Effective: [DATE] | Last updated: [DATE] | Version: 3.0
1.1 NQuy (“we”) is committed to protecting your personal data in accordance with the Personal Data Protection Law 2025 (Law No. 91/2025/QH15, effective 01/01/2026), Decree 356/2025/ND-CP (the implementing decree for the PDPL), and applicable Vietnamese legislation. This policy explains what data we collect, why we collect it, how we use and protect it, and your rights.
1.2 This Privacy Policy forms an integral part of the NQuy Terms of Service. The following capitalised terms are used in this Privacy Policy:
Where a term is not defined in this Privacy Policy, it has the meaning given to it in the Terms of Service.
1.3 NQuy is a business-to-business service for employers. This Privacy Policy addresses the processing of data provided by our customers (employers and their authorised representatives). It does not address the processing of employee personal data by the employer — that is the employer’s responsibility (see Section 4).
| Category | Specific Data | Purpose | Data Type |
|---|---|---|---|
| Account information | Email address (used for magic link authentication — no password is stored) | Account creation, login, and communications | Basic |
| Business information | Company name, address, tax code, province, industry, working hours, salary structure, signatory names, Employee Count | Generating compliance documents and operating the Compliance Helper | Basic |
| Employee Count verification | Total headcount evidence (redacted to exclude individual employee personal data) — collected only if requested under Section 4.3 of the Terms of Service | Verifying the accuracy of the declared Employee Count for billing purposes | Basic |
| Payment information | Payment method and transaction records (via third-party payment gateway — NQuy does not store card details) | Processing payments and issuing VAT invoices | Basic |
| Compliance Helper interactions | Queries submitted to the Compliance Helper, the responses generated, linked case data, and conversation transcripts | Operating the Compliance Helper, providing step-by-step guidance, maintaining case history, and improving the Service | Basic (may include sensitive data if you include it in your queries — see Section 2.2) |
| Demo access data | Email address, queries submitted during the demo, and watermarked outputs | Providing demo access, delivering demo outputs by email, and marketing communications (with your consent) | Basic |
| Usage data | Pages viewed, features used, session duration, device type, IP address | Service improvement, bug detection, security monitoring | Basic |
| Support interactions | Messages sent via contact form, email, Zalo, or WhatsApp | Responding to enquiries and improving the Service | Basic |
3.1 NQuy uses artificial intelligence in the operation of its platform, including for document generation and the Compliance Helper. All outputs are generated entirely by automated systems and are not reviewed, checked, or approved by any person before delivery.
3.2 When you use the Compliance Helper, your queries and the business context from your Generated Documents are transmitted to NQuy’s AI service provider (currently Anthropic, PBC, based in the United States) for processing. The AI service provider processes this data solely to generate a response to your query. NQuy does not transmit individual employee names, identification numbers, or other employee personal data to the AI service provider unless you include such information in your query.
3.3 Compliance Helper conversation transcripts are stored by NQuy to maintain your case history and to enable the Compliance Helper to reference previous interactions. These transcripts may contain details about employment situations that you describe in your queries.
3.4 AI-generated data: Under Decree 356/2025, data generated or derived from AI technology may be classified as personal data if it can identify an individual. NQuy’s Compliance Helper generates guidance based on the situations you describe. If the AI output references or could identify a specific individual (because you included identifying information in your query), that output may constitute personal data subject to the PDPL. This is a further reason to follow the data minimisation guidance in Section 2.2 and avoid including identifying information in your queries.
3.5 For further information about the nature and limitations of NQuy’s automated processing, see Sections 3, 8, and 10 of the Terms of Service.
4.1 In the course of using the Service, you may input information about your employees into the NQuy platform — for example, when generating labour contracts, describing employment situations to the Compliance Helper, or providing signatory names for compliance documents.
4.2 In relation to any employee personal data you provide to NQuy, you are the data controller and NQuy is a data processor acting on your instructions. NQuy processes employee data solely for the purpose of providing the Service to you. NQuy does not use employee data for any other purpose.
