Privacy policy

Article 1 (General Provisions and Scope of Application)

1.    This Privacy Policy (hereinafter referred to as the “Policy”) applies to all personal data that is collected, used, stored, provided, transferred, or otherwise processed through ComboBooking.com and related websites, mobile applications, customer support channels, marketing channels, partner registration systems, and other integrated services (collectively referred to as the “Services”) operated by Coach Travel Co Ltd (hereinafter referred to as “ComboBooking” or the “Company”).

2.    The Company recognizes the importance of protecting users’ personal data and strives to comply with applicable data protection laws in Vietnam (including Decree No. 13/2023/ND-CP) and equivalent international standards. The Company adheres to the following principles in processing personal data:

·         Lawfulness and fairness

·         Transparency

·         Purpose limitation

·         Data minimization

·         Accuracy and up-to-date maintenance

·         Security and confidentiality

·         Protection of data subject rights

3.    This Policy applies to the following categories of individuals:

·         Members and non-members of ComboBooking

·         Users who search for, book, or pay for travel products through ComboBooking

·         Businesses and individuals applying for partner registration or partnership with ComboBooking

·         Content partners who upload reviews, images, blogs, or other content via the ComboBooking platform or external channels

·         All individuals interacting with the Company through customer support, events, promotions, newsletters, partnership inquiries, recruitment inquiries, or other means

4.    ComboBooking is not a direct seller or provider of travel products but operates as an online intermediary platform connecting transactions between users and partners. Accordingly, the Company processes personal data within the following scope:

·         User management and authentication

·         Reservation and payment integration support

·         Customer inquiry handling and dispute resolution support

·         Service operation and improvement

·         Marketing and promotional activities

·         Security maintenance and compliance with legal obligations

In addition, for personal data processing arising from the actual provision and fulfillment of individual travel products, the respective partner providing such products shall bear responsibility as an independent data controller. The Company performs reasonable management and supervisory duties as a platform operator; however, it shall not, in principle, be held liable for personal data processing issues arising from the fault of partners.

5.    When users utilize the Services of ComboBooking or proceed with processes involving the provision of personal data, such as registration, booking, payment, inquiries, partnership applications, or content submissions, users shall be deemed to have acknowledged this Policy. However, where explicit consent is required by applicable laws, such matters shall be processed through separate consent procedures.

6.    This Policy may be applied in conjunction with the Terms of Use, Electronic Financial Services Terms, Partner Agreements, individual service terms, booking conditions, marketing consent forms, and other related documents. Unless otherwise specified, this Policy shall serve as the fundamental standard for personal data processing.

7.    The Company may amend this Policy in the following cases:

·         Amendments to applicable laws and regulations

·         Changes in service structure or operation

·         Changes in security policies or technological environment

·         Changes in internal policies

In the event of material changes, the Company shall provide prior notice through the Services or by electronic means (such as email or notifications).

Article 2 (Categories of Personal Data Collected)

The Company collects only the minimum personal data necessary for the provision of the Services, and such data includes the following:

1.    Membership Registration and Account Management
The Company may collect the following information for membership registration and account management:

·         Required Information
Name, username, password, email address, mobile phone number

·         Optional Information
Date of birth, gender, country, profile information, marketing preferences

·         Other Information
Verification information for password recovery (security questions and answers, etc.)

2.    Reservations, Payments, and Service Use
The Company may collect the following information for booking, payment, and provision of travel services:

·         Reservation Information
Name of the person making the reservation, contact details, email, usage schedule, number of participants, special requests

·         Payment Information
Payment method details (card, bank account, e-wallet, etc.), payment authorization information

·         However, sensitive payment information such as credit card numbers is not stored directly by the Company and is securely processed through payment service providers (PGs).

·         Service Usage Information
Product usage history, cancellation/refund/change records

·         Additional Information (if necessary)
Passport information, date of birth, nationality, passenger information, etc.

·         For certain travel products (flights, tours, accommodations, activities, etc.), additional information may be required by partners or applicable laws; in such cases, the Company will notify users in advance and obtain separate consent before collection.

