Data Safety — MyApp Studio

1. Overview

MyApp Studio is a custom mobile application development company operating in the Philippines under MyApp Studio (myappstudio.site). This Data Safety page explains what personal information we collect, how it is used, where it is stored, and your rights as a data subject under Philippine law.

This disclosure covers three groups of users:

Intake leads — prospective clients who submit a project inquiry through our intake form.
Portal clients — active clients with accounts in the MyApp Studio client portal, used to track project progress, exchange files, and manage billing.
Internal staff — MyApp Studio employees and contractors including developers, sales managers, and technicians who use internal tools to manage and deliver client projects.

Our data practices are governed by the Philippine Data Privacy Act of 2012 (RA 10173) and its implementing rules and regulations (IRR), enforced by the National Privacy Commission (NPC). Where applicable, we also comply with cross-border data transfer guidelines issued by the NPC.

2. Data Collected and Why

We collect only the personal information necessary to scope, deliver, and support the services we provide. The following describes each category of data, what specific fields are collected, and the purpose for which they are processed.

Intake Lead Information Leads

Business name, contact person name, email address, phone number, industry or business category, app concept description, optional logo file upload, and optional color or brand preferences.

Purpose: To evaluate, scope, and respond to project inquiries; to prepare proposals; and to initiate the client onboarding process if the project proceeds.

Portal Account Credentials Portal clients

Email address, password (stored as a bcrypt hash — the plaintext password is never retained), and active session tokens issued by Supabase Auth.

Purpose: Authentication and access control. Session tokens are used to maintain a secure, authenticated session within the client portal.

Project and Communication Data Portal clients

Messages sent through the portal, files and documents uploaded during the project (such as brand assets, app content, or reference materials), and milestone or task progress records.

Purpose: Project delivery — to coordinate work, track deliverables, and maintain a shared record of all project communications and materials.

Payment Records Portal clients

Payment intent IDs, payment status (e.g., paid, pending, failed), invoice amounts, and payment reference numbers provided by PayMongo. Card numbers, CVV codes, and full bank account details are never transmitted to or stored by MyApp Studio — these are handled exclusively by PayMongo under PCI-DSS standards.

Purpose: Billing records, reconciliation, and audit trail for project payments. PayMongo is a BSP-licensed payment processor subject to Bangko Sentral ng Pilipinas oversight.

Staff Account Information Internal staff

Full name, work email address, and assigned role (e.g., developer, sales manager, technician).

Purpose: Internal account management, access control, and accountability for actions performed within the platform.

3. Data We Do Not Collect

MyApp Studio does not collect, process, or transmit the following categories of data at any point through our website or client portal:

Device identifiers (IDFA, GAID)

Precise or approximate location data

Contacts or phonebook data

Camera or microphone access

Biometric data

Advertising IDs

Browsing or search history

Crash logs sent to third parties

Health or fitness data

Messages from other apps

Card numbers or CVV codes

Government-issued ID numbers

Our website and client portal do not use third-party advertising networks, behavioral tracking pixels, or cross-site tracking technologies. We do not sell personal information to any party.

4. Google Play Data Safety Answers

The following responses correspond to the questions in the Google Play Console Data Safety form. These answers apply to the MyApp Studio client portal application distributed through the Google Play Store.

Play Store Question	Answer	Detail
Is data collected from this app?	Yes	Name, email address, phone number, business information, project files, app activity (project tracking), and payment status records.
Is data shared with third parties?	Yes	Supabase (cloud infrastructure and database hosting), PayMongo (payment processing), and Resend (transactional email delivery). See Section 6 for details.
Can users request that data be deleted?	Yes	Users may request deletion of their personal data by emailing hello@myappstudio.site. Requests are processed within 30 days. See Section 7 for retention details.
Is data encrypted in transit?	Yes	All data transmitted between the app and our servers is encrypted using TLS 1.2 or higher.
Does the app collect data from children under 13?	No	The app is intended for business clients and professionals. We do not knowingly collect data from individuals under 13 years of age.
Data types collected — Contact info	Yes	Name, email address, phone number. Linked to the user. Used for app functionality (account management and project communication).
Data types collected — User content	Yes	Business name, logo files, app content and reference files, and project messages. Linked to the user. Used for app functionality (project delivery).
Data types collected — App activity	Yes	Project milestone progress, portal login activity. Linked to the user. Used for app functionality (project tracking and access control).
Data types collected — Financial info	Yes	Payment status and transaction reference IDs only. Full card or bank details are not collected. Linked to the user. Used for billing records.
Data types collected — Location	No	Not collected.
Data types collected — Device or other IDs	No	Not collected.

5. Apple App Store Privacy Nutrition Labels

The following disclosures correspond to the App Privacy section in App Store Connect. These apply to the MyApp Studio client portal application distributed through the Apple App Store.

Data Linked to You — Collected and linked to your identity

Privacy Category	Data Types	Use
Contact Info	Name, email address, phone number	App Functionality — account creation, portal access, and project communication
User Content	Business name, uploaded logo and brand files, project reference files, portal messages	App Functionality — project scoping and delivery
Financial Info	Payment status, payment reference IDs, invoice amounts	App Functionality — billing records and payment reconciliation

Data Not Collected

The following App Store privacy categories are not applicable because MyApp Studio does not collect this data:

Location (precise or coarse)
Health and fitness
Sensitive info
Browsing history
Search history
Identifiers (device ID, advertising ID)
Diagnostics (crash data, performance data)
Contacts
Photos or videos (beyond client-uploaded project files)
Audio data

Passwords are not reported under "Sensitive Info" in App Store privacy labels because they are entered by users for the purpose of authentication. They are stored by Supabase Auth as bcrypt hashes and are never readable or transmitted in plaintext.

