UNIKSMART Privacy Policy

The Policy applies globally to the following categories:

1. Merchants / Tenants – Business customers (companies, organisations, sole proprietors) that subscribe to and use DSP.one.
2. Authorised Users – Individuals authorised by a Merchant to access the Services under the Merchant’s account (employees, contractors, agents, collaborators).
3. End‑Users / Consumers – Individuals whose personal data is collected, stored or analysed by Merchants via the Services (for example, buyers, leads, website visitors, social‑media audiences).
4. Visitors – Individuals who browse our public websites, marketing pages or contact us through forms, chat or email.

The scope of this Policy covers all DSP.one modules and products unless a specific service has its own dedicated privacy notice that supplements or overrides this Policy.

2.1 Identity of the data controller

For most processing activities related to operating and improving the DSP.one ecosystem, the data controller is:

We act as data controller for:

• Account registration data and billing information of Merchants and Authorised Users;
• Technical and usage data about how the Services are used;
• Our own sales, marketing and customer‑relationship activities.

2.2 DSP.one as data processor

When Merchants use DSP.one to manage their customers, leads, employees and other individuals, the Merchant is the primary data controller and DSP.one acts as data processor. This includes, for example, order data, CRM contact lists, CDP events and social‑media leads that the Merchant imports or collects via the Services. In this role we process data strictly on the Merchant’s documented instructions.

Where required by data‑protection law (for example under GDPR or Vietnam PDP Decree 13/2023/ND‑CP), we may enter into a separate Data Processing Agreement (DPA) with Merchants that supplements this Policy.

2.3 Data Protection Officer and contact

For questions, requests or complaints about privacy or data protection, you may contact our Data Protection Officer (DPO):

For the purposes of this Policy:

• “Personal data” means any information relating to an identified or identifiable natural person (for example, name, email, phone number, address, online identifiers, transaction history).
• “Customer Data” means data that a Merchant or its Authorised Users submit to, store on, or collect through the Services in the context of their own business operations (such as product catalogues, order history, CRM contact lists, employee records, tickets, invoices).
• “Platform Data” means data retrieved from external platforms (e.g. Meta / Facebook, Instagram, Google, TikTok, Shopee, Lazada, Tiki, shipping carriers, payment gateways) via APIs that you authorise us to connect to the Services.
• “Usage Data” means telemetry, log and analytics data about how the Services are accessed and used, including device identifiers, browser type, navigation patterns, feature usage and timestamps.
• “Generative AI Content” or “AI Output”means content such as text, images, ideas or campaign structures produced by the AI Marketing module based on prompts or instructions supplied by the Merchant.
• “Processing” has the meaning given in applicable data‑protection laws and includes any operation performed on personal data, such as collection, storage, access, use, disclosure, transfer or deletion.

We collect information in three primary ways: (1) information you provide directly, (2) information we collect automatically when you use the Services, and (3) information we obtain from integrated third‑party sources.

4.1 Data you provide directly

Depending on how you interact with us, this may include:

1. Account and registration data

   Merchant name, legal entity information, tax code, industry vertical.

   Contact details of the account owner or administrator (name, email, phone, role).

   Login credentials (username, hashed password).

2. Billing and financial data

   Billing address, contact person for invoices.

   Bank account details or payment‑method information provided to our payment processors (we do not store full card numbers on our own servers).

3. Customer and operational data

   Product catalogues, price lists, inventory data, promotions.

   Customer and lead lists, including names, contact details and segmentation tags.

   Orders, invoices, shipping details and transaction values.

   Employee profiles, attendance data, performance assessments and payroll‑related information when using HRM modules.

4. Support and communication data

   Content of messages you send to us, such as support requests, survey responses or feedback.

   Files or attachments you choose to upload when contacting support.

4.2 Data we collect automatically

• IP address, approximate location derived from IP, browser type and language, operating system, device type and identifiers.
• Date and time of access, URLs visited, referrer/exit pages, clickstream data and session duration.
• Log events (for example, login attempts, API calls, errors) to monitor system performance and security.
• When using mobile applications (such as SDO Agent App), we may collect device identifiers and, with appropriate permission, geolocation data.

4.3 Data from third‑party and integrated sources

With your permission and configuration, we connect to various external systems and ingest Platform Data into DSP.one. Examples include:

• e‑commerce marketplaces and sales channels – Shopee, Lazada, TikTok Shop, Tiki and others: order information, buyer details, product and pricing data, shipping and payment status.
• Social‑media platforms – Meta (Facebook Pages, Instagram Business accounts), YouTube and Google Ads: page and account identifiers, posts and creatives, campaign performance statistics, lead forms and engagement metrics.
• Shipping and logistics providers – GHN, GHTK and other carriers: sender and receiver information, parcel details, tracking numbers and status updates.
• Payment gateways – Information necessary to confirm successful or failed transactions (amount, currency, masked card details, transaction IDs).
• Email and messaging services – Email addresses, delivery and open‑rate statistics, chat logs, depending on the integration.

