Effective Date: October 2025
Application: After5

PREAMBLE
This Privacy Policy (“Policy”) governs the collection, use, disclosure, retention, and protection of Personal Data by Rock IT Express Inc. (“Company,” “we,” “our,” or “us”) in connection with the After5 mobile application (“App”). This Policy is promulgated pursuant to Republic Act No. 10173 (Data Privacy Act of 2012), its implementing rules and regulations, and other applicable statutes and issuances of the Republic of the Philippines. All-natural persons who access, register with, or otherwise use the app—whether as service recipients or service providers—are herein referred to as “Data Subjects,” “you,” or “your.”

1. DEFINITIONS

1.1 “Personal Data” shall mean any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the Company, or when put together with other information, would directly and certainly identify an individual.
1.2 “Processing” shall mean any operation or set of operations performed upon Personal Data, including but not limited to collection, recording, structuring, storage, use, sharing, disclosure, erasure, or destruction.
1.3 “Data Controller” refers to the Company that, alone or jointly with others, determines the purposes and means of processing personal data.
1.4 “Data Processor” refers to any natural or juridical person, public or private, who processes Personal Data on behalf of the Data Controller.

2. SCOPE AND APPLICATION

2.1 This Policy applies to all processing activities in relation to the App and covers all personal data collected from Data Subjects in the Philippines.
2.2 The Policy is published and made available exclusively within the App. Data Subjects are deemed to have read, understood, and accepted the terms hereof by using or continuing to use the App.

3. PERSONAL DATA COLLECTED

3.1 Identifiers and Contact Information: Full name, email address, and mobile telephone number.
3.2 Location Data: Residential or service address; precise geolocation (GPS) data, subject to your consent.
3.3 Profile Data: Photographic image or avatar, if provided.
3.4 Technical Data: IP address, device type/model, operating system, device identifier, and application usage metrics.
3.5 Financial Data: Payment and transaction information processed exclusively via third-party payment gateways.
3.6 Audio-Visual Records: Video footage captured by body cameras of service providers during active service engagements.

4. PURPOSES OF PROCESSING

4.1 The Company shall process Personal Data solely for the following legitimate purposes:
a. To identify, authenticate, and match Data Subjects with qualified service providers;
b. To facilitate bookings, payment transactions, order status updates, and related service operations;
c. To enable in-app communication features, notifications, and customer support;
d. To verify identities, prevent fraud, and safeguard the integrity of the platform;
e. To investigate and resolve complaints, disputes, and incidents affecting service quality or safety;
f. To ensure compliance with applicable legal and regulatory obligations, including law enforcement requests or judicial orders.

5. DISCLOSURE AND SHARING

5.1 Personal Data shall not be sold, rented, or otherwise traded. Disclosure is strictly limited to:
a. Service Providers: Sharing only such data as is necessary to fulfill a service booking;
b. Payment Processors: Transmission of financial data to third-party payment processors under binding agreements;
c. Authorized Vendors and Partners: Data Processors performing back-office, IT support, or other ancillary functions under confidentiality and data protection undertakings;
d. Government and Regulatory Authorities: When compelled by law, court order, or for reasons of public safety or national interest.

6. BODY CAMERA FOOTAGE

6.1 All verified service providers are required to wear body cameras during service engagements. By scheduling or accepting a service via the App, Data Subjects provide their express consent to such recordings.
6.2 All recordings are encrypted at the point of capture and stored securely. Access is strictly limited to authorized personnel for the sole purpose of investigating incidents, dispute resolution, or compliance matters.
6.3 Recordings are automatically purged thirty (30) days after capture, unless otherwise retained for legitimate legal or investigatory needs, after which secure destruction procedures are applied.

7. DATA SECURITY MEASURES

7.1 The Company implements industry-standard technical and organizational measures to protect Personal Data against unauthorized access, disclosure, alteration, or destruction, including but not limited to:
a. Encryption of data in transit and at rest;
b. Network firewalls, secure intrusion detection systems, and segmented infrastructure;
c. Periodic vulnerability assessments and penetration testing;
d. Role-based access control and strict employee confidentiality obligations.

