Data Protection & Your Rights

Last updated: June 13, 2026

1. Our Commitment to Data Protection

[LEGAL_ENTITY_NAME] ("Camps PH," "we," "us," or "our") is the Personal Information Controller (PIC) of all personal data collected through the Camps PH platform. As a PIC, we are bound by Republic Act No. 10173, the Data Privacy Act of 2012 (RA 10173), its Implementing Rules and Regulations (IRR), and all relevant issuances of the National Privacy Commission (NPC), including NPC Circulars 2022-04, 2023-04, 2023-06, and Advisory No. 2024-01.

This page is the operational hub for your data privacy rights at Camps PH. It tells you what rights you have, how to exercise them, who our Data Protection Officer (DPO) is, our NPC registration status, the security measures we apply, our data breach commitment, how long we keep your data, who we share it with, and how to escalate a complaint to the NPC.

We treat data privacy as a core responsibility — not a compliance checkbox. Every product decision at Camps PH applies privacy-by-design and privacy-by-default principles, and our Data Protection Officer has the mandate and resources to enforce that commitment.

2. Your Eight Data Subject Rights (RA 10173, Sec. 16)

The Data Privacy Act of 2012 grants you eight fundamental rights over your personal data. Each right is described below in plain language, together with how to exercise it at Camps PH and the response timeline you can expect.

Response timeline: We will acknowledge every Data Subject Request (DSR) within 5 business days and provide a substantive response within 15 calendar days of identity verification. If more time is required, we will notify you in advance with an estimated completion date.

Right 1 of 8

Right to Be Informed

You have the right to know when and why your personal data is being collected. Before or at the time we collect your information, we will tell you who we are, what data we collect, why we collect it, the legal basis for processing, who we share it with, how long we keep it, and what rights you have.

How to exercise this right: This right is fulfilled by our Privacy Policy and this page. For specific questions about how a particular piece of data is used, email our DPO at [DPO_EMAIL].

Right 2 of 8

Right of Access

You have the right to obtain a copy of the personal data we hold about you, along with information about how it has been processed, the sources from which it was collected, and who it has been shared with.

How to exercise this right: Submit a Data Subject Request (DSR) selecting "Access" as the request type. We will provide a structured summary of your data within 15 calendar days of identity verification.

Right 3 of 8

Right to Object

You have the right to object to processing of your personal data where we rely on legitimate interests as the legal basis, and at any time to object to processing for direct marketing purposes. Upon a valid objection to direct marketing, we will stop immediately.

How to exercise this right: To object to direct marketing, use the unsubscribe link in any marketing email or submit a DSR selecting "Objection." For other objections, submit a DSR explaining the specific processing you object to.

Right 4 of 8

Right to Erasure or Blocking

You may request that we delete or block your personal data when it is incomplete, outdated, falsely obtained, or unlawfully processed, or when the purpose for which it was collected has already been fulfilled. Where deletion is not immediately possible (e.g., due to a legal retention obligation), we will block the data from further processing pending resolution.

How to exercise this right: Submit a DSR selecting "Erasure / Blocking." Note that certain data may be retained where required by law (e.g., BIR tax records, AMLA obligations). We will inform you of any applicable exceptions.

Right 5 of 8

Right to Rectification

You have the right to request correction of any personal data we hold about you that is inaccurate, incomplete, or out of date. We will correct the data promptly and, where applicable, notify third parties who received the incorrect data.

How to exercise this right: For basic profile information (name, phone, email), you may update it directly in your account settings. For other records (e.g., booking history, KYC records), submit a DSR selecting "Rectification."

Right 6 of 8

Right to Data Portability

You have the right to receive a copy of the personal data you provided to us in a structured, commonly used, and machine-readable electronic format (such as JSON or CSV), and to transmit that data to another service provider where technically feasible.

How to exercise this right: Submit a DSR selecting "Data Portability." We will prepare and deliver your data export within 15 calendar days of verified identity confirmation.

Right 7 of 8

Right to Damages

If you suffer damage as a result of inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorised use of your personal data, you have the right to claim compensation from Camps PH as the Personal Information Controller. This right is without prejudice to any criminal liability under RA 10173.

How to exercise this right: Submit a written claim to our DPO at [DPO_EMAIL] describing the nature of the harm and the data processing you believe caused it. You may also file a complaint directly with the NPC.

Right 8 of 8

Right to File a Complaint

If you believe that your data privacy rights have been violated and are unsatisfied with our response, you have the right to lodge a complaint with the National Privacy Commission (NPC), the independent government body that enforces RA 10173.

How to exercise this right: See the "How to Escalate to the NPC" section below for full NPC contact details and the online complaint portal.

