Privacy Policy
Last Updated: January 21, 2026
This Privacy Policy describes how Mabookhay under Lahat Group (“Mabookhay,” “we,” “us,” or “our”) collects, uses, stores, shares, and protects personal data in compliance with applicable Philippine laws and regulations, including:
• Republic Act No. 8792 – Electronic Commerce Act of 2000 (E-Commerce Act)
• Republic Act No. 11967 – Internet Transactions Act of 2023 (ITA)
• Republic Act No. 7394 – Consumer Act of the Philippines
• General Data Protection Regulation (EU) (GDPR), where applicable to individuals in the European Economic Area (EEA)
• Relevant issuances, circulars, and advisories of the National Privacy Commission (NPC)
By accessing or using our website, products, services, or platforms (collectively, the “Services”), you acknowledge that you have read, understood, and agree to this Privacy Policy.
1. Data Controller and Contact Information
Lahat Group is the Personal Data Controller responsible for the collection and processing of personal data under this Privacy Policy, in accordance with the Data Privacy Act of 2012.
Business Address: 16F Unit 12 High Street South Corporate Plaza Tower 1, Bonifacio Global City, Taguig City
Contact Number: +63 917 169 1777 / +63 917 164 0777
2. Scope and Application
This Privacy Policy applies to all personal data collected from:
• Website visitors and users
• Customers and prospective customers
• Vendors, suppliers, and business partners
• Employees, contractors, and job applicants
• Any other individuals whose personal data we process in connection with our business operations
3. Definitions
• Personal Data – Any information from which the identity of an individual is apparent or can be reasonably and directly ascertained, or when put together with other information would directly and certainly identify an individual.
• Data Subject – An individual whose personal data is processed.
• Processing – Any operation or set of operations performed upon personal data, including collection, recording, organization, storage, updating, modification, retrieval, consultation, use, consolidation, blocking, erasure, or destruction.
• Consent – Any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal data about and/or relating to him or her.
4. What Personal Data We Collect
We collect personal data when you interact with our website, create an account, place an order, contact us, subscribe to our communications, or otherwise use our Services.
4.1 Information You Provide Directly
• Identifying Information: Full name, username, date of birth, gender
• Contact Information: Email address, phone number, billing address, shipping address
• Account Information: Login credentials, password (stored in encrypted form), order history, preferences
• Transaction Information: Order details, purchase history, product preferences
• Payment Information: Payment method details (processed and stored by third-party payment processors; we do not store complete credit card information)
• Communication Data: Correspondence with customer service, feedback, reviews, survey responses
• Professional Information: Company name, job title, business contact details
4.2 Information Collected Automatically
• Technical Data: IP address, browser type and version, device type, operating system, time zone settings, browser plug-in types and versions
• Usage Data: Information about how you use our website and Services, including pages viewed, time spent on pages, links clicked, search queries
• Location Data: Approximate geographic location based on IP address
• Cookies and Tracking Data: Information collected through cookies, web beacons, and similar technologies
4.3 Information from Third Parties
We may receive personal data about you from third parties, including:
• Payment processors and financial institutions
• Delivery and logistics partners
• Social media platforms (if you choose to link your account)
• Marketing and analytics service providers
• Publicly available sources
5. How We Use Personal Data
We use personal data only for legitimate business purposes and in accordance with applicable laws. Personal data may be used to:
5.1 Service Delivery and Account Management
• Process and fulfill orders, payments, deliveries, and refunds
• Create and manage user accounts
• Authenticate users and maintain account security
• Provide customer support and respond to inquiries
• Send order confirmations, shipping notifications, and service updates
5.2 Business Operations and Improvement
• Improve website functionality, performance, and user experience
• Conduct research, analysis, and testing to develop and improve our Services
• Monitor and analyze trends, usage, and activities
• Personalize and customize your experience
5.3 Communication and Marketing
• Send promotional materials, special offers, and marketing communications (with your consent where required)
• Conduct surveys and request feedback
• Administer contests, promotions, and loyalty programs
5.4 Legal and Security
• Prevent fraud, abuse, unauthorized transactions, and security incidents
• Detect and investigate violations of our Terms of Service
• Comply with legal, tax, accounting, and regulatory requirements
• Respond to legal requests from government authorities
• Protect our legal rights and interests
• Establish, exercise, or defend legal claims
6. Legal Bases for Processing
We process personal data based on the following lawful grounds:
• Consent: You have given clear consent for us to process your personal data for specific purposes
• Contract Performance: Processing is necessary to fulfill our contractual obligations to you
• Legal Obligation: Processing is required to comply with applicable laws and regulations
• Legitimate Interests: Processing is necessary for our legitimate business interests, provided such interests do not override your fundamental rights and freedoms
• Vital Interests: Processing is necessary to protect your vital interests or those of another person
For EU/EEA residents, we comply with GDPR requirements and rely on appropriate legal bases as outlined above.
