Back

Legal

Privacy Policy

Effective Date: March 13, 2026

1. Introduction

Stashlify ("Company," "we," "us," or "our") operates a cloud-based Software-as-a-Service ("SaaS") inventory management platform. This Privacy Policy explains how we collect, use, store, disclose, and protect information when you access or use our platform, website, APIs, and related services (collectively, the "Services").

Stashlify is a technology provider. We supply software tools for inventory management, order processing, and storefront operations. We do not manufacture, sell, distribute, or fulfill any physical goods. Any transactions between merchants using our platform and their end customers are solely between those parties.

This policy is issued in compliance with the Data Privacy Act of 2012 (Republic Act No. 10173), its Implementing Rules and Regulations (IRR), and applicable issuances of the National Privacy Commission (NPC) of the Republic of the Philippines.

2. Definitions

  • "Account Holder" means any individual or business entity that registers for a Stashlify account to use the Services.
  • "Merchant" means an Account Holder who uses Stashlify to manage inventory, process sales, or operate a storefront.
  • "End Customer" means a consumer who interacts with a Merchant's storefront or places orders through the platform.
  • "Merchant Data" means all data uploaded, entered, or generated by a Merchant through the Services, including inventory records, customer lists, sales data, and business information.
  • "Personal Information" has the meaning ascribed under Section 3(g) of RA 10173: any information from which the identity of an individual can be reasonably and directly ascertained, or which when put together with other information would directly and certainly identify an individual.

3. Our Role: Data Controller and Data Processor

Under the Data Privacy Act, the distinction between a Personal Information Controller (PIC) and a Personal Information Processor (PIP) determines the scope of obligation. Stashlify operates in a dual capacity:

As a Personal Information Controller

We act as the PIC with respect to Account Holder data that we collect directly: registration information, billing details, login credentials, and platform usage analytics. We determine the purpose and means of processing this data.

As a Personal Information Processor

We act as a PIP with respect to Merchant Data, including End Customer personal information that Merchants input into the platform. In this capacity, Merchants are the PICs. We process Merchant Data solely on behalf of and under the instructions of the Merchant. Each Merchant is independently responsible for obtaining proper consent from their End Customers and for complying with the Data Privacy Act with respect to any personal information they input into Stashlify.

4. Information We Collect

4.1 Information You Provide Directly

  • Account Registration: Full name, email address, mobile number, password, business name, and organization details.
  • Subscription and Billing: Payment method details processed through our third-party payment processor (PayMongo). We do not store full credit card numbers on our servers.
  • Staff Accounts: Names, email addresses, assigned roles, and branch assignments of staff members added by a Merchant.
  • Support Communications: Any information you provide when contacting us for support, including email content and attachments.

4.2 Merchant Data (Processed on Behalf of Merchants)

  • Product catalogs, inventory records, and stock levels
  • End Customer names, email addresses, shipping addresses, and order histories
  • Sales records, transaction logs, and financial summaries
  • Consignor information and commission records
  • Product images and media uploaded to the platform

4.3 Information Collected Automatically

  • Log Data: IP address, browser type, operating system, referring URL, pages visited, and timestamps.
  • Device Information: Device type, screen resolution, and unique device identifiers.
  • Usage Analytics: Feature usage patterns, session duration, and navigation paths within the platform.

4.4 Cookies and Similar Technologies

We use strictly necessary cookies for authentication, session management, and security purposes. We use analytics cookies to understand how users interact with our platform. You may control cookie preferences through your browser settings; however, disabling essential cookies may impair the functionality of the Services.

5. How We Use Your Information

We process personal information only where we have a lawful basis under RA 10173. The bases we rely on include:

5.1 Performance of Contract (Section 12(b), RA 10173)

  • Provisioning, operating, and maintaining the Services
  • Processing subscription payments and managing billing cycles
  • Authenticating users and enforcing access controls
  • Providing technical support and responding to service inquiries

5.2 Legitimate Interests (Section 12(f), RA 10173)

  • Improving platform performance, reliability, and user experience
  • Detecting, preventing, and investigating fraud, abuse, or security threats
  • Generating aggregated, anonymized analytics for internal business purposes
  • Sending service-related communications (e.g., maintenance notices, security alerts)

5.3 Legal Obligation (Section 12(c), RA 10173)

  • Complying with tax, accounting, and regulatory requirements
  • Responding to lawful requests from government authorities or courts of competent jurisdiction
  • Maintaining records as required under applicable Philippine law

6. Information Sharing and Disclosure

We do not sell, rent, or trade your personal information to third parties. We share information only in the following circumstances:

6.1 Service Providers (Sub-Processors)

We engage the following categories of third-party service providers who process data on our behalf under contractual obligations of confidentiality and security:

  • Payment Processing: PayMongo (PCI-DSS compliant) processes subscription payments. Payment credentials are handled directly by PayMongo and are not stored on our infrastructure.
  • Cloud Infrastructure: Google Cloud Platform (GCP) hosts our application, database, and storage infrastructure in the Asia-Southeast region.
  • Image Storage: Google Cloud Storage (GCS) stores and delivers product images uploaded by Merchants, hosted within the same GCP infrastructure.
  • Email Communications: Resend handles transactional emails (account verification, password resets, order notifications).

