Personal Data Protection Policy | Green SM

PERSONAL DATA PROTECTION POLICY OF XANHSM CO., LTD
This Personal Data Protection Policy (“Policy”) describes how XanhSM Co., Ltd (hereinafter referred to as the "Company") collects, uses and processes personal data arising in the course of operation and business of the Company.
1. GENERAL PROVISIONS
1.1. Personal Data: means information in the form of symbols, letters, digits, images, sounds, or similar forms in the electronic environment that are associated with a specific natural person or help identify a specific natural person. Personal Data includes basic Personal Data and sensitive Personal Data.
1.2. Personal Data Subject: means the individual reflected by the Personal Data, including all individual customers who are using the Company's products and services, the Company's employees and collaborators, the Company’s apprentices and trainees; the Company’s partners; users of the Company’s website and application platforms, shareholders and/or other individuals who have a legal relationship with the Company or whose Personal Data is processed by the Company.
1.3. Personal Data Processing: means one or more activities affecting Personal Data, such as: collection, recording, analysis, confirmation, storage, correction, disclosure, combination, access, retrieval, recalling, encryption, decryption, copying, sharing, transmission, provision, transfer, deletion, destruction of Personal Data or other related actions.
1.4. Whenever the Personal Data of any related person of the Personal Data Subject (including but not limited to information of dependents, related persons in accordance with the law, spouse, children and/or parents and/or guardians, friends, beneficiaries, authorized persons, partners, emergency contacts or other individuals of the Personal Data Subject) is provided to the Company, the Personal Data Subject and the related persons of the Personal Data Subject represent, warrant and take responsibility that the information has been fully provided and has been legally agreed/approved by the Personal Data Subject to be processed for the purposes set out in this Policy. The Personal Data Subject and the related persons of the Personal Data Subject agree that the Company is not responsible for verifying the legality and validity of this consent/approval and the storage of evidence proving that is the responsibility of the related persons of the Personal Data Subject and the Personal Data Subject. The Company is exempt from liability and entitled to request compensation for related damages and expenses when the Personal Data Subject or/and related persons of the Personal Data Subject fail to comply with the contents specified herein.
1.5. Unless otherwise notified to the Company in writing, by registering to use the Company’s products and services, entering into contracts, and/or allowing the Company to conduct Personal Data Processing, the Personal Data Subject shall be deemed to have read, clearly understood, and unconditionally accepted all contents set out in this Policy (including any amendments, modifications, and updates, if any, from time to time).
1.6. This Policy may be updated, amended, supplemented, or replaced by the Company from time to time and shall be published on the Company’s official website (https://www.greensm.com/). The Personal Data Subject may access and regularly review the Company’s official website to stay informed of the latest changes. If the Personal Data Subject does not agree with any amendment, supplement, or replacement of this Policy, the Personal Data Subject has the right, by written notice to the Company, to withdraw consent to this Policy and/or terminate any transaction, agreement, or contract entered into with the Company.
1.7. The Company undertakes to comply with the following principles when conducting Personal Data Processing: (i) The Company processes and protects Personal Data in accordance with the provisions of the laws of Lao People’s Democratic Republic (“Lao PDR”); fully complies with contracts, agreements, and other documents established with the Personal Data Subject; (ii) The Company collects Personal Data for specific, explicit and lawful purposes, within the scope of the purposes stated in Section 3 of this Policy and in accordance with the provisions of the laws of the Lao PDR; (iii) The Company always applies and updates technical measures in accordance with the provisions of the laws of the Lao PDR to ensure the safety of Personal Data, including measures to protect against unauthorized access and/or destruction, loss or damage to Personal Data; (iv) The Company stores Personal Data appropriately and to the extent necessary for processing in accordance with the provisions of the laws of the Lao PDR; (v) The Company undertakes to comply with provisions related to the protection of children's data.
2. PERSONAL DATA TO BE PROCESSED
In order to conduct Personal Data Processing for the purposes set out in Section 3 of this Policy, the Company may process the following types of Personal Data:
2.1. Basic Personal Data includes: (i) Family name, middle name and last name, other names (if any); (ii) Date of birth; date of death or disappearance; (iii) Gender; (iv) Place of birth, place of birth registration, place of permanent residence, place of temporary residence, current place of residence, hometown, contact address; (v) Nationality; (vi) Individual image (including information obtained from security systems, including video recordings of the Personal Data Subject captured by the camera systems and surveillance cameras at the Company's business/transaction locations, and on vehicles used to provide the Company’s services); (vii) Telephone number, identity card number, citizen identification number, personal identification number, passport number, driver's license number, license plate number, personal tax identification number, social insurance number, health insurance card number; (viii) Occupation and workplace; (ix) Marital status; (x) Information about family relationships (parents, children); (xi) Information about the individual's digital account; Personal Data that reflects interests and history of activities in cyberspace; (xii) Other information that is associated with a specific natural person or helps to identify a specific natural person not falling within the scope of sensitive Personal Data as set out in Section 2.2 below.
