1. Our two roles under the Data Privacy Act
WealthFlow processes two different categories of data, and our role differs for each:
- Your account data — we are the Personal Information Controller (PIC). When you register and use WealthFlow as a financial advisor, we determine how your account information is processed.
- Your clients' and prospects' data — we are a Personal Information Processor (PIP). Any lead, client, prospect, meeting note, or financial detail you enter about other people is processed by us on your behalf and under your instructions. For that data, you are the PIC and are responsible for having a lawful basis (e.g. consent) to collect and input it. We process it only to provide the service to you.
2. Personal data we collect
From you (the advisor)
- Identity & contact: full name, email address, chosen insurance company.
- Authentication data: hashed password, or Google account identifier if you sign in with Google.
- Usage and technical data: log records, device/browser information, and IP address, processed by our infrastructure providers for security and reliability.
- Cookies strictly necessary to keep you signed in and to remember your selected company theme (see Section 8).
That you input about other people (clients/prospects)
- Names, contact details, occupation, employer, location.
- Financial and household information you choose to record (e.g. income range, dependents, coverage needs, budget).
- Meeting notes, call transcripts, and pipeline activity you create.
Some of this may constitute sensitive personal information under the Act (for example, information about health or financial condition). Only record what is necessary, and only where you have the data subject's consent or another lawful basis.
3. How and why we use personal data
- To create and operate your account and authenticate you.
- To provide the CRM, pipeline, proposal, and AI assistant features you request.
- To generate AI output (lead research, summaries, coaching, proposals) from the data you submit.
- To secure the service, prevent abuse, and maintain audit/security logs.
- To comply with legal obligations and respond to lawful requests.
Our lawful bases under Section 12–13 of the Act include your consent, the performance of our contract with you, our legitimate interests in running and securing the service, and compliance with law.
4. Third-party processors and disclosure
We do not sell personal data. We share it only with sub-processors that help us run the service, under confidentiality and data-protection obligations:
- Supabase — database, authentication, and hosting of your records.
- Groq — runs the AI model (Llama 3.3) that processes the text you submit to AI features.
- Tavily — performs live web searches for the Lead Generator and Prospect Research features, using the search terms you provide.
- Google— only if you choose “Continue with Google” sign-in.
Some of these providers process data on servers outside the Philippines. Where personal data is transferred abroad, we take steps consistent with the Act to ensure it remains protected, and we remain accountable for it. We may also disclose data when required by law, court order, or a lawful NPC request.
5. How we protect your data
- Row-Level Security:every record is scoped to your account in the database, so one advisor can never read or modify another's data.
- Encryption of data in transit (HTTPS/TLS) and at rest by our hosting provider.
- Authentication required for all application and AI functions, with enforced security response headers.
- Access to production data is limited and logged.
6. Data retention
We keep your account data for as long as your account is active. Data you enter about clients/prospects is retained until you delete it or close your account. On account closure, we will delete or anonymise personal data within a reasonable period, unless a longer period is required by law (e.g. tax or insurance record-keeping rules).
7. Your rights as a data subject
Under the Data Privacy Act you have the right to:
- Be informed about the processing of your personal data.
- Access the personal data we hold about you.
- Rectify inaccurate or outdated data.
- Object to or withhold consent for processing.
- Erasure or blocking of your data under the conditions set by the Act.
- Data portability — obtain a copy of your data in an electronic format.
- Damages for violations, and to lodge a complaint with the NPC.
To exercise any of these, email [dpo@yourdomain.ph]. We will respond within the timeframes required by the NPC. If your request concerns a client's data that another advisor entered, we will refer you to that advisor as the responsible Personal Information Controller.
8. Cookies
We use only strictly necessary cookies: a session cookie to keep you signed in, and a preference cookie that remembers your chosen company theme. We do not use advertising or third-party tracking cookies. If we add analytics in the future, we will request your consent first as required by the NPC.
9. Children
WealthFlow is a professional tool intended for licensed or affiliated financial advisors and is not directed to children. Do not record data about a minor without the consent of a parent or guardian as required by the Act.
10. Data breach
In the event of a personal data breach that meets the criteria under the Act and NPC Circular 16-03, we will notify the NPC and affected data subjects within the required period.
11. Changes to this Policy
We may update this Policy. Material changes will be posted here with a new “Last updated” date and, where appropriate, notified to you.
12. Contact us / Data Protection Officer
[Registered Business / Entity Name]
[Business Address, City, Philippines]
Data Protection Officer: [Data Protection Officer name] — [dpo@yourdomain.ph]
General inquiries: [contact@yourdomain.ph]
You may also contact the National Privacy Commission at privacy.gov.ph.