We only access Platform Data that you explicitly authorise through OAuth flows, API keys or other authentication mechanisms.

DSP.one is modular and supports multiple business functions. Depending on your subscription, some or all of the following processing activities may apply.

5.1 Sales & Distribution (Omisell and SDO)

Purpose: To centralise omnichannel sales, manage orders and inventory, and support field‑sales agents.

• Buyer contact details (name, phone number, email, shipping address).
• Order details (products purchased, quantities, prices, discounts, payment method, timestamps).
• Warehouse and inventory data (SKU information, stock levels, storage locations).
• Field‑force data such as route plans, check‑in/check‑out times, and geo‑coordinates of SDO agents, if location tracking is activated.
• Photos or notes attached by field agents when visiting outlets.

5.2 Corporate governance modules (HRM, CRM, Accounting)

5.3 Affiliate & referral systems

When you use our affiliate or referral modules, we process:

• Affiliate profile information (name, contact, payment details).
• Referral links, campaign identifiers and tracking parameters.
• Click and conversion events associated with affiliate links.
• Commission calculations, payout history and tax documentation, where applicable.

Tracking is typically performed using cookies, unique link parameters and, in some cases, non‑intrusive fingerprinting techniques, in line with applicable law and platform policies.

5.4 AI Marketing, CDP and automation

The AI Marketing and CDP modules enable you to:

• Plan campaigns and content strategies.
• Generate AI‑assisted content (captions, ad copy, email sequences, blog posts).
• Orchestrate automation flows (welcome journeys, cart‑abandonment reminders, win‑back sequences).
• Analyse cross‑channel performance across social networks, websites, email and messaging platforms.

These modules rely on Customer Data and Platform Data such as contact lists, event streams (page views, add‑to‑cart, purchases), interactions with campaigns and metadata from connected channels.

This section provides transparency for both users and platform reviewers (e.g. Meta App Review) about the permissions we request and how we use the data.

6.1 Meta (Facebook & Instagram) permissions

When you connect your Meta Business account, we may request the following permissions (exact names may evolve as Meta updates its APIs):

1. pages_show_list and instagram_basic

   Data accessed: List of Facebook Pages and Instagram Business accounts you administer (Page/Account name, ID, profile picture).

   Purpose: To display an account selector inside DSP.one so you can choose which Page(s) or Instagram account(s) to connect for publishing and analytics.

   Minimisation: We only persist identifiers for Pages/Accounts you explicitly connect. Pages you do not choose are not stored.

2. pages_manage_posts, pages_manage_metadata, instagram_content_publish

   Data accessed: Content drafts (captions, media, hashtags) that you create or that are generated by our AI based on your prompts.

   Purpose: To publish and schedule posts on your behalf when you click Publish, Schedule or configure an automation rule.

   Guarantees: We never post to your Pages or profiles without a direct action from you or a scheduled automation you configured. You can view, modify or cancel queued posts from within the DSP.one interface.

3. pages_read_engagement and read_insights

   Data accessed: Aggregated metrics such as reach, impressions, post clicks, reactions, comments, shares and follower statistics.

   Purpose: To power campaign dashboards and content performance reports inside DSP.one so you can see which posts and ads perform best without leaving our platform.

   Retention: We cache key metrics for performance and refresh them periodically (for example every 24 hours). We do not use this data for user‑profiling unrelated to your account, and we do not sell it to third parties.

4. leads_retrieval (where applicable)

   Data accessed: Lead forms submitted by individuals via your Facebook or Instagram Lead Ads (e.g. name, email, phone, custom questions).

   Purpose: To push leads into your CRM or CDP in real time so your sales team can follow up promptly.

   Handling: Leads are stored as part of your Customer Data and are subject to your own privacy notices towards the individuals.

You may revoke these permissions at any time via Facebook’s Business Integrations settings or from within DSP.one’s integration settings.

6.2 Google and YouTube services

6.3 Generative AI and content ownership

• We leverage advanced large‑language models (LLMs) and related AI technologies to generate marketing content.
• Your prompts may include high‑level descriptions of your products, target audience and campaign goals.
• We do not use your proprietary business data (such as private customer lists or financial records) to train any public AI models. Where we rely on external AI providers, we configure them, where available, not to retain your data for model training.
• As between you and us, you retain any rights you may have in AI Output generated for your campaigns. You are responsible for reviewing AI Output before publication and ensuring it complies with advertising laws, platform policies and your internal guidelines.

