Privacy Policy
Updated: 05/05/2025
This Privacy Policy is developed in accordance with Decree No. 13/2023/ND-CP of the Government of Vietnam on Personal Data Protection, along with other applicable legal documents.
By using our services, you entrust us with your personal information. We understand this is a great responsibility, and we work hard to protect your data while giving you control over it.
Cas was founded with the mission of unlocking the potential of open banking. By providing a platform that allows you to centrally manage your financial data and grant access to software developers, we make it easier, safer, and more secure to build open financial applications.
Our objective with this Policy is to provide a clear and accessible explanation of what data Cas collects from you, how we use it, and how we share it. We value transparency and aim to give you a concise yet comprehensive overview of how your data is handled.
Cas’s services are not intended for individuals under the age of 18. We do not knowingly collect data relating to minors.
PERSONAL DATA PROTECTION POLICY
This Personal Data Protection Policy (the “Policy”) is intended to inform users of Cas (hereinafter referred to as “Users”) about the personal data processed by Cas and third-party developers using Cas to connect with banks (“Third Parties”). The Policy explains the purposes of data processing, the methods of processing, data retention periods, and the rights and obligations of Users in accordance with Vietnamese law on personal data protection.
This Policy forms an integral part of the contracts, general terms and conditions, and terms of service of Cas. It applies to all products and services provided by Cas and to all digital platforms interacting with Users via Cas as an intermediary platform.
Cas is responsible for fully disclosing this Policy to Users before entering into any contract or transaction and must obtain their consent prior to processing personal data, in accordance with applicable laws. By checking boxes such as “I have read and agree” or “I agree to the Terms and Privacy Policy of Cas,” or by signing a contract referring to this Policy, or by continuing to register, log in, or use Cas’s websites/applications or services without raising objections, Users confirm that they have read, understood, and accepted the entire contents of this Policy.
DEFINITIONS
In this Policy, the following terms shall have the meanings assigned below:
- Cas: A solution enabling developers to securely connect with users’ bank accounts through a consent-based, legally compliant, and standardized API process. Cas directly collects or intermediates the collection, processing, analysis, and aggregation of data from banks to provide financial services to end users and third parties.
- Third Parties: Organizations and businesses using Cas to provide financial, analytical, and related services. These parties may request access to data through Cas to deliver value-added services to end users.
- Users: Individuals, legal representatives of enterprises, and organizations that use financial services provided by Cas and Third Parties. End users provide their personal data to banks, Cas, and Third Parties for the purpose of data processing.
PERSONAL DATA PROCESSING
1.1 When Data Is Processed
Cas and Third Parties are required to notify Users of this Policy and obtain their consent prior to processing personal data in the following situations:
- When Users or their legal representatives contact Cas or Third Parties for product or service consultation;
- When Users trial, register for, or enter into contracts for products or services provided by Cas and/or Third Parties;
- When Users access and/or create accounts on websites/applications of Cas and/or Third Parties;
- When Users voluntarily provide personal data through public channels such as websites/applications, events, conferences, social media, or other programs organized or attended by Cas or Third Parties;
- When Users of an organization or enterprise authorize that entity to share their personal data with Cas and/or Third Parties;
- When Users belong to an entity in which Cas or Third Parties invest, acquire shares, or collaborate to provide products or services;
- When required by competent state authorities;
- When conducting data processing activities as specified in Article 3 of this Policy;
- In other cases as provided by law.
1.2 Types of Personal Data Processed
Cas and Third Parties may process the following types of personal data, which may vary depending on the type of product or service and the way Users interact with Cas. Changes, if any, will be communicated to Users and additional consent will be obtained:
Basic Personal Data:
- Full name, other names (if any);
- Date of birth, date of death or disappearance;
- Gender;
- Place of birth, residence, contact address;
- Nationality;
- Phone number, personal identification number, national ID number, passport number, driver’s license, vehicle registration, tax ID, social insurance, health insurance card number;
- Financial account information; personal data reflecting online activity and history.
Sensitive Personal Data:
- User information held by financial institutions, including account and transaction data;
- Location data determined by positioning services.
Users may also voluntarily provide additional personal data outside of Cas’s requirements. By doing so, Users agree to the terms of this Policy and consent to the processing of such data. Users are advised not to provide any sensitive personal data not explicitly requested by Cas or Third Parties. In such cases, Cas and Third Parties will not process such data and disclaim any legal responsibility.
3. Purpose of Personal Data Processing
The collection, updating, and supplementation of Personal Data must be appropriate and limited within the scope and purposes of processing as specified in this Policy. Users’ Personal Data is processed solely for one or several purposes to which the User has consented (“Purpose”). Users are kindly requested to tick the boxes for the Purposes they permit Cas and Third Parties to carry out regarding their Personal Data in the “User’s Consent” column. For any purposes the User does not consent to, please leave the boxes unchecked.
