Privacy Policy

1. Scope and Identity of the Personal Information Controller

This Policy applies to all personal information collected through the Salag website and web application accessible at salag.app, including all sub-pages, tools, and services offered therein.

The Personal Information Controller (PIC) for the purposes of the Data Privacy Act of 2012 is:

2. Personal Information We Collect

2.1 Information You Provide Directly

• Account registration: Name, email address, password (stored in hashed form), and Google account details if you sign in via Google OAuth.
• Business profile: Business name, business email, payment terms, default invoice notes, and other details you optionally enter for billing purposes.
• Client information: Names, email addresses, phone numbers, and project details of your clients that you store within Salag for project management purposes.
• Financial data: Payment method details (e.g., bank account name, account number, payment link URLs) and invoice data including amounts, descriptions, and payment status. We do not process or store credit card numbers.
• Tool inputs: Text messages, project descriptions, scope details, and client communications you submit to Salag tools for analysis and response generation.
• Email subscriptions: Email address if you subscribe to newsletters or product updates.

2.2 Information Collected Automatically

• IP address: Collected for security, rate limiting, abuse prevention, and session management.
• Browser and device information: Browser type, operating system, and device type, collected via usage logs and audit logs.
• Browser fingerprint: A hashed combination of browser and device characteristics used to enforce anonymous usage limits and detect abuse. This is not used to personally identify you.
• Session tokens: Unique identifiers to maintain authenticated sessions.
• Usage events: Which tools are used, when, and how often, for the purpose of service improvement and usage limit enforcement.
• Analytics data: General usage patterns collected via Google Analytics 4. This data is aggregated and not personally identifiable at the analytics level.

Salag does not collect precise geolocation data.

3. Legal Basis for Processing

Under Section 12 and 13 of the Data Privacy Act of 2012, we process your personal information on the following lawful bases:

• Consent: Where you have expressly agreed to the collection and processing of your personal data, including upon account registration and when using our tools.
• Contractual necessity: Processing is necessary for the performance of a contract to which you are a party, specifically the Salag Terms of Service.
• Legitimate interests: Processing for purposes of fraud prevention, security monitoring, abuse detection, and service improvement, provided these interests do not override your fundamental rights.
• Compliance with legal obligations: Where processing is required under Philippine law or lawful orders of courts and government agencies.

4. How We Use Your Personal Information

We use the information we collect for the following purposes:

• To create and manage your Salag account
• To provide, operate, and maintain the Salag platform and its tools
• To process and deliver AI-generated responses through our Conversation Risk Engine
• To enforce usage limits, access controls, and subscription plan entitlements
• To detect and prevent fraud, abuse, account sharing, and unauthorized access
• To send transactional emails (account verification, password resets, invoice delivery)
• To send service-related communications and, with your consent, product updates
• To improve tool reliability, accuracy, and user experience
• To maintain audit logs required for security and dispute resolution
• To comply with applicable Philippine laws and regulations

5. Client Content and Sensitive Information

Salag tools may process text you submit that contains sensitive business communications, such as client messages, project scope details, payment disputes, and financial arrangements. Regarding this content:

• We do not claim ownership of any content you submit.
• We do not display your content to other users.
• We do not sell or commercially exploit your submitted content.
• Content submitted to AI tools is transmitted to OpenAI for processing and is subject to OpenAI's data use policies (see Section 6).
• We do not use your submitted content to train or fine-tune any publicly accessible AI model.

Your content remains yours.

6. Third-Party Processors and Cross-Border Data Transfers

Salag engages the following third-party service providers (Personal Information Processors) who may receive or process your personal data. These providers are located outside the Philippines, and the transfer of personal data to them constitutes a cross-border transfer under Section 21 of the Data Privacy Act of 2012 and NPC Circular No. 16-01.

We require that all processors implement adequate security measures and process your data only for the purposes we specify.

We do not sell your personal information to any third party, and we do not share your data with parties for their own advertising or marketing purposes.

7. Data Retention

We retain your personal information only for as long as necessary for the purposes for which it was collected, or as required by applicable law.