4.3 You are responsible for ensuring that you have a lawful basis under Vietnamese data protection law to provide your employees’ personal data to NQuy for processing. This may include obtaining employee consent where required by the PDPL and Decree 356/2025. NQuy does not verify whether you have obtained the necessary consents or authorisations.
4.4 You should minimise the amount of employee personal data you provide to NQuy. In particular, when using the Compliance Helper, you are encouraged to describe situations without including individual employee names, identification numbers, or other personal identifiers where this is not necessary for the guidance you are seeking.
NQuy obtains your consent at the point of account creation or, for demo users, at the point you provide your email address. Consent is obtained through a clear, affirmative action (checking an unchecked box or clicking an explicit consent button). NQuy does not use pre-selected boxes, implied consent, silence, inactivity, or any interface design that blurs the distinction between consent and refusal. NQuy records and retains verifiable evidence of each consent, including the timestamp, scope of consent, method of consent, and identity of the data subject.
In accordance with the PDPL and Decree 356/2025, NQuy obtains separate consent for each distinct processing purpose. At account creation, you are asked to consent separately to:
You may withdraw any consent at any time by contacting us or adjusting your account settings. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal. Withdrawal of consent for document generation or AI processing will prevent NQuy from providing the relevant part of the Service.
We do not sell your personal data. We share data only with the following categories of recipients, and only to the extent necessary for the stated purpose:
| Recipient | Data Shared | Purpose | Location |
|---|---|---|---|
| AI service provider (currently Anthropic, PBC) | Compliance Helper queries and business context from your Generated Documents | Generating Compliance Helper responses | United States |
| Cloud hosting and CDN (currently Cloudflare, Inc.) | All web traffic data including IP addresses, page requests, and session data | Hosting the NQuy platform, content delivery, and security | Global (nearest edge server) |
| Email service (currently Resend) | Email address and name | Document delivery, notifications, and marketing communications | United States |
| Payment gateways (e.g. VietQR, MoMo, ZaloPay, Stripe) | Payment data as required by the gateway | Processing payments | Vietnam (VietQR, MoMo, ZaloPay); United States (Stripe) |
| Messaging platforms (Zalo, WhatsApp) | Messages and queries sent by you via these platforms | Operating the Compliance Helper via messaging channels | Vietnam (Zalo); United States/Ireland (WhatsApp/Meta) |
| Vietnamese government authorities | As required by law | Compliance with legal obligations | Vietnam |
Each third-party recipient processes data under its own privacy policy and terms. NQuy selects providers that maintain appropriate security standards, but NQuy does not control the data practices of third-party providers once data has been transmitted to them.
7.1 As described in Section 6, some of NQuy’s service providers are located outside Vietnam. When your data is transferred outside Vietnam, it may be processed in jurisdictions that do not provide the same level of data protection as Vietnamese law.
7.2 NQuy ensures compliance with the cross-border data transfer requirements under the PDPL and Decree 356/2025. NQuy has prepared and filed (or will file within the statutory deadline) a Cross-border Transfer Impact Assessment (CTIA) with the Department of Cybersecurity and High-Tech Crime Prevention (A05), Ministry of Public Security, for each category of cross-border transfer identified in Section 6. NQuy will update the CTIA when circumstances change, including when a new cross-border transfer recipient is added.
7.3 By using the Service, you acknowledge and consent to the transfer of your data to the jurisdictions identified in Section 6 for the purposes described in this Privacy Policy.
8.1 In accordance with the PDPL and Decree 356/2025, NQuy has prepared and filed (or will file within the statutory deadline) a Data Processing Impact Assessment (DPIA) with the competent authority (A05). The DPIA covers all personal data processing activities described in this Privacy Policy.
8.2 NQuy has prepared and filed (or will file within the statutory deadline) a Cross-border Transfer Impact Assessment (CTIA) for each category of cross-border transfer described in Section 7.