3.    Partner (Seller) Registration and Settlement
The Company may collect the following information for partner registration, product operation, and settlement:

·         Business Information
Company name, representative name, business registration number or legal identification information

·         Contact Person Information
Name, email, contact details

·         Settlement Information
Bank account details, payment method information

4.    Customer Inquiries and Dispute Resolution
The Company may collect the following information to handle customer inquiries and resolve disputes:

·         Name, contact details, email

·         Inquiry content and communication records

·         Reservation and transaction-related information

5.    Marketing and Events
The Company may collect the following information for marketing, promotions, and events:

·         Email address, mobile phone number

·         Interested products and usage history

·         Event participation information

Marketing communications will only be sent with the user’s separate consent.

6.    Content and Blog Submissions
The Company may collect the following information for managing content submitted by content partners and users:

·         Author information (name or nickname, account details)

·         Content (text, images, videos, etc.)

·         Location information or travel route data (if provided by the user)

7.    Automatically Collected Information
During the use of the Services, the following information may be automatically generated and collected:

·         IP address

·         Access date and time

·         Service usage records

·         Device information (browser, operating system, etc.)

·         Cookies and log data

8.    Sensitive Data and Data Minimization Principle

·         As a general rule, the Company does not collect sensitive personal data (such as health information, political opinions, religion, etc.).

·         Where it is unavoidable to collect sensitive data or additional information for service provision, the Company will clearly inform users in advance and obtain separate consent.

·         The Company collects only the minimum personal data necessary for providing the Services, and failure to provide optional information shall not restrict the use of basic Services.


Article 3 (Methods and Timing of Personal Data Collection)

The Company may collect personal data through the following methods and at the following times:

1.    During Membership Registration and Service Use
Personal data is collected during the process of user registration or account creation.
Additional information may also be collected during login, account updates, and service usage.

2.    During Reservation and Payment Processes
When users make reservations or payments through the ComboBooking platform, the following information may be collected:

·         Reservation holder information

·         User information

·         Payment-related information

·         Usage schedule and special requests

Financial information generated during the payment process may be processed through payment service providers (PGs).

3.    During Partner Registration and Product Operations
When partners register on the ComboBooking platform or register and manage products, the following information may be collected:

·         Business information

·         Contact person information

·         Settlement-related information

4.    During Customer Inquiries and Support
When users contact the Company via customer support, email, telephone, or other methods, personal data may be collected for consultation and issue resolution.

5.    During Events and Marketing Participation
When users participate in events or consent to receive marketing communications, necessary information may be collected to provide such services.

6.    During Content Submission and Activities
When users upload content such as reviews, blogs, or images, or engage in platform activities, author information and content-related data may be collected.

7.    Automatic Collection
During the use of the Services, the following information may be automatically collected:

·         IP address

·         Access time and usage records

·         Device and browser information

·         Cookies and log data

Such information is used for the following purposes:

·         Service operation and quality improvement

·         Security and prevention of fraudulent use

·         Enhancement of user experience

8.    Integration with External Services
When users log in or link their accounts via social media or external services, basic user information may be provided by such services.

In such cases, personal data shall be processed in accordance with the following principles:

·         The scope of data provided is limited to what the user has consented to in the external service

·         The processing of personal data by external services is governed by their respective policies

·         The Company does not have direct control over the personal data processing practices of external service providers


Article 4 (Purposes of Processing Personal Data)

The Company shall use the collected personal data only within the scope of the following purposes. Where the purpose of use changes, prior consent shall be obtained in accordance with applicable laws. The Company shall not use personal data beyond a scope reasonably related to the stated purposes.

1.    Membership Management and Identity Verification
Personal data is used to verify user identity, manage accounts, confirm the intent to use the Services, prevent unauthorized use, and maintain security.

2.    Service Provision and Contract Performance
Personal data is used to perform activities related to the provision of services, including travel product reservations, payment processing, booking confirmations, usage guidance, and cancellation and refund processing.

