DRAFT DOCUMENT — For demo purposes only. This document is subject to review and approval by the designated Data Protection Officer (DPO) before official publication. Prepared in compliance with Republic Act No. 10173 (Data Privacy Act of 2012) and National Privacy Commission (NPC) guidelines.
Effective Date: [To be determined upon official release]
VoxP Technologies ("we," "us," or "our"), the operator of Utang Na Load ("the Service"), is committed to protecting your personal data privacy in compliance with Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012 (DPA), its Implementing Rules and Regulations (IRR), and all relevant issuances of the National Privacy Commission (NPC).
This Privacy Policy describes how we collect, use, store, disclose, and protect your personal information when you use our Service. We adhere to the general data privacy principles of Transparency, Legitimate Purpose, and Proportionality in all our data processing activities.
We collect the following personal data from you in the course of providing the Service:
| Data Type | How Collected | Purpose |
|---|---|---|
| Mobile phone number | Manually entered by user | Identity verification via OTP |
| OTP verification status | Automated (Twilio Verify) | Authentication and security |
| Device/browser information | Automated (web analytics) | Service improvement and security |
| SMS consent preference | User opt-in selection | Communication preference management |
| Cookie consent preference | User selection on consent banner | Compliance with privacy regulations |
| IP address and web traffic data | Automated (analytics, if consented) | Anonymous usage statistics |
We process your personal data based on the following lawful criteria under Section 12 of the DPA:
(a) Consent — You provide explicit consent when you: enter your phone number for OTP verification; opt in to SMS notifications; and accept cookies through our consent banner.
(b) Contractual necessity — Processing is necessary to provide the Service you have requested, including facilitating load lending eligibility checks and USSD transactions.
(c) Legitimate interest — We process certain data (e.g., device information, usage patterns) to maintain the security, integrity, and performance of the Service, provided such processing does not override your fundamental rights and freedoms.
We may share your personal data with the following third parties, strictly for the purposes stated:
| Recipient | Data Shared | Purpose |
|---|---|---|
| Twilio Inc. | Mobile phone number | OTP delivery and SMS notifications |
| Telecommunications provider (via USSD) | USSD code dialed | Load lending transaction execution |
| Analytics provider (Umami, if consented) | Anonymized usage data | Service improvement |
We do not sell, rent, or trade your personal information to any third party for marketing or commercial purposes. Disclosure to government authorities will only be made when required by law or pursuant to a lawful court order.
Your personal data is stored in secure cloud-based servers with encryption at rest and in transit. We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable laws and regulations. Specifically: (a) OTP verification records are retained for thirty (30) days; (b) SMS communication logs are retained for ninety (90) days; (c) anonymized analytics data may be retained indefinitely. Upon expiration of the retention period, personal data shall be securely disposed of through digital anonymization or deletion.
We implement reasonable and appropriate organizational, physical, and technical security measures to protect your personal data, including: (a) end-to-end encryption for data in transit (TLS/HTTPS); (b) encryption at rest for stored data; (c) access controls limiting data access to authorized personnel only; (d) regular security assessments and vulnerability testing; (e) secure session management with HTTP-only cookies; and (f) compliance with industry-standard security practices. However, no method of transmission over the internet or electronic storage is completely secure, and we cannot guarantee absolute security.
Under the Data Privacy Act of 2012, you have the following rights:
(a) Right to be Informed — You have the right to be informed of the collection and processing of your personal data, including the purpose, extent, and method of processing.
(b) Right to Access — You have the right to obtain confirmation on whether your personal data is being processed and to access such data.
(c) Right to Rectification — You have the right to have inaccurate or incomplete personal data corrected.
(d) Right to Erasure or Blocking — You have the right to request the removal or blocking of your personal data from our systems.
(e) Right to Object — You have the right to object to the processing of your personal data, including processing for direct marketing.
(f) Right to Data Portability — You have the right to obtain your personal data in a structured, commonly used, and machine-readable format.
