DATA PRIVACY POLICY
Effective Date: September 1, 2025
At Punched Coffee (“Punched”), we aim to provide you the best experience possible. To make this possible, we need to collect and use certain information. This Privacy Policy explains what information we collect, why we collect it and how we use and protect it.
II. Purpose and Scope
This Privacy Policy outlines the data privacy principles and practices of Punched in compliance with Republic Act No. 10173 or the Data Privacy Act of 2012 (DPA) and its Implementing Rules and Regulations. It applies to all personal data we collect, process, and store in connection with the use of our services and platforms.
III. Data We Collect
- From Buyers:
  - Full name, contact number, and email address
  - Bank or digital wallet account details for payments
- Automatically Collected Data:
  - IP address, browser type, device information
  - Activity logs, session data, clickstreams
  - Cookies and similar technologies
We collect and process personal data for the following purposes:
- To verify identity
- To facilitate communication between parties
- To process payments
- To generate analytics and improve platform functionality
- To send service announcements and updates
- To comply with lawful orders and regulatory requirements
Processing is conducted based on one or more of the following:
a. Consent
We process your data when you voluntarily provide it, such as when you order or send an inquiry through our website. Consent also applies when you allow us to use your data for communications, marketing updates, or platform analytics. You may withdraw your consent at any time, subject to legal or contractual restrictions.
b. Contractual Necessity
Your personal data is necessary for us to fulfill our contractual obligations, such as identity verification, order confirmation, payment processing and addressing inquiries. Without this data, we cannot provide you with full access to our services.
c. Compliance with Legal Obligations
We may process and retain your data to comply with legal requirements, such as tax reporting, anti-fraud checks, and regulatory obligations. We may also disclose your data to government authorities in response to lawful orders, subpoenas, or regulatory audits.
d. Legitimate Interest
We process data to support our legitimate business interests, which include improving our services, detecting suspicious activity, maintaining platform security, conducting analytics, and developing new features. We ensure that these interests do not override your fundamental rights and freedoms.
Data collected is used to:
- Provide and maintain our services to operate, maintain, and improve our platform, and enable real-time ordering.
- Verify your identity to secure your transactions.
- Enable real-time payouts and manage financial operations, including generating payment records and audit logs.
- Communicate essential updates, such as payment notifications, policy changes, updates, security alerts, and platform announcements tailored to your activity.
- Fulfill legal and regulatory requirements, including those related to taxation, anti-fraud measures, and data protection laws.
- Analyze platform behavior and optimize features to improve user experience.
Data collected is shared with trusted third parties when necessary to operate the platform, fulfill services, or to comply with legal obligations.
We make sure that any third party we work with, such as service providers or payment platforms, follows strict confidentiality standards, puts proper data protection safeguards in place, and respects privacy rights in line with applicable data privacy laws. We use written agreements and other measures to monitor their compliance with this Policy. These third parties are only allowed to use personal data for authorized purposes and must follow our instructions to keep information secure.
We retain personal data only for as long as it is required to fulfill the purposes stated above, necessary to comply with applicable laws (e.g., tax, accounting, audit), or as may be required to establish, exercise, or defend legal claims.
As a rule, personal data shall be retained for a maximum period of two (2) years from the date of the last transaction or interaction, unless a longer retention period is required by applicable laws or justified by a legitimate business interest.
After the retention period, or when the data is no longer necessary or relevant to the declared purpose, personal data shall be securely disposed of or anonymized through appropriate methods to prevent unauthorized access, disclosure, or use. Disposal shall be carried out in accordance with industry standards and applicable data protection regulations.
We conduct regular reviews of stored data and implement disposal schedules to ensure compliance with our data retention policy.
Punched implements stringent technical and organizational measures to protect personal data from unauthorized access, alteration, disclosure, or destruction, such as but not limited to strict access controls, secure digital storage, backups, and physical security measures.
The data subject may exercise any of the rights provided under the Data Privacy Act by contacting our Data Protection Officer at privacy@punchedgroup.com. To verify the identity of the requesting party and to protect the confidentiality of personal data, we may request specific information. This security measure ensures that personal data is not disclosed to any individual who is not authorized to receive it. We may also request additional information, if necessary, to clarify the request and facilitate a timely and appropriate response.
In the event of a data breach, the DBMT shall perform actions in accordance with NPC Circular No. 16-03 and relevant laws.
All new employees will receive mandatory data privacy training during onboarding. Regular refresher training will be provided to ensure all employees remain aware of the principles of data protection, their responsibilities under this Policy and best practices in identifying and handling data privacy and privacy incidents.
If you have questions or concerns about this Policy or your rights as a data subject, you may contact our DPO at:
Data Protection Officer
privacy@punchedgroup.com
Mabuhay Tower Cebu Business Park, Cebu City, Philippines
This Privacy Policy may be updated periodically to reflect changes in regulations or practices. Updates will be posted on our website or notified to users through email or in-app messages, where appropriate.