Privacy Policy

Changes in Version 1.2

This version aligns the policy with the data actually collected and stored by ObraHaus products:

• Clarified that company name and job title are collected only as optional inquiry/contact-form fields (Section 2.1).
• Clarified that automatically collected technical data includes the full HTTP user-agent string and IP address, and that these are written to system audit logs (Section 2.2).
• Added disclosure of the optional Discord account-verification integration and the Discord user ID it collects (Section 2.5; Section 5).
• Added a Sub-Processors and Service Providers section listing each processor, its purpose, the data category involved, and its jurisdiction (Section 7). Subsequent sections renumbered accordingly.

1. Overview

ObraHaus IT Solutions ("ObraHaus," "we," "us," "our") respects your privacy and is committed to protecting your personal data in accordance with the Data Privacy Act of 2012 (Republic Act No. 10173) and the issuances of the National Privacy Commission (NPC).

As a Personal Information Controller (PIC) under the DPA, we are responsible for ensuring that all personal data under our custody is processed lawfully, fairly, and with due respect to your rights.

This policy applies to all visitors of obrahaus.com, clients of ObraHaus custom engagements, and users of any SaaS product developed and operated by ObraHaus.

2. Information We Collect

2.1 Information You Provide Directly

We collect information you voluntarily provide when you contact us, submit a project brief, register for an account, or subscribe to a product. This may include your name, email address, and any details you include in your project brief or communications with us. When you submit an inquiry or contact form, we may also collect optional fields such as company name and job title to better understand your needs. We collect only what is necessary and proportionate for the declared purpose, consistent with Section 11 of the DPA.

2.2 Information Collected Automatically

When you visit obrahaus.com or use any ObraHaus product, we automatically collect technical information including your IP address, the full HTTP user-agent string sent by your client (which contains your browser type and version and your operating system), pages visited, and the date and time of your visit. This information is recorded in our system and audit logs and is used to maintain the security and integrity of our services, to troubleshoot issues, and to improve our products. It is not used to identify you personally unless combined with other data. In accordance with NPC Advisory Opinion No. 2017-063, information such as IP addresses, when combined with other data, may constitute personal information and will be treated accordingly.

2.3 Payment Information

ObraHaus does not store payment card information directly. All payment transactions are processed through trusted third-party payment providers. We retain transaction records such as amounts, dates, and invoice references solely for accounting, legal, and regulatory compliance purposes.

2.4 Information From Third Parties

In some cases, we may receive information about you from third-party platforms or services used in the course of delivering a project or operating a product. Such information is handled with the same care and in accordance with the same principles as information collected directly from you.

2.5 Discord Account Verification (Optional)

If you choose to verify or link your account through our Discord verification bot, we collect your Discord user ID, and your Discord username where available, as part of the verification process. This data is exchanged with Discord in accordance with Discord's own Terms of Service and Privacy Policy. Your Discord identifiers are stored on your ObraHaus profile and are used solely for identity verification, account linking, and granting the corresponding community roles within our applications. You may unlink your Discord account at any time from your account settings, which removes the stored Discord identifiers.

3. How We Use Your Information

ObraHaus processes personal data only when there is a lawful basis for doing so under Section 12 of the DPA. We use your personal data to:

• Respond to inquiries and communicate with prospective and active clients
• Deliver, operate, and improve our services and SaaS products
• Process payments and manage billing
• Send project-related updates, invoices, and service notifications
• Maintain the security and integrity of our systems
• Comply with applicable legal and regulatory obligations

Processing is limited to what is adequate, relevant, suitable, necessary, and not excessive in relation to each declared purpose, consistent with Section 11(c) of the DPA. ObraHaus does not use your information for advertising purposes and does not sell your data to any third party.

4. Legal Basis for Processing

We process personal data on one or more of the following lawful bases:

• Contractual necessity — processing required to fulfill a project agreement, service contract, or provide access to a SaaS product (Section 12(b), DPA)
• Legitimate interest — processing necessary for the ordinary and lawful operation of the studio, including security, fraud prevention, and service improvement, subject to the balancing test under NPC Circular No. 2023-07 (Section 12(f), DPA)
• Legal obligation — processing required to comply with Philippine laws and regulations (Section 12(c), DPA)
• Consent — where you have freely, specifically, and informedly agreed to a particular use of your personal data (Section 12(a), DPA), consistent with NPC Circular No. 2023-04

Where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out prior to such withdrawal.

5. Data Sharing and Disclosure

ObraHaus does not sell, rent, or trade personal information to any third party. We may disclose personal data only in the following limited circumstances:

• Service providers — trusted third-party processors (hosting providers, payment processors, communication tools, and identity-verification services such as Discord) who assist in delivering our services. Any such disclosure is governed by contractual arrangements requiring compliance with applicable data privacy obligations. The specific sub-processors we rely on are listed in Section 7.
• Legal compliance — when required by law, court order, regulation, or lawful instruction of a government authority
• Protection of rights — when necessary for the establishment, exercise, or defense of legal claims, consistent with Section 13(f) of the DPA and NPC Advisory No. 2024-02
• Business continuity — in the event of a merger, acquisition, or transfer of assets, personal data may be transferred as part of that process, with prior notice to affected data subjects

6. Cross-Border Data Transfers

ObraHaus uses third-party hosting and service providers that may process personal data outside the Philippines. By using our services, you acknowledge that your data may be transferred to and processed in jurisdictions outside the Philippines. We ensure that appropriate safeguards are in place when transferring personal data internationally, including contractual obligations with our service providers to maintain data protection standards consistent with the DPA and NPC Circular No. 2020-03 on Data Sharing Agreements.