3.    Connection with Partners and Service Operation
As ComboBooking operates as a platform connecting users and partners, personal data may be used and shared for the following purposes to ensure smooth service delivery:

·         Reservation confirmation and product provision

·         On-site operations and customer support

·         Service fulfillment and post-service processing

The personal data provided in this process is limited to the minimum necessary for service provision. In addition, personal data processing arising from the actual provision and fulfillment of individual travel products shall be the responsibility of the respective partner as an independent data controller. The Company shall provide necessary support within the scope of platform operation.

4.    Customer Support and Dispute Resolution
Personal data is used to respond to customer inquiries, handle complaints, improve services, and resolve disputes.

5.    Personalized Service Provision
Personal data may be used to recommend customized products, provide personalized content, and enhance user experience based on user interests, usage history, and travel preferences.

6.    Marketing and Promotions (Subject to Consent)
Personal data may be used to provide information on events, discounts, and new services. Users may withdraw their consent to receive such communications at any time.

7.    Service Improvement and New Service Development
User behavior data and statistical data are analyzed to improve service quality, enhance features, and develop new services. In this process, personal data may be used in anonymized or aggregated form where possible.

8.    Establishment of a Secure Service Environment
Personal data is used to prevent fraudulent transactions and unauthorized access and to maintain system security in order to ensure a safe service environment.


Article 5 (Legal Basis and Consent for Personal Data Processing)

The Company processes personal data based on lawful grounds in accordance with applicable laws, and each processing activity is carried out based on one or more of the following legal bases:

1.    User Consent
The Company processes personal data based on the user’s explicit consent where necessary in the course of providing services, including membership registration, reservations, marketing communications, and event participation.
Users may withdraw their consent to personal data processing at any time; however, withdrawal of consent may result in limitations on certain services.

2.    Performance of a Contract
Where users make reservations or use services through the ComboBooking platform, personal data is processed for the performance of a contract and the provision of services.
This includes:

·         Processing reservations and payments

·         Sharing information with partners

·         Providing and operating services

In such cases, personal data processing may be carried out without separate consent.

3.    Compliance with Legal Obligations
The Company may process personal data where retention or disclosure is required by applicable laws in order to comply with legal obligations.
Examples include:

·         Retention of transaction records

·         Retention of tax and accounting records

·         Responding to requests from competent authorities

4.    Legitimate Interests
The Company may process personal data based on its legitimate interests for the following purposes:

·         Service improvement and quality enhancement

·         Prevention of fraudulent or unauthorized use

·         Maintenance of security and system stability

·         Enhancement of user experience

However, such processing shall only be carried out to the extent that it does not infringe upon the rights and interests of users.

Article 6 (Provision of Personal Data to Third Parties)

In principle, the Company does not provide users’ personal data to third parties.
However, in the following cases, personal data may be provided to third parties in accordance with applicable laws:

1.    Provision to Partners for Service Delivery
ComboBooking operates as a platform connecting users with travel product providers. When users make reservations or purchases, the Company may provide partners with the minimum personal data necessary for service delivery.

The information provided may include:

·         Reservation holder information (name, contact details, etc.)

·         Usage-related information (reservation details, schedules, etc.)

·         Other information necessary for service provision

The purposes of such provision include:

·         Reservation confirmation and service delivery

·         Customer support and on-site operations

·         Processing of cancellations, changes, and refunds

The partner receiving the personal data shall act as an independent data controller and is responsible for complying with applicable data protection laws. The Company performs reasonable management and supervisory duties as a platform operator; however, it shall not, in principle, be liable for personal data processing issues arising from the partner’s fault.

2.    Payment and Settlement Processing
Where necessary for payment services and settlement processing, personal data may be provided to payment service providers (PGs), financial institutions, or banks.

In such cases:

·         Payment information shall be processed in accordance with the policies of the relevant payment service provider

·         The Company may not directly store or manage financial information generated during the payment process

3.    Provision in Accordance with Legal Requirements
Where required by applicable laws or upon request from competent authorities such as investigative or governmental agencies, personal data may be provided in accordance with legal procedures.

