Privacy Policy

Philippine Data Privacy Act (RA 10173) — Comprehensive Statement
Last Updated

This Privacy Policy was last updated on February 24, 2026.

We safeguard confidentiality, integrity, and availability of Personal Data through organizational, physical, and technical measures.

Processing is grounded on lawful bases: consent, contract, legal obligation, vital interests, and legitimate interests.

Cross-border transfers use appropriate safeguards and data processing agreements aligned with NPC guidance.

TechnoByte AI Innovation (“TechnoByte AI Innovation,” “we,” “us,” or “our”) respects your right to data privacy and is committed to protecting personal and sensitive personal information (“Personal Data”) in accordance with the Data Privacy Act of 2012 (Republic Act No. 10173), its Implementing Rules and Regulations (IRR), and relevant issuances of the National Privacy Commission (“NPC”). This Privacy Policy explains what data we collect, how and why we process it, the controls you have, and how we keep it safe.

01.

Definitions & Key Roles

  • Personal Information (PI): Data that identifies you (e.g., name, address, email, contact numbers).
  • Sensitive Personal Information (SPI): Data about race, ethnicity, marital status, age, health, education, government IDs, etc.
  • Privileged Information: Data covered by legal privilege (e.g., attorney-client communications).
  • Processing: Any operation on Personal Data (collection, recording, storage, use, disclosure, etc.).
  • Personal Information Controller (PIC): TechnoByte AI Innovation—determines purposes and means of processing.
  • Personal Information Processor (PIP): Third parties processing data on behalf of TechnoByte AI Innovation under contract.
  • Data Subject: An identified or identifiable natural person to whom the data relates.
  • DPO: Data Protection Officer designated by TechnoByte AI Innovation to oversee compliance.
02.

Scope & Applicability

This Policy covers all websites, mobile apps, SaaS platforms, APIs, CRM and loyalty modules, analytics dashboards, AI/ML features (e.g., recommendation engines, anomaly detection), on-premise systems, support channels, CCTV within facilities, and any service operated by TechnoByte AI Innovation. It also applies to employees, job applicants, contractors, vendors, hotel partners, customers/guests, and site visitors who interact with our services.

03.

Lawful Bases for Processing

  • Consent: Granted via forms, checkboxes, signed contracts, or opt-in mechanisms; revocable anytime.
  • Contract: Necessary to perform pre-contractual steps or a contract with you.
  • Legal Obligation: Compliance with laws/regulations, lawful orders, or regulatory reporting.
  • Vital Interests: To protect life/health/safety of you or others.
  • Legitimate Interests: Reasonable business purposes balanced against your rights and expectations.
04.

Categories of Personal Data We Collect

  • Identifiers & Contact: Name, alias, address, email, phone, username, role, organization.
  • Sensitive Data: Government IDs (e.g., TIN, SSS, UMID), nationality, civil status, health data if required, educational records.
  • Transactional & Financial: Reservation details, invoices, payment tokens, card brand/last 4 digits, refunds, chargebacks.
  • Online Identifiers: IP address, device IDs, cookies/SDK, session logs, crash reports, geolocation, OS/browser.
  • Usage & Preference: Pages viewed, search queries, clickstream, feature interactions, loyalty usage.
  • Employment/Contractor: Resume/CV, credentials, background checks, payroll/benefits (employees), accreditation (contractors).
  • Multimedia & CCTV: Photos, video/audio, CCTV footage for safety/security and incident documentation.
05.

How We Collect Personal Data

  • Directly from you via forms, sign-ups, bookings, check-ins, KYC/CDD, support channels.
  • Automatically via cookies, web beacons, app telemetry, SDKs, and analytics tools.
  • From third parties (e.g., payment gateways, ID verification providers) with your consent or as allowed by law.
  • From CCTV/access control systems within facilities (if applicable).
06.

Purposes of Processing

  • Provide, operate, and support reservations, CRM, loyalty, and property-related services.
  • Identity verification, fraud prevention, and service eligibility checks.
  • Customer support, incident response, complaints handling, and dispute resolution.
  • Product improvement, analytics, A/B testing, and service personalization.
  • Communications: service updates, notices, billing; marketing/promotions with opt-out.
  • Regulatory compliance, audits, accounting, and lawful reporting.
  • Safety and security operations (including CCTV monitoring and access logs).
  • Research and statistical analysis using aggregated/de-identified data where feasible.
07.

Module-Specific Notices (CRM, Loyalty, Messaging, Payments)

  • CRM: Profile management, stay history, preferences, communication logs.
  • Loyalty: Tiering, points accrual/redemption, targeted offers.
  • Messaging: Email/SMS/push notifications; you can opt out of marketing messages anytime.
  • Payments: Processing via gateways; we store minimal payment artifacts (e.g., masked card data, tokens) as required.
08.

