StickShop ("we", "us") operates stickshop.ph and complies with the Philippine Data Privacy Act of 2012 (RA 10173) and its IRR. This policy explains the personal data we collect, why we collect it, who we share it with, how long we keep it, and how to exercise your rights.
1. Personal data we collect
- Identity & contact: name, email, phone number.
- Shipping data: address line 1/2, city, province, postal code.
- Payment data: handled entirely by PayMongo. We see only the last-4 digits of cards and a reference ID — never full PANs or CVVs.
- Custom artwork: images, logos, sketches you upload to the AI Design Studio. Stored on Cloudinary while we produce your order.
- Conversation history: chat, email, FB Messenger, IG DM, SMS messages you send us, plus our replies.
- Browsing & usage: cookies, page views, IP, user-agent — only what you consent to via the cookie banner.
2. Why we collect it (lawful basis)
- Contract performance: processing and shipping the orders you place.
- Legal obligation: issuing BIR-compliant Official Receipts, retaining transaction records.
- Legitimate interest: fraud prevention, site security, customer support.
- Consent: marketing email/SMS, analytics cookies, retargeting cookies — only with explicit opt-in.
3. Who we share data with
We share the minimum data necessary with these third-party processors:
- PayMongo (Philippines) — payment processing.
- Vograce (Wuhan, China) — sticker production. Receives shipping address + design files only.
- 4PX, J&T Express, LBC, NinjaVan, Air21 — courier services for delivery.
- Resend — transactional email delivery.
- Movider or Semaphore (Philippines) — SMS gateway.
- Cloudinary — image hosting for design files and product images.
- Anthropic — AI processing (chat, design generation, support replies). Anthropic does not retain customer data for model training.
- Recraft — sticker image generation.
- Meta & TikTok (with consent only) — advertising pixel for retargeting.
- Supabase (Singapore region) — primary database hosting.
- Vercel — site hosting.
We do not sell, rent, or trade your personal data with anyone else.
4. International data transfers
Some processors (Vograce, Anthropic, Recraft) are located outside the Philippines. We rely on contractual safeguards equivalent to those in RA 10173 with each processor.
5. Retention
- Order & payment records: 10 years (BIR statutory minimum).
- Customer service conversations: 3 years.
- Custom artwork files: 12 months after delivery, then deleted unless you reorder.
- Marketing engagement data: until you withdraw consent or 3 years inactive.
- Cookie data: 12 months max, configurable in the cookie banner.
6. Your rights under RA 10173
- Right to be informed — this page.
- Right to access — request a copy of all data we hold about you.
- Right to correct — fix any inaccurate data.
- Right to erase — delete data we're not legally required to keep.
- Right to object — opt out of marketing or any processing based on consent or legitimate interest.
- Right to data portability — receive your data in a machine-readable format.
- Right to file a complaint with the National Privacy Commission (privacy.gov.ph).
To exercise any right, email hello@stickshop.phwith the subject "Data Request". We respond within 14 days as required by NPC.
7. Security measures
- All connections use HTTPS/TLS.
- Database access uses row-level security so customers can only see their own records.
- Service-role keys are server-only and rotated quarterly.
- Third-party processors are vetted for SOC 2 / ISO 27001 / equivalent.
8. Children
StickShop is intended for users 13 years and older. If you believe we've inadvertently collected data from a minor, email us and we'll delete it.
9. Data Protection Officer
Michael Bell — hello@stickshop.ph.
10. Changes
Material updates to this policy are emailed to active customers and posted here at least 14 days before they take effect.