2.2. Sensitive Personal Data includes the following key data: (i) Political views, religious views; (ii) Health status and private life recorded in medical records, excluding information about blood type; (iii) Information related to racial origin, ethnic origin; (iv) Information about an individual's inherited or acquired genetic characteristics; (v) Information about distinctive physical attributes, biological characteristics of individuals; (vi) Data on crimes and criminal acts collected and stored by law enforcement agencies; (vii) Information about the bank accounts, bank cards, e-wallets, and other payment instruments of the Personal Data Subject; (viii) Data about the Personal Data Subject’s location determined through the location service; (ix) Other Personal Data that is specified by law as specific and requires necessary security measures.
3. PURPOSES OF PERSONAL DATA PROCESSING
Personal Data may be processed for one or more of the following purposes:
3.1. Evaluating the capability to provide products, services and/or enter into contracts with the Personal Data Subject, including the following purposes: (i) Identifying and verifying information of the Personal Data Subject; (ii) Evaluating, reviewing and approving the provision of products and services according to the registration documents, applications, contracts of the Personal Data Subject and/or related persons of the Personal Data Subject; (iii) Considering providing or continuing to provide any of the Company's products and services to the Personal Data Subject.
3.2. Fulfilling obligations in contracts, agreements, terms, conditions and other documents between the Company and the Personal Data Subject, supporting the Personal Data Subject, including but not limited to the following purposes: (i) Performing obligations under contracts, agreements and providing products and services to Personal Data Subjects; (ii) Updating and processing information of Personal Data Subjects; (iii) Taking care of and settling complaints and lawsuits of/or relating to the Personal Data Subjects; (iv) Using and transferring to partners Personal Data and relevant information to identify and fix problems of products and services; repairing products; (v) Contacting and notifying the Personal Data Subject; (vi) Implementing promotional programs, exchanging gifts, awarding, delivering gifts; (vii) Performing other customer care and support activities.
3.3. Improving the quality of the Company's products and services, including: (i) Providing information when requested or when the Company finds it useful; (ii) Improving technology, interface of websites, social networks, and applications to ensure convenience for the Personal Data Subject and/or the customers; (iii) Managing the Personal Data Subject and/or customers’ accounts and loyalty programs; (iv) Statistics and data analysis for research, creation, development and improvement of products and services; improving the Personal Data Subject and/or the customer experience; (v) Developing and providing new products and services that are personalized according to the actual needs and conditions of the Personal Data Subject and/or the customers; (vi) Introducing and providing promotions and incentives for the Company’s and its partners’ products and services; (vii) Proposing products and services that the Personal Data Subject and/or the customers may be interested in through identifying the Personal Data Subject and/or the customers’ preferences.
3.4. Serving the Company's business, operation and development activities, including but not limited to the fulfillment of reporting, financial, accounting and tax obligations, auditing, compliance purposes, human resources development, improvement of work quality and other related activities serving the Company's legitimate business in cases that the Company deems necessary.
3.5. Restructuring and transfer of projects/enterprises: In the course of business, the Company may sell or acquire enterprises or restructure corporate entities or transfer other projects or services in accordance with the provisions of law. Accordingly, Personal Data and the right to use information in general are among the transferred assets. In all cases, the transfer and processing of data will be carried out by the parties in accordance with the provisions of the law and this Policy.
3.6. Developing marketing, advertising, and trade promotion campaigns for products and services, including the creation of campaigns based on the Personal Data Subject’s preferences.
3.7. To prevent, combat, deter, investigate, and detect violations of the Company’s regulations and applicable laws.
3.8. To protect public order and social safety, and to safeguard the lawful rights and interests of the Personal Data Subject, the Company, and other related parties.
3.9. Compliance with the provisions of law and international treaties to which the Lao PDR is a party, including but not limited to: (i) To provide to competent state agencies in accordance with law; (ii) In order to fulfill its obligations in accordance with the provisions of law, international treaties that the Company must comply with (if any).
