How Kaayu Gym Management complies with Republic Act 10173 — the Data Privacy Act of 2012 — and the implementing rules and regulations of the National Privacy Commission.
Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012 (DPA), is the primary Philippine law governing the collection, storage, and use of personal information. It is implemented and enforced by the National Privacy Commission (NPC), an independent body established under the Act.
The DPA applies to the processing of personal information of natural persons (Filipino citizens and non-citizens alike) by any natural or juridical person in the government or private sector. It covers information processed by wholly or partly automated means, as well as non-automated information intended for use in a filing system.
Kaayu Technology Inc. is incorporated and primarily operates in the Philippines, making RA 10173 our foundational data protection framework. This page explains our compliance obligations under the DPA and the rights of data subjects we serve.
Republic Act No. 10173 — Data Privacy Act of 2012, as implemented by the Implementing Rules and Regulations (IRR). Full text available at the National Privacy Commission: privacy.gov.ph.
The DPA distinguishes between a Personal Information Controller (PIC) — who controls the collection, holding, processing, or use of personal information — and a Personal Information Processor (PIP) — who processes personal information on behalf of a PIC.
When gym operators use Kaayu to manage their members' data — names, contact details, fitness records, access logs, payment history — the gym operator is the PIC and Kaayu acts as their PIP. We process member data strictly under the operator's instructions, for purposes defined by the operator, and do not use it for our own commercial purposes.
Gym operators who require a formal Sub-Processing Agreement may request one by emailing legal@kaayu.online.
Kaayu acts as a PIC for personal data it collects for its own business purposes: operator and staff account contacts, billing information, marketing opt-in records, platform usage data, and support communications. For this data, Kaayu bears full responsibility for DPA compliance.
A DPA-compliant sub-processing agreement is available to all Philippine gym operator clients. Email legal@kaayu.online with the subject line "Sub-Processing Agreement Request".
Under Section 12 of RA 10173, processing of personal information is permitted only when at least one of the following criteria applies. Section 13 applies additional, stricter criteria for sensitive personal information.
| Processing Activity | Lawful Criterion | DPA Section |
|---|---|---|
| Operator account management and platform access | Contract necessity — required to deliver the subscribed service | Sec. 12(b) |
| Billing, invoicing, and payment processing | Contract necessity; legal obligation (BIR record-keeping) | Sec. 12(b) & (c) |
| Platform security, fraud prevention, abuse detection | Legitimate interests — protecting the platform and its users from harm | Sec. 12(f) |
| Aggregate anonymised product analytics | Legitimate interests — improving and developing the platform | Sec. 12(f) |
| Marketing emails and product communications | Consent — opt-in at account creation or via communication preferences | Sec. 12(a) |
| Health/fitness data entered by gym operators | Explicit consent of the data subject (obtained by the gym as PIC) | Sec. 13(b) |
| Tax and financial record retention | Legal obligation — BIR Revenue Regulations and NIRC requirements | Sec. 12(c) |
Gym operators (as PICs) are responsible for identifying and documenting their own lawful criteria for processing their members' personal information within the Kaayu platform.
Sections 16 through 20 of RA 10173 grant data subjects the following rights with respect to their personal information. For data for which Kaayu is the PIC, these rights may be exercised directly with us. For gym member data (where the gym operator is the PIC), members should contact their gym operator first.
To exercise any of the above rights regarding data for which Kaayu is the PIC, email privacy@kaayu.online with the subject line "DPA Rights Request." We will acknowledge within 3 business days and resolve your request within 15 business days, extendable by a further 15 business days with notice.
If you are a gym member whose data is managed by a gym that uses Kaayu, your gym is the Personal Information Controller for your membership records. Please contact your gym directly. The gym may then coordinate with Kaayu to fulfil your request.
Section 3(l) of RA 10173 defines sensitive personal information as personal information about a data subject's race, ethnic origin, marital status, age, colour, religious, philosophical or political affiliations, health, education, genetic or sexual life, legal proceedings, and government-issued identification numbers.