- To verify the accuracy and completeness of the information provided by the User; to identify or authenticate the User’s identity; and to perform user authentication processes; to process the registration for products and services of Cas and Third Parties;
- To provide services to the User, to contact the User for consultation, exchange of information, resolution of requests or complaints, delivery of invoices, statements, reports, or other documents related to the products and services of Cas and Third Parties via various channels (e.g., email, chat); to respond to User requests; to contact the User (or persons designated by the User) regarding information related to the use of Cas and Third Party services;
- To manage and evaluate business operations including the design, improvement, and enhancement of the quality of Cas’s and Third Parties’ products and services; to conduct marketing communications; to perform market research, surveys, and data analysis; to research and develop new products, services, or delivery models that meet User needs;
- To comply with legal obligations in accordance with applicable laws;
- To prevent fraud or mitigate threats to human life, health, and public interests: Cas and Third Parties may use Users’ Personal Data to prevent and detect fraud or abuse in order to protect Users, Cas, Third Parties, and related entities;
- Internal administration.
Cas does not engage in the buying or renting of Personal Data under any circumstances.
4. Methods of Processing Personal Data
Cas may apply one or more operations on Personal Data including: collection, recording, analysis, verification, storage, modification, publication, combination, access, retrieval, recovery, encryption, decryption, copying, sharing, transmission, provision, transfer, deletion, destruction of Personal Data, or other actions as permitted by law.
5. Commencement and Termination of Data Processing
- Commencement time: From the time the Purposes specified in Article 3 of this Policy arise.
- Termination time: Cas and Third Parties shall cease processing Personal Data upon completion of the Purpose(s) chosen by the User, unless otherwise provided by law, the User withdraws their consent, or a competent state authority requests in writing.
6. Sharing of Personal Data
User’s Personal Data may be shared with the following organizations and individuals to fulfill the Purposes specified in this Policy:
- Cas, its parent company, affiliates, subsidiaries, and other companies currently or in the future under common control or ownership;
- Third Parties (i.e., developers using Cas to connect with banks) who are permitted to access, collect, use, and process User Personal Data within the scope authorized by Cas to perform their functions and who must comply with applicable laws on personal data protection in their role as Data Processors;
- Corporate restructuring: During business development, Cas and its parent company may sell or acquire businesses or undergo restructuring in accordance with legal regulations. In such transactions, Personal Data will be transferred and the acquiring party will remain bound by the terms of this Policy;
- Cas and Third Parties may disclose Personal Data as required by law or by competent state authorities.
7. User Rights
Right to be Informed and Right to Consent
Users have the right to be informed about the processing of their Personal Data unless otherwise provided by law. Except for the cases specified in Article 12 of this Policy, Users may agree or disagree with the terms and conditions of this Policy via methods as guided by Cas and Third Parties, such as SMS, calls, checkboxes on the website/application, or customer support hotlines. Cas and Third Parties shall only process Personal Data upon obtaining the User’s consent.
Right to Access and Request for Data Provision
Users have the right to access Cas and Third Party applications/websites and/or contact them directly to view, edit, or extract their Personal Data, unless otherwise provided by law. If Users are unable to do so, they may contact Cas or Third Parties for support using the contact details in Article 13 of this Policy.
Right to Rectify
Users may request the correction of their Personal Data, provided such modifications do not violate legal regulations. In case of difficulty editing the data, Users may request assistance from Cas via the contact methods listed in Article 13.
Right to Object, Restrict, or Withdraw Consent
Users may object to or request to restrict the processing of their Personal Data or withdraw their consent. However, this may prevent Cas and Third Parties from providing products or services. In such cases, Cas and Third Parties may unilaterally terminate the contract without compensation, as service conditions have changed (unless the fault lies with Cas or Third Parties). A notice will be provided to the User within 3 days before termination. Users are advised to consider carefully before withdrawing consent.
To opt out of marketing or promotional content, Users may contact Cas using the information in Article 13. For in-app notification settings, Users can modify their preferences directly in the app or device.
Right to Erasure
Users may request the deletion of their Personal Data in compliance with legal provisions. However, this may result in the inability to continue using Cas’s services, leading to potential contract termination without compensation unless Cas or Third Parties are at fault.
Right to Lodge Complaints, Accusations, and Lawsuits
Users have the right to lodge complaints, accusations, or initiate lawsuits in accordance with the law.
Right to Claim Damages
Users are entitled to claim compensation in case of violations of their personal data protection rights, unless otherwise agreed or stipulated by law.
Right to Self-Protection
Users have the right to self-protection under the Civil Code and relevant laws, including Decree No. 13/2023/ND-CP on Personal Data Protection (and its amendments), or may request competent authorities or organizations to protect their civil rights under Article 11 of the Civil Code.
