Privacy Policy

01Who We Are and Our Role

Innovista Solutions Company Limited is the entity responsible for the Service.

Allingo is a delivery orchestration platform connecting businesses and individuals with independent third-party delivery and logistics providers. Allingo does not operate transportation, logistics, or courier services directly.

Depending on the data, we act in different legal roles:

• As a data controller (and processor where applicable) for the personal data of our account holders and their team members (e.g., account, business, financial, usage data). We decide the purposes and means of this processing.
• As a data processor on behalf of our business clients for personal data of senders and delivery recipients (e.g., buyer names, phone numbers, addresses) that clients submit or sync through connected platforms (such as Pancake) to create shipments. For this data, the client is the controller and we process it only to perform delivery orchestration services under their instructions. Clients are responsible for having a lawful basis to share this data with us.

02Personal Data We Collect

2.1 Data you provide

• Account data: full name, email address, phone number, username, password (stored in hashed form).
• Business data: company name, business registration information, tax identification number, business addresses, contact persons, pickup and delivery locations.
• Shipment data: sender and recipient details, delivery instructions, package details, contents descriptions, COD amounts, delivery preferences.
• Financial data (sensitive): bank account information, billing information, payment method details, wallet and postpaid account information, invoice information. Payment card data is processed by licensed payment providers and is not stored by Allingo.
• Verification data: business registration certificates, government-issued identification, tax documents, and other documents required for verification or postpaid activation.
• Communications data: information you provide when contacting support, sales, operations, or account managers.

2.2 Data collected automatically

• Device and log data: device type, browser, operating system, application version, IP address, access timestamps, pages visited, referring URLs, session activity.
• Location data (sensitive): collected only if you enable it, for shipment tracking and operational purposes.
• Usage and technical data: platform and shipment activity, feature usage, error logs, performance data, API usage logs, security monitoring data.

2.3 Data from third parties

• Delivery and logistics partners: order statuses, tracking updates, delivery confirmations, proof of delivery, COD information, operational performance data.
• Payment providers: payment confirmations, settlement, withdrawal, and payment failure information.
• Verification providers: identity and business verification results, compliance checks.
• Connected platforms you authorize (e.g., Pancake, e-commerce, ERP, POS, CRM, marketplaces, custom API integrations): data necessary for synchronization, shipment creation, tracking, and reporting.

Sensitive personal data. Under the PDPL, certain data we process is classified as sensitive — including financial and credit information and location data. Where we collect sensitive personal data, we will inform you that the data is sensitive at the time consent is requested and apply heightened security measures.

03Legal Bases for Processing

We process personal data only where a legal basis applies under Vietnamese law:

• Your consent, obtained explicitly and per purpose (e.g., marketing communications, optional location collection).
• Performance of a contract: processing necessary to provide the Service you registered for, including creating shipments, coordinating deliveries, wallet and COD operations, and billing.
• Legal obligations: processing required by accounting, tax, e-commerce, cybersecurity, anti-fraud, and other applicable laws.
• Other cases permitted by law, including protection of life and health in emergencies, national security, and public interest as defined in the PDPL.

04How We Use Personal Data

Our delivery recommendations (such as Best Matched) are generated automatically based on cost, speed, and courier performance data. They do not produce legal effects on you, and you can always select a different option manually.

05Consent and How to Withdraw It

• Where consent is the legal basis, we request it explicitly, separately for each purpose, in a form that can be printed, copied, or re-verified (in writing, by electronic confirmation, or other verifiable means).
• We do not bundle consent: access to the core Service is never conditioned on consenting to unrelated purposes such as marketing.
• You may withdraw consent at any time through your account settings or by contacting us (Section 13). Withdrawal does not affect the lawfulness of processing carried out before withdrawal. We will inform you of any consequences (e.g., loss of optional features) before completing the withdrawal.
• We acknowledge consent-withdrawal and other rights requests within 2 (two) working days of receipt and process them within the statutory timeframes.

