PRIVACY AND PERSONAL DATA PROCESSING POLICY
This Privacy and Personal Data Processing Policy ("Policy") sets out and governs the processing of personal data of individuals who register for and use the LS.POINT application (“Application”), an application jointly managed by Lotte Shopping Plaza Vietnam Co., Ltd. (“LSPV”) and Lotte Properties Hanoi Co., Ltd. (“LPH”) (collectively referred to as “we” or “our”). LSPV/LPH acts as the Controller and Processor of personal data.
This Policy is designed to help Customers understand how we collect, process, use, store, disclose, and protect personal data in the course of:
- Shopping at Lotte Mall Westlake Hanoi/Lotte Department Store;
- Using related services provided by LSPV/LPH and/or by third parties in cooperation with LSPV/LPH;
- Accessing and/or using the LS.POINT Website/Application or other Customer Care channels;
- Registering for, maintaining, and using the benefits of the Lotte Shopping Vietnam Membership Program (“Membership Program” or “Program”).
(Collectively referred to as the “Services”).
We are committed to collecting and processing Customers’ personal data only in accordance with the laws of Vietnam and other applicable regulations.
This Policy does not apply to any services, products, websites or content provided by third parties and/or subject to their own privacy policies. The Application may contain links to third-party websites, applications and online services that are not owned or controlled by LSPV and/or LPH; therefore, LSPV and/or LPH are not responsible for the content or privacy practices of such third parties.
By accessing, registering for the Application and/or using our Services, Members of the Program (“Members”) are deemed to have read, understood, and agreed to all the terms of this Policy. We may review and update this Policy from time to time to comply with legal requirements. Members are encouraged to regularly check the Policy on the Application, our website, and official communication channels to stay informed of the latest version and its effective date. By continuing to maintain and use the Membership Account (as defined in the Membership Policy – Terms and Conditions) after such changes are posted, Members are deemed to have agreed to those changes.
ARTICLE 1. PERSONAL DATA COLLECTED
In order to register and administer the Membership Program, we collect certain basic and sensitive personal data of Customers (collectively referred to as “Personal Data”) through the Application, our website or paper forms at the time Customers register for the Membership Program or during their use of the Services. Customers under fifteen (15) years of age are not eligible to register as Members.
For Customers who have not registered or are not yet eligible to register as Members: they may access and view our publicly available posts regarding events, programs and announcements.
For Customers who have registered as Members: they are entitled to use personalized Services or Services reserved for Members, including but not limited to point accumulation, point redemption and Member discounts. We need to collect a minimum amount of basic Personal Data necessary to provide the Services.
Personal Data which the Data Subject consents for us to collect at the time of Membership registration includes, but is not limited to, the following:
Basic Personal Data
- Full name as stated on valid personal legal documents, and any other names used (if any);
- Date of birth;
- Gender;
- Nationality;
- Identity card number / citizen ID number / personal identification number / passport number;
- Mobile phone number, email address, contact address (including both Members who consent and Members who do not consent to receive information via such addresses); password and L.POINT card information (converted from the former L.POINT system);
- Personal image; information obtained from security systems (for Customers shopping at Lotte Mall Westlake Hanoi / Lotte Department Store, for example calls, direct messages and/or other forms of contact from and/or to us may be stored in forms including but not limited to audio recordings and video recordings at CCTV-monitored areas, automatic or manual, in order to assist in request handling, system updates, service quality improvement and other lawful purposes);
- Income;
- Occupation, marital status;
- Number of children and their ages (if any);
- Car information, car licence plate number, golf club membership (if any);
- Other information arising in the course of using the Membership Card and other channels of the Program;
- Any other information associated with or identifying a specific individual which does not fall within the category of Sensitive Personal Data.
Sensitive Personal Data
- Detailed information about products or services that the Customer/Member has purchased or viewed on the Website/Application;
- Payment information (bank account number, credit card number or any other payment details);
- Data relating to the Website or Application: technical information (including Internet Protocol (IP) address, Customer login data, browser type and version, language settings, time zone and location, browser plug-in types and versions, operating system and platform, international mobile device version, device identifiers, interactions on platforms and applications, etc.).
