Draft — for legal review. Not legal advice. Full text is being finalized.
Meikei← Back to shop
Legal

Privacy Policy

How we handle your personal data, aligned with the Philippine Data Privacy Act of 2012 (RA 10173) and the National Privacy Commission.

What we collect

Account and contact details, order and delivery information, payment confirmations (via our processor), waitlist email, and device/usage data for security and analytics. To protect the invite gate and storefront from abuse, we also process a one-way hashed version of your IP address (HMAC; we never store your IP in the clear) for rate-limiting redemption attempts, and a Cloudflare Turnstile token together with your IP address for bot defense. When you sign in, we process your account email and authentication identity.

Why and our lawful basis

We fulfil orders, run the beta and waitlist, keep the site secure, and meet legal obligations. The hashed-IP rate-limiting and Cloudflare Turnstile checks rest on our legitimate interest in preventing abuse of the invite gate and storefront. You may object to processing based on legitimate interest; note that bot and abuse defense is necessary for us to provide the service, so we may continue this limited processing where it is required to keep the service running. Processing your account email and authentication identity is based on the performance of a contract, namely giving you access to your account.

Who we share data with

We do not sell your data. We share it with couriers, payment processors, sales channels, and the service providers (processors) we rely on to run the service. Cloudflare provides our Turnstile bot-protection and processes your visitor IP address on infrastructure outside the Philippines, under [Cloudflare Data Processing Addendum / SCCs — confirm]. Supabase provides our authentication and database and processes your account email and authentication identity on infrastructure in Southeast Asia (Singapore), outside the Philippines, under [Supabase DPA / SCCs — confirm]. DigitalOcean provides our hosting infrastructure under [DigitalOcean DPA / SCCs — confirm]. These cross-border transfers rely on the contractual safeguards noted for each provider, consistent with RA 10173 and, where applicable, GDPR Articles 44 to 49.

How long we keep it

We keep abuse-prevention data, namely the hashed IP address and Turnstile records, for no more than 48 hours, after which it is deleted. We retain your account email and authentication identity for as long as your account is active, and delete it when your account is closed [closure process — coming with account management]. Other categories are kept only as long as needed for the purpose collected or as required by law.

Your rights

Access, correction, erasure/blocking, objection, and portability under the Data Privacy Act. Contact our DPO, or complain to the NPC.

Questions? Email [contact email]. See also Privacy and Trust.