Privacy Policy

Last updated: May 2026

1. Introduction

Toleds ("we", "us", "our") is a hyperlocal platform serving Toledo City, Cebu, Philippines. This Privacy Policy explains how we may collect, use, store, share, and protect your personal information when you use the Toleds mobile application, website, and related services (the "Platform"). This Policy applies to all users — buyers, riders, business owners, staff, and visitors.

By using the Platform, you acknowledge and consent to the practices described in this Policy. This Policy is governed by Republic Act No. 10173 (Data Privacy Act of 2012) and its Implementing Rules and Regulations.

2. Categories of Data We May Collect

We may collect the categories of data described below. The Platform is evolving, and the specific data fields collected may change as we add features, services, payment methods, and integrations. Material changes are communicated as described in Section 13.

2.1 Information You Provide

  • Account credentials (email address, password)
  • Profile information (name, profile photo, home barangay, contact details)
  • Phone number and other contact information
  • Delivery and pickup addresses, including geographic coordinates
  • Order content, special instructions, errand checklists, and shopping lists
  • Payment information, wallet activity, and transaction history (when applicable)
  • Identity and verification documents, including government-issued IDs and selfies (riders, business owners, and other roles requiring verification)
  • Business information, menu items, pricing, photos, and operating hours (business owners)
  • Vehicle information, driver's license, and registration documents (riders)
  • Posts, comments, reactions, reviews, ratings, polls, and other community content
  • Messages exchanged with businesses, riders, support, or other users through the Platform
  • Survey responses, feedback, and customer support communications
  • Referral codes, raffle entries, voucher redemptions, and promotional activity

2.2 Information Collected Automatically

  • Device information (model, operating system, language, time zone, unique device identifiers, advertising identifiers)
  • App and browser information (version, build, crash reports, performance metrics)
  • Network information (IP address, carrier, connection type)
  • Session identifiers, authentication tokens, and push notification tokens
  • Usage data (pages and screens viewed, features used, search queries, taps, scroll behavior, timestamps, in-app navigation paths)
  • Location data, including approximate location (from IP or coarse signals) and precise geolocation when you grant permission and use location-dependent features (such as address picking, delivery, and live rider tracking)
  • Cookies, local storage, SDK identifiers, and similar technologies on our website and embedded web views

2.3 Information from Third Parties

We may receive information about you from third parties such as service providers, payment processors, identity verification partners, government registries, public records, marketing partners, and platforms you use to authenticate (where applicable). We may combine this information with data we collect directly.

3. Lawful Basis for Processing

We process personal data on one or more of the following lawful bases under the Data Privacy Act of 2012:

  • Consent — where you have given specific, informed consent (for example, to use precise location, receive marketing, or submit verification documents).
  • Contractual necessity — to provide the services you request (account, orders, deliveries, payouts, communications).
  • Legitimate interest — to operate, secure, develop, analyze, market, and improve the Platform; to prevent fraud and abuse; and to pursue commercial activities consistent with applicable law.
  • Legal obligation — to comply with Philippine law, regulatory requirements, tax and accounting rules, court orders, and lawful government requests.
  • Vital interests — to protect the life or safety of a person.

4. How We May Use Your Data

We may use personal data for purposes including, but not limited to, the following. As the Platform expands, additional purposes consistent with the categories below may be added.

  • Creating, authenticating, and managing your account and verifying identity
  • Operating the Platform and providing the services you request, including matching customers, businesses, and riders
  • Routing, dispatching, and tracking deliveries and errands
  • Processing orders, payments, payouts, refunds, vouchers, raffles, and referral rewards
  • Communicating with you (transactional notifications, service announcements, support, and — where permitted — marketing and promotional messages)
  • Personalizing content, search results, recommendations, and offers
  • Performing analytics, research, market analysis, business intelligence, and product development
  • Preventing, detecting, and investigating fraud, abuse, security incidents, and violations of our Terms
  • Enforcing our agreements, exercising legal rights, and complying with legal and regulatory obligations
  • Generating de-identified, anonymized, aggregated, statistical, or pseudonymized datasets for analytics, research, partnerships, reports, and commercial uses, including sale or licensing where permitted by law
  • Training, evaluating, and improving algorithms and automated systems used by the Platform
  • Supporting business operations such as accounting, audit, insurance, and corporate transactions
  • Other purposes that are compatible with the categories above and disclosed at the time of collection

5. Automated Processing and Decision-Making

The Platform uses automated systems for tasks such as rider dispatch and matching, order routing, fraud detection, content moderation, ranking, and personalization. These systems operate using rules, scoring, and algorithms based on the data described in Section 2. Where an automated decision significantly affects you, you may request human review by contacting our Data Protection Officer.

6. How We May Share Your Data

6.1 With Other Users to Deliver the Service

  • Riders may receive your name, contact details, delivery address, order details, and pickup location to fulfill your order.
  • Businesses may receive your name, contact details, and order details for orders placed with them.
  • Other users may see information you choose to share publicly (for example, display name, avatar, public posts, ratings, reviews, and barangay).
  • Customers and businesses may receive a rider's display name, photo, vehicle information, contact number, and live location during active deliveries.

