Privacy Policy

Effective date: April 29, 2025  ·  Last updated: April 29, 2025

This Privacy Policy describes how the Service Provider ("I", "me", or "the Service Provider"), operating through this website or similar platforms and channels, handles personal and business information in connection with the automation, software development, and technology services I provide to clients and partners.

Core commitment: I do not collect, store, or retain the personal data of my clients' customers or end-users. My role in any client engagement is that of a technical service provider — I build and operate systems on behalf of my clients, but the personal data those systems handle belongs to the client and their users. I access it only to the extent required to deliver the agreed service, never to profile, analyze, or retain it for my own purposes.

This policy is written in compliance with the Philippine Data Privacy Act of 2012 (Republic Act No. 10173) and its Implementing Rules and Regulations (IRR), as enforced by the National Privacy Commission (NPC). Where clients operate internationally, I also observe applicable data protection principles consistent with standards such as the GDPR.

1. Scope

This policy covers:

  • Personal and business information I collect directly — from clients, partners, and website visitors
  • Personal data I process on behalf of clients as part of delivering automation, software, data engineering, or platform services

It does not govern the privacy practices of third-party websites or services linked from this site — those parties have their own policies.

It also does not apply to personal data held by my clients about their own customers. Clients are the Personal Information Controllers for that data under RA 10173. I act only as a Personal Information Processor — building and operating the technical systems that handle it, under the client's instruction.

2. My Role: Controller vs. Processor

Understanding my role is important for knowing who is responsible for what:

As a Personal Information Controller

I am the controller for data I collect directly for my own business purposes — such as contact information from clients and inquiries from website visitors. I decide how and why that data is used, and I am directly accountable for it under RA 10173.

As a Personal Information Processor

When I build or operate systems that process the personal data of a client's customers or end-users, I act as a processor under the client's instruction. In this capacity:

  • I process personal data only as directed by the client and only to the extent required to deliver the agreed service
  • I do not use, analyze, copy, or retain that data for any purpose beyond immediate service delivery
  • I do not store end-user personal data in any system or storage I own or control, beyond what is strictly necessary during active processing
  • Responsibility for obtaining lawful bases for processing (e.g., user consent, legitimate interest) rests with the client as the controller
  • Any data processing I perform on behalf of clients is governed by a written agreement (service contract, data processing agreement, or NDA) that imposes equivalent privacy and security obligations on me

3. What Information I Collect

From clients and partners (direct collection)

To engage and deliver services, I collect only the minimum information necessary:

  • Contact details — name, email address, phone number, company name, and job title, used solely to communicate and manage our working relationship
  • Project and business information — requirements, system specifications, workflows, and operational context shared to scope and deliver the work
  • Access credentials — system logins, API keys, or environment variables shared temporarily for integration or deployment work; handled under strict confidentiality, stored only in encrypted vaults, and deleted upon project completion or upon request
  • Communications — emails, messages, and documents exchanged during an engagement, retained only for the duration of the project and a reasonable post-project period

I do not collect personal data about my clients' customers, end-users, or employees beyond what is incidentally encountered during system access for delivery purposes — and even then, I do not record, copy, or retain it.

From website visitors

  • Inquiry data — name, email, and message content voluntarily submitted via email or any contact form, used only to respond to the inquiry
  • Server logs — standard request metadata (IP address, browser type, pages visited, referrer) retained temporarily for security and performance monitoring, not linked to any individual identity

This website does not use cookies, behavioral tracking, or third-party analytics scripts. No visitor profiling takes place.

4. How I Use Information

Information is used only for the specific purpose it was collected and for no other purpose without your knowledge:

  • Client information — to scope, deliver, and support the agreed service; to communicate about project status; and to meet legal or contractual obligations
  • Website inquiry data — to respond to your message and, if an engagement follows, to manage the working relationship
  • Server logs — to monitor uptime, detect abuse, and maintain site security; not used for profiling or marketing

I do not sell, rent, trade, or monetize any personal data. I do not use client or visitor data for advertising, profiling, or any purpose unrelated to the service.

5. Legal Basis for Processing

Under RA 10173, I process personal information only when at least one of the following conditions is met:

  • Consent — you have freely, specifically, and informedly given consent (e.g., by submitting an inquiry)
  • Contractual necessity — processing is necessary to fulfill a service agreement or to take pre-contractual steps at your request
  • Legal obligation — processing is required to comply with Philippine law or a lawful regulatory requirement
  • Legitimate interests — processing is necessary for the legitimate interests I pursue as a service provider (e.g., maintaining project records, securing systems), provided those interests do not override your fundamental rights

6. Data Minimization

I apply a strict data minimization principle across all engagements:

  • I request and collect only the data that is directly necessary for the task at hand — no more
  • When building automation or integration systems, I design pipelines to process and pass through data without persisting it in intermediate stores I own or control, unless the client's architecture explicitly requires it and it is covered by a written agreement
  • If access to a production environment containing personal data is required for troubleshooting or deployment, I use the minimum level of access needed, for the minimum time needed, and I do not extract or copy any personal records
  • Sample or test data used during development is anonymized or synthetically generated wherever possible; real personal data is never used as development fixtures

7. Data Retention

I keep data only for as long as there is a clear, legitimate reason to do so. When that reason no longer exists, data is deleted or anonymized promptly.

