Policies

HomeSafe Privacy Policy

Privacy Policy

Security

Terms of Service

HomeSafe Privacy Policy

Last updated: 05:28 10-06-2026

CyStack HomeSafe (hereinafter referred to as "We", "Us", or "the Application") understands that your family’s privacy and data security are of the utmost importance. This Privacy Policy outlines the privacy rules applicable to all information collected when you access, install, or use our services.
This Privacy Policy is an integral part of CyStack’s Terms of Service, which you—as the user of the service and the parent or legal guardian of the child—must read and accept before using our services. If you do not agree with how we Collect, Store, Process, Use, and Share data (as specified in Section 2 of this Policy), please do not use the service.
When referring to "children", we mean individuals under the age of 16 (in accordance with Vietnamese law). If you are a child between the ages of 7 and under 16, you must read (or have your parents/legal guardians explain) and accept the contents of Section 6.

1. Terms and Definitions

  • "Personal Data": refers to information in the form of symbols, letters, numbers, images, sounds, or similar forms in the electronic environment that is associated with a specific individual or helps identify a specific individual. Personal Data includes basic personal data and sensitive personal data.
  • "Sensitive Personal Data": refers to personal data associated with an individual's privacy which, if violated, will directly affect the legitimate rights and interests of that individual.
  • "Parents/Legal Guardians" (hereinafter collectively referred to as "Parents"): refers to the biological parents, adoptive parents, or legal guardians (under Vietnamese law) of a Child under 16 years old.
  • "Child/Children": refers to individuals under the age of 16 (under Vietnamese law).
  • "Processing of Personal Data" (or "Data Processing"): refers to any operation or set of operations performed on personal data by our application, including but not limited to: collecting, recording, analyzing, verifying, storing, modifying, disclosing, combining, accessing, retrieving, recovering, encrypting, decrypting, copying, sharing, transmitting, providing, transferring, deleting, or destroying personal data.

2. Data Collection and Purposes of Processing

We limit data collection to the minimum necessary to provide services to users. All data we collect is listed below; children's personal data is marked with an asterisk (*) for differentiation.

2.1 For Parent or Legal Guardian Accounts

Data provided by you:

  • Email Address: We require your email address for the account creation process. This data is necessary for identity verification, account setup, system notifications, and technical support contact.
  • Child's Age (*): The child's age helps determine if your child is the appropriate target audience for the Services we provide. You are required to provide the accurate age of your child and bear full legal responsibility for the authenticity of the information provided.

Data collected automatically via technology:

  • Device and Browser Data: Operating system, browser type and version, device identifiers, and IP address. This is used for account security, service optimization, and legal compliance (e.g., displaying regional notifications based on IP).
  • Usage Data: Pages visited, features used, timestamps, and interaction behavior. This is used to improve service performance and user experience.
  • Cookies and Similar Technologies: We use essential cookies for core functionality, analytical cookies (such as Google Analytics) to measure performance, and affiliate cookies to track referral partners. You can manage your cookie preferences through your browser settings or the cookie consent mechanism on our website (if available).

Data received from Third Parties:
If you log into the application through other single sign-on (SSO) gateways such as Google, Apple, etc., the only information we request is the Default Public Profile Information, which includes your email and/or profile picture.

2.2 For Children's Devices

Data on children's devices is collected automatically via technology. Except for device specifications, all other data is retained on the system for a maximum of 7 consecutive days, after which the system will automatically perform a permanent, irreversible deletion process.

  • Software Inventory (*): A catalog of all applications that have been and are currently installed on the child's device. This information allows parents to view, manage, set time limits, or lock/unlock specific applications to protect children from inappropriate content.
  • Application Usage Logs (*): The start time, end time, and total duration of the child's usage of each specific software. This data helps parents understand their child's digital habits, allowing for corresponding adjustments if necessary.
  • Search and Website Access Logs (*): Browser search keyword history and the URLs of websites the child has accessed or attempted to access. This data is cross-referenced with our safety filters to block malicious websites and to inform parents about the content their child has encountered.
  • Location Data (*): GPS coordinates, nearby cell tower info, or Wi-Fi networks surrounding the child's device. Note: This is Sensitive Personal Data under Vietnamese law. Parents/legal guardians can disable this feature if they do not want this data to be collected.