ARTICLE 2. PURPOSES OF PROCESSING PERSONAL DATA
At any time during the provision of the Services, we use Members’ Personal Data within the necessary and lawful scope for the following purposes:
Managing and maintaining Members’ accounts
- Creating Members’ accounts
- Verifying the purpose of Members’ registration, authenticating personal data and age, preventing abuse of Members’ benefits and other related actions to ensure implementation of the Membership Policy
Providing and operating the Services
- Providing the Services (including interactions on the Application);
- Verifying Members’ payment transactions when using the Services;
- Authenticating Personal Data for shopping and payment, supplying products and Services necessary to provide paid Services;
- Sending notices to Members, including but not limited to notifications regarding our policies, regulations and their amendments or updates; notifications and updates on security, accounts and Members’ cards;
- Displaying LS.POINT point-accumulation barcodes on the Google Wallet platform according to Members’ integration and usage needs.
Customer support
- Receiving and handling inquiries or complaints and sending notifications;
- Recording, filming and storing communications to improve the quality of the Services.
Advertising, marketing and promotion
- Sending to Customers, by means permitted under law, notifications, advertising information, promotional offers and materials related to the Program, the products and/or Services within the Program, specifically:
  - Content: Notifications, advertising information, promotional offers and materials related to the Program, the products and/or Services within the Program, including but not limited to marketing campaigns, promotions, customer care policies, warranty policies, gift programs, discounts or other special offers.
  - Methods: By text message, by telephone call, by email provided by the Member.
  - Frequency: No more than three (03) advertising text messages to a phone number, three (03) advertising emails to an email address, and one (01) advertising call to a phone number within 24 hours, during timeframes prescribed by law.
- Optimizing the Program (implementing marketing campaigns and communications to Customers to enhance Program effectiveness);
- Members hereby agree to receive advertising and promotional information until such time as they unsubscribe, specifically:
  - If a Member does not wish to receive advertising information via text messages, the Member may text according to the instructions in the advertising message;
  - If a Member does not wish to receive advertising information via telephone calls, the Member may register on the “Do Not Call List” through the following methods: (1) sending a text message with the syntax “DK DNC” to 5656; (2) via the website khongquangcao.ais.gov.vn. Subscribers on the “Do Not Call List” will not receive advertising messages or calls from any third party. Under this method, the Member will also not receive any advertising calls from any other third party;
  - If a Member does not wish to receive advertising emails, the Member may click “Unsubscribe” according to the instructions in the advertising email;
  - Members may also request to opt out of receiving advertising information by contacting us using the contact details at the end of this Policy.
To review the arrangements regarding registration or refusal to receive advertising text messages, advertising emails or advertising telephone calls, Members may contact us using the contact details at the end of this Privacy Policy or on our websites (https://lotteshopping.com.vn/ and https://lottemallwestlakehanoi.vn/).
Improving and developing the Services
- Adjusting, updating, securing and improving the products, Services, Application, equipment and systems provided and/or managed by LSPV/LPH;
- Conducting market surveys, product research, developing new products, compiling Customer statistics, consumer behaviour data and other detailed information relating to the Program (such as transaction values, transaction times, shopping locations or service usage and other related information) to support the operation and improvement of our Services;
- Detecting and preventing activities that impersonate or compromise Members’ Accounts or identity within the Program;
- Preventing and handling activities interfering with the normal operation of the Services (including theft and fraud in the use of accounts);
- Preventing or investigating any fraud, unlawful activities, misconduct or deficiencies relating to all operations of LSPV/LPH.
Compliance with law and requests from competent authorities
- Providing data upon lawful requests from competent state authorities;
- Other purposes as prescribed under Vietnamese law.
Enhancing Customers’ Experience with the Services
Optimising the provision of the Services, including linked Services. We seek to deliver greater benefits to Customers through collaboration in developing and implementing platforms to offer a variety of products, services and utilities of LPH, LSPV and other services of companies within the Lotte Group to Customers.
ARTICLE 3. METHODS OF COLLECTION AND PROCESSING OF PERSONAL DATA
3.1. Collection and Processing of Personal Data
LSPV/LPH, at all times, has full discretion to determine the means and methods of collecting and processing Personal Data, including but not limited to:
- Collecting directly from Members who consent to the collection of their Personal Data when registering for Membership or using our Services;
- Personal Data lawfully provided by our partners or service providers who have entered into strategic cooperation agreements or cooperation contracts with us under the authorization of the data subjects;
- Collecting information via websites, applications, fax, telephone, etc. during service consultation;
- Collecting information from customers participating in online and offline promotional events, etc.;
- Collecting payment and point transaction information, etc. generated in the course of using the Services;
- Conducting surveys, research, etc.;
- And other methods permitted by law.
