Merchkins is committed to protecting your privacy and ensuring compliance with the Data Privacy Act of 2012 (Republic Act No. 10173) and its Implementing Rules and Regulations (IRR), as enforced by the National Privacy Commission (NPC) of the Philippines.
1. Introduction
This Privacy Policy describes how Merchkins ("we", "us", or "our") collects, uses, stores, shares, and protects your personal information when you use our platform ("Platform"), including our website and any associated services.
By accessing or using our Platform, you consent to the collection, use, and disclosure of your personal information in accordance with this Privacy Policy. If you do not agree with this policy, please do not use our Platform.
Merchkins is operated by Merchkins, with principal place of business at Magis TBI Richie Hall, Ateneo de Naga University, Ateneo Avenue, Bagumbayan Sur, Naga City, Camarines Sur, 4400, Philippines.
2. Information We Collect
2.1 Information You Provide Directly
We collect information you provide when you:
Create an account: Name, email address, phone number, password
Complete your profile: Profile picture, shipping addresses, billing information
Make a purchase: Payment information, shipping details, order preferences
Contact us: Messages, support tickets, feedback, complaints
Request a refund: Reason for refund, supporting documentation
Participate in surveys or promotions: Responses, preferences, demographic information
2.2 Information We Collect Automatically
When you use our Platform, we automatically collect:
Sellers: Order fulfillment status, delivery information
Analytics providers: Aggregated usage data
2.4 Omni-Channel Communication Data
When you communicate through our omni-channel inbox, we collect:
Facebook Messenger: Messages, profile information (name, profile picture) as permitted by Facebook's data policies
Facebook Page messages: Inquiries, comments, and replies on connected business pages
Website chat: Chat messages, session data, and any information you voluntarily provide
Email: Email address, message content, and attachments
This data is collected to provide customer support, process orders, and maintain communication history for dispute resolution.
3. How We Use Your Information
Under the Data Privacy Act of 2012, we process your personal information based on the following lawful bases and for the following purposes:
3.1 Contractual Necessity
Process and fulfill your orders
Manage your account and provide customer support
Process payments and refunds (including voucher issuance)
Communicate order status, delivery updates, and transaction confirmations
Facilitate dispute resolution between buyers and sellers
3.2 Legitimate Interest
Improve and optimize our Platform and services
Analyze usage patterns and trends
Detect, prevent, and address fraud, security issues, and technical problems
Personalize your experience and provide relevant recommendations
Conduct research and analytics to enhance our services
3.3 Legal Compliance
Comply with applicable laws, regulations, and legal processes
Respond to lawful requests from government authorities
Maintain proper business records as required by law
Enforce our Terms and Conditions and other agreements
3.4 Consent
Send promotional communications and newsletters (with your opt-in consent)
Use cookies for analytics and advertising purposes
Share your information with third parties for marketing purposes (only with explicit consent)
4. How We Share Your Information
We may share your personal information with:
4.1 Sellers (Storefront Operators)
When you place an order or communicate with a seller through our platform, we share your information with the relevant seller. Sellers receive:
Name, email address, and phone number
Shipping and billing address
Order details (products, quantities, preferences)
Communication history through our omni-channel inbox
Payment status (not payment method details)
Seller obligations: Sellers are contractually required to:
Use customer data only for order fulfillment and customer service
Handle data in compliance with the Data Privacy Act of 2012
Not share customer data with third parties without consent
Not use customer data for unrelated marketing without separate consent
Implement reasonable security measures to protect customer data
4.2 Service Providers
We engage trusted third-party service providers who assist us in operating our Platform:
Payment processors: To process your payments securely (e.g., Xendit, GCash, Maya)
Cloud hosting providers: To host and maintain our Platform infrastructure
Email service providers: To send transactional and promotional emails
Analytics providers: To analyze Platform usage and improve our services
Customer support tools: To manage and respond to your inquiries
4.3 Legal and Regulatory Authorities
We may disclose your information when required by law, to respond to legal process, to protect our rights, or in connection with a merger, acquisition, or sale of assets.