4.    With User Consent
Personal data may be provided to third parties where the user has given separate consent.

5.    Right to Refuse Provision
Users have the right to refuse the provision of their personal data to third parties. However, if users refuse to provide information that is essential for service delivery, certain services such as reservations or payments may be restricted.

In all cases, the Company limits the provision of personal data to the minimum necessary for service delivery and implements reasonable safeguards to prevent use beyond the stated purposes.

Article 7 (Outsourcing of Personal Data Processing)

For the purpose of providing services efficiently and ensuring smooth operation, the Company may outsource certain personal data processing activities to external professional service providers (hereinafter referred to as “Processors”).

1.    Purpose of Outsourcing
The Company may outsource personal data processing for the following purposes:

·         Payment processing and settlement services

·         Notification services (email, SMS, etc.)

·         Server and system operations (cloud services, data storage, etc.)

·         Customer support and assistance

·         Data analysis and service improvement

“Outsourcing of personal data processing” under this Article is intended to support the Company’s operations and does not include the provision of personal data to partners for service delivery (as set forth in Article 6).

2.    Management Principles for Outsourcing
When outsourcing personal data processing, the Company shall comply with the following:

·         Clearly stipulate the Processor’s obligations to comply with applicable data protection laws through contractual agreements

·         Require appropriate technical and organizational measures to ensure data security

·         Clearly define the purpose and scope of processing and prohibit use beyond such purpose

·         Regularly monitor and supervise the Processor’s data processing activities

3.    Sub-processing (Sub-processors)
Where a Processor further engages a third party to perform processing activities, the Company shall require:

·         Sub-processing only with prior approval or within the contractually permitted scope

·         Application of an equivalent level of data protection obligations

·         Clear allocation of responsibilities arising from sub-processing

4.    Scope and Data Minimization Principle
The Company shall provide personal data to Processors only to the minimum extent necessary for service provision.

5.    Disclosure of Outsourcing
The Company may disclose information regarding outsourced processing through this Privacy Policy or a separate page.

6.    Notification of Changes in Outsourcing
In the event of any change to the Processor or the scope of outsourced processing, the Company shall provide prior notice.
Where the Processor is located overseas, personal data may be transferred and processed outside the country, and such matters shall be governed by Article 8 (Cross-border Transfer and Overseas Storage/Processing).


Article 8 (Cross-border Transfer and Overseas Storage/Processing of Personal Data)

The Company may transfer personal data to overseas locations or store and process such data abroad for the purpose of providing services.

1.    Purpose of Transfer
The Company may transfer or process personal data overseas for the following purposes:

·         Operation of global services

·         Provision of services through overseas partners

·         Operation of cloud servers and systems

·         Data storage and backup

2.    Categories of Personal Data Transferred
The categories of personal data that may be transferred overseas include:

·         Member information

·         Reservation and usage information

·         Payment-related information

·         Service usage records

The transferred data shall be limited to the minimum necessary for service provision.

3.    Countries and Methods of Transfer
Personal data may be transferred overseas through the following methods:

·         Storage and processing via cloud services (e.g., global server infrastructure)

·         Processing by overseas Processors or service providers

·         Provision to overseas partners

Personal data is not limited to a specific country and may be transferred to multiple jurisdictions as necessary for service operation. In such cases, the Company implements the following safeguards:

·         Data encryption and access control

·         Secure data transmission (e.g., SSL)

·         Application of security requirements to Processors and partners

·         Execution and management of data protection agreements

4.    Legal Basis and Consent
Cross-border transfer of personal data shall be carried out based on the following legal grounds:

·         User consent

·         Performance of a contract and service provision

·         Legal requirements under applicable laws

5.    User Rights
Users have the right to refuse the cross-border transfer of their personal data. However, refusal may result in limitations on certain services such as reservations, payments, or global services.
The Company shall continuously maintain reasonable safeguards to ensure that users’ rights and the level of personal data protection are not compromised in the course of cross-border data transfers.


Article 9 (Retention, Use, and Destruction of Personal Data)

The Company retains personal data only for the period necessary to fulfill the purposes of collection and shall securely destroy such data without delay once the purpose has been achieved.

