Legal

Privacy Policy

Effective March 1, 2026 · Last updated February 27, 2026

1. Introduction

FlowState IT Consultancy ("Company", "we", "us") operates the MachineWallet platform at machinewallet.ai. This Privacy Policy explains how we collect, use, store, share, and protect your personal information in compliance with the Data Privacy Act of 2012 (Republic Act No. 10173) and its Implementing Rules and Regulations.

2. Data Privacy Officer

For privacy concerns or data subject requests:

FlowState IT Consultancy
7635 Guijo Street, Makati City, Philippines
privacy@machinewallet.ai

3. Information We Collect

Information You Provide

Data TypePurpose
Account info (name, email, mobile)Account creation and authentication
Business info (name, SEC/DTI reg, TIN)Merchant verification and KYC
Identity documents (government ID, selfie)KYC/AML compliance per BSP regulations
Financial info (bank accounts, e-wallets)Processing disbursements and collections
Transaction data (amounts, recipients, timestamps)Transaction processing and record-keeping

Information Collected Automatically

Data TypePurpose
Device info (IP, browser, OS)Security and fraud prevention
Usage data (pages visited, API calls)Platform improvement
Session cookies and auth tokensSession management

Information from Third Parties

We receive transaction status and settlement data from our Payment Partners (StarPay, InstaPay network), and authentication data from Firebase (Google).

4. Legal Basis for Processing

Under Section 12 of the Data Privacy Act, we process your data based on:

  • Consent — provided when you create an account
  • Contractual necessity — to perform our obligations under the Terms of Service
  • Legal obligation — compliance with RA 9160 (AML), BSP regulations, and BIR tax requirements
  • Legitimate interest — fraud prevention, platform security, and service improvement

5. How We Use Your Information

Core Services

  • • Processing payments
  • • Managing wallets and accounts
  • • Executing API requests
  • • Generating QR codes

Compliance & Security

  • • Identity verification (KYC)
  • • Suspicious activity monitoring
  • • Fraud prevention
  • • Audit trails

6. How We Share Your Information

We do not sell your personal data.

Payment Partners. Transaction details shared with StarPay and InstaPay network participants as necessary to process payments.

Regulatory Authorities. We may disclose data to the AMLC, BSP, BIR, NPC, or law enforcement pursuant to lawful requests or legal obligations.

Service Providers. Google Cloud Platform (hosting, asia-southeast1 Singapore), Firebase (authentication), and Cloudflare (CDN/security). All bound by data processing agreements.

7. Data Storage and Security

Your data is stored on Google Cloud Platform in the asia-southeast1 (Singapore) region with the following protections:

🔒
TLS 1.2+ encryption
🗄️
Encrypted at rest
🔑
Hashed API keys
Webhook verification
👥
Role-based access
🔍
Security audits

8. Data Retention

Data TypeRetentionBasis
Account infoAccount life + 5 yearsRA 9160
Transaction records5 yearsRA 9160, BSP, BIR
KYC documents5 years after closureRA 9160
Server logs1 yearLegitimate interest
Session dataSession or 30 daysContractual necessity

9. Your Rights

Under the Data Privacy Act of 2012, you have the following rights:

Right to Be Informed (Section 16(a))

Know how your data is collected and processed.

Right to Access (Section 16(c))

Request access to your personal data and how it's been processed.

Right to Correction (Section 16(d))

Request correction of inaccurate or outdated data.

Right to Erasure or Blocking (Section 16(e))

Request deletion or blocking when data is no longer necessary or was unlawfully obtained.

Right to Data Portability (Section 16(f))

Request your data in a structured, machine-readable format.

Right to Object (Section 16(c))

Object to processing, including for direct marketing.

Right to Damages (Section 16(f))

Claim compensation for damages from unauthorized use of your data.

Right to File a Complaint (Section 16(g))

Lodge a complaint with the National Privacy Commission.

How to exercise your rights

Email privacy@machinewallet.ai. We respond within 15 days, extendable by 15 days for complex cases (NPC Circular 2016-01).

National Privacy Commission

3rd Floor, PICC, CCP Complex, Roxas Blvd, Pasay City 1307
privacy.gov.ph · complaints@privacy.gov.ph

10. Cookies

We use essential cookies only — for session management, CSRF protection, and security tokens. These are strictly necessary for the Platform to function. We do not use tracking or advertising cookies.

11. Children's Privacy

The Platform is not directed to individuals under 18. We do not knowingly collect data from minors.

12. Cross-Border Data Transfers

Your data may be processed in Singapore (Google Cloud) and the United States (Firebase, Cloudflare). These transfers comply with NPC Circular 2016-02, relying on adequate protection standards, contractual safeguards, and your consent.

13. Data Breach Notification

In the event of a breach likely to affect your rights, we will notify the NPC and affected individuals within 72 hours of discovery, per NPC Circular 2016-03.

14. Changes to This Policy

Material changes will be communicated via email or Platform notification at least 15 days before taking effect. Continued use constitutes acceptance.

Contact

FlowState IT Consultancy · Data Privacy Officer
7635 Guijo Street, Makati City, Philippines
privacy@machinewallet.ai