Automated Decision-Making & Profiling (AI/ML)

We may use models to detect anomalies (fraud/abuse), segment audiences, or recommend content/offers. Decisions with legal or similarly significant effects will include avenues for human review upon request. You may object to profiling where permitted by law; some features may be unavailable without certain processing.

09.

Cookies, SDKs, and Similar Technologies

  • Strictly Necessary: Authentication, session, security.
  • Functional: Preferences, localization, accessibility.
  • Analytics: Traffic stats, performance, crash analytics.
  • Marketing: Campaign attribution (only with consent where required).

You may manage cookies via your browser or in-app settings. Disabling some cookies may limit functionality.

10.

Sharing & Disclosures to Third Parties

We do not sell Personal Data. We may disclose data to:

  • Service Providers (PIPs): Cloud hosting, security, analytics, support, payments—bound by contracts, confidentiality, and security controls.
  • Affiliates/Partners: For service delivery and customer experience, subject to this Policy.
  • Regulators/Law Enforcement: As required by law, lawful orders, or to protect rights/safety.
  • Corporate Transactions: Due diligence and transfer with safeguards in mergers, acquisitions, or reorganization.
11.

International Transfers

Personal Data may be processed in other jurisdictions by providers under data processing agreements that ensure adequate protection (encryption, access controls, audit rights). We align with NPC advisories on cross-border data flows.

12.

Security Controls

  • Defense-in-depth architecture, firewalls, and network segmentation.
  • Encryption in transit (TLS) and at rest where applicable.
  • Least-privilege, role-based access, and multi-factor authentication.
  • Secure development lifecycle, code reviews, and dependency scanning.
  • Logging, monitoring, vulnerability management, and incident response playbooks.
  • Employee confidentiality undertakings and periodic privacy/security training.
13.

Retention & Disposal

We retain Personal Data for the duration of the relationship and generally up to ten (10) years thereafter or longer if required by law/regulation, litigation holds, or legitimate business needs. When no longer necessary, we securely dispose of or anonymize data.

Category | Typical Retention | Disposal Method
Account & Profile | Life of account + up to 10 years | Secure deletion/anonymization
Transactions & Invoices | 10 years (tax/audit) | Secure deletion per schedule
Support/Logs | 1–3 years (ops/legal) | Rolling log retention & purge
CCTV | 30–90 days unless incident | Overwrite/secure wipe
14.

Children’s Privacy

We do not knowingly collect Personal Data from children under 18 without verifiable parental consent. Parents/guardians are encouraged to supervise minors’ online activities. If you believe a child provided data, contact the DPO for assistance.

15.

Your Rights as a Data Subject

  • Right to be Informed about processing activities.
  • Right to Access Personal Data we hold about you.
  • Right to Rectification of inaccurate or incomplete data.
  • Right to Erasure/Blocking when processing is unlawful or no longer necessary.
  • Right to Object to certain processing (e.g., marketing, profiling) subject to applicable exceptions.
  • Right to Data Portability for data you provided and processed by electronic means, in a structured, commonly used format.
  • Right to Damages for violations of your data privacy rights, as provided by law.
  • Right to File a Complaint before the NPC.

Rights may be exercised personally or by an authorized representative with proper documentation (e.g., SPA).

16.

How to Exercise Your Rights (Workflow & Requirements)

  1. Submit Request: Email or write to our DPO (see Contact section). Indicate the right(s) you wish to exercise.
  2. Identity Verification: We may request proof of identity/authority to protect your account and data.
  3. Evaluation: We assess scope, feasibility, and legal constraints (e.g., retention required by law).
  4. Response: We respond within a reasonable timeframe per NPC guidance; complex cases may take longer with notice.
  5. Outcome: If granted, we execute corrections, provide copies, or implement erasure/blocking as applicable.
17.

CCTV & Onsite Safety

To maintain a safe and secure environment, facilities may be monitored by CCTV in common areas and entry/exit points. Footage is retained for a limited time unless needed for investigations, legal obligations, or incident documentation.

18.

Processors & Subprocessors

We work with trusted third-party service providers (sub-processors) who process personal data on our behalf. Each provider is bound by confidentiality and data protection obligations consistent with this Policy.

