PERSONAL DATA PRIVACY POLICY
CÔNG TY TNHH DỊCH VỤ COSTORY
Effective Date: January 1, 2026
Last Updated: June 30, 2026
1. General Provisions & Legal Basis
Công ty TNHH Dịch Vụ CoStory (hereinafter referred to as “CoStory”, “We”, or “Our”) is committed to protecting the privacy and personal data of our Content Creators, Influencers, Brand Clients, and visitors to our digital platforms.
This Privacy Policy regulates how CoStory collects, stores, uses, processes, shares, and deletes personal data in strict compliance with:
- The Law on Personal Data Protection No. 91/2025/QH15 (PDPL).
- The guiding Decree No. 356/2025/ND-CP of the Government of Vietnam.
- The Law on Accounting and applicable tax regulations of the Socialist Republic of Vietnam.
2. Categories of Personal Data Collected
In accordance with Vietnamese law, CoStory explicitly categorizes and processes the following two tiers of personal data:
A. Basic Personal Data
- Content Creators / Influencers: Full legal name, stage name/alias, gender, date of birth, contact phone number, personal email address, social media profile links, public content metrics, and personal images or video materials.
- Brand Clients & Corporate Partners: Corporate representative's full name, job title, corporate email address, business phone number, and company operational address.
B. Sensitive Personal Data (Heightened Security Measures)
- Creator Financial Identity: Citizen Identity Card (CCCD) or Passport numbers, personal Tax Identification Numbers (TIN), and bank account details (account numbers, bank names, branch details) collected solely for contract execution and Personal Income Tax (PIT) withholding.
- Cyberspace Behavior Data: IP addresses, device information, browser types, and digital behavior tracking data collected automatically from users visiting our main site and subdomains via analytical infrastructure.
3. Channels of Collection & Platform Disclaimers
CoStory operates a highly communicative, decentralized workflow. We collect personal data directly from you across the following digital communication channels:
- Official Corporate Email: Electronic mail routed via info@costory.studio.
- Instant Messaging & Social Platforms: Official interactions across Zalo, Telegram, Facebook Messenger, Threads, Instagram Direct Messages, and TikTok chat utilities.
- Voice and SMS: Direct telephonic conversations and standard cellular messages.
- Platform Analytics: Automatically triggered scripts deployed directly on costory.studio and its associated subdomains.
Third-Party Platform Disclaimer: While CoStory guarantees the complete security of data once it enters our internal systems, we do not control the underlying data infrastructure of external communication platforms (such as Meta platforms, ByteDance, or Zalo). Users interact on these platforms at their own risk and are bound by the respective providers' privacy frameworks. Unsolicited sensitive data sent to us via these chats that is not required for contract execution will be permanently purged within thirty (30) days.
4. Purposes of Data Processing
CoStory processes your personal data strictly for legitimate business operations, restricted to the following defined scopes:
- Talent Matching & Booking: Analyzing public creator metrics to pitch optimized profiles to Brand Clients for upcoming campaigns.
- Contractual Fulfillment: Executing legal management and booking agreements between CoStory and Content Creators.
- Financial Remuneration: Executing private payment transfers, payouts, and tracking campaign fees.
- Statutory Tax Obligations: Calculating, withholding, and declaring Personal Income Tax (PIT) on behalf of creators to the General Department of Taxation of Vietnam.
- Platform Optimization: Evaluating technical performance, tracking user conversions, and refining the user experience on costory.studio.
5. Third-Party Disclosures & The "Middleman Firewall"
CoStory operates under a strict intermediary framework designed to maximize privacy for our talent:
- Absolute Non-Disclosure to Brands: Brand Clients are only provided with a Creator’s public stage name, profile handles, and campaign metrics. CoStory enforces a zero-exception firewall: no real names, private phone numbers, Citizen IDs, or banking details are ever shared with corporate clients.
- External Professional Accounting: To fulfill mandatory tax and accounting standards, CoStory shares the minimum necessary sensitive data (Real Names, CCCD, TIN, and Banking Details) with an authorized external Vietnamese freelance accountant. This professional operates under a binding Data Processing & Confidentiality Agreement and is legally prohibited from utilizing this data for any independent purpose.
6. Simultaneous Recording & Internal Data Governance
To maintain absolute corporate transparency, error correction, and to satisfy statutory state audit requirements, CoStory runs a parallel internal data tracking system:
- System Safeguards: All internal copies of payment sheets, identity numbers, and creator tax records are stored inside encrypted local hardware and restricted-access cloud systems.
- Personnel Access Control: Access to files holding Sensitive Personal Data is strictly blocked for unauthorized personnel and is reserved solely for core managing partners managing payouts.
7. Website Tracking & Cross-Border Data Transfers (Google Analytics)
CoStory operates Google Analytics tracking infrastructure across costory.studio and all related subdomains.
- Prior-Consent Mechanism: Analytical tracking cookies are entirely disabled by default. Tracking scripts will not deploy unless the user actively triggers the "Accept" button on our cookie pop-up banner.
- Outbound Routing: By clicking "Accept", users explicitly acknowledge that their cyberspace behavior tracking data will be transferred and stored across global server arrays operated by Google LLC outside the territory of Vietnam. Users may fully withdraw this consent at any time by wiping their browser cache or adjusting cookie parameters.
8. Data Subject Rights & Mandatory Legal Timelines
In strict adherence to the response windows defined by Decree No. 356/2025/ND-CP, data subjects can trigger their legal rights by writing directly to info@costory.studio.
Because our workflow coordinates internal operations with an external accounting professional, our statutory completion windows are structured as follows:
| Legal Right | CoStory Response Acknowledgment | Full Execution Deadline |
|---|---|---|
| Right to View, Extract, or Correct Data | Within 2 working days | Completed within 15 days |
| Right to Restrict Processing / Object | Within 2 working days | Completed within 20 days |
| Right to Data Erasure / Deletion | Within 2 working days | Completed within 30 days |
Legal Exception to Deletion: Financial logs, identity details bound to contracts, and transaction trails cannot be deleted upon user request if they are subject to the mandatory 10-year retention period dictated by the Vietnamese Law on Accounting for corporate tax audits.
9. Security Incident Commitments
In the event of a suspected system compromise, data leak, or unauthorized exposure of personal data within our internal systems or our external accountant’s infrastructure, CoStory will:
- Immediately isolate the breach and implement mitigation patches.
- Formally report the incident to the Department for Cybersecurity and High-tech Crime Prevention (A05) under the Ministry of Public Security within the legally mandated timeframe.
- Formally contact all affected data subjects via their registered email addresses outlining the nature of the leak and recommended defensive actions.
10. Contact Information
For all questions, complaints, consent withdrawals, or adjustments regarding your personal data rights, please contact our dedicated data handling portal at:
Công ty TNHH Dịch Vụ CoStory
Primary Compliance Email: info@costory.studio