8.3 NQuy will update the DPIA and CTIA as required by law, including when there is a material change in NQuy’s data processing activities or when a new cross-border transfer arrangement is established.
| Data Type | Retention Period |
|---|---|
| Account data and Generated Documents | Throughout your subscription and for 3 years after termination, to comply with record-keeping obligations and to resolve any disputes that may arise. After that, data is permanently deleted. |
| Compliance Helper transcripts | Throughout your subscription and for 3 years after termination. Deleted with account data. |
| Payment and accounting records | As required by Vietnamese tax law (minimum 10 years for accounting records). |
| Demo access data | Email address retained for marketing until you unsubscribe. Demo queries and outputs deleted after 12 months. |
| Usage data and analytics | Aggregated and anonymised data retained indefinitely. Identifiable usage data deleted after 24 months. |
Under the PDPL and Decree 356/2025, you have the following rights:
To exercise any of the rights listed above (other than the right to complain, which is addressed separately below), contact us via the Contact page form, email hello@nquy.app, or contact the Data Protection Officer at [DPO EMAIL]. We will acknowledge your request within 72 hours and respond substantively within the timeframe required by the PDPL and Decree 356/2025.
If you have a complaint about how NQuy processes your personal data, please contact us at hello@nquy.app or the Data Protection Officer at dpo@nquy.app, or via the contact form at nquy.app/contact. Please describe the nature of your complaint and the outcome you are seeking. We will acknowledge your complaint within 72 hours and provide a substantive response within 30 days. If we need more time to investigate, we will notify you of the extended timeline and the reasons for the delay.
If you are not satisfied with NQuy’s response to your complaint, or if you wish to complain directly, you have the right under the PDPL to file a complaint with the Department of Cybersecurity and High-Tech Crime Prevention (Cục An ninh mạng và phòng, chống tội phạm sử dụng công nghệ cao — A05), Ministry of Public Security of Vietnam. You also have the right to initiate legal proceedings before the competent People’s Court in accordance with Vietnamese law.
11.1 NQuy has appointed a Data Protection Officer (DPO) in accordance with the PDPL and Decree 356/2025. The DPO is responsible for overseeing NQuy’s compliance with personal data protection requirements, monitoring data processing activities, advising on impact assessments, and serving as the point of contact for data subjects and the competent authority.
11.2 You may contact the DPO at any time to exercise your rights under Section 10, to raise a complaint under Section 10.2, or to ask any question about how NQuy processes your personal data.
We implement appropriate technical and organisational measures to protect personal data, including: encryption in transit (TLS/SSL), encryption at rest, role-based access controls, periodic security monitoring, and secure authentication (passwordless magic link). No system is completely secure, and NQuy cannot guarantee absolute security of your data. If we become aware of a data breach that is likely to result in serious harm to your rights, we will notify you and the competent authority (A05) as soon as practicable and in accordance with the notification timelines prescribed by the PDPL and Decree 356/2025.
NQuy uses essential cookies for website operation (login sessions, language preferences). We use anonymous analytics to improve the Service. You can decline non-essential cookies via the cookie banner on first visit. The cookie banner is designed to present consent and refusal options with equal prominence. NQuy does not use pre-selected boxes, implied consent through inaction, or any deceptive design pattern in its consent mechanisms. NQuy does not use advertising cookies or tracking pixels. NQuy does not sell data to advertisers.
NQuy is a business-to-business service and is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it promptly.
We may update this Privacy Policy to reflect changes in the law, in our data practices, or in the Service. The updated version will be posted on this page with a new effective date. For material changes, we will notify you by email at the address registered on your account. Continued use of the Service after the effective date of a change constitutes acceptance of the updated Privacy Policy.
This Privacy Policy is governed by the laws of the Socialist Republic of Vietnam. Disputes relating to data protection are subject to the exclusive jurisdiction provisions set out in Section 17 of the Terms of Service.
Legal basis: Personal Data Protection Law 2025 (Law No. 91/2025/QH15) | Decree 356/2025/ND-CP | Cybersecurity Law 2018 (Law No. 24/2018/QH14) | Law on Electronic Transactions 2023