3. Our Personal Data Processing Measures

We commit to implementing the necessary technical and organizational measures to protect the personal data of Parents and Children from accidental loss, destruction, or unauthorized disclosure. Our data processing practices are as follows:

3.1 Confidentiality and Disclosure

We commit to strictly securing all collected personal data in accordance with Vietnamese law. Data disclosure is only executed in the following cases: i) Sharing with third-party service providers (under Section 3.7 below); ii) Mandatory requests under Vietnamese law.

3.2 Data Collection

We commit to only collecting personal data directly as displayed on the application installed on the Parent’s and Child’s devices, and we do not collect hidden data outside the scope of serving the application's monitoring features. The list of collected data is specified in Section 2 of this Policy.

3.3 Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this Policy:

  • Active accounts: Data is retained for the duration of your account or service agreement.
  • After account deletion: Data belonging to your account is deleted or anonymized after 14 days of account deletion, except where longer retention is required for legal, tax, or accounting obligations.
  • General limit: Where no specific retention requirement applies, we do not retain personal data for longer than two (2) years after your last interaction with us.
  • Request for deletation: You can request to delete your account or all your data via email address support@cystack.net. The deletation is processed as stated in Section 4 of this Policy.

3.4 Data Usage

We commit to using the collected data solely for the purposes clearly stated in Section 2 of this Policy.

3.5 Data Security

We implement technical and organizational measures to protect your data, including encryption in transit (TLS 1.2+) and at rest (AES-256), access controls based on the principle of least privilege, regular internal and external security assessments, and continuous monitoring with real-time alerting.

For a detailed description of our security practices, see our Security page.

3.6 Data Sharing

CyStack does not sell, rent, or trade your personal data.

We may share data in the following limited circumstances:

  • Service providers: With trusted third-party vendors who assist in operating our Services (e.g., cloud infrastructure, payment processing, analytics), bound by data processing agreements requiring equivalent data protection.
  • Legal obligations: When required by applicable law, regulation, court order, or governmental authority.
  • Business transfers: In connection with a merger, acquisition, or asset sale, your data may transfer to the successor entity under equivalent privacy protections. We will notify you before such transfer takes effect.

3.7 Cross-Border Data Transfers

CyStack is headquartered in Vietnam with operations in Canada, and engages service providers in various countries. When personal data is transferred outside your jurisdiction, we ensure appropriate safeguards are in place.
For transfers from the European Economic Area (EEA), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission.
For transfers of Vietnamese citizens' data, we comply with the cross-border data transfer requirements under Vietnam's Law on Personal Data Protection (Law No. 91/2025/QH15), including conducting Data Protection Impact Assessments (DPIA) and filing transfer dossiers with the Ministry of Public Security as required.

3.8 Compliance with Vietnamese Law

CyStack complies with Vietnam's data protection framework, including:

  • Law on Personal Data Protection (Law No. 91/2025/QH15), effective January 1, 2026, which establishes comprehensive rights for data subjects and obligations for data controllers and processors.
  • Decree No. 356/2025/NĐ-CP on Personal Data Protection, effective January 1, 2026, which introduced foundational requirements for consent, data processing, impact assessments, and cross-border transfers.
  • Law on Cybersecurity (Law No. 24/2018/QH14) and its implementing Decree No. 53/2022/NĐ-CP.

Under these regulations, CyStack fulfills the following obligations:

  • Obtaining clear, informed consent before collecting and processing personal data, in compliance with statutory requirements for consent form and content.
  • Distinguishing between basic personal data and sensitive personal data, and applying enhanced protections for sensitive data categories.
  • Maintaining Data Protection Impact Assessment (DPIA) records for data processing activities as required.
  • Appointing a designated data protection function responsible for overseeing compliance.
  • Notifying the competent authority (Ministry of Public Security) in the event of a personal data breach, within the timeframe prescribed by law.
  • Complying with cross-border data transfer requirements, including impact assessments and regulatory filings when transferring Vietnamese citizens' data outside Vietnam.

