Your privacy is important to us at X-Border. We are committed to protecting personal data that we receive when we provide our services. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our services.

The terms and conditions of the Personal Data Protection Policy displayed below (hereinafter referred to as the "Data Protection Policy" or "Policy") set out the terms and conditions agreed upon by and between Money X-Border Co., Ltd (hereinafter referred to as "X-Border", or the "Company") and the Service Users (hereinafter referred to as the "Users" or "User") - meaning individuals, organizations, individual business households, and enterprises established in accordance with business law that access and use X-Border's Services through X-Border's Website/app, email, social networks, or other methods - regarding the use of the services provided by the Company (hereinafter referred to as the "Service" or "Services"). This Data Protection Policy is as binding as a signed agreement between X-Border and the Users with corresponding terms. By clicking the consent checkbox when creating an account, the Users has agreed to all contents of the Data Protection Policy, has read, understood, and fully agrees with the contents of the Policy as follows:

1. Definition of Terms

Service is understood as the data collection and processing support service provided by X-Border to the Users for payment support purposes and under the authorization of the PAU.

Website/app means the electronic information page and other electronic information pages used by X-Border to maintain, provide, and operate the Service, or related to the Service provided to the Users.

Partner is understood as a unit that cooperates with X-Border in providing the Service.

Personal Data is information in the form of symbols, text, numbers, images, sounds, or similar forms in an electronic environment associated with a specific person or helping to identify a specific person. Personal Data includes basic personal data and sensitive personal data.

Personal Data Processing means one or more activities affecting Personal Data, such as collecting, recording, analyzing, confirming, storing, editing, disclosing, combining, accessing, retrieving, revoking, encrypting, decrypting, copying, sharing, transmitting, providing, transferring, deleting, destroying Personal Data, or other related actions.

Know Your Customer/Know Your Business (KYC/KYB) means the process of verifying a customer's or business's identity through personal information and documentation to comply with legal and regulatory requirements.

X-Border, is one of the commercial brands of Money X-Border Co., Ltd.

2. Purpose and Scope of Application

2.1. Purpose

This Policy aims to ensure that X-Border fully fulfills its responsibility to protect the personal data of Users, provided by Users, Partners, and employees in accordance with the law, specifically Decree 356/2025/ND-CP on personal data protection. The objectives include:

• Ensuring the confidentiality, integrity, and availability of personal data.
• Ensuring that the collection, processing, storage, and sharing of data are carried out in a transparent, lawful, and responsible manner.

X-Border collects and processes the User's Personal Data to provide the best Service, as well as to maintain and improve the quality and security of the Service, in order to best protect the interests of both the Company and the Users. The information that the Company receives and collects from Users will play an important role in improving the Service and website, as well as providing the Company with a source of information and customer concerns so that X-Border can develop and update features and utilities suitable for the needs of the Users and/or to comply with legal obligations, including but not limited to, law on Anti-Money Laundering, Counter-Terrorist Financing, and reporting requirements to competent authorities.

2.2. Subjects of Application

This Policy applies to all Users, the personal data of Users, and all officials, employees, Partners, and related parties of X-Border.

X-Border acts, depending on the context, as the Personal Data Controller, Personal Data Processor, Personal Data Controller and Processor, and/or a Third Party with respect to the personal data that Partner collects from the Users or collects during the course of X-Border providing the Service.

2.3. Scope of Application

This Policy applies to:

• The types of data, information, and methods by which X-Border collects them.
• All activities of collecting, processing, storing, transmitting, using, and other information performed by Partner during the User's access and use of the Service that involves sharing personal data related to the Users, employees, and related parties.

2.4 Principles of Personal Data Protection

X-Border is committed to adhering to the following fundamental principles:

• Lawfulness, Fairness, and Transparency: The collection and processing of personal data must have a legal basis or the valid consent of the data subject. Information regarding the purpose of data use must be clearly communicated.

• Purpose Limitation: Data shall only be collected, processed, and used for the purposes that have been identified and communicated to the data subject in advance. Any use outside the original purpose must be notified and receive consent from the data subject.

• Data Minimization: Only personal data necessary for the stated purpose shall be collected and not stored for longer than necessary as required by law.

