DATA PRIVACY POLICY

Version 0 – February 19, 2026

I. Purpose

Ventris OPC ("Company," "we," "us," or "our") is committed to protecting the privacy and personal data of our users, customers, and stakeholders. This Privacy Policy outlines how we collect, use, store, and protect personal data in accordance with the Philippine Data Privacy Act of 2012 (Republic Act No. 10173), its Implementing Rules and Regulations, and relevant issuances of the National Privacy Commission (NPC).

Through this Privacy Policy, we aim to:

Ensure transparency in our data processing activities by informing individuals about how their personal data is collected, used, shared, and retained.
Uphold data subject rights, including the right to access, correct, and object to the processing of their personal data, in compliance with applicable privacy laws.
Establish accountability measures and security safeguards to protect personal data against unauthorized access, disclosure, alteration, or destruction.
Demonstrate our commitment to privacy and data protection as a core component of our operations and compliance program.

II. Scope

This Data Privacy Policy applies to all resources involved in the collection, use, storage, sharing, retention and disposal of personal data within Ventris OPC in the course of its business operations, including freight forwarding services, storage and warehousing, logistics services, business brokerage activities, and wholesale trade.

Specifically, this policy protects the following resources:

Facilities – All company premises where personal data is processed, stored, or accessed, including offices, warehouses, and storage facilities.
Hardware and Software – All IT infrastructure, systems, devices, and applications used to collect, store, transmit, and process personal data, including databases, cloud storage, and communication tools.
Information – All forms of personal data processed by the company, whether electronic, physical, or verbal, covering clients, employees, suppliers, vendors, and other stakeholders.
Personnel – All individuals handling personal data on behalf of the company, including employees, contractors, and third-party service providers.

This policy applies to all company personnel and third parties authorized to access or process personal data. It governs data processing activities conducted within company facilities, through its IT systems, and via third-party services.

This policy is established in compliance with the Philippine Data Privacy Act of 2012 (Republic Act No. 10173), its Implementing Rules and Regulations, and relevant issuances of the National Privacy Commission (NPC).

III. Applicability

This policy applies to all individuals and entities that collect, use, store, or share personal data on behalf of Ventris OPC, including:

Employees
Contractors and Service Providers
Clients and Customers
Suppliers and Vendors
Visitors and Other Stakeholders

All individuals and entities covered under this policy are expected to comply with its provisions to ensure the protection of personal data in accordance with the Philippine Data Privacy Act of 2012 and other applicable regulations.

IV. Roles and Responsibilities

Ventris OPC is committed to ensuring that all personnel, contractors, vendors, and other stakeholders comply with this Privacy Policy. Data protection is a shared responsibility across all levels of the organization.

Data Protection Officer (DPO) and Compliance Officer for Privacy (COP)

Ventris OPC designates a Data Protection Officer (DPO) and, where applicable, a Compliance Officer for Privacy (COP), responsible for overseeing compliance with the Philippine Data Privacy Act of 2012 (Republic Act No. 10173) and related regulations.

The DPO's responsibilities include monitoring compliance, conducting Privacy Impact Assessments, advising on data subject rights and complaints, managing breach notifications, promoting privacy awareness, reviewing privacy policies, coordinating with the NPC, and performing other duties necessary to uphold data protection.

Except for items (a) to (c), a COP shall perform all other functions of a DPO and assist the supervising DPO where appropriate.

Senior Management

Senior Management is responsible for:

Ensuring the organization's privacy program is adequately resourced
Promoting a culture of data protection
Supporting security implementation
Approving privacy policies and procedures

Department Heads and Managers

Responsible for:

Implementing data privacy practices
Ensuring employee training
Reporting risks or breaches
Ensuring departmental compliance

Employees

Employees must:

Handle personal data responsibly
Prevent unauthorized access or misuse
Report privacy concerns immediately
Complete mandatory training
Follow proper processing procedures

Third-Party Vendors and Service Providers

Must:

Comply with contractual data protection obligations
Implement appropriate security measures
Notify the Company of breaches
Ensure subcontractor compliance

Users and Customers

Responsible for:

Providing accurate personal data
Protecting account credentials
Reviewing this Privacy Policy
Exercising rights responsibly

V. Compliance

All covered individuals and entities must comply with this Privacy Policy.

Non-compliance may result in:

Employees: Disciplinary action up to termination
Third Parties: Contract termination or legal action
Users/Customers: Suspension or termination of access
Legal Violations: Regulatory penalties and enforcement actions

Ventris OPC will investigate and mitigate all compliance breaches.

