CTCP Savian – Chính sách Bảo mật
Cập nhật lần cuối: February 2026
Welcome to Savian! This Privacy Policy explains how Savian Joint Stock Company ("Savian JSC", "we", "us", or "our") collects, uses, shares, and protects your personal data when you use our website or services (collectively, the "Platform"). By using the Platform, you agree to this policy.
CTCP Savian – Chính sách Bảo mật
Applies to savian.ai.vn and all Savian products and services.
Chúng tôi là ai
Savian Joint Stock Company ("Savian JSC") is an AI technology company incorporated in Vietnam. We develop and operate AI-powered products including SAVI (our conversational AI assistant), the Savian LMS Plugin for learning management systems, and related software services. Our website is savian.ai.vn.
This policy applies to all users of savian.ai.vn and Savian products. For data collected specifically through the LMS Plugin, see Part B of this policy.
1. Dữ liệu chúng tôi thu thập
Information you provide directly:
- Account information: name, organisation, and role when you register or contact us.
- Communications: messages you send us via email or contact forms.
- Product usage: any content you submit when using our services (e.g. prompts, documents, chat messages).
Information collected automatically:
- Technical data: IP address, browser type and version, device type, operating system.
- Usage data: pages visited, features used, time spent on the Platform, click interactions.
- Log data: server logs recording access events, error reports, and timestamps.
Cookies and similar technologies:
- Session cookies to maintain your login state.
- Preference storage via localStorage for UI settings such as language and theme.
- We do not currently use third-party advertising or cross-site tracking cookies. See Section 8 for details.
2. Cách chúng tôi sử dụng dữ liệu của bạn
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Providing and operating our services | Art. 6(1)(b) — Performance of a contract |
| Creating and managing your account | Art. 6(1)(b) — Performance of a contract |
| Responding to enquiries and support requests | Art. 6(1)(b) — Performance of a contract / Art. 6(1)(f) — Legitimate interests |
| Improving and developing our Platform | Art. 6(1)(f) — Legitimate interests |
| Analytics and usage monitoring | Art. 6(1)(f) — Legitimate interests |
| Giao tiếp: Để gửi các bản cập nhật, bản tin, v.v. | Art. 6(1)(a) — Consent (you may unsubscribe at any time) |
| Complying with legal obligations | Art. 6(1)(c) — Legal obligation |
Where we rely on legitimate interests, we have balanced those interests against your rights. You may object to processing based on legitimate interests — see Section 7.
4. Chia sẻ dữ liệu
We do not sell, rent, or trade your personal data to third parties for commercial purposes.
- Dịch vụ We may share data with carefully selected third-party providers who help us deliver the Platform (e.g. hosting, email delivery, analytics). These providers act as data processors and are bound by contractual obligations to protect your data.
- Legal compliance: We may disclose data to competent authorities if required by Vietnamese law, court order, or other legal obligation.
- Trợ lý kinh doanh In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity, with advance notice provided to you.
Phân tích dữ liệu
We retain your personal data only for as long as necessary to fulfil the purposes described in this policy or as required by applicable law.
- Account data: Retained while your account is active and for up to 12 months after account closure, to handle any outstanding queries or legal obligations.
- Usage and log data: Typically retained for up to 90 days for operational purposes.
- Tự Động Hóa Retained for up to 3 years to maintain a record of our interactions.
- Marketing consent records: Retained until you withdraw consent.
You may request deletion of your personal data at any time — see Section 7 for your rights.
6. International Data Transfers
Savian JSC is based in Vietnam. Your data is primarily processed and stored on servers located in Vietnam.
If you are located in the EU, EEA, or UK, transferring personal data to Vietnam may involve a transfer to a country without an EU adequacy decision. In such cases, we rely on appropriate safeguards including:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Data Processing Agreements (DPAs) with our service providers.
To request a copy of the applicable transfer safeguards, contact us at info@savian.ai.vn.
5. Quyền của bạn
Depending on your location, you may have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR): Request a copy of the personal data we hold about you.
- Right to rectification (Art. 16 GDPR): Ask us to correct inaccurate or incomplete data.
- Right to erasure (Art. 17 GDPR): Request deletion of your personal data (the "right to be forgotten"), subject to legal retention obligations.
- Right to restrict processing (Art. 18 GDPR): Ask us to pause processing of your data in certain circumstances.
- Right to data portability (Art. 20 GDPR): Receive your data in a structured, machine-readable format.
- Right to object (Art. 21 GDPR): Object to processing based on legitimate interests, including direct marketing.
- Right not to be subject to automated decisions (Art. 22 GDPR): Request human review of any significant decision made solely by automated means. See Section 11.
- Right to withdraw consent: Where processing is based on your consent, you may withdraw it at any time without affecting prior processing.
Under Vietnam's Decree 13/2023/ND-CP, Vietnamese residents also have the right to access, correct, and delete their personal data.
To exercise any of these rights, contact us at info@savian.ai.vn. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.
8. Cookies & Tracking
We use a minimal set of cookies and browser storage:
- Session cookies: Set by our server to maintain your authenticated session. These are deleted when you close your browser.