3.10. Other purposes subject to the consent of the Personal Data Subject.
4. METHODS OF PERSONAL DATA PROCESSING
4.1. Collection methods
Personal Data is collected as follows: (i) From the Company's websites and applications: Personal Data is collected when the Personal Data Subject fills in the forms posted on the Company's websites and applications on mobile devices. (ii) From the provision of products and services, the performance of obligations under contracts and agreements of the Company: Personal Data is collected when the Personal Data Subject purchases, registers to use, uses any products and services, signs a contract with the Company. (iii) From communications with the Personal Data Subject: Personal Data is collected through interaction between the Company and the Personal Data Subject (in-person meeting, by mail, telephone, online, call center system, electronic communication or any other means) including surveys. (iv) From social networks: The Company's official social networks and/or official social networks that the Company cooperates with partners. (v) From audio and video recording devices: located at stores, business locations or places where part or all of the Company's business activities are carried out that the Personal Data Subject meets, appears or interacts with the Company. (vi) From interactions or automated data collection technologies: The Company may collect automatically recorded information from the connection: - Cookies, pixel tags, and other similar technologies; - Any technology capable of tracking personal activity on devices or websites; - Other data or information provided by a device. (vii) Other means: The Company may collect Personal Data through public and official sources of information or through receiving necessary data shared from the parent company, subsidiaries, affiliates, and partners in the process of cooperating with the Company in accordance with the applicable provisions of law.
4.2. Storage methods
Personal Data is stored in Lao PDR at the Company's database system or wherever we or our parents, branches, subsidiaries, affiliates, partners or service providers have facilities. The storage period of Personal Data is determined based on the purpose of use as stated in this Policy and in accordance with the applicable provisions of law.
4.3. Data transfer/share methods
The Company will not sell Personal Data to any party. The Company uses the necessary security measures to ensure that the transfer/sharing of Personal Data is secure. The Company will share Personal Data with (i) the Company's parent company, subsidiaries, affiliates; (ii) individuals/organizations involved in the Personal Data Processing as set out in this Policy; or (iii) competent state agencies or other cases in accordance with the applicable provisions of law. If the recipient of Personal Data is headquartered outside the territory of the Lao PDR, when providing/transferring Personal Data abroad (including but not limited to the use of cyberspace, equipment, electronic means or other forms to transfer Personal Data outside the territory of Laos), the Company will require the receiving party to ensure the safety and security of the Personal Data provided/transferred. The Company undertakes to fully comply with the regulations and compliance requirements of the laws of the Lao PDR to protect the safety of Personal Data.
4.4. Analysis methods
Personal Data is analyzed based on the Company's internal processes, data security principles and information security for information technology systems.
4.5. Data encryption methods
When necessary, collected Personal Data is encrypted in accordance with appropriate encryption standards during data storage or transfer and processing to ensure that the data is protected at all times.
4.6. Data deletion methods
When the contractual relationship is terminated, or when the use of the Company’s products or services ceases, or upon a valid request from the Personal Data Subject, the Company shall delete the stored Personal Data, except in the following cases: (i) The law does not allow data deletion or requires mandatory data storage; (ii) Personal Data is processed by competent state agencies for the purpose of serving the activities of state agencies in accordance with the provisions of law; (iii) Personal Data has been disclosed in accordance with the provisions of law; (iv) Personal Data is processed to serve legal requirements, scientific research and statistics in accordance with the provisions of law; (v) In case of national defense and security emergencies, social order and safety, major disasters, dangerous epidemics; when there is a risk of threatening national security and defense but not to the extent of declaring a state of emergency; prevention and combat of riots, terrorism, crime and law violations; (vi) Responding to an emergency situation that threatens the life, health, or safety of the Personal Data Subject or other individuals.
Throughout the Personal Data Processing, security is the highest priority of the Company. The Company takes appropriate technical measures to prevent unauthorized access to and use of Personal Data. The Company also regularly collaborates with security experts to update the latest cybersecurity techniques to ensure the safety of Personal Data. The Personal Data Subject’s payment card data issued by financial institutions is protected by the Company on the principle that important payment card data (card number, full name, CVV number) is not recorded on our system. The Personal Data Subject’s payment transaction is made on the system of the relevant bank.
5. CHILDREN'S PERSONAL DATA PROCESSING
5.1. The Company will conduct Children's Personal Data Processing in accordance with the principle of protecting the rights and best interests of children and in accordance with the provisions of the law.
