Last Updated: 26 May 2026
Effective Date: 26 May 2026
Version: 3.0 (Multi-Jurisdictional)

1. Introduction and Scope

This Personal Data Protection Policy (“Policy“) describes how Boxme Group (“Boxme“, “we“, “us“) collects, uses, stores, shares, and protects the personal data of customers, partners, website visitors, and other data subjects (“you“, “Data Subject“).

Boxme is a multi-national logistics group, so this Policy is designed to simultaneously comply with the following legal frameworks:

• Vietnam: Law on Personal Data Protection No. 91/2025/QH15, Cybersecurity Law 2018, Electronic Transactions Law 2023, Decree No. 53/2022/ND-CP
• Thailand: Personal Data Protection Act B.E. 2562 (2019) — PDPA
• International (as baseline): EU General Data Protection Regulation (GDPR) — applying the highest standards as our baseline

“Highest Standard” Principle: Where the requirements differ between jurisdictions, Boxme applies the highest level of protection to all Data Subjects, regardless of nationality or residence.

2. Data Controllers

2.1. Primary Data Controller in Vietnam:

Boxme Vietnam Joint Stock Company

• Tax Code: 0106693837
• Date of Establishment: 18 November 2014
• Head Office: 3rd Floor, VTC Online Building, No. 18 Tam Trinh Street, Tuong Mai Ward, Hanoi, Vietnam
• Southern Office: 185B Trung My Tay 5 Street, Quarter 6, Group 18, Trung My Tay Ward, District 12, Ho Chi Minh City
• Website: boxme.asia
• General Contact: contact@boxme.asia

2.2. Data Controller in Thailand:

Boxme Thailand Co., Ltd. (Thailand Tax Code: 0105560012784) — for personal data of Data Subjects in Thailand.

2.3. Affiliated entities in Vietnam that may jointly control or process data:

• Global Shopping Joint Stock Company (Tax Code 0109011779)
• BMG Tech Joint Stock Company (Tax Code 0109011786)

3. Data Protection Officer (DPO)

To exercise your rights or raise questions about this Policy, please contact our Data Protection Officer:

• Email: privacy@boxme.asia
• Postal Address: Data Protection Officer — Boxme Vietnam Joint Stock Company, 3rd Floor VTC Online, 18 Tam Trinh, Tuong Mai Ward, Hanoi
• Request Channels: via email, postal mail, or online form on our website
• Initial Response Time: within 72 working hours

4. Data Protection Principles

Boxme is committed to the following 7 fundamental principles (consistent across GDPR, Thailand PDPA, and Vietnam Law 91/2025):

1. Lawfulness, fairness, transparency — processing based on clear legal grounds with full notification to you
2. Purpose limitation — only processing for notified purposes, no misuse
3. Data minimization — collecting only the data necessary
4. Accuracy — ensuring data is up to date, allowing you to correct it
5. Storage limitation — retaining only as long as necessary, with scheduled deletion
6. Integrity and confidentiality — applying appropriate technical and organizational measures
7. Accountability — we are responsible for demonstrating compliance

5. Personal Data We Collect

5.1. Basic Personal Data

• Full name, date of birth, gender
• Phone number, email address
• Delivery address, residential address
• Company name, job title (for B2B customers)
• Account information: username, encrypted password
• Order history, transaction history, shopping preferences
• IP address, browser information, cookie data, session data
• Images and videos you voluntarily submit through customer support channels

5.2. Sensitive Personal Data

As classified under Vietnam Law 91/2025, Section 26 of Thailand PDPA, and Article 9 of GDPR, the following data types are considered sensitive. Boxme only collects them with your explicit consent or where required by law:

• National ID Card / Citizen ID / Passport number (only for high-value deliveries, as required by delivery partners or customs authorities)
• Bank account information (only for B2B customers/partners with payment or reconciliation transactions)
• Precise geolocation (only when you enable it on the order tracking app)

5.3. Data Boxme Does NOT Collect

Boxme does not collect data about health status, sexual life, religious beliefs, political views, genetic data, biometric data, or criminal records of consumer customers.

6. Collection Methods

We collect personal data from the following sources:

• Directly from you: through contact forms, account registration, newsletter subscription, support chat, phone calls, email
• From your business partners: brand owners and sellers who engage Boxme to fulfill orders to end customers
• From e-commerce platforms and sales channels: Shopee, Lazada, TikTok Shop when orders are routed to Boxme for processing
• Automatically via cookies and similar technologies: when you visit boxme.asia
• From public sources: National Business Registration Portal (for B2B customers)

7. Legal Basis and Processing Purposes

All personal data processing by Boxme is based on at least one of the following legal grounds (per Article 6 GDPR, Section 24 of Thailand PDPA, and Article 11 of Vietnam Law 91/2025):

8. Sharing Data with Third Parties

Boxme only shares personal data with the following third parties, to the extent necessary and under confidentiality contracts:

8.1. Shipping and Delivery Partners

Giao Hang Nhanh (GHN), Giao Hang Tiet Kiem (GHTK), Viettel Post, J&T Express, Ninja Van, Best Express, Lalamove, Ahamove, Flash Express (Thailand), Kerry Express (Thailand), and other carriers within Boxme’s network of 50+ partners.

