LEGAL
Privacy Policy
How Seagi collects, uses, stores, and protects personal data. Compliant with Republic Act No. 10173 — the Philippine Data Privacy Act of 2012.
1. Who we are
This Privacy Policy describes the personal data practices of Seagi (the "Platform"), operated by Seagi Solutions Inc. (in formation, SEC filing pending), referred to in this document as "Seagi," "we," "us," or "our."
Our registered office is located at Camotes, Visayas, Philippines 6050.
By using our Platform, you ("you," "your," or "user") consent to the practices described in this Policy. If you do not agree, please do not use the Platform.
2. Scope of this Policy
This Policy applies to personal data collected through:
- The Seagi website at seagi.ph and any subdomains
- The Seagi platform application used by our merchant customers and their staff
- Email, phone, and messaging channels with our team
- Any other touchpoint where you provide personal data to us
This Policy does NOT apply to:
- Websites or services operated by our merchant customers (each merchant operates their own customer relationships)
- Third-party services we link to (their privacy policies govern)
3. Personal data we collect
We collect the following categories of personal data:
From merchant account holders (cafe owners, managers, staff):
- Full name
- Email address
- Mobile phone number
- Role within the business (owner, manager, staff)
- Login credentials (password hashed via industry-standard methods; we never see your plaintext password)
- Multi-factor authentication tokens
- IP address and device information at sign-in (for security logging under NPC Circular 16-01)
- Session timestamps and access logs
From end-customers of our merchants (e.g., the cafe customer who orders a coffee):
- First name and last initial (e.g., "Maria S.") as provided by the merchant at the time of order
- Order details (items purchased, total amount, time of order)
- Phone number (optional, only if the customer opts in to order notifications)
What we do NOT collect:
- Credit card numbers, CVV codes, or full payment card data (processed by our payment provider PayMongo; we never store them)
- Government identification numbers (SSS, PhilHealth, TIN, passport, UMID)
- Biometric data
- Health information
- Children's data (Seagi is not directed at users under 18)
4. How we use personal data
We use personal data only for the following specific purposes:
- Service delivery: Operating the Platform, processing orders, generating receipts, calculating reports
- Authentication: Verifying your identity when you log in
- Security: Detecting fraud, abuse, or unauthorized access
- Communication: Sending transactional notifications (receipts, order confirmations); responding to your inquiries
- Compliance: Meeting our legal obligations under Philippine law (including BIR, BSP, and NPC requirements)
- Improvement: Understanding aggregate usage patterns (using anonymized data only) to improve the Platform
We do NOT use your data for:
- Selling, renting, or trading to third parties
- Cross-customer analytics (your business data is never combined with another merchant's business data)
- Targeted advertising
- Training AI models without your explicit, opt-in consent
5. Lawful bases for processing
Under RA 10173, Section 12, we process personal data only when at least one of the following lawful bases applies:
- Consent: You have given clear, freely-given, specific, informed, and evidenced consent (per NPC Circular 2023-06) for us to process your personal data for a specific purpose
- Contract: Processing is necessary to fulfill our service agreement with you or your merchant
- Legal obligation: Processing is required to comply with Philippine law
- Vital interests: Processing is necessary to protect someone's life
- Legitimate interests: Processing serves a legitimate business interest that does not override your rights and freedoms (assessed via balancing test per NPC guidance)
6. Sharing with third parties
We share personal data with the following third-party processors, each bound by a Data Sharing Agreement (DSA) or Data Processing Agreement (DPA) compliant with RA 10173:
- Supabase — Database hosting, authentication, file storage
  Region: Tokyo, Japan
- Cloudflare — DNS, WAF, DDoS protection, rate limiting
  Region: Global edge network
- Resend — Transactional email delivery (receipts, confirmations)
  Region: United States
- Brevo — Marketing email delivery (opt-in only)
  Region: European Union
- PayMongo — Payment processing (Phase 2, post-launch)
  Region: Philippines
We do NOT sell personal data to advertisers, brokers, or unaffiliated third parties.
7. Cross-border data transfers
Personal data collected through the Platform is stored in Tokyo, Japan (Supabase, AWS ap-northeast-1). Some of our third-party processors (Resend, Brevo) operate in the United States and European Union respectively.
When personal data is transferred outside the Philippines, we ensure transfers comply with RA 10173 §21 (accountability for transfers) and that the receiving jurisdiction provides adequate protection consistent with Philippine law, including through:
- Contractual safeguards (Data Processing Agreements with standard contractual clauses)
- Technical safeguards (encryption in transit via TLS 1.3 and at rest via AES-256)
- Organizational safeguards (access controls, audit logs, periodic review)
8. Data retention
We retain personal data only as long as necessary for the purposes set out in this Policy, or as required by Philippine law.
Specifically:
- Active accounts: Retained for the duration of the service relationship
- Transaction records: 3 years from the date of the user's last transaction, after which personal data is anonymized
- Financial records: Retained for at least 10 years per BIR Revenue Regulations No. 17-2013
- Closed accounts: Personal data is anonymized within 90 days of account closure, except where retention is required for legal, tax, or accounting purposes
You may request deletion of your personal data (subject to the legal retention requirements above) by contacting our Data Protection Officer.
9. Your rights as a data subject
As a data subject under Section 16 of the Philippine Data Privacy Act, you have the following rights:
- Right to be informed — You have the right to know that your personal data is being or will be processed
- Right to access — You may request a copy of your personal data we hold
- Right to object — You may object to the processing of your personal data, including direct marketing or profiling
- Right to erasure or blocking — You may request deletion or suspension of processing where data is incomplete, outdated, false, unlawfully obtained, or no longer necessary
- Right to damages — You may claim compensation under Section 16(f) for damages sustained due to inaccurate, false, or unlawfully obtained personal data
- Right to data portability — You may obtain your personal data in an electronic, structured, commonly-used format (NPC Circular 16-01)
- Right to file a complaint — You may file a complaint with the National Privacy Commission (NPC)
To exercise any of these rights, contact our Data Protection Officer at dpo@seagi.ph. We respond to verified requests within 15 working days, as required by NPC guidance.
10. Security measures
We apply the following organizational, physical, and technical safeguards consistent with NPC Circular 16-01:
- Encryption: All data in transit is protected by TLS 1.3. Data at rest is encrypted using AES-256.
- Access control: Row-level security on every database table ensures data is isolated per merchant. Staff access is role-restricted on a least-privilege basis.
- Authentication: Two-factor authentication is required for all administrative accounts.
- Monitoring: All privileged actions are logged in an audit trail.
- Network protection: Cloudflare Web Application Firewall (WAF) and rate limiting protect against attacks.
- Incident response: We maintain a documented incident response plan. Personal data breaches are notified to the NPC within 72 hours of discovery per RA 10173 §20(f) and NPC Circular 16-03.
- Regular review: Security posture is reviewed periodically.
11. Children's data
Seagi is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If a parent or guardian believes a child has provided personal data to us, please contact our DPO immediately and we will delete it without undue delay.
12. Changes to this Policy
We may update this Privacy Policy from time to time. Material changes will be communicated to active account holders via email at least 30 days before the change takes effect.
The current version is dated May 25, 2026.
Contact Our Data Protection Officer
For any questions about this Privacy Policy, your personal data, or to exercise your rights under RA 10173, contact our DPO:
dpo@seagi.ph
You may also file a complaint with the National Privacy Commission (NPC) at privacy.gov.ph.