In the context of gym management, the most commonly encountered sensitive personal information includes:
Kaayu applies heightened protections for sensitive personal information stored within the platform: additional field-level encryption, stricter role-based access controls (only authorised staff can view), and comprehensive audit logging of all access events.
Gym operators (as PICs) must obtain the explicit consent of data subjects before collecting sensitive personal information, as required by Section 13(b) of RA 10173. Kaayu provides consent-logging tools within the platform, but operators are responsible for obtaining and documenting that consent.
Under NPC Circular 17-01, personal information controllers that employ at least 250 persons, or those who process sensitive personal information of at least 1,000 individuals, are required to register their data processing systems with the National Privacy Commission.
Kaayu Technology Inc. maintains NPC registration as required for a SaaS platform processing personal data of gym members across multiple operators in the Philippines.
Kaayu Technology Inc. is registered with the National Privacy Commission. Our registration is renewed annually in accordance with NPC requirements. Gym operators may verify our registration status directly with the NPC at privacy.gov.ph.
Philippine gym operators who process the personal data of 1,000 or more individuals may themselves be required to register with the NPC. We recommend consulting NPC Circular 17-01 or contacting the NPC directly at info@privacy.gov.ph to assess your registration obligations.
Kaayu retains personal data only for as long as necessary for the purposes for which it was collected, or as mandated by Philippine law. Our retention schedule is:
Gym operators can configure their own data retention policies for member records within the Kaayu platform. Kaayu provides bulk anonymisation and deletion tools to assist operators in meeting their own retention obligations.
Section 20 of RA 10173 and its IRR require PICs and PIPs to implement reasonable and appropriate security measures. Kaayu's security programme is aligned with NPC guidelines and international best practices:
Section 20(f) of RA 10173 and NPC Circular 16-03 require prompt notification of personal data breaches to the NPC and to affected data subjects. Kaayu's breach response process is as follows:
Where Kaayu acts as PIC: if a personal data breach involves sensitive personal information, or information likely to be used to enable identity fraud, we will notify the NPC within 72 hours of becoming aware of the breach. Where Kaayu acts as PIP, we will notify the affected gym operator immediately so they can fulfil their own notification obligations.
Where a breach is likely to give rise to a real risk of serious harm to affected data subjects, Kaayu (or the gym operator as PIC) will notify those individuals directly, in clear and plain language, describing the nature of the breach, the data involved, and the measures being taken.
To report a suspected data breach or security vulnerability, contact us immediately at security@kaayu.online. All reports are acknowledged within 24 hours.
In accordance with NPC Advisory No. 17-01, Kaayu has designated and registered a Data Protection Officer (DPO) with the National Privacy Commission. The DPO is responsible for overseeing our compliance with RA 10173, advising on data protection matters, and serving as the primary point of contact for data subjects and the NPC.
Data Protection Officer
Kaayu Technology Inc.
Email: dpo@kaayu.online
Phone: +63 947 984 1430
Address: Manila, Philippines
The DPO can be contacted to exercise data subject rights, request a copy of our Privacy Manual, raise concerns about our data processing activities, or inquire about our NPC registration. We aim to respond to all DPO inquiries within 5 business days.
If you believe that Kaayu (or a gym operator using Kaayu) has violated your rights under RA 10173, you have the right to file a complaint with the National Privacy Commission. The NPC has the authority to investigate complaints and impose sanctions including fines and imprisonment for serious violations.
Before filing with the NPC, we encourage you to contact us directly at privacy@kaayu.online — most concerns can be resolved quickly and informally, and we take every privacy complaint seriously.
National Privacy Commission (NPC)
Website: privacy.gov.ph
Email: info@privacy.gov.ph
Hotline: 1-800-1-PRIVACY (1-800-1-774-8229)
Address: 5th Floor, Delegation Building, PICC Complex, Pasay City, Metro Manila
The NPC's complaints process, timelines, and forms are available at privacy.gov.ph/complaints. Complaints must generally be filed within 1 year from knowledge of the violation.
Our registered DPO is available to answer your questions about how Kaayu protects personal data under Philippine law — no jargon, straight answers.