4. Your Rights Under Vietnamese Law

According to the Personal Data Protection Law (Law No. 91/2025/QH15), Parents (and children aged 7 and older) hold the following rights:

  • Right to be informed: Know what personal data is collected and how it is processed.
  • Right to consent: Provide or withdraw consent for the processing of your personal data.
  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate or incomplete data.
  • Right to erasure: Request deletion of your personal data. If you delete your CyStack account, your data will be deleted as stated below in this section.
  • Right to restrict processing: Request limitation of data processing activities in certain circumstances.
  • Right to object: Object to the processing of your personal data where processing is based on legitimate interests.
  • Right to data portability: Request your personal data in a structured, commonly used, and machine-readable format.

To exercise any of your rights, please contact us at support@cystack.net. We will respond within the timeframes prescribed by law, specifically as follows:

  • Initial Response: Within 02 working days from the receipt of a valid request (regarding withdrawal of consent, deletion, correction, etc.).
  • Completion of Consent Withdrawal: Within 15 days.
  • Completion of Access and Correction Rights: Within 10 to 15 days.
  • Completion of Data Deletion Rights: Within 20 to 30 days

5. Your Rights Under GDPR (EEA Users)

If you are located in the European Economic Area (EEA), the following additional provisions apply:

Data Controller: Vietnam CyStack JSC acts as the data controller for personal data processed through the Services.

Legal Bases for Processing:

  • Performance of contract: Processing necessary to provide you with the Services under our Terms of Service.
  • Legitimate interest: Administering business communications, ensuring service security and reliability, and understanding how our products are used - balanced against your rights and interests.
  • Consent: For marketing communications and any other processing where consent is the applicable legal basis. You may withdraw consent at any time without affecting the lawfulness of prior processing.

Your GDPR Rights:

In addition to the rights listed in Section 10, EEA users may:

  • Object to processing based on legitimate interests (including for marketing purposes).
  • Request data portability (where processing is based on consent and carried out by automated means).
  • Lodge a complaint with a supervisory authority in your member state.

6. Special Provisions for Children

For children (from full 7 to under 16 years old), we have designed this section using simplified language so that the younger members of the family can read, understand, and exercise their autonomy.
KIDS' CORNER!
Hi there! If you are between 7 and under 16 years old, this section is just for you!
Your parents installed this app on your device to act as a "Guardian Knight" to protect you from dangers on the internet (like bad, scammy websites, or violent content). To do this, your Guardian Knight needs your permission to know the following information:

  • Where you are: So if you ever get lost, your parents can find you right away.
  • What apps you use and for how long: To remind you to take a break so your eyes don't get tired.
  • What content you look at online: To block bad websites from reaching you.

Your data is only saved for the last 7 days. We automatically delete everything older than that to make sure your info is never accidentally or intentionally misused.
Our Promise: The app will only send this information to your Mom/Dad to help them protect you better. The app will never send this information to strangers or any other organizations (except for the trusted service providers we use for the app, who protect your data completely).
If you understand and are ready to team up with your Mom/Dad to stay safe, please tap the "I Agree" button on the screen below! You also have the right to ask your parents to turn off the app at any time if you no longer wish to use it.

7. Changes to the Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, products, or applicable laws. When material changes are made, we will update the "Last Updated" date at the top of the page and, when necessary, notify you via email or through an in-product notification. We encourage you to review this Policy periodically.

8. Contact Us

For any questions, concerns, or requests regarding this Policy or your personal data, please contact:

CyStack Vietnam Joint Stock Company
Email: support@cystack.net
Address: Tan Hong Ha Building, 317 Truong Chinh, Hanoi, Vietnam
Phone: (+84) 247 109 9656