3. How to Submit a Data Subject Request (DSR)

You may submit a Data Subject Request for any of the eight rights listed above. Follow these steps:

  1. Step 1 — Prepare your request. Identify the right(s) you wish to exercise (access, erasure, rectification, portability, objection, damages, or complaint). Be as specific as possible about the data concerned.
  2. Step 2 — Verify your identity. To prevent unauthorised disclosure, we must confirm you are the account holder. Include the email address associated with your Camps PH account. For requests involving sensitive personal information (e.g., host KYC documents) or deletion of an account, we may ask for a copy of a government-issued ID. Identity documents submitted for verification purposes will not be retained beyond the DSR process.
  3. Step 3 — Submit your request. Send your DSR by email to [DPO_EMAIL] with the subject line "Data Subject Request — [Your Name] — [Request Type]." Alternatively, send a written request by post to [BUSINESS_ADDRESS], Attention: Data Protection Officer.
  4. Step 4 — Receive acknowledgement. We will acknowledge your DSR within 5 business days, confirm the request type, and advise of any additional information needed.
  5. Step 5 — Receive substantive response. We will complete the action or provide a detailed response within 15 calendar days of identity verification. If we require an extension, we will notify you with a revised timeline before the 15-day period expires.

What to include in your DSR email

  • Full name as registered on Camps PH
  • Email address linked to your account
  • Type of request (access, erasure, rectification, portability, objection, damages, complaint)
  • Description of the specific data or processing concern
  • Any supporting information that helps us locate your records

4. Data Protection Officer

Camps PH has designated a Data Protection Officer (DPO) as required under NPC Circular No. 2022-04. The DPO is responsible for overseeing our Privacy Management Program, ensuring compliance with RA 10173, and serving as the primary point of contact for data subjects and the NPC.

Data Protection Officer

Name: [DPO_NAME]

Email: [DPO_EMAIL]

Phone: [DPO_PHONE]

Postal address: [BUSINESS_ADDRESS], Attn: Data Protection Officer

Organisation: [LEGAL_ENTITY_NAME]

5. NPC Registration

Registered Personal Information Controller

Camps PH ([LEGAL_ENTITY_NAME]) is registered with the National Privacy Commission of the Philippines as a Personal Information Controller under the NPC Registration System (NPCRS). Our Registration Number is [NPC_REGISTRATION_NO].

Registration was completed in accordance with NPC Circular No. 2022-04 on the Registration of Data Processing Systems and Data Protection Officers. Our registered data processing systems include the camper account and profile system, the host KYC system, the booking and payment system, the messaging system, and our analytics and logging infrastructure. Registration is renewed annually, and new systems are registered within 20 working days of commencement.

6. How to Escalate a Complaint to the NPC

If you are not satisfied with our response to your DSR or believe that your data privacy rights under RA 10173 have been violated, you have the right to file a complaint directly with the National Privacy Commission.

National Privacy Commission (NPC)

Website: www.privacy.gov.ph

Complaints email: complaints@privacy.gov.ph

General email: info@privacy.gov.ph

Address: 5th Floor Delegation Building, PICC Complex, Pasay City, Metro Manila

Online complaint portal: privacy.gov.ph/file-a-complaint

Before filing with the NPC, we encourage you to contact our DPO first so we can attempt to resolve the concern directly and promptly. However, this is not a prerequisite — you may escalate to the NPC at any time.

7. Security Measures

Camps PH implements organisational, physical, and technical security measures consistent with NPC Circular No. 2023-06 (Security of Personal Data in the Government and Private Sector, in full effect from 30 March 2025).

Technical Measures
  • Encryption in transit: All data transmitted between your browser and Camps PH is encrypted using TLS 1.3 (minimum TLS 1.2). HTTP is not served.
  • Encryption at rest: Personal data stored in Supabase (PostgreSQL) and cloud file storage is encrypted at rest using AES-256 or equivalent, managed by Supabase's SOC 2-certified infrastructure.
  • Role-based access control: Access to personal data is restricted to authorised personnel on a least-privilege basis. Supabase Row Level Security (RLS) policies enforce data isolation between users.
  • Multi-factor authentication (MFA): MFA is mandatory for all administrative accounts with access to production personal data systems.
  • Audit logging and monitoring: Access to personal data is logged and monitored. Anomalies trigger automated alerts for investigation.
  • Vulnerability management: We conduct regular vulnerability assessments and penetration testing. Security patches are applied on a priority basis.
  • Secure software development lifecycle (SSDLC): Privacy-by-design and security reviews are embedded in our development process. Dependency scanning is performed on every build.
  • Pseudonymisation and anonymisation: Where operationally feasible, personal identifiers are pseudonymised in analytics and logging pipelines.
Organisational Measures
  • Designated Data Protection Officer: [DPO_NAME] serves as DPO and is registered with the NPC.
  • Privacy Management Program: A documented PMP with executive sponsorship governs all data privacy activities.
  • Data Privacy Impact Assessments (DPIA): DPIAs are conducted for high-risk processing activities, including host KYC collection and payment data handling, before deployment.
  • Staff training: All staff with access to personal data complete data privacy training at onboarding and periodic refresher training annually.
  • Sub-processor due diligence: Written Data Processing Agreements are in place with all third-party processors before they handle Camps PH user data.
  • Retention and disposal schedule: A documented schedule (see Section 9 below) governs how long each data category is kept and how it is securely disposed of.
  • Business continuity and disaster recovery: Our BCP and DRP cover all systems that process personal data, with tested recovery procedures.
Physical Measures
  • SOC 2-certified infrastructure: All personal data is hosted on Supabase (SOC 2 Type II certified) and Clerk (SOC 2 Type II certified) cloud infrastructure. No personal data is held on-premises without equivalent physical controls.
  • PCI-DSS-compliant payment processing: Payment card and e-wallet data is handled exclusively by PCI-DSS-certified payment processors. Raw payment credentials are never stored on Camps PH servers.
  • Clean-desk and screen-lock policies: Staff are required to lock screens when unattended and maintain clean-desk practices when handling personal data.
  • Secure media disposal: Any physical media containing personal data is disposed of via certified shredding or cryptographic erasure.

