How Reserva collects, uses, protects, and shares personal data — written in plain language and aligned with the Philippine Data Privacy Act of 2012 (Republic Act No. 10173).
Reserva is a managed AI booking and notification assistant for small and medium-sized businesses in the Philippines. It is operated as a sole proprietorship registered with the Department of Trade and Industry (DTI) and the Bureau of Internal Revenue (BIR), with its principal place of operation in the Republic of the Philippines.
This Privacy Policy applies to:
Reserva typically acts as a Personal Information Processor on behalf of our business clients, who are the Personal Information Controllers of their customers' data. When you interact with a Reserva-powered assistant, the business you are messaging is the primary controller of your data. Reserva processes that data strictly on their instructions and under a signed Data Sharing Agreement.
When a business engages Reserva, we collect:
When you message a business that uses Reserva, we may process:
Reserva does not collect or store: payment card numbers, bank account credentials, Facebook or Google account passwords, government identification documents, biometric data, health or medical records, or any data outside the scope of booking and notification workflows.
When you visit reservaph.com, standard server and CDN logs may record your IP address, browser type, referring URL, and pages accessed. We do not deploy third-party advertising trackers, behavioral analytics, or fingerprinting scripts. If analytics tools are added in the future, this policy will be updated and affected users notified.
| Purpose | What This Means |
|---|---|
| Booking & appointment processing | Recording your inquiry, checking availability, creating a booking or appointment record, and confirming details with you before committing. |
| Notifications & reminders | Sending scheduled reminders about your booking, appointment, downpayment deadline, or upcoming event via SMS, email, or Messenger. |
| Event coordination | Broadcasting event details, collecting RSVPs, processing check-ins, and dispatching updates on behalf of event organizer clients. |
| AI conversation handling | Processing your message through an AI provider to understand your intent and generate a relevant response in Taglish or English. |
| Service operation | Maintaining availability, debugging issues, preventing fraud and abuse, and auditing system actions for accountability and security. |
| Legal compliance | Meeting obligations under the Data Privacy Act, Bureau of Internal Revenue, National Telecommunications Commission, and Meta Platform policies. |
Under Section 12 of the Data Privacy Act of 2012, we process personal data on the following bases:
Reserva does not sell personal data. We share data only in these limited circumstances:
The business you are messaging receives your conversation history, booking details, and status updates. This is the core function of the service and is disclosed at the point of consent.
Reserva relies on the following sub-processors, each bound by their own data protection commitments:
| Provider | Purpose | Data Processed |
|---|---|---|
| MongoDB Atlas | Database hosting | All persistent application records |
| Railway | Backend server & Redis hosting | Transient processing state and job queues |
| Anthropic (Claude API) | AI message processing | Conversation content during API calls; not retained for model training under Anthropic's API terms |
| Meta Platforms | Messenger delivery | Message content sent or received through Facebook Messenger |
| Semaphore | SMS delivery | Phone numbers and SMS content for outbound and inbound messages |
| Resend | Email delivery | Email addresses and message content for transactional emails |
| Cloudflare | Domain, DNS, and static hosting | Standard request metadata (IP, user agent, requested URL) |
We may disclose personal data if required by lawful order from a Philippine court, the National Privacy Commission, the Bureau of Internal Revenue, or another competent authority with jurisdiction.
Some service providers — including Anthropic, Meta, MongoDB Atlas, Resend, and Cloudflare — operate infrastructure outside the Philippines. Where personal data is transferred internationally, we ensure the receiving party maintains an adequate level of protection consistent with the Data Privacy Act, either through contractual safeguards or because the provider operates under a comparable regulatory framework.
| Data Category | Retention Period |
|---|---|
| Conversation messages | Duration of the engagement plus 2 years |
| Booking and appointment records | 5 years from completion (BIR record-keeping requirement) |
| Event records and attendee rosters | 90 days post-event; rosters retained for repeat-event clients |
| Consent records | Duration of the engagement plus 2 years |
| Audit logs | 2 years online, then archived for an additional 5 years |
| Payment transaction records | Up to 10 years (BIR requirement for certain transaction types) |
| One-time action link tokens | Expired tokens purged within 30 days of expiry |
When a business client offboards from Reserva, their data and the data of their customers are deleted from active systems within 30 days. Cold-storage archives are retained only for the legally required minimum period.
Under the Data Privacy Act of 2012, you have the following rights:
To exercise any of these rights, contact our Data Protection Officer (details in Section 12). We respond to access requests within 7 working days and to deletion requests within 14 working days.
You may opt out of SMS communications at any time by replying STOP to any message sent by Reserva. Your number is added to our suppression list within 24 hours. Opt-outs are respected across all businesses that use Reserva — a suppressed number will not receive further Reserva-dispatched SMS from any client.
Reserva applies technical and organizational safeguards to protect personal data:
In the event of a personal data breach that creates a real risk of serious harm, Reserva will notify the National Privacy Commission and affected data subjects within 72 hours of becoming aware of the breach, as required by NPC Circular 16-03. Notifications will describe the nature of the breach, the categories of data involved, the steps taken to contain it, and guidance for affected individuals.
Reserva is not directed to persons under 18 years of age. We do not knowingly collect personal data from minors. If a parent or guardian believes a minor has provided personal data through our platform, they should contact our Data Protection Officer for prompt deletion.
We may update this Privacy Policy from time to time. Material changes will be communicated by updating the Effective Date at the top of this page, notifying registered business clients by email at least 14 days before changes take effect, and — where required — seeking fresh consent from affected data subjects.
For privacy questions, to exercise your rights, or to raise a concern, contact our designated Data Protection Officer:
Email:
Website: reservaph.com
Jurisdiction: Republic of the Philippines
If you are not satisfied with our response, you have the right to file a complaint with the National Privacy Commission at privacy.gov.ph or in person at the 5th Floor, Philippine International Convention Center, Vicente Sotto Street, Pasay City.