5.2. The Company only processes the Personal Data of children and provides products and services to children if the parent or guardian consents to the children using the Company's products and services, consents to the children’s Personal Data Processing by the Company, agrees to this Policy and complies with the requirements of relevant laws. In the event that a child aged 7 years or older uses the Company's products and services, in addition to the requirements set forth herein, the Company will only conduct Personal Data Processing of the child with the consent of the child. The parent or guardian is responsible for obtaining the consent of the child before providing the child's Personal Data to the Company.
6. POTENTIAL UNEXPECTED CONSEQUENCES AND DAMAGE
6.1. The Company uses various information security technologies such as firewalls, access control measures, encryption, etc., to protect and prevent Personal Data from being accessed, used, or disclosed without authorization. However, the Company cannot guarantee absolute security of Personal Data in certain cases, such as: (i) Hardware or software failures occurring during data processing that result in the loss of the Personal Data Subject’s data; (ii) Security vulnerabilities beyond the Company’s control, or systems being attacked by hackers/cybercriminals, leading to data breaches or leakage.
6.2. The Company recommends that Personal Data Subjects keep confidential information related to account login passwords, OTP codes and do not share this content with any other person.
6.3. The Personal Data Subject needs to be aware that at any time when the Personal Data Subject discloses and makes public his/her Personal Data, such data may be collected and used by others for purposes beyond the control of the Personal Data Subject and the Company.
6.4. The Company recommends that Personal Data Subjects preserve personal devices (phones, tablets, personal computers, etc.) during use. The Personal Data Subject should log out of his or her account when not in use.
6.5. In the event that the data storage server is attacked, resulting in the loss, disclosure, or leakage of Personal Data, the Company shall be responsible for promptly notifying the competent authorities for investigation and handling, and for informing the Personal Data Subject in accordance with applicable laws.
6.6. Cyberspace is not an entirely secure environment, and the Company cannot absolutely guarantee that Personal Data shared via cyberspace will always be protected. When transmitting Personal Data via cyberspace, the Personal Data Subject should use secure systems to access websites, applications, or devices. The Personal Data Subject is responsible for keeping their access credentials for each website, application, or device secure and confidential.
7. START TIME, END TIME OF PERSONAL DATA PROCESSING
7.1. Personal Data shall be processed from the time the Company lawfully obtains such Personal Data and has an appropriate legal basis for processing in accordance with the provisions of the laws.
7.2. Personal Data will be processed until the purposes of the data processing have been completed.
7.3. The Company may be required to store Personal Data even if the contract between the parties has been terminated in order to perform its obligations in accordance with the provisions of law and/or the requirements of the competent state authorities.
8. ORGANIZATIONS AND INDIVIDUALS PARTICIPATING IN THE PROCESSING OF PERSONAL DATA AND SCOPE OF PERSONAL DATA USAGE
8.1. On a case by case basis, the Company may be the personal data controller or the personal data controller cum processor.
8.2. To the extent permitted by laws, the Personal Data Subject clearly understands that the Company may share Personal Data for the purposes stated in this Policy with the following organizations and individuals: (i) Parent companies, subsidiaries and affiliates of the Company; (ii) Organizations, individuals providing services and/or cooperating with the Company, including: agents, auditors, lawyers, business partners, partners providing information technology solutions, software, applications, operation, management, troubleshooting services, infrastructure development, and services for trade promotion; (iii) Any individual or organization that is a representative, authorized party of the Personal Data Subject, acting on behalf of the Personal Data Subject. The sharing of data will be carried out in accordance with the procedure, manner and current provisions of law. The recipients of Personal Data are obligated to keep Personal Data secured in accordance with this Policy, the Company's internal regulations, standards for the protection of Personal Data and applicable provisions of law.
8.3. The Company may be required to share Personal Data with competent state authorities in accordance with the law.
9. RIGHTS OF PERSONAL DATA SUBJECTS
9.1. Right to know about his/her Personal Data Processing activities, unless otherwise provided by law.
9.2. Right to give, refuse or withdraw consent to his/her Personal Data Processing, unless otherwise provided by law.
9.3. Right to access in order to view, correct or request correction of his/her Personal Data, unless otherwise provided by the law.
