1. Who We Are
Aircon.ph is operated by [LEGAL ENTITY NAME TO CONFIRM], doing business as Aircon.ph. This Privacy Policy explains how we collect, use, retain, and protect personal information in compliance with Republic Act No. 10173, the Data Privacy Act of 2012, and the issuances of the National Privacy Commission (NPC).
2. Information We Collect
We collect only the information needed to provide the service. Depending on whether you use the Customer App, the Technician App, or the website, this may include:
- Contact information — name, email address, phone number, address.
- Account information — account status, invite-code status, password hash (we do not store your plain password), and (where used) PIN hash.
- Booking and service details — service requested, preferred schedule, air-conditioning unit details, service history.
- Photos and media uploads — AC unit photos, chat attachments, profile photos. For the Technician App, we also collect verification documents and credential photos that you submit.
- Chat and support messages — in-app chat with your assigned technician and messages to our support team.
- Foreground location — when you tap "Use my location" in the booking flow, your device sends GPS coordinates so we can suggest a nearby technician and pre-fill your address. We do not track location in the background.
- Push notification tokens — needed to send booking and job updates.
- Device, session, and IP metadata — used for login security and abuse prevention (device label, IP address, session timestamps).
- Payment information — GCash payment reference numbers or proof of payment, and admin verification records. We do not store your GCash login, GCash PIN, or full GCash transaction details.
- (Technician App) Verification data — ID and credential photos, professional certifications, areas of service, payout details, and platform ratings/conduct/performance data.
- Audit and security logs — records of important account actions for security, fraud prevention, and compliance.
3. How We Use Your Information
- Account application review and approval.
- Authentication and login (including the invite-code + password flow).
- Booking coordination and technician assignment/matching.
- Service documentation, including job-start, job-completion, and service-report records.
- Manual, admin-side verification of GCash payments.
- Customer support, dispute handling, and quality assurance.
- Fraud prevention, platform safety, and security monitoring.
- Compliance with tax, accounting, and other legal obligations.
- Sending booking updates and reminders through push notifications and transactional email.
We do not sell or rent your personal information. We do not use your personal information for advertising profiling.
4. Legal Basis
We process your personal information on one or more of the following bases under the Data Privacy Act:
- Performance of a contract with you (the service you booked).
- Our legitimate interests in operating, securing, and improving the platform.
- Compliance with legal obligations (for example, tax and accounting record-keeping).
- Your consent, where consent is required (for example, optional location use).
- Protection of the rights, safety, and security of users, technicians, and the public.
5. Service Providers and Sub-Processors
We share personal information with the following service providers strictly as needed to operate the platform. Each provider has its own privacy commitments:
- Cloudflare, Inc. — web hosting (Cloudflare Pages), backend APIs (Cloudflare Workers), database (D1), and file storage (R2) for photos and attachments.
- Supabase, Inc. — database and authentication-token infrastructure. (We do not use Supabase phone OTP.)
- Resend, Inc. — transactional email (booking confirmations, application updates, support emails).
- Expo / Exponent, Inc. — push notification token brokerage for the mobile apps.
- Apple, Inc. — iOS push notification delivery (APNs).
- Google LLC — Android push notification delivery (Firebase Cloud Messaging / FCM).
- OpenStreetMap Foundation — reverse geocoding (turning your GPS coordinates into a readable address) when you tap "Use my location" in the booking flow.
- Google Tag Manager — loaded on the public website only (not in the mobile apps) for basic traffic analytics on aircon.ph.
We do not use PayMongo, Stripe, PayPal, Maya, or any automatic online card or e-wallet processor. We do not use Semaphore or any SMS provider for OTP login.
6. App Permissions
The mobile apps request only the following device permissions:
- Camera — to take photos of AC units, job/service photos, and (for technicians) profile and verification images.
- Photo / media library — to upload photos and attachments you choose.
- Location when in use (foreground) — only when you tap "Use my location" in the booking flow, to suggest a nearby technician and pre-fill your address.
- Push notifications — to deliver booking updates, job updates, and service reminders.
The apps do not currently use microphone recording, SMS permissions, biometric or Face ID authentication, or background / always-on location tracking.
7. Security
Data is transmitted over HTTPS. Passwords are hashed using PBKDF2-SHA-256 with a per-user salt and at least 100,000 iterations. Authentication tokens on mobile devices are stored in the operating system’s secure keystore where supported (iOS Keychain / Android Keystore). Website authentication tokens may be stored in your browser’s local storage unless changed to HttpOnly cookies. Access to personal data is controlled through application-layer permissions and administrative access controls.
In-app chat messages are encrypted in transit and stored on Aircon.ph’s backend. They are not end-to-end encrypted.
Uploaded photos are stored with unguessable random identifiers; access requires the URL we share with you or your assigned counterparty.
8. Retention
We retain personal information only as long as needed for the purposes described in this Policy or as required or permitted by law:
- Active account data — for as long as the account is active.
- Deleted account identifying data — deleted or anonymized after the 30-day grace / restoration period (see Section 10).
- Booking and service records — retained or anonymized as needed for legal, tax, audit, fraud-prevention, dispute, and customer-support purposes.
- Payment records and references — retained as needed for accounting, tax, refund, audit, and dispute purposes.
- Chat and support records — retained for the booking, support, or dispute lifecycle.
- Security and audit logs — retained for a reasonable security and audit period.
- Push notification tokens and active sessions — removed when account deletion is requested.
- Photos and media uploads — deleted or anonymized where technically and legally possible. Some media may persist in storage with anonymized references until a separate cleanup pass removes the files.
9. Your Rights Under the Data Privacy Act
As a data subject under RA 10173, you have the right to:
- Be informed about the processing of your personal data.
- Access the personal data we hold about you.
- Object to the processing of your personal data.
- Request correction of inaccurate or outdated data.
- Request erasure or blocking of your personal data, subject to legal and contractual constraints.
- Claim damages for violations of your data-privacy rights.
- Data portability, where applicable.
- File a complaint with the National Privacy Commission (NPC) at privacy.gov.ph/complaints-assistance.
To exercise any of these rights, contact us using the details in Section 13.
10. Account Deletion
You may delete your account from inside the app: Customer App — Account → Security → Delete my account; Technician App — Settings → I-delete ang account ko. Once a deletion is requested, your account access is disabled and active sessions and push notification tokens are removed.
A 30-day grace / restoration period may apply: during that window, you can contact us to restore the account. After the grace period, identifying account data (name, email, phone, profile photo, password hash) is deleted or anonymized. Booking, payment, audit, dispute, fraud-prevention, security, accounting, and tax records may be retained or anonymized as required or permitted by law.
For step-by-step instructions, see our Account Deletion support page.
11. Breach Notification
For qualifying personal data breaches, Aircon.ph will notify the National Privacy Commission and affected data subjects within the period required by law and applicable NPC issuances.
12. Cross-Border Processing
Some of our service providers (see Section 5) may process or store data outside the Philippines. We use reasonable contractual and organizational safeguards (including data-processing agreements with our providers) for such processing.
13. Children and Minors
The service is intended for users 18 years old and above. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal information, please email us using the contact details below so we can take appropriate action.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, in our service providers, or in the law. The date of the most recent update is shown at the top of this page.
15. Contact & Data Protection Officer
For privacy questions or to exercise any of your rights under the Data Privacy Act, contact us at:
- Data Protection Officer / Privacy Contact: [DATA PROTECTION OFFICER / PRIVACY CONTACT TO CONFIRM]
- Privacy email: [PRIVACY EMAIL TO CONFIRM]
- General contact: [email protected]
You may also delete your account directly from the app (see Section 10).