8. Data Breach Notification Commitment

72-Hour Notification Commitment

In compliance with NPC Circular 16-03 (Personal Data Breach Management), Camps PH commits to the following upon discovery of, or reasonable belief that, a personal data breach has occurred:

Within 72 hours of discovery: Notify the NPC and, where required, affected data subjects. Notification to data subjects is mandatory without delay when: (a) 100 or more individuals are affected; or (b) sensitive personal information is involved and disclosure is likely to cause harm.

Within 5 calendar days: Submit a full written report to the NPC including the nature of the breach, the personal data categories and approximate number of data subjects involved, the likely consequences, and the measures taken or proposed to address the breach. An extension may be requested from the NPC.

Breach notifications to data subjects will include a clear description of the incident, the types of data affected, the steps we are taking, recommended protective actions you can take, and DPO contact details for follow-up inquiries.

Camps PH maintains an internal Breach Register and a documented breach response procedure. All suspected breaches — including near-misses — must be escalated internally to the DPO immediately. For urgent breach-related inquiries, contact the DPO at [DPO_EMAIL].

9. Data Retention Schedule

Personal data is retained only for as long as necessary for the declared purpose or any applicable legal or regulatory requirement. The table below summarises our retention schedule; the full schedule is published in our Privacy Policy.

Data Type | Retention Period | Legal Basis
Account data (active accounts) | Duration of account + 1 year post-closure | Contractual necessity; consumer protection obligations
Booking and payment records | 5 years | BIR tax record requirement (Revenue Regulations No. 17-2003)
Host KYC documents (government ID, selfie) | 5 years from end of business relationship | AMLA and regulatory obligations
Support and messaging records | 2 years | Legitimate interests (dispute resolution)
Server and access logs | 1 year minimum; 3 years maximum | Security monitoring and incident response
Cookie consent records | 3 years | Consent accountability (NPC Circular 2023-04)

When the retention period expires, personal data is securely disposed of using cryptographic erasure for digital records and certified shredding for any physical media. Data processed solely on the basis of consent is deleted promptly upon withdrawal of consent, unless another lawful basis applies.

10. Sub-Processor and Data Sharing List

Camps PH does not sell personal data. We share personal data only with the third-party processors listed below, who are bound by written Data Processing Agreements that require them to maintain the same level of data protection as RA 10173. Data transfers outside the Philippines are covered by NPC Model Contractual Clauses (MCCs) per NPC Advisory No. 2024-01, Standard Contractual Clauses, or equivalent safeguards.

Processor | Country | Service | Data Processed | Safeguard
Clerk | USA | Authentication & user management | Email, name, phone number, session tokens, sign-in history | Data Processing Agreement + Standard Contractual Clauses / NPC Model Contractual Clauses
Supabase | Configurable (Asia-Pacific available) | Database & file storage | All user profile data, booking records, messages, KYC documents, access logs | Data Processing Agreement; SOC 2 Type II certified; data residency options available
Mapbox | USA | Mapping & geocoding | User location queries, map tile requests | Data Processing Agreement + NPC Model Contractual Clauses
Payment processors (TBC) | Various | Payment processing & fraud screening | Payment method tokens, transaction amounts, billing details | Data Processing Agreement + PCI-DSS compliance; NPC MCCs for cross-border transfers

We keep this list current. When we add or change a sub-processor that materially affects how your data is handled, we will update this page and notify registered users in advance. You may object to a new sub-processor by submitting a DSR to [DPO_EMAIL]; we will advise whether an objection can be accommodated or whether continued use of the platform requires acceptance of the change.

Any sharing of personal data with parties who are not processors (e.g., government authorities, insurance partners) is governed by a separate Data Sharing Agreement compliant with NPC Circular 16-02 and is disclosed in our Privacy Policy.

Related Policies

  • Privacy Policy — Full detail on data collection, purposes, legal bases, and your rights
  • Cookie Policy — Cookie inventory, consent categories, and how to manage your preferences
  • Terms of Service — Contractual framework governing use of the Camps PH platform