9.4. Right to withdraw consent.
9.5. Right to delete data.
9.6. Right to restrict his/her Personal Data Processing in accordance with the provisions of law.
9.7. Right to request the provision of his/her Personal Data to him/her, unless otherwise provided by the law.
9.8. Right to object to data processing.
9.9. Right to complain, denounce and initiate lawsuits.
9.10. Right to claim damages.
9.11. Right to self-protect.
The Personal Data Subject may exercise these rights by making a request to the Company. The request form must be sent to the Company and include basic contents such as the requester's information, detailed request content [for example, the type of data to be provided or deleted, the name of the document or file (if any), the time of provision, and the method of providing the information], reason and purpose when making the request, relevant information depending on the specifics of the request (e.g. whether the requested document needs to be provided in the form of a file or paper format, the address for receiving documents, etc.).
All costs (if any) arising from the fulfillment of the requests stated herein, including the cost of printing, photocopying, postage, courier fees for sending the data, shall be borne by the requester and must be paid no later than upon receipt of the data or a period set by the Company.
The Company will process the requests of the Personal Data Subject in accordance with the provisions of law and consider the legitimate interests of the Personal Data Subject. However, in the event that the Personal Data Subject withdraws his/her consent, requests the deletion of the data and/or exercises other relevant rights with respect to any or all of the Personal Data that affects the Company’s ability to provide/maintain its products, services to the Personal Data Subject or to maintain the contractual relationship, depending on the nature of the Personal Data Subject's request, the Company may consider and decide not to continue to provide the Company's products and services to the Personal Data Subject or terminate the contractual relationship between the Company and the Personal Data Subject. Acts carried out by the Personal Data Subject under this provision shall be deemed to be a unilateral termination by the Personal Data Subject of any relationship between the Personal Data Subject and the Company, which may lead to a breach of obligations or contractual commitments between the Personal Data Subject and the Company, and the Company reserves its legal rights and remedies in such cases. Accordingly, the Company will not be liable to the Personal Data Subject for any losses incurred and the Company's legal rights will be fully reserved.
With reasonable efforts, the Company will implement the lawful and valid requests from the Personal Data Subject within a reasonable time in accordance with the applicable provisions of law. However, for security purposes, the Company may require the Personal Data Subject to verify his/her identity before processing the Personal Data Subject's request.
The Company has the right to refuse to implement the requests of the Personal Data Subject in certain cases, including but not limited to: (i) The Personal Data Subject does not comply with the guidelines and procedures instructed by the Company in which the content of the request lacks information or is invalid; (ii) The Personal Data Subject fails to provide or provides insufficient papers and documents for identity verification; or (iii) in case the Company assesses that there are signs of fraud or violation of Personal Data protection; or (iv) the applicable provisions of law do not allow the implementation of the request of the Personal Data Subject.
10. OBLIGATIONS OF THE DATA SUBJECT
10.1. To self-protect Personal Data; request other relevant organizations and individuals to protect their Personal Data. To promptly notify the Company when detecting any errors, mistakes, leaks of Personal Data or suspicion that Personal Data is being breached.
10.2. To respect and protect the personal data of others.
10.3. To provide complete and accurate Personal Data when giving consent to Personal Data Processing. If there is any false information, the Personal Data Subject shall bear the costs incurred in the event that such information affects or restricts the rights of the Personal Data Subject.
10.4. To comply with the provisions of law on personal data protection and participate in the prevention and combat of violations of regulations on personal data protection.
10.5. Other responsibilities as prescribed by the provisions of law.
11. MISCELLANEOUS
11.1. The Personal Data Subject confirms that, by accepting this Policy, the Personal Data Subject has consented to the processing of Personal Data by the Company, the organization or individual participating in the Personal Data Processing as set out in this Policy. The Personal Data Subject has clearly known the type of data to be processed, the purpose of the data processing, the individual and organization authorized to process the Personal Data, and his/her rights and obligations in relation to the Personal Data. The Personal Data Subject has been notified by the Company, known and consented to all contents that need to be notified before the Personal Data is processed by the Company, organizations and individuals participating in the Personal Data Processing. The Personal Data Subject agrees that the Company, organizations and individuals involved in the Personal Data Processing do not need to provide further notifications before the Personal Data Processing.
11.2. If you have any questions about the Company's personal data protection, please contact us and we will try to answer your question as soon as possible. The Personal Data Subject can also contact us at the address below:
- Contact Address: Kaisone Phomvihane Road, Phakhao Village, Xaythany District, Vientiane Capital, Laos.
- Email Address: DPOoffice@greensm.com
- Telephone: 021 988 888
11.3. This Policy is effective from 13 April 2026.

XanhSM Sole Co., Ltd
Hotline: 021 988 888
Email: support.la@greensm.com
Kaison Phom Temple Road, Pha Vaish Village, Chaitani District, Vientiane Province
© 2024 GSM. All rights reserved