PASS PRIVACY POLICY
Created March 15, 2020

I. Privacy Notice

This Privacy Notice (“Notice”) details how PASS App Philippines (the “Company”) and its subsidiaries, associate companies, and jointly controlled entities (the “Group”), and recognized partners (“Partners”) use your personal and sensitive personal information.
The Notice specifically states the kind of information to be gathered, processed, and stored, the extent and limit of its use, and the purposes to which the information is utilized. Moreover, the Company guarantees to all data subjects the security of their information in our possession and provides available remedies in case of a serious breach.
Furthermore, the Notice enumerates the respective data privacy rights that every data subject possesses and the appropriate measures to address issues about data privacy and security.
The Company, as the personal information controller, values data privacy and assures all users that information being voluntarily given is gathered, processed, and stored in line with principles of transparency, proportionality, and legitimate purpose.
The Notice is crafted in compliance with the following laws and regulations:
• Data Privacy Act of 2012 and its Implementing Rules and Regulations (IRR)
• All corresponding circulars, memoranda, opinions, and other regulations issued by the National Privacy Commission (NPC)
The Company reserves the right to amend the Notice following the legal developments in this jurisdiction subject to prior notice to every data subject. Consent to any change in the Notice may be signified by the data subject through the continued use of PASS’ services and other forms of engagement with the Company.
In the event of any conflict between the English and other language versions of the Notice, the English version shall prevail.

II. Definitions

• “Consent” refers to freely given, voluntary, specific, and informed indication of will by a data subject by written, electronic or recorded means in collecting and processing his or her personal and sensitive personal information.
• “Data subject” refers to a person whose personal and sensitive personal information is processed by the Company. The term includes the User as well as agent, vendor, supplier, partner, contractor or service provider of the Company.
• “Personal information” refers to any information from which an individual’s identity is apparent or can be reasonably determined by the Company. It also refers to any information that would directly identify an individual when placed together with other information.
• “Personal information controller” refers to the organization that controls the collection, holding, processing, or use of personal information, such as the Company.
• “Processing” refers to any operation performed upon personal and sensitive personal information such as the collection, recording, organization, storage, updating, modification, retrieval, use, consolidation, erasure or destruction of information.
• “Partners” refers to parties with whom the Company collaborates with for certain events, programs and activities.
• “Privileged information” refers to any information which constitutes privileged communication under the Rules of Court and other pertinent laws.
• “Sensitive personal information” refers to personal information below:
• Individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
• Individual’s health, education, relations or activities;
• Government-issued information peculiar to an individual such as social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns;
• Any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings; and
• Those specifically established by an executive order or an act of Congress to be kept classified.
• “Software” refers to PASS’ technologies, website, and/or applications;
• “User” refers to any person who accesses, downloads, register, or utilizes PASS’ Software for purposes of availing its services.

III. Importance and need of consent

Data subjects are required to voluntarily signify their consent in providing their information to the Company. The failure of the data subject to provide necessary information to the Company will preclude the processing of his or her information and the use of services provided by the Company.
Because the processing of sensitive personal information without consent is generally prohibited under the Data Privacy Act of 2012, the data subject consents to allow the gathering, processing, and storing the information for the purposes stated herein.
The data subject acknowledges to have read and understood the Notice and agree to the gathering, processing, and storing of personal information by the Company through the use of services, product purchases, and other forms of communication and engagement by the data subject with the Company.
The data subject consents to receive electronic communications that seek to inform users about the Company, as well as administrative announcements from the sender to its existing users, subscribers or customers.
The Company may process information provided by the data subjects for the following activities:
• Sending of alerts, newsletters, and other materials from the Company, the Group, and other Partners;
• Notifying the data subjects regarding updates, events or activities organized by the Company, the Group, and its Partners; and
• Processing such information for other lawful activities.
Persons who may provide any information about other persons in special circumstances warrant to the Company that they obtained consent in disclosing such information and its processing for the purposes provided in the Notice.
While the Company acknowledges that doubts in the interpretation of the provisions of the Data Privacy Act of 2012 may be resolved in favor of the data subject, consenting to this Notice binds the data subject in agreeing to the terms and conditions set herein.

IV. Withdrawal of Consent

The data subject shall notify the Company via email through support@passapp.ph if he or she wishes to revoke consent from the processing of his or her personal information.

