Privacy Policy
Effective date: 2026-05-13
Version: 2026-05-13
This Privacy Policy explains how Property Technology Solutions Inc. (“Collo”, “we”, “us”) collects, uses, shares, retains, and protects your personal data when you use the Collo platform — including the Collo HOA, Collo Condo, Collo Resident, and white-labelled resident apps and websites (collectively, the “Service”).
This policy is issued in compliance with Republic Act No. 10173 — the Data Privacy Act of 2012 (DPA) — its Implementing Rules and Regulations, and the issuances of the National Privacy Commission (NPC).
1. Who we are (Data Controller)
| Data Controller | Property Technology Solutions Inc. |
| SEC Registration No. | 2022090067404-01 |
| Office Address | Kalayaan Ave., Taguig City, Philippines |
| Email | support@collo.ph |
| Website | https://collo.ph |
Data Protection Officer (DPO)
| Name | Carlo Miguel Dimapasoc |
| Email | dpo@collo.ph |
| Phone | +63 917 832 7166 |
The DPO is your point of contact for privacy questions, access requests, complaints, and consent withdrawal.
2. Personal data we collect
We collect the following categories of personal data:
2.1 Identity & contact data
Full name, date of birth, gender, civil status, nationality, government-issued ID photos (for resident verification), email address, mobile and landline numbers, emergency contact details.
2.2 Property & occupancy data
Unit number, ownership records, lease/occupancy status, move-in/move-out dates, household members, pets, vehicles.
2.3 Financial & billing data
Association dues, utility charges, invoices, payment records, payment proof images, reference numbers, payment channels used.
2.4 Operational data
Visitor logs, gate passes, delivery records, work permits, maintenance and incident reports, facility bookings, announcements you interact with, chat messages within the app.
2.5 Device & technical data
Device push-notification tokens, device type and OS version, IP address, user-agent string, login timestamps, session identifiers, audit log entries.
2.6 Sensitive personal information (DPA §3(l))
Government-issued ID images and numbers are treated as sensitive personal information and processed only where strictly necessary to verify residency, ownership, or identity.
We do not knowingly collect personal data from children under 18. The Service is intended for adult unit owners, residents, staff, and authorised household representatives.
3. Why we process your data (Purposes & Legal Basis)
Processing under the DPA requires a lawful basis under §12 (personal data) or §13 (sensitive personal data). We rely on the following:
| Purpose | Legal Basis (DPA) |
|---|---|
| Provide condominium / HOA management services (billing, payments, gate passes, maintenance, facility bookings) | Contract — necessary for the agreement between you and your association/property |
| Verify your identity, ownership, and residency | Legal obligation and legitimate interest in preventing fraud and unauthorised access |
| Send transactional notifications (bill issued, payment received, visitor arrival) | Contract and legitimate interest |
| Send announcements from your association | Legitimate interest of the association |
| Generate financial and regulatory reports | Legal obligation under BIR, SEC, and other Philippine regulations |
| Detect and prevent fraud, abuse, and security incidents | Legitimate interest |
| Marketing communications about new Collo features | Consent — you may opt out at any time |
| Cookies and analytics on collo.ph | Consent (for non-essential cookies); legitimate interest (for strictly necessary cookies) |
| Sharing data with your association's board, staff, and authorised property managers | Contract and legitimate interest |
We do not sell your personal data. We do not use your data for automated decision-making that produces legal effects on you.
4. Who we share your data with
4.1 Within your community
- Your association/property management entity (the data controller for your community's operations)
- Authorised board members and staff (security, maintenance, accounting) on a need-to-know basis
- Other residents only when you initiate contact (e.g., posting in a community channel, listing in the resident directory if enabled)
4.2 Our processors and service providers
We use the following service providers (“Personal Information Processors” under the DPA). Each is bound by a written agreement to process your data only on our instructions and to implement reasonable and appropriate security measures.
| Processor | Purpose | Region |
|---|---|---|
| Supabase, Inc. | Primary database, authentication, file storage | Singapore (ap-southeast-1) |
| Google Cloud Platform (Cloud Run, Cloud Build, Cloud Storage) | Application hosting and build pipeline | Singapore (asia-southeast1) |
| Resend | Transactional email delivery | United States |
| Sentry | Error monitoring and crash reporting | United States |
| Expo Application Services (EAS) | Mobile app push notifications and over-the-air updates | United States |
| Rakuten Viber | OTP delivery and transactional notifications via Viber | European Union / Global |
| Xendit | Payment processing (cards, e-wallets, QRPH) | Philippines / Singapore |
4.3 Disclosures required by law
We may disclose your data to government authorities, courts, or regulators when required by a valid subpoena, court order, or written demand under Philippine law (e.g., NBI, BIR, AMLC, NPC).
