Privacy Policy

PinoyISP ("we," "us," or "our") is a Software-as-a-Service (SaaS) platform that provides billing, subscriber management, and network operations tools for Philippine Internet Service Providers (ISPs).

For purposes of the Data Privacy Act, PinoyISP acts as a Personal Information Processor (PIP) — we process personal data on behalf of our ISP clients, who are the Personal Information Controllers (PICs) responsible for their subscribers' data.

Contact: [email protected]

When ISP administrators use PinoyISP to manage their subscribers, the following personal data may be stored on our platform:

• Subscriber information: Full name, address, barangay, email address, phone number
• Account information: Account number, PPPoE username (connection credentials are encrypted at rest)
• Billing records: Invoices, payment history, outstanding balances, payment proof photos
• Connection data: Online/offline status, MikroTik profile, optical signal readings
• Location data: GPS coordinates (latitude/longitude) when entered by the ISP for subscriber mapping
• Communication records: Support ticket messages, live chat conversations
• Social media: Facebook profile URL, if voluntarily provided by the ISP

For ISP administrators and staff, we collect: name, email address, hashed password, role, and activity logs.

We process personal data solely for the following purposes:

• Providing the PinoyISP platform and its features to our ISP clients
• Generating and managing billing invoices and payment records
• Enabling ISP staff to manage subscriber accounts and MikroTik configurations
• Operating the customer self-service portal for subscribers
• Sending transactional notifications (invoices, payment confirmations, account alerts)
• Providing customer support to ISP administrators
• Ensuring platform security and preventing unauthorized access

We do not sell, rent, or use subscriber data for advertising or third-party marketing.

We process personal data under the following lawful bases as defined in Section 12 and 13 of the Data Privacy Act:

• Contractual necessity: Processing is required to perform our service agreement with ISP clients
• Legitimate interests: Security monitoring, fraud prevention, and platform integrity
• Compliance with legal obligations: Retaining billing records for tax and regulatory compliance

ISP clients (as Personal Information Controllers) are responsible for obtaining proper consent from their subscribers before entering subscriber data into PinoyISP.

We do not share personal data with third parties except in the following limited circumstances:

• Infrastructure providers: Our hosting provider (for servers and data storage) under strict confidentiality agreements
• Legal requirements: If required by Philippine law, court order, or government authority
• Business transfer: In the event of a merger or acquisition, data would be transferred with appropriate notice

We do not transfer personal data outside the Philippines except to infrastructure providers who maintain equivalent data protection standards.

We implement the following technical and organizational measures to protect personal data:

• Encryption in transit: All data transmitted via HTTPS (TLS 1.2+) with Cloudflare SSL
• Encryption at rest: Sensitive credentials (PPPoE passwords, router passwords) encrypted using AES-256-GCM
• Access control: Role-based permissions; staff can only access data within their authorized scope
• Authentication: Password hashing (bcrypt), optional two-factor authentication (TOTP)
• Tenant isolation: Each ISP's data is strictly isolated — no cross-organization access is possible
• Audit logging: All administrative actions are logged with timestamp and user identity
• Brute-force protection: Login rate limiting (5 attempts → 15-minute lockout)

We retain personal data for as long as the ISP's subscription is active and as required by law:

• Active subscriber records: Retained while the ISP account is active
• Archived/deleted subscribers: Soft-deleted (flagged as archived), retained for audit purposes
• Billing records: Retained for a minimum of 5 years for tax compliance under Philippine law
• Chat and support records: Retained for 2 years after account closure
• Audit logs: Retained for 2 years

When an ISP account is permanently closed, all associated personal data will be deleted within 90 days, except where retention is required by law.

Under the Data Privacy Act of 2012, individuals whose data is processed have the following rights:

• Right to be informed: Know what data is collected and how it is used
• Right to access: Request a copy of your personal data held by us
• Right to correction: Request correction of inaccurate or incomplete data
• Right to erasure: Request deletion of your data (subject to legal retention requirements)
• Right to object: Object to the processing of your data for specific purposes
• Right to data portability: Receive your data in a structured, commonly used format
• Right to damages: Seek compensation for damages caused by privacy violations

Subscribers of ISPs using PinoyISP should direct their data rights requests to their ISP first. ISP administrators may contact us at [email protected] to exercise rights on behalf of their subscribers.

In the event of a personal data breach that poses a real risk of serious harm, we will:

• Notify the National Privacy Commission (NPC) within 72 hours of discovery
• Notify affected ISP clients and, where appropriate, their subscribers
• Document the breach, its scope, and the remediation steps taken

The PinoyISP platform uses essential session cookies for authentication purposes only. We do not use third-party analytics cookies or advertising trackers.

We may update this Privacy Policy from time to time. We will notify ISP administrators of material changes by email and by posting the updated policy on this page with a new effective date. Continued use of the platform after the effective date constitutes acceptance of the updated policy.

For privacy-related questions, data subject requests, or to report a concern:

• Email: [email protected]
• Subject line: "Data Privacy Request"

If you are not satisfied with our response, you have the right to lodge a complaint with the National Privacy Commission of the Philippines at privacy.gov.ph.