1. Introduction
This Data Processing Agreement ("DPA") supplements our Privacy Policy and Terms of Service, providing additional details on how MyBayad processes your personal data in compliance with the Philippines Data Privacy Act of 2012 (RA 10173).
2. Definitions
- "Personal Data" - Any information relating to an identified or identifiable natural person
- "Processing" - Any operation performed on personal data (collection, storage, use, disclosure, erasure)
- "Data Subject" - The individual whose personal data is being processed (you)
- "Personal Information Controller" - MyBayad, which determines the purposes and means of processing
- "Personal Information Processor" - Third parties who process data on our behalf
- "Sensitive Personal Information" - Financial data, health information, and other protected categories
3. Categories of Data Processed
3.1 Personal Information
| Data Category | Examples | Legal Basis |
|---|---|---|
| Identity Data | Name, email, profile picture (via Google) | Contract performance |
| Contact Data | Email address | Contract performance |
| Technical Data | IP address, browser type, device info | Legitimate interest (security) |
| Usage Data | Feature usage, session duration, clicks | Consent / Legitimate interest |
3.2 Sensitive Personal Information
| Data Category | Examples | Legal Basis |
|---|---|---|
| Financial Data | Debt amounts, payment history, bank names, interest rates | Explicit consent + Contract |
Note: We do NOT collect bank account numbers, credit card numbers, or authentication credentials. All payment data is self-reported by users for tracking purposes only.
4. Processing Activities
| Activity | Purpose | Data Used |
|---|---|---|
| Account Creation | Enable access to the service | Identity, Contact |
| Debt Tracking | Core service functionality | Financial Data |
| AI Insights (Gab) | Provide personalized suggestions | Financial Data, Usage |
| Calendar Sync | Payment reminders | Due dates, debt names |
| Household Sharing | Family debt coordination | Shared Financial Data |
| Error Monitoring | Service reliability | Technical Data |
5. Sub-Processors
We engage the following sub-processors to help provide the service:
| Provider | Purpose | Location | Data Processed |
|---|---|---|---|
| Supabase | Database hosting, authentication | Singapore (AWS) | All user data |
| Google Cloud | OAuth, Calendar, Gemini AI | Global (closest region) | Identity, Calendar events, AI queries |
| Railway | Application hosting | US (Oregon) | All requests (in transit) |
| Sentry | Error tracking | US | Technical data, anonymized errors |
All sub-processors are bound by data processing agreements that require them to maintain appropriate security measures and process data only as instructed.
6. Cross-Border Transfers
Your data may be transferred to and processed in countries outside the Philippines. We ensure compliance with the Data Privacy Act's requirements for cross-border transfers through:
- Adequate level of protection in the destination country
- Standard contractual clauses with sub-processors
- Binding corporate rules where applicable
- Your explicit consent for specific transfers
7. Data Security Measures
We implement the following technical and organizational security measures:
Technical Measures
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for data at rest
- Secure password hashing (bcrypt)
- Row-level security in database (Supabase RLS)
- Regular security patches and updates
- Web Application Firewall (WAF)
- DDoS protection
Organizational Measures
- Principle of least privilege for system access
- Audit logging for all data access
- Regular security training for personnel
- Incident response procedures
- Annual security assessments
8. Data Retention
| Data Category | Retention Period | After Account Deletion |
|---|---|---|
| Account Data | While account is active | Deleted within 30 days |
| Financial Data | While account is active | Deleted within 30 days |
| Consent Records | 5 years (legal requirement) | Retained for 5 years |
| Audit Logs | 1 year | Retained for 1 year |
| Anonymized Analytics | Indefinite | Retained (cannot be linked to you) |
9. Data Breach Notification
In the event of a personal data breach that is likely to result in risk to your rights, we will:
- Notify the National Privacy Commission within 72 hours of discovery
- Notify affected users without undue delay
- Provide details on the nature of the breach and remedial measures
- Document all breaches and our response
10. Your Rights
Under the Data Privacy Act, you have the right to:
- Access - Request a copy of your personal data
- Rectification - Correct inaccurate data
- Erasure - Request deletion of your data
- Data Portability - Export your data in machine-readable format
- Object - Object to certain processing activities
- Withdraw Consent - Withdraw consent at any time
- Lodge Complaint - File a complaint with the National Privacy Commission
To exercise these rights, contact privacy@mybayad.com. We will respond within 30 days.
11. Contact Information
Data Protection Officer
Email: dpo@mybayad.com
National Privacy Commission
Website: privacy.gov.ph
This Data Processing Agreement is effective as of the date you accept our Terms of Service.