Privacy Policy

Last updated: April 2026 · Compliant with Republic Act 10173 (Data Privacy Act of 2012)

DRAFT — This document is for review purposes and should be verified by a licensed attorney and your Data Protection Officer before publication.

1. Introduction and Scope

[KABUHAYAN FINTECH] ("Company," "we," "us") is committed to protecting the privacy and personal information of all users of our Platform. This Privacy Policy explains how we collect, use, store, share, and protect your personal data in compliance with the Philippine Data Privacy Act of 2012 (RA 10173), its Implementing Rules and Regulations, and applicable international data protection standards.

This policy applies to all users of the Platform, including Borrowers, Investors, SaaS Partners, Collectors, website visitors, and applicants.

2. Data Protection Officer

Our Data Protection Officer (DPO) can be contacted at:

Email: dpo@kabuhayan.ph

Address: Naga City, Camarines Sur, Bicol Region, Philippines

NPC Registration Number: [TO BE OBTAINED from the National Privacy Commission]

3. Personal Information We Collect

3.1 Information You Provide: Full name, phone number, email address, home address, date of birth, government ID type and number, stall/business name and location, business type, daily gross sales estimates, bank/e-wallet account details, payment method preferences (card, GCash, Maya, bank transfer), loan purpose, photos (ID photo, stall photo, profile photo), and any information submitted through application forms.

3.2 Information We Generate: Loan records, payment history, Agimat XP scores, CBU balances, credit investigation scores, collector performance data, transaction logs, audit trails, subscription billing records, seat usage counts, overage calculations, account activity timestamps, payment streak data, idempotency keys for transaction deduplication, and GPS geofence verification logs.

3.3 Information Collected Automatically: Device information, browser type, IP address, geolocation data (with your consent, for GPS geofencing features), access logs, and session data.

3.4 Sensitive Personal Information: We may collect sensitive personal information as defined under RA 10173, including government-issued ID numbers. Such data is processed only with your explicit consent and subject to heightened security measures.

4. Legal Basis for Processing

We process your personal data based on one or more of the following legal grounds under RA 10173:

(a) Consent — you have given explicit consent for the specific purpose (e.g., loan application, account creation);

(b) Contract performance — processing is necessary to perform a contract with you (e.g., loan agreement, investment agreement, SaaS subscription);

(c) Legitimate interest — processing is necessary for our legitimate business interests (e.g., fraud prevention, platform improvement), provided such interests do not override your fundamental rights;

(d) Legal obligation — processing is required to comply with Philippine law (e.g., anti-money laundering regulations, tax reporting).

5. How We Use Your Information

We use your personal data to:

(a) process loan applications and manage active loans;

(b) facilitate daily payment collection and receipt generation;

(c) calculate and maintain Agimat XP scores and tier classifications;

(d) manage CBU savings accounts and interest calculations;

(e) process investor deposits, deployments, and trickle-back returns;

(f) provide SaaS services to Partners;

(g) communicate important account updates via SMS, email, or in-app notifications;

(h) conduct credit investigations and risk assessments;

(i) prevent fraud and ensure platform security;

(j) improve our services through anonymized analytics;

(k) comply with legal and regulatory requirements;

(l) process subscription payments and seat-based billing for SaaS Partners via third-party payment processors.

5.2 CLIP / Alaga Shield Data. If you enroll in the CLIP program, we additionally collect and process: CLIP tier selection, contribution amounts per loan, health service reimbursement requests (including service type, receipt details, and payout method), withdrawal requests, and interest credits. Health reimbursement receipts may be shared with our verification staff to confirm eligibility. CLIP enrollment data is retained for the same period as your loan records.

