Privacy Policy

This Privacy Policy explains how Rework Technologies Inc., operating under the brand name Ponkan ("we," "us," or "our"), collects, uses, stores, and protects personal information when you use our commerce platform, including our website, dashboard, APIs, and related services (collectively, the "Platform"). This policy is issued in compliance with the Data Privacy Act of 2012 (Republic Act No. 10173) and its Implementing Rules and Regulations (IRR), as enforced by the National Privacy Commission (NPC) of the Philippines.

By using the Platform, you consent to the collection and processing of your personal information as described in this policy.

1. Definitions

For the purposes of this Privacy Policy:

• "Personal Information" refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably ascertained, as defined under RA 10173.
• "Sensitive Personal Information" includes information about an individual's race, marital status, age, government-issued IDs, health, education, and other categories specified under RA 10173.
• "Merchant" refers to any individual or business entity that registers for and uses the Platform.
• "Customer" refers to any end-user who purchases goods or services through a Merchant's storefront powered by Ponkan.
• "Payment Provider" refers to our third-party payment processors, including Xendit, that handle financial transactions.

2. Information We Collect

2.1 Information You Provide

We collect personal information that you voluntarily provide when using the Platform, including:

• Account Information: Full name, email address, password, mobile number, and business details during registration
• Business Verification: Business name, registration documents, Tax Identification Number (TIN), and valid government-issued identification as required for merchant verification and payouts
• Banking Information: Bank name, account holder name, and account number for payout settlement
• Product Content: Product listings, descriptions, images, pricing, and digital files that you upload
• Communications: Messages, feedback, and inquiries sent through our support channels

2.2 Information Collected Automatically

When you access or use the Platform, we automatically collect:

• Usage Data: Pages visited, features used, actions performed, and session duration
• Device Information: Browser type, operating system, device identifiers, and screen resolution
• Log Data: IP address, access timestamps, referring URLs, and system activity
• Cookies and Similar Technologies: We use cookies and similar tracking technologies to maintain your session, remember preferences, and understand usage patterns

2.3 Information From Third Parties

We may receive information from:

• Payment Providers: Transaction status, payment method details (last four digits of card number), and settlement information from Xendit and other payment partners
• Authentication Providers: Basic profile information when you sign in using third-party services, including Google Sign-In (such as your name, email address, and profile picture)
• Analytics Partners: Aggregated data that helps us understand Platform usage

2.4 Customer Information Processed on Behalf of Merchants

When Customers make purchases through the Platform, we process the following on behalf of Merchants:

• Customer name and email address
• Billing address
• Payment method details (handled directly by the Payment Provider)
• Order history and transaction records

3. Legal Basis for Processing

Under the Data Privacy Act of 2012, we process your personal information based on the following lawful criteria:

• Consent: You provide consent when creating an account and agreeing to this Privacy Policy
• Contractual Necessity: Processing is necessary to fulfill our obligations under the Terms and Conditions and to provide you with Platform services
• Legitimate Interest: We process data for fraud prevention, platform security, service improvement, and analytics, where such interests are not overridden by your data privacy rights
• Legal Obligation: We process data as required to comply with Philippine laws and regulations, including anti-money laundering (AMLA), tax reporting, and regulatory requirements

4. How We Use Your Information

We use the personal information we collect to:

• Provide Platform Services: Operate the dashboard, process merchant onboarding, manage products, generate checkout links, create invoices, and facilitate order management
• Process Payments and Payouts: Coordinate with Payment Providers to process customer payments and settle funds to your bank account
• Verify Identity: Conduct know-your-customer (KYC) checks as required by applicable regulations
• Communicate With You: Send service-related notices, security alerts, payout notifications, and respond to support inquiries
• Ensure Platform Security: Detect, prevent, and investigate fraud, unauthorized access, and other security incidents
• Improve the Platform: Analyze usage patterns, identify bugs, and develop new features
• Comply With Legal Obligations: Meet regulatory requirements, respond to lawful requests from government authorities, and fulfill tax and financial reporting obligations

5. How We Share Your Information

We do not sell your personal information. We share your information only in the following circumstances:

5.1 Payment Providers

We share necessary transaction and merchant information with our Payment Provider(s), including Xendit, to facilitate payment processing, settlement, and fraud prevention. Payment Providers process this data under their own privacy policies and in compliance with applicable financial regulations.

5.2 Service Providers

We engage trusted third-party service providers for hosting, analytics, email delivery, and customer support. These providers are contractually bound to process your data only as directed by us, implement appropriate security measures, and comply with applicable data protection laws.

