Privacy Policy
Pepe Lab Co. — How we collect, use, and protect your information
This Privacy Policy explains how Pepe Lab Co. ("we," "us," "our") collects, uses, discloses, and protects personal information in compliance with Republic Act No. 10173 (the "Data Privacy Act of 2012") and its Implementing Rules and Regulations issued by the National Privacy Commission (NPC) of the Philippines.
Who We Are
| Entity | Pepe Lab Co. |
|---|---|
| Type | Sole Proprietorship (DTI Certificate of Business Name Registration No. 7550289) |
| Business Address | Sual, Pangasinan, Philippines |
| Website | pepelab.co |
| Contact Email | connect@pepelab.co |
| Data Protection Officer | Reachable at connect@pepelab.co |
Pepe Lab Co. acts as a Personal Information Controller (PIC) for the data described in this Policy, except where we act as a Personal Information Processor (PIP) on behalf of our school customers — see Section 15 below.
Data Privacy Act
Pepe Lab Co. processes personal information in accordance with the Data Privacy Act of 2012 (Republic Act No. 10173), its Implementing Rules and Regulations, and the issuances of the National Privacy Commission, which together govern how personal data is collected, used, stored, and protected under this Policy.
Scope of This Policy
This Policy is a general framework that applies to all personal information processed by Pepe Lab Co., across all current and future activities, products, and services. Specifically, this Policy covers data processed in the course of:
- Sales and marketing outreach — when we contact schools and educational institutions about Pepe Lab Co. products and services.
- Customer relationships — when schools subscribe to, pilot, or otherwise engage with any Pepe Lab Co. product or service.
- Website operation — when visitors browse pepelab.co, its subdomains or any other digital property we operate.
- Lead form and inquiry submissions — when individuals submit inquiries through Facebook Ads, contact forms, demo requests, or any other intake channel.
- IDentify product operation — when Pepe Lab Co. provides, administers, supports, or maintains the IDentify product suite (Scanner, Dispatcher, Syncbase, Screen, Advanced, AI, ParentBot, StaffBot, API) on behalf of contracting schools. This includes data we may access, view, or process about students, parents, teachers, staff, and other related school documents and records.
- Future products and services — any new product, service, module, integration, software-as-a-service offering, hardware product, AI/automation feature, mobile or web application, or other commercial offering that Pepe Lab Co. may design, develop, launch, distribute, support, or operate in the future, whether under the IDentify brand or under any other brand or product line. This Policy applies to such future offerings from the date of their launch unless we publish a separate, product-specific privacy notice that expressly supersedes this Policy for that specific offering.
Where a future product introduces materially new data categories, processing purposes, or recipient categories not adequately described in this Policy, we will update this Policy and notify affected data subjects in accordance with Section 16.
About our role for IDentify and product data: For sales, marketing, website, and lead-form data, Pepe Lab Co. acts as the Personal Information Controller (PIC) and determines how that data is processed. For data inside the IDentify products and any future Pepe Lab Co. product operated on behalf of a customer organization, Pepe Lab Co. acts as the Personal Information Processor (PIP) on behalf of the contracting customer, which remains the PIC for that data. The specific rules governing such product data — including security, retention, sub-processors, and data subject request handling — are detailed in the Data Processing Agreement (DPA) executed between Pepe Lab Co. and each contracting customer. Section 15 provides further detail.