The Company assures the data subjects to immediately respond to any request to withdraw consent from information processing.
The data subject may also unsubscribe from subscriptions and communications of the Company, whether solicited or not, on which he or she previously consented to. An “Unsubscribe” button found in an electronic mail (e-mail) may be clicked to signify his or her withdrawal of consent from any future communication.
The data subject who does not wish his or her information to be collected via cookies on the Company’s software may simply deactivate cookies in the following manner:
• Adjusting internet browser settings to disable, block or deactivate cookies;
• Deleting your browsing history; and
• Clearing the cache from your internet browser
V. Processing of Information

The Company gathers, processes, and stores fairly and lawfully any information provided by the data subject, including personal and sensitive personal information. The Company obtains information mainly by the use of the data subject of its website and other software. The data subjects are allowed to rectify or supplement any inaccurate or incomplete information provided to the Company.
The Company collects information from the data subject for specified and legitimate purposes only, as determined and declared before, or as soon as reasonably practicable after its collection. The Company also retains such information only for as long as necessary for the fulfillment of the purposes for which the data was obtained.
The data subject consents to the transfer, processing, and storing of information obtained by the Company in a jurisdiction other than the Philippines while using the Company’s software and other services.
The data subject also agrees to the transfer of information to third parties, including Partners of the Company such as authorized government workers, for legal purposes or as required by law, subject to prior notice.
The Company expressly denies any liability from the collection of information from the data subjects by third parties’ websites which may be linked to the Company’s software and other services available online. Any contention about third party websites must be governed by their respective privacy notices.
The Company is not precluded from outsourcing services of other juridical entities or individuals, including personal information processors, to gather, process, and store personal information obtained from the data subjects.
The data subject further consents to the sharing of information already in possession of the Company in cases of official corporation transactions, including but not limited to a sale of a subsidiary or a division, merger, consolidation, or asset sale, or winding-up.

VI. Purposes of Information Processing

A) The Company gathers, processes, and stores your information for the following general purposes:
• Historical, statistical and scientific purposes;
• Protecting vitally important interests, including my life and health;
• Responding to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate;
• Eliciting feedback, suggestions, and comments;
• Responding to questions;
• Auditing, compiling of records, analyzing data, and other internal administrative purposes;
• Preventing and prosecuting crimes
• Complying with obligations required by Philippine laws; and
• Communicating with the data subject for purposes stated in the Notice

B) Specifically, information from the users are utilized for the following purposes:
• Providing and processing services as requested or availed by the user, including any request to download and use the Company’s Software such as the PASS App
• Providing benefits offered to subscribers or users;
• Processing information exchanges;
• Processing participation in Company-led activities, research studies, contests, promotions, polls, or similar events;
• Analyzing customer needs and preferences and other customer-related matters;
• Enhancing products and services; and
• Processing of information for other legal and research purposes

VII. Security of Personal Information

The Company guarantees the data subjects the implementation of proper organizational, physical and technical measures to protect personal information against any accidental or unlawful destruction, alteration and disclosure, and other unlawful processing of information. The Company assures the data subjects that measures are taken to safeguard personal information from natural and human dangers and recognizes its responsibility to determine the appropriate level of security to be maintained in dealing with various forms of information.
The Company has implemented a security policy within its organization in dealing with the collected information. The Company also accounts for foreseeable vulnerabilities in information collection, processing, and retention, monitors compliance with its security policy, and takes preventive measures to avoid a breach of rights of the data subjects.
The Company undertakes to notify the National Privacy Commission (NPC) and affected the data subjects in case of the information breach and other events of similar nature for mitigating purposes.
The Company mandates its employees, agents or representatives involved in the processing of personal information to hold information under strict confidentiality, with such obligation as a continuing one, even if they have officially severed their relations with the Company.
The Company also invokes the principle of privileged communication over privileged information under the Rules of Court as to the information they lawfully control or process.

VIII. Rights of Data Subject

The Company recognizes and takes responsibility for upholding every right of the data subject as mandated by the Data Privacy Act of 2012. The following are the recognized rights of the data subject:
• To be informed whether his or her personal information shall be, are being or have been processed;
• To access the information gathered, processed, or stored upon reasonable and valid demand;
• To dispute the inaccuracy or error in the information;
• To request the Company to correct information immediately and accordingly;
• To obtain from the Company a copy of data undergoing processing in an electronic or structured format;
• To request to limit the processing of information; and
• To make inquiries regarding the information gathered, processed, and used
The Company, however, reserves the right to refuse requests to access or rectify information for valid reasons, such as vexatious and unjustifiable requests.

IX. Supplemental Sources of Data Subject Information

The sources of information, other than those which you directly provide to the Company, to which your information may be gathered, processed and stored your information are the following:
• Registration forms and other similar forms;
• Publicly available sources;
• Social media platforms, including the platforms directly managed by the Company
• Credit reporting agencies;
• Interactions and communications received by the Company at events or activities;
• Company-organized activities;
• Cookies from the data subject’s use of the Company’s software; and
• Other legally available sources of information

X. Special Rule on User’s Personal Information

User confirms that any personal data provided to the Company is true, correct, and updated. He or she must be responsible for informing the Company within 72 hours as to any significant change to the information previously provided to the latter.
User consents the Company to use his or her personal and sensitive personal information to be gathered, processed, and stored for the purposes set forth herein. The information may be readily available and transferred to User for purposes of coordination and transparency.
User grants the Company the authority to compile, store, and update his/her personal information to a reasonable extent within the period that the Company provides its services.
User acknowledges that he or she has read and understood the Notice and consents the same by his or her continuous use of the services provided by the Company.