Preamble
This Privacy and Personal Data Processing Policy (hereinafter referred to as the "Policy") sets out how Filum One-Member Company Limited (hereinafter referred to as "Filum" or "we") collects, uses, stores, protects, and shares personal data through:
- The Filum website at https://filum.ai and associated websites;
- The Filum AI Platform software (hereinafter referred to as the "Platform") and related service modules;
- Mobile applications and integration tools provided by Filum;
- Communication channels including email, telephone, and customer support.
This Policy applies when Filum acts as a Personal Data Processor on behalf of its B2B customers. If you are not a user of a customer who has entered into a contract with Filum, certain provisions of this Policy may not apply to you — please refer to the contact section at the end of this document for support.
This Policy is established and maintained to comply with:
- Personal Data Protection Law No. 91/2025/QH15 dated 26 June 2025 (hereinafter referred to as the "PDPL");
- Decree No. 356/2025/ND-CP dated 31 December 2025 providing detailed regulations and implementation measures for the PDPL (hereinafter referred to as "Decree 356");
- Law on Cyber Information Security No. 86/2015/QH13;
- Law on Cybersecurity No. 24/2018/QH14.
1. Definitions
In this Policy, the following terms shall have the meanings set out below:
| Term | Definition |
|---|---|
| Filum | Filum One-Member Company Limited, with its registered office at 3rd Floor, No. 67 B4 Street, An Khanh Ward, Ho Chi Minh City. Tax Code: 0318896099. |
| Customer | Organizations, legal entities, or individuals who have entered into a legitimate contract with Filum to use the Platform, acting as the Data Controller for the personal data processed within their system. |
| User | An individual granted access to and use of the Platform by a Customer, under the Customer's management. |
| Data Subject | An individual to whom personal data relates, including End-Customers of Filum's Customers whose information is processed on the Platform. |
| Personal Data | Any information attached to or that helps identify a specific individual, as defined under the PDPL and Decree 356. |
| Basic Personal Data and Sensitive Personal Data | As defined in Article 2 of the PDPL and Articles 3 and 4 of Decree 356. |
| Data Controller | An organization or individual that determines the purpose and means of processing personal data. In the contract between Filum and the Customer, the Customer acts as the Data Controller. |
| Data Processor | An organization or individual that processes data on behalf of the Data Controller. In the contract between Filum and the Customer, Filum acts as the Data Processor. |
| Platform | Filum AI Platform — an AI-powered customer experience management (CXM) platform operated by Filum. |
| Agreement | The software services agreement, Data Processing Agreement (DPA), and related annexes signed between Filum and the Customer. |
2. Personal Data Processed by Filum
As a Data Processor, Filum does not actively collect personal data from Data Subjects. Filum only processes personal data within the scope and for the purposes entrusted by the Customer (the Data Controller) under the Agreement.
2.1. Data Provided by the Customer
In the course of providing the Platform and Services, Filum receives and processes the following types of personal data, depending on the Customer's configuration:
- Full name, middle name, given name, and any aliases (if applicable);
- Date of birth; gender;
- Telephone number; email address; social media accounts;
- Photographs and personal profile images;
- Contact address and current residence;
- Nationality;
- Interaction history, service usage behavior, and purchase history of End-Customers;
- Conversation content (chat, email, voice transcript) between End-Customers and Filum's Customers through integrated channels;
- Preferences, ratings, and feedback from End-Customers;
- Voice of Customer (VoC) survey data collected through the Platform;
- Other information that the Customer decides to collect and process on the Platform in accordance with applicable laws.
2.2. Automatically Collected Data
When Users or visitors access the Filum website at https://filum.ai, Filum automatically collects certain information through technologies such as cookies, web beacons, and log files, including:
- IP address, device identifier, device type;
- Browser and operating system version;
- Web pages visited before/after the Filum website;
- Date, time, and duration of access;
- Behavioral analytics data (page views, click stream).
For details on the use of cookies, please refer to the Cookies Policy.
2.3. Data Collected from Integrated Services
When the Customer activates integrations with third-party platforms (Zalo, Facebook Messenger, WhatsApp, email gateway, CRM, etc.), Filum receives and processes personal data transferred from these platforms within the scope of the integration configuration approved by the Customer.
2.4. Data Collected from Other Sources
Filum may receive personal data from the Data Controller, third parties designated by the Customer, or from public sources at the Customer's request and in accordance with applicable laws.
