Privacy Policy

This policy applies to all collection, storage and processing of personal data through the rihs.org.vn website and related services operated by the Research Institute for Health Science.

Data Controller: Research Institute for Health Science, a science & technology unit under the Vietnam Military-Civil Medicine Association, with legal headquarters at Tower B3, Grand Park Premium, Aqua Bay, Ecopark, Hưng Yên Province.

Personal data protection focal point: MSc Nguyễn Thị Thanh Thắm — Vice Director in charge of Digital Transformation. The formal Data Protection Officer (DPO) will be announced after the Institute issues the official appointment decision per Article 28 of Decree 13/2023/NĐ-CP.

Site analytics: we use Cloudflare Web Analytics — no tracking cookies. Only aggregated metadata is recorded (country, page path, referrer), with no personal identification.

Contact form data: full name, email address, phone number (optional), organisation and message — collected only when the user voluntarily submits a form.

Search queries: keywords entered in the on-site search are pseudonymised after 90 days and used to improve content relevance.

Improve user experience and content quality based on aggregated traffic statistics.

Respond to enquiries, research collaboration requests, training and policy advisory proposals within 2 business days.

Analyse topics and reader interests to guide future policy research and Institute publications.

Consent of the data subject — via the opt-in cookie banner and explicit consent checkbox on contact forms, in accordance with Article 11 of Decree 13/2023/NĐ-CP.

Legitimate interest — supporting the Institute's research mission through anonymised aggregate statistics that do not affect individual rights.

Compliance with legal obligations — retention of audit logs to support inspections by competent authorities upon lawful request.

Cloudflare Inc. — provides CDN, DNS and Web Analytics services. Cloudflare servers are located outside Vietnam but do NOT store form contents or personal data — only connection metadata (anonymised IP, country, path) for security and content delivery purposes.

RIHS is finalising the cross-border data transfer impact assessment dossier required under Article 25 of Decree 13/2023/NĐ-CP for submission to the Department of Cyber Security and High-Tech Crime Prevention (A05) — Ministry of Public Security, while applying supplementary technical safeguards (IP anonymisation, no form payload stored on Cloudflare infrastructure).

RIHS does NOT sell, rent or share personal data with third parties for commercial, advertising or marketing purposes.

Contact form data: 24 months from receipt, after which the data is deleted or fully anonymised (per Article 6 of Decree 13/2023).

Search queries: anonymised after 90 days; aggregate patterns retained up to 12 months for trend analysis.

Cloudflare analytics data: 90 days per the provider's policy.

Audit logs: 12 months to support security incident investigations and lawful authority requests.

Transport encryption: TLS 1.2 or higher for all traffic. Let's Encrypt certificates with auto-renewal.

IP pseudonymisation: HMAC-SHA256 combined with a secret pepper is applied to IP addresses before logging.

Data residency: primary servers are located in a Hà Nội (Vietnam) data centre, in line with Articles 26–27 of the 2018 Law on Cybersecurity.

Access control: a selected set of controls from ISO/IEC 27001:2022, role-based permissions and MFA enforced for administrative accounts.

Under Article 9 of Decree 13/2023/NĐ-CP, you have the following rights over your personal data:

Right to be informed, right of access, right to rectification, right to erasure, right to restrict processing, right to withdraw consent, right to data portability and right to object.

Right to complain, denounce and litigate as provided by law — to the Department of Cyber Security and High-Tech Crime Prevention (A05) of the Ministry of Public Security, or to a court of competent jurisdiction.

Send your request to: [email protected] (subject line: "Personal data rights request"). A dedicated [email protected] inbox will be enabled once the Institute completes administrative provisioning.

Your request should clearly state: full name, contact information, the right you wish to exercise and the related data.

RIHS will respond within 72 hours of receiving the request, in accordance with Article 14(4) and Article 11(6) of Decree 13/2023/NĐ-CP. For complex cases, processing will not exceed 15 working days and the data subject will be notified of the reason.

rihs.org.vn is intended for researchers, policy professionals and adults. We do NOT knowingly collect personal data from children under 16 years of age.

If we discover that data has been collected from a child without the consent of a parent or legal guardian under Article 20 of Decree 13/2023, we will delete it immediately and notify the guardian where contact information is available.

If we detect a personal data breach likely to affect the rights and interests of data subjects, RIHS commits to notifying the Ministry of Public Security and affected data subjects within 72 hours of detection, in accordance with Article 23 of Decree 13/2023/NĐ-CP.

The notification will include: a description of the incident, the categories of data affected, the number of subjects, expected impact and remediation measures taken or planned.

Current version: 1.0, effective 28 May 2026. This is the initial version — there is no prior history.

When material changes are made to how we process data, we will display a banner on the website at least 30 days before the changes take effect and update the effective date at the top of the policy.

All questions, requests or complaints relating to privacy should be addressed to the data protection focal point — MSc Nguyễn Thị Thanh Thắm — via [email protected] (subject line: "Privacy").