This privacy statement applies to all services, websites and products of Valleys & Bytes where this document is referenced. We process your personal data in a lawful, fair and minimised way โ designed to protect your rights while delivering intelligent functionality.
I act as a data controller for the information collected from you. This policy is governed by the Philippines Data Privacy Act of 2012 (Republic Act No. 10173) and its Implementing Rules and Regulations. For questions or to exercise your rights, see the Contact section at the bottom of this page.
I collect only what is necessary for the purposes described. The categories below reflect our current data map โ intelligent by design, not by excess.
Name, email, phone, organisation โ to communicate, authenticate and provide support.
retention: 24 moIP address, browser data, session interactions, anonymised analytics to improve our services.
retention: 13 moBilling address, transaction ID โ never raw payment details, processed by PCI-DSS compliant partners.
retention: 7 yrs (legal)Records of correspondence, preferences, and opt-in choices โ to respect your inbox.
retention: active + 2yI do not request or process sensitive personal data (racial origin, political opinions, health, biometrics) unless you voluntarily provide it within a support ticket โ in which case we ask you to avoid sharing it, and if received, we will delete or anonymise it within 7 days in accordance with RA 10173 Section 13.
Under the Philippines Data Privacy Act of 2012 and its Implementing Rules and Regulations, we rely on the following criteria for lawful processing:
I do not sell your personal data. We share only with trusted subprocessors under strict data processing agreements. Categories of recipients:
๐ international_transfers: Data may be processed outside the Philippines but always under National Privacy Commission (NPC) guidelines, contractual safeguards, or equivalent protections. You may request a copy of the applicable transfer mechanism by contacting us.
Full transparency: below is our current list of third-party subprocessors. All are bound by a Data Processing Agreement (DPA) and must meet our security and privacy standards. We update this list whenever a subprocessor is added or removed.
| Processor | Purpose | Country | Safeguard |
|---|---|---|---|
| Amazon Web Services | Cloud hosting, storage, compute | Singapore / Sydney | NPC-aligned DPA |
| Zendesk | Customer support ticketing | United States | Contractual Safeguards |
| SendGrid (Twilio) | Transactional & marketing email | United States | Contractual Safeguards |
| Stripe | Payment processing (PCI-DSS L1) | United States | Contractual Safeguards |
| Plausible Analytics | Privacy-first web analytics (self-hosted) | Philippines (self-hosted) | Local Instance |
| PagerDuty | Incident response & on-call alerting | United States | Contractual Safeguards |
| 1Password | Secrets & credential management | Canada | DPA + Encryption |
Last reviewed: 26 Feb 2026. To be notified of subprocessor changes, contact us via the Contact section.
I believe in explainable, human-supervised AI. This section details how automated processing and profiling operates within our platform โ and where humans always remain in the loop.
Automated signals flag unusual login patterns or potential fraud. No account is suspended solely by algorithm โ a human agent reviews all flags.
โ Human reviewFeature recommendations are generated from aggregated usage patterns, not individual profiling. You can opt out in account settings.
โ Opt-out availableAutomated classifiers scan uploaded content for policy violations. Decisions triggering access restrictions are always reviewed by a human within 24 h.
โ 24 h review SLASubscription tier recommendations use usage volume only. No profiling based on demographics, location, or identity attributes is used for pricing.
โ No demographic dataโ๏ธ RA 10173 โ Automated Decision Rights: You have the right to object to decisions made solely on the basis of automated processing that significantly affect you. Contact us and we will conduct a manual review within 5 business days.
Under the Philippines Data Privacy Act of 2012 (RA 10173), you have the following rights as a data subject:
To exercise your rights, use the contact details in the Contact section. We respond within 15 business days as required under RA 10173.
I use cookies and local storage to make our sites work, analyse traffic, and personalise content. You can manage your preferences using the panel below. Categories:
Privacy is not an afterthought โ it is baked into our engineering and organisational culture from day one. Below are the concrete technical and organisational measures (TOMs) we operate.
TLS 1.3 in transit. AES-256 at rest. Keys managed with annual rotation and per-key access auditing.
FIPS 140-2No implicit trust for any internal service. Every request is authenticated, authorised, and logged โ regardless of network origin.
mTLS + SPIFFECustomer data is accessed only via audited, time-limited procedures. All access is logged and reviewed quarterly.
SOC 2 Type IIAnnual third-party penetration tests plus continuous Dynamic Application Security Testing. Critical findings are patched within 48 h.
OWASP Top 10My data lifecycle engine auto-deletes or pseudonymises records when retention windows close โ no manual intervention required.
Cron-verifiedEvery new feature or vendor that touches personal data undergoes a Privacy Impact Assessment (PIA) before release, per NPC guidelines.
NPC PIAI operate a documented incident response plan. In the event of a personal data breach:
I apply modern cryptographic controls (TLS 1.3, AES-256 at rest), regular access audits, and penetration tests. Our retention policy deletes or anonymises data when the purpose ends โ unless Philippine law requires longer retention.
In the event of a notifiable breach, we will inform affected individuals and the NPC within 72 h as required by NPC Circular 16-03. See the Privacy by Design section above for the full SLA.
Too long to read right now? Here's the short version โ tap any question to expand.
No. Never. We do not sell, rent, or share personal data with third parties for their own commercial use. Our business model does not depend on your data.
Primarily your name, email, and usage patterns needed to run the service. Payment details are handled entirely by Stripe (PCI-DSS Level 1) โ we never see or store your card number. Request a full export via the Contact section.
Yes. Go to Settings โ Account โ Delete account. All personal data is purged within 30 days. We retain anonymised billing records for 7 years as required by Philippine tax law โ these cannot be linked back to you.
Automated systems flag anomalies (e.g., suspicious logins), but no significant decision is made by algorithm alone. A human reviews all flags before any action is taken. You have the right to request human review under RA 10173.
Primary storage is on AWS servers in the Singapore (ap-southeast-1) region, with failover to Sydney (ap-southeast-2). All data is encrypted at rest (AES-256) and in transit (TLS 1.3). We operate a zero-trust network and conduct annual penetration tests.
Every marketing email has a one-click Unsubscribe link in the footer. You can also manage preferences at any time in Settings โ Notifications. Transactional emails (receipts, security alerts) cannot be disabled as they are required for service delivery.
Under RA 10173, you have the right to be informed, access, object, erase, rectify, port your data, claim damages, and file a complaint with the National Privacy Commission (NPC) at privacy.gov.ph. See the Your Rights section above for the full list.
My services are not directed to individuals under 18 years of age. Under Philippine law, minors cannot give valid consent to data processing without parental or guardian authority. If we become aware that we have collected data from a minor without verifiable parental consent, we will delete it promptly โ typically within 48 hours of discovery โ and notify the NPC if required. Parents or guardians may contact us via the Contact section to request deletion.
I may revise this page to reflect legal or product changes. Material updates will be notified via email or prominent website notice at least 14 days before they take effect. The __version__ date at the top reflects the latest revision. We keep an archived changelog of past versions โ request it from us via the Contact section.
If you have any concerns, wish to exercise your data subject rights, or need to speak with our Data Privacy Officer, reach out through any of the following channels. We aim to respond within 15 business days.
โก try: intelligent_design() except: transparency โ This notice is governed by the Philippines Data Privacy Act of 2012 (RA 10173). I am committed to protecting your personal information as a fundamental right. We minimise collection at the source โ the best privacy control is one you never had to grant in the first place. If anything here is unclear, contact us and we will always respond.