Information
CHAPA EXPRESS TRAIN DATA PRIVACY POLICY
Welcome to the privacy of CHAPA TOURISM JOINT STOCK COMPANY, located at Lao Cai Station, Khanh Yen Str, Lao Cai Ward, Lao Cai city, Lao Cai province (referred to as “CHAPA Express Train”, “we”, “our”, or “us”). This policy outlines how we process personal data as the data controller for users of our website (https://www.chapaexpresstrain.com/ and individuals who book itineraries aboard our trains (“Guests”), collectively referred to as “you”.
We have drafted this Privacy Policy (the “Policy”) to provide you with transparent and comprehensive information about:
- The purposes and methods of personnal data processing.
- Your rights under applicable laws.
I. Our Commitmetn to Protecting Your Data
We adhere to ten core principles to ensure the lawful, fair, and transparent processing of your personal data:
- Lawfulness: We collect and use your data only when:
- You provide explicit consent.
- It is required to perform a contract with you.
- Compliance with a legal obligation is necessary
- It protects vital interests, or we have a legitimate interest.
- For our legitimate interest, without adversely affecting your rights.
- Fairness: We explain why we need your data and ensure ethical usage.
- Purpose limitation: Data is collected only for specific purpose and minimized.
- Transparency: We inform you about how your data is used
- Right Facilitation: We support your rights, including access, rectification, erasure, annd objection.
- Storage limitation: We retain personal data for a limited period.
- Data Security : We protect your data’s integrity and confidentiality.
- Third-Party Responsibility: We ensure that any third party accessinng your data complies with our standards.
- International Transfers: We secure data transfer across borders.
- Breach Notificationns: We promptly notify relevant authorities and affected individuals of anydata breach.
- Retention Limitation: We store your data ony for as long as necessary.
- For any questions regarding these ten principles, please contact us at the coordinates indicated in article 7 “Your rights”.
II. Data We Collect
- For Website Users:
- Title, full name, email, phone, coutry, guest type, and navigation data.
- Any information vomutarily provided when contacting us.
- For Guests:
- Collected via booking forms or direct communication:
- Personal details (e.g., title, full name, date of birth, nationality).
- Contact information (e.g., phone numer, email, postal address).
- Payment details (e.g., credit card nummer for reservations).
- Additional preferences or comments related to your booking.
- Information about children traveling with you (if applicable).
III. Purpose and Retention of Your Data
We process your data for specific purposes, as outlined below:
Purposes | Legal Basis | Retention Periods (Thời gian lưu trữ) |
Management booking and payments. | Contractual necessary | 3 years from last contact As required |
Addressing preferences/special requirements needs | Consent. | |
Internal incident management | Legitimate interest | Up to 122 days |
Emergency guest location | Vital interests | Duration of the event. |
Statistical analysis and service improvement | Legitimate interest | |
Customer satisfaction surveys | Consent
| 3 years from last contact |
Responding to inquires | Legitimate interest | Duration of request hanndling Where applicable, if your call was recorded, the related data will be retained until you object to its storage or for a period of 3 months from the call date. |
Sending newsletters | Consent. | Until consent withdrawal or 3 years. |
Securing online navigation | Legitimate interest | Maximum of 25 months. |
Fraud prevention in payments | Legitimate interest | 90 days for analysis, 2 years for system improvement used for improving the system. In case of registration in the incident file, data will be retained for 2 years from the date of recording or until the issue is resolved, whichever is earlier. |
Managing legal and accounting obligations | Compliance with legal obligations | As required by law |
Litigation management | Processing necessary to our legitimate interest in establishing evidence in the event of litigation. | Statutory limitation periods. |
IV. Sharing your data
Your personal data may be shared with internal and external parties under the following conditions:
- Internal Teams: Authorized personnel (e.g., customer service, marketing, compliance)
- Service providers and partners: IT hosting services, payment processor, and call centers.
- Local authorities: As required by law or during an investigation, or in accordance with local regulations.
V. International transfers
For purposes in Article 3 personal data may be transferred to internal or external recipients, including countries with varying data protection levels.
CHAPA Express Train ensures secure transfers, inncluding using European Commission standard contractual clauses and additional safeguards when needed.
For more on information transfer frameworks, email the address in Article 7, “YOUR RIGHTS.”
VI. Data security
CHAPA Express Train adopts robust technical and organizational measures in compliannce with applicable laws to safeguard your personal data destruction, loss, alteration; misuse, unauthorized access, modification, or disclosure, whether such actions are intentional, accidental, or unlawful.
To ensure this, we have implemented both technical measures (e.g., firewalls, data encryption) and organizational measures (e.g., controlled access, user authentication systems, physical protection protocols.) These measures are designed to maintain the confidentiality, integrity, availability, and resilience of our processing systems and services.
VII. Your Rights
You have the right to:
- Access, correct, or delete your personal data
- Withdraw consent at any time
- Object to data processing for specific purposes
- Transfer your data
- Give instructions regarding the processing of your data after your death
For inquiries, please contact us at reservation@chapaexpresstrain.com.
To ensure confidentiality and data protection, we may verify your identity before responding to your request. If there is reasonable doubts, you might need to provide a monochrome copy of an official ID, such as an ID card or passport.
All requests will receive a response as swiftly as possible and in compliance with applicable law.
You also have the right to lodge a complaint with a data protection authority.