We process personal data for the following purposes and under the legal bases described below (depending on which law applies in your jurisdiction):

• Providing and operating the Services

  Creating and managing accounts, authenticating users, providing customer support, enabling core features (order management, HRM, CRM, accounting, AI Marketing, dashboards, APIs).

  Legal basis: Performance of a contract with the Merchant; legitimate interests in operating our platform.

• Processing transactions and fulfilling legal obligations

  Issuing invoices, recording payments, maintaining tax and accounting records, complying with anti‑fraud and auditing requirements.

  Legal basis: Performance of contract; compliance with legal obligations.

• Analytics, service improvement and product development

  Analysing Usage Data to understand how the Services are used, identify problems, improve user experience and develop new features. Generating anonymous or aggregated statistics for internal reporting and benchmarking.

  Legal basis: Legitimate interests in improving and securing our Services.

• Marketing and communication

  Sending product updates, feature announcements, newsletters or promotional offers to Merchant contacts, where permitted.

  Legal basis: Legitimate interests in promoting our Services, or consent where required by electronic‑communications laws. You can opt‑out at any time.

• Security, fraud prevention and compliance

  Monitoring for suspicious activity, abuse or policy violations, detecting and preventing fraud, spam and unauthorised access and cooperating with lawful requests from regulators or law‑enforcement agencies.

  Legal basis: Legitimate interests in securing our systems; compliance with legal obligations.

• Processing on behalf of Merchants

  When acting as a processor, we handle Customer Data strictly to perform the Services requested by the Merchant (for example, syncing orders, running campaign automations, generating reports).

  Legal basis: Performance of contract with the Merchant; the Merchant itself is responsible for identifying the legal basis vis‑à‑vis its end‑users.

Where we rely on consent (e.g. for certain cookies or marketing communications), you may withdraw your consent at any time via the mechanisms provided in the Services or by contacting us.

We do not sell personal data to third parties. We only share information in the limited situations described below:

• Sub‑processors and service providers

  We engage trusted third parties to help us operate the Services, such as Cloud infrastructure providers (e.g. AWS, Google Cloud Platform); AI service providers (e.g. OpenAI) to generate AI Output; workflow automation tools (e.g. n8n); and email delivery, SMS, analytics and monitoring vendors. These providers may access personal data only to perform services on our behalf and are bound by contractual confidentiality and security obligations.

• User‑directed third‑party integrations

  When you choose to connect DSP.one with external services (shipping carriers, payment gateways, CRM tools, marketing platforms), we share only the data necessary for the integration to function (for example, order details with a carrier to create a label). You control which integrations are enabled.

• Corporate transactions

  In the context of a merger, acquisition, restructuring or sale of assets, personal data may be transferred as part of the transaction. In such cases we will ensure that the receiving entity is bound by privacy commitments substantially similar to this Policy.

• Legal requirements and protection of rights

  We may disclose information to competent authorities where we believe it is necessary to comply with a legal obligation, court order or regulatory request, or to protect our rights, safety of users or the public.

• Aggregated and de‑identified data

  We may share anonymised or aggregated insights that do not identify you or any individual, for example to publish benchmark reports or demonstrate patterns in ecommerce or marketing performance.

Our Services are designed for a global user base and may involve transferring personal data to countries other than the one in which the data was originally collected (for example, to data centres in Singapore, the EU or the United States).

When transferring data across borders, we take appropriate steps to ensure a level of protection consistent with applicable law, which may include:

• using Standard Contractual Clauses approved by regulators;
• relying on adequacy decisions where applicable; and/or
• ensuring that our sub‑processors implement robust technical and organisational security measures and maintain relevant certifications (such as ISO/IEC 27001).

We retain personal data only for as long as reasonably necessary to fulfil the purposes described in this Policy or as required by law.

In general:

• Active merchant accounts: Data is kept for the duration of the subscription and for a reasonable period thereafter to handle queries, backups and legal obligations.
• Access tokens for social‑media and other integrations: Stored only while the integration is active. When a token is revoked or expires, we remove or render it unusable.
• Financial and accounting records: Retained for the period required by applicable tax and accounting laws (for example up to 10 years in Viet Nam).
• Logs and security records: Retained for periods appropriate to support security investigations and system integrity.

When data is no longer needed, we will delete it or anonymise it so that individuals can no longer be identified. Following account termination, we may keep limited information in backup archives for a short period before it is overwritten, consistent with our backup policies.

We implement a defence‑in‑depth security strategy to safeguard personal data against unauthorised access, loss, misuse or alteration, including:

• Encryption of data in transit using up‑to‑date TLS protocols, and encryption of sensitive data at rest (such as passwords and API tokens) using strong algorithms like AES‑256.
• Role‑based access control (RBAC) and, where applicable, multi‑factor authentication (MFA) for internal systems.
• Principle of least privilege for employees and contractors, with access granted only where necessary for their role.
• Network‑level protections, firewalls and intrusion‑detection / monitoring systems.
• Secure development practices, vulnerability management and regular security reviews.
• Physical security protections offered by our data‑centre providers, such as restricted access controls and 24/7 surveillance.