User Obligations
Users are responsible for safeguarding their personal data as follows:
- Users shall proactively implement protective measures to manage and securely use their accounts and personal technology devices (including smartphones, computers, tablets, and laptops). This includes logging out after use, setting strong passwords, and keeping login credentials confidential. These measures help prevent unauthorized access to the User’s account.
- Cas and Third Parties shall not be liable for any damages incurred by the User in the event of password disclosure/loss, theft, or unauthorized account access, including access through lost or stolen devices, or in the event that Cas’s system is illegally breached by third parties, except where such damages are due to the fault of Cas or Third Parties.
Upon accepting all terms and conditions of this Policy, Users are responsible for providing accurate and complete personal data as requested by Cas and Third Parties and must notify Cas and Third Parties promptly upon discovering any violations regarding personal data protection.
Users may voluntarily provide additional personal data beyond what is requested by Cas and Third Parties, provided they comply with Clause 2.4, Article 2 of this Policy.
Users are also obligated to respect the personal data of other individuals and to comply with legal regulations on personal data protection, including participating in the prevention and detection of violations.
Personal Data Retention
The personal data of Users stored by Cas and Third Parties will be protected and secured. Cas and Third Parties are responsible for applying data protection measures in accordance with applicable law.
The necessity for data retention is determined based on the original collection purpose and legal obligations. User data is periodically reviewed to ensure it remains necessary for the stated purposes or other legal reasons.
If a Third Party disconnects a User from an application, Cas’s system will be designed to automatically delete that User’s personal data, except in the following cases:
- The User has active connections with another application via Cas;
- Cas needs the User’s data to continue providing requested services;
- Legal regulations require the data to be retained;
- Data is needed for fraud prevention, privacy protection, support, or abuse investigation;
- There is another lawful basis for retention, and the User has consented to extended storage.
Storage location: Subject to legal allowances, Cas and Third Parties may store User personal data both within Vietnam and abroad, including via cloud computing solutions. Data protection standards will comply with current legal requirements. Cross-border data transfers shall adhere to Article 25 of Decree 13/2023/NĐ-CP and other relevant legal documents.
Retention period: Cas and Third Parties will store personal data only as long as necessary to fulfill the purposes outlined in this Policy. If existing law stipulates a different retention period, such regulations shall prevail.
Obligations of Cas and Third Parties
Cas and Third Parties commit to protecting User personal data in compliance with legal regulations and this Data Protection Policy.
Cas strives to safeguard personal data from loss, destruction, or damage through technical measures. Cas and Third Parties will maintain this commitment by implementing physical, electronic, and managerial safeguards, including but not limited to:
- Protecting Cas’s official servers and systems that contain personal data with firewalls, encryption, and anti-intrusion technologies;
- Implementing human resource controls and protocols for inspection, assessment, and auditing to prevent violations.
Cas will take all necessary measures to ensure User personal data is processed for the intended purposes only. All actions by Cas and Third Parties will comply with legal requirements on data storage and processing.
Cas will fulfill User requests related to personal data, provided such requests comply with applicable laws.
Other obligations as required by law and by this Policy shall also be fulfilled.
Unilateral Termination of Agreement
Cas reserves the right to unilaterally terminate service agreements with Users under circumstances permitted by law or specified in this Policy, service agreements, or terms of use, without compensation, provided such termination does not result from Cas’s fault or breach of legal obligations.
Termination does not affect accrued rights and obligations before the termination date, nor does it limit Cas’s rights to continue retaining and processing personal data according to legal provisions and the User’s prior consent, unless a valid data deletion request is made by the User.
Potential Risks and Unintended Consequences
While Cas employs various security technologies to protect Users’ personal data, there may still be unintended consequences beyond Cas’s control, including:
- Hardware or software errors during data processing that result in loss or corruption of personal data;
- Security vulnerabilities exploited by hackers leading to data breaches;
- Users disclosing their own data due to negligence, phishing, downloading malware-infected applications, or willingly sharing information with others.
Processing Personal Data Without Consent
Cas and Third Parties may process personal data without the User’s consent under the following circumstances:
- In emergencies where immediate data processing is needed to protect the life or health of the User or others;
- Where public disclosure of personal data is legally mandated;
- When state agencies process data during national defense, public security, social order emergencies, major disasters, dangerous epidemics, or to prevent terrorism, crime, and legal violations as permitted by law;
- Where data processing is required to fulfill contractual obligations with the User in accordance with legal provisions;
- For lawful activities of state authorities as regulated in sector-specific laws.
Contact Information
If you have any questions regarding this Policy or wish to exercise your rights related to your personal data, please contact Cas through the following means:
- Call the hotline listed on Cas’s official website/applications at the relevant time;
- Send official correspondence to the following address:
I.102D, Information Technology Park – Vietnam National University, Thu Duc City, Ho Chi Minh City, Vietnam;
- Other contact methods include Cas’s official fanpage and the information security support email: cskh@cas.so.