Privacy Policy
* Effective Date: August 11, 2025
* Last Updated: August 11, 2025
1. Scope & Acceptance
1.1 This policy governs all data processed through:
– Primary domain: sulitstation.com
– Mobile applications (iOS/Android), if any
– Social media integrations (Facebook, TikTok, Instagram)
– Offline channels (phone orders, physical kiosks), if any
1.2 By accessing our services, you expressly consent to data practices outlined herein. Withdrawal requires cessation of service use.
2. Data Collection: Categories & Sources
2.1 A. Directly Collected Data
Category | Specific Data Points | Purpose Examples
Identity Data | Full name, birthdate, government ID (PhilSys ID/Passport copy for ≥₱20k transactions) | Fraud prevention, warranty activation
Contact Data | Email, phone (mobile/landline), billing/shipping address (including barangay) | Order fulfillment, delivery coordination
Financial Data | Credit card (PAN, expiry, CVV), e-wallets (GCash/PayMaya), bank account (for refunds) | Payment processing, refunds
Transactional Data | Order history, invoice numbers, serial numbers, warranty claims, return requests | Tax compliance, inventory management
Technical Data | IP address, device ID (IMEI/MEID), browser fingerprint, OS version | Fraud analysis, system diagnostics
Profile Data | Username, password, preferences (brands/price alerts), wishlists, product reviews | Personalization, account security
2.2 B. Automatically Collected Data
– Cookies: Session (shopping cart), persistent (login), third-party (Google Analytics, Meta Pixel).
– Log Files: Clickstream data, page response times, download errors.
– Device Sensors: Geolocation (for store locator), camera (AR product preview).
2.3 C. Third-Party Sources
Source Type | Data Received | Purpose
Payment Gateways | Transaction status, masked card details | Reconciliation, dispute resolution
Logistics Partners | Delivery status, recipient signature | Customer support, loss prevention
Credit Bureaus (e.g., CIBI) | Credit score, fraud flags | High-risk transaction assessment
Social Media | Public profile, friend lists (if connected) | Targeted advertising
3. Processing Purposes & Legal Bases
3.1
Purpose | Legal Basis (RA 10173) | Data Categories Used
Order fulfillment | Contractual necessity | Identity, Contact, Financial, Transactional
Fraud prevention | Legitimate interest | Technical, Identity, Financial
Marketing communications | Consent (opt-in required) | Contact, Profile
Warranty support | Legal obligation (Consumer Act) | Identity, Transactional, Technical
Tax reporting (BIR) | Legal obligation | Identity, Financial, Transactional
Product development | Legitimate interest | Technical, Profile
4. Data Sharing & Disclosure
4.1 A. Strictly Necessary Sharing
– Payment Processors: Paymongo, Maya pay, GCash, etc. – *only transaction-specific data*.
– Logistics: LBC, J&T Express, DHL, etc. – *name, address, phone, order value*.
– IT Infrastructure: AWS (Singapore), Google Cloud (Taiwan) – *encrypted data*.
4.2 B. Conditional Sharing
– Law Enforcement: Upon valid subpoena under Philippine Rules of Court.
– Business Transfers: Data portability during M&A per NPC Advisory No. 2017-03.
– Warranty Partners (e.g., Samsung, Apple): Serial numbers, purchase date – *only with customer consent*.
4.3 C. Anonymized Sharing
Aggregated sales trends shared with suppliers (e.g., “65% of Manila buyers prefer smartphones priced ₱10k-₱15k”).
5. Data Security Protocols
5.1 Encryption: AES-256 for data at rest, TLS 1.3+ for data in transit.
5.2 Access Controls: Role-based permissions, biometric authentication for admin systems.
5.3 Network Security: Web Application Firewalls (WAF), DDoS mitigation, SOC 2-compliant hosting.
5.4 Payment Security: PCI-DSS Level 1 certification; card data tokenized via Braintree.
5.5 Breach Response:
– Internal escalation within 1 hour of detection.
– NPC/affected users notified within 72 hours per NPC Circular 16-03.
6. Data Retention Schedule
6.1
Data Type | Retention Period | Justification
Account profiles | 2 years post-account deletion | Customer re-engagement
Financial records | 10 years | BIR Revenue Regulations
Server logs | 90 days | Security forensics
Marketing consents | Until withdrawal | NPC Circular 16-02
Warranty claims | 5 years post-warranty expiry | Consumer Act defense periods
6.2 Deletion methods: Cryptographic shredding for digital data; pulping for physical documents.
7. Your Rights & How to Exercise Them
7.1 Submit verifiable requests to the DPO:
– Access: Receive CSV report of your data.
– Rectification: Update inaccurate addresses/contact details.
– Erasure: “Right to be forgotten” (excludes tax data).
– Portability: Data exported in machine-readable JSON.
– Objection: Opt-out of profiling for loans/insurance.
7.2 Response Time: 15 working days (extendable under NPC rules).
7.3 ID Required: Two valid IDs (e.g., PhilID + driver’s license).
8. Cookies & Tracking Technologies
8.1
Cookie Type | Provider | Purpose | Opt-Out Mechanism
Essential | Platform | Cart functionality, login security | None (required for service)
Analytics | Google Analytics 4 | Traffic source analysis | Browser settings or GA Opt-Out
Advertising | Meta Pixel | Retargeting ads | Facebook Ad Preferences
Performance | Cloudflare | CDN routing optimization | Browser settings
9. Cross-Border Data Transfers
9.1 Data Destinations: Singapore (AWS), USA (Google), EU (Meta).
9.2 Safeguards:
– EU Standard Contractual Clauses (SCCs).
– APEC Cross-Border Privacy Rules (CBPR).
– Vendor DPAs requiring ISO 27001 certification.
10. Special Processing Cases
10.1 Trade-In Devices: Secure data wiping per NIST SP 800-88; certificate provided.
10.2 Biometric Data: Facial recognition for high-risk transactions – separate consent required.
10.3 Sensitive Data: Health information (e.g., for medical devices) stored in isolated encrypted vaults.
11. Children’s Privacy
11.1 Strict age gating:
– Account creation requires age declaration (≥18).
– Third-party age verification (DigiCO) for age-restricted items (e.g., vaping devices).
12. Policy Updates
12.1 Material changes (e.g., new data sharing) notified via email 30 days pre-effective date.
12.2 Version history will be archived at this page.
13. Contact & Complaints
13.1 You can contact our Data Protection Officer (DPO) electronically or in writing at the following:
– Email: ph.sulitstation@gmail.com
– Physical address: Unit 25D 2/F Zeta II Building 191 Salcedo St, San Lorenzo Legaspi Village Makati 1223
13.2 NPC Complaints: National Privacy Commission, 5/F Delegation Building, PICC Complex, Pasay City.
This policy integrates requirements from:
– NPC Circulars 16-01 to 16-03
– BSP Circular 1108 (e-payments)
– International frameworks: GDPR (Recitals 6, 47), CCPA
* Jurisdiction: Republic of the Philippines
* Governing Law: Data Privacy Act of 2012 (RA 10173), NPC Issuances
Sulit Station team
August 11, 2025