7. Sub-Processors and Service Providers

We rely on the following sub-processors to operate our services. Each is engaged under terms requiring it to process personal data only on our instructions and to apply protections consistent with the Data Privacy Act of 2012 and NPC issuances.

This list reflects our current sub-processors and may change as our services evolve. Material changes will be reflected in an updated version of this policy. You may request further detail about any sub-processor, including the safeguards applied to cross-border transfers, by contacting hello@obrahaus.com.

8. Data Retention

We retain personal data only as long as necessary for the declared purpose:

• Prospective client inquiries — retained for the duration of pre-engagement communications and securely disposed of if no project agreement is reached within a reasonable period.
• Active client engagement data — retained for the duration of the project and for a minimum of three (3) years following completion, in line with applicable prescription periods under Philippine law, unless a longer period is required.
• SaaS user data — retained for the duration of the active subscription. Upon cancellation, data is retained for thirty (30) calendar days to allow for retrieval requests, after which it is securely disposed of unless the user requests earlier deletion.
• Billing and transaction records — retained for the period required by applicable tax, accounting, and regulatory obligations (including BIR requirements).

We do not retain personal data beyond what is reasonably necessary. Once the purpose has been fulfilled and no legal, regulatory, or contractual obligation requires continued storage, personal data is securely disposed of or anonymized. Data subjects may request deletion prior to the expiration of the retention period, subject to any overriding legal obligations, by contacting hello@obrahaus.com.

9. Data Security

As a sole proprietorship, access to personal data is restricted to the business owner and authorized service providers. We implement appropriate technical and organizational measures to protect personal data, including:

• Encrypting personal data in transit and at rest using industry-standard methods (AES-256)
• Restricting access to systems containing personal data through secure authentication
• Maintaining up-to-date firewall protection, security patches, and malware protection
• Storing data in secured cloud environments with appropriate access restrictions

Security measures are reviewed periodically and updated as needed. In the event of a personal data breach, we will take prompt responsive action and, where required by law or NPC regulations, notify affected data subjects and the National Privacy Commission within 72 hours, in accordance with NPC Circular 16-03 on Personal Data Breach Management.

Data privacy inquiries may be directed to hello@obrahaus.com.

10. Your Rights as a Data Subject

Under the Data Privacy Act of 2012 and NPC Advisory No. 2021-01, you are entitled to the following rights:

• Right to be informed — to be notified of the nature, purpose, and extent of processing of your personal data before or at the time of collection
• Right to access — to obtain a copy of your personal data being processed, upon written request
• Right to rectification — to have inaccurate or incomplete personal data corrected within a reasonable period
• Right to erasure or blocking — to request the blocking or removal of your personal data where processing is unlawful or the data is no longer necessary, subject to applicable legal exceptions
• Right to object — to object to processing based on consent or legitimate interest, including processing for direct marketing or profiling
• Right to data portability — to obtain your personal data in a structured, commonly used, and electronic format
• Right to damages — to be indemnified for damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of your personal data

We will not charge any fee for processing rights requests, except for reasonable fees for providing copies. Valid requests will be acted upon within thirty (30) working days from receipt, subject to a fifteen (15) working day extension if necessary.

To exercise any of these rights, submit your written request to hello@obrahaus.com. We may verify your identity before acting on your request. Account holders may also exercise the rights to access, data portability, and erasure directly from their account settings where self-service tools are provided.

11. Cookies and Tracking

We may use cookies and similar tracking technologies on our website and products to maintain session state, improve user experience, and gather aggregate usage data. In accordance with NPC Advisory Opinion No. 2017-063, cookies that can be combined with other data to identify an individual will be treated as personal information. You may control cookie preferences through your browser settings; disabling cookies may affect certain features.

We do not use cookies for advertising or cross-site tracking purposes and do not sell or share cookie-derived data with third parties.

12. Children's Privacy

Our services are not directed at children. We do not knowingly collect personal data from anyone under the age of 18. If we become aware that personal data has been inadvertently collected from a child, we will take prompt action to delete such data. To report such concerns, contact us at hello@obrahaus.com.

13. National Privacy Commission Registration

ObraHaus will register with the National Privacy Commission in accordance with applicable requirements as its data processing operations scale. Registration status and relevant details will be reflected here once completed.

14. Automated Decision-Making and Profiling

ObraHaus currently does not engage in automated decision-making or profiling that produces legal effects concerning data subjects. Should this change, we will update this policy and provide appropriate notice in accordance with the DPA and NPC issuances.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law and NPC issuances. We will notify affected clients and users of material changes via email or in-product notice before such changes take effect, consistent with the right to be informed under the DPA and NPC Advisory No. 2021-01. Continued use of our services following such notice constitutes acceptance of the updated policy. The most current version is always available at obrahaus.com.

16. Complaints and the NPC

If you believe that ObraHaus has violated your data privacy rights, you may file a complaint with the National Privacy Commission through its official channels at privacy.gov.ph. You are encouraged to first reach out to us directly so we may address your concern promptly.