Data Privacy Policy

Tarkie Data Privacy Policy

Last Updated: May 18, 2025

1. Introduction

MobileOptima, Inc. (“Tarkie”, “we”, “us”, “our”) is committed to providing you the Tarkie fieldwork automation platform (the “Service”).

We process Personal Data in accordance with Republic Act No. 10173 (“Data Privacy Act of 2012”, “DPA”), its Implementing Rules and Regulations, and the issuances of the National Privacy Commission (“NPC”) while implementing safeguards to protect your privacy and keep your personal data safe and secure

By accessing or using the Service, you acknowledge that you have read and understood this Policy and our Cookie Policy.

2. Definitions

Personal Information (PI) - any information from which the identity of an individual is apparent or can be reasonably and directly ascertained.
Sensitive Personal Information (SPI) - information about an individual's race, ethnic origin, marital status, age, color, religious, philosophical or political affiliations, health, education, genetic or sexual life, government-issued identifiers (e.g., SSS, TIN), and location data when linked to an identifiable person.
Privileged Information - any data that constitutes privileged communication under the Rules of Court and other laws.

Other terms such as Processing, Personal Information Controller (PIC), and Personal Information Processor (PIP) have the meanings set out in the DPA.

3. Personal Data We Collect

Category	Specific Data Points
Identifiers	Name, email address, user IDs, phone number
Personal circumstances (provided by some clients)	Address, birthday, gender
Location	Precise location, approximate location (cell, WiFi) collected while app is in use and in the background
Device & telemetry	Battery level, device IMEI and other IDs, installed apps list, operating system version, crash logs
Media & files	Photos taken through the Tarkie app, photos selected from device gallery, uploaded files/documents
Usage	App interactions, timestamps, clickstream data

4. How We Collect Your Data

We collect your data:

• Directly from you when you create an account, complete forms, upload photos, or communicate with us
• Automatically through the applications via sensors (GPS), cookies, and similar technologies
• From your employer or another organization that subscribes to Tarkie and designates you as a user

5. Table of Processing Activities

#	Data Category	Purpose of Processing	Lawful Basis (DPA §12/13)	Retention	Key Security Controls
1	Identifiers	Account creation, authentication, user support	Contract performance (§12(b))	Contract term + 1 yr	Hash-salted passwords, MFA for admin
2	Precise & approximate location	Fieldwork validation, route optimization, proof of visit	Legitimate interest (§12(f)); In-app consent toggle	12 mos., then aggregated	TLS 1.3; AES256 at rest
3	Photographs & uploaded files	Evidence of task completion, client reporting	Contract (§12(b)); defense of legal claims (§13(f))	24 mos. unless dispute	Secure S3 bucket w/ object lock
4	Device telemetry (battery, IMEI, crash logs, installed apps)	Debugging and service improvement	Legitimate interest (§12(f))	12 mos. rolling	Pseudonymized device IDs; least-privilege IAM
5	Customer data uploaded by subscriber	SaaS hosting & processing on subscriber’s instructions. Client is solely responsible for the accuracy and lawfulness of all master data it uploads.	Tarkie acts as PIP; subscriber is PIC	As instructed by subscriber	Tenant isolation, server-side encryption
6	Marketing emails (name, email)	Updates, newsletters	Consent (§12(a)) / Opt-out	Until withdrawal or 6 months after last engagement	Suppression list to enforce opt-out

LegitimateInterest Assessment: For items processed under §12(f), Tarkie has balanced its business purposes against the privacy impact on data subjects in accordance with NPC Advisory 202402. Data subjects may object at any time.

6. How We Use Your Data

We use Personal Data only for the purposes listed above or those compatible with them, such as improving the Service, performing analytics, complying with legal obligations, and preventing fraud or abuse.

7. Sharing and Disclosure

We do not sell your Personal Data. We disclose it only:

• Within the Tarkie group on a need-to-know basis;
• To authorized third party processors that help us deliver the Service, under data processing agreements that meet DPA standards:

Processor	Function	Location
Amazon Web Services	Cloud hosting	USA (Oregon), Singapore (backup)
Mixpanel	Product analytics	USA
SendGrid	Transactional email	USA
Go High Level	Marketing automation	USA
M360 Text	SMS gateway	Philippines
MapTiler	Map tiles & geocoding	Switzerland

• When required by law or a valid legal process.

8. International Data Transfers

Primary servers are hosted in AWS us west 2 (Oregon, USA) with encrypted backups in AWS ap southeast 1 (Singapore) .

Cross-border transfers are governed by the Philippine Standard Contractual Clauses (SCCPH1). A copy is available on request.

9. Security Measures

We implement reasonable and appropriate organizational, physical, and technical security measures for the protection of personal data that we have collected. The security measures shall aim to maintain the availability, integrity, and confidentiality of personal data and are intended for the protection of personal data against any accidental or unlawful destruction, alteration, and disclosure, as well as against any other unlawful processing.

