NOTICE AND AGREEMENT ON THE PROCESSING OF PERSONAL DATA AND RULES FOR THE PROTECTION OF CONSUMER INFORMATION

SECTION 1: NOTICE AND AGREEMENT ON THE PROCESSING OF PERSONAL DATA

This Personal Data Processing Notice and Agreement (“Notice”) establishes an agreement between the Company and the Personal Data Subject regarding the Processing of Personal Data by the Personal Data Subject in accordance with the applicable Personal Data Protection Laws.

To ensure their rights, Personal Data Subjects should carefully read the following contents. The Company will proactively update the content of the Notice to reflect any changes and will regain the consent of the Personal Data Subject where required by law.

1. Definition:

The capitalized letters in this Notice shall have the following meanings:

(a) Personal Data: means digital data or other forms of information that identify or help identify a specific person, including: Basic Personal Data and Sensitive Personal Data. Personal Data after de-identification is no longer Personal Data.

(b) Processing of Personal Data: means an activity that affects Personal Data, including one or more of the following activities: collection, analysis, aggregation, encryption, decryption, correction, deletion, destruction, de-identification, provision, disclosure, transfer of Personal Data and other activities that affect Personal Data.

(d) Personal Data Controller: means the agency, organization or individual that decides the purposes and means of processing Personal Data.

(e) Controller and Processor of Personal Data: means an agency, organization or individual that decides the purpose, means and directly processes Personal Data.

In the event that the Personal Data Protection Law provides differently for capitalized letters in this Item 1, the meaning of such capital letters shall be construed in accordance with the respective provisions.

2. Types of Personal Data to be processed:

Unless otherwise provided for by law, the types of Personal Data of Personal Data Subjects that the Company collects in part or in full, include:

2.1 Basic Personal Data:

(a) Full name, middle name and birth name, other names (if any);

(b) Date of birth; date of death or disappearance;

(d) Place of birth, place of birth registration, place of permanent residence registration, place of temporary residence registration, current residence, hometown, contact address;

(e) Nationality;

(f) Images of individuals;

(g) Telephone number; personal identification number, passport number;

(h) Driver’s license number, license plate number;

(i) Marital status;

(j) Information about family relationships (parents, children, spouses);

(k) Information about the individual’s digital account;

(l) Email address;

(m) Identity card number, identity card number, citizen identification number, personal tax identification number;

(n) Information about guardians, dependents, representatives, authorized persons, members, number of family members, relatives and other related persons;

(o) Date, month, year of issuance, place of issuance of identity cards, citizen identity cards, people’s identity cards or personal legal papers of similar nature;

(p) Information about occupations and fields of work;

(q) Personal titles on social networking platforms;

(r) Other information that is associated with a specific person or helps to identify a specific person that is not Sensitive Personal Data;

(s) Other basic Personal Data as required by law from time to time.

2.2 Sensitive Personal Data:

(a) Data revealing racial and ethnic origins;

(b) Views on politics, religion and belief;

(d) Health status;

(e) Biometric data, genetic characteristics;

(f) Data revealing the sex life and sexual orientation of individuals;

(g) Data on crimes and violations of law collected and stored by law enforcement agencies;

(h) The individual’s location is determined through location services;

(i) Information on usernames and passwords to access electronic identification accounts of individuals; images of identity cards, citizen identity cards, identity cards;

(j) Bank card information, data on the transaction history of bank accounts with the Company;

(k) Financial and credit information and information on activities and history of financial, securities and insurance transactions of customers at credit institutions, foreign bank branches, payment intermediary service providers, securities, insurance, and other licensed organizations;

(l) Data to track behaviors and activities of using telecommunications services, social networks, online communication services and other services in cyberspace;

(m) Personal Data reflects activities and history of activities in cyberspace such as:

(i) data related to the Company’s websites or applications;
(ii) technical data (such as device type, operating system, browser type, browser settings, IP address, language settings, date and time of connection to the Company’s website or application, access source, frequency statistics, time spent on the Company’s website or application, other technical communications);
(iii) account data, usernames, passwords, information and login history, access and logout of the Company’s website or application; login status, session history, authentication method, as well as activities related to security and account management on the Company’s website or application;
(iv) data on the use of the Company’s website or application;
(v) cookies, technologies equivalent to cookies (which are small data files stored on the user’s device when visiting the Company’s website or application);
(vi) clickstreams, scrolling pages on the Company’s website or application;
(vii) channel viewing history, VOD (video on demand) and related data such as viewing time, frequency, content watched, interactions with the content and other Personal Data reflecting activities and activity history in cyberspace;

