Site Policy

1. CERTAIN DISCLAIMERS

NITORI FURNITURE (hereinafter the Company) strives to ensure the information on this website is accurate but does not guarantee its completeness or accuracy. The Company is not liable for any direct or indirect damages from using this website.
Information on the website may be changed without notice.

2. Copyrights and Trademarks

All content on our website, including texts, illustrations, logos, photos, videos, and software, is copyrighted by the Company or the Company’s parent company (NITORI HOLDINGS CO., LTD.) or third parties. You may not use this content without prior permission from the copyright holder, unless allowed by law.
The Company’s products or services mentioned on our website are trademarks of the Company or the Company’s parent company. Unauthorized use of these logos and marks, or linking them, is prohibited without permission.

3. Links to Our Website

Links to our website are generally unrestricted. However, please avoid creating links if the site falls or may fall under any of the following categories:

  • Sites that contain content which slanders or undermines the credibility of the Company or others.
  • Sites that infringe or are likely to infringe intellectual property rights, property rights, privacy rights, or any other rights such as copyrights of the Company or any other person.
  • Sites that place our website within a frame or otherwise cause misunderstanding among third-party visitors (Please set the screen to completely switch to the home page or open a new browser window so that our website is displayed).
  • Sites that may violate laws, ordinances, regulations, or public order or morals, or interfere with the operation of our website services in addition to the above items.

We also request that links are not created in a manner that would mislead visitors about the source of information like being from the Company. Please note that our website URLs may change without notice, and the Company is not responsible for any complaints related to these links.

4. Handling of Information

The Company shall adhere to our Privacy Policy.

Personal Data Privacy Policy

5. Governing Law and Jurisdiction

Vietnamese law governs the use of our website. Accessing andusing our website is the user’s responsibility.

Privacy policy personal data protection

NITORI FURNITURE VIETNAM EPE, based in Quang Minh Industrial Park I, Hanoi (“Company”), will process Personal Data of relevant individuals (“Data Subjects”). The Company values lawful and proper data processing, committing to confidentiality. This Data Protection Policy informs Data Subjects about the purposes, scope, methods, and procedures for collecting, using, and processing Personal Data, ensuring compliance with legal regulations on data protection.

This policy applies to the following subjects:

  • Employees who are currently/formerly under probation/employment contracts/ training agreements with the Company.
  • Candidates for positions that the Company requires recruitment for; and
  • Contractors/Suppliers with a business relationship with the Company. This Policy applies within the scope of the Company, where the Company assumes the role of Data Controller and Processor for the Personal Data collected from the applicable

Personal Data: Information in the form of symbols, writing, numbers, images, sounds, or similar formats in electronic environments associated with a specific individual or aiding in the identification of a specific individual. Personal data includes basic personal data and sensitive personal data.

Information Aiding in the Identification of a Specific Individual: Information obtained from an individual’s activities, which, when combined with other stored data, can identify that individual.

Data Subject: An individual whose Personal Data is included.

Data Processing/Processing: Activities that affect Personal Data, including collecting, recording, analyzing, confirming, storing, modifying, disclosing, combining, accessing, retrieving, revoking, encrypting, decrypting, copying, sharing, transmitting, providing, transferring, deleting, erasing personal data, or other related actions.

The Company processes various types of Personal Data, including basic personal data and sensitive personal data.

Basic personal data includes:

(a) First name, middle name, last name, other names (if applicable);
(b) Date, month, year of birth; date, month, year of death or disappearance;
(c) Gender;
(d) Place of birth, place of birth registration, permanent residence, temporary residence, current address, hometown, contact address;
(e) Nationality;
(f) Images of individuals;
(g) Phone number, national identification number, personal identification number, passport number, driver’s license number, vehicle registration number, personal tax identification number, social insurance number, health insurance number;
(h) Marital status and dependent information;
(i) Family relationship information (parents, children), information about relatives, emergency contact;
(j) Information about individual’s account numbers, personal data reflecting online activities;
(k) Salary records and tax status information;
(l) Salary and benefit information;
(m) Recruitment information (including reference documents and other information in the CV or job application as part of the recruitment process);
(n) Employment records (including employment contracts, job titles, work history, promotions/demotions, training, disciplinary actions, etc.);
(o) Other information associated with a specific individual or aiding in the identification of a specific individual not covered by the above regulations.

Sensitive personal data includes health status (including any medical conditions, health records, an illnesses), ethnicity, religion, information about criminal records/accusations and criminal activities, detailed bank account information, as defined under the Data Protection Regulations.