What Personal Information We Collect
4.1 Sales prospects
If we contacted you as a school principal, administrator, registrar, or other school staff member, we may process the following categories of personal and professional information:
- Your full name and professional title
- Your school-affiliated email address (e.g., principal@school.edu.ph) and any alternative email addresses publicly listed
- Your direct or school-published landline number, mobile number, and other contact numbers
- Your school name, business address, and physical location
- Your school's website URL, Facebook Page, and other publicly published online presence
- Publicly available role information (e.g., from school websites, DepEd listings, or official directories)
- Outreach interaction data (whether the email was opened, replied to, bounced, or unsubscribed; timestamps; message identifiers)
4.2 Customers and pilot participants
If your school enters into a contract or pilot with Pepe Lab Co., we additionally process:
- Signatory information — full name, title, signature — on contracts and agreements
- Billing and tax information — school legal name, TIN, business address, billing contact
- Authorized contact persons for technical, administrative, and billing matters, including their names, titles, email addresses, mobile numbers, landline numbers, and physical office locations
- School organizational information — website URL, Facebook Page, registered business address, school logo, and other identifying details required to operate the contracted service
- Correspondence and support history (emails, chat logs, ticket records) related to the contracted service
4.3 Website visitors and lead form respondents
If you visit pepelab.co or submit a lead form (e.g., through Facebook Ads), we may process:
- Information you voluntarily provide, including: full name, email address, mobile number, landline number, school name, role or position, city, province, and any additional message or inquiry content
- Your social media profile name and identifier when you submit a Facebook Ads lead form
- Technical data — IP address, browser type and version, device type, operating system, referring URL, page paths visited, and timestamps — used for analytics, security, and abuse prevention
Cookies and similar technologies
Our website may use the following categories of cookies and similar technologies:
| Category | Purpose | Duration |
|---|---|---|
| Strictly Necessary | Required for the website to function (session state, security tokens, load-balancing). Cannot be disabled. | Session or up to 24 hours |
| Analytics / Performance | Aggregate usage measurement to help us improve the site. Anonymized where possible. | Up to 13 months |
| Functional | Remember your preferences (e.g., language). Optional. | Up to 12 months |
We do not use advertising cookies or third-party tracking pixels for retargeting on pepelab.co. Where required by law, we will display a cookie consent banner and respect your choices. You may also disable cookies through your browser settings — note that this may affect site functionality.
4.4 What we do NOT collect
We do not collect or process:
- Sensitive personal information as defined by Section 3(l) of the Data Privacy Act (race, ethnicity, marital status, age, religious or political affiliations, health information, etc.) unless you voluntarily provide it or it is required for a legitimate, lawful purpose within the IDentify products as authorized by the contracting school
- Government-issued identification numbers from sales prospects
- Personal financial information (credit cards, bank account numbers) — payments are handled by separate providers
4.5 Information processed inside IDentify products (on behalf of schools)
When a school subscribes to IDentify, Pepe Lab Co. may access, view, or process the following categories of data on behalf of and on the instruction of that school:
- Student records — full name, photo/image, date of birth, gender, grade level, section, RFID tag identifier, student ID number, attendance logs (tap-in / tap-out timestamps), home address (where required for emergency contact), and other identifiers needed to administer attendance and notifications
- Parent / guardian contact data — full name, relationship to student, mobile number, landline number, email address, Telegram ID (where opted in), home address, and any alternate contact information
- Employee records — full name, photo/image, date of birth (where required), employee ID, RFID tag identifier, role and department, email address, mobile number, landline number, home or office address, attendance logs, and any digital signatures or credentials issued for system use
- Related school documents and records — enrollment files, class lists, schedules, payroll references (where applicable to attendance), official school correspondence, school website URL, social media references, organizational charts, and any other documents the school provides for the system to operate
- System telemetry and audit data — login activity (user, timestamp, IP), scan device IDs, error logs, audit trails of administrative actions, and notification delivery receipts generated by the IDentify products
This list describes the general categories of data we may process. The specific fields, formats, and use cases are configured by the contracting school and may vary across deployments. Future versions of IDentify and any new Pepe Lab Co. products may introduce additional data categories; we will update this Policy to reflect any material changes.
Pepe Lab Co. processes this data only for the purposes specified by the contracting school under the Data Processing Agreement. We do not use product data for our own marketing, profiling, AI model training, or any purpose other than providing and improving the contracted service. See Section 15.
4.6 Automated processing, decision-making, and AI features
Pepe Lab Co. uses automated processing in the following ways. Where automated decisions may produce effects concerning data subjects, you have the right under Section 16(d) of the Data Privacy Act to be informed about the logic involved and to object.
- Attendance notifications (IDentify Scanner / Dispatcher). When a student or employee taps their RFID card, the system automatically determines the recipient (e.g., the registered parent) and dispatches a notification via SMS or Telegram. No human reviews each individual notification.