1.    Retention and Use Period
Users’ personal data shall be retained and used from the time of registration until the termination of service use (account deletion or termination of contract).
Upon a user’s request for account deletion, the Company shall destroy personal data within a reasonable period without delay, except where retention is required by applicable laws.

In the following cases, personal data may be retained for a certain period even after termination of service use:

·         Where retention is required by applicable laws

·         For dispute resolution and user protection

·         For prevention of fraudulent use and ensuring service stability

2.    Retention Period under Applicable Laws
In accordance with Vietnamese laws and other applicable regulations, the Company may retain personal data for the following periods:

·         Records related to contracts or withdrawal of offers: 5 years

·         Records related to payment and service provision: 5 years

·         Records related to consumer complaints or dispute resolution: 3 years

·         Electronic financial transaction records: 5 years

·         Access logs and IP information: 3 months

Such data shall be stored separately and shall not be used for purposes other than those prescribed by law. The Company may adjust retention periods and categories in accordance with applicable legal requirements.

3.    Dormant Account Management
For accounts that have not been used for a certain period (e.g., 12 months), the Company may:

·         Store the personal data separately, or

·         Destroy the personal data

In such cases, the Company shall notify users in advance via email or other appropriate means.

4.    Methods of Destruction of Personal Data
When the retention period has expired or the processing purpose has been fulfilled, personal data shall be destroyed as follows:

·         Electronic files: permanently deleted using irreversible technical methods

·         Paper documents: shredded or incinerated

5.    Use of De-identified Data
The Company may use data that has been anonymized or de-identified so that individuals cannot be identified, for purposes such as statistical analysis, service improvement, and research. In such cases, such data shall not be considered personal data.

6.    Destruction Principle
The Company shall not retain personal data solely on the basis of potential future use. Personal data shall be managed based on clear purposes and retention periods and shall be destroyed without delay once the purpose has been fulfilled.

Article 10 (Cookies, Logs, Device Information, and Automatically Collected Data)

The Company may automatically collect user information for the purposes of providing services, maintaining security, and improving user experience.

1.    Information Collected
During the use of the Services, the following information may be automatically collected:

·         IP address

·         Access date/time and usage records

·         Service access paths and behavioral data

·         Device information (browser, operating system (OS), device identifiers, etc.)

·         Cookies and similar technologies

2.    Purpose of Collection
The Company uses automatically collected information for the following purposes:

·         Service optimization and enhancement of user experience

·         Provision of personalized content and product recommendations

·         Analysis of usage patterns and service improvement

·         Maintenance of security and prevention of unauthorized use

·         Management of access logs and ensuring system stability

3.    Types and Use of Cookies
The Company may use the following types of cookies:

·         Essential Cookies
Cookies necessary for core service functions (e.g., maintaining login sessions, processing reservations)

·         Functional and Analytical Cookies
Cookies used to analyze user behavior for service improvement and feature optimization

·         Marketing and Advertising Cookies
Cookies used to provide personalized content, advertisements, and promotions based on user interests

4.    Third-party Tools and External Services
The Company may use third-party tools or services for analytics, advertising, and marketing purposes. In such cases, certain information may be shared with such service providers and processed in accordance with their respective privacy policies.

5.    Cookie Settings and Refusal
Users may allow or refuse the storage of cookies through their web browser settings:

·         Allow all cookies

·         Prompt before storing cookies

·         Block all cookies

However, refusal to store cookies may result in the following limitations:

·         Restrictions on login persistence

·         Potential errors in reservation and payment processes

·         Limitations in providing personalized services

·         Restrictions on certain features or services

6.    Security and Management of Automatically Collected Data
The Company manages automatically collected information to ensure security and system stability and may use such information for the prevention of fraudulent activities and incident response.

7.    User Choice
Users may exercise their choice regarding the use of cookies and automatically collected data through separate consent procedures where required by applicable laws and may change their settings at any time.