(n) Bank account number, personal income;

(o) History, frequency, time and location of shops to shop for goods, use of services, cash value, invoice value at the Company or at the Company’s partners;

(p) History and frequency of accumulation, point redemption, gift redemption, vouchers, service vouchers, vouchers, vouchers;

(q) The type of goods and services that are interested, loved, regularly purchased and used;

(r) Information related to the use of payment intermediary services;

(s) Photos of passports, driver’s licenses;

(t) Status and results of authentication of biometric data, genetic characteristics;

(u) Other Personal Data that is required by law to be kept confidential or requires strict security measures;

(v) Other Sensitive Personal Data as required by law from time to time.

3. Purposes of Processing Personal Data:

The Personal Data referred to in Item 2 of this Notice may be processed for the following purposes:

3.1. Purposes necessary to ensure the interests of the Data Subject:

(a) Contacting and checking the information of the Personal Data Subject, assessing the ability to provide goods and services to the Personal Data Subject; conduct quotations, conclude purchase orders, contracts and related documents with the Personal Data Subject or the Personal Data Subject’s legal representative;

(b) Exercising the rights and obligations arising from transactions with Personal Data Subjects in order to provide goods and services to Personal Data Subjects such as: providing; delivery; installation; payment; issuing invoices; exchange, refund; collating data with relevant partners; and other rights and obligations as prescribed by law, as agreed between the Company and the Personal Data Subject from time to time;

(c) Organizing and managing sales promotion activities, fairs, trade exhibitions, displaying and introducing goods such as: receiving registration from Personal Data Subjects, announcing results, awarding prizes, reporting to state agencies (if any), exercising other rights and obligations as prescribed by law, as agreed between the Company and the Personal Data Subject from time to time;

(d) Facilitate the Personal Data Subject to access, register and use features on the Company’s website and application; authenticate, control the access and management of the Personal Data Subject’s account on the Company’s website and application; carry out e-commerce activities on the Company’s website and application;

(e) Provision of available services and facilities (such as lockers; lending of wheelchairs, baby strollers; self-service services, etc.) at the Company’s business locations from time to time;

(f) Taking care of, communicating and responding to questions, requests or complaints from Personal Data Subjects; taking necessary support measures to resolve incidents arising in relation to questions, requests or complaints from Personal Data Subjects; receiving and handling assets, documents that are forgotten or dropped at the Company’s business locations;

(g) Analysis, synthesis, storage, reporting, statistics for business and operation activities; measuring and evaluating reality to build business development strategies as well as improve the quality of the Company’s goods and services, improve the quality of goods and services, activities, membership programs, promotions, and events of the Company in order to bring a better experience within the scope of compliance with the provisions of law.

(h) Perform the Company’s obligations in accordance with the law and at the request of state agencies, such as regulations on inspection, examination, auditing, statistics, reporting, finance, accounting and taxation, prevention of money laundering and or in accordance with other relevant legal regulations or at the request of competent state agencies.

3.2. Advertising purpose:

Carrying out activities that are considered advertising in accordance with the law, marketing support services. Accordingly, depending on each activity, the Company is sent and the Personal Data Subject receives information with appropriate content, method, form and frequency as follows:

(a) Content:
- (i)1. the contents of the introduction of the Company and its partners;
- (i)2. Introduction to:
  - products, goods, services provided by the Company, its partners,
  - activities and events organized by the Company, its partners
- which are considered advertising content in accordance with the provisions of law;
(b) Methods: The Company may choose from methods such as sending SMS, MMS; sending emails; making phone calls; sending messages, sending notifications through social networking sites; sending notifications through features on the Company’s websites and applications; or by other methods in accordance with the law;
(c) Form: send to the Personal Data Subject via device, electronic means or other forms in accordance with the law;
(d) Frequency: not exceeding the maximum level (if any) as prescribed by law.

