Privacy Policy

Effective Date: March 9, 2026

Introduction

Pamana.ph ("we," "us," or "our") operates the pamana.ph website and provides online estate planning services for Filipino families. This Privacy Policy explains how we collect, use, store, and protect your personal information in compliance with the Data Privacy Act of 2012 (Republic Act No. 10173), its Implementing Rules and Regulations, and applicable circulars of the National Privacy Commission (NPC). This Privacy Policy applies to our website, related services, and communications (collectively, the "Services"), and is governed by applicable Philippine laws and regulations.

Data Controller

Pamana.ph is the Personal Information Controller (PIC) responsible for your data. Our contact address is 764 Calamansi Street, Juna Subdivision, Matina Crossing, Talomo District, Davao City, Davao del Sur 8000, Philippines. For questions or concerns about your personal information, contact our Data Protection Officer at [email protected].

Information We Collect

We collect the following categories of information:

Account Information

Name, email address, and password when you create an account.

Sensitive Personal Information

Civil/marital status and date of birth. Under Section 3(l)(1) of RA 10173, marital status and age are sensitive personal information; because your date of birth reveals your age, we treat your date of birth with the same level of protection as sensitive personal information. We collect these because they are necessary for the Service’s Civil Code–based computation of compulsory heir shares (legitime) under Philippine Civil Code Articles 886–909. We collect and process only the minimum information necessary to provide the Services and comply with applicable succession law requirements.

Family and Estate Planning Information

Details about your family members (spouse, children, parents), beneficiaries, guardians, executors, property, final wishes, and personal messages. This information is necessary to generate your will document.

Payment Information

Payment transactions are processed by PayMongo. We do not store your credit card numbers, GCash, or Maya account details. We receive only transaction confirmations (amount, status, reference number).

Technical Information

IP address, browser type, device information, and pages visited. We use essential cookies (httpOnly, signed) for authentication. We also collect anonymized product-usage events from the in-app Help system (e.g. which educational tips you open or dismiss) keyed by a per-tab session identifier. No form answers, names, or other personal information are included in these events. Separately, for advertising measurement we use limited third-party analytics technologies (Google Analytics 4 and Meta), described under "Marketing measurement and analytics" below, which you can opt out of as described there.

Information About Others

When you designate beneficiaries, executors, or guardians, you provide their names and contact information. You confirm that you have the authority to share this information and that you have informed them of this privacy policy. By providing another person’s personal information, you represent and warrant that you have lawful authority and/or have obtained any necessary consent to disclose such information to us, and that you have informed them of this Privacy Policy.

Legal Basis for Processing

We process your information under the following lawful bases:

  • Consent (Sections 12(a) and 13(a), RA 10173) — When you create your account, you tick a box agreeing to this Privacy Policy, which describes the personal and sensitive personal information we collect (such as civil status and date of birth) and why. This is your recorded consent to that processing. Where you use our questionnaire as a guest, your answers stay on your own device and are only sent to our servers when you register. Much of this processing is also necessary to provide the will-generation service you requested (see Contractual Necessity, below). You may withdraw your consent at any time, though doing so may prevent us from completing or maintaining your will.
  • Contractual Necessity (Section 12(b), RA 10173) — Processing is necessary to fulfill our service agreement with you: generating your will document, computing heir shares, and delivering your PDF.
  • Legal Claims (Section 13(f), RA 10173) — Where applicable, processing of sensitive personal information may be necessary for the establishment, exercise, or defense of legal claims (for example, a dispute over a will or estate). Routine generation of your will relies on your consent and on contractual necessity, described above.
  • Legal Obligation (Section 12(c), RA 10173) — We may process data when required by law, court order, or government authority. This may include compliance with applicable tax, audit, or regulatory requirements, or lawful requests from government authorities.

How We Use Your Information

We use your information to: generate your will documents based on Philippine succession law; compute compulsory heir shares using our legitime engine; process your payments; send transactional emails (account confirmation, payment receipts, will-ready notifications); provide customer support; improve our platform and fix technical issues; and comply with legal obligations. We never sell your personal data to any third party.

Data Sharing and Third-Party Processors

We share your data with the following service providers, who act as Personal Information Processors (PIPs) under our instruction (other recipients — such as our analytics and advertising-measurement providers and lawful or compelled disclosures — are described elsewhere in this Policy):

  • PayMongo — Payment processing (GCash, Maya, credit/debit cards). PayMongo's privacy policy governs payment data they collect directly.
  • Resend — Transactional email delivery. Receives only your email address and email content.
  • DigitalOcean — Cloud infrastructure and storage. Hosts our application and database in the Singapore (SGP1) region.
  • We may disclose information when required by law, subpoena, court order, or to protect our legal rights.

For the service providers that process personal data on our behalf (such as our payment, email, and hosting providers), we require appropriate contractual security and confidentiality protections, and we remain accountable for the personal data we entrust to them under Philippine data privacy law. Our analytics and advertising-measurement providers (such as Google and Meta) act as independent recipients and handle data under their own privacy policies. We do not sell your personal data, and we do not share it for unrelated commercial purposes.