• Data Accuracy: Ensure that personal data is updated and accurate. Data subjects have the right to request correction or updating of their information.

• Data Security and Integrity: Apply appropriate technical and organizational measures to protect personal data from unauthorized access, loss, alteration, disclosure, or destruction.

• Accountability: X-Border is responsible for complying with personal data protection regulations and has internal monitoring and inspection mechanisms to ensure the implementation of this Policy.

3. What Personal Data is being collected and processed?

Personal data is information that relates to an identified or identifiable individual. This includes information Users provide to X-Border, information which is collected about Users automatically, and information obtained from third parties. This process is required by law to comply with "Know-Your-Customer" regulations. The following types of information may be collected:

3.1. Basic Personal Data

• Full name & other names (if any); Date of birth; Gender;

• Place of birth, place of birth registration, permanent residence, temporary residence, current residence, hometown, contact address;

• Nationality;

• Image of the individual;

• Phone number, identity card number, personal identification number, passport number, personal tax identification number, social insurance number;

• Information about the individual's digital account;

• Other information associated with a specific person or helping to identify a specific person not covered by this section.

3.2. Sensitive Personal Data

• Financial and banking data;

• Biometric data (if any);

• Information related to racial or ethnic origin;

• Data on crimes and criminal offenses collected and stored by law enforcement agencies;

• Data on the location of an individual determined through location services;

• Other personal data specified by law as specific and requiring necessary security measures.

4. Personal Data Collection and Processing Procedures

4.1. Data Collection

• Notification and Consent: Before collection, X-Border will clearly inform about the purpose, scope, and method of data processing, and ensure the consent of the data subject is obtained (unless otherwise provided by law).

• Collection Methods: Data may be collected through online channels, telephone, in person, or through authorized Partners.

4.2. Data Processing and Storage

• Processing: Personal data will only be used for the stated purpose and the processing purpose will not be changed without the additional consent of the data subject.

• Storage: Personal data is stored on a secure system with technical measures to prevent unauthorized access, ensuring integrity and confidentiality.

• Storage Period: Data is only stored for the period necessary for the processing purpose or as required by law.

4.3. Data Sharing and Transfer

• Internally: Data is only shared with relevant and authorized individuals and departments.

• With Third Parties: The transfer of data to partners or third parties must be carried out in accordance with the law and ensure there is a clear contract and data transfer record, protecting the rights of the data subject.

• International Transfer: If there is a transfer of data abroad, X-Border must ensure legal requirements and equivalent protection measures are in place as stipulated in Decree 356/2025/ND-CP.

5. Rights of the Users

• Right to be Informed: Users have the right to find out what information is being collected and processed.

• Users have the Right to view, modify, or request modification of their personal data.

• Users have the Right to consent, refuse, or request withdrawal of consent to the personal data processing.

• Users have the Right to request the deletion or destruction of personal data recorded, unless doing so shall infringe upon Decree 356/2025/ND-CP.

• Users have the right to file complaints, report violations, initiate lawsuits, or seek compensation.

• Users have the Right to request relevant authorities or entities take measures to protect their personal data.

6. Data Protection Measures

6.1. Technical Measures

• Use of encryption technologies, firewalls, and monitoring systems to protect data.

• Regularly update and patch the system to ensure data safety.

• Control data access according to the role and responsibility of each individual.

6.2. Administrative and Organizational Measures

• Train and raise awareness for employees about personal data protection.

• Establish internal processes and procedures to monitor the collection, processing, and storage of data.

• Identify and appoint a Data Protection Officer responsible for monitoring the implementation of the Policy.

6.3. Personal data protection in blockchain

X-Border applies only encryption algorithms, hashing algorithms, and digital signature algorithms that ensure safety;

X-Border will refrain from directly storing personal data on the blockchain, and only storing such data where personal data has been de-identified or where hash values of personal data are stored;

X-Border conducts periodic assessments of compliance with personal data protection regulations once per year.

6.4 Regarding personal data of Children and Vulnerable Individuals.

In accordance with Article 24 of Vietnam's Personal Data Protection Law, X-Border does not knowingly collect or process personal data of children under seven (7) years of age, or of individuals who have lost or have limited civil act capacity, or who face difficulties in cognition or behavior control, through cookies or similar technologies.

