Privacy Policy
Effective date: 2026-04-30 · Policy version: 2026-04-30
This Privacy Policy explains how Dalipila collects, uses, shares, and protects your personal data when you use our booking platform (the “Service”), including the Dalipila mobile app, website at dalipila.app, and any branded business pages we host. We are committed to processing your data in compliance with the Philippine Data Privacy Act of 2012 (Republic Act No. 10173) and its implementing rules.
1. Who we are
The Service is operated by RJ&C Software Development Services, a sole proprietorship registered in the Philippines with DTI, operating from Cebu. We act as a Personal Information Controller (PIC) under the Data Privacy Act for data collected through the Service.
Our Data Protection Officer (DPO) can be contacted at dpo@dalipila.app.
2. What data we collect
2.1 Personal information you provide
- Name (first name; last name is optional)
- Mobile phone number
- Email address
- Profile photo (optional)
- Booking notes you write or that businesses add to your record
- For business owners: business name, address, contact details, tax registration documents (BIR, Mayor’s Permit, ID) for payment processor verification
2.2 Sensitive personal information
When you book wellness, massage, or spa services, the booking record and any associated notes (e.g., pressure preference, areas to focus on) may qualify as sensitive personal information under the Data Privacy Act, because they relate to your health or physical condition. We process this category only with your explicit consent and apply additional safeguards described below.
2.3 Information collected automatically
- Device information (device type, operating system, app version)
- IP address and approximate location (for nearby-business search)
- Usage events (pages viewed, bookings made, errors encountered)
- Cookies and similar technologies on the website (see Section 9)
2.4 Information from third parties
- Payment status from PayMongo (we do not see your full card number, only payment method, last 4 digits, and status)
- SMS delivery status from Semaphore for messages we send to you
3. Why we collect it (purposes)
- To create and authenticate your account
- To facilitate bookings, payments, and communication with the business you book with
- To send transactional messages: booking confirmations, reminders, cancellations, payment receipts, account-security messages
- With your separate, explicit opt-in consent: marketing messages (birthday offers, win-back promotions). You can withdraw this consent at any time
- To provide nearby-business search results based on your approximate location
- To recommend businesses or staff based on your service history and preferences (only with your sensitive-PI consent for the preference component)
- To detect and prevent fraud, abuse, and unauthorized access
- To comply with legal obligations and respond to lawful requests
4. Legal bases for processing
We process your personal data on the following legal bases under the Data Privacy Act:
- Consent — for sensitive personal information, marketing communications, and any non-essential processing
- Contractual necessity — to deliver the booking service you have requested
- Legal obligation — to comply with tax, anti-money-laundering, and other regulatory requirements
- Legitimate interests — to operate, secure, and improve the Service, where these interests are not overridden by your privacy rights
5. Who we share it with
We share personal data only with the following categories of recipients, and only to the extent necessary:
5.1 Businesses you book with
When you book a service, the business and its assigned staff receive your name, contact details, booking time, service selected, any notes you provide, and the payment status. The business is a separate Personal Information Controller for the data it receives, governed by its own privacy obligations under the Data Privacy Act.
5.2 Service providers (Personal Information Processors)
| Provider | Purpose | Region |
|---|---|---|
| Supabase | Database, authentication, file storage | Singapore |
| PayMongo | Payment processing (GCash, Maya, QR Ph, card) | Philippines |
| Semaphore | SMS delivery (OTP, transactional, marketing) | Philippines |
| Resend | Email delivery (OTP, transactional) | United States |
| Sentry | Error and crash reporting | United States |
| Inngest | Background job processing | United States |
| Vercel | Web hosting and edge logs | United States |
| Apple App Store, Google Play | Mobile app distribution | United States |
5.3 Legal and regulatory recipients
We may disclose personal data when required by law, court order, or lawful regulatory request, including to the National Privacy Commission, the Bureau of Internal Revenue, the Anti-Money Laundering Council, and law enforcement agencies of the Philippines.
6. Cross-border data transfers
Some of the providers listed above process data outside the Philippines (Singapore, United States). We rely on contractual safeguards (Data Processing Agreements with each provider) to ensure your data receives a level of protection comparable to that required by Philippine law. The list of jurisdictions in Section 5.2 reflects the providers as of the effective date and may be updated when we change processors.
7. How long we keep it
- Account profile — kept while your account is active. After a deletion request, it is removed within 30 days.
- Booking records — kept for up to 5 years for tax and statutory record-keeping, then deleted or anonymized.
- Booking notes (sensitive PI) — kept for up to 24 months after your last booking with that business.
- Payment records — kept for the period required by tax law and PayMongo’s retention policy (typically 5 years).
- SMS / email logs — kept for up to 12 months for delivery troubleshooting and regulatory inquiry response.
- Error logs — typically 90 days, with personal data redacted where possible.
8. Your rights as a data subject
Under the Data Privacy Act, you have the right to:
- Be informed about how your data is processed
- Access your personal data we hold
- Correct inaccurate or outdated data
- Object to processing or request that processing be stopped
- Request erasure or blocking of your data when it is no longer necessary, when consent is withdrawn, or when there has been unlawful processing
- Receive a copy of your data in a structured, commonly used format (data portability)
- Withdraw your consent for processing based on consent
- File a complaint with the National Privacy Commission if you believe your rights have been violated
- Be compensated for damages caused by unlawful or negligent processing
To exercise any of these rights, contact our DPO at dpo@dalipila.app. We will respond within the timelines required by law.
9. Cookies and tracking on the website
The Dalipila website uses cookies and similar technologies to keep you signed in, remember your preferences, and measure how the Service is used. You can disable cookies in your browser, though some features of the website may not function correctly without them. The mobile app does not use third-party tracking cookies; it stores authentication tokens in secure on-device storage.
10. Children
The Service is intended for users 18 years of age or older. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact our DPO and we will delete it.
11. Security
We protect your data with administrative, physical, and technical safeguards including: encryption in transit (TLS) and at rest, role-based access controls, row-level security policies on our database, audit logging, and regular review of third-party processor security posture. No system is perfectly secure, and we will notify the National Privacy Commission and affected data subjects of any qualifying personal data breach within the timelines required by the Data Privacy Act.
12. Changes to this Privacy Policy
We may update this Privacy Policy as the Service evolves or as legal requirements change. When we make material changes, we will: (a) update the policy version and effective date at the top of this document, (b) notify registered users by email or in-app message, and (c) where required by law, request renewed consent. The current version is always available at this URL.
13. Contact
Data Protection Officer: dpo@dalipila.app
General contact: hello@dalipila.app
Mailing address: RJ&C Software Development Services, Cebu, Philippines
To file a complaint with the regulator: National Privacy Commission, privacy.gov.ph.
See also: Terms of Service