• Active account data (name, email, profile, usage history): Retained while your account remains active.
• Invoice and financial records: Retained for a minimum of five (5) years in compliance with applicable Philippine tax and commercial laws.
• Uploaded project delivery files: Retained for 30 to 180 days depending on your subscription plan, after which they are permanently deleted.
• Audit and security logs (IP addresses, user agents, session tokens): Retained for up to 12 months for security and dispute resolution purposes.
• Anonymous usage fingerprints: Reset monthly for rate limiting purposes.
• Email subscriber data: Retained until you unsubscribe. Deletion requests are honored within 30 days.

Upon account deletion, your personal account data and tool-generated content are deleted within 30 days, subject to retention obligations imposed by law.

8. Cookies and Tracking Technologies

Salag uses the following cookies and tracking technologies:

• Session cookies: Necessary for authentication and to maintain your logged-in state. These are deleted when you close your browser.
• Persistent authentication tokens: Used by our authentication system to keep you signed in across sessions if you choose to remain logged in.
• Analytics cookies (via Google Analytics 4): Collect anonymized aggregate data about page visits and tool usage. You may opt out of Google Analytics via browser add-ons or privacy settings.

We do not use advertising cookies, third-party tracking pixels, or cookies for behavioral retargeting.

9. Data Security

We implement reasonable and appropriate organizational, physical, and technical security measures to protect your personal data against unauthorized access, disclosure, alteration, or destruction. These include:

• HTTPS encryption for all data in transit
• Password hashing using industry-standard algorithms
• Role-based access controls limiting internal data access
• Audit logging of all significant account and data actions
• Rate limiting and automated abuse detection
• Encrypted storage for file uploads

No security system is infallible. In the event of a personal data breach that poses a real risk to your rights and freedoms, we will notify affected users and the National Privacy Commission in accordance with NPC Circular No. 16-03.

10. Your Rights as a Data Subject

Under Chapter IV of the Data Privacy Act of 2012, you have the following rights with respect to your personal information:

• Right to be Informed (Sec. 16a): You have the right to know whether we are processing your personal data, and for what purposes.
• Right to Access (Sec. 16b): You may request a copy of the personal data we hold about you.
• Right to Rectification (Sec. 16c): You may request correction of inaccurate or incomplete personal data.
• Right to Erasure or Blocking (Sec. 16d): You may request deletion or blocking of your personal data where it is no longer necessary for the purpose it was collected, or where you have withdrawn consent, subject to legal retention obligations.
• Right to Object (Sec. 34): You may object to the processing of your personal data, particularly for direct marketing or when processing is based on legitimate interests.
• Right to Data Portability (Sec. 18): You may request a copy of your personal data in a structured, commonly used, machine-readable format.
• Right to Damages (Sec. 16f): You may be indemnified for any damages you suffer due to inaccurate, incomplete, outdated, or unauthorized use of your personal data.
• Right to Lodge a Complaint: You have the right to file a complaint before the National Privacy Commission at www.privacy.gov.ph.

To exercise any of these rights, contact us at privacy@salag.app. We will respond within 15 business days.

11. Children's Privacy

Salag is not directed at children under the age of 18. We do not knowingly collect personal information from minors. If we become aware that we have collected personal data from a child without verifiable parental consent, we will delete that information promptly. If you believe a minor has submitted personal data through Salag, please contact us at privacy@salag.app.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes:

• We will update the "Last updated" date at the top of this page.
• We will notify registered users via email or an in-app notice for significant changes.
• Your continued use of Salag after changes have been published constitutes acceptance of the revised Policy.

13. Governing Law and Jurisdiction

This Privacy Policy shall be governed by and construed in accordance with the laws of the Republic of the Philippines, including but not limited to:

• Republic Act No. 10173 (Data Privacy Act of 2012)
• Its Implementing Rules and Regulations
• NPC Circulars and issuances

Any dispute arising from the interpretation or application of this Policy shall be subject to the jurisdiction of the appropriate courts of the Republic of the Philippines, or the National Privacy Commission where applicable.

14. Contact and Data Protection Officer

For all privacy-related inquiries, requests to exercise data subject rights, or reports of potential data breaches, please contact our designated privacy officer: