Privacy Policy
* Effective Date: August 11, 2025
* Last Updated: August 11, 2025
1. Scope & Acceptance
1.1 This policy governs all data processed through:
– Primary domain: sulitstation.com
– Mobile applications (iOS/Android), if any
– Social media (Facebook, TikTok, Instagram)
– Offline channels (phone orders, physical kiosks), if any
1.2 By accessing our services, you expressly consent to the data practices outlined herein. Withdrawal of consent requires that you stop using the services.
2. Data Collection: Categories & Sources
2.1 A. Directly Collected Data
Category | Specific Data Points | Purpose Examples |
Identity Data | Full name, birthdate, government ID (PhilSys ID or passport copy, required for transactions of ₱20,000 or more) | Fraud prevention, warranty activation |
Contact Data | Email, phone (mobile/landline), billing/shipping address (including barangay) | Order fulfillment, delivery coordination |
Financial Data | Credit card (PAN, expiry, CVV), e-wallets (GCash/PayMaya), bank account (for refunds) | Payment processing, refunds |
Transactional Data | Order history, invoice numbers, serial numbers, warranty claims, return requests | Tax compliance, inventory management |
Technical Data | IP address, device ID (IMEI/MEID), browser fingerprint, OS version | Fraud analysis, system diagnostics |
Profile Data | Username, password, preferences (brands/price alerts), wishlists, product reviews | Personalization, account security |
2.2 B. Automatically Collected Data
– Cookies: Session (shopping cart), persistent (login), third-party (Google Analytics, Meta Pixel).
– Log Files: Clickstream data, page response times, download errors.
– Device Sensors: Geolocation (for store locator), camera (AR product preview).
2.3 C. Third-Party Sources
Source Type | Data Received | Purpose |
Payment Gateways | Transaction status, masked card details | Reconciliation, dispute resolution |
Logistics Partners | Delivery status, recipient signature | Customer support, loss prevention |
Credit Bureaus (e.g., CIBI) | Credit score, fraud flags | High-risk transaction assessment |
Social Media | Public profile, friend lists (if connected) | Targeted advertising |
3. Processing Purposes & Legal Bases
3.1
Purpose | Legal Basis (RA 10173) | Data Categories Used |
Order fulfillment | Contractual necessity | Identity, Contact, Financial, Transactional |
Fraud prevention | Legitimate interest | Technical, Identity, Financial |
Marketing communications | Consent (opt-in required) | Contact, Profile |
Warranty support | Legal obligation (Consumer Act) | Identity, Transactional, Technical |
Tax reporting (BIR) | Legal obligation | Identity, Financial, Transactional |
Product development | Legitimate interest | Technical, Profile |
4. Data Sharing & Disclosure
4.1 A. Strictly Necessary Sharing
– Payment Processors: PayMongo, Maya, GCash, etc. – *only transaction-specific data*.
– Logistics: LBC, J&T Express, DHL, etc. – *name, address, phone, order value*.
– IT Infrastructure: AWS (Singapore), Google Cloud (Taiwan) – *encrypted data*.
4.2 B. Conditional Sharing
– Law Enforcement: Upon valid subpoena under Philippine Rules of Court.
– Business Transfers: Transfer of data during mergers and acquisitions per NPC Advisory No. 2017-03.
– Warranty Partners (e.g., Samsung, Apple): Serial numbers, purchase date – *only with customer consent*.
4.3 C. Anonymized Sharing
Aggregated sales trends shared with suppliers (e.g., “65% of Manila buyers prefer smartphones priced ₱10k-₱15k”).
5. Data Security Protocols
5.1 Encryption: AES-256 for data at rest, TLS 1.3+ for data in transit.
5.2 Access Controls: Role-based permissions, biometric authentication for admin systems.
5.3 Network Security: Web Application Firewalls (WAF), DDoS mitigation, SOC 2-compliant hosting.
5.4 Payment Security: PCI-DSS Level 1 certification; card data tokenized via Braintree.
5.5 Breach Response:
– Internal escalation within 1 hour of detection.
– NPC and affected data subjects notified within 72 hours of discovery per NPC Circular 16-03.
6. Data Retention Schedule
6.1
Data Type | Retention Period | Justification |
Account profiles | 2 years post-account deletion | Customer re-engagement |
Financial records | 10 years | BIR Revenue Regulations |
Server logs | 90 days | Security forensics |
Marketing consents | Until withdrawal | NPC Circular 16-02 |
Warranty claims | 5 years post warranty expiry | Consumer Act defense periods |
6.2 Deletion methods: Cryptographic shredding for digital data; pulping for physical documents.
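The deletion method named above, cryptographic shredding, works by keeping each data subject's records encrypted under their own key held in a separate key store, so that erasure means destroying the key rather than hunting down every copy of the ciphertext (including backups). The following is an added illustration, not part of the policy or of Sulit Station's systems: the in-memory `store` type standing in for the database and the key vault, the `dek-<subjectID>` key naming, and the sample subject are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// record is a stored ciphertext plus the ID of the key that protects it.
// The key itself lives in a separate store (an in-memory map here, standing in
// for a KMS/HSM), so deleting the key makes the ciphertext unrecoverable.
type record struct {
	keyID string
	nonce []byte
	ct    []byte
}

// store is a constructed stand-in for the database and the key vault.
type store struct {
	keys    map[string][]byte // per-subject data-encryption keys (DEKs)
	records map[string]record // subjectID -> encrypted profile
}

func newStore() *store {
	return &store{keys: map[string][]byte{}, records: map[string]record{}}
}

// gcmFor builds an AES-256-GCM AEAD for a 32-byte key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Put encrypts plaintext under a fresh per-subject key and stores both.
// The subject ID is bound as associated data so records cannot be swapped.
func (s *store) Put(subjectID string, plaintext []byte) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	keyID := "dek-" + subjectID // hypothetical naming scheme
	s.keys[keyID] = key
	s.records[subjectID] = record{keyID: keyID, nonce: nonce, ct: gcm.Seal(nil, nonce, plaintext, []byte(subjectID))}
	return nil
}

// Get decrypts a subject's record; it fails once the key has been shredded.
func (s *store) Get(subjectID string) ([]byte, error) {
	r, ok := s.records[subjectID]
	if !ok {
		return nil, errors.New("no such record")
	}
	key, ok := s.keys[r.keyID]
	if !ok {
		return nil, errors.New("key shredded: record is unrecoverable")
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, r.nonce, r.ct, []byte(subjectID))
}

// Shred performs cryptographic shredding: zero the key bytes and delete the
// key entry. The ciphertext may persist in backups, but without the key it is
// indistinguishable from random bytes.
func (s *store) Shred(subjectID string) {
	r, ok := s.records[subjectID]
	if !ok {
		return
	}
	if key, ok := s.keys[r.keyID]; ok {
		for i := range key {
			key[i] = 0
		}
		delete(s.keys, r.keyID)
	}
}

func main() {
	s := newStore()
	_ = s.Put("u1", []byte("Juan dela Cruz, Brgy. San Lorenzo")) // constructed sample
	pt, _ := s.Get("u1")
	fmt.Printf("before shred: %s\n", pt)
	s.Shred("u1")
	_, err := s.Get("u1")
	fmt.Printf("after shred: %v (ciphertext still stored: %d bytes)\n", err, len(s.records["u1"].ct))
}
```

The point a practitioner should take from this is that the retention periods in the table above apply to the keys as much as to the data: a backup that still holds the ciphertext is harmless only if the corresponding key has genuinely been destroyed everywhere, including in key-store backups and escrow.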
7. Your Rights & How to Exercise Them
7.1 Submit verifiable requests to the DPO:
– Access: Receive CSV report of your data.
– Rectification: Update inaccurate addresses/contact details.
– Erasure: “Right to be forgotten” (excludes tax data).
– Portability: Data exported in machine-readable JSON.
– Objection: Opt-out of profiling for loans/insurance.
7.2 Response Time: 15 working days (extendable under NPC rules).
7.3 ID Required: Two valid IDs (e.g., PhilID + driver’s license).
8. Cookies & Tracking Technologies
8.1
Cookie Type | Provider | Purpose | Opt-Out Mechanism |
Essential | Platform | Cart functionality, login security | None (required for service) |
Analytics | Google Analytics 4 | Traffic source analysis | Browser settings or GA Opt-Out |
Advertising | Meta Pixel | Retargeting ads | Facebook Ad Preferences |
Performance | Cloudflare | CDN routing optimization | Browser settings |
9. Cross-Border Data Transfers
9.1 Data Destinations: Singapore (AWS), USA (Google), EU (Meta).
9.2 Safeguards:
– EU Standard Contractual Clauses (SCCs).
– APEC Cross-Border Privacy Rules (CBPR).
– Vendor DPAs requiring ISO 27001 certification.
10. Special Processing Cases
10.1 Trade-In Devices: Media sanitization per NIST SP 800-88 (Guidelines for Media Sanitization); a certificate of sanitization is provided.
10.2 Biometric Data: Facial recognition for high-risk transactions – separate consent required.
10.3 Sensitive Data: Health information (e.g., for medical devices) stored in isolated encrypted vaults.
11. Children’s Privacy
11.1 Strict age gating:
– Account creation requires age declaration (≥18).
– Third-party age verification (DigiCO) for age-restricted items (e.g., vaping devices).
12. Policy Updates
12.1 Material changes (e.g., new data sharing) notified via email 30 days pre-effective date.
12.2 Version history will be archived on this page.
13. Contact & Complaints
13.1 You can contact our Data Protection Officer (DPO) electronically or in writing at the following:
– Email: ph.sulitstation@gmail.com
– Physical address: 2/F Zeta II Building 191 Salcedo St, San Lorenzo Legaspi Village Makati 1223
13.2 NPC Complaints: National Privacy Commission, 5th Floor Delegation Building, PICC Complex, Pasay City.
This policy integrates requirements from:
– NPC Circulars 16-01 to 16-03
– BSP Circular 1108 (e-payments)
– International frameworks: GDPR (Recitals 6, 47), CCPA
* Jurisdiction: Republic of the Philippines
* Governing Law: Data Privacy Act of 2012 (RA 10173), NPC Issuances
Sulit Station team
August 11, 2025