8. VENDOR DUE DILIGENCE & DPIAs

8.1 Prior to engaging any Data Processor, we conduct comprehensive due diligence to verify their ability to meet our security and compliance standards. For high-risk processing activities—such as body camera recording—we perform Data Protection Impact Assessments to identify and mitigate privacy risks.

9. RIGHTS OF DATA SUBJECTS

9.1 In accordance with the Data Privacy Act and its IRR, Data Subjects may exercise the following rights by submitting a written request to the Company’s designated DPO:
a. Right to Access: Obtain confirmation and copies of Personal Data processed.
b. Right to Rectification: Request correction of inaccurate or incomplete Personal Data.
c. Right to Erasure or Blocking: Demand deletion, blocking, or destruction of unlawfully processed or unnecessary Personal Data.
d. Right to Data Portability: Transmit Personal Data to another entity in a structured, commonly used, machine-readable format.
e. Right to Object: Object to processing based on legitimate grounds, except when required by law.
f. Right to Withdraw Consent: Withdraw previously granted consent for processing, subject to legal restrictions.

10. DATA RETENTION

10.1 Personal Data shall be retained only for as long as necessary to fulfill the purposes set forth in Article 4 or to comply with applicable legal retention periods.
10.2 Body camera recordings shall be securely stored for thirty (30) days, after which they are irreversibly deleted, unless retention is extended for pending investigations or legal proceedings.

10.3 Account and transaction records are retained for the duration of your active account and for any additional periods required by law.

10.4 Technical and usage logs are retained for no more than two (2) years.

11. EXTERNAL LINKS AND THIRD-PARTY SERVICES

11.1 The App may contain links or integrations to third-party services (e.g., mapping, social media, or analytics providers). The Company assumes no responsibility for the privacy practices of such third parties. Data Subjects are encouraged to review the privacy statements of each external service.

12. CHILDREN’S DATA

12.1 The App is intended exclusively for persons eighteen (18) years of age or older. The Company does not knowingly solicit, collect, or store Personal Data from minors. Should we become aware of any such collection, we shall promptly delete the data in question.

13. OTP VERIFICATION VIA SMS

13.1 As part of our registration and security protocol, we require users to undergo identity verification via a One-Time Password (OTP) sent to their registered mobile number. By registering for an account, you expressly authorize the Company to send SMS-based OTPs to the mobile number you provided for the following purposes:

1. Account verification and authentication;
   b. Fraud prevention and protection of platform integrity;
   c. Password resets, login confirmation, or critical account actions.

Your mobile number may be processed by authorized third-party SMS gateway providers solely for the purpose of delivering the OTP. Such providers are bound by confidentiality obligations and data protection agreements in accordance with Philippine law.

Standard carrier charges may apply. You may not opt out of OTP authentication if you wish to continue using the App’s services.

14. AMENDMENTS

14.1 The Company reserves the right to amend this Policy at any time. Material changes shall be posted within the App and become effective upon posting. Continued use of the App following any amendment constitutes acceptance of the revised Policy.

15. DATA PROTECTION OFFICER

15.1 The Company has appointed a Data Protection Officer (“DPO”) responsible for overseeing compliance with this Policy and applicable data privacy laws.
DPO Contact Information:
Email: DPO@after5.ph
Office Address: #236 P. Dela Cruz St., Novaliches, Quezon City

16. GOVERNING LAW AND VENUE

16.1 This Policy and any disputes arising therefrom shall be governed exclusively by the laws of the Republic of the Philippines.

17. CONTACT INFORMATION

For inquiries, requests, or complaints regarding this Privacy Policy or the processing of your Personal Data, please contact our DPO (Article 13) or write to us at:

• Email: customerservice@after5.ph 
• Address: #236 P. Dela Cruz St., Novaliches, Quezon City

You may also lodge a complaint with the National Privacy Commission via https://privacy.gov.ph.