8.2. Technology and Infrastructure Partners

• Cloud service, data storage, and backup providers
• Email marketing and CRM service providers
• Web analytics providers (Google Analytics)
• Payment processing and e-invoicing providers

8.3. E-commerce Platforms and Sales Channels

Shopee, Lazada, TikTok Shop, Tiki, Sendo — when orders are created and synchronized with Boxme’s systems.

8.4. Government Authorities

Upon lawful written request from:

• Tax Authorities, Police Authorities, Courts, Department of Cybersecurity and High-Tech Crime Prevention (A05) — Ministry of Public Security of Vietnam
• Personal Data Protection Committee (PDPC) — Thailand, and other competent Thai authorities

8.5. Affiliated Entities

Global Shopping Joint Stock Company, BMG Tech Joint Stock Company, Boxme Thailand Co., Ltd., and other Boxme subsidiaries and branches.

Boxme undertakes NOT to sell, lease, or trade your personal data with any third party for commercial purposes.

9. Cross-Border Data Transfers

As Boxme operates across multiple countries, personal data may be transferred from your country of origin to the following jurisdictions:

• Vietnam and Thailand: between the two main entities of the group
• Philippines: Boxme Philippines branch
• United States, Singapore, Hong Kong: server locations of our cloud service providers and e-commerce platforms

9.1. For Data Subjects in Vietnam

Boxme fully complies with Articles 27 and 28 of Law 91/2025, including:

• Preparing a Cross-Border Data Transfer Impact Assessment (TIA)
• Notifying the Ministry of Public Security prior to transfer
• Executing Standard Contractual Clauses (SCC) with the receiving party

9.2. For Data Subjects in Thailand

Boxme complies with Sections 28-29 of Thailand PDPA and the PDPC Notification dated 24 March 2024 on cross-border data transfers. Specifically, Boxme applies appropriate safeguards such as:

• ASEAN Model Contractual Clauses for Cross-Border Data Flows
• Or EU Standard Contractual Clauses (SCC)
• Ensuring the receiving party applies protection measures equivalent to PDPA

9.3. For Data Subjects in EU/EEA (if applicable)

Where Boxme processes data of EU residents, all transfers outside EU/EEA are made via EU Standard Contractual Clauses pursuant to European Commission Decision (EU) 2021/914, with supplementary measures as needed.

10. Data Retention Period

After the retention period expires, data will be permanently deleted or anonymized through a controlled process.

11. Rights of Data Subjects

Boxme recognizes and guarantees the following rights to every Data Subject, regardless of nationality or residence (applying the highest standard among Vietnam Law 91/2025, Thailand PDPA, and GDPR):

1. Right to be informed about data processing
2. Right to consent or refuse consent to processing
3. Right of access: request to view and copy your data
4. Right to withdraw consent at any time, free of charge, without reason — withdrawal does not affect the lawfulness of prior processing
5. Right to rectification of inaccurate, incorrect, or incomplete information
6. Right to erasure (“Right to be Forgotten” per GDPR Art. 17) — request deletion, except where law requires retention
7. Right to restrict processing — request temporary suspension in dispute cases
8. Right to data portability (GDPR Art. 20) — receive data in a structured, machine-readable format
9. Right to object particularly to direct marketing and automated profiling
10. Right not to be subject to automated decision-making with significant legal effects (GDPR Art. 22) — request human intervention
11. Right to lodge complaints, denunciations, lawsuits as provided by law
12. Right to compensation for damages caused by wrongful processing

11.1. How to Exercise Your Rights

You may submit a request through the following channels (Boxme provides at least 2 channels to comply with Thailand PDPA):

• Email: privacy@boxme.asia
• Online form: [link to Data Subject Request Form]
• Postal mail: Data Protection Officer, Boxme Vietnam, 3rd Floor VTC Online, 18 Tam Trinh, Tuong Mai Ward, Hanoi
• In person at Boxme’s offices in Hanoi or HCMC (by appointment)

11.2. Request Processing Timeline

11.3. Fees and Conditions

Exercising your rights is entirely free of charge. For requests that are manifestly unfounded or excessively repetitive, Boxme may charge a reasonable fee or refuse the request, with written reasons.