7. Disclosure and Sharing of Personal Data
We do not sell, rent, or trade personal data to third parties. However, we may disclose personal data to the following categories of recipients when necessary and lawful:
7.1 Service Providers and Business Partners
• Payment processors and financial institutions
• Shipping and delivery service providers
• Website hosting and cloud storage providers
• IT support and maintenance providers
• WooCommerce and e-commerce platform providers
• Email and communication service providers
• Marketing and analytics service providers
• Customer relationship management (CRM) providers
7.2 Professional Advisers
• Government agencies, regulators, law enforcement, and courts when disclosure is required by law, court order, or legal process
• National Privacy Commission or other regulatory authorities in connection with investigations or compliance matters
7.3 Government and Legal Authorities
• Government agencies, regulators, law enforcement, and courts when disclosure is required by law, court order, or legal process
• National Privacy Commission or other regulatory authorities in connection with investigations or compliance matters
7.4 Business Transfers
• In connection with any merger, sale of company assets, financing, acquisition, or transfer of all or a portion of our business to another company
7.5 With Your Consent
• Other third parties with your explicit consent or at your direction
All third-party recipients are contractually required to:
• Protect personal data with appropriate security measures
• Use personal data only for the specified purposes
• Comply with applicable data protection laws
• Not disclose personal data to unauthorized parties
8. International Data Transfers
Personal data may be transferred to, stored, or processed in locations outside the Philippines, including countries that may have different data protection standards.
When we transfer personal data internationally, we ensure appropriate safeguards are in place, including:
• Standard contractual clauses approved by relevant authorities
• Adequacy decisions recognizing equivalent data protection standards
• Binding corporate rules or other approved mechanisms
• Your explicit consent where required
For transfers involving EU/EEA personal data, we comply with GDPR requirements for international transfers.
9. Data Retention
9.1 Retention Periods
• Account Data: Retained while your account is active and for one (1) year after account closure or inactivity, unless a longer period is required by law
• Transaction Data: Retained for at least seven (7) years to comply with tax, accounting, and legal requirements
• Marketing Data: Retained until you withdraw consent or opt out, plus reasonable administrative processing time
• Technical and Usage Data: Typically retained for one (1) to two (2) years for analytical purposes
9.2 Secure Disposal
After the retention period expires, personal data will be securely deleted, destroyed, or anonymized in accordance with data protection standards. Anonymized data may be retained indefinitely for statistical and analytical purposes.
10. Data Protection and Security Measures
We implement reasonable and appropriate organizational, physical, and technical security measures to protect personal data against unauthorized access, disclosure, alteration, or destruction.
10.1 Security Measures Include
• Access Controls: Role-based access restrictions and authentication requirements
• Encryption: SSL/TLS encryption for data transmission; encryption of sensitive data at rest
• Secure Infrastructure: Firewalls, intrusion detection systems, and regular security monitoring
• Employee Training: Confidentiality obligations and data protection training for employees and contractors
• Vendor Management: Security requirements for third-party service providers
• Incident Response: Procedures for detecting, investigating, and responding to security incidents
• Regular Assessments: Periodic security audits and vulnerability assessments
10.2 Data Breach Notification
In the event of a personal data breach that is likely to result in risk to your rights and freedoms, we will notify you and the National Privacy Commission within seventy-two (72) hours of becoming aware of the breach, in accordance with the Data Privacy Act and NPC regulations.
11. Cookies
Our website uses cookies and similar tracking technologies to enhance user experience, analyze website performance, and deliver personalized content.
12. Rights of Data Subjects
In accordance with the Data Privacy Act of 2012 and, where applicable, GDPR, you have the following rights:
12.1 Right to be Informed
You have the right to be informed whether personal data pertaining to you is being processed, including the purposes of processing and the identity of recipients.
