Privacy Policy

Seven Trent Petroleum Corporation operates the Seven Trent App.

Business Name: Seven Trent Petroleum Corporation

Business Address: 818 Fr. N.Y. Patangan St, Santa Isabel, Dipolog City, 7100 Zamboanga del Norte, Philippines

Data Protection Officer: Winefredo Sailes

DPO Support Email: winefredo.stpc@gmail.com

DPO Contact Number: +639531157199

For purposes of Republic Act No. 10173, also known as the Data Privacy Act of 2012, Seven Trent Petroleum Corporation acts as the Personal Information Controller for personal data processed through the Seven Trent App, unless otherwise stated. Philippine privacy guidance requires privacy notices to describe the personal data collected, purposes of processing, recipients, identity and contact details of the controller, retention period, and rights available to data subjects.

This Privacy Policy applies to personal data processed through the Seven Trent App, related backend systems, APIs, support channels, account management workflows, ordering, supporting file submission, service address onboarding, document upload, delivery tracking, legal consent records, and operational communications.

The Seven Trent App is designed for authorized business Users and their authorized representatives. It is not intended for minors or for personal household use.

We collect only the personal data that is reasonably necessary for the purposes described in this Privacy Policy.

3.1 Account and Profile Data

We may collect:

• Name, first name, last name, full name, role, User ID, verification status
• Email address and phone number
• Business or service-related address information
• Contact number and alternative contact number
• Birthdate, where required for account verification, eligibility, identity validation, fraud prevention, or legal/compliance purposes
• Password and password reset information

3.2 Authentication, Security, and Device Data

We may collect:

• Login identifiers, password verification data, OTP events, and account recovery data
• Access token, refresh token, session ID, token expiry, and refresh expiry
• Device ID, platform, device model, operating system, browser or user agent, IP address, and session metadata
• Trusted-device records, security logs, and audit records

The Seven Trent App enforces OWASP security fundamentals across the app and server.

3.3 Social Login Data

When Users choose to sign in or link an account using supported third-party login services, we may process:

• Google ID token, Google account ID, email, name, and related profile claims

Social login is optional where available. If a third-party login provider is unavailable, Users may need to use another supported sign-in method.

3.4 Service Address, Location, and Business Site Data

We may collect:

• Business name
• Address type, address lines, city, province, postal code, and country
• Latitude and longitude
• Google place ID, place name, formatted address, search query, and geocoding data
• Storage capacity, storage type, capacity unit, designation, brand, dispenser count, and notes
• Information needed to review whether a service address is eligible for ordering and delivery

The Seven Trent App may use device location, maps, Places, Geocoding, and related location services to help Users search, confirm, and manage service addresses. For operational purposes we may collect business/address metadata, coordinates, place metadata, storage data, and supporting documents.

3.5 Uploaded Documents, Images, and Files

Users may upload files for service address verification, order confirmation, and related operational purposes. These may include:

• COC, mayor’s permit, DTI/SEC/CDA documents, ECC/CNC documents, site photos, and other supporting documents
• Supporting images or PDFs
• File name, file type, MIME type, file size, upload status, upload slot ID, and related metadata

Uploaded files may contain personal data, business-sensitive data, supporting file attachments, government permit information, signatures, addresses, site imagery, or other sensitive information depending on the contents. Users should upload only the files requested by the Seven Trent App and should avoid including unnecessary personal data.

3.6 Order and Ledger Data

We may collect and process:

• Service address, products ordered, and quantities.

3.7 Delivery and Tracking Data

We may collect and process:

• Delivery status, delivery details, route overview, route polyline, distance, duration, ETA, service address location, proof or signature URLs, driver name/phone, and vehicle information
• Optional driver location where enabled for delivery visibility
• WebSocket or realtime event data needed to refresh delivery status

3.8 Legal Consent and Contract Records

We may collect and retain:

• Accepted legal document ID, document type, version, title, and content linkage
• Acceptance timestamp
• IP address and user agent at the time of consent
• Order-contract consent records

Legal consent records help us prove which version of a Privacy Policy, Terms of Service, or order contract was accepted.

3.9 Communications, Support, and Announcements

We may collect and process:

• Support messages, requests, complaints, attachments, and related correspondence
• Email or SMS OTP delivery information
• Operational email or SMS notification details
• In-app announcements, visibility rules, and related metadata

We use these records to respond to Users, maintain account security, provide order and delivery updates, and document support actions.

3.10 Local App Data

The Seven Trent App may store certain data locally on the User’s device, such as:

• Access token, refresh token, session ID, expiry timestamps, User ID, and role in secure storage
• Device ID in device preferences
• Short-lived cached payloads used for performance and app responsiveness

Users may clear some local data by logging out, uninstalling the app, or clearing app data through device settings, but server-side records must be managed through support as described below.

The Seven Trent App is not designed to request unnecessary sensitive personal information. However, some information processed through the app may be sensitive or may become sensitive depending on context, including birthdate, government permits, business registration documents, uploaded images, signatures, location data, and documents that may contain government-issued identifiers.