Boxme may request identity verification before processing your request, to protect your data from unauthorized access.

12. Data Security

Boxme applies technical and organizational protection measures appropriate to the level of risk, as required by Article 24 of Vietnam Law 91/2025, Section 37 of Thailand PDPA, and Article 32 of GDPR.

12.1. Technical Measures

• SSL/TLS 1.3 encryption for all web communications
• AES-256 encryption for sensitive data at rest
• Two-factor authentication (2FA) for administrative accounts
• Least-privilege access control
• Audit logging of all sensitive data access
• Firewall and Intrusion Detection/Prevention Systems (IDS/IPS)
• Regular backups and Disaster Recovery (DR) plan
• Periodic security testing and penetration testing

12.2. Organizational Measures

• Regular data security training for all employees
• Non-Disclosure Agreements (NDA) with all employees and partners
• Physical access controls to data centers and warehouses
• Periodic risk assessment and updates to protection measures
• Data Processing Agreements (DPA) with all sub-processors handling data on Boxme’s behalf

13. Data Breach Response

In the event of a personal data breach, Boxme commits to:

1. Notify the supervisory authority within 72 hours:
   • Ministry of Public Security of Vietnam (for Vietnam citizen data)
   • Personal Data Protection Committee — PDPC Thailand (for Thai resident data)
   • Relevant EU DPA (if GDPR applies)
2. Notify affected Data Subjects directly as soon as possible if the breach poses a high risk
3. Implement remedial measures to minimize damage
4. Submit detailed reports on cause, impact, and response measures
5. Review and improve systems to prevent recurrence

14. Cookies and Tracking Technologies

The boxme.asia website uses cookies and similar technologies. Details are described in our separate Cookie Policy.

On your first visit, you will see a banner notification and may choose:

• Accept all cookies
• Accept only necessary cookies (essential cookies do not require consent under PDPA and GDPR)
• Customize each cookie category (analytics, marketing, functional)

Withdrawing cookie consent is as easy as giving it — you can change your preferences at any time via the cookie icon at the bottom of the website.

15. Protection of Children’s Data

Boxme applies the highest age threshold among applicable laws to protect children:

• Under 16: Boxme does not knowingly collect data, and requires consent from parents/legal guardians (per Vietnam Law 91/2025 and GDPR Art. 8)
• From 16 to under 20 (Thailand specifically): complying with Thailand PDPA — some processing activities may require additional guardian consent

If you become aware that we have collected data from a child without valid consent, please contact privacy@boxme.asia and we will delete such data immediately.

16. Links to Third-Party Websites

Our website may contain links to third-party websites (partners, e-commerce platforms, social media). This Policy does not apply to those websites. You should review the privacy policies of those websites before providing any information.

17. Changes to this Policy

Boxme may update this Policy from time to time to reflect changes in law or business operations. Material changes will be notified via:

• Display on the website homepage at least 30 days before effective date
• Email to registered accounts
• Update of the “Last Updated” date at the top of the Policy

Continued use of the services after the effective date of the amended Policy constitutes acceptance of the changes.

18. Complaints and Supervisory Authorities

If you believe Boxme has processed your personal data unlawfully, you have the right to:

18.1. Complain directly to Boxme

Send complaints to privacy@boxme.asia. Boxme commits to respond within 72 hours.

18.2. File complaints with competent supervisory authorities

In Vietnam:

• Department of Cybersecurity and High-Tech Crime Prevention (A05) — Ministry of Public Security
• Address: 47 Pham Van Dong, Mai Dich, Cau Giay, Hanoi

In Thailand:

• Office of the Personal Data Protection Committee (PDPC)
• Website: pdpc.or.th

In EU/EEA (if applicable):

• Data Protection Authority of the EU Member State where you reside
• List: edpb.europa.eu

18.3. Litigation

At a competent Court in accordance with the civil procedure law applicable to you.

19. Language and Order of Precedence

This Policy is published in both Vietnamese and English. In case of any inconsistency between the two versions:

• For data subjects in Vietnam: the Vietnamese version shall prevail
• For data subjects in other countries: the English version shall prevail

20. Contact Information

Boxme Vietnam Joint Stock Company

• Head Office: 3rd Floor, VTC Online Building, No. 18 Tam Trinh Street, Tuong Mai Ward, Hanoi
• General Contact: contact@boxme.asia
• Data Protection Officer (DPO): privacy@boxme.asia
• Website: https://boxme.asia

Boxme Thailand Co., Ltd.

• Thailand DPO Contact: privacy@boxme.asia (handled centrally via Group DPO)

© 2026 Boxme Vietnam Joint Stock Company. All rights reserved.