Effective Date: January 25, 2025

Privacy Policy

Your privacy matters to us. This policy explains how we collect, use, and protect your personal information in compliance with Philippine law.

Plinthia ("we", "us", "our") is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform.

Data Privacy Act Compliance

This Privacy Policy is designed to comply with Republic Act No. 10173, the Data Privacy Act of 2012 ("DPA"), and its Implementing Rules and Regulations (IRR). We are committed to upholding your rights as a data subject under Philippine law.

For inquiries regarding this policy or to exercise your data privacy rights, contact our Data Protection Officer at [email protected].

Key Points Summary

  • We collect only information necessary to provide our services
  • Your data is stored securely using industry-standard encryption
  • We do not sell your personal information to third parties
  • You have the right to access, correct, and delete your data
  • We use SMS and email for essential communications
  • Venue Owners have access to booking-related customer data only

Scope

This Privacy Policy applies to all users of the Plinthia platform, including:

  • Customers who book facilities through the platform
  • Venue Owners who list and manage facilities
  • Staff Members who operate venues
  • Visitors who browse the platform without accounts

Information You Provide

Customer Account Information

  • Full name (first name, last name)
  • Email address
  • Phone number (Philippine mobile format)
  • Date of birth (optional)
  • Address (optional)

Venue Owner Application Information

  • Full name and contact details
  • Company/business name
  • Business type (sports facility, coworking, event venue, etc.)
  • Business description
  • Business address (street, city, province, postal code)
  • Requested subdomain
  • Expected monthly bookings
  • How you heard about Plinthia
  • Business registration documents (if requested)

Booking Information

  • Customer name, email, and phone for each booking
  • Booking date, time, and duration
  • Selected facility and resources
  • Payment information (amount, method, status)
  • Special requests or notes
  • Cancellation reasons (if applicable)

Information Collected Automatically

Technical Information

  • IP address
  • Browser type and version
  • Device type and operating system
  • Referral URLs
  • Pages visited and time spent
  • Click patterns and interactions

Local Storage Data

We store certain data in your browser's local storage:

  • Authentication tokens - For keeping you logged in
  • User preferences - Calendar view, theme settings
  • Draft bookings - Temporarily saved for 30 minutes
  • Recent facilities - Your last 5 viewed facilities
  • Last selected date - For convenience (24-hour expiry)

Sensitive Personal Information

We do NOT intentionally collect sensitive personal information as defined by the Data Privacy Act, including:

  • Race, ethnic origin, marital status, age, color, or religious affiliation
  • Health, education, genetic or sexual life information
  • Legal proceedings or government-issued IDs
  • Membership in trade unions or professional associations

If you inadvertently provide such information, we will delete it unless legally required to retain it.

Under the Data Privacy Act, we process your personal information based on the following legal bases:

Contract Performance

Processing necessary to fulfill our agreement with you:

  • Creating and managing your account
  • Processing and managing bookings
  • Facilitating payments and refunds
  • Sending booking confirmations and reminders
  • Providing customer support
  • Enabling communication between Customers and Venues

Consent

Processing based on your explicit consent:

  • Sending promotional emails and marketing communications
  • Sharing your data with partner venues for special offers
  • Collecting feedback and testimonials
  • Personalizing your experience based on preferences

You may withdraw consent at any time without affecting past processing.

Legitimate Interests

Processing based on our legitimate business interests:

  • Improving and optimizing the platform
  • Analyzing usage patterns and trends
  • Preventing fraud and ensuring security
  • Enforcing our Terms of Service
  • Responding to legal requests and protecting our rights

Legal Obligations

Processing required by law:

  • Tax reporting and compliance (BIR requirements)
  • Responding to court orders or subpoenas
  • Cooperating with law enforcement investigations
  • Complying with data breach notification requirements

Specific Uses

  • SMS Communications: Sending OTP verification codes, booking confirmations, reminders, and critical account notifications
  • Email Communications: Sending application updates, booking details, and support responses
  • Account Security: Verifying identity through OTP (5-minute expiry), detecting suspicious activity, preventing unauthorized access
  • Platform Analytics: Understanding usage patterns, measuring feature adoption, improving user experience

We Do NOT Sell Your Data

Plinthia does not sell, rent, or trade your personal information to third parties for marketing purposes. We only share information as described in this policy.

