Privacy Policy
Last updated: June 10, 2026
This Privacy Policy explains how BuddyStall (the “Service”) collects, uses, shares, and protects personal data. We process personal data in a manner consistent with the Philippine Data Privacy Act of 2012 (Republic Act No. 10173), its implementing rules, and the issuances of the National Privacy Commission (NPC).
1. Who We Are
BuddyStall is operated by an individual based in the Philippines (the “Operator”, “we”, “us”). You can contact the Operator at buddystallph@gmail.com. The Operator’s full legal name and registered address are available on request and will be provided to data subjects and to authorities where required by law.
2. Our Roles
For account information we collect about you directly (such as your email and name), we act as a personal information controller. For the business records that a store owner enters into the Service about other people — for example employee names, wages, attendance, and payroll — the store owner is the controller and we act as a personal information processor, handling that data on the owner’s behalf and instructions. Store owners are responsible for having a lawful basis to enter such data and for informing the individuals concerned.
3. Information We Collect
Account information
- Email address, name, and account role (owner, manager, or staff).
- Authentication data managed through our identity provider (see Subprocessors).
Business data you enter
- Store details, including name, address, phone number, and an optional map location (latitude/longitude) that the owner sets manually.
- Employee records, including names and hourly wages.
- Attendance records (clock-in and clock-out times) and payroll records.
- Sales transactions, menu, inventory, expenses, suppliers, and related operational data.
Technical and diagnostic data
- Error and reliability logs that may include your browser/user-agent string, app version, network status, timestamps, and a snapshot of the operation that failed, used to diagnose and fix problems.
- Server and connectivity logs generated automatically when you use the Service.
We do not track device GPS location, we do not send web push notifications, and we do not use third-party advertising trackers. On our public marketing pages and the sign-up page, we use a third-party product and website analytics provider (see Subprocessors) to measure traffic and understand how visitors find and sign up for the Service. These analytics run only after you consent through the cookie banner, and you can decline.
4. How We Use Information
- To provide, operate, secure, and improve the Service.
- To measure website traffic and understand how visitors find and sign up for the Service (analytics), where you have consented.
- To authenticate users and protect accounts.
- To diagnose errors and maintain reliability.
- To process subscriptions and billing, if and when paid plans are offered.
- To respond to support requests and send service-related notices.
- To comply with legal obligations.
5. Legal Basis for Processing
Depending on the situation, we process personal data on the basis of your consent, the performance of our contract with you, our legitimate interests in operating and securing the Service, and compliance with legal obligations under applicable law.
6. Franchise Data Sharing
The Service includes an optional franchise feature. A store owner may choose to link their account to a franchise organization (a “Franchisor”). Linking is initiated and controlled by the store owner, and the owner can unlink at any time, which ends the Franchisor’s future access. By linking, the owner authorizes us to share the data described below with that Franchisor.
While a link is active, the Franchisor can access:
- The linked owner’s name and email address.
- The names and map locations (where set) of the owner’s active stores.
- Aggregated sales information for franchise-branded products only — for example revenue totals, store-level net sales, and item- and add-on-level sales trends.
- Orders the store places to the Franchisor and related recipe-compliance information.
The Franchisor does notreceive line-item details of the store’s own non-franchise products, nor unrelated business records. Each Franchisor is an independent organization that acts as a separate controller for the data it receives and uses it for its own franchise-management purposes; its handling of that data is governed by its own practices. We facilitate the sharing as instructed by the store owner.
7. Subprocessors and Third Parties
We rely on trusted providers to operate the Service. They process data on our behalf under appropriate safeguards and are not permitted to use it for their own purposes:
- Supabase — authentication, database, and hosting infrastructure that stores your account and business data.
- Map services (MapLibre, OpenStreetMap, and a geocoding provider)— used only when an owner views or sets a store’s map location. Map and address-lookup queries are sent to these services for that purpose.
- PostHog — product and website analytics for our public marketing pages and sign-up. It processes pageview, device and browser information, and usage events to help us measure traffic and the sign-up funnel, only after you consent via the cookie banner.
We may also disclose information when required by law, to enforce our terms, or to protect the rights, safety, and security of users and the Service.
8. Cookies and Local Storage
We use cookies and similar technologies that are strictly necessary to keep you signed in and to operate the Service. We do not use advertising cookies. With your consent, we also set third-party analytics cookies (PostHog) on our public marketing pages and sign-up page to measure traffic and the sign-up funnel. You can decline through the cookie banner, in which case no analytics cookies are set, and your choice is remembered on your device. If you decline, we may still measure aggregate, anonymous traffic without storing anything on your device or identifying you (cookieless analytics).
To support offline use in the staff portal, the Service stores data on your device (for example in your browser’s local database and service-worker cache), including a cached copy of your session and pending operations. A cached session may allow continued offline use for a limited period (up to approximately 48 hours) before re-authentication is required. You can clear this data through your browser or by signing out.
9. International Transfers
Your information may be processed or stored on servers located outside the Philippines by our subprocessors. Where required, we put appropriate safeguards in place for such transfers.
10. Data Retention
We retain personal and business data for as long as your account is active or as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements. When data is no longer needed, we delete or anonymize it.
11. Security
We implement reasonable technical and organizational measures, including access controls and encryption in transit, to protect your information. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.
12. Your Rights
Subject to applicable law, you have the right to be informed about, to access, and to correct your personal data, to object to or restrict certain processing, to data portability, to erasure or blocking, and to damages for violations of your rights. You may also lodge a complaint with the National Privacy Commission. To exercise these rights, contact us using the details on our Contact page. If your request concerns data that a store owner controls (such as employee records), we may direct you to, or coordinate with, that owner.
13. Children’s Privacy
The Service is intended for business use and is not directed to children. We do not knowingly collect personal data from children.
14. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will provide notice through the Service or by other reasonable means, and we will update the date above.
15. Contact
For questions about this Privacy Policy or your personal data, contact the Operator at buddystallph@gmail.com or visit our Contact page.