5. Cross-border transfers
Some of our processors store and process data outside the Philippines (primarily Singapore and the United States). When data is transferred internationally we ensure appropriate safeguards consistent with NPC Circular 16-02 and prevailing NPC guidance, including:
- Written data-processing agreements with binding confidentiality and security obligations
- Use of standard contractual clauses or equivalent legal mechanisms where applicable
- Verification that the processor's home jurisdiction provides adequate data-protection standards
You may request a list of the active safeguards from the DPO.
6. How long we keep your data (Retention)
We keep personal data only for as long as necessary for the purpose for which it was collected, subject to legal retention requirements.
| Category | Retention Period |
|---|---|
| Active account & profile data | While your account is active + 1 year |
| Billing, payments, and financial records | 10 years (per BIR and Philippine accounting rules) |
| Audit logs (access, security events) | 5 years |
| Government ID images | While occupancy/ownership is active + 1 year |
| Visitor logs, gate passes, deliveries | 2 years |
| Maintenance and incident reports | 5 years |
| Marketing consent records | Until consent is withdrawn |
| Chat messages within the app | While the conversation/community exists, then 2 years |
| Backups | Up to 90 days after deletion from primary storage |
After the retention period elapses, we either delete the data securely or anonymise it for statistical use.
7. Your rights under the Data Privacy Act
As a data subject you have the following rights:
- Right to be informed — to be told that your data is being or has been collected and processed.
- Right to access — to request a copy of the personal data we hold about you.
- Right to correction — to ask us to fix inaccurate or outdated information.
- Right to erasure or blocking — to have your data removed or its processing suspended when there is a substantial legal basis under DPA §16(e).
- Right to object — to refuse processing for specific purposes such as direct marketing.
- Right to data portability — to receive your data in a structured, commonly used, machine-readable format.
- Right to damages — to be indemnified for damages sustained from inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorised use of your personal data.
- Right to file a complaint — with the National Privacy Commission.
To exercise any of these rights, email dpo@collo.ph. We will respond within 30 calendar days. We may need to verify your identity before acting on a request.
8. Withdrawing consent
You can withdraw your consent at any time:
- Marketing: tap “Unsubscribe” in any marketing email, or change your notification preferences in the app.
- Service use: open the mobile app → Account → Request Account Deletion, or email dpo@collo.ph.
- Cookies: clear cookies in your browser; disable non-essential cookies via the website cookie banner.
Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal. If you withdraw consent that is necessary to provide the Service, we may have to discontinue your access to the Service.
9. How we protect your data (Security)
We implement organisational, physical, and technical security measures appropriate to the risk of processing, including:
- Access control: role-based access, principle of least privilege, multi-factor login via one-time passcode (OTP).
- Encryption: TLS 1.2+ in transit; AES-256 at rest in our database and object storage.
- Network security: row-level security policies on every database table; API-level multi-tenant isolation; cloud firewall rules.
- Audit logging: every privileged operation is logged with user, timestamp, IP, and user-agent.
- Incident response: documented breach response plan, notification to the NPC and affected data subjects within 72 hours where required by NPC Circular 16-03.
- Vendor management: due-diligence and written agreements with all processors.
- Personnel training: annual data-privacy training for staff who handle personal data.
No system is fully secure. If you become aware of a security issue, please email dpo@collo.ph.
10. Cookies and similar technologies
Our website collo.ph uses cookies and similar technologies for:
- Strictly necessary cookies — session management, security (cannot be disabled).
- Functional cookies — remember language and display preferences.
- Analytics cookies — measure usage and improve the Service. Requires your consent.
The Collo mobile apps and the resident web portal do not use third-party advertising trackers or cross-site tracking pixels.
11. Children
The Service is not directed at children under 18. We do not knowingly collect personal data from minors. If you believe a minor has provided personal data to us, please email dpo@collo.ph and we will delete it.
12. Filing a complaint with the NPC
If you believe your privacy rights have been violated and you are not satisfied with our response, you may file a complaint with the National Privacy Commission:
- Email: complaints@privacy.gov.ph
- Website: https://privacy.gov.ph
- Phone: +63 (2) 8234-2228
- Address: 5th Floor, Philippine International Convention Center, Vicente Sotto Avenue, Pasay City, Metro Manila
13. Changes to this Policy
We may update this Privacy Policy from time to time. The “Version” stamp at the top of this page reflects the current version. When we make material changes, we will:
- Update the Version and Effective date.
- Re-prompt you to review and accept the new policy the next time you log in to the app or website.
- Notify you via email if the changes affect your rights or our use of your data.
Continued use of the Service after the updated policy takes effect constitutes acceptance of the changes (subject to any required new consents).
14. Contact
For any questions, requests, or complaints regarding this Privacy Policy or the way we handle your personal data:
Property Technology Solutions Inc.
Data Protection Officer: Carlo Miguel Dimapasoc — dpo@collo.ph
Support: support@collo.ph
Phone: +63 917 832 7166
Office: Kalayaan Ave., Taguig City, Philippines
Website: https://collo.ph