Client contact and project information

  • Retained for the duration of the active engagement, plus up to 12 months after project completion to cover post-delivery support, follow-up questions, and reasonable business record-keeping
  • After this period, project communications and business documents are deleted or anonymized unless a longer retention period is required by law

Access credentials

  • Deleted or formally returned to the client within 7 days of project completion, or immediately upon request — whichever comes first
  • No credentials are retained after the engagement ends, under any circumstance

End-user and customer personal data (client's data subjects)

  • I do not store this data. Personal data belonging to a client's customers or end-users is processed only in transit — it flows through systems I build or operate and is handled per the client's instructions, but it is not copied, logged, or persisted in any system I own or control
  • Any incidental access to such data during system maintenance or troubleshooting is strictly limited to what is operationally necessary and is not recorded beyond system-level logs required for security

Website inquiry data

  • Retained for up to 6 months from last contact if no engagement follows, then deleted
  • If an engagement results, inquiry data is merged into the project record and follows the client project retention schedule above

Server logs

  • Retained for a maximum of 30 days on a rolling basis for security monitoring, then purged automatically

Legal and financial records

  • Invoices, contracts, and tax-related records are retained for the period required by applicable Philippine law (generally 10 years under the National Internal Revenue Code)
  • These records contain only business-level information (company name, amounts, deliverables) and are not used for any other purpose

8. Data Sharing and Disclosure

I do not share personal data with any third party except in the following limited and controlled circumstances:

  • Operational subprocessors — tools and infrastructure providers I use to deliver services (e.g., cloud hosting, encrypted storage, project communication tools). These are reputable, security-vetted services bound by their own privacy policies, and I share only the minimum data required. I do not pass client or end-user personal data to these services beyond what the service architecture requires
  • Legal obligation — when disclosure is required by a court order, government authority, or applicable Philippine law; I will notify the affected client prior to disclosure where legally permitted
  • Explicit client instruction — when a client specifically authorizes disclosure to a named third party as part of the service delivery

I do not share data with data brokers, advertising networks, or any party for commercial purposes unrelated to service delivery.

9. Data Security

I apply security controls proportionate to the sensitivity of the data I handle:

Technical measures

  • Encryption in transit — all data transmitted between systems uses TLS 1.2 or higher; unencrypted channels are not used for personal data
  • Encryption at rest — credentials, keys, and sensitive project files are stored in encrypted vaults (e.g., password managers with AES-256 encryption), never in plain text or unprotected cloud storage
  • Access controls — least-privilege access is applied to all systems; shared credentials are rotated after engagement and never reused across clients
  • Secure deletion — data scheduled for deletion is wiped securely, not simply moved to trash
  • System isolation — client environments, credentials, and data are isolated from each other; no commingling of client data across projects

Organizational measures

  • All subcontractors involved in client work are bound by written confidentiality agreements that impose equivalent data handling obligations
  • Project documentation containing any personal data is access-controlled and not shared publicly
  • I conduct periodic reviews of data held and delete anything no longer required

Breach response

No system is completely immune to security incidents. In the event of an actual or suspected personal data breach that poses a real risk to data subjects, I will:

  • Contain and assess the breach immediately
  • Notify affected clients without undue delay and within the timeframe required under RA 10173 (no later than 72 hours of becoming aware of a qualifying breach)
  • Report to the National Privacy Commission if required under NPC Circular 16-03 or subsequent issuances
  • Document the incident and the corrective actions taken

10. Your Rights as a Data Subject

If I process personal data about you directly (e.g., as a client or website visitor), you have the following rights under RA 10173:

  • Right to be informed — to know what personal data I hold about you, the purpose of processing, and how it is handled
  • Right to access — to request a copy of the personal data I hold about you in a readable format
  • Right to rectification — to have inaccurate or incomplete data corrected promptly
  • Right to erasure or blocking — to request deletion or restriction of your data where the processing has ended or has no remaining lawful basis; I will comply unless retention is required by law
  • Right to object — to object to processing based on legitimate interests, where your specific situation warrants it
  • Right to data portability — to receive your data in a structured, machine-readable format so you can transfer it to another party
  • Right to damages — to seek compensation through the NPC if your data privacy rights under RA 10173 have been violated

If you are a customer or end-user of one of my clients and wish to exercise your rights regarding data that client's system holds about you, please contact that client directly — they are the controller of your data, and your rights requests should be directed to them.

To exercise rights against data I control directly, contact me at the address in Section 13. I will acknowledge your request within 5 business days and resolve it within the timeframe required by the NPC.

11. Cookies and Tracking

This website does not use cookies, advertising pixels, behavioral analytics scripts, or any form of cross-site tracking. No visitor data is shared with advertising networks or data brokers. The only server-side data collected is standard request log metadata (IP address, browser type, requested URL, referrer, timestamp), retained for 30 days for security purposes only and not linked to any individual identity.

12. International Data Transfers

If a client engagement involves cloud infrastructure or third-party tools hosted outside the Philippines, any personal data that flows through those systems is subject to the privacy and security requirements of those platforms. I use only reputable providers that maintain internationally recognized security standards (e.g., ISO 27001, SOC 2).

Where cross-border data transfer is part of a client's system architecture, I disclose this clearly during scoping. Clients who operate under GDPR or other cross-border frameworks are advised to ensure appropriate transfer mechanisms (e.g., Standard Contractual Clauses) are in place at the controller level.

13. Changes to This Policy

I may update this Privacy Policy to reflect changes in my services, legal requirements, or industry best practices. Material changes — those that affect your rights or how your data is handled — will be communicated via an updated effective date at the top of this page. For active client engagements, I will provide direct notice of material changes. Continued engagement after the updated policy takes effect constitutes acceptance of the changes.

14. Contact and Complaints

For any privacy-related questions, data subject rights requests, or concerns about how your information is handled, please contact:

Service Provider
Personal Information Controller
privacy@rannieollit.com
rannieollit.com

If you believe your data privacy rights have been violated and I have not resolved your concern satisfactorily, you have the right to file a complaint with the National Privacy Commission (NPC) of the Philippines:

www.privacy.gov.ph
NPC Complaints and Investigation Division
5th Floor, Delegation Building, PICC Complex, Pasay City, Metro Manila