4. Means of processing personal data:

The Company uses appropriate means to Process the Personal Data of the Personal Data of the Personal Data Subject such as:

(a) Electronic media (digital): Software systems, applications, websites, server systems, cloud computing;

(b) Physical means: Computers, telephones, hard drives, memory cards, scanning devices, audio and video recording devices;

(d) Other necessary and appropriate means are not contrary to the provisions of law.

5. Correction of Personal Data:

(a) The Personal Data Subject may access and edit some of his/her Personal Data displayed on the Company’s website or application (note: only applicable to Personal Data fields with self-correction feature);

(b) With respect to Personal Data that the Personal Data Subject cannot correct by itself, the Personal Data Subject has the right to request the Company to correct the Personal Data in accordance with the law.

6. Deletion and destruction of personal data:

(a) Personal Data will be deleted and destroyed in accordance with the provisions of law;

(b) Unless otherwise provided for by law, the Company will actively delete and destroy Personal Data when necessary to ensure appropriate and secure data management.

7. Other activities in the Processing of Personal Data:

(a) Unless otherwise provided for by law, the Company will store, access, retrieve, connect, coordinate, confirm, authenticate Personal Data and other activities that affect Personal Data in accordance with the agreed purposes;

(b) The storage, access, retrieval, connection, coordination, confirmation, authentication of Personal Data and other activities affecting Personal Data shall be carried out in accordance with the provisions of law and in forms suitable to the Company’s activities.

8. Protection of Personal Data of children, persons who have lost or have limited capacity for civil acts, persons with difficulties in cognition and control of behaviors:

(a) The Company does not proactively collect or process any Personal Data of children, persons who have lost or limited their capacity for civil acts, persons with cognitive difficulties or control behavior (hereinafter collectively referred to as “Persons”) without the consent of the legal representative of the Representative.

(b) In the case of a Personal Data Subject: (i) providing the Personal Data of the Person Represented to the Company; and (ii) on behalf of exercising the rights of the Represented Person, the Personal Data Subject ensures that the Personal Data Subject is the legal representative of the Represented Person.

9. Provision and transfer of Personal Data:

Depending on the case, the Company may provide and transfer Personal Data within the territory of Vietnam or abroad as follows:

(a) provide the Personal Data of the Personal Data Subject to the Personal Data Subject and/or other agencies, organizations and individuals when the Personal Data Subject requests in accordance with the provisions of law and within the scope and ability of the Company to provide it;

(b) transfer and provide Personal Data for further processing of personal data:

(i) in case of division, separation, merger, consolidation or termination of the Company’s operations;
(ii) for units and organizations established on the basis of the termination of the Company’s operation;
(iii) when carrying out other activities in accordance with the law on investment and business;

(c) transfer and provide Personal Data to Personal Data processors, third parties to process Personal Data in accordance with regulations;

(d) transfer and provide Personal Data at the request of competent state agencies;

(e) transfer and provide Personal Data to related parties, affiliates of the Company, parties directly or indirectly related to the Company, member companies of the AEON Group;

(f) transfer and provide Personal Data to: (i) partners providing products, goods, services, infrastructure, information technology solutions, cloud computing; (ii) agents; (iii) business cooperation partners; (iv) consultants, consultants, auditors, lawyers.

Parties to whom the Company provides Personal Data and recipients of Personal Data transfer are responsible for processing Personal Data and protecting Personal Data in accordance with the law; agreements and contracts with the Company.

10. Disclosure of Personal Data:

The Company may disclose Personal Data in appropriate forms in accordance with the law in necessary cases to ensure the safety of assets, health, life, legitimate rights and interests of the Data Subject or assist in the search for relatives, documents, etc neglected or lost objects.

11. Personal Data Controller, Controller and Processor of Personal Data:

(a) As the case may be, AEON Vietnam Co., Ltd. may be the Controller of Personal Data or the Controller and Processor of Personal Data;

(b) For Personal Data of Personal Data Subjects who are members of the WAON membership point program: AEON Vietnam Co., Ltd. is the Controller and Processor of Personal Data; at the same time, ACS Vietnam Trading Co., Ltd. is also the Controller and Processor of Personal Data where permitted by law.