12.2 Right to Access
You have the right to obtain confirmation and access to your personal data, along with information about how it is being processed.
12.3 Right to Rectification
You have the right to correct inaccurate or incomplete personal data.
12.4 Right to Erasure or Blocking
You have the right to request deletion or blocking of your personal data when it is no longer necessary for the purposes for which it was collected, or if processing is unlawful.
12.5 Right to Object
You have the right to object to processing of your personal data, including for direct marketing purposes.
12.6 Right to Data Portability
You have the right to obtain and transfer your personal data in a structured, commonly used, and machine-readable format.
12.7 Right to Withdraw Consent
Where processing is based on consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before withdrawal.
12.8 Right to File a Complaint
You have the right to file a complaint with the National Privacy Commission if you believe your data protection rights have been violated.
12.9 Right to Damages
You have the right to be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of personal data.
12.10 How to Exercise Your Rights
To exercise any of these rights, please contact us using the information provided in Section . We will respond to your request within fifteen (15) days, or as otherwise required by applicable law. We may require verification of your identity before processing your request.
13. Privacy Contact and Data Protection Responsibility
Mabookhay under Lahat Group has designated a Privacy Contact to handle matters relating to personal data protection and privacy compliance. While a formal Data Protection Officer (DPO) has not been appointed, the Company ensures that privacy-related responsibilities are assigned to authorized personnel in accordance with the Data Privacy Act of 2012 and National Privacy Commission (NPC) regulations.
13.1 Contact Information
For any inquiries, requests, concerns, or to exercise your data subject rights, please contact:
Privacy Contact
Email: [To be provided]
Business Address: [To be provided]
Contact Number: [To be provided]
13.2 Response Time
We will respond to data privacy-related requests within fifteen (15) days from receipt, or within the period prescribed by applicable laws and regulations. In complex cases, we may extend this period and will inform you of any delay.
14. WooCommerce and Third-Party Services
Our website is powered by WooCommerce, an e-commerce platform that enables us to sell products and services online.
14.1 Data Processed by WooCommerce
WooCommerce may collect and process personal data necessary to facilitate online transactions, including:
• Customer name, billing and shipping address
• Email address and contact details
• Order details and transaction history
• IP address and device information
• Cookies for cart functionality and session management
14.2 Payment Processing
Payment information is processed securely by third-party payment processors (such as HitPay as a local payment gateway). We do not store complete credit card information on our servers. Payment processors handle payment data in accordance with Payment Card Industry Data Security Standards (PCI DSS).
We may retain limited payment information (such as account numbers and transaction IDs) for order verification, refunds, dispute resolution, and legal compliance.
14.3 Third-Party Privacy Policies
We encourage you to review the privacy policies of:
• WooCommerce: https://woocommerce.com/privacy-policy/
• Payment Processors: Refer to your chosen payment gateway’s privacy policy
• Other third-party service providers integrated with our Services
We are not responsible for the privacy practices of third-party services.
15. Changes to this Privacy Policy
We may update, modify, or revise this Privacy Policy from time to time to reflect:
• Changes in our data processing practices
• Updates to applicable laws and regulations
• Improvements to our Services
• Feedback from users and regulatory guidance
15.1 Notification of Changes
When material changes are made, we will provide reasonable notice through:
• A prominent notice on our website
• Email notification to registered users
• In-app notifications or other appropriate communication channels
The updated Privacy Policy will indicate the “Last Updated” date at the top of this document.
15.2 Acceptance of Changes
Continued use of our Services after the effective date of the revised Privacy Policy constitutes your acceptance of the changes. If you do not agree with the updated Privacy Policy, please discontinue use of our Services.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal data.
16. Governing Law and Jurisdiction
This Privacy Policy shall be governed by and construed in accordance with the laws of the Republic of the Philippines.
Any disputes arising out of or relating to this Privacy Policy shall be subject to the exclusive jurisdiction of the courts of the Philippines, or as otherwise required by applicable law.
For EU/EEA residents, this Privacy Policy also complies with GDPR requirements, and you retain all rights granted under GDPR.
By using our Services, you acknowledge that you have read and understood this Privacy Policy and agree to the collection, use, and disclosure of your personal data as described herein.