Privacy Notice
Effective date: May 23, 2026
DISKARTE-NEGOSYANTE (“our”, “we”) is the Personal Information Controller (PIC) of the personal data collected through this platform. We comply with Republic Act No. 10173 (Data Privacy Act of 2012), its IRR, and the circulars of the National Privacy Commission (NPC).
1. What data we collect
- Account data: email, username, full name, password (hashed).
- Authentication data: when you sign in via Google, we receive the email and name that Google provides.
- Usage data: chat prompts and responses, pages viewed, timestamps, IP address, browser, device identifiers.
- Billing data: collected and stored by Paddle.com Market Ltd. as our Merchant of Record. We do not see or store your full card number or CVV.
- Support data: anything you send via email/contact form.
2. Why we use it (purposes & legal basis)
- Service delivery (contract performance) — account, AI chat, rescue assessment.
- Billing and subscription management (contract performance) — via Paddle.
- Security and fraud prevention (legitimate interest and legal obligation).
- Product improvement & analytics (legitimate interest).
- Customer support (contract performance).
- Marketing (consent only — opt-in, with unsubscribe).
3. Who has access (data sharing)
- Paddle.com Market Ltd. — Merchant of Record, payments, tax, invoicing, refunds (Paddle Privacy).
- Lovable Cloud / Supabase — database and authentication hosting.
- Lovable AI Gateway (Google Gemini, OpenAI) — for AI chat responses. Prompts are processed only to generate a response and are not used to train public models.
- Cloudflare — hosting and CDN.
- Government & law enforcement — when legally required (subpoena, court order).
- Professional advisers — legal, accounting (under confidentiality).
4. International transfers
Some of our vendors (Paddle, Cloudflare, Google, OpenAI, Supabase) process data outside the Philippines. We ensure that appropriate safeguards (standard contractual clauses or equivalent) are in place.
5. Retention
- Account data: for as long as your account is active, plus 1 year after deletion request (for tax/audit).
- Billing records: 10 years (BIR / NIRC requirement).
- Chat logs: 12 months for abuse detection and improvement; users can delete them anytime.
- Marketing logs: until you opt out.
6. Your rights (Data Subject Rights — RA 10173 §16)
- Right to be informed.
- Right to access — request a copy of your data.
- Right to object — to processing for marketing.
- Right to erasure / blocking — delete your account.
- Right to rectification — correct inaccurate information.
- Right to data portability.
- Right to file a complaint with the National Privacy Commission.
- Right to damages for violations.
To exercise these rights, email privacy@diskartenegosyante.ph. We will respond within 15 working days.
7. Security measures
Encryption in transit (TLS 1.2+), encryption at rest, role-based access control, Row Level Security on the database, password hashing (bcrypt/argon), least-privilege service accounts, audit logging, and regular vulnerability scanning. Subscription gating and admin operations are validated server-side.
8. Cookies
- Essential: authentication session, CSRF — required.
- Functional: theme, language preference.
- We do not use cross-site advertising cookies.
9. Children
The service is not intended for anyone under 18. We do not knowingly collect data from children.
10. Changes
We will notify you via email or in-app notice 30 days before implementing material changes to this notice.
11. Data Protection Officer
Email: privacy@diskartenegosyante.ph
Subject line: “Data Privacy Request”