International Data Transfers

Your data is stored on servers in Singapore operated by DigitalOcean. Under Section 21 of RA 10173 (Principle of Accountability), we remain responsible for your data regardless of where it is stored. We implement appropriate safeguards for cross-border transfers, including contractual protections and security measures, to ensure a level of protection consistent with applicable Philippine data privacy requirements. We use industry-standard security measures to protect your information during transfer and storage.

Data Retention

We retain your personal data for as long as your account is active and you maintain a service relationship with us. When you delete your account, we anonymize your personal information within 30 days. Transaction records may be retained for up to 5 years after account closure for legal compliance purposes. Retention is limited to what is necessary for compliance, audit, tax, or legal purposes. Generated will documents are deleted upon account deletion.

Security Measures

We implement organizational, physical, and technical security measures as required by Section 20 of RA 10173, including:

  • AES-256-GCM field-level encryption at rest for sensitive personal information such as family member details, addresses, asset descriptions, and personal messages — these fields are never stored in plaintext in our database.
  • A multi-key encryption scheme that allows us to rotate encryption keys without downtime.
  • Database connections secured with verified TLS certificates in production.
  • Encrypted data transmission between your browser and our servers (TLS 1.3).
  • Login email lookups protected by a peppered HMAC index so plaintext emails are not directly searchable from a database snapshot.
  • Passwords hashed with Argon2id (never stored in plain text).
  • Signed, httpOnly authentication cookies with short-lived access tokens and refresh-token rotation.
  • Redaction of personal information from application logs and error reports.
  • Pseudonymization of personal data within 30 days of account deletion.
  • Bot-protection challenges on authentication endpoints.
  • Rate limiting to prevent abuse.
  • Role-based access controls.
  • Regular security reviews.

No method of electronic storage or transmission is 100% secure; we cannot guarantee absolute security but we maintain industry-standard safeguards. We also implement personnel and process safeguards, including confidentiality obligations, privacy and security training, and periodic access reviews on a need-to-know basis.

Your Rights Under the Data Privacy Act

Under Sections 16–18 of RA 10173, you have the following rights:

  • Right to Be Informed — Know what personal data we collect and how we process it.
  • Right to Access — Obtain a copy of your personal data upon reasonable request.
  • Right to Object — Object to the processing of your personal data, including for direct marketing.
  • Right to Erasure or Blocking — Request deletion or blocking of your data if it is incomplete, outdated, false, or unlawfully obtained.
  • Right to Rectification — Dispute inaccuracies and have your data corrected.
  • Right to Data Portability — Obtain your data in a structured, commonly used electronic format. You can export your data from your account settings.
  • Right to Damages — Be indemnified for damages sustained due to inaccurate, unlawfully obtained, or unauthorized use of your personal data.
  • Right to File a Complaint — File a complaint with Pamana.ph or directly with the National Privacy Commission.

Under Section 17 of RA 10173, your lawful heirs and assigns may invoke these rights on your behalf in case of death or incapacity.

To exercise any of these rights, contact us at [email protected]. We will respond within 15 business days.

Cookies

We use only essential cookies required for authentication and session management. These are httpOnly, signed cookies that cannot be accessed by third-party scripts. Beyond these essential cookies, we use limited analytics and advertising-measurement technologies (Google Analytics 4 and Meta), described under "Marketing measurement and analytics" below; browser tracking-protection settings or an ad-blocker can limit browser-side tracking, though some of this measurement is sent server-side and is not affected by those tools. We collect anonymized product-usage events from the in-app Help system (which educational tips you engage with) to improve content quality; these events carry no personal information and are keyed by a per-tab session identifier that is discarded when you close the tab.

Marketing measurement and analytics

To understand how people find Pamana and to measure the effectiveness of our advertising, we use the following third-party services. Browser tracking-protection settings or an ad-blocker can limit browser-side tracking; some of this measurement is sent server-side and is not affected by those tools, as described below.

  • Google Analytics 4 (GA4) measures page views and conversion events. GA4 receives a randomised session identifier and standard browser metadata; we do not send your email or name.
  • Meta Pixel records page views and conversion events in your browser to help us measure ad performance on Facebook and Instagram.
  • Meta Conversions API (server-to-server) sends conversion events directly from our servers to Meta so that ad measurement still works when browser-based tracking is blocked. When this happens, we send your IP address, browser user agent, country (Philippines), and a SHA-256 hash of your email address. The hash is one-way and Meta uses it only to match conversions back to ad-exposed users on their own platforms.

We never sell your personal data.

To object to marketing-measurement processing, including server-side conversion events, contact [email protected].

Children's Privacy

Our services are intended for users aged 18 and above, consistent with the minimum age for making a will under Philippine law (Civil Code Article 797). We do not knowingly collect personal information from individuals under 18. If we learn that we have collected personal information from a person under 18, we will take steps to delete it promptly and disable the account, where applicable.

Data Breach Notification

In the event of a personal data breach involving your information, we will notify the National Privacy Commission and affected data subjects within 72 hours of discovery, as required by Section 20(f) of RA 10173 and NPC Circular No. 2016-03.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email and by posting the updated policy on our website with a new effective date. Continued use of our services after changes constitutes acceptance of the updated policy.

National Privacy Commission

If you believe your data privacy rights have been violated, you may file a complaint with the National Privacy Commission at https://privacy.gov.ph or [email protected].

Contact Us

For privacy questions or to exercise your data rights, contact our Data Protection Officer at [email protected].