6. Third-Party Services and Cross-Border Data Transfers

MyApp Studio uses the following third-party processors. Some of these services store or process data outside the Philippines. We have reviewed each provider's data processing agreement and rely on contractual safeguards as the basis for cross-border transfers in accordance with NPC guidelines on cross-border data transfers under RA 10173 Section 21.

Service	Purpose	Data Location	Safeguard
Supabase	Authentication, database storage, file storage	US-East (AWS us-east-1)	Supabase Data Processing Addendum; row-level security policies enforced at the database layer
PayMongo	Payment processing	Philippines (BSP-licensed, PCI-DSS compliant)	BSP Electronic Payment and Financial Services license; PCI-DSS Level 1 certification; PayMongo Data Processing Agreement
Resend	Transactional email delivery (portal notifications, invoice emails, intake confirmations)	United States	Resend Data Processing Agreement; emails contain only data necessary for the transaction

Data transferred to services outside the Philippines (Supabase, Resend) is limited to what is necessary for each service to function. We do not transfer data to jurisdictions without adequate data protection frameworks without ensuring appropriate contractual protections are in place.

7. Data Retention and Deletion

Retention periods

Intake lead data — Retained for 12 months from the date of submission. If a lead converts to an active client, their intake data is merged into the project record and follows the project retention schedule.
Active client project data — Retained for the duration of the project plus 3 years after project completion, to support warranty obligations, legal disputes, and post-delivery support.
Payment records — Retained for 5 years from the date of the transaction, in accordance with Philippine accounting and tax regulations.
Portal account credentials — Retained for as long as the account is active. Dormant accounts (no login for 24 consecutive months) may be deactivated and scheduled for deletion after 30 days' notice.
Staff accounts — Retained for the duration of employment or engagement, plus 1 year after separation, then deleted or anonymized.

How to request deletion

Data subjects may request the deletion of their personal data at any time by sending an email to hello@myappstudio.site with the subject line "Data Deletion Request." The request must include sufficient information to identify your account (such as your registered email address and business name).

We will acknowledge the request within 5 business days and complete the deletion within 30 calendar days, except where retention is required by law (such as payment records subject to tax regulations) or where the data is necessary to resolve an active dispute.

Where full deletion is not possible due to legal obligations, we will notify you of the specific reason and the earliest date on which deletion can occur.

8. Security Measures

MyApp Studio implements the following technical and organizational security measures to protect personal data:

Encryption in transit

All communication between clients and our servers is encrypted using TLS 1.2 or higher. This applies to the client portal web application, API calls, and file uploads. Connections that do not meet minimum TLS requirements are rejected.

Encryption at rest

Data stored in Supabase (database and file storage) is encrypted at rest using AES-256, managed by AWS infrastructure underlying the Supabase platform.

Password security

User passwords are processed through Supabase Auth and stored exclusively as bcrypt hashes. Plaintext passwords are never logged, stored, or transmitted. MyApp Studio staff cannot retrieve or view any user's password.

Row-level security (RLS)

Access to client data in the Supabase database is enforced through row-level security policies. Each client can only access their own records. Staff access is scoped to the roles and projects explicitly assigned to them — developers cannot access data for projects they are not assigned to.

Principle of least privilege

Internal staff accounts are granted only the permissions required for their role. Sales managers can access client communication and project scoping data. Developers can access technical specifications and file uploads for assigned projects. No staff member has unrestricted access to the full database.

Payment security

Card numbers, CVV codes, and bank account details are never transmitted to or stored by MyApp Studio. All payment input is handled directly by PayMongo, a PCI-DSS Level 1 compliant, BSP-licensed payment processor.

Access reviews

Staff access credentials are reviewed when roles change and upon separation. Accounts of former employees and contractors are deactivated on their last working day.

9. Your Rights Under Philippine Law

Under the Philippine Data Privacy Act of 2012 (RA 10173), you have the following rights with respect to your personal data:

Right to be informed — You have the right to know whether your personal data is being processed, the purposes for which it is being processed, and the identity of the entities that have received it.
Right to access — You may request a copy of the personal data we hold about you.
Right to correction — You may request that we correct any inaccurate or incomplete personal data.
Right to erasure or blocking — You may request deletion of your personal data where it is no longer necessary for the purpose for which it was collected, subject to legal retention obligations.
Right to object — You may object to the processing of your personal data in certain circumstances, including direct marketing.
Right to data portability — You may request that your personal data be provided to you in a commonly used, machine-readable format.
Right to lodge a complaint — You have the right to file a complaint with the National Privacy Commission if you believe your rights have been violated.

To exercise any of these rights, contact us at hello@myappstudio.site.

10. Contact and Complaints

MyApp Studio

For questions, data access requests, deletion requests, or privacy concerns related to MyApp Studio's data practices, contact us at:

Email: hello@myappstudio.site
Website: myappstudio.site

We aim to respond to all privacy inquiries within 5 business days.

National Privacy Commission (Philippines)

If you believe that your rights under the Philippine Data Privacy Act have been violated and you are not satisfied with our response, you may file a complaint with the National Privacy Commission:

Website: www.privacy.gov.ph
The NPC accepts complaints from data subjects whose rights have been affected by personal information controllers and processors subject to Philippine jurisdiction.