VI. Organizational Responsibilities

As a Personal Information Controller (PIC), Ventris OPC shall:

Comply with the DPA
Designate and register its DPO
Register data processing systems
Conduct Privacy Impact Assessments
Implement organizational, physical, and technical safeguards
Notify the NPC and affected individuals in case of breach
Train personnel
Maintain confidentiality
Use contractual safeguards with third parties

As a Personal Information Processor (PIP), Ventris OPC shall:

Process only upon PIC instructions
Implement security safeguards
Assist PIC in compliance and data subject rights
Not engage another processor without authorization
Inform PIC of unlawful instructions
Conduct PIA and maintain privacy program

VII. Data Subject Rights

Data subjects have the right to:

Be informed
Seek damages
Access personal data
File complaints with the NPC
Object to processing
Rectify inaccurate data
Request erasure or blocking
Exercise data portability

All rights are exercised in accordance with the Philippine Data Privacy Act of 2012.

VIII. Data Use Rules

a. What Information We Collect

Ventris OPC collects personal data through:

Forms (feedback, resume, supplier forms, etc.)
Calls, chats, email, SMS
Social media applications
Online platform bookings
Mobile app registration

Collected data categories include:

Employment-related data
User and Patient data
Merchant and Doctor data
Vendor and partner data

b. Legal Bases for Processing

Processing is based on:

Legal obligation – Necessary to fulfill a legal obligation imposed on the Organization.
Contract performance – Necessary for the execution or fulfillment of a contract with the data subject.
Vital interest – Necessary to safeguard the data subject's essential interests, particularly those related to life and health.
Legitimate interest – Necessary to fulfill the legitimate interests of the PIC or PIP, provided these do not override the data subject's fundamental rights.
Consent – The data subject has given his or her consent.

c. Log Management

Ventris OPC collects log data including:

IP address
Pages accessed
Date and time
Geolocation
Device and browser information

For purposes including security, debugging, compliance, fraud detection, and system health monitoring.

d. Risks

Ventris OPC implements reasonable safeguards but acknowledges risks such as cyberattacks, malware, ransomware, or unauthorized access. While we strive to protect your data, no system is completely secure.

e. Security Measures

Ventris OPC implements:

Organizational safeguards – Policies, DPO appointment, training, access controls, audits, breach notification procedures, and third-party agreements.
Physical safeguards – Secure facilities, locked storage areas, CCTV, visitor control, and secure disposal of physical records.
Technical safeguards – Encryption, firewalls, access controls, antivirus, secure development practices, data masking, monitoring, and incident response procedures.

f. Storage and Retention

Ventris OPC stores data in secure servers and cloud environments.

Retention period: Two (2) years from the last triggering event (e.g., last sign-in or transaction).

After the retention period, data is securely disposed of or anonymized for statistical purposes.

g. Disclosure and Transfer

Ventris OPC may share personal data with authorized third parties within the Philippines under appropriate contractual safeguards, including Data Sharing Agreements, Non-disclosure Agreements, and Outsourcing Agreements.

h. Selling of Personal Data

Ventris OPC may sell data only in aggregated, anonymized form for statistical or research purposes, ensuring no personal identifiers are included prior to sale.

i. Disposal

Secure disposal methods include:

Data wiping using specialized software tools
Overwriting data with random values multiple times
Secure digital deletion upon account opt-out
Industry-standard destruction methods for physical records

IX. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, you may contact:

Data Protection Officer (DPO)

Ventris OPC

Address:
161 Pharmaserv Express,
F Mariano Ave., Dela Paz,
District 2, Pasig City
NCR – Philippines

Email: [email protected]

X. Policy Review and Updates

This Privacy Policy shall be regularly reviewed and updated to ensure its continued relevance, effectiveness, and compliance with applicable laws, regulations, and industry standards, including the Philippine Data Privacy Act of 2012 (R.A. 10173).

The Data Protection Officer (DPO), in coordination with relevant stakeholders, shall conduct a formal review at least once annually or whenever there are significant changes in:

Legal or regulatory requirements governing data privacy and protection
Organizational policies, business processes, or data processing activities
Emerging risks, threats, or security vulnerabilities affecting personal data

Any revisions to this Privacy Policy shall be approved by Management and communicated to all affected stakeholders. The latest version of this policy shall be made available through our Company website, internal portal, or other official communication channels.