Privacy Policy

Cardhaus (“the Platform”) is operated by [Your Legal Entity Name] (“we”, “us”, “our”), a business registered in the Republic of the Philippines. This Privacy Policy explains how we handle personal data in accordance with the Data Privacy Act of 2012 (Republic Act No. 10173) and its implementing rules.

We collect information you provide directly when you create an account or use the Platform:

• Account information: email address, username, and password (stored as a secure hash).
• Profile information: your chosen avatar and any optional profile details you provide.
• Facebook identity (optional): if you sign in or link your account via Facebook, we receive your Facebook user ID and name from Facebook to verify your identity.
• Transaction data: your bidding history, deal history, and reputation scores generated from completed transactions.
• Communications: messages sent in deal chats and listing comments, including any images you upload.

The Platform does not currently collect payment details or process payments. Buyers and sellers coordinate payment directly through the deal chat.

We use the information we collect to:

• Operate the auction platform and facilitate transactions between buyers and sellers.
• Display your public profile, reputation score, and listing history to other users.
• Send you notifications about auctions you have bid on, deals you are involved in, and other Platform activity.
• Maintain the integrity of the reputation system and detect fraudulent behaviour.
• Comply with legal obligations.

Your username, avatar, reputation score, trade count, and listing history are public and visible to all users of the Platform.

Messages you send in deal chats are visible to your deal counterparty (buyer or seller). Messages you post as listing comments are publicly visible.

We use the following third-party services to operate the Platform:

• Supabase: our database, authentication, and file storage provider. Your data is stored on Supabase infrastructure. See Supabase's Privacy Policy.
• Facebook (Meta): used for optional OAuth sign-in and identity verification. See Meta's Privacy Policy.
• Vercel: our hosting provider. See Vercel's Privacy Policy.

We do not sell your personal information to any third party.

We retain your personal data only for as long as necessary for the purposes described in this Policy or as required by law. Specific retention periods:

• Account data: retained while your account is active, and for 30 days after account closure to allow recovery.
• Transaction records (bids, deals, ratings, payment confirmations): retained for five (5) years from the date of completion to comply with tax, audit, and commercial record-keeping obligations under Philippine law.
• Deal chat messages and listing comments: retained for two (2) years from posting, or until explicitly deleted by the author.
• Uploaded images (avatars, card photos, rating photos): stored in Supabase Storage and deleted when the associated content or account is deleted.
• Reputation data (trade counts, default records) derived from transactions may be retained beyond account closure to preserve the integrity of the Platform's trust system.

Under the Data Privacy Act of 2012, you have the right to:

• Access the personal data we hold about you.
• Correct inaccurate or outdated personal data.
• Object to processing for specific purposes (where applicable).
• Request deletion of your account and personal data, subject to the retention periods in Section 5.
• Data portability — request a copy of your personal data in a commonly used electronic format.
• File a complaint with the National Privacy Commission (NPC) at privacy.gov.ph if you believe your data privacy rights have been violated.

To exercise these rights, contact our Data Protection Officer using the details in Section 10 below. We will respond within 30 calendar days.

Note that reputation records tied to completed transactions may be retained even after account deletion, as they form part of the Platform's trust system.

We use cookies and similar technologies solely to operate the Platform:

• Authentication cookies (set by Supabase) keep you signed in between sessions.
• Session cookies (invite code, device session) remember your state during a visit and expire when you close the browser.

We do not use cookies for advertising, cross-site tracking, or third-party analytics. You may disable cookies in your browser settings, but this will prevent you from signing in.

The Platform is not intended for users under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that we have done so, we will delete that information promptly.

We may update this Privacy Policy from time to time. We will notify you of significant changes via the Platform. Continued use after changes are posted constitutes acceptance of the updated policy.

For privacy-related questions, data access requests, or complaints, contact our Data Protection Officer:

• Data Protection Officer: [Your DPO Name]
• Email: privacy@cardhaus.ph
• Mailing address: [Your Business Address, Philippines]

If you are unsatisfied with our response, you may file a complaint with the National Privacy Commission at privacy.gov.ph.