1. Introduction & Company Information
Welcome to TindahanGo. We are committed to protecting the privacy and security of your personal data. This Privacy Policy describes how TindahanGo (“we,” “us,” or “our”), operated by TindahanGo Technologies, Inc. (a corporate placeholder entity), processes personal data in connection with our multi-tenant inventory and point-of-sale (POS) tracking system.
Under the Philippine Data Privacy Act of 2012 (Republic Act No. 10173) and its Implementing Rules and Regulations (IRR), TindahanGo acts as a **Personal Information Processor (PIP)** when hosting and processing transactional, cashier, and debtor data on behalf of our Store Owners. The Store Owner acts as the **Personal Information Controller (PIC)** for their respective branch, cashier, and customer datasets.
2. Definition of Terms
- Data Subject refers to any individual whose personal, sensitive personal, or privileged information is processed.
- Personal Information (PI) refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained.
- Sensitive Personal Information (SPI) includes details regarding an individual's race, marital status, age, religious affiliations, education, health, financial credit status, or any government-issued identification numbers.
- Processing refers to any operation performed on personal data, including collection, recording, organization, storage, retrieval, modification, erasure, or destruction.
3. Information We Collect
We collect and process various categories of information to provide the TindahanGo services. These categories are split into:
A. Personal Information (Store Owners & Managers)
During registration and onboarding, we collect your full name, username, email address, mobile phone number, business/company name, and physical business address.
B. Cashier Profile Information
When Store Owners create cashier profiles, we collect the cashier's full name, username, branch assignment, and a hashed 4-digit security PIN.
C. Customer & Debtor Information (Utang Ledger)
At the discretion of the Store Owner, the system allows recording customer credit profiles for the "Utang" tracking feature. This collects the customer's full name, mobile number, physical address, outstanding balance, payment history, and manual credit notes.
D. Store Transactional & Inventory Data
We process records of items in your inventory, low stock thresholds, supplier names, invoice numbers, purchase costs, selling prices, sales slip sequences, void audit logs, cashier shift reconciliations, and cash drawer breakdowns.
E. Device, Cookie, and Log Information
We collect device details (OS version, device identifiers), IP addresses, access log timestamps, session tokens (via secure cookies), and usage metadata. This information is vital for security monitoring, debugging, and session authentication.
4. Purpose and Legal Basis of Processing
We process personal data based on the following legal bases:
- Contractual Necessity: To fulfill our obligation to provide the POS, inventory, and subscription billing systems under the Terms of Service.
- Consent: Where store owners, cashiers, or customers have provided explicit consent for specific operations (e.g., opting in to SMS alerts or manual photo uploads).
- Legitimate Interest: For fraud detection, preventing cashier cash drawer discrepancies, maintaining robust tenant isolation database queries, and auditing void events.
5. Data Security & Encryption
We employ strict administrative, technical, and physical security measures to safeguard your information:
- Passwords and cashier security PINs are protected using one-way cryptographic hashing (bcrypt).
- Data transit is secured using HTTPS/TLS encryption layers.
- Database access is restricted on a strict "need-to-know" basis, isolated dynamically at the SQL query level by tenant company identifiers.
- Sentry tracking logs capture technical errors without embedding raw user passwords or payment card details.
6. Data Retention & Backups
We retain your data for as long as your subscription is active, or as required by Philippine laws (e.g., BIR rules for tax record retention):
- Active Accounts: All store and transaction logs are maintained continuously to populate historical analytics.
- Cancelled Accounts: If a subscription expires or is cancelled, store data shifts to a read-only state.
- Deleted Accounts: Upon a validated account deletion request, personal profile data is scrubbed or anonymized. Backup files are overwritten on a rolling daily cycle, meaning deleted data is purged from all backups within 30 days.
- Backups: Compressed database snapshots are created daily, encrypted, and stored in secure offsite servers for recovery purposes.
7. Subprocessors & International Transfers
We process data primarily on secure cloud servers. In the future, we may utilize third-party infrastructure providers (subprocessors) for functions like email delivery (SMTP services), SMS alerts, or payment gateways. Any transfer of personal data outside the Philippines complies with cross-border regulations, ensuring equivalent protection levels under standard contractual clauses.
8. Data Subject Rights
Under the Data Privacy Act (DPA), you possess the following rights regarding your personal data:
- Right to be Informed: Knowing whether your data is being processed, and receiving details on the processing parameters.
- Right to Access: Requesting a copy of your personal data held in our systems.
- Right to Correction: Disputing and correcting inaccurate or outdated records.
- Right to Deletion: Demanding the suspension, withdrawal, blocking, or removal of your personal data from our databases.
- Right to Data Portability: Requesting your data in a structured, commonly used electronic format.
- Right to Object: Objecting to processing based on direct marketing or profiling.
- Right to Complain: Filing a formal complaint before the National Privacy Commission (NPC) if your privacy rights have been violated.
9. Contact Us
If you have any questions, concerns, or wish to exercise any of your rights under the Data Privacy Act, please contact our Designated Data Protection Officer (DPO) at:
Email: legal@tindahango.ph
Office Address: TindahanGo Technologies, Inc., Unit 102, Ground Floor, East Tower, One Plaza, Ayala Avenue, Makati City, Metro Manila, Philippines
Contact Number: +63 2 8123 4567