While we strive to protect personal data, no system can be guaranteed 100% secure. In the event we become aware of a personal‑data breach that is likely to result in a high risk to individuals, we will notify affected Merchants and, where required, relevant authorities, and will cooperate to mitigate the impact.

We and our partners use cookies, web beacons, SDKs and similar technologies on our websites and, where configured by Merchants, on their own websites and landing pages.

12.1 Types of cookies we use

• Strictly necessary cookies – Required for core functionality such as authentication, security and load balancing. These cannot be disabled via cookie banners.
• Functional cookies – Remember user preferences such as language, time zone or interface settings.
• Analytics cookies – Help us understand how visitors use the Services (for example pages visited, time on page, features used) so we can improve user experience. Tools may include in‑house analytics and third‑party services such as Google Analytics.
• Marketing and affiliate cookies – Used in the context of our affiliate/referral programmes and retargeting campaigns to measure performance and attribute conversions.

12.2 Pixels and CDP tracking

The Omisell CDP and AI Marketing modules may use pixels or scripts placed on Merchant websites to track events such as page views, product views, add‑to‑cart, check‑out and purchases. These events feed into automation workflows, segmentation and attribution reporting.

Merchants are responsible for informing their own visitors and customers that such tracking is in place and for obtaining any required consents under applicable laws (for example under ePrivacy or cookie regulations). You can manage cookie preferences through browser settings and, where provided, our cookie banner. Blocking certain cookies may affect functionality.

Depending on your location and applicable law (for example GDPR in the EU/EEA, CCPA in California, PDP Decree 13 in Viet Nam), you may have some or all of the following rights regarding your personal data:

• Right of access – To obtain confirmation whether we process your personal data and, if so, to receive a copy.
• Right to rectification – To request correction of inaccurate or incomplete personal data.
• Right to erasure – To request deletion of personal data in certain circumstances (for example where it is no longer needed, or where you withdraw consent).
• Right to restriction of processing – To request that we temporarily limit processing while a complaint is investigated.
• Right to data portability – To receive personal data you provided in a structured, commonly used, machine‑readable format and to request that we transmit it to another controller, where technically feasible.
• Right to object – To object to processing based on legitimate interests or to direct marketing, including profiling related to such marketing.
• Right to withdraw consent – Where processing is based on your consent, you can withdraw it at any time without affecting the lawfulness of processing carried out before the withdrawal.

To exercise these rights, please contact us using the details in Section 2.3. We may need to verify your identity before acting on your request. If you are an end‑user of a Merchant, we may redirect your request to the relevant Merchant (data controller), and will support them in responding as required.

13.1 Managing third‑party connections (Facebook / Google)

You can control our access to your third‑party accounts at any time: In DSP.one go to Settings → Integrations and disconnect the relevant account (e.g. Facebook Page, Instagram, Google Ads). This will revoke stored tokens and stop further data sync. In the third‑party service use their Apps and Websites or Security → Third‑party access settings to remove DSP.one’s access.

13.2 Data‑deletion requests via Facebook

Remove the DSP.one app from your Facebook settings. Facebook will send us a signed callback notifying us of the removal. Our system will then locate the relevant user ID and schedule deletion of associated personal data within a reasonable period (typically within 24–30 days), retaining only minimal records where needed for legal or security purposes. Alternatively, you can email us directly with the subject "Data Deletion Request" and include sufficient information to identify your account.

Our Services are intended for use by businesses and professionals. We do not knowingly target or collect personal data from children under the age of 13 (or a higher age if required by local law) as primary users of the platform.

Merchants using DSP.one to sell goods or services that may be purchased by minors are responsible for complying with all applicable child‑protection and consent requirements and for configuring their own data‑collection practices appropriately.

If you believe that we have inadvertently collected personal data from a child without appropriate consent, please contact us and we will take steps to delete such data as required by law.

We may update this Policy from time to time to reflect changes in technology, our Services, legal requirements or other factors.

When we make material changes, we will:

• update the “Last Updated” date at the top of this Policy; and
• provide additional notice where appropriate, such as by email to account owners or by prominent notice within the Services.

Your continued use of the Services after the effective date of an updated Policy constitutes your acceptance of the changes. If you do not agree with the updated Policy, you should discontinue use of the Services and, where you are a Merchant, terminate your account in accordance with the Terms of Service.

If you have any questions, concerns or requests relating to this Policy or our handling of personal data, please contact us at:

By using the DSP.one Services, you acknowledge that you have read and understood this Master Privacy Policy and agree that your information may be processed as described herein.