Introduction

At SaleSnap, we’re revolutionizing how brands, affiliates and buyers connect, offering real-time compensation and powerful tools for scalable, effective partnerships. To make this possible, we need to collect and use certain information. This Privacy Policy explains what information we collect, why we collect it and how we use and protect it.

Purpose and Scope

This Privacy Policy outlines the data privacy principles and practices of SaleSnap (“SaleSnap”) in compliance with Republic Act No. 10173 or the Data Privacy Act of 2012 (DPA) and its Implementing Rules and Regulations. It applies to all personal data we collect, process, and store in connection with the use of our services and platform that connects brands and affiliates through digital and mobile platforms.

This Policy governs data handling in all stages of the data lifecycle: collection, processing, sharing, storage, retention, and disposal.

Definition of Term

• Personal Data – Any information that identifies or can reasonably identify an individual, including name, contact details, identification documents, account information, and payment details.
• Data Subject – Any individual whose personal data is processed, including users, clients, affiliates, and brand representatives.
• Processing – Any operation performed on personal data, whether automated or manual.
• DPO – Data Protection Officer appointed by the Company to ensure compliance with the DPA.

Data We Collect

We collect personal data necessary for the delivery of our services:

1. From Buyers

• Full name, contact number, and email address
• Shipping address
• Government-issued ID or other proof of identity
• Bank or digital wallet account details for payments
• Uploaded content (photos, videos, profile information)

2. From Affiliates/Influencers:

• Full name, contact number, and email address
• Government-issued ID or other proof of identity
• Social media profiles and metrics
• Bank or digital wallet account details for payments
• Uploaded content (photos, videos, profile information)

3. From Brands/Sellers/Business Clients:

• Company name and authorized representative’s details
• Business permits or verification documents
• Contact information (email, phone number, position)
• Billing and payment details

4. Automatically Collected Data:

• IP address, browser type, device information
• Activity logs, session data, clickstreams
• Cookies and similar technologies

Purpose of Processing

We collect and process personal data for the following purposes:

• To enable account creation and onboarding
• To verify identity and conduct due diligence
• To match brands with suitable affiliates/influencers
• To manage and track campaign activities
• To facilitate communication between parties
• To process payments to affiliates/influencers
• To generate analytics and improve platform functionality
• To send service announcements and updates
• To comply with lawful orders and regulatory requirements

Legal Bases for Processing

Processing is conducted based on one or more of the following:

a. Consent

• We process your data when you voluntarily provide it, such as when you sign up, link your social media accounts, or agree to participate in a campaign. Consent also applies when you allow us to use your data for communications, marketing updates, or platform analytics. You may withdraw your consent at any time, subject to legal or contractual restrictions.

b. Contractual Necessity

• Your personal data is necessary for us to fulfill our contractual obligations, such as creating your account, matching you with partner brands, generating affiliate links, processing real-time payouts, and managing campaign activities. Without this data, we cannot provide you with full access to our services.

c. Compliance with Legal Obligations

• We may process and retain your data to comply with legal requirements, such as tax reporting, anti-fraud checks, and regulatory obligations. We may also disclose your data to government authorities in response to lawful orders, subpoenas, or regulatory audits.

d. Legitimate Interest

• We process data to support our legitimate business interests, which include improving our services, detecting suspicious activity, maintaining platform security, conducting analytics, and developing new features. We ensure that these interests do not override your fundamental rights and freedoms.

Use of Information

Data collected is used to:

• Provide and maintain our services to operate, maintain, and improve our platform, facilitate connections between brands and affiliates, and enable real-time compensation.
• Create and manage your account to tailor our services and content to your preferences and interests, whether you are an affiliate, brand, or partner, including storing your profile and preferences.
• Verify your identity and credentials to ensure eligibility for real-time compensation and secure transactions.
• Enable real-time payouts and manage financial operations, including generating payment records and audit logs.
• Match you with suitable campaigns, automate partnership workflows, and support end-to-end campaign tracking and performance management.
• Generate and monitor affiliate links, track conversions, clicks, and commissions tied to your promotional efforts.
• Communicate essential updates, such as payment notifications, policy changes, updates, security alerts, and platform announcements tailored to your activity.
• Fulfill legal and regulatory requirements, including those related to taxation, anti-fraud measures, and data protection laws.
• Analyze platform behavior and optimize features, including improving campaign recommendations, compensation models, and user experience.

Data Sharing and Disclosure

Data collected is shared with trusted third parties when necessary to operate the platform, fulfill services, or to comply with legal obligations. These include:

• Brands and Affiliates: To facilitate partnerships and campaign execution, relevant personal data will be shared between brands and affiliates.
• Service providers: We may share your date with third-party vendors (list of third-party vendors[link]), consultants and other service providers who perform services on our behalf, such as payment processors, cloud hosting providers, analytics providers, and customer support. These service providers are obligated to protect your data and are only authorized to use it for the purposes for which we provide it for.
• Government agencies or regulators: We may disclose your data if required to do so by law or in response to valid requests by public authorities.
• Professional advisors, such as legal counsel or auditors, for the purpose of compliance, risk management, or resolving disputes.

We make sure that any third party we work with, such as partner brands, service providers, or payment platforms, follows strict confidentiality standards, puts proper data protection safeguards in place, and respects privacy rights in line with applicable data privacy laws. We use written agreements and other measures to monitor their compliance with this Policy. These third parties are only allowed to use personal data for authorized purposes and must follow our instructions to keep information secure.

Your Data Privacy Rights

Subject to the Data Privacy Act and other applicable laws, you have the right to access or correct your personal information held by us, object to its processing, or request its deletion, blocking, or portability. You may also inquire about our data protection practices or file a complaint with the National Privacy Commission to protect your rights as a data subject.