After collecting Personal Data, LSPV/LPH may itself, or authorize the organizations/individuals referred to in Article 4 of this Policy, to carry out one or more appropriate Personal Data processing activities, such as collecting, recording, analyzing, verifying, storing, modifying, disclosing, combining, accessing, retrieving, recovering, encrypting, decrypting, copying, sharing, transmitting, providing, transferring, deleting, destroying Personal Data or other related actions for the purposes of processing or to fulfill the Member’s rights as a Data Subject (e.g., the right to rectify, update, provide, restrict the processing of Personal Data, etc.) in accordance with applicable laws.
At the time of collecting Personal Data, we will inform Members of “the specific items of Personal Data to be collected,” “the purposes of collection and use of Personal Data,” and “the right to refuse to provide Personal Data and any disadvantages associated with such refusal.” The collection and processing of Personal Data are conducted solely on the basis of the Member’s consent, except where otherwise provided by law.
Members are responsible for ensuring that the information they provide is complete, accurate, and up-to-date to protect their own rights and ensure proper use of the corresponding Services. LSPV and/or LPH are under no obligation to verify customer information during collection; if Members provide inaccurate or incomplete information, LSPV and LPH reserve the right to determine appropriate measures, including suspension of Services, and will not be liable for any loss of the Member’s entitlements.
3.2. Cross-border transfer of Personal Data
LSPV/LPH may transfer or grant access to Personal Data to organizations or management units located overseas (including but not limited to the parent company, member companies of the Lotte Group, and any relevant units or branches), as well as to overseas partners and service providers, for the purpose of processing data in accordance with the processing purposes consented to by the Member.
In some cases, partners or service providers of LSPV/LPH based in Vietnam may use data processing systems or equipment located outside the territory of Vietnam to perform processing activities on behalf of LSPV/LPH. Such cases shall be deemed cross-border transfers of Personal Data.
Please note that the level and practices of Personal Data protection in some countries may differ from those stipulated by Vietnamese law and may be lower or higher. In all cases of cross-border transfer of Personal Data, LSPV/LPH will implement appropriate protective measures, including but not limited to entering into data protection agreements, selecting data processors that meet legal protection standards, and limiting processing strictly within the clearly defined scope of tasks.
Cross-border transfers of Personal Data will be carried out by us in compliance with applicable laws.
ARTICLE 4. PERSONAL DATA PROCESSORS AND PERSONAL DATA RECIPIENTS
The processing of Personal Data may be carried out directly by LSPV/LPH or through other individuals and organizations involved in the purposes of Personal Data Processing. In line with the purposes of using Personal Data as set forth in this Policy, the Member consents that LSPV/LPH may share the Member’s Personal Data by transferring or providing such Personal Data to the following organizations and individuals:
(i) Our personnel: employees and workers of LSPV/LPH;
(ii) Lotte Group: the parent company, member companies of Lotte Group, and its units and branches (if any);
(iii) Product and service providers: including but not limited to information technology services, data analytics and processing, market research, trade promotion, advertising services, training services, and legal services;
(iv) Consulting companies: auditors, lawyers, and consultants of LSPV/LPH;
(v) Financial partners: commercial banks, switching organizations, card organizations, and payment intermediaries cooperating with LSPV/LPH;
(vi) Business partners: merchants accepting payments and parties using LSPV/LPH’s intermediary payment services;
(vii) Governmental, judicial authorities or other third parties: including any individual, competent authority, regulator, or third party to whom LSPV/LPH is permitted or required to disclose under the laws of any jurisdiction;
(viii) Corporate transactions: we may transfer your Personal Data to a third party to continue the processing of Personal Data in the event of division, separation, merger, assignment, reorganization, acquisition, sale, winding up, or other corporate transactions (including during negotiations);
(ix) Data analytics and processing: service providers that supply data analytics and/or processing services for LSPV/LPH under agreements from time to time;
(x) Other business partners: recipients of Personal Data that are LSPV/LPH’s business partners under transfer agreements;
(xi) Other relevant organizations and individuals: we share information with other organizations and individuals involved in enforcing or maintaining any rights or obligations under the agreement(s) between the Member and LSPV/LPH; or parties to whom the Member consents or to whom LSPV/LPH has a legal basis to disclose the Member’s Personal Data.