Users should not upload IDs, bank account details, health information, or other sensitive information unless specifically requested and necessary for the relevant transaction, verification, legal, or support purpose.

Where the Data Privacy Act requires consent or another specific lawful basis for sensitive personal information, we process such information only as permitted by applicable law. The NPC and Data Privacy Act recognize special rules for sensitive personal information and require lawful processing grounds.

We process personal data for the following purposes:

The Data Privacy Act allows processing under lawful criteria such as consent, contract necessity, legal obligation, and legitimate interests that are not overridden by data subject rights.

The Seven Trent App may request access to the following device features:

Location. Used to search, confirm, and display service addresses, maps, and delivery-related information. Location access is used only when needed for app features and according to device permission settings.

Camera. Used to capture service address documents, site photos, supporting images for orders, and other permitted upload types.

Photos, gallery, or file picker. Used to select permitted files such as JPG, PNG, or PDF documents for upload.

Internet/network access. Used to connect to Seven Trent App services, APIs, authentication, maps, uploads, delivery tracking, and support functions.

The app should not be used to upload files or images that are unrelated to the requested business, orders, service address, or support purpose.

For uploads, the Seven Trent App and backend systems apply file validation and sanitization before uploaded files are linked to business records. This includes checking file type, file size, file signature, upload status, and readiness conditions. Confirming an upload may be blocked if validation, sanitization, or security checks fail.

For suspicious files, we may use VirusTotal or similar security services to help detect malware or unsafe content. VirusTotal is not used for every upload; it is used for suspicious files or where security review requires it. When VirusTotal is used, file bytes and related metadata may be submitted to VirusTotal for analysis.

Supporting file uploads currently support JPG, PNG, and PDF files and are capped at 5 MB in the Seven Trent App. Service address document uploads currently support JPG, PNG, and PDF files and are capped at 15 MB.

We share personal data only as necessary for the purposes described in this Privacy Policy, including with:

Authorized personnel and contractors. Operations, finance, dispatch, support, compliance, technical, and management personnel may access personal data only when needed for their assigned functions.

Cloud infrastructure providers. We use Google Cloud Platform for database and backend infrastructure. We may also use caching, object storage and backup services for uploaded files, transaction records, system data, caches, short-lived operational data, session or realtime support, and similar technical purposes.

Network, domain, and security providers. We use Cloudflare for domain, DNS, security, traffic routing, caching, or related network protection services.

Mapping and location providers. We may use Google Maps, Google Places, Google Geocoding, and Google Routes to support service address search, geocoding, maps, routing, ETA, and delivery-related features.

Identity providers. If Users choose social login or account linking, we may share or receive data from Google Identity.

Email and SMS providers. We may use email and SMS providers to send OTPs, account notices, support messages, order updates, and delivery-related messages.

File security providers. Uploaded files and related metadata may be submitted to VirusTotal or a similar malware scanning provider for security analysis.

Professional advisers and auditors. We may share relevant data with accountants, auditors, lawyers, insurers, and other professional advisers where necessary for accounting, audit, compliance, dispute handling, or legal claims.

Regulators and authorities. We may disclose data to government agencies, courts, law enforcement, regulators, or other authorities when required or allowed by law.

The processor register identifies Google, VirusTotal, and related infrastructure as source-visible or production-relevant processor categories.

Personal data may be stored, cached, routed, accessed, or otherwise processed outside the Philippines, including in Google Cloud Platform backend, database infrastructure, caching, and other locations where Cloudflare, Google, VirusTotal, support tools, or other service providers operate.

When we transfer personal data outside the Philippines, we use appropriate safeguards such as contractual controls, access restrictions, role-based access, encryption where applicable, confidentiality obligations, security controls, and vendor due diligence.

We implement reasonable and appropriate organizational, physical, and technical safeguards to protect personal data against unauthorized access, disclosure, alteration, loss, misuse, or destruction. These safeguards include, where applicable:

• HTTPS/TLS for production network communications
• WSS for realtime communication where applicable
• Secure token storage on User devices
• Encrypted storage or encryption where applicable
• Role-based access controls
• Authentication and session validation
• OTP verification and trusted-device controls
• Short-lived upload and download URLs
• File validation, sanitization, and suspicious-file scanning
• Redaction of access tokens for production release
• Logging and monitoring with safeguards for sensitive data
• Access controls for personnel and service providers
• Backup, audit, incident response, and security review processes

No system is completely secure. Users must protect their login credentials, OTPs, devices, and account access, and must immediately report unauthorized access or suspected misuse.

We retain personal data only for as long as necessary for the purposes described in this Privacy Policy, including account management, order fulfillment, supporting file verification, delivery operations, support, security, audit, compliance, dispute handling, and legal claims.

