Definitions
For the purposes of this Privacy Policy, the following terms are defined in accordance with RA 10173 and its Implementing Rules and Regulations:
Personal Information
Any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained, or when put together with other information would directly and certainly identify an individual.
Sensitive Personal Information
Personal information about an individual's race, ethnic origin, marital status, age, color, religious, philosophical or political affiliations, health, education, genetic or sexual life, or any proceeding for any offense committed or alleged to have been committed.
Data Subject
An individual whose personal, sensitive personal, or privileged information is processed. In the context of GalaGrid, this includes celebrants, suppliers, guests, and all Platform users.
Processing
Any operation or set of operations performed upon personal information including collection, recording, organization, storage, updating, modification, retrieval, consultation, use, consolidation, blocking, erasure, or destruction of data.
Data Protection Officer (DPO)
The individual designated by GalaGrid to be accountable for the organization's compliance with RA 10173, its IRR, and other applicable laws and regulations. The DPO can be reached at privacy@galagrid.app.
Information We Collect
We collect information necessary to provide, maintain, and improve the GalaGrid Platform. The types of information we collect depend on how you interact with our services.
2.1 Account Information
When you create a GalaGrid account, we collect:
- •Full name
- •Email address
- •Phone number
- •Address (city/municipality, province)
2.2 Profile Information
Depending on your role on the Platform, we may collect additional profile details:
- •Suppliers: Business name, service categories, portfolio images, service descriptions, pricing information, and business location
- •Celebrants: Event type, event date, venue preferences, guest count estimates, and event-specific details
- •All users: Profile photos and display preferences
2.3 Payment Information
Payments on GalaGrid are processed through Symph Pay, our third-party payment processor. GalaGrid does not store your credit card numbers, bank account details, or other sensitive financial information on our servers. Symph Pay handles all payment data in accordance with applicable PCI-DSS standards.
2.4 Usage Data
We automatically collect certain information when you access or use the Platform:
- •Pages visited and features used
- •Search queries and filter selections
- •Device information (browser type, operating system, screen resolution)
- •IP address and approximate geolocation
- •Referring URLs and access timestamps
2.5 Communications
We collect and store messages exchanged between celebrants and suppliers through the Platform's messaging system, as well as any communications you have with our support team, including support tickets and email correspondence.
How We Use Your Information
We use the information we collect for the following purposes:
- •Provide and improve Platform services: To operate, maintain, and enhance the GalaGrid marketplace, including search functionality, supplier matching, and booking management.
- •Process bookings and payments: To facilitate transactions between celebrants and suppliers, send booking confirmations, and process refunds where applicable.
- •Communicate with you: To send booking-related notifications, service updates, and promotional communications (marketing communications are sent only with your consent and you may opt out at any time).
- •Verify identity and prevent fraud: To authenticate users, detect and prevent fraudulent activity, and ensure the safety and integrity of the Platform.
- •Comply with legal obligations: To meet our obligations under Philippine law, including RA 10173, tax regulations, and lawful requests from government authorities.
- •Generate anonymized analytics: To produce aggregate, non-identifiable insights about Platform usage, market trends, and service demand to improve the overall experience for all users.
Legal Basis for Processing
In accordance with Republic Act No. 10173 (Data Privacy Act of 2012), we process your personal information based on the following lawful criteria:
Consent
You have given your consent to the processing of your personal information for one or more specific purposes, such as receiving marketing communications or sharing your profile information with other users.
Contract Performance
Processing is necessary for the performance of a contract to which you are a party, including the provision of Platform services, booking management, and payment processing.
Legitimate Interest
Processing is necessary for the purposes of our legitimate interests, such as improving Platform functionality, preventing fraud, and ensuring security, provided these interests are not overridden by your rights and freedoms.
Legal Obligation
Processing is necessary for compliance with a legal obligation to which GalaGrid is subject, including tax reporting, responding to lawful court orders, and cooperating with the National Privacy Commission.
Information Sharing
We share your information only in the limited circumstances described below and always in accordance with applicable data protection laws.