- Attendance pattern analysis (IDentify AI). Our AI engine may analyze attendance logs to detect patterns (e.g., chronic absenteeism, late arrivals) and surface insights to school staff. The AI does not make consequential decisions about individuals — it produces information that school staff review and act upon.
- Marketing eligibility filtering (sales outreach). Our outreach automation determines which schools receive emails based on filters such as status, prior contact dates, and opt-out flags. No personalized profiling is performed; the system applies rule-based filters only.
- Email engagement tracking. Outbound emails include open-tracking and click-tracking technologies to measure delivery and engagement. See Section 11 for how to opt out.
- Security automation. Intrusion detection, rate-limiting, and automated blocking systems block suspicious requests to protect our infrastructure.
We do not use any AI system, large language model, or third-party AI service to process personal information in a way that produces legally significant or similarly consequential effects on data subjects without human review. We do not use customer school data, parent data, student data, or recipient data to train any AI model, foundation model, or external machine-learning service.
How We Collect This Information
5.1 From publicly available sources
For sales outreach, we collect contact information from sources that are publicly accessible, including:
- School official websites and contact pages
- DepEd public school directory listings
- Google Places business listings
- Public Facebook Pages of educational institutions
- Publicly listed phone directories
5.2 Directly from you
We collect information you voluntarily provide when you:
- Reply to our outreach email
- Submit a Facebook Ads lead form
- Contact us at any of our published email addresses
- Sign a contract or service agreement with us
5.3 Through our products in operation
If your school uses IDentify, we may process technical telemetry (uptime, error logs, scan counts) needed to provide and improve the service. Student/parent data inside IDentify is governed separately by the DPA with the contracting school.
5.4 Through automated means
Our outbound email service tracks delivery, opens, clicks, bounces, and unsubscribes to maintain sender reputation and to honor opt-out requests. We do not use this data for profiling.
Why We Process Your Information and Our Lawful Basis
| Purpose | Lawful Basis (RA 10173) |
|---|---|
| Contacting schools and educational professionals about IDentify products and services | Legitimate interest — Section 12(f). Our interest in marketing a relevant B2B service to publicly listed professionals does not override your rights. |
| Responding to inquiries you initiate | Consent and/or legitimate interest — Section 12(a) and 12(f) |
| Providing contracted services to customer schools | Performance of contract — Section 12(b) |
| Issuing invoices and complying with BIR record-keeping | Legal obligation — Section 12(c) |
| Securing our systems, detecting fraud, defending legal claims | Legitimate interest — Section 12(f) |
About "legitimate interest": We have conducted an internal Legitimate Interest Assessment (LIA) which evaluates (a) whether our interest is legitimate, (b) whether processing is necessary to achieve it, and (c) whether your rights and freedoms override that interest. The LIA is available to the National Privacy Commission upon lawful request.
Data minimization commitment
In accordance with Section 11 of the Data Privacy Act, Pepe Lab Co. commits to processing only the personal information that is adequate, relevant, and limited to what is necessary for the stated purposes. We periodically review our data inventory to identify and delete information that is no longer needed.
Who We Share Your Information With
We do not sell, rent, or trade your personal information. We disclose information only to the following categories of recipients:
7.1 Service providers acting as Personal Information Processors
| Provider | Purpose | Location |
|---|---|---|
| Google LLC | Business email (Google Workspace), document storage, spreadsheet hosting | USA / EU |
| n8n (self-hosted) | Workflow automation for outreach and unsubscribe handling | DigitalOcean SGP1, Singapore |
| DigitalOcean LLC | Cloud server hosting | Singapore (SGP1 region) |
| Cloudflare, Inc. | DNS, DDoS protection, content delivery | Global edge network |
| Resend, Inc. | Transactional and outbound email delivery | USA |
| Telegram FZ-LLC | Internal operational alerts (no recipient PII transmitted) | UAE / global |
| Semaphore (Kapibara Inc.) | SMS delivery for IDentify product (when used) | Philippines |
| Anthropic PBC | AI assistance for internal operations (no recipient PII transmitted to training) | USA |
7.2 Legal authorities
We may disclose information when required by Philippine law, court order, or lawful request from the NPC, BIR, or law enforcement agencies.