ARTICLE 5. POSSIBLE UNINTENDED CONSEQUENCES AND DAMAGES
5.1. LSPV/LPH always strives to protect and ensure the highest level of security for Members’ Personal Data and applies appropriate management and technical measures, such as encryption during data storage and transmission, to safeguard Members’ Personal Data from unauthorized disclosure, misuse, or sharing.
However, the processing of Personal Data by LSPV/LPH and/or third parties may result in Personal Data incidents affecting Members beyond the control or intention of LSPV/LPH. Possible unintended consequences and damages may include, but are not limited to:
(i) Hardware or software errors during data processing resulting in loss of Members’ data;
(ii) Security vulnerabilities beyond the control of LSPV/LPH, such as system attacks by hackers causing data breaches;
(iii) Members themselves disclosing their Personal Data due to carelessness, being deceived or scammed, having their accounts stolen, or accessing websites/downloading applications containing malware;
(iv) Other unforeseen consequences or damages arising from objective causes beyond LSPV/LPH’s anticipation.
5.2. In the event of an incident or discovery of a violation affecting Members’ Personal Data, LSPV/LPH will notify the competent State authority of the breach of Personal Data protection regulations and will endeavor to implement remedial measures to prevent or mitigate the consequences.
5.3. Members also agree that, to the extent LSPV/LPH has implemented reasonable measures to prevent such risks, LSPV/LPH shall not be liable for any damages caused by the acts of any third party adversely affecting Members’ Personal Data beyond LSPV/LPH’s control.
ARTICLE 6. COMMENCEMENT AND TERMINATION OF PERSONAL DATA PROCESSING
6.1. Commencement of Personal Data Processing: LSPV/LPH shall commence processing Members’ Personal Data from the moment it receives the Member’s consent to such processing.
6.2. Termination of Personal Data Processing: The processing of Members’ Personal Data shall end when the notified processing purposes have been fully achieved and/or LSPV/LPH no longer has any legal or previously notified obligations requiring continued processing.
Specifically, Personal Data will be stored and processed:
- for at least the period necessary to provide the Services;
- for the duration prescribed by law, contracts, or to fulfill statutory obligations (e.g., tax obligations);
- for a reasonable period to manage complaints, investigations, or resolve actual or anticipated disputes;
until it is no longer needed for the purposes for which it was collected, or for a longer period if required by contract, by law, or in anonymized form for statistical purposes, with appropriate safeguards in place.
ARTICLE 7. RIGHTS AND OBLIGATIONS OF MEMBERS
7.1. Rights of Members
As the Data Subject, the Member has the following rights with respect to his/her Personal Data, unless otherwise provided by law:
- Right to be informed about the processing of his/her Personal Data;
- Right to consent or not to consent to the processing of his/her Personal Data, except where the law permits the processing of Personal Data without the Data Subject’s consent;
- Right of access: the right to access, view, edit or request the editing of his/her Personal Data by logging into the LS.POINT Account and updating personal information, or by requesting LSPV/LPH to do so through the official communication channels specified in Article 9 of this Policy;
- Right to withdraw consent for the processing of his/her Personal Data;
- Right to delete data or request deletion of his/her Personal Data;
- Right to request restriction of processing of Personal Data. The restriction shall be implemented within 72 hours from the time of the Member’s request, for all Personal Data requested to be restricted;
- Right to request provision of his/her Personal Data;
- Right to object to the processing of his/her Personal Data in order to prevent or restrict disclosure of Personal Data or its use for advertising or marketing purposes. The objection request shall be processed within 72 hours from the time of the Member’s request;
- Right to lodge complaints, denunciations, or lawsuits in accordance with the law;
- Right to claim compensation for damages in the event of a violation of regulations on the protection of his/her Personal Data;
- Right to self-protection: the Member may protect himself/herself in accordance with the Civil Code, other relevant laws, and Decree 13/2023/ND-CP on Personal Data Protection, and request competent agencies or organizations to implement civil protection measures. The Member has the right to file complaints about the disclosure of personal information to third parties at the address of LSPV/LPH as stated in Article 9 of this Policy.
