Privacy Policy
Effective date: 2026-03-20
Data Controller:
Vietnamese Human Resources Recruitment Co., Ltd.
Address: 119 Điện Biên Phủ, Tân Định Ward, District 1, Ho Chi Minh City, Vietnam
Phone: +84 28 7300 1519
Email: info@headhuntvietnam.com
Working hours: Monday – Friday, 08:30 – 17:30
We respect and are committed to protecting your privacy in accordance with Vietnamese law, including the Personal Data Protection Law No. 91/2025/QH15 and Decree No. 356/2025/ND‑CP on personal data protection, together with other related legal provisions. This policy explains how we collect, use, share, store, and protect personal data when you access the website or use our services.
By using the website/services, you confirm that you have read, understood, and agree to this Policy. If you do not agree, please cease accessing or using the services.
1. Scope of Application
The policy applies to:
- Candidates, job seekers, and profile submitters.
- Employers/companies posting job advertisements or using candidate referral services.
- Trainees/customers using Training & Development services.
- Website visitors and recipients of career counseling.
2. Personal Data We Collect
Depending on the service you use and your consent, we may collect:
2.1. Identification & Contact Information
Full name, gender, date of birth, nationality, photo, phone number, email, contact/residential address. Company information: company name, tax identification number, logo, industry, company size, office location (province/city, district, address), website, company description.
2.2. Employment & Education Information
Resume/profile, education and work history, certificates, skills, recommendation letters, references, job preferences, application/interview history.
2.3. Account & Transaction Information
Username, login/usage history, purchased service packages, payment information (e.g., transaction ID, payment processor). Payment cards/accounts, if any, are processed and encrypted by the partner payment gateway.
2.4. Technical Data When Accessing the Website
IP address, browser type, device, cookies, tracking pixels/codes, access logs, visited pages, feature interactions.
2.5. Sensitive Data (only when necessary and with a lawful basis/clear consent)
Processing of sensitive data is carried out only when there is explicit written consent or an equivalent form from the data subject, except where permitted by law pursuant to Article 15 of the Personal Data Protection Law No. 91/2025/QH15.
Sensitive data includes but is not limited to:
- Health information (health status, medical history)
- Religious beliefs, political opinions
- Racial or ethnic origin
- Personal and private life information
- Criminal record information (if any)
Examples of sensitive data we may collect: recordings of customer service calls; health/legal information used for screening specific positions (if applicable); desired/actual salary levels; ethnic, religious or political information (only when you voluntarily provide it to meet a specific job requirement).
2.6. Third‑Party Data You Provide
When you provide information about references/colleagues, you represent that you have obtained their valid consent.
2.7. Email Subscription Management Data
To manage unsubscribe/re‑subscribe requests, we may process information such as: email address, email subscription status, request timestamp, confirmation timestamp, request source (website/email), and related technical logs for abuse prevention and complaint handling.
3. Purpose of Data Processing
We process data to:
- Core service provision: Executive Search (headhunting), candidate introduction/nomination, posting job ads, posting job seeker profiles, career counseling, Training & Development, account operation.
- Recruitment connection: Share candidate profiles/job requirements with suitable employers; share company information/recruitment needs with potential candidates.
- Company information display: Display your company information on job postings and the company page for candidates to view.
- Suggestion – experience optimization: Analyze profiles and behavior to recommend suitable jobs/candidates/courses/content; improve the product.
- Transaction & support: Process payments; customer service; respond to complaints/disputes.
- Verification & compliance: Verify the authenticity of profiles (with consent), meet legal/government requirements; fraud prevention.
- Selective marketing: Send information about jobs, courses, events, newsletters, offers… when you have not opted out.
- Email preference management: Receive and process unsubscribe/resubscribe requests, send confirmation emails and update your email subscription status.
We only process data beyond the above purposes when we have a lawful basis or your additional consent.
4. Cookies and Tracking Technologies
We use cookies, pixel tags and similar technologies to:
- Remember login sessions, display preferences, "bookmark" news/items of interest.
- Analyze traffic, measure the effectiveness of content/recruitment.
- Personalize content/job/candidate suggestions.
Cookie Classification:
4.1. Essential Cookies:
Cannot be disabled because they are required for the basic operation of the website (e.g., user authentication, shopping cart, security).
4.2. Analytical Cookies:
Help us understand how you use the website to improve the user experience.
4.3. Marketing Cookies:
Used to personalize advertising and marketing content in line with your preferences.
Managing Cookies:
- Disable cookies in your browser settings
- Use the cookie management tool on our website (if available)
- Decline non‑essential cookies when you first visit the website via the cookie banner
Note: Disabling certain cookies may affect your experience and some features may not function fully.