06Sharing and Disclosure of Personal Data

We do not buy or sell personal data, and we prohibit our partners from doing so. We share personal data only as described below:

• Delivery partners: sender and recipient information, shipment details, delivery instructions, and business information needed for fulfillment. Partners process this data as required to perform delivery and under data protection agreements with us, as well as their own legal obligations.
• Payment service providers: licensed providers process payment, settlement, withdrawal, and fraud prevention information. We receive only what is necessary to operate the Service.
• Service providers: cloud hosting, data storage, analytics, communications, customer support, security monitoring, and identity verification vendors acting under our instructions and confidentiality and data protection obligations.
• Connected platforms: when you connect a third-party platform (e.g., Pancake), we exchange the data necessary to provide synchronization, shipment creation, tracking, and reporting that you have requested.
• Authorities: where disclosure is required by law or a valid request of a competent Vietnamese authority.
• Business transfers: in a merger, acquisition, reorganization, or asset transfer, personal data may be transferred subject to PDPL requirements; we will notify affected users where required.

07Cross-Border Data Transfers

Allingo primarily stores and processes personal data in Vietnam. If personal data of Vietnamese citizens is transferred outside Vietnam (for example, to regional cloud infrastructure), we will comply with PDPL cross-border transfer requirements, including preparing and submitting a Cross-Border Transfer Impact Assessment (CTIA) dossier to the Ministry of Public Security within the statutory deadline, and applying contractual and technical safeguards so the data receives protection consistent with Vietnamese law.

08Data Retention

When retention ends, we delete or irreversibly anonymize the data. Anonymized data that can no longer identify you may be retained for analytics.

09Data Security

• Encrypted data transmission (SSL/TLS) and encryption of sensitive data at rest where applicable.
• Access controls, role-based permissions, and restricted employee access on a need-to-know basis.
• Audit logging, security monitoring, and secure infrastructure.
• Backup and recovery procedures.
• Heightened controls for sensitive personal data (financial and location data), including access rules and processing procedures as required by Decree 356/2025/ND-CP.

No system can guarantee absolute security. You are responsible for keeping your account credentials confidential and for the accuracy of data you submit.

10Personal Data Breach Response

If a personal data breach occurs, we will activate our incident response procedures, notify the competent authority (Ministry of Public Security) within 72 hours of detection where required by the PDPL, and inform affected users without undue delay when the breach is likely to cause harm, including the nature of the breach, likely consequences, and measures taken.

11Your Rights

Under the PDPL you have the right to:

• Know about and be informed of the processing of your personal data.
• Give or refuse consent, and withdraw consent at any time.
• Access your personal data and request a copy.
• Rectify (correct or update) your personal data.
• Request deletion of your personal data.
• Restrict or object to processing, including objecting to direct marketing at any time.
• Request provision of your personal data to yourself or another party where technically feasible.
• Complain, denounce, and initiate legal proceedings, and claim compensation for damage caused by violations.

How to exercise your rights: submit a request via your account settings or to the contact in Section 13. We acknowledge requests within 2 (two) working days and resolve them within the timeframes prescribed by the PDPL and Decree 356/2025/ND-CP (generally 10 to 30 days depending on the request, with one permitted extension, of which we will notify you). We may need to verify your identity before acting. Some requests may be limited where the law requires us to retain data (e.g., accounting records) — we will explain any such limitation.

You also have the right to lodge a complaint with the Ministry of Public Security (Department of Cybersecurity and Hi-Tech Crime Prevention — A05).

12Cookies and Similar Technologies

We use cookies and similar technologies to maintain sessions, remember preferences, support security, and analyze usage and performance. Strictly necessary cookies are used to operate the Service; analytics and marketing cookies are used only with your consent, which you can manage through our cookie settings or your browser. Disabling some cookies may affect functionality.

13Contact Us

• Privacy contact: support@allingo.vn
• Address: Room 301, No. 48 Phu Thuan, Phu Thuan Ward, Ho Chi Minh City, Vietnam

14Children

The Service is intended for business use by individuals aged 18 or older. We do not knowingly collect personal data of children. Recipient data of minors submitted by clients for delivery purposes is processed on the client's instructions; if we learn we have processed a child's data without the consents required by the PDPL, we will delete it.

15Third-Party Platforms and Links

Connected platforms (such as Pancake), delivery partners, and payment providers operate under their own privacy policies. We encourage you to review them. We are not responsible for the privacy practices of third parties beyond the protections in our agreements with them.

16Updates to This Policy

We may update this Policy to reflect changes in law, technology, or our operations. Updated versions will be published on our website with a revised Effective Date, and we will notify you of material changes through the Service or by email. Where a change involves a new processing purpose that requires consent, we will request your consent before applying it — continued use alone will not be treated as consent for such purposes.

17Governing Law and Language

This Policy is governed by the laws of Vietnam. It is published in Vietnamese and English; in case of any inconsistency, the Vietnamese version prevails.