- Who We Are (Data Controller)
- What Personal Data We Collect
- Why We Collect It (Lawful Basis)
- How We Use Your Data
- How Long We Keep Your Data
- Who We Share Your Data With
- How We Protect Your Data
- Cookies & Third-Party Services
- Your Rights Under RA 10173
- Children's Privacy
- Changes to This Policy
- How to Contact Us
Who We Are (Data Controller)
artcyst.ph is a small handcraft studio based in Ilocos Norte, Philippines, operating as a sole proprietorship. We are the personal information controller for the data you provide when placing an order through our website.
Contact: artcyst.ph@gmail.com · Social: @artcyst.ph
What Personal Data We Collect
We collect only the information necessary to process and deliver your order. The table below lists every data point we collect:
| Data Point | Why Collected | Required? |
|---|---|---|
| Full name | Order identification, invoice, shipping label | Yes |
| Email address | Order confirmation, invoice delivery, updates | Yes |
| Phone number | Courier contact, order issues | Yes |
| Shipping address | Delivery of your order | Yes (unless local pick-up) |
| Order specifications (size, colors, engraving text, add-ons) | Crafting your custom folio exactly as specified | Yes |
| Proof-of-payment image (PNG or JPG screenshot) | Payment verification; stored until your order ships | Yes |
| Payment reference / transaction details (visible in PoP image) | Matching payment to order; dispute resolution | Incidental (within PoP image) |
We do not collect payment card numbers, bank credentials, passwords, government ID numbers, or any sensitive personal information beyond the above.
Why We Collect It (Lawful Basis)
Under RA 10173, we may process personal data when there is a lawful basis to do so. For artcyst.ph, our lawful bases are:
| Basis | How It Applies |
|---|---|
| Contractual necessity | Processing your name, contact details, address, and order specs is necessary to fulfil the purchase contract between you and artcyst.ph. |
| Legitimate interest | Storing a proof-of-payment image and transaction reference to protect against fraud and to verify payment disputes. |
| Legal obligation | Retaining minimal transaction records where required for tax and consumer protection compliance under Philippine law. |
How We Use Your Data
Your personal information is used exclusively for the following purposes:
| Purpose | Data Used |
|---|---|
| Processing and confirming your order | Name, email, phone, order specs |
| Crafting your custom folio | Order specifications (size, color, engraving, etc.) |
| Sending a PDF invoice and order confirmation | Name, email, order details |
| Shipping your order or arranging local pick-up | Name, phone, shipping address |
| Verifying payment and preventing fraud | Proof-of-payment image, transaction reference |
| Communicating about delays, defects, or disputes | Email, phone, order details |
| Responding to data access or deletion requests | Email, name (to verify identity) |
We do not use your data for marketing emails, advertising profiling, or any purpose beyond fulfilling and managing your order — unless you separately opt-in at a future date, which will be made clear at that time.
How Long We Keep Your Data
| Data Type | Retention Period | Reason |
|---|---|---|
| Proof-of-payment image (Google Drive) | Deleted once your order has shipped | Only needed for payment verification |
| Order details in Google Sheets (name, contact, specs, total) | Up to 1 year from order date | Dispute resolution, warranty reference, and basic bookkeeping |
| PDF invoice (Google Drive) | Up to 1 year from order date | Customer reference, dispute resolution |
| Email correspondence | Up to 1 year from last interaction | Communication history, dispute resolution |
After the applicable retention period, data is permanently deleted. You may also request earlier deletion — see Section 9 for your rights.
Who We Share Your Data With
We do not sell, rent, or trade your personal information to third parties. We share your data only where strictly necessary to fulfil your order:
| Recipient | Data Shared | Purpose |
|---|---|---|
| Courier / Shipping Provider (e.g., J&T Express, LBC, or similar) | Name, address, phone number | Delivery of your order |
| Google LLC (Google Drive, Google Sheets, Google Apps Script, Gmail) | Order data, PoP images, invoice PDFs, emails | Data storage and order processing infrastructure. Google acts as a data processor under our use of its services. Google's privacy policy applies to their handling of data. |
No other third parties receive your personal information. Government or law enforcement authorities may receive data if required by Philippine law, court order, or to protect against fraud.
How We Protect Your Data
We implement reasonable technical and organizational measures to protect your personal information, including:
| Measure | Details |
|---|---|
| Access control | Only the artcyst.ph owner accesses order data. No third-party staff have access. |
| Secure storage | Data is stored in Google's infrastructure, which is protected by Google's security protocols including encryption at rest and in transit. |
| Limited retention | Proof-of-payment images are deleted once your order ships. All data is purged after the retention periods in Section 5. |
| Website security | Our website uses a strict Content Security Policy (CSP) header and does not store personal data in-browser. |
While we take reasonable steps to protect your data, no internet transmission is 100% secure. In the event of a personal data breach that poses risk to your rights, we will notify you and the National Privacy Commission (NPC) within 72 hours of discovery, as required by RA 10173.
Cookies & Third-Party Services
Our website loads resources from the following third-party services, which may set cookies or process data on their own servers:
| Service | Purpose | Privacy Reference |
|---|---|---|
| Google Fonts | Typography rendering (DM Serif Display, DM Sans, Playfair Display) | Google Privacy Policy |
| Tailwind CSS CDN (cdn.tailwindcss.com) | CSS utility framework, loaded from CDN | No persistent cookies set |
| Swiper.js CDN (cdn.jsdelivr.net) | Image carousel / slider component | jsDelivr Privacy Policy |
| Google Apps Script (script.google.com) | Backend order submission and processing | Google Privacy Policy |
These third-party services are loaded for functional purposes only. We do not use advertising cookies, tracking pixels, or analytics services (e.g., Google Analytics). When you first visit our site, a cookie consent notice is displayed. Accepting functional cookies means you consent to the third-party CDN requests listed above. You may opt out by adjusting your browser settings, though this may affect page appearance and functionality.
We do not use targeting or advertising cookies of any kind.
Your Rights Under RA 10173
The Philippine Data Privacy Act grants you the following rights regarding your personal information:
To exercise any of the above rights, contact us at artcyst.ph@gmail.com with the subject line "Data Privacy Request." We will respond within 15 business days. We may ask you to verify your identity before processing your request.
Children's Privacy
Our website and products are not directed at children under the age of 18. We do not knowingly collect personal information from minors. If you believe we have inadvertently collected data from a minor, please contact us immediately and we will delete it without delay.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. The effective date at the top of this page will always reflect the most recent version. Significant changes will be communicated via a notice on our website. Continued use of our website after changes have been posted constitutes your acceptance of the updated policy.
How to Contact Us
For all privacy-related inquiries, requests, or complaints:
artcyst.ph — Data Privacy Contact
Email: artcyst.ph@gmail.com
Social: @artcyst.ph on Instagram, Facebook, and TikTok
Please use the subject line "Data Privacy Request" for faster response. We aim to respond within 15 business days.
You also have the right to escalate concerns directly to the National Privacy Commission (NPC) of the Philippines at www.privacy.gov.ph.