6. Data Sharing and Disclosure

We do not sell your personal data. We may share your information with:

(a) Authorized Collectors — limited to information necessary for payment collection (borrower name, stall location, daily payment amount, day number);

(b) Investors — aggregated, anonymized loan performance data. Investors can see borrower first names in connection with their funded loans but not full personal details;

(c) SaaS Partners — Partners access only the data of their own borrowers within their isolated tenant instance;

(d) Service Providers — cloud hosting (Supabase/Vercel), SMS providers, payment processors (Stripe for card payments, Dragonpay for GCash, Maya, and bank transfers) — bound by data processing agreements. Payment processors receive only the minimum data necessary to process transactions (amount, currency, payer reference) and do not have access to your full profile, loan history, or Agimat XP data. Stripe is PCI-DSS Level 1 certified. Dragonpay operates under BSP regulations. Neither processor stores your credentials on Kabuhayan servers;

(e) Legal Authorities — when required by law, court order, or to protect against fraud or threats to safety;

(f) Clinic/Medical Partners — limited health voucher verification data for Alaga Shield beneficiaries (with consent).

7. Data Storage and Security

Your data is stored on secure cloud infrastructure (Supabase, hosted on AWS infrastructure in the Asia-Pacific region) with the following safeguards:

(a) Encryption at rest (AES-256) and in transit (TLS 1.3);

(b) Row-Level Security (RLS) ensuring users can only access their own data;

(c) Automated daily backups with 30-day retention;

(d) Access controls with role-based permissions;

(e) Audit logging of all data access and modifications;

(f) Regular security reviews and vulnerability assessments.

While we implement industry-standard security measures, no system is completely immune to breaches. In the event of a data breach, we will notify affected users and the National Privacy Commission within 72 hours as required by RA 10173.

8. Data Retention

We retain your personal data for the following periods:

(a) Active accounts — data is retained for the duration of your account's existence plus 5 years after account closure;

(b) Loan records — retained for 10 years after loan completion (per BSP and BIR requirements);

(c) Transaction logs — retained for 5 years;

(d) Application data (rejected/withdrawn) — retained for 2 years, then permanently deleted;

(e) SaaS Partner data — exported and deleted within 30 days of subscription termination.

After the retention period, data is permanently and irreversibly deleted from our systems.

9. Your Rights Under the Data Privacy Act

Under RA 10173, you have the following rights:

(a) Right to be Informed — to know how your data is being processed (this policy);

(b) Right to Access — to request a copy of your personal data held by us;

(c) Right to Object — to object to the processing of your data under certain circumstances;

(d) Right to Erasure or Blocking — to request deletion or blocking of your data when it is incomplete, outdated, falsely obtained, or no longer necessary;

(e) Right to Rectification — to correct inaccurate or incomplete data;

(f) Right to Data Portability — to receive your data in a structured, commonly used format (CSV/JSON);

(g) Right to File a Complaint — to lodge a complaint with the National Privacy Commission (privacy.gov.ph).

To exercise any of these rights, contact our DPO at dpo@kabuhayan.ph. We will respond within 15 business days.

10. Cookies and Tracking

The Platform uses essential cookies for session management and authentication. We do not use advertising cookies or third-party tracking pixels. Analytics data is collected in anonymized, aggregated form only.

11. Children's Privacy

The Platform is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a minor, we will delete it immediately.

12. International Data Considerations

While our primary operations are in the Philippines, our cloud infrastructure may process data in international data centers. We ensure that any cross-border data transfer complies with RA 10173 and that receiving parties maintain adequate data protection standards as recognized by the National Privacy Commission.

For users or partners in jurisdictions covered by the EU General Data Protection Regulation (GDPR), we commit to meeting GDPR-equivalent standards including lawful basis for processing, data minimization, and breach notification.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated at least 15 days before taking effect via SMS, email, or in-app notification. The "Last updated" date at the top of this page reflects the most recent revision.

14. Contact Us

For privacy-related inquiries or to exercise your data rights:

Data Protection Officer

[KABUHAYAN FINTECH]

Naga City, Camarines Sur, Bicol Region, Philippines

Email: dpo@kabuhayan.ph

Phone: [TO BE ADDED]

You may also file a complaint with the National Privacy Commission at privacy.gov.ph.
