Prepfolio — Privacy Policy

1. Scope & Data Controller

We are governed primarily by the Philippines' Data Privacy Act of 2012 (RA 10173), its Implementing Rules and Regulations (IRR) and guidelines of the National Privacy Commission (NPC).

• For personal data we determine the purposes and means of processing, we act as controller.
• If at any point we process data on behalf of a business customer (organization) pursuant to a separate agreement, then we may act as processor for that relationship.

2. Information We Collect

We collect personal data in the following categories:

• Account & Profile Data (e.g., name, email, password hash, user‑ID, organisation, preferences);
• User‑Provided Content (your uploads, documents, files, prompts, outputs generated, feedback, communications to us);
• Usage & Device Data (IP address, device type, browser, operating system, crash logs, timestamps, feature usage, UTM/referral parameters, geolocation approximated from IP);
• Payment & Transaction Data (billing name, address/contact, transaction details from our payment processor; credit card numbers are handled by the processor and are not stored by us);
• Cookies & Similar Technologies (cookies, local storage, analytics SDKs, beacons/pixels for service functionality, analytics, and optional marketing);
• Third‑Party Sources (we may receive data from integrations, business partners, analytics or authentication providers);
• Sensitive Data: we do not intentionally collect "sensitive personal information" or "privileged information" as defined by RA 10173 unless you explicitly provide it for a supported feature (and we will obtain any additional required consents).

3. Purposes & Legal Bases

We use your information to:

• provide, maintain, secure, update and improve the Services (contract performance / legitimate interests);
• authenticate and manage user accounts, personalise your experience (contract / legitimate interests);
• process payments and prevent fraud (contract / legal obligation / legitimate interests);
• send administrative, service‑related, security or billing notifications (contract / legitimate interests);
• send optional marketing, surveys and feature updates (with your consent where required);
• comply with laws, protect rights, enforce our policies, respond to lawful requests (legal obligation / legitimate interests).

For Philippine users, we rely on the lawful bases under RA 10173 and the IRR, including consent, contract, legitimate interests and compliance with law.

4. Model Improvement & Human Review

We do not use your content to train foundation models or for reuse for other users unless you expressly opt in. We may use de‑identified or aggregated usage data for analytics and improvement. Limited human review may occur for abuse investigation, support requests or legal compliance.

5. Children

The Services are not directed to children under 13 years of age. We do not knowingly collect personal data from children under 13. If we discover such data, we will delete it. If you are in a jurisdiction that sets a higher age of consent to digital services (e.g., the EEA/UK 13–16), local law may apply.

6. Sharing & Disclosure

We may share information:

• with our service providers/processors (hosting, analytics, payments, communications, support) under confidentiality and data‑processing agreements;
• with business customers, where you use the Services via an organisation plan and the organisation's admins can access your user data;
• in connection with a corporate transaction (merger, acquisition, sale or financing) subject to appropriate safeguards;
• to comply with legal obligations, respond to lawful requests (court, regulatory, law enforcement), prevent fraud or abuse, protect rights, safety or property.

California/US "sale" or "share": We do not "sell" or "share" personal information for cross‑context behavioural advertising as those terms are defined by the California Consumer Privacy Act (CCPA).

7. International & Cross‑Border Transfers

Because we operate globally, your data may be transferred to, stored or processed in countries other than your country of residence.

• From the Philippines: we comply with RA 10173 and IRR regarding cross‑border data transfers.
• From the EEA/UK: we rely on Standard Contractual Clauses (SCCs) and any supplementary measures; for other jurisdictions we use appropriate safeguards.

You accept these international transfers by using the Services.

8. Data Retention

We retain your personal data only for as long as necessary for the purposes described herein, to comply with legal obligations, enforce our rights or resolve disputes. When no longer needed, we securely delete or anonymise the data, except as required for backups or legal hold.

9. Security

We maintain administrative, technical and physical safeguards consistent with industry standards—including encryption in transit, access controls, logging, monitoring and least‑privilege. However, no system is impenetrable. Please notify us of suspected breaches at hi@prepfolio.app.

10. Cookies & Similar Technologies

We use strictly necessary cookies for core functionality (authentication, security), functional/analytics cookies (usage measurement, performance), and optional marketing/advertising cookies (if enabled).

You can control cookies via browser settings, in‑product controls, and recognized universal opt‑out signals (e.g., Global Privacy Control).

11. Your Rights

Depending on your location you may have rights including:

• to be informed about how your personal data is processed;
• to access and obtain a copy of your personal data;
• to correct or update your personal data;
• to erase or block/stop processing of your personal data;
• to object to processing (including direct marketing);
• (Philippines / EEA) to data portability;
• to seek damages for violations of applicable data protection law.

For users in the Philippines, under RA 10173 and IRR you have the rights to be informed, access, correct/update, erase/block and damages.

To exercise these rights contact us at hi@prepfolio.app. We will verify the request and respond within applicable legal deadlines (e.g., 30 days or shorter where required).

If you are a resident in the EEA/UK or certain US states, you may have additional rights — see summary in Section 18 of our Terms.

You also have the right to lodge a complaint with your local supervisory authority (e.g., the NPC in the Philippines; or your national regulator in the EEA/UK).

12. Data Breach Notification

In the event of a data breach or security incident that affects your personal data, we will investigate promptly and will notify you and any required regulator (such as the NPC) without undue delay. Where mandated by the relevant law (for example under the Philippines RA 10173/IRR and NPC guidelines), we will issue notification within 72 hours of becoming aware of the incident.

Notification will include description of the incident, type of data involved, measures taken and contact information for inquiries.

13. Beta & Pre‑Release Features

We may offer experimental or pre‑release Services ("Beta"). Such features may have limited functionality, performance variability or might be changed or removed without notice. Your data collected during Beta will still be protected under this Policy.

14. Third‑Party Links & Services

When you click links or integrate third‑party services (plug‑ins, widgets, API integrations), those third parties' own terms and privacy policies govern their practices. We are not responsible for third‑party data collection or use.

15. Changes to this Policy

We may amend this Privacy Policy from time to time. If we make material changes (e.g., new purposes for data processing, new legal basis, new rights), we will notify you via email or in‑product notice, and post the updated version with a new "Last updated" date.

Contact: hi@prepfolio.app