Article 11 (Liability for External Services and Third-Party Websites)

For the convenience of users, the Company may provide links or integrations with third-party services. The scope of personal data processing and related responsibilities shall be as follows:

1.    External Services and Third-Party Integrations
The Company may link to or integrate third-party websites, applications, or services in the following cases:

·         Websites or systems of travel product partners

·         Payment service providers (PGs) and financial institutions

·         SNS login and external account integration services

·         Advertising, analytics, and marketing tools

·         Other external systems necessary for service provision

2.    Data Controller of Personal Data
Where users access or use external services, the personal data provided by users shall be processed in accordance with the privacy policy of the respective service provider. In such cases, the Company does not have direct control over such data processing.

3.    Scope of Liability
The Company shall not be liable for:

·         The personal data processing practices of external services or third-party websites

·         The security level or data protection measures of external services

·         The content, operation, or outcomes of services provided by external services

However, the Company endeavors to select reliable service providers within a reasonable scope to ensure safe use of the Services.

4.    Allocation of Responsibility for Partner Services
ComboBooking operates as a platform connecting users and partners, and the actual provision and operation of individual travel products are carried out under the responsibility of each partner. Accordingly, the processing, storage, and use of personal data received by partners shall be governed by the partner’s own policies and legal responsibilities.

5.    User Notice
Users are advised to review the privacy policies and terms of use of external or third-party services before using them. The Company shall not be liable for the use of external services chosen by users.


Article 12 (Rights of Users and Data Subjects)

The Company guarantees the rights of users (hereinafter referred to as “Data Subjects”) regarding their personal data, and Data Subjects may access, manage, and control their personal data at any time.

1.    Right to Access and Rectification
Data Subjects have the right to access and correct their personal data at any time.

·         Members: may update their information directly through the account settings page

·         Non-members or other cases: may request access or correction through customer support or email

2.    Right to Erasure and Account Deletion
Data Subjects have the right to request account deletion or erasure of personal data at any time.
The Company shall delete personal data within a reasonable period without delay, except where retention is required by applicable laws.

3.    Right to Restriction of Processing
Data Subjects have the right to request restriction of processing of their personal data.
However, such requests may be limited in the following cases:

·         Where data retention is required by law

·         Where necessary for contract performance or service provision

·         Where it may infringe upon the rights or safety of others

4.    Right to Withdraw Consent and Object to Processing
Data Subjects may withdraw their consent or object to specific processing activities at any time.
However, this may result in limitations on service use or termination of contractual relationships.

5.    Right to Data Provision and Transfer
Data Subjects may request the provision or transfer of their personal data. The Company shall comply within the scope permitted by applicable laws, and reasonable costs may be incurred depending on the nature of the request.

6.    Right to Opt-out of Marketing Communications
Data Subjects may opt out of receiving marketing communications at any time, and such refusal shall not affect the use of basic services.

7.    Methods of Exercising Rights and Processing Procedures
Data Subjects may exercise their rights through the following methods:

·         Account information update functions on ComboBooking.com

·         Customer support inquiries

·         Email or designated communication channels

The Company shall process such requests within a reasonable period and may, where necessary:

·         Verify the identity of the requester

·         Request additional information

·         Verify proper authorization in the case of requests made by an agent

8.    Restriction or Refusal of Requests
The Company may restrict or refuse requests in the following cases:

·         Where compliance is restricted by applicable laws

·         Where requests are manifestly repetitive or excessive

·         Where it may infringe upon the rights or legitimate interests of others

In such cases, the Company shall provide an explanation within a reasonable scope.

9.    Principle of Rights Protection
The Company recognizes that personal data is not the property of the Company but belongs to the Data Subject as a matter of rights. The Company ensures such rights in a transparent and fair manner, enabling users to directly control their personal data.


Article 13 (User Obligations)

Users are responsible for protecting their personal data and must comply with the following to ensure safe use of the Services:

1.    Maintaining Accuracy of Personal Data
Users must ensure that their personal data is accurate and kept up to date.
Users shall be solely responsible for any issues arising from inaccurate or false information.