3. Purposes of Personal Data Processing
Filum uses collected personal data for the following purposes:
3.1. Platform Operations
To provide, maintain, and ensure the availability of the Platform and Services under the Agreement with the Customer. To store, transmit, and analyze data according to the Customer's configuration.
3.2. AI Processing
Filum uses Large Language Models (LLM) and AI/ML algorithms to deliver core Platform features, including: sentiment analysis, conversation summarization, automated classification, behavioral prediction, response suggestions, automated content generation, and similar features.
Some AI tasks are processed by self-hosted models on infrastructure controlled by Filum; other tasks are processed by third-party AI service providers. In all cases, data is used solely for inference (processing on demand) and is not used to train these providers' models.
Details on the use of AI and third-party AI service providers are set out in Section 4 — Data Disclosure and Sharing.
3.3. Service Improvement and Enhancement
Filum analyzes usage data in aggregated form to understand trends, improve Service quality, and develop new features. Such analysis is performed only on aggregated metrics (e.g. number of conversations, feature adoption rates, system performance) and is not intended to identify individuals.
Filum commits to not using End-Customer personal data to train or fine-tune any AI model, whether Filum's own or third-party.
3.4. Customer Communication
To contact Users designated by the Customer (admins, administrators) regarding new features, security updates, technical support, or matters related to the Agreement. Filum does not send direct marketing to Data Subjects who are End-Customers.
3.5. Website Analytics
Filum uses analytics tools to measure website traffic. Users may opt out of such tracking through the cookie banner settings on the website.
3.6. Security and Legal Compliance
To detect and prevent fraud, cyberattacks, and violations of the terms of use. To comply with legal requirements, judicial proceedings, and requests from competent state authorities.
4. Disclosure and Sharing of Personal Data
Filum does not sell, rent, or transfer personal data to any third party except in the cases listed below.
4.1. Disclosure to Service Providers (Sub-processors)
To operate the Platform, Filum uses third-party service providers (sub-processors) that have been assessed against security standards. The current list of sub-processors includes:
| Provider | Purpose of Use | Type of Data Processed | Processing Location |
|---|---|---|---|
| Google Cloud Platform (GCP) | Cloud computing infrastructure (compute, storage, networking, identity) | All data on the Platform | Singapore (asia-southeast1) |
| MongoDB Atlas | Primary database of the Platform | Configuration data, conversation data, survey data, End-Customer data | Singapore (deployed on GCP) |
| Amazon Web Services (AWS) | Content delivery network (CDN) for the Platform's static assets | Non-personal data (static assets, images, public attachments) | [CHECK: CloudFront / CDN region — typically Global edge] |
| Microsoft Azure OpenAI Service | Natural language processing (NLP), generative AI | Conversation content, text for AI analysis | [CHECK: Azure region in use] |
| OpenAI | Natural language processing (NLP), generative AI | Conversation content, text for AI analysis | United States |
| Anthropic | Natural language processing (NLP), generative AI | Conversation content, text for AI analysis | United States |
| Google AI (Gemini) | Natural language processing (NLP), generative AI | Conversation content, text for AI analysis | United States |
| Google Workspace | Corporate email, internal collaboration | Contact emails, contract metadata, internal documents | United States |
| Lark | Internal communication and collaboration | Internal messages, internal documents, communication metadata | [CHECK: Lark tenant region in use] |
Filum's commitments regarding sub-processors:
- Each sub-processor undergoes an information security assessment prior to use and is reviewed at least annually.
- Contracts with sub-processors include personal data protection terms no less stringent than those set out in this Policy.
- For AI service providers (Microsoft Azure OpenAI, OpenAI, Anthropic, Google AI): Filum has activated the configuration to opt out of the use of data for model training (training opt-out). Data is used only for inference (processing on demand) and is not stored permanently by these providers.
- A portion of data may be processed outside the territory of Vietnam through the sub-processors listed above. In all cases, Filum ensures that data is protected in accordance with the laws of Vietnam and this Policy, with technical measures including encryption at rest and encryption in transit.
- The list of sub-processors is provided to Customers upon request.
4.2. Disclosure to State Authorities
Filum may disclose personal data at the request of competent state authorities or as required by law, including but not limited to:
- Decisions or requests from prosecuting authorities;
- Requests from the Department of Cybersecurity and High-Tech Crime Prevention (A05) — Ministry of Public Security;
- Decisions of competent Courts.
In such cases, Filum will notify the Customer (Data Controller) as soon as possible, unless such notification is prohibited by law.
4.3. Disclosure in the Event of Corporate Restructuring
In the event that Filum undergoes a merger, acquisition, demerger, or other corporate restructuring, personal data may be transferred to the successor entity. Filum commits that:
- The receiving entity must comply with data protection obligations no less stringent than those set out in this Policy;
- Customers and Data Subjects will be notified before the transfer takes effect.
4.4. Disclosure Within the Customer's System
Personal data within the Customer's system may be accessed by other Users within the same Customer system based on the permission configuration set by the Customer. Access control within the Customer's internal system is the Customer's responsibility.
5. Rights and Obligations of Data Subjects
5.1. 11 Rights of Data Subjects
Under the PDPL, Data Subjects have the following rights regarding their personal data:
| # | Right | Description |
|---|---|---|
| 1 | Right to be informed | To be notified about the processing of one's personal data. |
| 2 | Right to consent | To consent or withhold consent to the processing of personal data. |
| 3 | Right of access | To access and view personal data being processed. |
| 4 | Right to withdraw consent | To withdraw consent previously given. |
| 5 | Right to erasure | To request the deletion of personal data. |
| 6 | Right to restriction of processing | To request the suspension of personal data processing. |
| 7 | Right to data portability | To request personal data in a machine-readable format. |
| 8 | Right to object | To object to specific processing activities. |
| 9 | Right to complain, denounce, and initiate legal action | To complain to competent authorities when rights are violated. |
| 10 | Right to compensation | To request compensation when rights are violated and cause damage. |
| 11 | Right to self-protection | To take measures to protect one's own personal data. |
5.2. Mechanism for Exercising Rights
For Data Subjects who are End-Customers of Filum's Customers:
As Filum acts as the Data Processor, the Customer (Data Controller) is primarily responsible for fulfilling requests to exercise Data Subject rights. Please contact the relevant Filum Customer directly (the organization or business managing your data) for assistance.
In cases where a request is sent directly to Filum, Filum will forward the request to the relevant Customer within 30 (thirty) business days from the date of receipt, and coordinate with the Customer to process the request according to the Agreement.
For Data Subjects for whom Filum acts as the Direct Data Controller (e.g. website contact data, marketing lead data, personnel data):
Please send requests to [email protected]. Filum will respond to and process valid requests within 30 (thirty) business days from the date of receipt, in accordance with Article 14 of Decree 356.
5.3. Obligations of Data Subjects
In addition to obligations under applicable law, Data Subjects have the following obligations:
- To provide accurate and up-to-date information when interacting with Filum;
- To safeguard login credentials (username, password) and not share them with any third party;
- To notify Filum or the relevant Customer upon discovering signs of unauthorized access to or use of their personal data.
6. Protection of Personal Data
Filum applies technical, organizational, and administrative measures concurrently to protect personal data against unauthorized access, loss, alteration, disclosure, or destruction.
6.1. Security Standards and Commitments
Filum builds and operates its security systems in accordance with international standards for information security management. Information about security commitments, certifications, and control measures is publicly available at https://filum.ai/trust.
6.2. Technical Measures
- Data encryption: All data is encrypted at rest (AES-256) and in transit (TLS 1.2 or higher).
- Secure cloud infrastructure: The system operates primarily on Google Cloud Platform (GCP) in the Singapore region, combined with MongoDB Atlas deployed in the same region and Amazon Web Services (AWS) for content delivery (CDN) — all of which meet leading international security standards.
- Multi-Factor Authentication (MFA): Mandatory for all administrator accounts and recommended for all Users.
- Single Sign-On (SSO): Supports SSO integration via SAML 2.0 and OAuth 2.0 protocols with Google Workspace and Microsoft Entra ID. [CHECK: Verify actual deployment status before publishing]
- Least-privilege access control: Users and service accounts are granted access only to the data necessary for their work; production access is reviewed periodically.
- Monitoring and logging: All data access activities are logged, retained for a minimum of 12 months, and reviewed periodically.
- Backup and recovery: Data is automatically backed up daily using snapshot and point-in-time recovery (PITR) mechanisms; recovery testing is performed periodically. [CHECK: Verify periodic DR test reports exist — if not, adjust this statement to align with the ISO 27001 roadmap]
6.3. Organizational Measures
- All Filum personnel with access to personal data must sign a Non-Disclosure Agreement (NDA) and a Data Protection Commitment;
- Regular training on personal data protection is provided to all personnel;
- Periodic information security assessments of third-party service providers;
- An Incident Response process is in place and activated 24/7.