- localStorage: Used to store UI preferences (e.g. language, theme). This data stays on your device and is never transmitted to our servers.
- CSRF tokens: Short-lived tokens used to protect form submissions from cross-site request forgery.
We do not use advertising cookies, social media tracking pixels, or cross-site tracking technologies. You can disable cookies in your browser settings, though this may affect Platform functionality.
6. Bảo mật
We implement reasonable technical and organisational security measures to protect your personal data, including:
- Encrypted connections (HTTPS / TLS 1.2+) for all data in transit.
- Access controls restricting data access to authorised personnel only.
- Regular review of our security practices.
No security system is completely infallible. In the event of a data breach that poses a risk to your rights, we will notify affected users and relevant authorities as required by law.
10. Children's Privacy
Our Platform is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16 without verifiable parental or guardian consent. If you believe we have inadvertently collected data from a child, please contact us immediately at info@savian.ai.vn and we will delete the data promptly.
11. AI & Automated Decisions
Our Platform uses artificial intelligence to provide features such as conversational assistance, content generation, and writing assessment. We are transparent about how AI is used:
- AI-generated responses: AI suggestions and chat responses are generated by our models. They are tools to assist you — final decisions remain with you or your institution.
- Tác Nhân Viết Nội Dung Our AI may generate CEFR or IELTS scores for submitted writing. Where such scores are used for grading purposes, you have the right to request human review of any AI-generated assessment (GDPR Art. 22).
- No profiling for sensitive decisions: We do not use automated profiling to make decisions about your creditworthiness, employment, or other legally significant matters.
7. Thay đổi Chính sách này
We may update this policy from time to time to reflect changes in our practices or applicable law. We will notify you of significant changes by updating the "Last Updated" date at the top of this page and, where appropriate, by sending an email notification to registered users. We encourage you to review this policy periodically.
Liên hệ
Part B — LMS Plugin Supplementary Privacy Notice
Applies to the Savian AI plugin for Learning Management Systems (LMS) such as Moodle. This notice supplements Part A and takes precedence where it conflicts.
Đổi mới
This notice explains how the Savian AI LMS Plugin ("the Plugin") — available for platforms such as Moodle — collects, processes, stores, and transfers personal data when installed on a Learning Management System. It is intended for:
- LMS administrators (e.g. Moodle site admins) who install and configure the Plugin
- Teachers who use it to create content, monitor analytics, and manage writing tasks
- Students who interact with AI chat, submit writing, and receive feedback
The Plugin is designed to comply with the General Data Protection Regulation (EU) 2016/679 (GDPR), the UK GDPR, and equivalent data protection laws. For Moodle deployments it implements Moodle's Privacy API so that site administrators can export or delete any individual's data through Moodle's built-in Privacy & Policies tool.
B2. Data Controller and Processor Roles
| Role | Party |
|---|---|
| Trung Tâm Điều Hành Savian (Savian Control Tower) | The institution (school, university, or organisation) that operates the LMS |
| 3. Xử lý dữ liệu | Savian AI (processes data on behalf of the controller via its API) |
The institution's LMS administrator is responsible for ensuring appropriate Data Processing Agreements (DPAs) are in place before deploying the Plugin, and that end users have been informed of this notice.
B3. What Personal Data Is Collected
B3.1 Data Stored Locally in the LMS Database
For Moodle deployments, all data is stored within the institution's own LMS database in tables prefixed local_savian_ai_. The categories of personal data stored locally include:
- Chat conversations and messages: Conversation metadata (title, timestamps) and the full text of each chat turn, including any optional feedback ratings or comments left by the user.
- AI content generation records: Logs of who triggered each AI content generation (quiz, course material, etc.), the generation type, and outcome.
- User interface preferences: Widget position and minimised state, linked to user ID.
- Uploaded document metadata: Title, uploader ID, and course association. Document file content is stored in the LMS file system, not in Plugin tables.
- Course configuration and restriction records: Which administrator last modified course AI settings, and when.
- Analytics events and reports: Interaction events (e.g. chat sent, feature used) linked to user and course IDs; cached analytics data uses a pseudonymous (one-way hashed) user identifier.
- Writing tasks and submissions: Writing assignment definitions (teacher ID, title) and student submissions including the AI-generated feedback JSON and word count.
B3.2 Data Sent to the External Savian AI API
When users interact with the Plugin, certain data is transmitted to Savian AI's servers to generate AI responses:
| Data | When transmitted | Sent in identifiable form? |
|---|---|---|
| LMS user ID | Every chat message, writing submission | Yes — used for session tracking |
| Course ID | Every request | Có |
| Liên hệ với chúng tôi | Every chat turn | Có |
| Uploaded document content | On document upload | Có |
| Analytics usage statistics | Periodic background sync | No — anonymised before sending |
| Writing submission text | On writing submission | Có |
Server location: Savian AI's API is hosted in Vietnam. Data transferred outside the EU/EEA is subject to appropriate safeguards (see B7).