How Members may exercise their rights:
- To request restriction or objection to the processing of Personal Data, the Member must send the request to LSPV/LPH via the email address specified in Article 9 of this Policy or by another form presented in a format that can be printed, copied in writing, including electronic or verifiable formats. The Member’s request will be fulfilled by LSPV/LPH within the time limit prescribed by law, for all Personal Data that the Member requests to restrict/object.
- To request deletion of information or withdraw consent to the sharing of Personal Data, the Member may cancel his/her Membership. To exercise these rights, please go to the “My Profile” section on the Application or visit Lotte Department Store or Lotte Mall West Lake Hanoi to make a direct request. We may require certain information to authenticate your request.
In case the Member requests LSPV/LPH to provide his/her Personal Data, the Member may do so in one of the following ways:
- Directly or legally authorize another person to go to the head office of LSPV/LPH to request provision of Personal Data;
- Send a Personal Data Request Form according to Form No. 01 or 02 in the Appendix issued together with Decree 13/2023/ND-CP, or according to the form stipulated in any amended, supplemented, or replaced documents (if any), via electronic means, postal services, or fax to LSPV/LPH.
After receiving a valid request for provision of Personal Data, LSPV/LPH will inform the Member of the time limit, place, and method of providing the Personal Data; the actual costs related to printing, copying, photographing, or sending information via postal or fax services (if any) and the method and deadline for payment; and will provide the Personal Data in accordance with the procedures prescribed by law.
7.2. Obligations of Members
Members’ obligations with respect to the protection of Personal Data:
- Members must protect their own Personal Data and request other relevant organizations or individuals to protect their Personal Data;
- Respect and protect the Personal Data of others;
- Promptly notify LSPV and/or LPH if they detect or suspect that their Personal Data has been leaked or disclosed through the use of the Services;
- Regularly review the privacy policy of the Membership Program on the LS.POINT application;
- By voluntarily providing Personal Data of a third party (including but not limited to spouse, children and/or parents and/or guardians, friends, beneficiaries, authorized persons, partners, or other individuals related to the Member) to LSPV/LPH, the Member represents, warrants, and undertakes that he/she has lawfully obtained the third party’s consent for the processing of such data and for the Member to be the subject of the processing for the purposes set out in this Policy. The Member also understands that LSPV/LPH is not required to re-verify such consent;
- Fulfil other obligations as prescribed by law.
ARTICLE 8. TERMS OF USE AND SECURITY OF ONE-TIME PASSWORD (OTP)
To ensure the safety and security of information when customers register as Members and use the LS.POINT application of LSPV and LPH, a One-Time Password (“OTP”) will be used as an identity authentication measure during registration and use of the Application. This Article sets out the manner of use, responsibilities, and other provisions relating to OTP.
Purpose of Use
- Authentication during Member registration: When a customer wishes to register as a Member, an OTP will be sent to the phone number provided by the customer to verify identity and personal information.
- Password recovery: In the event a Member forgets his/her password and needs to reset it, an OTP will be sent to the Member to confirm the password recovery request.
Method of Receiving OTP
- OTPs will be sent via SMS to the phone number provided by the customer during account registration.
Validity and Effectiveness of OTP
- Each OTP is valid for 3 minutes from the time it is sent. After this period, the customer must request a new OTP to continue the authentication process.
- OTPs cannot be reused after they expire or have been successfully used for authentication purposes.
- To ensure security and prevent abuse of OTPs, a customer may request an OTP a maximum of 5 consecutive times within a short period. After 5 consecutive OTP requests, the system will temporarily suspend the issuance of OTPs to the customer for 10 minutes. After the 10-minute suspension, the customer may continue requesting OTPs. However, if the customer again makes 5 consecutive requests, the suspension will be applied once more.
- If a customer incurs 5 consecutive suspensions (each lasting 10 minutes), the system will permanently block the sending of OTPs to that customer. In this case, the customer will not be able to request OTPs and must contact our Customer Service Department for assistance or to restore access.