Personal data will be collected directly from candidates through the registration and recruitment process, as well as from recruitment support service providers and other third parties (e.g., previous employers, legal background check agencies, local authorities). Additionally, personal data may be obtained through contact forms on this website.

During the period of employment or collaboration with the company, further personal data will be collected in the context of work-related activities and business transactions.

Personal data will be maintained confidentially in accordance with the company’s internal rules. Personal data will only be processed for legitimate purposes, as outlined in this policy, and will not be used in a manner inconsistent with those purposes. Personal data processed must be accurate and current. Other principles adhere to data protection regulations.

Except for personal data processing that does not require the data subject’s prior consent in accordance with the Data Protection Regulation, after obtaining consent from the data subject, the company shall process personal data and share the results of data processing for the following purposes:

  • To fulfill a contract involving the data subject, or to perform tasks necessary before or during the conclusion of such a contract.
  • For the company’s personnel management, human resources, administrative and tax activities, or for the benefit of the data subject.
  • To comply with the company’s legal obligations, internal rules of Nitori Holding Group, or requests from competent government agencies.
  • To respond to emergency situations to protect the health, life, or safety of the data subject or other individuals.

If personal data needs to be processed for other purposes or at the request of the data subject, the company will seek consent and inform the data subject before proceeding with the processing.

  • Data subjects are to be informed of the processing activities related to their personal data, except as otherwise stipulated in the Data Protection Regulation.
  • Data subjects possess the right to consent to or object to the processing of their personal data, except as otherwise stipulated in the Data Protection Regulation.
  • Data subjects have the right to access their personal data and to request amendments to their personal data by submitting a written request to the company, except as otherwise stipulated in the Data Protection Regulation.
  • Data subjects may revoke their consent by submitting a written request to the company, except as otherwise stipulated in the Data Protection Regulation. The revocation of consent does not affect the lawfulness of the data processing activities conducted prior to the withdrawal of consent.
  • Data subjects have the right to request the erasure of their personal data by submitting a written request to the company, except as otherwise stipulated in the Data Protection Regulation.
  • Data subjects can request the restriction of the processing of their personal data by submitting a written request to the company, except as otherwise stipulated in the Data Protection Regulation. The restriction of data processing shall be implemented within 72

    hours of receiving the request from the data subject, unless otherwise provided for in the Data Protection Regulation.

  • Data subjects have the right to request that their personal data be provided to them by submitting a written request to the company, unless otherwise provided for in the Data Protection Regulation.
  • Data subjects may object to the processing of their personal data and restrict its use for advertising or marketing purposes by submitting a written request to the company, unless otherwise provided for in the Data Protection Regulation. The company shall fulfill the request within 72 hours of receiving it, unless otherwise stipulated in the Data Protection Regulation.
  • Data subjects have the right to lodge a complaint, report or initiate legal action in accordance with the provisions of the Data Protection Regulation.
  • Data subjects are entitled to claim damages in accordance with the applicable law in the event of a violation of the Personal Data Protection Regulation, unless an alternative agreement or provision exists within the Data Protection Regulation.
  • Other rights as provided for within the Data Protection Regulation.
  • Adhere to the laws, regulations, and guidelines of the Company concerning the processing of personal data.
  • Furnish complete, truthful, and accurate personal data and other required information, and promptly update this information in case of any changes. The Company ensures the security of personal data based on the provided information. Consequently, the Company shall not be liable for any inaccurate information that affects or limits the rights of the data subject. If inaccurate, incorrect, or incomplete information is provided, or if timely updates about changes are not communicated to the Company, the data subject shall bear responsibility in the event of any risk or loss.
  • Collaborate with the Company, competent authorities, or third parties in addressing issues affecting the security of personal data.
  • Safeguard their own personal data and assume responsibility for information created, provided in the network environment, or compromised due to their own negligence.
  • Respect and protect the personal data of others.

  • Fulfill additional responsibilities in accordance with current data protection regulations.

  • We process the personal data of the data subject in accordance with the purposes, scope, and other terms to which the data subject has consented.
  • We will make any necessary amendments to this policy periodically and notify the data subject prior to implementation.
  • We will implement appropriate measures to protect personal data.
  • All other rights will be upheld in accordance with the provisions of the Data Protection Regulation.
  • We adhere to the Data Protection Regulation when processing personal data.
  • We implement information security measures to prevent unauthorized access, modification, use, or disclosure of personal data.
  • We provide mechanisms for individuals to exercise their rights concerning their personal data.
  • We comply with any other legal obligations.
  • The company reserves the right to determine the appropriate means and methods of processing personal data for the intended purposes.
  • The company is continuously vigilant about safeguarding the data subject’s personal data against leakage, disclosure, destruction, or unintended misuse. Multiple processes have been implemented to ensure the protection of the data subject’s personal data from these risks.