AEON Vietnam Co., Ltd. and ACS Vietnam Trading Co., Ltd. are collectively referred to as the “Company” in this Notice.

12. Rights and obligations of Personal Data Subjects:

12.1 Customer’s Rights:

(a) Be informed about the processing of Personal Data.

(b) Consent or disagreement, request withdrawal of consent to the processing of Personal Data.

(d) Request the provision, erasure, restriction of the processing of Personal Data; submit a request to object to the processing of Personal Data.

(e) Complaints, denunciations, lawsuits, claims for compensation for damage in accordance with law.

(f) Request competent authorities or agencies, organizations and individuals related to the processing of Personal Data to take measures and solutions to protect their Personal Data in accordance with the provisions of law.

(g) Other rights as prescribed by law.

12.2 Obligations of the Client:

(a) Protect your Personal Data yourself.

(b) Respect and protect the Personal Data of others.

(c) Provide fully and accurately his/her Personal Data in accordance with the law, under a contract or when agreeing to consent to the processing of his/her Personal Data.

(d) Comply with the law on the protection of Personal Data and participate in the prevention and control of Personal Data infringement activities.

(e) Other obligations as prescribed by law.

12.3 Personal Data Subjects in exercising their rights and obligations must fully comply with the following principles:

(a) Comply with the provisions of law; comply with the obligations of the Personal Data Subject. The exercise of the rights and obligations of the Personal Data Subject must be aimed at protecting the legitimate rights and interests of such Personal Data Subject;

(b) Not to cause difficulties or obstruct the exercise of legal rights and obligations of the Personal Data Controller, the Controller and Processor of Personal Data, and the Personal Data Processor;

(c) It must not infringe upon the legitimate rights and interests of the State, other agencies, organizations and individuals.

13. Contact information:

In the event that the Personal Data Subject: (i) has any questions about the Processing of Personal Data in relation to the Personal Data Subject; or (ii) have a request to exercise the rights of the Personal Data Subject, please contact the following information:

AEON Vietnam Co., Ltd.
Head office address: No. 30 Tan Thang Street, Tan Son Nhi Ward, Ho Chi Minh City.
Phone: 1800-888-886
Email Box: contact@aeon.com.vn

In the event that the Personal Data Subject: (i) has any questions about the Processing of Personal Data in relation to the Personal Data Subject; or (ii) there is a request to exercise the rights of the Personal Data Subject in relation to the WAON membership points program, the Personal Data Subject may also contact:

ACS Vietnam Trading Co., Ltd.
Address: No. 246 Cong Quynh Street, Ben Thanh Ward, Ho Chi Minh City.
Phone: 19005150, Ext. 2
Email Box: waonpoint.support@acsvietnam.com.vn

or according to the information published by ACS Vietnam Trading Co., Ltd. within the scope of the WAON membership point program from time to time.

14. When the Notice applies:

This Notice is effective as of May 10, 2026.

SECTION 2: RULES FOR THE PROTECTION OF CONSUMER INFORMATION

This Consumer Information Protection Rules (“Rules”) are formulated by AEON Vietnam Co., Ltd. (the “Company”) in accordance with the current Law on Consumer Rights Protection.

To ensure the rights, Consumers should carefully read the following contents. The Company will proactively update the content of the Rules to reflect any changes and will regain the Consumer’s consent if required by law.

1. Definition:

The capitalized letters in these Rules shall have the following meanings:
(a) Consumer: means a person who buys and uses products, goods and services for the purpose of consumption and daily life of individuals, families, agencies, organizations and not for commercial purposes.

(b) Consumer Information: includes personal information of consumers, information about the process of purchasing and using products, goods and services of consumers and other information related to transactions between consumers and business organizations and individuals.

In the event that the Law on Protection of Consumer Rights contains different provisions on capitalized letters in this Section 1, the meaning of such capital letters shall be construed in accordance with the corresponding provisions.

