privacy-polic

Privacy Policy for Xưởng thêu 4.0

Last updated: May 13, 2026

This Privacy Policy describes how Xưởng thêu 4.0 (“the Service”, “We”, “Us”, “Our”) collects, uses, stores, and discloses information when You use Our Service, and tells You about Your privacy rights.

By using the Service, You agree to the collection and use of information in accordance with this Privacy Policy.

1. Definitions

• Service refers to the Xưởng thêu 4.0 application, an internal embroidery workshop management tool that also offers optional integration with Meta (Facebook) Pages for automated social media posting.
• Company (“We”, “Us”, “Our”) refers to Xưởng thêu 4.0, operated as a sole proprietorship in Vietnam.
• Personal Data is any information that relates to an identified or identifiable individual.
• User (“You”) means the individual accessing or using the Service. Users of this Service are limited to internal staff and administrators of the embroidery workshop.
• Meta Platform refers to the products and services provided by Meta Platforms, Inc., including Facebook and the Facebook Graph API.

2. Information We Collect

2.1. Account Information (User-provided)

When You create an account on Our Service, We collect:

• Email address
• Display name
• Role assignment within the workshop (e.g., admin, sale, kế toán)

2.2. Operational Data (User-provided)

As an embroidery workshop management tool, the Service stores operational data You input, including: customer orders, customer contact information, shipping records, financial transactions, and product images. This data is generated by Your workshop’s operations and is not collected from third parties.

2.3. Facebook Platform Data (only if You explicitly connect a Facebook Page)

The Service offers an optional feature to publish posts to Facebook Pages You administer. This feature uses Facebook Login and the Facebook Graph API. If, and only if, You explicitly initiate the “Connect Facebook” OAuth flow, We collect and store:

• Facebook Page ID, Page name, and Page avatar URL of the Pages You administer and choose to connect
• Long-lived Facebook Page Access Tokens issued by Meta for each connected Page (these tokens are scoped to Pages You explicitly select during the OAuth consent screen — We never receive tokens for Pages You do not select)
• Post content and media that You create within Our Service for the purpose of publishing to Your connected Pages
• Platform post identifiers and permalinks returned by Facebook after a post is successfully published
• Public engagement metrics (such as like count, comment count) of posts that Our Service has published to Your Pages, retrieved via the pages_read_engagement permission

2.4. Facebook Permissions We Request and Why

When You connect a Facebook Page, Meta will ask You to grant the following permissions. We request only what is strictly necessary for the feature to function:

Permission	Purpose
pages_show_list	To display the list of Facebook Pages You administer, so You can choose which Page(s) to connect to the Service.
pages_manage_posts	To publish posts (text, images, videos) that You explicitly create inside the Service to the Facebook Page(s) You have connected.
pages_read_engagement	To retrieve public engagement metrics on posts that Our Service has published, so You can monitor post performance from within the Service dashboard.

We do not request, access, or store any other Facebook data, including but not limited to: friends list, private messages, ad accounts, audience insights of Pages You do not administer, or data of any Facebook user who is not the connecting account holder.

2.5. Usage Data (Automatically collected)

When You access the Service, Our server automatically records limited diagnostic information for security and troubleshooting:

• IP address
• Date and time of access
• Pages of the Service visited

We do not use third-party analytics, advertising trackers, or cookies for tracking purposes.

3. How We Use Your Information

We use the information collected solely for the following purposes:

1. To provide and operate the Service, including authenticating Your account, managing orders and customers, and rendering Your dashboard.
2. To publish posts to Your connected Facebook Pages on Your explicit instruction. We never publish content automatically without an explicit action initiated by You (manual “Post Now” or a “Schedule” set by You).
3. To display engagement metrics of posts published by the Service.
4. To secure the Service, detect abuse, and troubleshoot technical issues.
5. To comply with legal obligations (e.g., financial record retention required by Vietnamese tax law).

We do not use Your data for advertising, profiling, behavioral analytics, or to train AI models.

