Privacy Policy
Effective date: June 2, 2026 · Last updated: June 2, 2026
This Privacy Policy describes how KOMUNITI, a product of TAVARA HOLDINGS OPC, collects, uses, stores, and protects your personal information. KOMUNITI serves Philippine HOA communities and, as part of TAVARA HOLDINGS' regional strategy, users across Southeast Asia and globally. We comply with all five privacy frameworks listed in Section 2. Where frameworks conflict, we apply the stricter standard.
1. Who we are and how to reach us
Data Controller / Personal Information Controller:
TAVARA HOLDINGS OPC (SEC Reg. No. 2026050252208-01)
Operating as: KOMUNITI, delivered by SOLOMON TEKNIKA (Technology Division of TAVARA HOLDINGS)
Metro Manila, Philippines
Privacy Officer / Data Protection Officer:
Email: privacy@komuniti.cloud
Response time: within 5 business days
This policy applies to all users of KOMUNITI globally. Depending on your location, additional rights and obligations may apply under the frameworks listed in Section 2.
2. Applicable privacy frameworks
KOMUNITI serves HOA communities in the Philippines and, as part of TAVARA HOLDINGS' regional expansion, users in Southeast Asia and internationally. We comply with:
- Republic Act No. 10173 — Philippine Data Privacy Act of 2012 and its Implementing Rules and Regulations (IRR). Enforced by the National Privacy Commission (NPC). Primary framework for our core Philippine operations.
- GDPR — General Data Protection Regulation (EU) 2016/679, applicable to users in the EU and EEA.
- Singapore PDPA — Personal Data Protection Act 2012 (Singapore), applicable to users in Singapore. Enforced by the Personal Data Protection Commission (PDPC).
- Thailand PDPA — Personal Data Protection Act B.E. 2562 (2019), applicable to users in Thailand. Enforced by the Personal Data Protection Committee (PDPC Thailand).
- Malaysia PDPA — Personal Data Protection Act 2010 (Malaysia), as amended by the Personal Data Protection (Amendment) Act 2024, applicable to users in Malaysia. Enforced by the Personal Data Protection Commissioner under the Department of Personal Data Protection (JPDP).
3. Sensitive personal information
KOMUNITI processes financial records of residents and communities. Under RA 10173, financial information constitutes Sensitive Personal Information (SPI) where it relates to an individual's financial standing. Under GDPR and the PDPA frameworks, financial data processed in the context of debt, delinquency, or enforcement actions requires heightened protection. We treat all financial and governance records with the highest level of protection across all frameworks.
The following data types are classified as sensitive or requiring heightened care:
- Resident financial records — dues balances, payment history, delinquency status
- HOA election ballots and vote records — governance participation is confidential
- Resident complaints and grievances — potentially sensitive personal disclosures
- Construction permits and violation records — may reflect personal circumstances
- Sinking fund and reserve fund financial data — community financial health
The lawful basis for processing financial and governance data is the HOA subscription contract and, where applicable, your explicit consent as a community member. You may contact privacy@komuniti.cloud to exercise data subject rights over sensitive records.
4. What data we collect
We collect only what is necessary to operate the platform:
- Account information — name, email address, phone number, and community affiliation.
- Profile information — unit number, role within your community (board member, resident, staff), and optional profile photo.
- Financial records (SPI) — dues assessments, payment history, outstanding balances, billing statements, and ledger entries.
- Governance records — meeting attendance, election ballots (secret — not linked to identity in results), board resolutions, and grievance submissions.
- Operational records — work order requests, violation notices, construction permit applications, and visitor gate passes.
- Payment data — processed by PayMongo (BSP-regulated). We receive only transaction confirmation and status. We do not store card numbers, GCash PINs, or banking credentials.
- Usage analytics — page views, feature interactions, and error events collected in aggregate via Vercel Analytics. Not linked to your identity in reports.
- Device information — browser type, OS, IP address, and device identifiers for security and access control.
We do not collect: clinical or health records, government ID numbers (beyond what you voluntarily provide for clearance purposes), precise GPS location (guards use QR code proximity, not continuous tracking), or camera/microphone access.