6.2 With Service Providers and Processors

We share data with third-party processors who perform services on our behalf. We require these processors to protect personal data and use it only for the purposes we direct. Our current categories and named processors include:

  • Backend infrastructure, database, authentication, file storage, and serverless functions — Nhost (data hosted on AWS infrastructure in Singapore, ap-southeast-1).
  • Web hosting and content delivery — Cloudflare.
  • Transactional email delivery — Postmark.
  • Push notifications — OneSignal.
  • Mobile app distribution — Apple App Store and Google Play.
  • Map data — self-hosted tile infrastructure operated by Toleds.

The list of processors may change as the Platform evolves. We will update this Policy or maintain a current list when changes occur.

6.3 With Partners and Affiliates

We may share data with our affiliates, partners, advisors, auditors, insurers, professional advisers, and counterparties to corporate transactions (such as financing, mergers, acquisitions, or asset sales), subject to appropriate confidentiality obligations and applicable law.

6.4 With Government and Legal Authorities

We may disclose personal data to comply with Philippine law, tax authorities, regulators, court orders, subpoenas, lawful government requests, and to protect rights, property, safety, the integrity of the Platform, and to investigate or prevent fraud or unlawful activity. We may notify affected users where permitted by law and operationally feasible.

6.5 Aggregated and De-Identified Data

We may create, use, share, license, sell, or publish aggregated, de-identified, anonymized, or pseudonymized data derived from Platform activity. Such data does not, on its own, identify individual users and is not treated as personal information under the Data Privacy Act.

7. Cross-Border Data Transfers

Your personal data may be processed and stored in the Philippines and in other jurisdictions where our processors operate, including Singapore (where Nhost hosts our backend on AWS) and other countries used by our service providers, content delivery network, email and push notification providers, and mobile app distribution partners. Where personal data is transferred outside the Philippines, we take reasonable measures to ensure that recipients are bound by data protection obligations consistent with the Data Privacy Act and its Implementing Rules.

8. Cookies and Similar Technologies

Our website and embedded web pages may use cookies, local storage, pixels, SDK identifiers, and similar technologies to operate the site, remember preferences, authenticate sessions, measure usage, and improve the experience. You can control cookies through your browser settings, but disabling them may affect functionality.

9. Data Storage, Security, and Retention

9.1 Storage

Personal data is stored on cloud infrastructure located in the Asia-Pacific region (primarily Singapore via AWS) and on systems operated by the processors listed in Section 6.2. Data in transit is encrypted using HTTPS/TLS.

9.2 Security

We implement reasonable administrative, technical, and physical safeguards designed to protect personal data, including hashed password storage, role-based access control, encrypted connections, access logging, and limited admin access. No system is fully secure; we cannot guarantee absolute security and disclaim liability for unauthorized access not caused by our gross negligence or willful misconduct.

9.3 Retention

We retain personal data for as long as necessary to fulfill the purposes described in this Policy, comply with legal obligations (including tax, commerce, AML, and regulatory retention rules), resolve disputes, enforce agreements, and pursue legitimate business interests. Specifically:

  • Account data is retained while your account is active.
  • Transaction, financial, payout, and order records may be retained for at least five (5) years after the relevant transaction, in line with Philippine tax, commerce, and audit requirements.
  • Verification and KYC documents may be retained while your account is active and for up to five (5) years following deactivation, for fraud, dispute, regulatory, and audit purposes.
  • Backups, audit logs, and security records may be retained for additional periods consistent with our security and compliance practices.
  • Following a deletion request, we will delete or de-identify personal data within thirty (30) days, subject to retention required or permitted by law.

10. Your Rights as a Data Subject

Under the Data Privacy Act of 2012, you have the rights below. To exercise any of them, contact our Data Protection Officer at the details in Section 14.

  • Right to be informed about the collection and processing of your personal data.
  • Right to access your personal data we hold.
  • Right to rectification of inaccurate or incomplete personal data.
  • Right to erasure or blocking, subject to legal retention requirements and other lawful grounds for continued processing.
  • Right to object to processing for specific purposes, including direct marketing.
  • Right to data portability, where the data is processed by automated means and based on consent or contract.
  • Right to damages for inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of your personal data.
  • Right to file a complaint with the National Privacy Commission.

We may verify your identity before responding to a request and may decline or limit a request where permitted by law.

11. Data Breach Notification

We will notify the National Privacy Commission and affected data subjects of a personal data breach in accordance with Section 38 of the Data Privacy Act and NPC Circular 16-03, including notification within seventy-two (72) hours where required. Notifications will describe the nature of the breach, the data affected, and the measures taken or recommended.

12. Children

The Platform is intended for users 18 years of age and older. Persons under 18 may use the Platform only with the consent and supervision of a parent or legal guardian, and only where permitted by law. Riders, business owners, and other roles requiring verification must be 18 or older. We do not knowingly collect personal data from a person under 18 without the required guardian consent and will delete such data upon discovery.

13. Changes to This Policy

We may update this Policy from time to time. The "Last updated" date reflects the most recent revision. Material changes will be communicated through the Platform, in-app notifications, email, or other reasonable means. Continued use of the Platform after the effective date constitutes acceptance.

14. Data Protection Officer and Contact

Toleds — Data Protection Officer

Email: hello@toleds.app

Address: Toledo City, Cebu, Philippines

For questions, requests, or complaints about your personal data, contact our Data Protection Officer at the address above. You may also file a complaint directly with the National Privacy Commission.

15. Governing Law

This Policy is governed by the laws of the Republic of the Philippines, including the Data Privacy Act of 2012 and its Implementing Rules and Regulations.