2.    Responsibility for Account Information Management
Users must securely manage their account information, including ID and password, and must not transfer, share, or lend such information to third parties.
All activities conducted through a user’s account shall, in principle, be deemed the responsibility of that user.

3.    Security Obligations
Users must take appropriate security measures to protect their personal data, including regularly updating passwords and using information that is not easily guessable.

4.    Obligation to Report Unauthorized Access and Incidents
Users must promptly notify the Company in the following cases:

·         Suspected account compromise or unauthorized access

·         Personal data breaches or security incidents

The Company may not be liable for damages arising from delays or failure to report such incidents.

5.    Measures Upon Termination of Service Use
When using the Services on public or shared devices, users must take necessary security measures such as logging out and closing the browser.

6.    Protection of Others’ Personal Data
Users must not unlawfully collect, use, disclose, or misappropriate the personal data of others.
In particular, when uploading content (reviews, images, blogs, etc.), users must ensure that such content does not include others’ personal data.

7.    Responsibility for Content and Information
Users are responsible for all information and content they post or provide through the Services.
Where such content infringes upon the rights of others, violates personal data protection, or breaches applicable laws, users shall bear the corresponding legal responsibility.

8.    Scope of User Responsibility
The Company shall not be liable for damages arising from user negligence, account information leakage, insufficient security management, or unauthorized use by third parties, unless such damages are caused by the Company’s willful misconduct or gross negligence.

9.    Compliance with Laws and Policies
Users must comply with applicable data protection laws and this Policy.
Failure to comply may result in restrictions on service use or legal liability.


Article 14 (Children’s Personal Data)

The Company places special importance on the protection of children’s personal data and manages such data strictly in accordance with applicable laws and policies.

1.    Restriction on Collection
As a general rule, the Company does not collect personal data from children under the age of 14. Children under the age of 14 may be restricted from using the Services or registering accounts.

2.    Exceptional Collection
Personal data of children may be collected and used only with the explicit consent of a legal guardian (such as a parent). In such cases, the Company shall collect only the minimum information necessary.

3.    Age Verification and Responsibility
Users must provide accurate age information when using the Services, and any issues arising from false information shall be the responsibility of the user.

4.    Protective Measures
The Company applies stricter standards to protect children’s personal data than those applied to adults.
If it is determined that children’s personal data has been improperly collected or processed without the consent of a legal guardian, the Company shall delete such data without delay.

5.    Account Restriction and Deletion
The Company may restrict or delete accounts in the following cases:

·         Where a child under 14 registers without legal guardian consent

·         Where false age information is provided

·         Where children’s personal data has been improperly processed

6.    Roles of Users and Legal Guardians
Legal guardians are responsible for providing appropriate guidance and supervision when children use online services to ensure the protection of their personal data.
The Company may take reasonable measures to verify users’ age and may request additional information where necessary.


Article 15 (Responsibilities of Partners and Content Partners in Personal Data Processing)

ComboBooking operates as a platform connecting users and partners; therefore, the responsibilities for personal data processing are allocated as follows:

1.    Role of ComboBooking

·         Operation of the platform and information intermediation

·         Provision of reservation and payment systems

·         Management of personal data protection in accordance with applicable laws

2.    Role of Partners

·         Provision of products and operation of services

·         Customer support and on-site service delivery

·         Protection and management of personal data received during service performance

3.    Responsibilities of Content Partners
Content partners (including those who create blogs, reviews, etc.) must not collect, use, or disclose personal data of others without authorization.

4.    Allocation of Responsibility

·         Where a partner or content partner uses personal data beyond the intended purpose or violates applicable laws, all resulting liabilities shall be borne by the respective partner.

·         ComboBooking, as an e-commerce intermediary platform, performs platform operations and implements technical and organizational safeguards; however, it shall not be liable for personal data processing arising from the individual service operations of partners.


Article 16 (Technical and Organizational Measures for the Protection of Personal Data)

The Company implements the following technical and organizational measures to ensure the security of users’ personal data:

1.    Encryption of Personal Data
User passwords are stored using one-way encryption, and sensitive personal data, including identification and payment information, is protected through secure encryption technologies in accordance with applicable laws.