5. Legal Basis for Data Processing
- Your consent (e.g., sharing your profile with recruiters, receiving marketing communications).
- Performance of a contract/service between you and us.
- Legal obligations (e.g., storing invoices, providing information upon lawful request).
- Legitimate interests (e.g., system security, fraud prevention, service improvement) — always balanced with your rights.
6. Who We Share Data With
We do not sell personal data. Data may be shared in the following circumstances:
- Employers/recruitment partners: When you apply for a position, enable the searchable status, or consent to being nominated/referred.
- Service providers acting on our behalf: Infrastructure hosting, data analytics, marketing, customer support, payment gateways… (access limited to what is necessary, with security safeguards).
- Government agencies/authorities: When a lawful request is received.
- Corporate transactions: Mergers/acquisitions/restructurings (data will continue to be protected at least at an equivalent level).
- Training/event partners: When you register for a course or event organized or co‑organized by us.
7. Transfer of Data Abroad
In certain circumstances (e.g., using cloud infrastructure, partner analytics/ATS tools), data may be transferred and stored outside Vietnam. The transfer of personal data abroad is carried out in compliance with Articles 25 and 26 of the Personal Data Protection Law No. 91/2025/QH15.
Conditions for International Data Transfer:
7.1. Consent of the Data Subject:
Data may be transferred only with your explicit consent or when one of the legal conditions is met.
7.2. Data Protection Level of the Receiving Country:
The receiving country must provide a level of personal data protection that is comparable to or higher than that of Vietnam, as required by law.
7.3. Notification to the Data Subject:
We will inform you when your data is transferred abroad and the protective measures applied.
7.4. Additional Protective Measures:
If data is transferred to a country without an equivalent level of protection, we will implement appropriate safeguards in accordance with the law (e.g., entering into a confidentiality agreement, using standard contractual clauses).
Our Obligations
Pursuant to Articles 24 through 28 of the Personal Data Protection Law No. 91/2025/QH15, as a data controller, we have the following obligations:
1. Implement Measures to Protect Data Subject Rights
We commit to respecting and safeguarding your lawful rights throughout the personal data processing.
2. Establish Mechanisms for Receiving and Handling Data Subject Requests
We have established clear procedures to receive, process, and respond to requests concerning your personal data.
3. Maintain Records of Personal Data Processing Activities
We maintain comprehensive records of personal data processing activities as required by law.
4. Conduct Data Protection Impact Assessments When Necessary
Before undertaking high-risk data processing activities, we conduct impact assessments to identify and mitigate risks.
5. Implement Controls and Supervision of Data Processing Activities
We apply stringent control and monitoring measures to ensure compliance with personal data protection laws.
6. Apply Appropriate Personal Data Protection Measures
We employ suitable technical and organizational measures to protect personal data (encryption, access controls, monitoring, backup, periodic risk assessments, etc.).
8. Retention Period
We retain personal data for as long as necessary to fulfil the purposes described or as required by law. The retention periods for each data category are as follows:
Retention periods by data type:
8.1. Account data:
Retained for the entire duration the account is active and up to a maximum of 5 years after the account is locked or deleted upon request.
8.2. Application data:
Retained for up to 5 years after the conclusion of the recruitment process, unless a different legal requirement applies.
8.3. Payment data:
Retained in accordance with current accounting and tax regulations.
8.4. Marketing data:
Retained until you opt out of receiving marketing communications.
8.5. Email subscription management data:
The email subscription status and confirmation request history are retained for as long as necessary to operate the service, prevent abuse, handle complaints, and comply with legal obligations.
If no legal requirement or dispute/complaint resolution need calls for longer retention, this data is retained for a maximum of 5 years from the most recent subscription status update.
When the retention period expires or the purpose/legal basis no longer exists, the data will be permanently deleted or anonymised in accordance with our internal procedures.
9. Your Rights
According to Article 9 of the Personal Data Protection Law 91/2025/QH15, you have the following rights (subject to applicable conditions):
- Right to be informed about personal data processing activities.
- Right of access, to obtain a copy of personal data.
- Right to rectification: to update or supplement inaccurate/incomplete data.
- Right to withdraw consent (without affecting the lawfulness of processing prior to withdrawal).
- Right to erasure, restriction of processing, and objection to processing in certain circumstances as provided by law.
- Right to lodge a complaint or report to the competent authority.
- Right to data portability: Receive data in a commonly used structured format.
- Right to object to personal data processing in specific cases.
- Right to claim compensation for damages resulting from personal data protection violations.
How to exercise your rights:
Contact info@headhuntvietnam.com with the subject line: "Personal Data Request" and include identity verification information.
