LohasaleLohasale

Privacy Policy

Last updated: April 18, 2026

Compliant with Decree 13/2023/ND-CP on Personal Data Protection and Cybersecurity Law 2018

1. Data Controller Information

  • Company: Lohasale Co., Ltd.
  • Business registration: [To be updated upon registration]
  • Address: Ha Dong, Hanoi, Vietnam
  • Legal representative: [To be updated]
  • Privacy email: privacy@lohasale.com
  • Hotline: 0399 692 275

2. Data Collection Scope

2.1 Information You provide directly

  • Full name, email, phone number, company name during registration
  • Payment information (we do not store credit card numbers — processed via PCI DSS-certified third-party payment gateways)
  • Product documents, FAQs, price lists uploaded to the Knowledge Base
  • Chatbot configuration: bot name, tone, system prompt, welcome message

2.2 Information collected automatically

  • Conversation content between chatbot and end users (stored in Customer's system)
  • Channel credentials: Zalo OA, Facebook Page, Telegram Bot tokens/API keys (encrypted with AES-256-GCM)
  • Usage data: message count, AI tokens used, response time
  • Technical information: IP address, browser type, operating system, pages visited

2.3 Information from third-party platforms

When Customers connect channels (Zalo, Facebook, Telegram), we receive information from these platforms within the scope of permissions granted by the Customer (e.g., user IDs, messages sent to Page/OA). We only process information necessary to provide the Service.

3. Purpose of Collection

  • Service delivery: Operating the AI chatbot, processing and responding to customer messages
  • Account management: Identity verification, access control, account security
  • Billing: Transaction processing, invoice generation, plan management
  • Technical support: Issue resolution, support request handling
  • Quality improvement: Anonymized usage analytics to enhance the Service
  • Communications: Service notifications, feature updates, security alerts. No marketing without consent
  • Legal compliance: Accounting, tax and reporting obligations as required by authorities

4. Legal Basis for Processing

Per Decree 13/2023/ND-CP, we process personal data based on:

  • Consent: When You register and accept the Terms of Service
  • Contractual necessity: To provide the Service per your selected plan
  • Legal obligation: Compliance with requests from competent authorities
  • Legitimate interest: Protecting system security, preventing fraud and abuse

5. Data Retention Period

  • During active use: Data is retained while the Account remains active
  • After termination: Data is kept for 30 days for Customer export, then permanently deleted
  • Payment data: Retained for 5 years per accounting and tax regulations
  • System logs: Automatically deleted after 90 days

6. Data Security

We implement technical and organizational security measures including:

  • Encryption: AES-256-GCM for sensitive information (channel credentials), TLS 1.3 for data in transit
  • Authentication: Time-limited JWT tokens, bcrypt password hashing
  • Data isolation: Multi-tenant architecture ensuring complete data separation per business
  • Access control: Role-based permissions (Super Admin / Tenant Admin), only authorized personnel access data
  • Backups: Daily encrypted backups
  • Monitoring: Anomaly detection with automatic alerts for suspicious activity

7. No Data Sales Commitment

Lohasale commits to NEVER sell, trade, lease or transfer personal data of Customers and end users to any third party for commercial purposes.

8. Third-Party Data Sharing

We only share information in the following cases:

  • Service providers: Google AI (language processing), hosting providers (data storage), payment gateways — all with Data Processing Agreements (DPA) and security compliance
  • Integration platforms: Facebook, Zalo, Telegram — only as necessary to send/receive messages per Customer request
  • Legal requirements: When required by competent government authorities pursuant to law
  • Rights protection: When necessary to protect the rights, property or safety of Lohasale, Customers or the public

We do NOT share information for third-party advertising or marketing purposes.

9. Cross-Border Data Transfers

Per Decree 13/2023/ND-CP and the Cybersecurity Law 2018:

  • Personal data of Vietnamese users is stored on servers located in Vietnam or regions with equivalent data protection
  • When using Google AI services (located outside Vietnam), only anonymized conversation content is sent for language processing — no personally identifiable information
  • Any cross-border transfers undergo impact assessment and require data subject consent

10. Data Subject Rights

Per Decree 13/2023/ND-CP, You have the right to:

  • Access: View personal data we store about You
  • Correction: Request modification of inaccurate or incomplete information
  • Deletion: Request personal data deletion (except where legally required to retain)
  • Restriction: Request limiting data processing in certain circumstances
  • Objection: Object to processing for direct marketing purposes
  • Portability: Request a copy of your data in structured format (JSON, CSV)
  • Consent withdrawal: Withdraw processing consent at any time
  • Complaint: File complaints with competent data protection authorities

To exercise these rights, contact: privacy@lohasale.com. We will respond within 15 business days.

11. How to Delete Your Data

  • Log in to Dashboard → Settings → Delete Account
  • Or email privacy@lohasale.com with subject “Data Deletion Request”
  • We confirm receipt within 24 hours and complete deletion within 30 days
  • Deletion is irreversible

12. Cookies and Tracking Technologies

  • Essential cookies: Required for website and Service operation (login, session security)
  • Analytics cookies: Help us understand Service usage to improve experience (Google Analytics with IP anonymization enabled)
  • You can disable non-essential cookies via browser settings. Disabling essential cookies may affect Service functionality

13. Children's Privacy

Lohasale is not directed at individuals under 18. We do not knowingly collect personal data from children. If we discover data was collected from a minor without parental/guardian consent, we will delete it immediately.

14. Mergers and Transfers

If Lohasale is involved in a merger, acquisition or asset sale, personal data may be transferred to the successor. We will notify Customers at least 30 days in advance, and Customers have the right to delete their data before transfer.

15. Policy Changes

We may update this Privacy Policy from time to time. Material changes will be communicated via registered email at least 30 days in advance. The latest version is always available on our website. Continued use of the Service after changes take effect constitutes acceptance.

16. Privacy Contact

For questions, requests or complaints about data privacy:

  • Company: Lohasale Co., Ltd.
  • Privacy email: privacy@lohasale.com
  • General email: hello@lohasale.com
  • Hotline: 0399 692 275
  • Address: Ha Dong, Hanoi, Vietnam
  • Response time: Within 15 business days