4.4 No Sale of Personal Data
We do not sell your personal information to third parties. Your data is never traded or exchanged for monetary consideration.
5. Third-Party API Integrations
Merchkins integrates with third-party platforms to provide omni-channel communication features for sellers. This section describes how we access, use, store, and protect data from these integrations.
Google API Services User Data Disclosure
Gmail integration for omni-channel inbox (available to organization administrators)
Data Accessed
When organization administrators connect their Gmail account, we access:
Email messages (read-only) from the connected inbox
Email metadata (sender, recipient, subject, date)
User profile information (email address, name)
Data Usage
Google user data is used exclusively to:
Display email messages within our omni-channel inbox interface
Enable sellers to respond to customer inquiries from a unified dashboard
Synchronize email communications for customer support purposes
We do not use Google user data for advertising, profiling, or any purpose unrelated to providing the omni-channel inbox feature.
Data Sharing
Google user data is not shared with any third parties. Data is only accessible to the organization administrator who connected the account and authorized team members within their organization. We do not sell, rent, or trade Google user data.
Data Storage & Protection
Google OAuth tokens are encrypted at rest using AES-256 encryption
Email content is cached temporarily for display purposes only
Data is stored on secure, access-controlled cloud infrastructure
Access is restricted to authorized personnel only
We implement industry-standard security measures including TLS encryption for data in transit
Data Retention & Deletion
OAuth tokens are retained only while the integration is active
Cached email data is retained for up to 30 days for display purposes
Users can disconnect their Google account at any time via Settings > Integrations
Upon disconnection, all Google user data (tokens and cached content) is deleted within 7 days
Users may request immediate deletion by contacting [email protected]
Google API Services User Data Policy Compliance: Merchkins' use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Meta (Facebook) API User Data Disclosure
Facebook Messenger and Page integration for omni-channel inbox
Data Accessed
When sellers connect their Facebook Page, we access:
Facebook Messenger conversations from the connected Page
Facebook Page inbox messages and comments
User profile information of message senders (name, profile picture as permitted by Facebook)
Page access tokens for sending/receiving messages
Data Usage
Facebook/Meta user data is used exclusively to:
Display Messenger and Page conversations in our unified inbox
Enable sellers to respond to customer messages from one dashboard
Facilitate order inquiries and customer support through Messenger
Associate conversations with customer orders when applicable
We do not use Facebook user data for advertising, building user profiles, or any purpose beyond providing customer communication features.
Data Sharing
Facebook user data is shared only with the seller (storefront operator) who connected the Facebook Page. Data is not shared with any other third parties. We do not sell, rent, or trade Facebook user data.
Data Storage & Protection
Facebook access tokens are encrypted at rest
Conversation data is stored in secure, access-controlled databases
All data transfers use TLS encryption
Access is restricted to the connected seller and their authorized team members
Data Retention & Deletion
Conversation history is retained while the integration is active for customer service continuity
Access tokens are retained only while the integration is connected
Sellers can disconnect their Facebook Page at any time via Settings > Integrations
Upon disconnection, access tokens are deleted immediately; conversation data is deleted within 30 days
Users may request immediate deletion by contacting [email protected]
Your personal information may be transferred to and processed in countries outside the Philippines where our service providers operate. When such transfers occur, we ensure appropriate safeguards are in place, including:
Standard contractual clauses or data protection agreements with service providers
Assessment of the recipient country's level of data protection
Implementation of technical and organizational security measures
In accordance with NPC Circular No. 2016-02, we ensure that cross-border data transfers comply with the requirements of the Data Privacy Act.