You can learn more about your data privacy rights by visiting the National Policy commission’s website at https://privacy.gov.ph/data-subject-rights/

You may exercise these rights by contacting our Data Protection Officer at [email protected]. We may need to request specific information from you to help us confirm your identity and ensure your rights. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Data Retention

We retain personal data only for as long as:

• Required to fulfill the purposes stated above
• Necessary to comply with applicable laws (e.g., tax, accounting, audit)
• Required to establish, exercise, or defend legal claims
• As a rule, personal data shall be retained for a maximum period of five (5) years from the date of the last transaction or interaction, unless a longer retention period is required by applicable laws or justified by a legitimate business interest.
• While users may delete their accounts through the dashboard, some personal information may be retained for a specific duration to comply with legal obligations or for legitimate business purposes.

Disposal of Data

After the retention period, or when the data is no longer necessary or relevant to the declared purpose, personal data shall be securely disposed of or anonymized through appropriate methods to prevent unauthorized access, disclosure, or use. Disposal shall be carried out in accordance with industry standards and applicable data protection regulations.

We conduct regular reviews of stored data and implement disposal schedules to ensure compliance with our data retention policy.

Data Protection and Security Measures

SaleSnap implements stringent technical and organizational measures to protect personal data from unauthorized access, alteration, disclosure, or destruction. Employees must adhere to these measures:

a. Access Control: Access to personal data is strictly controlled based on your job function and "need-to-know" basis (Role-Based Access Control - RBAC). Multi-factor authentication (MFA) is mandatory for all admin and developer accounts.

b. Secure Systems: Only authorized personnel can access production databases and storage systems.

c. Data Encryption:

• Data in Transit: All data transmitted across our networks is encrypted using HTTPS/TLS 1.2 or higher.
• Data at Rest: While data at rest encryption is part of our upcoming security roadmap, employees must ensure data stored locally on company devices (laptops, external drives) is adequately secured.

d. Sensitive Financial Data Handling: Sensitive financial data, such as bank details, are never stored directly on our servers. Instead, they are tokenized and securely handled by our PCI-compliant payment partners (e.g., VeryGoodSecurity - VGS). Employees must never ask for or store unencrypted financial details.

e. Backups: Automated backups for our database are being implemented, with secure, geo-redundant storage planned for improved data resilience. Employees must follow all backup procedures for data they manage.

f. Employee Device Security: All company-issued devices (laptops, phones) must have up-to-date security software, firewalls, and be password-protected. Personal devices used for work must also comply with company security guidelines.

g. Physical Security: Ensure physical access to systems and documents containing personal data in our offices is secure.

Data Subject Rights

In accordance with Section 16 of the DPA, data subjects are entitled to the following:

• Right to be informed about processing activities
• Right to object to processing
• Right to access their personal data
• Right to correct inaccurate data
• Right to erasure or blocking
• Right to data portability
• Right to damages
• Right to lodge a complaint with the National Privacy Commission

The data subject may exercise any of the rights provided under the Data Privacy Act by contacting our Data Protection Officer at [email protected]. To verify the identity of the requesting party and to protect the confidentiality of personal data, we may request specific information. This security measure ensures that personal data is not disclosed to any individual who is not authorized to receive it. We may also request additional information, if necessary, to clarify the request and facilitate a timely and appropriate response.

Data Breach Management

In the event of a data breach, the DBMT shall perform the following actions in accordance with NPC Circular No. 16-03 and relevant laws:

• Notification. The DBMT shall assess whether the breach is likely to result in serious harm to the affected data subjects. The DBMT will notify affected data subjects and the NPC within 72 hours from discovery of the breach, as required by law.
• Containment and Mitigation. Immediate steps shall be taken to contain the breach, prevent further unauthorized access, and reduces the risk of harm. This may include isolating affected systems, disabling compromised accounts, or resetting credentials.
• Documentation. All details of the breach—including its nature, scope, impact, response measures, and outcomes—shall be recorded in our Data Breach Management Register in compliance with accountability and documentation requirements.
• Cooperate and Remediation. The organization shall fully cooperate with the NPC and other relevant authorities. Appropriate remedial actions shall be implemented, including reviews of security protocols, staff training, and long-term risk mitigation strategies.

Training and Awareness

All new employees will receive mandatory data privacy training during onboarding. Regular refresher training will be provided to ensure all employees remain aware of:

• The principles of data protection.
• Their responsibilities under this Policy.
• Best practices for handling personal data securely.
• How to identify and report potential privacy incidents.

Third-Party Services and Cross-Border Data Transfers

Some features of our platform may integrate with third-party services such as payment processors, analytics tools, cloud providers, or social media platforms. These services operate independently and have their own privacy policies and data handling practices, which are beyond our control. We encourage users to review their privacy policies, as we do not assume responsibility for how they collect, use, or share personal data.

Where necessary, data may be transferred to third parties, provided that:

• Adequate data protection measures are in place;
• Contracts include standard data protection clauses; and,
• The transfer complies with NPC Circulars and Advisory Guidelines.

Data Protection Officer (DPO)

If you have questions or concerns about this Policy or your rights as a data subject, you may contact our DPO at:

Data Protection Officer
[email protected]
OP123-B, One Paseo, Cebu, Maria Luisa Road, Paseo Saturnino, Banilad, Cebu City, Cebu, Philippines

Policy Review and Updates

This Privacy Policy may be updated periodically to reflect changes in regulations or practices. Updates will be posted on our website or notified to users through email or in-app messages, where appropriate.