Privacy Policy
Effective date: 28 April 2026 · Last updated: 28 April 2026
This Privacy Policy describes how Condopo ("we", "us", "our") collects, uses, stores, shares, and protects your personal information when you use the Condopo mobile application and the website at condopo.com (together, the Service).
Condopo operates in the Republic of the Philippines and complies with Republic Act No. 10173, the Data Privacy Act of 2012 ("DPA"), its Implementing Rules and Regulations, and the issuances of the National Privacy Commission ("NPC"). If you are not a resident of the Philippines, you must not use the Service.
1. Who we are (Personal Information Controller)
For the purposes of the DPA, the Personal Information Controller is Condopo, with offices in Makati City, Philippines. You may contact our Data Protection Officer ("DPO") at any time:
- Email: dpo@condopo.app
- Subject line: "Privacy Inquiry — [your concern]"
- Response time: within fifteen (15) working days, consistent with NPC guidance
2. What we collect
We only collect data we genuinely need to operate the Service. Categories below.
2.1 Account & identity
- Federated sign-in identifier (Google or Apple user ID, email address, profile name, profile photo URL) — required to authenticate.
- Display name, age range, gender, short bio, optional contact handles (Viber, WhatsApp, Messenger) — provided by you in the app.
2.2 Residency verification
- Selected condominium (chosen from a list of 429 verified buildings).
- Verification photo — one image of a key card, HOA receipt, move-in clearance, or unit door, used solely to confirm you live in the building you selected.
- Verification photos are reviewed by our admin team and permanently deleted from our servers within thirty (30) days of admin review by an automated process. We do not require, request, or store unit numbers.
2.3 Content you create
- Posts, comments, marketplace listings, photos attached to any of these, likes, reports.
- For Premium users: marketplace listing duration, price, and contact-handle preferences.
2.4 Technical & usage data
- Firebase Authentication tokens, Firebase Cloud Messaging tokens (for push notifications), device platform (iOS / Android), app build version.
- Anonymized crash reports and basic stability telemetry (only if you opt in).
2.5 Payment data
- If you purchase Premium, the transaction is processed entirely by Apple App Store or Google Play Billing. We never receive your card number, bank details, or full billing address. We only receive a server-validated receipt token confirming the purchase, the product identifier, and the validity period.
2.6 What we do not collect
- Phone numbers (unless you explicitly enter a Viber/WhatsApp handle as a marketplace contact).
- Precise GPS location.
- Contacts, photos library beyond what you select, microphone, camera (unless you tap "take a photo").
- Your unit number.
3. Lawful basis & your consent
Under Section 12 of the DPA, our processing relies on one or more of: (a) your consent, (b) the necessity of fulfilling our contract with you, or (c) our legitimate interest in operating a safe community platform. Required consents are collected before sign-in via a clearly-labelled bottom sheet on the login page; optional consents (analytics, marketing, business transfer) default to OFF and may be toggled at any time in Settings → Notification & Privacy preferences.
| Consent | Required? | Default |
|---|---|---|
| Terms of Service | Yes | Off — you check to proceed |
| Privacy Policy | Yes | Off — you check to proceed |
| You are 18 years or older | Yes | Off — you check to proceed |
| You are a real resident of the building you select | Yes | Off — you check to proceed |
| Anonymized usage analytics | No | Off |
| Marketing communications | No | Off |
| Business-transfer (sale, merger, acquisition) | No | Off |
4. How we use your data
- Operate the Service — render your home feed, deliver posts and listings to other verified residents of the same building, send push notifications you have enabled, and process payments through Apple/Google.
- Verify residency — review your verification photo to confirm building membership; the photo is then deleted within 30 days.
- Prevent abuse — enforce posting cooldowns, evaluate user reports, suspend accounts that violate the Terms.
- Improve the Service — aggregated, anonymized stability and usage analytics, only if you opted in.
- Comply with law — respond to lawful requests from the NPC or other Philippine authorities.
5. Who can see your content
- Verified residents of your building only. Your posts, listings, and comments are visible exclusively to other verified members who selected the same condominium. No cross-building browsing is possible.
- Building Admins (if applicable) may post building-wide announcements; their posts carry a verified badge.
- The Condopo team may view content reported by users for moderation.
- The public never sees your content unless you choose to share it outside Condopo.
