Biyahe Buddy Privacy Policy

1. Classification of Collected Personal Data

In compliance with the Data Privacy Act of 2012 (Republic Act No. 10173, the "DPA"), we collect and process the following categories of personal data, classified under Philippine law as follows:

A. Personal Information (PI)

Under the DPA, "Personal Information" is any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained. We collect the following Personal Information:

  • Identity Data: Full name, gender, nationality, and place of residence.
  • Contact Data: Email address, mobile phone number, physical mailing address, and telecommunications carrier.
  • Account Credentials: Username, password, and security access logs.
  • Device and Technical Data: IP address, unique device identifiers, hardware model, operating system version, and mobile network information.
  • Log and Activity Data: System configurations, crashes, hardware settings, location preferences, and date/time stamps of transactions.
  • Behavioral and Preference Data: Number of subscriptions purchased, travel frequency, the manner and tone of your communications with our customer service, and the like.
  • Cookies and Tracking Data: We use cookies and similar tracking technologies (including those set by Google Analytics) to personalize the Services, compile usage reports, and market our services.

B. Sensitive Personal Information (SPI)

Under Section 3(l) of the DPA, certain categories of data are classified as Sensitive Personal Information and may be processed only with strict security measures and your consent. We apply that standard to the following categories:

  • Demographic Data: Date of birth, age, and marital status.
  • Government-Issued Identifiers: SSS, GSIS, TIN, PhilHealth, Pag-IBIG, passport numbers, or other government IDs.
  • Financial and Banking Data: Bank account numbers and e-wallet numbers.
  • Other Information: Vehicle registration number, make, and model information.

2. Legal Basis and Purpose of Processing

In compliance with the principles of Transparency, Legitimate Purpose, and Proportionality, we process your personal data under the following legal bases:

A. Explicit Consent of the Data Subject

We obtain your written, electronic, or recorded consent prior to the collection and processing of your Personal Information and SPI. This consent covers:

  • Identity Verification and KYC: Validating your identity, verifying your financial status, and assessing medical risks for underwriting.
  • Policy Administration: Issuing digital policies, updating account details, managing premium payments, and processing benefits claims.
  • Direct Marketing and Personalization: Sending updates about promotional offers, products, and benefits customized to your profile. You have the right to object to processing for direct marketing at any time.
  • Service Improvement and AI/ML Development: We collect and anonymize behavioral and preference data (such as the number of subscriptions purchased, travel frequency, and the manner and tone of your communications with our customer service) for the purpose of improving our services and technology.

B. Performance of a Contract

Processing is necessary to fulfill our obligations under the Terms of Use, service agreements, or insurance contracts executed on our platform.

C. Compliance with Legal Obligations

Processing is necessary to comply with regulatory mandates, including rules issued by the Insurance Commission, the Bangko Sentral ng Pilipinas, and the Bureau of Internal Revenue (BIR), and with anti-money laundering laws.

The specific data types we process are described in Section 1.

3. Data Sharing, Outsourcing, and International Transfers

We do not disclose, share, or transfer your personal data to third parties without your consent, except in accordance with the following legal parameters:

A. Data Sharing with Third-Party Personal Information Controllers (PICs)

When sharing data with other independent PICs (such as licensed insurance underwriters or financial partners), we act in accordance with the guidelines of NPC Advisory No. 2025-01. While formal Data Sharing Agreements (DSAs) are optional under this advisory, we execute DSAs as a matter of best practice to demonstrate transparency, mutual accountability, and compliance.

B. Data Outsourcing (Subcontracting)

When we engage service providers (such as IT hosting partners, cloud storage providers, payment gateways, or customer service platforms) to process data on our behalf, they act as Personal Information Processors (PIPs). All such arrangements are governed by strict Subcontracting Agreements. These agreements mandate that the PIP must:

  • Process data strictly under our written instructions.
  • Implement physical, organizational, and technical security measures comparable to our own standards and those required by the DPA.
  • Maintain the absolute confidentiality of the processed data.

C. Cross-Border Data Transfers

In the event that personal data is transferred, stored, or processed outside the Philippines, such as on our cloud servers based in Singapore, we ensure that:

  • You have provided explicit consent for the cross-border transfer.
  • The recipient country provides a standard of protection at least comparable to the Philippine DPA.
  • Contractual safeguards, such as binding corporate rules or standard contractual clauses, are implemented to protect the transferred data.

4. Technical, Physical, and Organizational Security Measures

To protect your personal data from accidental destruction, unauthorized access, alteration, or disclosure, we implement a robust security framework:

  • Organizational Measures: We designate a Data Protection Officer (DPO) to oversee compliance, conduct Privacy Impact Assessments (PIAs) for new platforms, and enforce confidentiality obligations across all personnel.
  • Physical Measures: We restrict physical access to servers, workstation consoles, and paper-based records through biometric controls, security monitoring, and secure disposal protocols.
  • Technical Measures: We employ strong encryption standards (such as AES-256 for data at rest and TLS 1.3 for data in transit), multi-factor authentication (MFA), regular vulnerability scans, and AI-powered real-time fraud verification systems.

5. Mandatory Breach Notification Procedure

5.1. In accordance with Section 20 of the DPA and its Implementing Rules and Regulations (IRR), a personal data breach is a security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

5.2. The 72-Hour Rule: In the event of a security incident or suspected breach that involves Sensitive Personal Information or other data that may enable identity fraud, and where we reasonably believe that the breach is likely to pose a real risk of serious harm to any affected data subject, we shall notify both the National Privacy Commission and the affected data subjects within seventy-two (72) hours from our knowledge of, or reasonable belief that, such a breach has occurred.

5.3. The notification shall contain a description of the nature of the breach, the categories of data compromised, the measures taken to mitigate the risks, and the contact details of our Data Protection Officer.

6. Rights of the Data Subject

Under the Philippine Data Privacy Act, you possess the following statutory rights, which you may exercise at any time :

  • Right to be Informed: The right to know whether your personal data is being processed, for what purposes, and by whom.
  • Right to Access: The right to obtain reasonable access to your personal data and understand the logic involved in any automated decision-making or profiling.
  • Right to Object: The right to withhold consent or object to the processing of your data, including processing for direct marketing, profiling, or automated decisions.
  • Right to Rectification: The right to dispute and request the immediate correction of any inaccuracy or error in your personal data.
  • Right to Erasure or Blocking: The statutory right to request the suspension, withdrawal, blocking, or erasure of your personal data from our filing systems if the data is no longer necessary for the purposes for which it was collected, if consent is withdrawn, or if the data was processed unlawfully.
  • Right to Data Portability: The right to obtain a copy of your personal data in a structured, commonly used, and machine-readable electronic format to facilitate its transfer to another controller.
  • Right to Damages: The right to be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of your personal data.
  • Right to File a Complaint: The right to file a formal complaint with the National Privacy Commission if you believe your privacy rights have been violated.

7. Data Retention and Secure Disposal

7.1. We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, to satisfy the active duration of your transactions or insurance policies, or to comply with statutory retention periods under Philippine tax, insurance, and corporate laws. 

7.2. Once the retention period expires, or upon your valid request for erasure, your data shall be securely disposed of through physical shredding (if applicable), secure declassification, or permanent digital overwriting, rendering the data unrecoverable and unidentifiable.

8. Contact Information and Regulatory Recourse

If you wish to exercise any of your rights, ask questions about our data processing activities, or request the contact details of our designated Data Protection Officer, you may contact us at kamusta@gigacover.com.