Sharing with Venue Owners

When you make a booking, we share the following with the Venue Owner:

  • Your name, email, and phone number
  • Booking details (date, time, facility, special requests)
  • Payment status (but NOT payment card details)

Venue Owners are contractually obligated to use this information solely for fulfilling your booking and must comply with the Data Privacy Act.

Legal Disclosures

We may disclose your information when required by law or to:

  • Comply with legal processes (court orders, subpoenas)
  • Respond to government or regulatory requests
  • Protect the rights, property, or safety of Plinthia or others
  • Investigate potential Terms of Service violations
  • Prevent fraud or security threats

Business Transfers

If Plinthia is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and your choices regarding your information.

Where Your Data is Stored

Your data is stored on secure cloud infrastructure. Data may be stored in data centers located outside the Philippines but is protected by appropriate safeguards as required by the Data Privacy Act.

Security Measures

We implement industry-standard security measures to protect your data, including encryption for data in transit and at rest, secure authentication mechanisms, and data isolation between users and venues.

Your Security Responsibilities

You can help protect your data by:

  • Using a strong, unique password (minimum 8 characters)
  • Never sharing your account credentials
  • Logging out from shared devices
  • Reporting suspicious activity immediately
  • Keeping your contact information up to date

Data Breach Notification

In the event of a personal data breach, we will:

  • Notify the National Privacy Commission (NPC) within 72 hours of discovery
  • Notify affected data subjects if the breach poses real risk
  • Provide details of what data was affected and remediation steps
  • Take immediate action to contain and remediate the breach

We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, or as required by law.

Account Information

Retained while your account is active and for 3 years after account deletion for legal and audit purposes.

Booking Records

Retained for 7 years after the booking date for tax, legal, and dispute resolution purposes.

Payment Records

Retained for 10 years as required by BIR and tax regulations.

Communication Logs

Email and SMS logs retained for 2 years for support and compliance purposes.

Technical Logs

Server and access logs retained for 90 days for security monitoring.

OTP Records

Deleted automatically after 5 minutes (expiry) or successful verification.

Deletion Upon Request

When you request account deletion, we will:

  • Delete or anonymize your personal data within 30 days
  • Retain only data required by law (with restricted access)
  • Cancel any pending bookings
  • Send confirmation of deletion via email

Under the Data Privacy Act of 2012, you have the following rights as a data subject:

Right to Be Informed

You have the right to be informed of the nature, purpose, and extent of processing of your personal data, including the risks and safeguards involved.

Right to Access

You may request access to your personal data, including the sources, recipients, manner of processing, and any automated decision-making.

Right to Rectification

You may request correction of inaccurate, incomplete, outdated, or false personal data.

Right to Erasure (Deletion)

You may request deletion of your personal data when it is no longer necessary, when you withdraw consent, or when processing is unlawful.

Right to Object

You may object to processing of your personal data for direct marketing, profiling, or processing based on legitimate interests.

Right to Data Portability

You may request a copy of your personal data in a structured, commonly used, machine-readable format.

Right to File a Complaint

You may file a complaint with the National Privacy Commission (NPC) if you believe your data privacy rights have been violated.

How to Exercise Your Rights

To exercise any of these rights:

  1. Email our Data Protection Officer at [email protected]
  2. Provide your full name and account email for verification
  3. Specify which right(s) you wish to exercise
  4. We will respond within 30 days of receiving your request

Requests are free of charge. We may request additional information to verify your identity.

We primarily use browser local storage rather than traditional HTTP cookies. This provides better security and user control.

