COREZA
Contents
  • 1. Introduction & Scope
  • 2. Data Controller
  • 3. Data Protection Officer
  • 4. Data We Collect
  • 5. Legal Basis for Processing
  • 6. How We Use Your Data
  • 7. Data Sharing & Disclosure
  • 8. Data Retention
  • 9. Data Security
  • 10. Cross-Border Transfers
  • 11. Your Rights (RA 10173 §16)
  • 12. Cookies & Tracking
  • 13. Children's Privacy
  • 14. Sensitive Personal Information
  • 15. Breach Notification
  • 16. Changes to this Policy
  • 17. Contact & DPO

Privacy Policy

Effective: April 5, 2026
Last revised: April 5, 2026
RA 10173 Compliant
🔐
Our Commitment to Your Privacy At Coreza, privacy is not a feature — it is a fundamental right. This Policy is designed to meet the full requirements of the Philippine Data Privacy Act of 2012 (Republic Act No. 10173), its Implementing Rules and Regulations (IRR), and the issuances of the National Privacy Commission (NPC). We are transparent about our data practices and committed to giving you meaningful control over your personal data.

1 Introduction & Scope

This Privacy Policy ("Policy") describes how Coreza ("Company," "we," "us," or "our") collects, uses, stores, discloses, and protects personal data submitted to or generated through our SaaS platform and associated services (collectively, the "Service").

This Policy applies to:

  • Subscribers — businesses and individuals who register and maintain a Coreza workspace;
  • Authorized Users — team members and employees who access the Service under a Subscriber's account;
  • Visitors — individuals who visit our website or marketing pages without registering; and
  • Third-party data subjects — customers, vendors, and other individuals whose personal data is uploaded to the Service by Subscribers.

This Policy does not apply to personal data processed by third-party services that Subscribers may integrate with Coreza. Those services are governed by their own privacy policies.

⚠️
Subscriber as Personal Information Controller (PIC) When Subscribers upload or input personal data of their own customers, employees, or vendors into Coreza, the Subscriber acts as the Personal Information Controller (PIC) under RA 10173, and Coreza acts as the Personal Information Processor (PIP). Subscribers are solely responsible for ensuring their data collection and processing activities are lawful and properly consented.

2 Data Controller Information

For the purposes of Republic Act No. 10173 (Data Privacy Act of 2012) and its Implementing Rules and Regulations, the Personal Information Controller for data collected directly from Subscribers and Authorized Users is:

🏢
Coreza — Personal Information Controller

Business Name: Coreza
Service: Cloud-based Business Management Platform (SaaS)
Jurisdiction: Republic of the Philippines
Contact: legal@coreza.app

Coreza has registered with the National Privacy Commission (NPC) as required under RA 10173 and its IRR for organizations processing personal data of a sensitive nature or of a significant volume.

3 Data Protection Officer (DPO)

In compliance with Section 21 of RA 10173 (Principle of Accountability) and NPC Advisory No. 2017-01 (Designation of Data Protection Officers), Coreza has designated a Data Protection Officer (DPO) who is responsible for ensuring compliance with this Policy and the DPA. The DPO serves as the primary point of contact for all data privacy matters, NPC communications, and data subject rights requests.

🛡️
Data Protection Officer — Coreza

Role: Data Protection Officer (DPO)
Email: dpo@coreza.app
For: Privacy complaints, data subject rights requests, breach reports, and NPC correspondence.

You may also contact the National Privacy Commission (NPC) directly at https://www.privacy.gov.ph for any unresolved data privacy concerns.

4 Personal Data We Collect

We collect personal data that you provide directly, that is generated through your use of the Service, and (in limited cases) from third parties. We apply the principle of data minimization — we collect only what is necessary for the purposes stated in this Policy.

4.1 Account & Registration Data

  • Full name and email address (required for account creation and OTP verification);
  • Company or business name and company slug;
  • Password (stored as a one-way bcrypt hash — never in plaintext);
  • Account role and permissions; and
  • Email verification status and timestamps.

4.2 Profile & Usage Data

  • Avatar or profile image (optional);
  • Phone number (optional);
  • Last login date and time;
  • IP address and browser user-agent (for session security, fraud prevention, and audit logging);
  • Features accessed and actions taken within the Service (activity logs); and
  • Session tokens (stored as SHA-256 hashes — raw tokens are never persisted).

4.3 Billing & Payment Data

  • Subscription plan and billing cycle;
  • Payment method details (processed by our payment processor — Coreza does not store raw card numbers); and
  • Invoice and payment history.

4.4 Customer Data (Subscriber-Controlled)

Subscribers may upload or input personal data of their own customers, vendors, and other individuals into the Service (e.g., customer names, contact details, billing information). This data is processed by Coreza on behalf of the Subscriber (as PIP). Coreza does not use this data for its own purposes beyond providing the Service.

4.5 Technical & Diagnostic Data

  • API request logs (method, endpoint, response code, timestamp);
  • Error logs and crash reports (anonymized where possible); and
  • Server performance metrics.

4.6 Communications Data

  • Content of support requests and correspondence; and
  • Email communication history for transactional emails (invoices, OTPs, password resets).

5 Legal Basis for Processing

Consistent with Sections 12 and 13 of Republic Act No. 10173, Coreza processes personal data only when a lawful basis exists. The following legal bases apply to our processing activities:

Processing Activity | Legal Basis (RA 10173)
Account creation and authentication | Performance of contract (§12(b)); Consent (§12(a))
Providing and operating the Service | Performance of contract (§12(b))
Billing and payment processing | Performance of contract (§12(b)); Legal obligation (§12(c))
Email OTP and transactional emails | Performance of contract (§12(b)); Legitimate interest (§12(f))
Security monitoring and fraud prevention | Legitimate interest (§12(f)); Legal obligation (§12(c))
Activity and audit logging | Legitimate interest (§12(f)); Legal obligation (§12(c))
Compliance with NPC and legal obligations | Legal obligation (§12(c))
Marketing communications (opt-in only) | Consent (§12(a)); you may opt out at any time
Processing Customer Data on behalf of Subscribers | Performance of contract with Subscriber (PIP role, §14)
Service improvement and analytics (aggregated, anonymized) | Legitimate interest (§12(f)); no individual re-identification

6 How We Use Your Personal Data

We process personal data only for the purposes for which it was collected (purpose limitation). Specifically, we use your data to:

  1. Create, verify, authenticate, and manage your Account and workspace;
  2. Deliver, operate, maintain, and improve the Service;
  3. Process payments, issue receipts, and manage billing;
  4. Send transactional emails, including OTP verification codes, password resets, invoice notifications, and system alerts;
  5. Detect, investigate, and prevent unauthorized access, fraud, security incidents, and breaches;
  6. Maintain activity logs and audit trails for security and compliance purposes;
  7. Respond to your support requests, complaints, and inquiries;
  8. Comply with applicable Philippine laws and regulations, including NPC orders, tax obligations, and court orders;
  9. Enforce our Terms of Service and protect Coreza's legal rights; and
  10. Send service announcements and critical notices (non-marketing) about the Service.
ℹ️
We do not sell your personal data. Coreza does not sell, rent, or trade your personal data to any third party for advertising or marketing purposes. Your data is never monetized. This commitment applies to all Subscribers, Authorized Users, and third-party data subjects.

7 Data Sharing & Disclosure

Coreza does not share personal data except in the following limited circumstances, and only to the extent strictly necessary:

7.1 Service Providers (Sub-processors)

We share data with trusted third-party vendors who process data strictly on our behalf and under written data processing agreements:

Category | Purpose | Data Shared
Email delivery provider (SMTP) | Transactional emails (OTP, invoices, resets) | Email address, name, email content
Payment processor | Subscription billing and payments | Billing name, payment method details
Cloud hosting & infrastructure | Server, database, and file storage | All data stored in the Service
Security monitoring tools | Intrusion detection, uptime monitoring | Log data, IP addresses

All sub-processors are contractually bound to process data only as instructed by Coreza, to implement appropriate security measures, and to comply with applicable data privacy laws.

7.2 Legal Compliance & Law Enforcement

We may disclose personal data if required by:

  • A valid court order, subpoena, or legal process issued by a Philippine court;
  • A lawful order of the National Privacy Commission (NPC) or other competent Philippine regulatory authority;
  • An investigation by the National Bureau of Investigation (NBI), Philippine National Police (PNP), or other authorized law enforcement agency; or
  • Any other mandatory disclosure obligation under Philippine law.

Where legally permissible, Coreza will provide reasonable advance notice to the affected data subject before disclosure.

7.3 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of all or substantially all of Coreza's assets, personal data may be transferred to the successor entity, subject to the same level of protection as described in this Policy. You will be notified of any such transfer and of any material changes to your privacy protections.

7.4 With Your Consent

We may share personal data with third parties not described above where we have obtained your explicit, prior, informed consent, which you may withdraw at any time.

7.5 Aggregated & Anonymized Data

Coreza may share aggregated, anonymized statistical data (from which no individual can be identified) for research, product improvement, or industry reporting purposes. This is not considered personal data under RA 10173.

8 Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. Applying the principle of storage limitation, our retention periods are as follows:

Data Category | Retention Period | Basis
Account and profile data | Duration of Account + 30 days post-termination for export | Contract performance
Customer Data (uploaded by Subscriber) | Duration of Subscription + 30 days post-termination | Contract performance
Billing and payment records | 10 years from transaction date | NIRC / Tax Code obligation
Activity and audit logs | 2 years from creation | Security & compliance
API access logs | 90 days (rolling) | Security monitoring
Email OTP records | 24 hours after expiry or use | Security; minimal retention
Password reset records | 24 hours after use or expiry | Security
Session tokens (hashed) | Duration of session; purged on logout or expiry | Security
Support communications | 3 years from last interaction | Legitimate interest
Data subject rights requests | 5 years (NPC compliance evidence) | Legal obligation

When the retention period expires, personal data is securely deleted or anonymized using industry-standard methods. Physical media containing personal data is destroyed in accordance with NPC-recommended secure disposal procedures.

9 Data Security

Coreza implements a comprehensive, multi-layered security program to protect personal data against unauthorized access, disclosure, alteration, and destruction, consistent with Section 20 of RA 10173 and NPC security standards.

9.1 Technical Safeguards

  • Encryption in transit: All data transmitted between your browser and Coreza servers is encrypted using TLS 1.2 or higher (HTTPS enforced across all endpoints);
  • Password security: All passwords are hashed using bcrypt (cost factor 12) — raw passwords are never stored, logged, or accessible;
  • Token security: Session refresh tokens are stored as SHA-256 hashes — raw tokens are never persisted in the database;
  • OTP security: One-Time Passwords are stored as SHA-256 hashes with a 15-minute expiry and a maximum of 3 verification attempts before invalidation;
  • Authentication: JWT-based authentication with short-lived access tokens (1 hour) and single-use rotating refresh tokens;
  • Rate limiting: API endpoints are rate-limited to prevent brute-force, enumeration, and denial-of-service attacks;
  • IP logging: Login IP addresses and user agents are logged for session security and anomaly detection;
  • SQL injection prevention: All database queries use parameterized statements (PDO prepared statements);
  • File upload restrictions: File uploads are restricted by type, validated server-side, and stored outside the web root; and
  • Security headers: HTTP security headers (HSTS, CSP, X-Frame-Options, X-Content-Type-Options) are enforced.
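The OTP handling listed above (only a SHA-256 hash stored, 15-minute expiry, the third failed guess invalidates the code), written out as an added example in PHP with PDO prepared statements. This is illustrative code, not Coreza's; the table layout, column names, six-digit code length and in-memory SQLite database are assumptions made for the example.

```php
<?php
// Added example, not Coreza's code: an e-mail OTP store with the properties
// section 9.1 lists (hash-only storage, 15-minute expiry, three attempts),
// using PDO prepared statements. Table layout, column names, the six-digit
// code length and the in-memory SQLite database are assumptions.
declare(strict_types=1);

const OTP_TTL_SECONDS  = 15 * 60;
const OTP_MAX_ATTEMPTS = 3;

function createOtpTable(PDO $db): void
{
    $db->exec('CREATE TABLE email_otps (
        id          INTEGER PRIMARY KEY AUTOINCREMENT,
        email       TEXT    NOT NULL,
        code_hash   TEXT    NOT NULL,
        expires_at  INTEGER NOT NULL,
        attempts    INTEGER NOT NULL DEFAULT 0,
        consumed_at INTEGER
    )');
}

function hashOtp(string $code): string
{
    return hash('sha256', $code);
}

// Creates a code for $email and returns the plaintext for the e-mail; only the hash is stored.
function issueOtp(PDO $db, string $email, int $now): string
{
    // Any unused code for this address is replaced, so at most one is live at a time.
    $db->prepare('DELETE FROM email_otps WHERE email = :email AND consumed_at IS NULL')
       ->execute([':email' => $email]);

    $code = str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
    $db->prepare('INSERT INTO email_otps (email, code_hash, expires_at) VALUES (:email, :hash, :exp)')
       ->execute([':email' => $email, ':hash' => hashOtp($code), ':exp' => $now + OTP_TTL_SECONDS]);
    return $code;
}

// Returns one of: ok, none, expired, mismatch, locked.
function verifyOtp(PDO $db, string $email, string $submitted, int $now): string
{
    $stmt = $db->prepare('SELECT id, code_hash, expires_at, attempts FROM email_otps
                          WHERE email = :email AND consumed_at IS NULL ORDER BY id DESC LIMIT 1');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 'none';
    }
    $id = (int) $row['id'];

    if ($now >= (int) $row['expires_at']) {
        $db->prepare('DELETE FROM email_otps WHERE id = :id')->execute([':id' => $id]);
        return 'expired';
    }

    // Record the attempt before comparing, so a crash between the two steps cannot yield a free guess.
    $db->prepare('UPDATE email_otps SET attempts = attempts + 1 WHERE id = :id')->execute([':id' => $id]);
    $attempts = (int) $row['attempts'] + 1;

    // Constant-time comparison of the two digests.
    if (!hash_equals($row['code_hash'], hashOtp($submitted))) {
        if ($attempts >= OTP_MAX_ATTEMPTS) {
            // Third failure: the code is destroyed and the user must request a new one.
            $db->prepare('DELETE FROM email_otps WHERE id = :id')->execute([':id' => $id]);
            return 'locked';
        }
        return 'mismatch';
    }

    // Single use: marked consumed rather than deleted, so the record can be purged on the 24-hour schedule in section 8.
    $db->prepare('UPDATE email_otps SET consumed_at = :now WHERE id = :id')->execute([':now' => $now, ':id' => $id]);
    return 'ok';
}

// Walk-through against constructed data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
createOtpTable($db);
$email = 'user@example.com';
$t0    = 1700000000;

$code  = issueOtp($db, $email, $t0);
$wrong = ($code === '000000') ? '000001' : '000000';
echo verifyOtp($db, $email, $wrong, $t0 + 5),  PHP_EOL;   // first wrong guess
echo verifyOtp($db, $email, $wrong, $t0 + 10), PHP_EOL;   // second wrong guess
echo verifyOtp($db, $email, $wrong, $t0 + 15), PHP_EOL;   // third wrong guess destroys the code
echo verifyOtp($db, $email, $code,  $t0 + 20), PHP_EOL;   // the correct code is now useless; a new one must be issued

$code = issueOtp($db, $email, $t0);
echo verifyOtp($db, $email, $code, $t0 + OTP_TTL_SECONDS), PHP_EOL;  // exactly 15 minutes after issue the code has expired

$code = issueOtp($db, $email, $t0);
echo verifyOtp($db, $email, $code, $t0 + 60), PHP_EOL;   // correct code inside the window
echo verifyOtp($db, $email, $code, $t0 + 61), PHP_EOL;   // the same code cannot be used a second time
```

One caveat worth keeping in mind when reading the safeguards above: an unkeyed SHA-256 of a six-digit code offers little if the table itself leaks, because an attacker can hash all one million candidates offline. The expiry and the attempt cap are what actually limit guessing; hashing with a server-side key (HMAC) or using longer codes is what closes the offline path.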

9.2 Organizational Safeguards

  • Access to production systems and personal data is restricted to authorized Coreza personnel on a need-to-know basis;
  • All personnel with access to personal data are bound by confidentiality obligations;
  • Regular security reviews, vulnerability assessments, and dependency audits are conducted;
  • A designated DPO oversees compliance with this Policy and RA 10173; and
  • Incident response procedures are in place for security breaches.

9.3 Your Responsibility

Security is a shared responsibility. You are responsible for maintaining the confidentiality of your credentials, implementing appropriate access controls for your Authorized Users, and promptly notifying Coreza of any suspected security breach.

⚠️
No system is 100% secure. While we implement industry-standard security measures, no electronic system is completely immune to intrusion. In the event of a confirmed data breach affecting your personal data, Coreza will notify you and the NPC as required under Section 20(f) of RA 10173 and NPC Circular 16-03.

10 Cross-Border Data Transfers

Coreza's servers are operated within the Philippines. However, certain sub-processors (e.g., cloud infrastructure providers, email delivery services) may store or process data outside Philippine territory.

In accordance with Section 21 of RA 10173 (which makes the PIC accountable for personal data transferred to a third party for processing, whether domestically or internationally) and its IRR, Coreza ensures that any cross-border transfer of personal data is subject to:

  • Contractual data processing agreements (DPAs) that require the receiving party to provide a level of protection at least equivalent to RA 10173;
  • Transfer only to countries or organizations recognized as providing adequate data protection; and
  • Your prior consent, where required by NPC regulations.

By using the Service, you acknowledge that your personal data may be processed by sub-processors in jurisdictions outside the Philippines, subject to the safeguards described above.

11 Your Rights as a Data Subject

Under Section 16 of Republic Act No. 10173 (Data Privacy Act of 2012), you have the following rights as a data subject. Coreza is committed to facilitating the exercise of these rights promptly and without undue burden:

📋
Right to be Informed (§16(a), §16(b))
You have the right to know whether Coreza holds your personal data, the purposes for which it is processed, and how it is being used — before or at the time of collection.
🔍
Right to Access (§16(c))
You have the right to request a copy of your personal data held by Coreza, including information on the sources from which it was obtained, the recipients to whom it has been disclosed, and the purposes of processing.
✏️
Right to Rectification (§16(d))
You have the right to request correction of inaccurate, incomplete, or outdated personal data. Many corrections can be made directly within your Account settings.
🚫
Right to Object (IRR §34(b))
You have the right to object to the processing of your personal data, including processing for direct marketing or where processing is based on legitimate interest. Objection may limit your ability to use certain features.
🗑️
Right to Erasure / Blocking (§16(e))
You have the right to request the deletion or blocking of your personal data where it is no longer necessary for the purpose collected, or where processing is unlawful, subject to legal retention obligations.
⚡
Right to Data Portability (§18)
You have the right to obtain a copy of your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
🛑
Right to Damages (§16(f))
You have the right to be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of your personal data.
📢
Right to File Complaint with NPC
If you believe your data privacy rights have been violated, you may file a complaint with the National Privacy Commission at privacy.gov.ph without prejudice to any civil or criminal action.

How to Exercise Your Rights

To exercise any of the above rights, submit a written request to our Data Protection Officer at dpo@coreza.app. Please include:

  • Your full name and registered email address;
  • The specific right(s) you wish to exercise;
  • Sufficient information to identify your Account; and
  • A copy of a valid government-issued ID for identity verification.

Coreza will respond to verified requests within fifteen (15) working days of receipt, or within the timeline specified by the NPC for complex requests. Where an extension is required, we will notify you within the initial period. Requests may be declined only where permitted by law, with a written explanation provided.

12 Cookies & Tracking Technologies

Coreza uses session-based authentication (server-side PHP sessions and JWT tokens stored in sessionStorage) rather than persistent tracking cookies for core application functionality. We do not use third-party advertising cookies or behavioral tracking technologies.

12.1 Session Management

PHP sessions are used to maintain authenticated state between page requests. Sessions expire automatically when you close your browser or after a period of inactivity.

12.2 Functional Cookies

Strictly necessary cookies may be used for CSRF protection, session integrity, and maintaining login state. These cannot be disabled without breaking core functionality.

12.3 Analytics

If Coreza uses third-party analytics tools, this will be disclosed and opt-out mechanisms will be provided. Currently, Coreza relies on server-side log analysis and does not deploy client-side behavioral tracking scripts on authenticated pages.

12.4 Do Not Track

Coreza respects browser "Do Not Track" signals to the extent technically feasible and does not engage in cross-site behavioral tracking.

13 Children's Privacy

The Service is designed and intended for use by businesses and individuals who are at least eighteen (18) years of age or the age of majority in their jurisdiction. Coreza does not knowingly collect personal data from children under eighteen (18) years of age.

If you have reason to believe that a child under 18 has provided personal data to Coreza without appropriate parental consent, please contact our DPO at dpo@coreza.app immediately. We will promptly investigate and delete such data upon verification.

If the processing of data of a minor is legitimately required in a Subscriber's business context (e.g., a minor's customer record), the Subscriber as PIC bears sole responsibility for ensuring that appropriate parental or guardian consent has been obtained as required under Philippine law.

14 Sensitive Personal Information

Under Section 3(l) of RA 10173, certain categories of personal data are classified as Sensitive Personal Information (SPI) and are afforded heightened protection. These include:

  • Race, ethnic origin, marital status, age, color, religious, philosophical, or political affiliation;
  • Health, education, genetic, or sexual life information;
  • Proceedings and judgments involving any offense;
  • Government-issued identification numbers (SSS, GSIS, PhilHealth, Pag-IBIG, TIN, passport number); and
  • Specifically established by an executive order or an act of Congress as sensitive.

Coreza's core platform is designed for general business operations and does not intentionally collect Sensitive Personal Information. Subscribers must not upload Sensitive Personal Information to the Service without implementing additional safeguards and ensuring a valid legal basis for processing under Section 13 of RA 10173, which requires:

  • Explicit consent of the data subject; or
  • Processing is necessary to protect the life and health of the data subject; or
  • A specific provision of law mandating the processing.

If your use of the Service involves Sensitive Personal Information, please contact our DPO to discuss appropriate safeguards and compliance requirements.

15 Personal Data Breach Notification

In the event of a personal data breach that meets the notification threshold under Section 20(f) of RA 10173 and NPC Circular 16-03 (Personal Data Breach Management), namely that sensitive personal information or other information that could enable identity fraud is reasonably believed to have been acquired by an unauthorized person, and the acquisition is likely to give rise to a real risk of serious harm to affected data subjects, Coreza will comply with the mandatory breach notification requirements of that Section and Circular:

  1. NPC Notification: We will notify the National Privacy Commission within seventy-two (72) hours of knowledge of, or reasonable belief that, a notifiable breach has occurred; any delay beyond that period will be justified to the NPC as the Circular requires;
  2. Data Subject Notification: We will notify affected data subjects without undue delay when the breach is likely to result in a high risk to their rights and freedoms;
  3. Content of Notification: Breach notifications will describe the nature of the breach, the data involved, the likely consequences, the measures taken or proposed to address the breach, and contact details of the DPO; and
  4. Documentation: All breaches, including those not meeting the notification threshold, will be documented in our internal breach register as required by NPC regulations.

To report a suspected breach or security vulnerability, contact dpo@coreza.app immediately. Responsible disclosure of security vulnerabilities is appreciated and will be acknowledged.

16 Changes to This Privacy Policy

Coreza reserves the right to update this Privacy Policy at any time to reflect changes in our data practices, applicable law, or regulatory requirements. When material changes are made:

  • We will provide at least thirty (30) days' advance notice via email to the registered account email address;
  • The updated Policy will be posted at this URL with an updated "Last Revised" date;
  • Where required by the NPC or RA 10173, we will re-obtain consent before processing your personal data in a materially different manner; and
  • Where material changes expand our use of your data, you will be given the opportunity to object.

We encourage you to review this Policy periodically. Your continued use of the Service after the effective date of any changes constitutes acceptance of the updated Policy. If you do not agree to the revised Policy, you must cease using the Service and request deletion of your personal data through our DPO.

17 Contact & Data Protection Officer

For all data privacy inquiries, rights requests, concerns, or complaints, please contact our Data Protection Officer. We are committed to responding to all requests within the timeframes mandated by the NPC and RA 10173.

🛡️
Data Protection Officer — Coreza

Email: dpo@coreza.app
Legal inquiries: legal@coreza.app
General support: support@coreza.app

National Privacy Commission (NPC)
If your concern is not resolved by our DPO, you may file a complaint with the NPC:
Website: https://www.privacy.gov.ph
Hotline: 8234-2228
Email: info@privacy.gov.ph

⚖️
Your rights under RA 10173 are protected by law. Exercising your data privacy rights will not result in any penalty, disadvantage, or retaliation in your use of the Service. Coreza is committed to upholding the spirit and letter of the Philippine Data Privacy Act of 2012.


© 2026 Coreza. All rights reserved.
Compliant with Republic Act No. 10173 (Data Privacy Act of 2012)  ·  Regulated by the National Privacy Commission of the Philippines