5. Lawful basis for processing
We process your data only when we have a valid legal basis:
| Data type | Purpose | RA 10173 | GDPR | SG / TH / MY PDPA |
|---|---|---|---|---|
| Account information | Create and manage your account | Contract | Art. 6(1)(b) Contract | Contract |
| Financial records (SPI) | Dues billing, collection, reporting | Contract + Legal obligation | Art. 6(1)(b) Contract | Contract |
| Governance records | Elections, meetings, resolutions | Contract + Legitimate interest | Art. 6(1)(b) Contract | Contract |
| Complaints / grievances | Dispute resolution | Consent + Contract | Art. 6(1)(b) Contract | Consent + Contract |
| Payment data | Process subscription payments | Contract + Legal obligation | Art. 6(1)(b) Contract | Contract |
| Usage analytics | Platform improvement | Legitimate interest | Art. 6(1)(f) Legitimate interest | Legitimate interest |
| Government filings (BIR, DHSUD) | Legal compliance | Legal obligation | Art. 6(1)(c) Legal obligation | Legal obligation |
We do not sell your data. We do not share your data with third parties for advertising.
6. How we use your information
- Operate and maintain the KOMUNITI platform — billing, governance, compliance, and community management features.
- Send service communications — billing statements (SOA), payment confirmations, compliance deadline reminders, and security alerts.
- Generate government-required filings — DHSUD GIS, BIR 2550-M, and other regulatory exports use your community's data directly.
- Run Niti AI — Niti reads your community's actual ledger and governance records to answer questions. It is scoped to your HOA only and never cross-references another community's data.
- Platform improvement — aggregate, anonymized usage analytics to improve features and performance.
7. International data transfers
KOMUNITI infrastructure involves service providers located outside the Philippines. When your data is transferred internationally, we ensure adequate protections are in place:
- Supabase — database stored in Singapore (ap-southeast-1). Supabase maintains Standard Contractual Clauses (SCCs) for GDPR transfers and is SOC 2 Type II certified.
- Vercel — edge computing in global regions. Vercel maintains SCCs and GDPR Data Processing Agreements.
- Anthropic (Claude / Niti) — US-based. Niti processes community data to generate responses. Anthropic does not use your data to train models (confirmed by API terms). SCCs apply for EU users.
- PayMongo — Philippines-based, BSP-regulated. No cross-border transfer of payment data.
- Resend — US-based transactional email provider. Email content (SOA, billing alerts) may transit US infrastructure.
For EU/EEA users: transfers are governed by Standard Contractual Clauses (SCCs) under GDPR Article 46(2)(c). For Singapore users: transfers comply with the PDPC's Transfer Limitation Obligation. For Thailand users: transfers comply with PDPC Thailand cross-border transfer requirements under Section 28. For Malaysia users: transfers comply with the PDPA 2010 (as amended 2024) cross-border transfer restrictions — we transfer data only to countries with adequate protection or under equivalent contractual safeguards as prescribed by the Minister.
8. Data storage and security
Your data is stored in Supabase (PostgreSQL) with row-level security (RLS) enforced at the database layer — no user or HOA can access another community's data even if the application layer fails. Every HOA's records are isolated by architecture, not just policy.
- Encryption at rest (AES-256) and in transit (TLS 1.3)
- Supabase is SOC 2 Type II certified
- Hash-chained audit trail — every privileged action is permanently recorded and tamper-evident
- Multi-tenant RLS enforced — 0 open CVEs (17 closed in independent security audit)
- Data retained while your account is active, or as required by Philippine law (BIR: 5 years for financial records)
9. Data breach notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant authority and affected users per the applicable framework:
- RA 10173 / NPC (Philippines): Notify the National Privacy Commission within 72 hours of becoming aware of the breach, and notify affected users without undue delay.
- GDPR (EU/EEA): Notify the relevant supervisory authority within 72 hours and notify affected EU users without undue delay where the breach is likely to result in high risk.
- Singapore PDPA: Notify the PDPC within 3 business days of assessing that the breach is notifiable, and notify affected users as required.
- Thailand PDPA: Notify the PDPC Thailand within 72 hours of becoming aware of the breach.
- Malaysia PDPA (2024 Amendment): Notify the Personal Data Protection Commissioner (JPDP) within 72 hours of becoming aware of a notifiable breach, and notify affected Malaysian users without undue delay.
Breach notifications to users will be sent to your registered email address and displayed as an in-app notice.