5.3 Legal and Regulatory Requirements

We may disclose your personal information when required or permitted by law, including to:

• Comply with a lawful court order, subpoena, or government request
• Cooperate with the National Privacy Commission (NPC), Bangko Sentral ng Pilipinas (BSP), Anti-Money Laundering Council (AMLC), or other regulatory bodies
• Protect the rights, property, or safety of Ponkan, our Merchants, their Customers, or the public
• Investigate or prevent suspected fraud, security breaches, or violations of our Terms

5.4 Business Transfers

In the event of a merger, acquisition, or sale of all or a portion of our assets, your personal information may be transferred as part of that transaction. We will notify you through the Platform or via email before your information becomes subject to a different privacy policy.

5.5 With Your Consent

We may share your information with third parties when you have provided explicit and informed consent.

6. Data Storage and Retention

6.1 Storage Location

Your personal information is stored on secure servers. Data may be processed in jurisdictions outside the Philippines where our service providers operate. In such cases, we ensure appropriate safeguards are in place, including contractual obligations that provide a level of data protection consistent with RA 10173.

6.2 Retention Period

We retain your personal information for as long as:

• Your account remains active on the Platform
• Necessary to provide Platform services and process payouts
• Required to comply with legal, tax, and regulatory obligations (generally five to ten years for financial records as required by BIR and other Philippine regulations)
• Needed to resolve disputes, enforce agreements, or establish legal claims

When your information is no longer needed for any of these purposes, we will securely delete or anonymize it using industry-standard methods.

7. Data Security

We implement appropriate organizational, physical, and technical security measures to protect your personal information, including:

• Encryption: Data encrypted in transit (TLS/SSL) and at rest
• Access Controls: Role-based access restrictions and multi-factor authentication for internal systems
• Regular Assessments: Periodic security audits and vulnerability assessments
• Incident Response: Established procedures for detecting, responding to, and reporting security breaches in compliance with NPC Circular 16-03

While we take reasonable measures to protect your data, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security but are committed to promptly notifying affected individuals and the NPC in the event of a personal data breach, as required by law.

8. Your Rights Under the Data Privacy Act

As a data subject under RA 10173, you have the following rights:

• Right to Be Informed: You have the right to know how your personal information is being collected, processed, and used
• Right to Access: You may request a copy of your personal information held by Ponkan
• Right to Object: You may object to the processing of your personal information, including for direct marketing purposes
• Right to Erasure or Blocking: You may request the removal, blocking, or destruction of your personal information when it is incomplete, outdated, unlawfully obtained, or no longer necessary for the purpose for which it was collected
• Right to Rectification: You may request the correction of inaccurate, incomplete, or outdated personal information
• Right to Data Portability: You may request your personal information in a structured, commonly used, and machine-readable format
• Right to File a Complaint: You have the right to file a complaint with the National Privacy Commission if you believe your data privacy rights have been violated
• Right to Damages: You may claim compensation for damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of your personal information

To exercise any of these rights, please contact our Data Protection Officer using the information provided below. We will respond to your request within thirty (30) days, as required by law.

9. Cookies and Tracking Technologies

9.1 Types of Cookies We Use

• Essential Cookies: Required for Platform functionality, including authentication and session management
• Analytics Cookies: Help us understand how Merchants and visitors interact with the Platform
• Preference Cookies: Remember your dashboard settings and preferences

9.2 Managing Cookies

You can manage cookie preferences through your browser settings. Disabling essential cookies may affect your ability to use the Platform. We do not use cookies for third-party advertising.

10. Google API Services

Ponkan allows you to sign in using your Google account. When you authenticate through Google Sign-In, we receive your name, email address, and profile picture from Google. This information is used solely to create and maintain your Ponkan account.

Ponkan's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

We do not use Google user data for advertising, and we do not permit any third party to use Google user data obtained through our Platform for purposes unrelated to providing or improving our services.

11. Merchant Responsibilities as Personal Information Controllers

If you are a Merchant, you act as a Personal Information Controller (PIC) under the Data Privacy Act with respect to the Customer data you collect through the Platform. You are responsible for:

• Ensuring that your collection and processing of Customer data complies with RA 10173
• Obtaining appropriate consent from your Customers before collecting their personal information
• Providing your Customers with clear notice about how their data is used
• Implementing your own privacy policy that is accessible to your Customers
• Reporting any personal data breach involving Customer data to the NPC and affected data subjects in accordance with the law

Ponkan acts as a Personal Information Processor (PIP) when processing Customer data on your behalf and will support your compliance obligations as required.

12. Children's Privacy

The Platform is not directed to individuals under the age of eighteen (18). We do not knowingly collect personal information from minors. If we become aware that a minor has provided personal information without parental or guardian consent, we will take steps to delete such information promptly. If you believe a minor has provided us with personal information, please contact us immediately.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Platform, or applicable law. We will notify you of material changes by posting the updated policy on our website, through the Platform dashboard, or via email. The "Last Updated" date at the top of this page indicates when this policy was last revised.

We encourage you to review this policy periodically to stay informed about how we protect your information.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact:

• Data Protection Officer
• Email: [email protected]

You may also file a complaint with the National Privacy Commission of the Philippines:

• Website: privacy.gov.ph
• Email: [email protected]