6. Sharing & third-party processors
We do not sell, rent, or trade your personal information. We share limited data with the following processors strictly to operate the Service:
| Processor | Purpose | Data shared | Region |
|---|---|---|---|
| Google Firebase (Auth, Firestore, Cloud Functions, Cloud Messaging, Cloud Storage) | Backend, authentication, push notifications, image hosting | Account identifiers, content you post, device tokens, residency proof until deletion | asia-southeast1 (Singapore) |
| Google Sign-In | Federated authentication | Google account ID, email, name, profile photo | Global |
| Apple Sign-In | Federated authentication | Apple user ID, optional email relay | Global |
| Apple App Store / Google Play Billing | In-app purchases | Receipt tokens for Premium validation | Global |
Each processor is contractually bound to handle your data only for the purposes set out above and to apply security measures consistent with the DPA.
7. Cross-border transfer
Your personal data is stored on Google Firebase servers located in asia-southeast1 (Singapore). By using the Service, you acknowledge that your data may be transferred outside the Philippines for processing, in accordance with Section 21 of the DPA. We ensure equivalent levels of protection through Google's standard data-processing addenda.
8. Retention
| Data | Retention period |
|---|---|
| Account profile | Until you delete your account, then irretrievably purged within 30 days |
| Posts, comments, listings | Until you delete them or your account; immediate hard-delete cascade on your action |
| Verification photo | Within 30 days of admin review (auto-purged by Cloud Function) |
| Marketplace listings | Default 30 days unless removed earlier; soft-delete + storage purge on deletion |
| Audit logs (admin actions, suspensions) | 90 days for compliance, then auto-purged |
| Aggregated analytics | Indefinitely, in non-identifiable form |
9. Security
- All traffic to and from the Service is encrypted in transit (TLS 1.2+).
- Data at rest is encrypted on Google Firebase infrastructure.
- Access controls follow the principle of least privilege; production credentials are rotated on a defined schedule.
- Firestore security rules enforce per-building visibility and per-author write authority at the database layer.
- App Check (Firebase) protects backend endpoints from abuse on production.
No method of transmission or storage is 100% secure. In the event of a personal data breach that creates a real risk of serious harm, we will notify the National Privacy Commission and affected users within seventy-two (72) hours, in accordance with NPC Circular 16-03.
10. Your rights under the DPA
You have the following rights, exercisable at any time by emailing dpo@condopo.app:
- Right to be informed — about how your data is processed (this Policy serves that purpose).
- Right to access — request a copy of the personal data we hold about you.
- Right to object — to specific processing activities, including marketing.
- Right to erasure or blocking — request deletion of your data; you may also self-serve via Delete Account.
- Right to damages — for any inaccurate, incomplete, outdated, false, or unlawfully obtained or processed personal data.
- Right to rectify — correct inaccurate or incomplete information.
- Right to data portability — receive your data in a structured, commonly-used, machine-readable format.
- Right to lodge a complaint — with the NPC at privacy.gov.ph if you believe your rights have been violated.
11. Withdrawing consent
You may withdraw any optional consent at any time in Settings → Notification & Privacy preferences inside the app, or by emailing the DPO. Withdrawing required consents will end your access to the Service. Your historical content posted in good faith remains visible to your building's residents until you or your account are deleted.
12. Minors
The Service is restricted to users eighteen (18) years of age or older. We do not knowingly collect personal information from anyone under 18. If we become aware that an underage user has registered, we will delete their account immediately and erase any associated data.
13. Cookies & tracking on the website
The website at condopo.com is a static informational site. We do not use advertising cookies, third-party analytics cookies, or cross-site tracking. The site sets only the strictly necessary cookies required to deliver content (e.g., the Firebase Hosting CDN session cookie).
14. Business-transfer disclosure (Section 19)
If Condopo is acquired by, sold to, or merged with another company, your personal data may be transferred to the successor entity, but only if you have explicitly opted in to the optional "business transfer" consent. If you have not opted in, we will offer you a right to delete before transfer: a notice will be sent at least thirty (30) days before any transfer, with a one-tap deletion option.
15. Updates to this Policy
We may update this Policy from time to time. Material changes will be announced inside the app and on this page at least seven (7) days before they take effect. If a change requires renewed consent under the DPA, you will be asked to confirm.
16. Governing law and venue
This Policy is governed by the laws of the Republic of the Philippines. Any dispute arising from or relating to this Policy shall be brought before the proper courts of Makati City, to the exclusion of all other venues.
17. Contact
Data Protection Officer — dpo@condopo.app
Condopo · Makati City, Philippines
For NPC complaints: National Privacy Commission