For children aged 7 and above, as well as for vulnerable individuals, the exercise of personal data rights must be carried out by their legal representative. Where the processing of personal data involves disclosure of private or personal information, the explicit consent of both the child (if aged 7 or above) and their legal representative is required.

The Company will immediately cease processing personal data in the following circumstances:

• Consent is withdrawn by the legal representative or, in the case of children aged 7 or above, by the child themselves.
• A competent authority requires cessation upon determining that such processing may infringe upon the lawful rights and interests of the child or vulnerable individual.

7. Data Breach Response

X-Border is committed to protecting the Users' personal data. However, in the event of a personal data breach:

X-Border shall promptly inform affected Users within 72 hours of noticing the breach.

X-Border will notify all relevant authorities as stated via Decree 356/2025/ND-CP.

X-Border shall record, store, and update all violation records to serve inspection, examination, and enforcement purposes. The Company shall retain such records for a minimum of five (5) years from the date the incident has been fully remedied. This obligation ensures transparency, accountability, and compliance with applicable regulatory requirements.

8. Policy Review, Monitoring, and Updates

• Periodic Review: X-Border will periodically review the effectiveness of personal data protection measures and make improvements as necessary.

• Monitoring and Inspection: The collection, processing, and storage of data will be periodically internally audited to ensure compliance with this Policy.

• Policy Updates: The Policy will be updated when there are changes in legal regulations or when X-Border adjusts its operations related to personal data.

9. Storage, Deletion, and Destruction of Personal Data

When the User's personal data is no longer necessary for the purposes of this Policy, or X-Border no longer has a legal basis to retain the User's personal data, or when the User's withdraws authorization, X-Border will take steps to delete, destroy, anonymize, or prevent access to or use of the personal data for any purpose other than to comply with this Policy, or for safety, security, detection, and prevention of fraud, in accordance with applicable law.

The deletion of data will not apply upon the request of the Users in the following cases:

• The law does not allow for the deletion of data;

• Personal data is processed by a competent authority for the purpose of serving the activities of the state agency in accordance with the law;

• Personal data has been made public in accordance with the law;

• Personal data is processed for legal requirements, scientific research, and statistics in accordance with the law;

• In the event of a national defense or security emergency, but not yet at the level of declaring a state of emergency: prevention of riots, terrorism, crime prevention, and law violations;

10. Responsibilities and Powers

• Board of Directors: Responsible for issuing, supervising, and directing the implementation of the Data Protection Policy throughout the organization.

• Data Protection Officer: Responsible for monitoring and evaluating the implementation of the Policy, advising, and assisting relevant departments on data protection issues.

• Relevant Departments: Each department is responsible for ensuring that its activities of collecting, processing, and storing personal data comply with the Policy and law.

• Employees: Each individual must comply with the regulations and procedures set out in this Policy and report immediately upon detecting any violations.

11. Provisions on Handling Violations

• Internal Violation Handling: Violations of personal data protection will be handled in accordance with the labor regulations and current rules and regulations of X-Border.

• Legal Violation Handling: In case of a violation of the law on data protection, X-Border will coordinate with the competent authorities to handle it in accordance with the law.

• Dispute resolution: Any dispute or disagreement under this Policy shall first be resolved through amicable negotiation. If an agreement cannot be reached through amicable negotiation, either party has the right to bring the dispute to the competent authority for resolution.

• Disputes between Users and Third Parties: X-Border bears no responsibility for disputes arising between Users and any third party. X-Border's role is limited to providing supporting information to assist Users and the relevant third party in resolving such matters. All issues related to transactions between Users and third parties must be settled directly between those parties.

12. Other Provisions

Any amendments, supplements, or replacements to this Data Protection Policy will be notified by X-Border on the company website or the application or through the Users' registered email. When the Company makes changes or additions to this Policy, the "Last Updated" date of the privacy policy will be amended. Unless otherwise specified, the User is deemed to have accepted all of the Company's amended contents as notified if the User continues to use Company's Service.

This Policy is governed by and construed in accordance with the laws of Vietnam. If any provision of this Policy is deemed unlawful, void, or for any reason unenforceable by a competent court or regulatory authority, then that provision shall be deemed severable from this Policy and shall not affect the validity and enforceability of any remaining provisions of this Policy.