6.2 Legal and Regulatory Disclosure

We may disclose personal information where required or permitted by law, including:

  • In response to a subpoena, court order, or other lawful process issued by a Philippine court or competent authority
  • To comply with orders of the National Privacy Commission
  • To protect the rights, property, or safety of Stashlify, our users, or the public

6.3 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the successor entity. We will provide notice before your personal information becomes subject to a different privacy policy.

7. Data Security

We implement reasonable and appropriate organizational, physical, and technical security measures as required under Section 20 of RA 10173 and NPC Circular 2016-01, including:

  • Encryption: All data in transit is encrypted using TLS 1.2 or higher. Data at rest is encrypted using AES-256 via Google Cloud Platform's default encryption.
  • Authentication: JWT-based authentication with bcrypt-hashed passwords. Role-based access controls enforce least-privilege access.
  • Multi-Tenant Isolation: Each organization's data is logically isolated at the database level. All queries are scoped to the authenticated organization's identifier, preventing cross-tenant data leakage.
  • Audit Logging: Administrative and sensitive operations are recorded in immutable audit logs.
  • Infrastructure Security: Services run on Google Cloud with VPC networking, automated backups, and managed database services.

No system is completely secure. While we employ industry-standard safeguards, we cannot guarantee absolute security against all threats. In the event of a personal data breach, we will comply with the notification requirements under Sections 20(f) and 21 of RA 10173 and NPC Circular 2016-03.

8. Data Retention

We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, or as required by law:

  • Active Accounts: Account Holder data is retained for the duration of the subscription and active use of the Services.
  • Post-Termination: Upon account termination, Merchant Data is retained for thirty (30) days to allow for data export. After this period, data is scheduled for permanent deletion within ninety (90) days.
  • Legal Retention: Certain records (billing, transaction logs, audit logs) may be retained beyond account termination as required under the Tax Code, the E-Commerce Act (RA 8792), or other applicable Philippine law.
  • Anonymized Data: Aggregated, anonymized data that cannot identify individuals may be retained indefinitely for analytics and service improvement.

9. International Data Transfers

Our primary infrastructure, including application hosting, database, and image storage, is hosted in the Asia-Southeast region (Singapore) via Google Cloud Platform. However, certain sub-processors (e.g., Resend for email delivery) may process data in jurisdictions outside the Philippines.

Where personal information is transferred outside the Philippines, we ensure that adequate safeguards are in place in accordance with Section 21 of RA 10173, including contractual data processing agreements and verification that the receiving jurisdiction provides an adequate level of data protection or that the transfer falls within permitted exceptions.

10. Your Rights Under the Data Privacy Act

As a data subject under RA 10173, you are entitled to the following rights:

  • Right to Be Informed (Section 16(a)): You have the right to be informed of the collection, processing, and storage of your personal data before or at the time of collection.
  • Right to Access (Section 16(b)): You may request access to your personal data held by us, including the manner of processing, identity of recipients, and data retention period.
  • Right to Object (Section 16(c)): You may object to the processing of your personal data, including processing for direct marketing, automated processing, or profiling.
  • Right to Erasure or Blocking (Section 16(d)): You may request the removal or destruction of your personal data from our systems, subject to legal retention requirements.
  • Right to Rectification (Section 16(e)): You may dispute and request correction of inaccurate or incomplete personal data.
  • Right to Data Portability (Section 18): You may obtain a copy of your data in a structured, commonly used, and machine-readable format.
  • Right to File a Complaint: You may lodge a complaint with the National Privacy Commission if you believe your rights have been violated.

To exercise any of these rights, contact our Data Protection Officer at stashlify.team@gmail.com. We will respond within fifteen (15) days of receiving your request, or within the period prescribed by the NPC.

End Customers: If you are an End Customer of a Merchant using Stashlify, please direct your data privacy requests to the Merchant. As the data processor, Stashlify will assist the Merchant in fulfilling such requests as required by law.

11. Children's Privacy

The Services are designed for use by businesses and are not directed at individuals under the age of eighteen (18). We do not knowingly collect personal information from minors. If we become aware that we have inadvertently collected personal information from a minor without verified parental consent, we will take reasonable steps to delete such information promptly. If you believe a minor has provided us with personal information, please contact us immediately.

12. Changes to This Privacy Policy

We may revise this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. We will notify Account Holders of material changes by email or through a prominent notice on the platform at least fifteen (15) days before the changes take effect. The "Effective Date" at the top of this policy indicates the date of the most recent revision. Continued use of the Services after the effective date constitutes acceptance of the revised policy.

13. Contact Information

For questions, concerns, or requests related to this Privacy Policy or your personal data:

Stashlify

Email: stashlify.team@gmail.com

You may also contact the National Privacy Commission of the Philippines at www.privacy.gov.ph for complaints or inquiries regarding data privacy rights.