Privacy Notice

Last updated: April 26, 2026

1. Data Controller

Margolio ("we," "our") is the data controller for personal information processed through this platform. For questions about data handling, contact our Data Protection Officer at dpo@margolio.com.

2. Personal Information Collected

We collect the following categories of personal information:

  • Account information: Full name, email address, and password (managed by Clerk, our authentication provider).
  • Client business information: Business name, owner name, address, Tax Identification Number (TIN), SSS employer number, and business classification details.
  • Sensitive personal information (TIN): Tax Identification Numbers are classified as sensitive personal information under Republic Act No. 10173 (Data Privacy Act of 2012). TINs are collected solely for the purpose of generating accurate BIR compliance calendars and are stored with encryption at rest.
  • Contact information: Email addresses and optional mobile numbers provided for client reminder configuration.
  • Uploaded documents: Files uploaded by your clients through shareable upload links, including metadata (filename, file size, upload timestamp, uploader IP address).
  • Payment information: Processed by PayMongo Payments, Inc. We do not store or process sensitive card data; all transactions are handled by our BSP-regulated partner, PayMongo.

3. Legal Basis for Collection

  • Contractual necessity: Processing client information is necessary to perform the compliance tracking service you subscribed to.

4. Data Retention

  • Account data: Retained for the duration of your active subscription plus 30 days after account closure.
  • Client profiles and deadlines: Retained for the duration of your subscription. Soft-deleted data is permanently erased after 90 days.
  • Audit logs: Retained for 7 years to comply with BIR record-keeping requirements.
  • Uploaded documents: Retained for 5 years after upload, then permanently deleted.

5. Third-Party Processors

We share personal information with the following third-party processors, each with a specific legal basis:

  • Supabase (database hosting): Contractual necessity. Stores all client data, deadlines, and uploaded documents.
  • Clerk (authentication): Contractual necessity. Manages user identity and session tokens.
  • Resend (email delivery): Contractual necessity. Delivers deadline reminder emails and transactional notifications.
  • Upstash Redis (rate limiting): Contractual necessity. Stores rate-limiting counters. No personal data is retained beyond request processing.
  • PayMongo (payments): Contractual necessity. Processes prepaid Service Access Period payments and handles local transaction compliance.
  • Sentry (error tracking): Legitimate interest. Collects anonymized error reports to identify and fix software bugs affecting service reliability. No personal data or TINs are included in error reports.

6. Your Rights Under RA 10173

As a data subject under the Data Privacy Act of 2012, you have the right to:

  • Be informed about how your data is collected and processed
  • Access your personal data held by Margolio
  • Object to processing of your personal data
  • Request erasure or blocking of your personal data
  • Request rectification of inaccurate personal data
  • Lodge a complaint with the National Privacy Commission
  • Obtain a copy of your data in a portable format
  • Be indemnified for damages sustained due to unauthorized processing

To exercise any of these rights, contact our Data Protection Officer at dpo@margolio.com. We will respond within 15 business days.

7. National Privacy Commission

If you believe your data privacy rights have been violated, you may file a complaint with the National Privacy Commission at complaints@privacy.gov.ph.

8. Data Protection Officer

Our Data Protection Officer can be reached at dpo@margolio.com for any data privacy inquiries or requests.