legal
Privacy and personal data protection policy
This policy describes how Mmoall collects, uses, stores and protects the personal data of the people who use the platform. It is written under the Personal Data Protection Law 2025 (Law No. 91/2025/QH15) and Decree 356/2025/NĐ-CP, together with the other Vietnamese laws referenced below.
Data controller
For the personal data of Mmoall platform users, the data controller is the company that operates Mmoall:
The operator's legal details — company name, tax code, registered address and the mailbox of the personal data protection contact — are being finalised and will be published here. We do not publish details we have not confirmed.
Once the contact details are published, you will be able to send every question, request and complaint about personal data to that address. In the meantime, use the support channel in the footer — we still receive and act on your request.
Scope
This policy covers the personal data of Mmoall users: visitors to the website, people who register and use an account, paying customers, and anyone who contacts us for support or advice.
It does not cover Customer Content — the source code, environment variables, artifacts, logs and end-user data of the apps you deploy on Mmoall. That is covered by our Data policy.
The data we process
We only collect what we need in order to provide the service:
- Account: email address, password in hashed form, display name, interface language, when you registered and when you signed in.
- Payments and invoices: your plan, transaction history, and the invoicing details you give us (company name, tax code, address). We do not store full card numbers — card transactions are handled by the payment provider.
- Technical and log data: IP address, browser and device type, time of access, the paths called, error codes, and a record of account actions such as creating a project or running a deploy.
- GitHub integration: when you connect a repo we receive your GitHub account name, the list of repos you allow, and an access token limited to the scope you granted. You can revoke it in GitHub at any time.
- Support: the content of emails, support tickets and other correspondence between you and us.
- Cookies and browser storage: see the Cookies section.
Basic data and sensitive data. Everything listed above is basic personal data. Mmoall does not set out to collect sensitive personal data — for example health data, private life, political opinions, religion or biometric data. We advise you not to put sensitive data into a support ticket, or into any field on the platform.
Purposes and legal grounds
We process personal data only for the purposes below, and each purpose rests on a legal ground:
- Performing our contract with you: creating and running your account, providing the deploy, VPS and domain services, issuing invoices, taking payment and giving technical support.
- Meeting our legal obligations: keeping accounting and tax records, answering lawful requests from the competent state authorities, and complying with the Cybersecurity Law 2018 and Decree 53/2022/NĐ-CP.
- Keeping the system safe and secure: detecting and stopping unauthorised access, fraud and resource abuse, and keeping the service stable. We weigh this processing so that it does not override your rights and legitimate interests.
- Your consent: sending launch announcements or marketing email, and setting non-essential cookies. You can withdraw your consent at any time.
We do not use your personal data for purposes beyond those listed. If a new purpose arises, we will tell you and ask for your consent first, unless the law allows the processing without consent.
Consent and withdrawing consent
Your consent must be given clearly, through an affirmative action — ticking the consent box when you register, or pressing the button to sign up for emails. Silence or no reply is not consent. Consent you give through the platform is valid under the Law on Electronic Transactions 2023.
You can withdraw your consent at any time: send a request to the personal data protection contact, or use the unsubscribe link at the bottom of any marketing email.
Withdrawing consent does not affect the lawfulness of processing already carried out. If the withdrawal means we can no longer provide part or all of the service, we will tell you that consequence before you confirm.
Advertising email follows Decree 91/2020/NĐ-CP: we only send it if you have consented, every email carries a way to refuse further email, and we stop sending as soon as you refuse.
Transfers outside Vietnam
We have not yet published where our storage systems sit. The storage region table in the Data policy is still empty, and we will publish it before the service goes into commercial operation. Until then, do not assume your data is stored inside Vietnam.
If some data is transferred abroad — for example because we use a provider whose systems sit outside Vietnam — we do so under the Personal Data Protection Law 2025 and Decree 356/2025/NĐ-CP: we file the dossier the law requires, bind the recipient by contract, and apply matching safeguards.
The processor table above names where each provider's systems sit, so you can see whether your data leaves Vietnam. An empty table means the list is not published yet; we will publish it before the service goes into commercial operation.
Where data is stored, and for how long
The Cybersecurity Law 2018 and Decree 53/2022/NĐ-CP require certain data to be stored in Vietnam for a period set by law, and we are subject to that obligation. Where the data actually sits is not published yet; we will publish it in the storage region table in the Data policy before the service goes into commercial operation.
The general rule: we keep data only as long as the stated purpose needs, or as long as the law requires — accounting and tax records, for example. We have not yet set an automatic deletion period for technical logs, and we have not published a period for each class of data. The table below will be filled in before the service goes into commercial operation.
We have not published this yet. It will appear here as soon as we do.
When you delete your account we delete your personal data, except what we must keep to meet a legal obligation; what we keep is used only for that obligation.
Security
We apply appropriate technical and organisational measures to protect personal data, under the Law on Cyberinformation Security 2015 and the personal data protection rules:
- Connections to the platform are served over TLS 1.2/1.3 at the edge. Automatic certificates for custom domains are not available yet, and the system does not force a redirect from HTTP to HTTPS — always use the HTTPS address.
- Passwords are hashed with BCrypt, never stored in readable form.
- Project environment variables and secrets are encrypted at rest with AES-256-GCM at the application layer, and are decrypted only for your own project.
- The admin console is open only to accounts holding an admin role.
- Least privilege: each member of staff reaches only the data their job needs. This is a commitment about how we work.
No system is perfectly secure. We do not promise absolute safety; we commit to appropriate measures, and to handling incidents openly.
The platform is still being built, and some measures you would normally expect are not in place yet: there are no scheduled backups, no audit log of staff access, and no per-project virtual machine isolation. We spell each one out in the Data policy, and we will build them before the service goes into commercial operation.
Your rights
Under Điều 4 of the Personal Data Protection Law 2025, as a data subject you have the following rights:
- The right to know how your personal data is processed.
- The right to consent or refuse consent to the processing of your personal data, and to withdraw consent you have given.
- The right to view and correct, or to ask us to correct, your personal data.
- The right to ask for a copy of your personal data, and to ask us to delete it or restrict its processing.
- The right to object to the processing of your personal data.
- The right to complain, denounce, sue and claim damages as provided by law.
- The right to request that protective measures be applied to your personal data.
To exercise these rights, email us your request with your full name, the email address on your account, and what you are asking for. We may ask for more information to verify that you are the data subject — that step protects you.
The mailbox for these requests is being set up and will be published here. In the meantime, send your request through the contact channel in the footer; we still receive and act on it.
Exercising your rights is free. We respond within the time limit set by law. If we cannot meet part or all of a request, we will give our reasons in writing.
Data of people under 16
Mmoall is infrastructure for developers, organisations and businesses. We do not aim the service at children and do not set out to collect data about people under 16.
Personal data of a person under 16 may only be processed with the consent of a parent or guardian, as the law requires.
If we find we have collected data about someone under 16 without valid consent, we will stop processing it and delete it. If you are a parent or guardian and believe your child has given us data, contact us and we will deal with it.
Personal data breaches
When we detect a breach or loss of personal data, we contain it immediately, assess the scope and the cause, and fix it so it does not happen again.
We notify the competent state authority and the affected data subjects as required by the Personal Data Protection Law 2025 and Decree 356/2025/NĐ-CP.
The notice we send you will say: what happened, which data was affected, what could follow from it, what we have done and are doing, and what you should do to protect yourself.
Complaints
If you believe we are processing your personal data improperly, complain to us first, at the personal data protection contact. We will receive it, look into it and reply.
If you disagree with how we handle it, you may complain or denounce to the competent state authority — the specialised personal data protection agency under the Ministry of Public Security — or bring a lawsuit and claim damages as provided by law.
As a consumer, you are also protected by the Law on Protection of Consumer Rights 2023.
Changes to this policy
When we amend this policy we update the version number and effective date at the top of this page. The version you are reading is always the one in force.
Where a change materially affects your rights, we will tell you by email or on the platform before it takes effect.
note
This document is for reference and does not replace advice from a lawyer licensed to practise in Vietnam. The operator must have counsel review, amend and approve the whole text before the platform goes into commercial operation.