7.3 Business successors
In the event of a merger, acquisition, or asset sale, personal information may be transferred to the successor entity, subject to equivalent privacy protections.
7.4 Sub-processor changes
We may add, remove, or replace sub-processors over time. For sub-processors that touch data processed under a DPA with a contracting school, we will:
- Notify the contracting school in writing at least 30 days before engaging a new sub-processor that will process their data
- Provide the school with a reasonable opportunity to object on legitimate data protection grounds
- Maintain an up-to-date sub-processor list available to the school upon request
Cross-Border Data Transfers
Some of our service providers (Google, Cloudflare, Resend, Anthropic) are located outside the Philippines. Where we transfer personal information across borders, we ensure that the recipient provides adequate protection through contractual safeguards (Standard Contractual Clauses or equivalent), in compliance with Section 21 of the Data Privacy Act and NPC Circular 16-02.
How Long We Keep Your Information
| Category | Retention Period |
|---|---|
| Sales prospects who do not reply or unsubscribe | 24 months from last contact, then deleted |
| Unsubscribed contacts | Email address retained in a suppression list to honor your opt-out; all other data deleted |
| Customer records | Duration of contract + 5 years post-termination |
| Invoices and financial records | 10 years (BIR / NIRC requirement) |
| System and security logs | 90 days |
| Backup archives | 30 days (immutable), then automatically purged |
Your Rights Under the Data Privacy Act
Section 16 of RA 10173 grants you the following rights with respect to your personal information:
- Right to be informed — about how your data is collected and used (this Policy fulfills this right).
- Right to object — to processing of your data, including for direct marketing purposes.
- Right to access — to request a copy of the personal data we hold about you.
- Right to rectification — to correct inaccurate or outdated information.
- Right to erasure or blocking — to request deletion of your data, subject to retention exceptions (e.g., tax records).
- Right to damages — to be indemnified for damages sustained due to inaccurate, false, unlawfully obtained, or unauthorized use of your data.
- Right to data portability — to obtain your data in a structured, commonly used electronic format.
- Right to file a complaint — with the National Privacy Commission. See Section 18 below.
How to Exercise Your Rights
11.1 Right to opt out of direct marketing
Under Section 16(b) of the Data Privacy Act, you have the right to object to the processing of your personal information for direct marketing purposes at any time, free of charge, and without giving any reason. You may opt out through any of these channels:
- One-click unsubscribe link. Every outreach email contains a one-click unsubscribe link in the footer.
- Reply to the email. Reply with "Unsubscribe" in subject or body — processed within one business day.
- Email us directly. Send to connect@pepelab.co with the email address you wish to remove.
Once you opt out, your email address is retained on a suppression list solely for the purpose of honoring your opt-out and is not used for any other processing.
11.2 Email engagement tracking and how to limit it
Our outbound emails include open-tracking (transparent pixel images) and click-tracking (wrapped URLs). We use this data to measure deliverability and engagement. We do not use this data to build behavioral profiles or target advertising.
11.3 Exercising your other rights
To exercise any of the other rights listed in Section 10, send a request to connect@pepelab.co with your full name, email address(es) we may have contacted you at, the specific right you wish to exercise, and any supporting context.
11.4 Identity verification
To protect your information from unauthorized disclosure, we may take reasonable steps to verify your identity before fulfilling certain requests, such as confirming the request was sent from an email address we hold on file or asking you to confirm specific details we already have.
11.5 Response timeline and refusals
We will respond to verified requests within 15 calendar days of receipt, as required by NPC standards. We may decline a request if we cannot verify your identity, the request is manifestly unfounded or excessive, or compliance would violate another legal obligation.
Security Measures
We implement organizational, physical, and technical safeguards proportionate to the nature of the data we process, including:
- Access control — Two-factor authentication on all administrative accounts; credentials stored in an encrypted password manager.
- Network security — Private cloud networking; firewalls; encrypted private-network access (VPN); hardened, key-based server authentication.
- Encryption — Industry-standard encryption (TLS 1.2 or higher) for all data in transit; data at rest encrypted at the infrastructure provider level.
- Backups — Daily offsite backups with a 30-day immutability lock to protect against ransomware.