  • When sharing the data subject’s personal data with a third party, the company requires written assurance that they will securely store the data subject’s personal data and comply with applicable legal requirements.

Unintended damage may arise from, but is not limited to, the following circumstances:

  • Hardware or software errors that occur during data processing, resulting in the loss of personal data of data subjects.
  • Security vulnerabilities beyond the Company’s control, leading to system breaches and subsequent leakage of personal data.
  • Voluntary disclosure or leakage of personal data by data subjects for subjective reasons.
  • Natural disasters, fires, and other force majeure events.

Start time: When the data subject signs a personal data processing agreement or consents to data processing, unless consent is not required as per the Data Protection Regulation.

End time: Until the data subject requests to end data processing or as specified by the Data Protection Regulation and company policy. The Company processes personal data for the necessary period—while the data subject is an employee, candidate, customer, or partner of the company. Processing time may be extended after the relationship ends, depending on the purpose of data processing.

  • We have established and maintain a robust system to ensure the appropriate protection of personal information.
  • Additionally, we have implemented a compliance program that is consistently updated and enforced to guarantee adherence to personal information protection by all relevant parties.

  • We are committed to safely managing personal information during processing whenever feasible and ensuring that necessary security measures are in place to prevent unauthorized disclosure, leakage, or access.

The Company shall retain only the Personal Data necessary for the purposes specified in this Policy, unless (i) reasonably requested by the Data Subject, or (ii) required by relevant Company policies or data protection regulations.

  • Upon receiving a written request from a data subject to delete personal data, the Company shall delete the personal data at the earliest opportunity or delegate the deletion to an appropriate party. This action must be completed no later than 72 hours after receiving the request from the data subject, except as specified in the following paragraph.
  • Requests for the deletion of personal data will be denied under the following circumstances: (a) if the Data Protection Regulation prohibits the deletion of the data; (b) if the personal data is processed by a competent national authority for purposes regulated by the Data Protection Regulation; (c) if the personal data has been made public in accordance with the Data Protection Regulation; (d) if the personal data is processed for legal requirements, scientific research, or statistical purposes in compliance with the Data Protection Regulation; (e) in situations involving national defense, national security, public order and safety, severe disaster emergencies, dangerous epidemics, threats that do not reach the level of declaring a state of emergency but pose a threat to security and defense, riots, terrorism, crimes, and the prevention of legal violations; (f) to respond to an emergency that endangers the life, health, or safety of the data subject or other individuals.

Upon receiving a written request from a data subject to correct personal data, the Company will either correct the personal data promptly or delegate the correction to another relevant party. If correction is not feasible, the Company will inform the data subject within 72 hours of their request.

  • The Companyshall not disclose personal data to third parties or personnel not involved in the processing of personal data unless prior authorization has been obtained from the data subject.
  • Upon receiving a written request from the data subject for access to their personal data, the Companyshall comply as soon as possible, but no later than 72 hours after receipt of the request, except as provided herein, or transfer the data to another relevant party.
  • The Company is prohibited from disclosing other personal data under the following circumstances: (a) if it would be detrimental to national defense, national security, public order, and safety; (b) if the disclosure may impact the safety, physical health, or mental well-being of others; (c) if the data subject does not consent to, authorize, or delegate the disclosure of their personal data.

From the start of personal data processing, the Company shall (i) prepare, publish and store a record of the impact assessment of personal data processing in the form and with the content required by the Data Protection Regulation, (ii) submit the impact assessment record of personal data processing, including any amendments, to the competent government authorities within the prescribed period, and (iii) update and provide the impact assessment record of personal data processing to the government authorities (if necessary).

  • The Company shall transfer personal data overseas only in compliance with Data Protection Regulation requirements.
  • Before transferring personal data overseas, the Company shall:

(a) Prepare, publish, and store an impact assessment record as required by the Data Protection Regulation.
(b) Submit this record, including amendments, to the authorities on time.
(c) Update and provide this record regularly.

  • Effective August 1, 2023, this policy may be amended and publicly notified as needed within regulatory limits.
  • Matters not covered here will follow the Data Protection Regulation and authority guidance.

End of text

Established February 28, 2025