What We Store

Essential Storage

Required for the platform to function:

  • access_token - Your authentication token
  • user - Your basic profile information

Functional Storage

Improves your experience:

  • plinthia_draft_booking - Unsaved booking drafts (30-min expiry)
  • plinthia_theme_* - Venue theme preferences (1-hour expiry)
  • plinthia_recent_facilities_* - Last 5 viewed facilities
  • plinthia_last_date_* - Last selected booking date (24-hour expiry)
  • plinthia_calendar_view_* - Calendar view preference

Analytics & Tracking

Currently, we do NOT use third-party analytics services like Google Analytics, PostHog, or Mixpanel. If we implement analytics in the future, we will update this policy and obtain appropriate consent.

Managing Storage

You can clear local storage data through your browser settings:

  • Chrome: Settings → Privacy → Clear browsing data → Cookies and site data
  • Firefox: Settings → Privacy → Cookies and Site Data → Clear Data
  • Safari: Preferences → Privacy → Manage Website Data

Note: Clearing storage will log you out and remove saved preferences.

We work with trusted third-party service providers to help us operate the platform. These include services for database hosting, email delivery, SMS notifications, and payment processing.

Each service provider is contractually obligated to protect your data and use it only for the purposes we specify. They maintain their own privacy policies governing their data practices.

Payment Processing - Paddle

We use Paddle.com Market Limited ("Paddle") as our Merchant of Record for processing subscription payments. When you purchase a Plinthia subscription:

  • Paddle collects and processes your payment information directly - we never see or store your full credit card number
  • Paddle acts as the seller of record, meaning your payment relationship is with Paddle, not directly with Plinthia
  • Paddle handles all payment card industry (PCI-DSS) compliance requirements
  • Paddle processes refunds, chargebacks, and billing disputes on our behalf
  • Paddle calculates and collects applicable taxes (VAT, GST, sales tax) based on your location

Data shared with Paddle: Your name, email address, billing address, payment method details, IP address, and transaction history.

For more information, please review Paddle's Privacy Policy and Paddle's Terms of Service.

Categories of Service Providers

  • Infrastructure: Cloud hosting (Supabase, Vercel) and database services for secure data storage
  • Communications: Email delivery (AWS SES) and SMS notification services for transactional messages
  • Payments: Paddle.com as Merchant of Record for subscription billing (PCI-DSS Level 1 compliant)
  • Analytics: If implemented, privacy-focused analytics to improve user experience

What We Do NOT Share

We never share the following with third parties:

  • Your personal information for marketing purposes without your explicit consent
  • Your booking history or venue preferences with advertisers
  • Your contact information with other users except as necessary for bookings
  • Sensitive personal information as defined by the Data Privacy Act

The Plinthia platform is intended for users who are at least 18 years of age. We do not knowingly collect personal information from children under 18.

If We Discover Child Data

If we learn that we have collected personal information from a child under 18 without parental consent, we will:

  • Delete the information immediately
  • Terminate the associated account
  • Notify the parent or guardian if contact information is available

If you believe we have collected information from a child under 18, please contact us immediately at [email protected].

While Plinthia operates primarily in the Philippines, some of our service providers may store or process data in other countries.

Data Transfer Safeguards

When your data is transferred outside the Philippines, we ensure:

  • The receiving country has adequate data protection laws, OR
  • Appropriate contractual safeguards are in place (Standard Contractual Clauses)
  • The service provider is certified under recognized security frameworks
  • Your data remains protected to the standards required by Philippine law

By using our platform, you consent to the transfer of your information to countries outside the Philippines as necessary to provide our services.

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service offerings.

How We Notify You

For material changes, we will:

  • Update the "Effective Date" at the top of this policy
  • Send an email notification to your registered address
  • Display a prominent notice on the platform
  • Provide at least 30 days' notice before significant changes take effect

Your continued use of the platform after changes take effect constitutes acceptance of the updated policy. If you disagree with changes, you may delete your account.

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Data Protection Officer

General Contact

National Privacy Commission

If you are not satisfied with our response to your privacy concerns, you may file a complaint with:

  • National Privacy Commission (NPC)
  • 3rd Floor, Core G, GSIS Headquarters
  • Financial Center, Roxas Boulevard, Pasay City 1308
  • Website: privacy.gov.ph
  • Email: [email protected]

This Privacy Policy was last updated on January 25, 2025.