EmBox

Privacy Policy

Last updated: May 18, 2026

Your privacy matters to us. This page explains what data the Embox App collects, why we collect it, and how we protect it.

1. Introduction

This Privacy Policy describes how EMBOX (“we”, “us”, or “our”) collects, uses, and shares information about you when you use our mobile application (“Embox App”) and related services. By using our App you agree to the practices described in this policy. If you have questions, contact us at support@embox.vn.

2. Information We Collect

Account Data

Phone number (required for registration and SMS OTP verification), and optionally: full name, email address, and delivery address stored in your profile.

Device & Operational Data

Vending machine serial number, slot status, and hardware heartbeat data (battery level, temperature, WiFi connectivity state) that are reported automatically by the physical device you claim and manage.

Transaction Data

Purchase records, order history, and wallet balance snapshots (top-up, sales, commission). We do not store end-user bank card numbers or full bank account credentials for customers purchasing from your vending machine.

Partner Payout Account Data

If you are a partner (operator), the bank account number and bank name you provide for commission payouts are stored and protected with HMAC-SHA256 integrity verification to prevent unauthorised modification.

3. How We Use Your Information

  • Create and manage your account, including SMS OTP-based identity verification.
  • Process vending machine claim, transfer, and configuration operations.
  • Generate VietQR payment codes and record sales transactions.
  • Calculate and track partner wallet balances and commission payouts.
  • Display real-time device status (battery, temperature, slot inventory) in the App.
  • Fulfil B2B product orders placed through the App.
  • Provide technical support and respond to your inquiries.
  • Maintain security audit logs of critical actions (login, device claim, payment changes).

4. Permissions We Request

The App requests the following device permissions. We request only the permissions necessary for the stated purpose.

Bluetooth — BLUETOOTH, BLUETOOTH_CONNECT, BLUETOOTH_SCAN

Required to configure your vending machine's WiFi credentials via Bluetooth Low Energy (BLE / BluFi protocol). Bluetooth data is transmitted only to the paired physical device and is never sent to third parties or stored on our servers.

Location — ACCESS_FINE_LOCATION, ACCESS_COARSE_LOCATION

Android requires location permission when an app scans for nearby BLE devices. This permission is used solely to discover your vending machine over Bluetooth. We do not collect, store, or transmit your geographic location to our servers.

5. Data Sharing

VietQR Payment Processor

When a customer initiates a purchase at your vending machine, we send the transaction amount and a unique reference code to VietQR to generate a payment QR code. No bank card numbers or personal customer data are shared with VietQR beyond what is required to process the payment.

No Sale of Personal Data

We do not sell, rent, lease, or trade your personal data to any third party for their own marketing or commercial purposes.

Legal Disclosure

We may disclose your data if required to do so by law or in response to a valid legal request (e.g. court order or government authority).

6. Data Security

We implement industry-standard security measures to protect your data, including:

  • HTTPS encryption for all data in transit.
  • Password hashing with bcrypt (cost factor 12).
  • Short-lived JWT access tokens (15 minutes) and secure refresh tokens (7-day expiry).
  • HMAC-SHA256 integrity verification for stored payment account information.
  • Automatic account lockout after 5 consecutive failed login attempts (15-minute cooldown).
  • Rate limiting on sensitive endpoints to prevent brute-force attacks.

No method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.

7. Data Retention

  • Refresh tokens are invalidated after 7 days.
  • Password reset tokens expire after 1 hour; phone verification tokens after 24 hours.
  • Transaction records and audit logs are retained as required by applicable Vietnamese law and accounting regulations.
  • Account and profile data is retained for the lifetime of your account and deleted upon a verified account deletion request.

8. Your Rights

You have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion of your account and associated personal data.
  • Withdraw consent for optional data processing at any time.

To exercise these rights, contact us at support@embox.vn. We will respond within 30 days.

9. Children's Privacy

The Embox App is intended for use by hotel and business operators aged 18 and above. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal information, please contact support@embox.vn and we will promptly delete the data.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last Updated” date at the top of this page and, where appropriate, notify you via the App or email. Your continued use of the App after any changes constitutes your acceptance of the updated policy.

11. Contact Us

If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at: support@embox.vn

Questions? support@embox.vn