4. How We Store and Protect Facebook Data

• Encryption at rest: All Facebook Page Access Tokens are encrypted using AES-256-GCM before being written to Our database. The encryption key is stored separately on Our server, is never transmitted to clients, and is loaded only at server startup.
• Encryption in transit: All communication with Meta’s Graph API and between Your browser and Our server occurs over HTTPS (TLS 1.2 or higher).
• Access control: Facebook tokens are accessible only by the server-side worker process that publishes posts. They are never exposed to client-side JavaScript or sent back to the browser.
• Hosting: Data is stored on a private Virtual Private Server located in Asia, and on Supabase (Postgres) infrastructure. We do not share Facebook data with any third party other than Meta itself (when publishing posts on Your behalf).

5. How You Can Delete Your Data

5.1. Disconnecting a Facebook Page (immediate token revocation)

You can disconnect a Facebook Page from the Service at any time:

1. Sign in to the Service.
2. Open the Social Posting → Connections page.
3. Click Disconnect next to the Page You want to remove.

Upon disconnection, We immediately revoke the Page Access Token with Meta and delete the encrypted token from Our database. Posts already published to Your Page remain on Facebook; You can delete them directly on Facebook if desired.

You may also revoke the Service’s access at any time from Facebook itself: Facebook Settings → Apps and Websites → Active → Xưởng thêu 4.0 → Remove.

5.2. Full account and data deletion request

To request complete deletion of Your account and all associated data (including operational data, account information, and any remaining Facebook Page data), send an email to quanghuy.dn8@gmail.com with the subject line “Data Deletion Request” and include the email address of the account You want to delete.

We will:

1. Acknowledge Your request within 3 business days.
2. Permanently delete or anonymize Your data within 30 days of the request.
3. Send a confirmation email once the deletion is complete.

Some data may be retained in encrypted backup snapshots for up to 90 days after deletion, after which the backups are automatically rotated and overwritten. Data We are legally required to retain (e.g., financial transaction records for Vietnamese tax compliance) will be retained for the minimum period required by law and is not used for any other purpose.

6. Data Retention

Data category	Retention period
Account information	For the duration of Your account, plus up to 24 months after account closure
Facebook Page Access Tokens	Until You disconnect the Page or revoke access from Facebook (deleted immediately upon disconnection)
Operational data (orders, customers, finance)	Up to 10 years, as required by Vietnamese tax and accounting law
Server access logs	Up to 24 months for security and troubleshooting
Backup snapshots	Up to 90 days, then automatically overwritten

7. Sharing of Your Information

We do not sell, rent, or trade Your Personal Data. We share data only in the following limited cases:

• With Meta Platforms, Inc. — when publishing posts to Your Facebook Pages on Your explicit instruction.
• With infrastructure providers — Our hosting providers (VPS provider and Supabase) process data on Our behalf under their own data processing agreements. They do not access content data for any other purpose.
• For legal compliance — if required by a valid legal request from a Vietnamese government authority, court order, or applicable law.

We do not share Facebook data with any third party other than Meta itself.

8. Your Rights

You have the right to:

• Access the Personal Data We hold about You
• Correct inaccurate or incomplete data
• Delete Your data (see Section 5)
• Withdraw consent to Facebook integration at any time by disconnecting the Page
• Lodge a complaint with a data protection authority in Your jurisdiction

To exercise any of these rights, contact Us at quanghuy.dn8@gmail.com.

9. Children’s Privacy

The Service is an internal business tool and is not directed to children. We do not knowingly collect Personal Data from anyone under the age of 16. If We become aware that We have collected data from a child under 16 without verified parental consent, We will delete that information promptly.

10. International Data Transfers

Your information is processed on servers located in Asia (Vietnam and Singapore). If You access the Service from outside these regions, Your data will be transferred to and processed in these locations. We take reasonable steps to ensure Your data is treated securely and in accordance with this Privacy Policy.

11. Security

We use commercially reasonable technical and organizational measures to protect Your data, including encryption at rest (AES-256-GCM for Facebook tokens), encryption in transit (HTTPS/TLS), role-based access control, and regular security updates. However, no method of transmission over the Internet or method of electronic storage is 100% secure, and We cannot guarantee absolute security.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify You of material changes by posting the updated policy on this page and updating the “Last updated” date at the top. We encourage You to review this Privacy Policy periodically.

13. Contact Us

If You have any questions about this Privacy Policy, would like to exercise Your data rights, or want to submit a data deletion request:

• Email: quanghuy.dn8@gmail.com
• Subject line for deletion requests: “Data Deletion Request”

We will respond to all legitimate inquiries within 3 business days.