Accounting and transaction records are generally retained for at least five (5) years as required by applicable tax and accounting rules. Where necessary for contracts, collections, disputes, legal claims, or legal obligations, related records may be retained for up to ten (10) years or until the relevant matter is finally resolved. BIR Revenue Regulations No. 17-2013 require books of accounts and other accounting records to be preserved for ten (10) years, with longer preservation where a relevant tax protest or claim remains pending.

Short-lived operational data, such as unlinked uploads and live location cache data, is retained for shorter periods according to system cleanup rules. The upload audit shows that upload URLs are short-lived, pending upload slots older than 24 hours are expired and cleaned up, and soft-deleted upload slots older than 30 days may be permanently deleted under cleanup rules, subject to exclusions.

When data is no longer needed, we delete, anonymize, or securely dispose of it, unless retention is required or allowed by law, contract, legitimate business need, audit, dispute handling, security, or legal claims.

Users may request access, correction, deletion, blocking, withdrawal of consent where applicable, data portability where applicable, or other privacy-related action by contacting support or the DPO using the contact details in this Privacy Policy.

There is no User-facing self-service data management portal for access, correction, export, deletion, or consent withdrawal. Users must contact support, and the support team must validate the User’s identity before processing any request. To protect User accounts and business records, we may ask for account identifiers, registered email or phone number, transaction or order details, business/service address details, proof of authority, or other reasonable verification information.

Account deletion is not immediate self-service deletion. A deletion request may be submitted through the Seven Trent App or support, but it is reviewed and fulfilled by authorized personnel. The in-app deletion action creates or returns a pending request and does not directly delete the account, clear local auth state, export data, or withdraw consent.

We may deny, limit, or delay deletion, blocking, portability, or withdrawal requests where personal data remains necessary for:

• Fulfillment of orders, deliveries, or support requests
• Compliance with tax, accounting, regulatory, or legal obligations
• Fraud prevention, security, audit, and abuse investigation
• Contract enforcement, collections, disputes, or legal claims
• Legitimate business purposes consistent with applicable law

NPC guidance recognizes that a request for erasure or blocking may be denied wholly or partly when personal data remains necessary for the original purpose, legal obligation, legal claims, legitimate business purposes, or other grounds provided by law.

Subject to the Data Privacy Act and other applicable laws, Users may have the right to:

• Be informed whether personal data is being processed
• Access personal data about them
• Request correction of inaccurate or outdated personal data
• Object to or withhold consent for certain processing, where applicable
• Request blocking, removal, or destruction of personal data where legally available
• Request data portability where applicable
• Be indemnified for damages caused by privacy violations, where legally available
• File a complaint with the National Privacy Commission

The Data Privacy Act provides rights to be informed, access, correction, blocking/removal/destruction in certain cases, damages, and data portability.

To exercise these rights, contact:

DPO: Winefredo Sailes

Email: winefredo.stpc@gmail.com

Phone: +639531157199

Address: 818 Fr. N.Y. Patangan St, Santa Isabel, Dipolog City, 7100 Zamboanga del Norte, Philippines

We may send Users transactional and operational communications, including OTPs, account security notices, support replies, service address review updates, order updates, delivery updates, legal notices, and in-app announcements.

Marketing messages, if any, will be handled according to applicable consent and opt-out requirements. Service-related communications may still be sent where necessary for security, account operation, order fulfillment, delivery, support, or legal compliance.

The Seven Trent App may use automated technical checks, such as login validation, trusted-device checks, OTP validation, upload validation, file readiness checks, service address eligibility checks, order availability checks, and system security checks.

We do not use solely automated processing to make decisions that produce legal effects or similarly significant effects on Users without appropriate human involvement, unless such processing is disclosed and permitted by applicable law.

The Seven Trent App may integrate with third-party services such as Google, Cloudflare, VirusTotal and cloud infrastructure providers. These third parties may process data according to their own terms, privacy notices, and service rules where they act as independent controllers, or according to our instructions where they act as processors.

Users should review the privacy notices of third-party login or mapping providers when choosing to use those services.

We maintain security incident management and response procedures. Where a personal data breach requires notification under applicable law, we will notify the National Privacy Commission and affected Users as required. NPC breach guidance requires notification through the NPC system within 72 hours upon knowledge or reasonable belief when notification is mandatory.

We may update this Privacy Policy from time to time to reflect changes in the Seven Trent App, data processing activities, vendors, infrastructure, legal requirements, or operational practices.

When we make material changes, we will provide notice through the Seven Trent App, email, website, or another reasonable channel. The updated Privacy Policy will state its effective date. Continued use of the Seven Trent App after the effective date means Users acknowledge the updated Privacy Policy, subject to any consent requirements under applicable law.

For privacy questions, data management requests, complaints, or concerns, contact:

Seven Trent Petroleum Corporation

818 Fr. N.Y. Patangan St, Santa Isabel, Dipolog City, 7100 Zamboanga del Norte, Philippines

Data Protection Officer: Winefredo Sailes

DPO Support Email: winefredo.stpc@gmail.com

DPO Contact Number: +639531157199