- Intrusion detection — Automated intrusion prevention on edge servers; file integrity monitoring for critical system files.
- Alerting — An automated alert system notifies the Data Protection Officer of authentication failures, configuration changes, and unusual activity.
- Least privilege — Database access scoped to specific schemas; no shared production credentials.
Data Breach Notification
In accordance with NPC Circular 16-03, if we become aware of a personal data breach that is likely to give rise to a real risk of serious harm to affected data subjects, we will notify the NPC within 72 hours of awareness, notify affected data subjects without unreasonable delay, and cooperate fully with any NPC investigation.
Children's Privacy
We do not knowingly collect personal information directly from individuals under 18 years of age through this website or our outreach activities. Our outreach is directed exclusively at adult school administrators and professional staff.
Personal data of students (including minors) is collected by the contracting school and processed inside the IDentify products by Pepe Lab Co. acting as a Personal Information Processor on the school's instruction. Parental notification, consent collection, and lawful basis for processing student data are the responsibility of the contracting school.
IDentify Product Processor Note
When a school subscribes to IDentify, Pepe Lab Co. acts as a Personal Information Processor (PIP) for the student, parent, employee, and related school data described in Section 4.5. The contracting school remains the Personal Information Controller (PIC) for that data.
Pre-DPA prohibition. Pepe Lab Co. does NOT access, view, store, process, or otherwise handle any school's student, parent, employee, or operational data until a signed Data Processing Agreement (DPA) is in effect between Pepe Lab Co. and the contracting school. Pilot deployments, demonstrations, and product evaluations are conducted using anonymized or synthetic data only.
As Personal Information Processor, Pepe Lab Co.:
- Processes product data only on the documented instructions of the contracting school
- Applies the security measures described in Section 12 to product data
- Does not use product data for marketing, profiling, AI model training, or any purpose beyond providing the contracted service
- Assists the school in responding to data subject rights requests from students, parents, and employees
- Notifies the school promptly of any data breach affecting product data
- Engages sub-processors only under contractual data-protection obligations equivalent to those in the school's DPA
- Returns or deletes product data at the end of the contracted service
Updates to This Policy
We may update this Privacy Policy from time to time. The "Effective Date" and "Version" at the top indicate when the Policy was last revised. For significant changes, we will provide reasonable advance notice through our website or, where appropriate, direct communication.
Waiver
- No Implied Waiver. No failure or delay by Pepe Lab Co. in exercising any right, power, or remedy under this Agreement, or regarding the Privacy Policy of the RFID-Based School Attendance and Parent Notification System ("IDentify"), shall operate as a waiver of that right, power, or remedy. Furthermore, no single or partial exercise of any right, power, or remedy by Pepe Lab Co. shall preclude any other or further exercise thereof or the exercise of any other right, power, or remedy.
- Requirements for a Valid Waiver. No waiver of any breach, term, provision, or condition of this Agreement shall be deemed effective unless it is made explicitly in writing and signed by an authorized representative of Pepe Lab Co.
- No Continuing Waiver. Any waiver by Pepe Lab Co. of a specific breach or default by the User under this Agreement shall not constitute, nor be construed as, a continuous waiver of subsequent breaches, similar defaults, or any other provision herein.
- Cumulative Remedies. The rights and remedies provided to Pepe Lab Co. under this Agreement and the "IDentify" Privacy Policy are cumulative and are not exclusive of any rights or remedies provided by law, equity, or any other applicable regulations.
Filing a Complaint with the National Privacy Commission
| Office | National Privacy Commission |
|---|---|
| Address | 5th Floor, Philippine International Convention Center (PICC), Vicente Sotto St., Pasay City 1300 |
| Email | complaints@privacy.gov.ph |
| Website | www.privacy.gov.ph |
We respectfully request that you contact us at connect@pepelab.co first so that we may have the opportunity to address your concern directly.
Contact Us
| Contact Email | connect@pepelab.co |
|---|---|
| Business Address | Pepe Lab Co., Sual, Pangasinan, Philippines |
| Website | pepelab.co |
| Data Protection Officer | Reachable at connect@pepelab.co |