10. Data sharing and third-party processors
We act as Data Controller / Personal Information Controller. The following act as our data processors (they process data only on our instructions):
- Supabase — database, authentication, and storage (Singapore)
- Vercel — hosting, edge delivery, and anonymized analytics (US/Global)
- Anthropic (Claude) — AI model powering Niti AI responses (US)
- PayMongo — payment processing, BSP-regulated (Philippines)
- Resend — transactional email delivery (US)
- Semaphore — SMS notifications (Philippines)
- OpenAI (Whisper) — meeting audio transcription (US). Audio is processed and discarded; transcripts are stored in your community account only.
We do not sell personal data. We do not share resident financial records, election ballots, or grievance submissions with any third party for their own purposes. We share data with your community administrators only as necessary for HOA management functions.
We may disclose information when required by Philippine law, legal process, DHSUD, BIR, or other government authority, or to protect the rights, safety, or property of TAVARA HOLDINGS OPC, our users, or the public.
11. Your rights
Regardless of your location, you have the following rights. We will respond within 30 days (or sooner for urgent requests):
- Access — request a copy of the personal data we hold about you.
- Correction / Rectification — ask us to correct inaccurate data through your account settings or by contacting us.
- Erasure / Right to be forgotten — request deletion of your account and all associated data. We will complete this within 30 days, except where retention is required by Philippine law (BIR: 5 years for financial records).
- Portability — receive your data in a structured, machine-readable format (JSON/CSV).
- Object — opt out of processing based on legitimate interest, including analytics communications.
- Restrict processing (GDPR / Thailand PDPA) — ask us to limit how we process your data while a dispute is resolved.
- Withdraw consent — withdraw consent for any processing based on consent at any time, without affecting the lawfulness of prior processing.
- Not be subject to solely automated decisions (GDPR Art. 22 / Thailand PDPA) — KOMUNITI's AI features (Niti, HOA Health Score) provide recommendations and analysis, but no decision with significant legal or similar effect on a resident is made purely by algorithm without board oversight.
To exercise any right, email privacy@komuniti.cloud or use the Data Subject Rights portal at komuniti.cloud/compliance/dsrs.
Supervisory authority contacts:
- Philippines: National Privacy Commission (NPC)
- EU/EEA: Your local data protection authority (edpb.europa.eu)
- Singapore: Personal Data Protection Commission (PDPC)
- Thailand: Office of the PDPC Thailand
- Malaysia: Department of Personal Data Protection (JPDP)
For Malaysian users: under the Malaysia PDPA, you have explicit rights to access and correct your personal data. While erasure and portability are not enumerated rights under Malaysia PDPA 2010, we extend these rights to all users globally as our baseline standard.
12. Cookies and analytics
- Session cookies — strictly necessary for authentication and platform function. No consent required.
- Vercel Analytics — anonymized, aggregated page view data. No cross-site tracking. No personal identifiers in reports.
- BLUEWHALE RUM — Core Web Vitals and error monitoring. Operated by TAVARA HOLDINGS internally. No third-party tracking.
We do not use advertising cookies, third-party behavioral trackers, or cross-site profiling. We do not use your data for retargeted advertising on any platform.
13. Data retention
- Account and profile data — retained while your account is active. Deleted within 30 days of account deletion request.
- Financial records (dues, payments, ledger) — retained for 5 years under BIR regulations (even after account deletion), then anonymized or deleted.
- Governance records (minutes, resolutions, elections) — retained for the life of the HOA subscription. Board may export records at any time before deletion.
- Meeting audio transcriptions — audio files are discarded immediately after transcription. Text transcripts retained in your community account until deleted by the board.
- Visitor and gate pass records — retained for 90 days for security purposes, then auto-purged.
- Payment records — retained for 5 years under BIR regulations.
- Anonymized usage analytics — retained indefinitely. Cannot be linked back to any individual.
14. Children
KOMUNITI is not intended for use by individuals under the age of 13 (or under 16 for EU users under GDPR). The platform is designed for HOA board members and adult community residents. We do not knowingly collect personal data from children. If you believe a minor has created an account, contact privacy@komuniti.cloud and we will delete the account immediately.
15. Changes to this policy
If we make material changes, we will notify you by email and in-app notice at least 14 days before the change takes effect. Continued use after that date constitutes acceptance. For changes that materially affect how we process sensitive financial or governance data, we will request fresh explicit consent where required by applicable law.
16. Contact us
For questions, concerns, or data subject requests:
Email: privacy@komuniti.cloud
Data Subject Rights portal: komuniti.cloud/compliance/dsrs
TAVARA HOLDINGS OPC / SOLOMON TEKNIKA
Metro Manila, Philippines
SEC Reg. No. 2026050252208-01