data from children under 16.
2. Prevention Measures: Date of birth confirmation upon registration; AI and human moderators reviewing profiles; ID card (CCCD) verification for sensitive features – rejection and Account blocking if under 16.
3. If data from a child is discovered due to fraudulent declaration: The Account and data will be permanently deleted without prior notice.
4. Parents/guardians who discover children under 16 providing unauthorized data: Contact support@mayogu.com to request deletion.

Article 12. Contact Information and Updates

12.1. Contact:

• Entity: Data Protection Department - MAYogu Joint Stock Company
• Email: legal@mayogu.com

12.2. Updates:

MAYogu reserves the right to modify the Policy at any time. Significant changes will be notified via the App or email. Continued use of the Services after publication signifies Your acceptance of the new content.