Retention by Savian AI: Chat messages and document content are processed transiently and are not permanently retained beyond what is needed to generate the response, unless explicitly stated in the API Terms of Service.
3. Xử lý dữ liệu
| Tự động hóa quy trình | Legal basis (GDPR Art. 6) |
|---|---|
| Storing chat history for the user to review | Art. 6(1)(b) — Performance of a contract (educational service) |
| Sending messages to the AI API to generate responses | Art. 6(1)(b) — Performance of a contract |
| Analytics to improve teaching quality | Art. 6(1)(f) — Legitimate interests of the institution |
| Writing assessment and gradebook integration | Art. 6(1)(b) — Performance of a contract |
| UI preference settings | Art. 6(1)(f) — Legitimate interests |
| Audit logs (time-created fields) | Art. 6(1)(c) — Legal obligation / Art. 6(1)(f) — Legitimate interests |
Where the institution relies on consent (e.g. for optional feedback ratings), consent can be withdrawn at any time without affecting other processing.
B5. Data Subject Rights
The Plugin implements the LMS's built-in privacy tools. For Moodle deployments, all data categories are accessible through Moodle's Privacy & Policies interface (Site admin → Privacy and policies):
| Right | How it is fulfilled |
|---|---|
| Right of access (Art. 15) | The LMS's "Export user data" tool exports all data categories |
| Right to erasure (Art. 17) | The LMS's "Delete user data" tool deletes all rows linked to the user |
| Right to data portability (Art. 20) | Export produces JSON files for each data category |
| Right to restrict processing (Art. 18) | Institution can delete local data and revoke API access |
| Right to object (Art. 21) | Users may contact their institution's DPO |
Data subjects should direct requests to the LMS administrator or DPO of their institution — not to Savian AI directly, as Savian AI acts as data processor.
B6. Data Retention
| Phân tích dữ liệu | Default retention |
|---|---|
| Chat conversations & messages | Until the LMS user account is deleted, or until deleted manually by admin |
| Writing submissions & feedback | Until the LMS user account is deleted, or until the task is deleted |
| Analytics events | Subject to the institution's analytics data-retention policy; can be purged via the LMS Privacy API |
| Analytics cache (anonymised) | 90 days (configurable) |
| UI settings | Until the LMS user account is deleted |
| API-side transient data | Cleared after each API response per Savian AI's Terms of Service |
Institutions should define their own retention schedules and use the LMS's scheduled tasks or Privacy API to enforce deletions.
B7. International Data Transfers
The Savian AI API is operated from Vietnam, outside the EU/EEA. Data transferred to the API is subject to:
- The institution's responsibility to ensure an appropriate transfer mechanism is in place (e.g. Standard Contractual Clauses, adequacy decision, or explicit user consent) before deploying the Plugin in EU/EEA contexts.
- Savian AI's commitment to process data only as instructed and to implement appropriate technical and organisational security measures.
Institutions in the EU/EEA are advised to contact Savian AI at info@savian.ai.vn to obtain an executed Data Processing Agreement (DPA) before deployment.
An ninh là ưu tiên hàng đầu
The Plugin implements the following technical safeguards:
- All API calls use HTTPS (TLS 1.2+)
- Analytics data is anonymised before leaving the LMS server — a one-way hash replaces the real user ID
- Capability-based access control — teachers and students only access data they are authorised to see
- CSRF protection on all state-changing operations (e.g.
require_sesskey()in Moodle) - Output escaping on all user-supplied content rendered in HTML
- No raw SQL — all database queries use the LMS's database abstraction layer (parameterised queries)
- API credentials are stored encrypted in the LMS configuration, not in code
The institution is responsible for the security of its LMS server, database, and network infrastructure.
B9. Cookies and Local Storage
The Plugin does not set any additional cookies beyond those set by the LMS itself. It uses the browser's sessionStorage only for transient UI state (e.g. partially typed messages) that is never sent to any server.
B10. Children's Data
The Plugin does not include any age-verification mechanism. Institutions using the Plugin with learners under the age of 16 (or the applicable local age of digital consent) must obtain appropriate parental or guardian consent and ensure that the processing of children's data complies with applicable law (e.g. GDPR Art. 8, COPPA).
Ra quyết định nhanh hơn
The Plugin uses AI to:
- Tạo chiến dịch đầy đủ — AI-generated suggestions deployed by a human teacher; no automated legal or significant decisions are made.
- Assess writing submissions — The AI returns a CEFR level or IELTS band score. This score is recorded in the LMS gradebook and may influence a student's course grade.
7. Thay đổi Chính sách này
Savian AI will publish updated versions of this policy at savian.ai.vn/privacy-policy/ and will notify LMS administrators via the plugin release notes. Continued use of the Plugin after an update constitutes acceptance of the revised terms.
Liên hệ
For data subject requests:
Contact the Data Protection Officer (DPO) or LMS administrator of your institution.
Need detailed compliance documentation?
For detailed technical compliance documentation — including full database schema, Privacy API registration details, field-level data inventory, and DPA templates — please contact us at info@savian.ai.vn. We will respond within 5 business days.