2.    Protection Against Hacking and Intrusion
The Company operates intrusion detection systems and security solutions to protect personal data from hacking and unauthorized access, and monitors and blocks abnormal activities in real time.

3.    Access Control Management
Access to personal data is restricted to the minimum necessary personnel, with differentiated access rights assigned based on job responsibilities and continuously monitored and managed.

4.    Internal Management and Training
The Company provides regular training to employees handling personal data to ensure awareness of data protection and compliance with applicable laws and internal policies.

5.    Storage and Management of Personal Data
Personal data is stored in a secure server environment and protected by security systems designed to prevent unauthorized access, leakage, alteration, or damage.

6.    Protection During Transmission
Users’ personal data is transmitted through encrypted communication channels (such as SSL) and is securely protected during transmission.

7.    Incident Response System
In the event of a personal data breach or similar incident, the Company shall respond promptly in accordance with applicable laws, notify users, and take necessary measures to minimize damage.


Article 17 (Response to Personal Data Breaches and Notification)

In the event of incidents such as leakage, loss, damage, or unauthorized access to personal data, the Company shall respond promptly and appropriately in accordance with applicable laws.

1.    Incident Response
Where a personal data breach has occurred or is likely to occur, the Company shall immediately recognize the incident, investigate its cause, and take necessary measures without delay to prevent further damage and minimize impact.

2.    Notification to Users
In the event of a personal data breach, the Company shall promptly notify users in accordance with applicable laws, including the following information:

·         Categories of personal data affected

·         Time and circumstances of the breach

·         Measures that users may take

·         The Company’s response measures and contact information

However, notification may be restricted or delayed where there are legitimate grounds under applicable laws.

3.    Reporting to Authorities
In the event of a personal data breach, the Company shall report to supervisory or relevant authorities in accordance with applicable laws and shall fully cooperate with any investigation or response procedures as required.

4.    Measures to Prevent Recurrence
The Company shall analyze the causes of the incident and continuously improve its security systems and internal management procedures to prevent the recurrence of similar incidents.


Article 18 (Inquiries and Complaint Handling Regarding Personal Data)

The Company designates a Personal Data Protection Officer and relevant department to promptly and faithfully handle inquiries and complaints related to the protection of users’ personal data.

1.    Personal Data Protection Officer and Contact Information
Users may submit inquiries, access requests, correction requests, and complaints regarding personal data through the following contact details:

·         Company Name: Coach Travel Co., Ltd. (ComboBooking)

·         Address: B34, Ngo 70, Nguyen Thi Dinh, Thanh Xuan, Hanoi, Vietnam

·         Email: (To be provided) or designated contact channels within the Service

2.    Handling of Inquiries and Complaints
Users may raise inquiries, complaints, or requests for remedies related to personal data arising during the use of the Services.
Upon receiving such requests, the Company shall verify the facts without delay and provide results within a reasonable period.

3.    External Authorities
Users may also seek consultation or file complaints with relevant authorities regarding personal data protection outside the Company. (Relevant authorities may be specified separately depending on the jurisdiction)


Article 19 (Amendment and Notification of the Privacy Policy)

The Company may amend this Privacy Policy in accordance with changes in applicable laws, service updates, or internal policies.

1.    Notice of Changes
Where the contents of this Policy are added, deleted, or modified, the Company shall notify users at least 7 days prior to the effective date via notices within the ComboBooking Service or by email.
However, in cases where changes materially affect users’ rights, prior notice shall be provided at least 30 days in advance.

2.    Effectiveness of Policy
The revised Privacy Policy shall take effect from the announced effective date.

3.    Cases Requiring Separate Consent
Where changes materially affect users’ rights, such as changes in the purpose of collection/use of personal data or provision to third parties, the Company shall obtain separate consent in accordance with applicable laws.

4.    Last Updated and Effective Date

·         Last Updated: April 1, 2026

·         Effective Date: April 10, 2026

 

ComboBooking