6.4. Data Breach Notification
In the event of a personal data breach, Filum commits to:
- Notify the Ministry of Public Security within the timeframe prescribed in Article 23 of Decree 356 (within 72 hours from the time the incident is detected);
- Notify the Customer (Data Controller) within 72 (seventy-two) hours from the time the incident is detected, so that the Customer can coordinate the response and notify their Data Subjects;
- Notify Data Subjects directly when the incident is likely to seriously affect their rights and interests, as soon as possible;
- Cooperate with authorities and relevant parties to mitigate consequences and prevent further risks.
6.5. Residual Risks
Despite the protective measures described above, no technology system can guarantee absolute security. Risks may include: zero-day vulnerabilities, targeted attacks, natural disasters, or third-party errors. Filum commits to making every effort to minimize risks and to maintain transparency in handling incidents should they occur.
7. Personal Data Retention and Deletion
7.1. Retention Period
Filum retains personal data only for the period necessary to fulfill the purpose of processing, comply with the Agreement with the Customer, and meet legal requirements. Specifically:
| Type of Data | Retention Period |
|---|---|
| Data on systems with an active Customer subscription | According to the Agreement with the Customer |
| Data after termination of the Agreement | Up to 90 (ninety) days to support Customer data export, then fully deleted |
| Security logs, audit logs | 12 (twelve) months |
| Marketing contact (lead) data | 24 (twenty-four) months from the last interaction |
| Contract and invoice data | According to accounting and tax regulations (minimum 10 years) |
7.2. Data Deletion Mechanism
- Upon Customer request for data deletion, Filum performs a soft delete immediately and a hard delete within 30 days;
- For data on backups, deletion is performed according to the backup rotation cycle (up to 90 days);
- Filum provides tools enabling the Customer to export data prior to deletion.
8. Sensitive Personal Data and Children's Data
8.1. Sensitive Personal Data
Filum does not actively collect sensitive personal data (including data on health status, private life, religion, ethnicity, political views, sexual orientation, biometric data, etc.). The Customer is responsible for not configuring the Platform to process such data without the explicit consent of the Data Subject and prior notification to Filum.
In cases where Filum detects inappropriate processing of sensitive personal data, Filum reserves the right to suspend the service and require the Customer to take remedial measures.
8.2. Children's Personal Data
Filum does not design the Platform to process the personal data of children (under 16 years of age according to the PDPL). If the Customer discovers or suspects that the Platform is processing children's data, please notify Filum immediately at [email protected] for appropriate handling.
9. Commitment Not to Sell Personal Data
Filum makes the following absolute commitments:
- Not to sell, rent, or exchange personal data with any third party in any form;
- Not to use End-Customer personal data to train AI models of Filum or of any third party;
- Not to use Customer data for any purpose outside the scope of the signed Agreement.
10. Policy Updates
Filum reserves the right to update this Policy from time to time to reflect changes in legal regulations, technology, or operational practices.
- For substantial changes, Filum will notify Customers and Users via email and post a notice on the website at least 30 days before the effective date;
- The current version of the Policy and its change history are published at https://filum.ai/privacy-policy;
- Continued use of the Services after the updated Policy takes effect constitutes the Customer's and User's acceptance of the updated version.
11. Contact Filum
If Customers, Users, or Data Subjects have any questions, requests, or complaints relating to personal data or the content of this Policy, please contact us via the following channels:
| Channel | Information |
|---|---|
| Email | [email protected] |
| Registered Office | 3rd Floor, No. 67 B4 Street, An Khanh Ward, Ho Chi Minh City |
| Website | https://filum.ai |
| Privacy Policy Page | https://filum.ai/privacy-policy |
Filum commits to responding to all personal data-related requests within 30 (thirty) business days from the date of receipt of a valid request.
12. Governing Law and Dispute Resolution
This Policy shall be construed, interpreted, and applied in accordance with the laws of the Socialist Republic of Vietnam.
Any disputes arising from or related to this Policy shall first be resolved by the parties through negotiation. If no agreement is reached, the dispute shall be submitted to the competent Court in Ho Chi Minh City, Vietnam.