7. Data Security
We implement robust technical, organizational, and physical security measures to protect your personal information from unauthorized access, alteration, disclosure, or destruction. These measures include:
Encryption: SSL/TLS encryption for data in transit; encryption at rest for sensitive data
Access controls: Role-based access controls limiting data access to authorized personnel
Authentication: Secure authentication mechanisms including multi-factor authentication options
Monitoring: Continuous monitoring for security threats and suspicious activities
Regular audits: Periodic security assessments and vulnerability testing
Employee training: Data privacy and security training for all staff
However, no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to protect your personal information, we cannot guarantee its absolute security.
8. Data Retention
We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. Specific retention periods include:
Account information: Retained while your account is active and for 5 years after deletion (for legal/tax purposes)
Transaction records: Retained for 10 years as required by Philippine tax regulations
Support communications: Retained for 3 years after resolution
Marketing consent records: Retained until consent is withdrawn, plus 2 years for proof of consent
Log data: Retained for 90 days for security and analytics purposes
Upon expiration of the retention period, your personal information will be securely deleted or anonymized in accordance with our data destruction procedures.
9. Your Rights Under the Data Privacy Act
Under the Data Privacy Act of 2012, you have the following rights regarding your personal information:
Right to Be Informed
Know how your personal data is being processed, including its purpose, scope, and method.
Right to Access
Obtain a copy of your personal data in our possession and information about how it is processed.
Right to Rectification
Correct or update inaccurate or incomplete personal information.
Right to Erasure
Request deletion of your personal data when it is no longer necessary or lawfully processed.
Right to Object
Object to the processing of your personal data, including for direct marketing purposes.
Right to Data Portability
Receive your personal data in a structured, commonly used, and machine-readable format.
Right to Block
Suspend, withdraw, or order the blocking or removal of your personal data.
Right to Damages
Claim compensation for damages sustained due to inaccurate, incomplete, or unauthorized processing.
9.1 Exercising Your Rights
To exercise any of these rights, please contact our Data Protection Officer at[email protected]. We will respond to your request within thirty (30) days as required by the Data Privacy Act.
Please note that some rights may be limited where we have overriding legitimate grounds, or where data is needed for legal claims or compliance with legal obligations.
10. Cookies and Tracking Technologies
10.1 What Are Cookies?
Cookies are small text files stored on your device when you visit our Platform. They help us provide a better user experience, remember your preferences, and analyze how you use our services.
10.2 Types of Cookies We Use
Essential cookies: Required for Platform functionality (authentication, security, cart)
Performance cookies: Help us understand how visitors use our Platform
Functional cookies: Remember your preferences and settings
You can control cookies through your browser settings. Most browsers allow you to refuse cookies or delete existing cookies. However, disabling essential cookies may affect Platform functionality.
11. Children's Privacy
Our Platform is not intended for children under the age of thirteen (13). We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal data from a child under 13 without parental consent, we will take steps to delete that information promptly.
Users between 13 and 18 years old must have parental or guardian consent to use our Platform. Parents or guardians who believe their child has provided personal information without consent should contact us immediately.
12. Third-Party Links
Our Platform may contain links to third-party websites or services that are not owned or controlled by Merchkins. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party sites you visit.
13. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
Notify the National Privacy Commission (NPC) within seventy-two (72) hours of becoming aware of the breach
Notify affected data subjects when the breach is likely to result in high risk to their rights and freedoms
Document all breaches including their effects and remedial actions taken
Implement measures to address the breach and prevent future occurrences
This is in compliance with NPC Circular No. 16-03 on Personal Data Breach Management.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:
Update the "Last updated" date at the top of this page
Provide notice through the Platform or via email for significant changes
Obtain fresh consent where required by law
We encourage you to review this Privacy Policy periodically for any changes.
15. Complaints and Contact Information
If you have questions, concerns, or complaints about this Privacy Policy or our data practices, please contact our Data Protection Officer:
Get your own storefront with unified ordering, payment processing, and fulfillment — plus omni-channel support to manage all customer conversations in one inbox.