For managing marketing email preferences, you may do so directly via the Email Subscription Center on our website or follow the unsubscribe/subscribe link provided in the email (if available).
We will update your email subscription status immediately after successful confirmation or within a reasonable period in accordance with our operational procedures.
Response timeframes:
9.1. Data breach notification:
We will notify you within 72 hours of discovering the incident, pursuant to Article 23 of the Personal Data Protection Law 91/2025/QH15.
9.2. Other data subject requests:
We will respond within 72 hours of receiving a valid request and complete the request within a reasonable period as required by law. For complex requests, processing may take up to 30 days; in such cases we will inform you of any extension.
Complaint handling procedure:
If you wish to lodge a complaint or make a request regarding your personal data, please follow the procedure below:
- Submit complaint/request: Email info@headhuntvietnam.com with the subject line: "Personal Data Complaint" and include:
  - Your full name and contact information
  - A description of your complaint or request
  - Any supporting documentation (if applicable)
  - A copy of identity verification documents
- Initial acknowledgment: We will acknowledge receipt of the complaint within 24 hours.
- Investigation and response: Our Data Protection Officer will investigate and provide a detailed response within 72 hours.
- Resolution: If you are satisfied with our response, the complaint will be closed. If not, you may lodge a complaint with the competent authority.
Complaint to the supervisory authority:
If you are not satisfied with our response or believe your personal data protection rights have been infringed, you have the right to complain to:
Personal Data Protection Supervisory Authority
Contact point: Ministry of Science and Technology
Website: [Update official link when announced]
10. Data Security
We apply appropriate technical and organizational measures (encryption, access control, monitoring, backup, periodic risk assessments…). However, no method is absolutely safe on the Internet; please:
- Keep login credentials confidential; log out after use; be cautious when accessing from public devices.
- Notify us immediately if you suspect unauthorized access to your account.
Incident handling for data leaks (if any):
We will inform the affected individuals and the competent authorities as required; at the same time we will implement remedial measures and provide guidance to mitigate risk.
11. Individuals Under 16 Years Old
The website/service is not directed at users under 16 years of age. If we inadvertently collect data from a person under 16 without valid parental/guardian consent, we will delete it as soon as possible upon notification.
12. Voluntary/mandatory nature
Some data fields are mandatory for the provision of services (marked when you register/apply/purchase a service). If you refuse to provide them or withdraw consent for core purposes, we may be unable to continue providing the corresponding service.
Personal data processing impact assessment
In accordance with legal provisions, we conduct a Data Protection Impact Assessment (DPIA) before carrying out data processing activities that may pose a high risk to the rights and legitimate interests of data subjects.
When a DPIA is mandatory:
Pursuant to Article 27 of the Personal Data Protection Law No. 91/2025/QH15, a DPIA must be carried out for the following processing activities:
- Systematic and comprehensive evaluation of personal aspects concerning an individual based on automated processing, including profiling
- Large‑scale processing of special categories of personal data (sensitive data) as defined in Article 15
- Large‑scale processing of data related to criminal offenses and violations of law
- Systematic monitoring of publicly accessible areas on a large scale
- Any other processing activity that could result in a high risk to the rights and legitimate interests of the data subject
The impact assessment shall include:
1. Description of the intended data processing activity
Details of the types of data to be processed, the purposes of processing, the scope of processing, and the parties involved.
2. Assessment of necessity and proportionality of the processing
Analysis of whether the data processing is necessary and proportionate to the stated purposes.
3. Risk assessment for the rights and interests of the data subject
Identification of potential risks and the extent of impact on the data subject’s privacy.
4. Risk mitigation measures
Proposed and implemented technical and organisational measures to mitigate the identified risks.
13. Third‑Party Links & Social Login
The website may contain links to third‑party websites/services (e.g., payment tools, social networks, ATS). Their privacy policies will govern the data you provide on those platforms. When you use login via a third‑party account (if available), you permit us to receive information to the extent you have agreed with that provider.
14. Policy Changes
We may update the Policy to reflect changes in the law or operational procedures. The updated version will be posted on the website together with the effective date. Your continued use of the service after the effective date constitutes your acceptance of the changes.
15. Contact
Vietnam Human Resources Recruitment Co., Ltd.
Email: info@headhuntvietnam.com
Phone: +84 28 7300 1519
Address: 119 Dien Bien Phu, Tan Dinh Ward, District 1, Ho Chi Minh City, Vietnam
Working hours: Monday – Friday, 08:30 – 17:30
Competent authority for personal data protection:
If you wish to lodge a complaint regarding personal data protection violations, please contact:
Specialized authority for personal data protection
Contact point: Ministry of Science and Technology
Website: https://most.gov.vn