Category | Purpose | Data Types
Cloud & Hosting | App/DB hosting, storage, backups | PI, logs, telemetry
Payments | Process payments, refunds, chargebacks | Billing info, masked card data, tokens
Analytics | Usage metrics, performance, crash logs | Device, session, clickstream
Messaging | Email/SMS/push delivery | Contact info, message metadata
Security | WAF, DDoS, threat detection | IP, headers, behavioral signals

For a complete list of our current sub-processors or to receive notifications of changes, please contact our Data Protection Officer.

19.

Privacy by Design & Data Protection Impact Assessments (DPIA)

We embed privacy requirements in product lifecycles. Where processing presents high risks (e.g., large-scale profiling or use of sensitive data), we perform DPIAs and implement risk mitigations before launch.

20.

Incident & Breach Notification

We maintain incident response procedures. For personal data breaches that are notifiable under NPC rules, we will notify the NPC and affected Data Subjects within prescribed periods, including required details and recommended protective steps.

21.

Data Accuracy, Minimization & Quality

You are responsible for providing accurate and updated information. We implement reasonable measures to ensure data accuracy, completeness, and relevance to intended purposes, adhering to data minimization principles.

22.

Direct Marketing & Opt-Out

With your consent (where required), we may send promotional communications (email/SMS/push). You can opt out at any time via in-message links, in-app settings, or by contacting the DPO. Service and transactional messages are not marketing and may still be sent.

23.

Links to Third-Party Sites & Services

Our platforms may link to third-party websites or services that operate independently with their own privacy practices. We do not control and are not responsible for their content or policies. Review their notices before sharing Personal Data.

24.

Applicants, Employees & Contractors

  • Applicants: Evaluate qualifications, contact you, perform background checks where lawful; with consent we may retain profiles for future roles (up to 1 year unless otherwise permitted).
  • Employees: HR administration (payroll, benefits, performance, compliance, training, travel, incident management, exit processing).
  • Contractors/Vendors: Due diligence, accreditation, contract performance, compliance, payments.
25.

Guests & Property Services (if applicable)

  • Reservations, check-in, identity verification, payments, and service personalization.
  • Loyalty eligibility, offers, and rewards validation.
  • Service quality monitoring, incident handling, safety/security.
26.

Data Portability

For Personal Data you provided that we process by electronic means and in a structured, commonly used format on the basis of consent or contract, you may request a copy in a portable format and (where feasible) the secure transmission to another PIC.

27.

Legal Bases, Exceptions & Limitations

Some requests may be restricted by legal obligations, law enforcement requirements, litigation holds, or the rights and freedoms of others. If we must deny a request, we will provide reasons consistent with applicable law.

28.

Interoperability (e.g., GDPR/CCPA Considerations)

Where foreign privacy laws may apply due to user location or services, we endeavor to honor rights that are substantially similar to those in the Philippines, subject to jurisdictional limits and lawful exceptions.

29.

Changes to this Policy

We may modify this Policy to reflect legal, technical, or business developments. Material changes will be posted here with an updated “Last Updated” date and will take effect upon posting unless otherwise indicated.

30.

Contact Our Data Protection Officer (DPO)

Data Protection Officer

TechnoByte AI Innovation

[Insert Office Address]

+63 917______

[Insert DPO Email]

You may also lodge a complaint with the National Privacy Commission (NPC): https://privacy.gov.ph.

31.

Appendix A — Example Data Map (High-Level)

System | Purpose | Data Categories | Typical Retention
Web/App Frontend | UX, account access | PI, session, cookies | Session + 1–2 years (logs)
CRM Core | Customer management | PI, preferences, history | Life of account + 10 yrs
Payments | Billing & settlement | Billing info, tokens | 10 yrs (audit/tax)
Support | Helpdesk, disputes | PI, tickets, logs | 1–3 yrs
32.

Appendix B — Legal & Regulatory References (Philippines)

  • Data Privacy Act of 2012 (RA 10173) and IRR
  • NPC Circulars, Advisories, and Issuances on security, breaches, cross-border transfers, and DPO functions
  • Other sectoral laws and regulations applicable to our services
33.

Appendix C — Security Baselines (Illustrative)

  • Asset inventory, configuration management, and change control
  • Key management, credential rotation, and secrets vaulting
  • Backup strategy, disaster recovery, and business continuity
  • Vendor risk management and periodic reassessments
  • Secure SDLC with threat modeling and pen testing cadence
34.

Appendix D — Glossary (Quick Reference)

PI: Personal Information. SPI: Sensitive Personal Information. PIC: Personal Information Controller. PIP: Personal Information Processor. DPIA: Data Protection Impact Assessment. NPC: National Privacy Commission.

35.

Effective Date

This Policy takes effect upon publication on our website or applications and supersedes prior versions for future processing activities from the date indicated above.

© 2026 TechnoByte AI Innovation. All rights reserved.