Privacy Policy

Account: name, email, phone number, university, role (student/host/admin), avatar, password hash (we never see your plaintext password). Host KYC: government ID and proof of authority, stored in a private bucket. Transactions: reservations, lease terms, payment references, refund records. Browsing: presence (active-now counts), favorites, listing views (aggregated). Communications: messages and dispute submissions.

To create and manage your account, verify identity, match students with hosts, process reservations and refunds, generate legally enforceable leases, resolve disputes, prevent fraud, comply with Philippine law (BIR, NPC, KYC), and improve the platform.

We process personal data based on contract performance (your reservation/listing agreement), legal obligation (KYC, tax, NPC compliance), legitimate interest (fraud prevention, service improvement), and your consent where required (e.g., marketing email, which you can withdraw at any time).

With Hosts: after a reservation, a Student’s name and contact information (email, phone) are revealed to the Host so they can coordinate move-in. With Students: a Host’s public business name and KYC-verified status. Service providers: Supabase (hosting/storage), Vercel (hosting), GCash/Xendit (payments) — under data processing agreements. Authorities: when required by law, court order, or NPC directive.

KYC documents: kept while you operate as a Host and for 5 years after KYC revocation (AML/fraud-prevention basis). Transaction and lease records: 10 years (BIR record-keeping). Reviews: retained as long as the listing exists; anonymized after account deletion. Browsing/presence data is aggregated and not personally identifiable.

Data is stored in Supabase (primary region: Asia Pacific). KYC documents are stored in a private bucket and only released to admins via short-lived signed URLs. Passwords are stored as hashes; sessions use httpOnly cookies. We use TLS in transit and standard administrative, technical, and physical safeguards.

You have the right to be informed, to access your data, to correct inaccuracies, to object to processing, to erase or block data, to data portability, to file a complaint with the NPC, and to be indemnified for damages. To exercise any of these rights, email dpo@unidorms.ph.

We use functional cookies (authentication session, favorites) and minimal analytics. We do not use third-party advertising cookies.

unidorms.ph is not directed at children under 18. If you become aware that a minor has provided personal data without parental consent, please notify our DPO.

Some service providers (e.g., Vercel) may process data outside the Philippines. We rely on contractual safeguards and your consent where required.

We may update this Privacy Policy. Material changes will be announced in-app or by email.

dpo@unidorms.ph · NPC complaints: privacy.gov.ph.