2. Scope of Consumer Information Collection:

Unless otherwise provided for by law, the scope of collection of Consumer Information includes part or all of the following information:

2.1 The scope of Essential Consumer Information provides:

2.1.1. Basic Personal Data:
(a) Full name, middle name and birth name, other names (if any);

(b) Date of birth; date of death or disappearance;

(d) Place of birth, place of birth registration, place of permanent residence registration, place of temporary residence registration, current residence, hometown, contact address;

(e) Nationality;

(f) Images of individuals;

(g) Phone number; personal identification number, passport number;

(h) Driver’s license number, license plate number;

(i) Marital status;

(j) Information about family relationships (parents, children, spouses);

(k) Information about the individual’s digital account;

(l) Email address;

(m) Identity card number, identity number, citizen identification number, personal tax identification number;

(n) Information about guardians, dependents, representatives, authorized persons, members, number of family members, relatives and other related persons;

(o) Information about occupations and fields of work;

(p) Personal titles on social media platforms.

2.1.2. Sensitive Personal Data:
(a) Health status;

(b) Biometric data, genetic characteristics;

(d) Bank card information, data on the transaction history of bank accounts with the Company;

(e) Financial and credit information and information on activities and history of financial, securities and insurance transactions of customers at credit institutions, foreign bank branches, payment intermediary service providers, securities, insurance, and other licensed organizations;

(f) History, frequency, time and location of shops to shop for goods, use of services, cash value, invoice value at the Company or at the Company’s partners;

(g) History and frequency of accumulation, point redemption, gift redemption, vouchers, service vouchers, vouchers, vouchers;

(h) The type of goods and services that are interested, loved, regularly purchased and used;

(i) Information related to the use of payment intermediary services;

(j) Photos of passports, driver’s licenses;

(k) Status and results of authentication of biometric data, genetic characteristics;

(l) Bank account number, personal income;

(m) Personal data reflects activities and history of activities in cyberspace such as:

(i) Data related to the Company’s websites or applications;
(ii) technical data (such as device type, operating system, browser type, browser settings, IP address, language settings, date and time of connection to the Company’s website or application, access source, frequency statistics, time spent on the Company’s website or application, other technical communications);
(iii) account data, usernames, passwords, information and login history, access and logout of the Company’s website or application; login status, session history, authentication method, as well as activities related to security and account management on the Company’s website or application;
(iv) data on the use of the Company’s website or application.

2.2. The scope of Consumer Information provided to enhance the experience:

2.2.1.Basic Personal Data:
(a) Date, month, year of issuance, place of issuance of identity cards, citizen identity cards, people’s identity cards or personal legal papers of similar nature;

(b) Other information that is associated with a specific person or helps identify a specific person that is not sensitive personal data;

2.2.2.Sensitive Personal Data:
(a) Data revealing racial and ethnic origins;

(b) Views on politics, religion and belief;

(d) Data revealing the sex life and sexual orientation of individuals;

(e) Data on crimes and violations of law collected and stored by law enforcement agencies;

(f) Information on usernames and passwords to access electronic identification accounts of individuals; images of identity cards, citizen identity cards, identity cards;

(g) Data to track behaviors and activities of using telecommunications services, social networks, online communication services and other services in cyberspace;

(h) Personal data reflects activities and history of activities in cyberspace such as:

(i) cookies, technologies equivalent to cookies (which are small data files stored on the user’s device when visiting the Company’s website or application);
(ii) clickstreams, scrolling pages on the Company’s website or application;
(iii) channel viewing history, VOD (video on demand) and related data such as viewing time, frequency, content watched, interactions with content and personal data reflecting activities and other cyberspace activity history.

(i) Other personal data that is required by law to be kept confidential or requires strict security measures;

(j) Other sensitive personal data as required by law from time to time.

3 Purpose of collection, use, scope of use of Consumer Information:

Consumer Information is collected and used for the following purposes and scope:

3.1 Necessary purposes to ensure the interests of Consumers:

(a) Contact, check Consumer Information, assess the ability to provide goods and services to Consumers; conduct quotations, conclude purchase orders, contracts and related documents with Consumers or their legal representatives;

(b) Exercise the rights and obligations arising from transactions with Consumers in order to provide goods and services to Consumers such as: providing; delivery; installation; payment; issuing invoices; exchange, refund; collating data with relevant partners; and other rights and obligations as prescribed by law, as agreed between the Company and the Consumer from time to time;