Tarkie maintains a Privacy Management Program aligned with NPC Circular 2023 06 and ISO 27001, including:

• Role-based access control and MFA
• Encryption at rest (AES-256) and in transit (TLS 1.3)
• Quarterly vulnerability scanning and annual penetration testing
• Disaster recovery and business continuity plans (RPO = 30 min; RTO = 4 hrs)
• Annual privacy and security training for all personnel

10. Retention and Disposal

Data	Retention Rule	Legal/Business Driver	Disposal Method
User account data	Contract term + 1 yr	Civil Code (10 yrs)	Secure delete
GPS & telemetry	12 mos.	NPC proportionality principle	Autopurge lifecycle rule
Photographs	24 mos.	Typical client dispute window	Cryptographic wipe
Financial records	10 yrs	BIR Revenue Regs 5-2020	Secure shred / digital purge
HR & recruitment files	5 yrs after separation	DOLE D.O. 174-17	Secure delete
Marketing contact list	Until opt-out or 6 months of inactivity	NPC direct marketing guidance	Suppression list

When retention expires, data are irreversibly anonymized or securely destroyed.

11. Cookies & Tracking Technologies

We use cookies, SDKs, and similar technologies to:

• Maintain session state (essential)
• Analyze product usage (analytics)
• Deliver marketing communications (optional)

A cookie banner lets you reject non-essential cookies. See our separate Cookie Policy for a full list of cookies, providers, and lifetimes.

The Tarkie mobile app requests permission to access GPS, camera, and photo gallery. You may withdraw any permission in your device settings, though certain features may then be unavailable.

12. Automated Decision-Making & Profiling

Tarkie uses Google Maps APIs to suggest optimal delivery routes. This optimization does not make legal or similarly significant decisions about you; human confirmation is always required before routes are finalized.

You may request human review of any decision you believe was made solely by automated means.

13. Confidentiality

Our employees shall operate and hold personal data under strict confidentiality. They are required to sign non-disclosure agreements and have received training on the company's privacy and security policies to ensure confidentiality and security of personal data.

14. Marketing & Publicity

With the Client’s prior written consent (granted within its software agreement), Mobile Optima, Inc. may display the Client’s name and logo on Tarkie’s website, sales decks, or press releases solely to identify the Client as a customer. The Client may revoke this permission at any time by e-mailing privacy@mobileoptima.com

15. Your Rights

You are entitled to the following rights:

A. Be informed on whether your personal information shall be, are being or have been processed;

B. Be furnished with relevant information as indicated below before the entry of your personal information in our processing system, or at the next practical opportunity:

1. Description of the personal information to be entered into the system;
2. Purposes for which they are being or are to be processed;
3. Scope and method of the personal information processing;
4. The recipients or classes of recipients to whom they are or may be disclosed;
5. Methods utilized for automated access, if the same is allowed by the data subject, and the extent to which such access is authorized;
6. Our identity and contact details as the personal information controller or our representative[s];
7. The period for which the information will be stored; and
8. The existence of their rights, i.e., to access, correction, as well as the right to lodge a complaint before the Commission.

Any information supplied or declaration made to you on these matters shall not be amended without prior notification: Provided, That the notification shall not apply should the personal information be needed pursuant to a subpoena or when the collection and processing are for obvious purposes, including when it is necessary for the performance of or in relation to a contract or service or when necessary or desirable in the context of an employer-employee relationship, or when the information is being collected and processed as a result of legal obligation;

C. Reasonable access to, upon demand, the following:

1. Contents of your personal information that were processed;
2. Sources from which personal information were obtained;
3. Names and addresses of recipients of the personal information;
4. Manner by which such data were processed;
5. Reasons for the disclosure of the personal information to recipients;
6. Information on automated processes where the data will or likely to be made as the sole basis for any decision significantly affecting or will affect you;
7. Date when your personal information was last accessed and modified; and
8. Our designation, or name or identity and address as the personal information controller.

D. Dispute the inaccuracy or error in the personal information and have us correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable. If the personal information has been corrected, we shall ensure the accessibility of both the new and the retracted information and the simultaneous receipt of the new and the retracted information by recipients thereof: Provided that the third parties who have previously received such processed personal.

E. Suspend, withdraw or order the blocking, removal or destruction of your personal information from our filing system upon discovery and substantial proof that the personal information are incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes or are no longer necessary for the purposes for which they were collected; and F. Be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal information.

F. Right to data portability - where personal information is processed by electronic means and in a structured and commonly used format, you have the right to obtain from us a copy of data undergoing processing in an electronic or structured format, which is commonly used and allows for further use.

How to exercise your rights:

1. Submit a request via email to dpo@mobileoptima.com with “Data Privacy” in the subject line.
2. We will acknowledge within 15 calendar days and may ask for proof of identity.
3. We will act on your request within 30 calendar days or explain any lawful grounds for refusal or extension.
4. If you are not satisfied, you may complain to the NPC (https://privacy.gov.ph).

16. Data Protection Officer

MOBILE OPTIMA, INC.'s Data Protection Officer
Unit 810, Citystate Center Bldg., 709 Shaw Blvd., Pasig 1600, Philippines
Tel: +63 2 7758 0677
Email: dpo@mobileoptima.com

17. Changes to This Policy

We may amend this Policy from time to time. Material changes will be announced on our website and, where required by law, we will seek your renewed consent. Previous versions are archived here.

If you continue to use the Service after the effective date of an updated Policy, you are deemed to have accepted the changes.

© 2012 - 2025 MobileOptima, Inc. All Rights Reserved.