1. Introduction

This Privacy Policy explains how we collect, use, disclose, and protect personal data when you access and use the ERPat System, our Enterprise Resource Planning (ERP) Software-as-a-Service (SaaS) platform (the “Service”). We are committed to protecting personal data in compliance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and the Philippine Data Privacy Act of 2012 (RA 10173).

In the context of the ERPat System:

• Our customers act as Data Controllers for personal data processed within the ERPat System.
• We act as a Data Processor when processing personal data on behalf of our customers, and as a Data Controller for data related to our own operations (e.g., account administration, billing, and website usage).

2. Personal Data We Process

Depending on how the ERPat System is used, we may process the following categories of personal data:

• Account information (name, email address, role, login credentials)
• Business and operational data entered by customers (e.g., employee, customer, vendor data)
• Usage and system data (audit logs, access logs, activity records)
• Support-related information submitted through support channels

3. Purpose and Legal Basis for Processing

We process personal data for the following purposes and legal bases:

• Performance of a contract: to provide, operate, and maintain the ERPat System
• Legal obligations: payroll, accounting, taxation, and compliance-related processing
• Legitimate interests: security monitoring, audit logs, system improvement, and fraud prevention
• Consent: where required, such as for optional communications or marketing

For Philippine law compliance, processing is based on the legitimate purposes outlined in RA 10173, including contractual necessity, legal obligations, legitimate interests, and consent when required.

4. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected:

• Customer account data is retained while the account is active
• Customer-entered data is retained until deleted by the customer or upon contract termination
• System logs and audit records are retained for a limited period for security and compliance purposes
• Backup data is retained for a defined retention period and securely deleted thereafter

Specific retention periods may vary based on legal, regulatory, or contractual requirements under GDPR and the Philippine Data Privacy Act.

5. Data Subject Rights

Individuals whose personal data is processed through the ERPat System have rights under applicable data protection laws, including the right to access, correct, delete, restrict processing, and obtain a copy of their personal data.

Our customers act as the data controllers for personal data processed within the ERPat System. Requests to exercise data subject rights should generally be directed to the relevant customer.

Where a request relates to system-level data or requires our assistance as a data processor (such as audit logs, backups, or support records), requests may be submitted through our official support channels. We will act on such requests in coordination with the customer, in accordance with GDPR and the Philippine Data Privacy Act.

6. Security Measures

We implement appropriate technical and organizational measures to protect data, including access controls, encryption, secure authentication and audit logging.

7. Sub-processors

We may engage third-party service providers (sub-processors) to support the delivery of the ERPat System, such as hosting and email providers. All sub-processors are contractually bound to comply with GDPR and the Philippine Data Privacy Act obligations.

8. Cookies

The ERPat System uses only strictly necessary cookies required for authentication, session management, and core functionality. These cookies do not require user consent but are disclosed for transparency.

9. Contact Information

For privacy-related inquiries or data protection requests, you may contact us through our official support channels or designated privacy contact.