(g) Right to File a Complaint — If you believe your data privacy rights have been violated, you have the right to file a complaint with the National Privacy Commission (NPC).
We use cookies and local storage technologies to enhance your experience. These are categorized as: (a) Necessary — required for the Service to function (session authentication, security); (b) Functional — remember your preferences (verified phone number, SMS opt-in status, theme); and (c) Analytics — anonymous usage statistics to improve the Service. You may manage your cookie preferences through our consent banner displayed on your first visit. Necessary cookies cannot be disabled as they are essential for the Service to operate.
7.1 Detailed Cookie and Storage Inventory
The following table lists all cookies and local storage items used by the Service, their category, purpose, and retention period:
Necessary (Always Active)
| Name | Type | Purpose | Expiration |
|---|---|---|---|
| app_session_id | HTTP Cookie | Authenticates your session after login. HttpOnly, Secure, SameSite=None. Cannot be accessed by JavaScript. | 1 year |
| unl_cookie_consent | localStorage | Stores your cookie consent preferences (which categories you accepted or declined). | Persistent (until cleared) |
| unl_cookie_consent_ts | localStorage | Records the timestamp when you gave or updated your cookie consent. | Persistent (until cleared) |
Functional (Requires Consent)
| Name | Type | Purpose | Expiration |
|---|---|---|---|
| unl_verified_phone | localStorage | Remembers your last verified phone number so you don't need to re-enter it on return visits. | Persistent (until cleared) |
| unl_last_verified_ts | localStorage | Records when your phone number was last verified, used to determine if re-verification is needed. | Persistent (until cleared) |
| unl_sms_optin | localStorage | Stores your SMS notification preference (opted in or out). | Persistent (until cleared) |
| theme | localStorage | Remembers your display theme preference (light or dark mode). | Persistent (until cleared) |
Analytics (Requires Consent)
| Name | Type | Purpose | Expiration |
|---|---|---|---|
| umami.js (script) | JavaScript | Privacy-focused analytics script. Collects anonymous page views, referrers, browser type, and device info. Does not use cookies itself — data is sessionless. | Session only (no persistent cookie) |
| umami cache | In-memory | Temporary in-memory storage used by Umami to avoid duplicate page view counts within the same session. | Cleared on page close |
Note on localStorage: Items stored in localStorage persist until manually cleared by the user (via browser settings or the app's "Clear Data" option). Unlike HTTP cookies, localStorage items are never sent to the server — they remain entirely on your device and are only read by the app's client-side code.
Certain third-party service providers (e.g., Twilio for SMS/OTP, cloud hosting providers) may process your data outside the Philippines. In such cases, we ensure that adequate safeguards are in place, including contractual obligations requiring the recipient to protect your data to a standard comparable to that required under the DPA, in compliance with NPC Circular No. 2022-01 on cross-border transfer of personal data.
The Service is not intended for use by individuals under eighteen (18) years of age. We do not knowingly collect personal data from minors. If we become aware that we have collected personal data from a minor without appropriate parental consent, we will take steps to delete such information promptly.
We reserve the right to update or revise this Privacy Policy at any time. Any changes will be posted within the Service with an updated effective date. We will provide reasonable notice of material changes through the app or via SMS notification. Your continued use of the Service after such changes constitutes your acceptance of the revised policy.
For questions, concerns, or requests regarding your personal data or this Privacy Policy, you may contact our Data Protection Officer:
You may also file a complaint directly with the National Privacy Commission:
National Privacy Commission (NPC)
Address: 25th-27th Floors, The Upper Class Tower, Quezon Ave. Corner Scout Reyes Street, Quezon City 1103
Email: [email protected]
Website: https://privacy.gov.ph
This is a DRAFT document prepared for demonstration purposes only in compliance with the format prescribed by the National Privacy Commission under Republic Act No. 10173 (Data Privacy Act of 2012). The final version will be reviewed, revised, and approved by the designated Data Protection Officer (DPO) and legal counsel prior to official publication and deployment.