Security of OTP
- Customers are responsible for keeping OTPs confidential. OTPs and/or the devices storing them must not be shared with any third party.
- Any disclosure or misuse of an OTP may result in loss of account access or risks relating to the security of personal information.
- LSPV and LPH shall not be liable for any loss arising from the customer’s disclosure or misuse of OTPs.
No Third-Party Interference
- Information about OTPs is encrypted when sent to customers. The sending and receiving of OTPs are fully secured, and no party other than the customer and the LSPV and LPH system has access to the OTPs.
Handling Violations Relating to OTP
- Any misuse of OTPs, sharing of OTPs with third parties without authorization, or intentional disruption of the authentication process will be deemed a violation of security regulations. Depending on the severity of the violation, the customer may have his/her account suspended or be subject to handling in accordance with applicable laws.
Obligations of Members
- Members are obligated to provide accurate contact information to receive OTPs. If there is a change in phone number, Members must promptly update their information to avoid interruptions in the authentication process (to change phone numbers, please refer to Article 11: LDSM-P-011 on Member Information Updates in “Membership Policy 2024 – Terms and Conditions”).
- Members must immediately notify our Customer Service Department in the following cases: loss or misplacement of the phone number receiving SMS messages; fraud or suspected fraud; hacking or suspected hacking related to receiving OTPs when using the Application.
- Members must check and correctly enter OTPs within their validity period to complete the registration process on the LS.POINT Application or to reset their passwords.
Contact for Support
- If you encounter any issues related to OTPs, please contact our Customer Service Department for timely assistance.
By registering as a Member of Lotte Department Store and Lotte Mall West Lake Hanoi, the customer agrees to the OTP-related security terms. This provision may be amended from time to time to comply with new security requirements and will be publicly posted on the LS.POINT Application.
ARTICLE 9. MEASURES TO ENSURE THE SECURITY OF PERSONAL DATA
LSPV and LPH strive to manage Members’ Personal Data securely through the following measures:
- Establishing and implementing internal management plans to protect Personal Data: Internal management plans for Personal Data are established, including matters relating to the protection of basic and sensitive Personal Data (if any), such as appointing personnel responsible for Personal Data protection and security, and organizing annual compliance checks of internal management plans.
- Implementing access controls and restricting access rights to Personal Data. To prevent unauthorized access to Personal Data, we have established and implemented standards for granting, modifying, and revoking access rights to personal data processing systems. We have installed and operate intrusion prevention and intrusion detection systems. In addition, we reduce the risk of information leakage within personal data processing systems by separating the external Internet network from the internal network used by employees authorized to download Personal Data.
- Encrypting to securely store and transmit Personal Data. Passwords, unique identifiers, and national ID cards/citizen cards/passports are encrypted and stored in accordance with legal regulations. Personal Data transmitted over networks is sent and received securely via encrypted channels, etc.
- Maintaining access logs to Personal Data and preventing falsification or alteration. Personal Data processors maintain access logs within personal data processing systems. Related access logs are securely stored to ensure they are not falsified, altered, stolen, or lost.
- Installing and updating security programs for Personal Data. To prevent damage to Personal Data, data is regularly backed up and the latest anti-virus software is used to prevent Personal Data or Members’ data from being leaked or damaged.
- Applying physical measures to securely store Personal Data. To prevent Personal Data from being leaked or damaged due to attacks, intrusions, or computer viruses, systems are set up in restricted-access areas and access control procedures are established and operated.
- We shall not be liable for data leaks or losses resulting from the fault of Members or third parties.
- We shall not be liable for technical errors, interruptions, security breaches, or any other errors on the part of Google Wallet.
For any questions, requests, or complaints, please contact:
Lotte Properties Hanoi Co., Ltd.
- Address: 13th Floor, Office Tower, Lotte Mall Hanoi, 272 Vo Chi Cong Street, Tay Ho Ward, Hanoi.
- Customer Service Hotline: 024 3333 8041
Lotte Shopping Plaza Vietnam Co., Ltd.
- Address: 1st Floor – 6th Floor, Lotte Center Hanoi, 52 Lieu Giai Street, Ba Dinh Ward, Hanoi.
- Customer Service Hotline: 024 3333 2514
This Privacy and Personal Data Processing Policy is publicly announced on the LS.POINT application and takes effect from 10th October 2025.