5.1 Between Users
When a celebrant books a supplier, certain information is shared to facilitate the transaction:
- •Celebrant's name and event details are shared with the booked supplier
- •Supplier's profile information, including business name, service details, and portfolio, is visible to celebrants browsing the Platform
5.2 Service Providers
We engage trusted third-party service providers to support Platform operations. Each provider is bound by data processing agreements that limit their use of your data:
- •Symph Pay — payment processing and transaction management
- •Resend — transactional and marketing email delivery
- •Supabase — cloud infrastructure and database services
5.3 Legal Requirements
We may disclose your personal information when required to do so by law or in response to valid legal requests, including:
- •Court orders and subpoenas
- •Requests from government agencies with proper legal authority
- •Requests from the National Privacy Commission (NPC) in the exercise of its regulatory functions
5.4 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of all or a portion of our assets, your personal information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Platform before your information is transferred and becomes subject to a different privacy policy.
5.5 We Never Sell Your Data
GalaGrid does NOT sell your personal information to third parties. Your data is never shared for advertising purposes or monetized in any way beyond providing the Platform services described in this policy.
Data Retention
We retain your personal information only for as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required by law.
| Data Type | Retention Period |
|---|---|
| Active account data | For as long as your account remains active |
| Closed account data | 5 years (for legal, tax, and regulatory compliance) |
| Payment & transaction records | Per BSP requirements and applicable tax regulations |
| Usage logs & analytics | 1 year, then anonymized for aggregate use |
| Support & communication records | 3 years from last interaction |
Your Rights
Under Republic Act No. 10173 (Data Privacy Act of 2012), you have the following rights as a data subject:
Right to Be Informed
You have the right to be informed of the collection and processing of your personal data, including the purpose, scope, and method of processing.
Right to Access
You have the right to obtain a copy of any personal information we hold about you, as well as information about how it has been used or shared.
Right to Object
You have the right to object to the processing of your personal data, including processing for direct marketing, automated processing, or profiling.
Right to Erasure or Blocking
You have the right to request the suspension, withdrawal, blocking, removal, or destruction of your personal data from our systems.
Right to Rectification
You have the right to dispute and have corrected any inaccuracy or error in your personal data held by GalaGrid.
Right to Data Portability
You have the right to obtain your personal data in an electronic or structured format that allows for further use and transfer to another service.
Right to File a Complaint
You have the right to file a complaint with the National Privacy Commission (NPC) if you believe your data privacy rights have been violated.
How to Exercise Your Rights
Send your request to privacy@galagrid.app. We will acknowledge your request within 72 hours and provide a substantive response within 30 days. We may need to verify your identity before processing your request.
Data Security
We implement appropriate organizational, physical, and technical security measures to protect your personal information from unauthorized access, disclosure, alteration, or destruction. These measures include:
- •Encryption of data in transit using TLS/HTTPS protocols
- •Encryption of sensitive data at rest in our database systems
- •Role-based access controls limiting staff access to personal data on a need-to-know basis
- •Regular security assessments and vulnerability scanning of our systems
- •Incident response procedures to detect, report, and address data breaches promptly
While we take reasonable steps to protect your information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to protecting your data using industry-standard practices.
Children's Privacy
The GalaGrid Platform is not intended for use by individuals under the age of eighteen (18). We do not knowingly collect personal information from children under 18.
If you are a parent or guardian and believe that your child has provided us with personal information without your consent, please contact us immediately at privacy@galagrid.app. We will take steps to remove such information from our systems as quickly as possible.
Third-Party Services
The Platform may contain links to or integrate with third-party websites, services, or applications that are not operated by GalaGrid. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you access through the Platform.
Our key third-party service providers and their privacy policies:
- •Symph Pay / PayMongo — Payment processing
- •Supabase — Cloud database and authentication infrastructure
- •Resend — Transactional and marketing email delivery
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we update this policy, we will:
- •Update the "Last Updated" date at the top of this page;
- •Notify registered users via email at their registered address for material changes;
- •Display a prominent notice on the Platform for a period of at least 30 days following any material update.
Your continued use of the Platform following the effective date of any updated Privacy Policy constitutes your acceptance of the changes. If you do not agree with the updated policy, you must stop using the Platform and may request account deletion.
Contact & DPO
If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact our Data Protection Officer (DPO):
You also have the right to lodge a complaint with the National Privacy Commission (NPC) of the Philippines if you believe your data privacy rights have been violated. The NPC can be reached at www.privacy.gov.ph.