(c) Organizing and managing sales promotion activities, fairs, trade exhibitions, displaying and introducing goods such as: receiving registration from consumers, announcing results, awarding prizes, reporting to state agencies (if any), exercising other rights and obligations as prescribed by law, as agreed between the Company and the Consumer from time to time;

(d) create conditions for Consumers to access, register and use features on the Company’s website and application; authenticate, control the Consumer’s access and account management on the Company’s website and application; carry out e-commerce activities on the Company’s website and application;

(e) Provision of available services and utilities (such as lockers; lending of wheelchairs, baby strollers; self-service services, etc.) at the Company’s business locations from time to time;

(f) Taking care of, communicating and responding to questions, requests or complaints from Consumers; take necessary support measures to resolve incidents arising in relation to questions, requests or complaints from Consumers; receive and handle assets and papers that are forgotten or dropped at the Company’s business locations;

(g) Analysis, synthesis, storage, reporting, statistics for business and operation activities; measuring and evaluating reality to develop business development strategies as well as improve the quality of the Company’s goods and services, improve the quality of goods and services, activities, membership programs, promotions, and events of the Company in order to bring a better experience within the scope of compliance with the provisions of law;

3.2 Advertising purpose:

Carrying out activities considered as advertising in accordance with the law, services supporting marketing activities, introducing products, goods, services and other activities of a commercial nature.

3.3 Sharing, disclosing and transferring Consumer Information to third parties:

(a) Depending on each case, the Company may share, disclose and transfer Consumer Information within the territory of Vietnam or abroad as follows:

(i) Sharing and disclosing Consumer’s own Consumer Information to Consumers and/or other agencies, organizations and individuals when the Consumer requests in accordance with the provisions of law and within the scope and ability of the Company.
(ii) Sharing, disclosing and transferring Consumer Information for further processing: (ii.1) in case of division, separation, merger, consolidation or termination of the Company’s operations; (ii.2) for units and organizations established on the basis of the termination of the Company’s operations; (ii.3) when carrying out other activities in accordance with the provisions of the law on investment and business.

(b) Sharing, disclosing, transferring Consumer Information to authorized parties and third parties to collect, store, use, edit, update, and cancel Consumer Information;

(d) Sharing, disclosing and transferring Consumer Information to related parties, affiliates of Mr. Ty, parties who have direct or indirect relations with the Company, member companies of AEON Group;

(e) Sharing, disclosing and transferring Consumer Information to: (i) partners providing products, goods, services, infrastructure, information technology solutions, cloud computing; (ii) agents; (iii) business cooperation partners; (iv) consultants, consultants, auditors, lawyers.

The parties shared by the Company, disclosed the Consumer’s Information, received the transfer of the Consumer’s Information are responsible for collecting, storing, using, editing, updating, canceling the Consumer’s Information, protecting the Consumer’s Information in accordance with the law; agreement, contract with the Company.

4. Retention period of Consumer Information:

The Company will store Consumer Information for the period necessary to fulfill the purposes, scope of collection and use of Consumer Information stated in this Rule. Unless otherwise provided for by law, the Company will proactively delete and destroy Consumer Information when necessary to ensure appropriate and safe data management.

5. The Company may by itself or authorize or hire a third party to collect, store, use, edit, update, or destroy Consumer Information in accordance with the law.

6. Measures to protect information and ensure the security of Consumers’ information:

In order to protect information and ensure the security of Consumers’ Information, the Company will apply the following measures:

(a) Appoint personnel or departments in charge of information protection and ensure the security of Consumers’ information;

(b) Develop policies, processes, regulations, and forms to comply with legal regulations on consumer information protection;

(c) Apply necessary technical measures to protect information and ensure the security of Consumers’ Information in accordance with the provisions of law.

7. Contact information:

In case the Consumer: (i) has any questions or concerns about the collection, storage, use, correction, update, cancellation of the Consumer’s Information related to the Consumer; or (ii) have a request to exercise the rights of the Consumer, please contact the following information:

AEON Vietnam Co., Ltd.
Head office address: No. 30 Tan Thang Street, Tan Son Nhi Ward, Ho Chi Minh City.
Phone: 1800-888-886
Email Box: contact@aeon.com.vn

8. When the Rules apply:

This Rule applies as of May 10, 2026.