Privacy Policy

Effective 31 May 2026. This policy explains what personal information BayaniCRM collects, how we use it, who we share it with, and the rights you have under the Philippine Data Privacy Act of 2012 (Republic Act No. 10173).

1. Who we are

BayaniCRM is a software-as-a-service product that provides CRM and accounting tools to businesses operating in the Philippines. Under RA 10173 we are a Personal Information Controller for the personal data you submit to your account, and a Personal Information Processor for the personal data your business stores about its own customers, contacts, suppliers, and employees.

You can reach us at hello@bayanicrm.com. Our Data Protection Officer can be reached directly at privacy@bayanicrm.com.

2. What personal information we collect

We collect three kinds of personal information:

  • Account data — when you sign up: your name, email address, organisation name, and the password you choose (stored as a salted hash, never in plain text). If you enable two-factor authentication, we also store a TOTP secret and hashed backup codes.
  • Business data you enter — contacts, accounts, deals, activities, products, invoices, quotes, bills, payments, expenses, journal entries, and any notes you add to them. This is your data; we host it on your behalf.
  • Technical data — IP address, log-in timestamps, and (when error monitoring is enabled) error reports including browser/OS metadata. We use this to keep the service secure and to debug problems. We do not track page-by-page browsing within the app, run advertising analytics, or fingerprint your device.

We do not collect government-issued identifier numbers (Philippine ID, SSS, PhilHealth, Pag-IBIG), biometric data, health data, or other categories of sensitive personal information as defined by RA 10173. If you enter a Tax Identification Number (TIN) for a contact or your own organisation, we treat it as ordinary personal information used for invoicing purposes.

3. Why we collect it (legal basis)

Under RA 10173, we process your personal information on the following bases:

  • Contract — to provide the service you signed up for (creating your account, hosting your data, generating invoices, sending the emails you trigger).
  • Legitimate interest — to keep the service secure, debug errors, prevent abuse, and protect against unauthorised access.
  • Consent — for optional features like marketing emails or analytics tracking that goes beyond what is strictly necessary to run the service.
  • Legal obligation — to comply with BIR requirements, NPC orders, court subpoenas, or other Philippine law.

4. Who we share it with

We never sell your personal information. We share it only with third-party service providers we use to run the platform, and only the minimum necessary for them to do their job:

  • Hosting — Railway (United States) hosts our application servers and PostgreSQL database. Your data is encrypted in transit and at rest.
  • Email delivery — Resend (United States) sends transactional emails on our behalf (account verification, password reset, invoice delivery, invitations).
  • Error monitoring — GlitchTip / Sentry collects anonymised error reports to help us fix bugs. We do not send your business data (contacts, invoices, etc.) to error monitoring.
  • Payments (future) — when paid plans launch we will use a Philippine-licensed payment processor. We will update this policy and notify you before that happens.

We may also disclose personal information when required by Philippine law, a court order, an NPC directive, or to protect the rights, property, or safety of BayaniCRM, our users, or the public.

5. Cross-border data transfer

Because our hosting and email providers are based in the United States, your personal information will be transferred outside the Philippines for processing. We require these providers to maintain a level of protection comparable to RA 10173 through contractual safeguards (data processing agreements, standard contractual clauses, encryption). By using BayaniCRM you consent to this cross-border transfer.

6. How long we keep it

We keep your personal information for as long as your account is active. If you ask us to delete your account, we delete your personal information from our active systems on request — typically within 30 days. Send the request to our DPO at the email below.

Encrypted backups (managed by our hosting provider) are rotated on the provider's standard schedule and may contain your data for a longer period before being overwritten. Once rotated out, that data is no longer recoverable.

Accounting records you generate inside BayaniCRM (invoices, journal entries, etc.) may need to be preserved for up to 10 years under Philippine tax law (BIR rules on record retention). You are responsible for keeping your own copies (for example via CSV export) before requesting deletion. BayaniCRM does not preserve your records on your behalf after account deletion.

7. Your rights under the Data Privacy Act

RA 10173 gives you the following rights over your personal information:

  • Right to be informed — to know what we collect, why, and who we share it with. This policy serves that purpose.
  • Right to access — to ask for a copy of the personal information we hold about you.
  • Right to rectification — to correct inaccurate or out-of-date information. Most of this you can do yourself in Settings → Profile.
  • Right to erasure or blocking — to ask us to delete or block your personal information when there is no legal reason for us to keep it.
  • Right to object — to object to certain types of processing, including direct marketing.
  • Right to data portability — to receive your business data in a structured, machine-readable format. We currently offer CSV export for several collections (contacts, accounts, invoices, the Xero-compatible export) from inside the app; for other collections, email our DPO and we will produce an export within a reasonable timeframe.
  • Right to damages — to be indemnified for damages caused by inaccurate, incomplete, or unlawful use of your personal information.
  • Right to file a complaint — to file a complaint with the National Privacy Commission if you believe your rights have been violated.

To exercise any of these rights, email our DPO at privacy@bayanicrm.com. We respond within 15 working days. You can also file a complaint directly with the National Privacy Commission at privacy.gov.ph.

8. Security

We protect your personal information with industry-standard safeguards:

  • HTTPS / TLS encryption for all data in transit.
  • Database and backup storage encryption provided by our hosting partner.
  • Salted password hashing — passwords are never stored or transmitted in plaintext, and cannot be read even by us.
  • Optional two-factor authentication with TOTP and one-time backup codes. The TOTP secret is encrypted with an application-level key before being stored.
  • Rate limiting and brute-force protection on login.
  • Audit logs that record who changed what, and when, on the records we ship audit hooks for.
  • Role-based access control inside each organisation (admin / manager / viewer).

If a personal data breach affecting your information occurs, we will notify both you and the National Privacy Commission within the timeframes RA 10173 requires (within 72 hours of becoming aware of the breach).

9. Cookies and similar technologies

We use a small set of cookies and local storage, all strictly necessary to run the app:

  • payload-token — your authenticated session cookie. Without it, you can't stay logged in.
  • bayani-crm-color-scheme — local storage entry that remembers your light/dark mode preference.

We do not use third-party advertising cookies, cross-site trackers, or social-media pixel cookies. Error monitoring (when enabled) uses an in-memory session identifier that does not persist as a cookie on your device.

10. Children

BayaniCRM is a business product. It is not directed at children under 18 and we do not knowingly collect personal information from children. If you believe we have, please contact our DPO so we can delete it.

11. Changes to this policy

We may update this policy from time to time. When we make material changes, we will notify you by email and update the effective date at the top of this page. Continued use of the service after a change means you accept the revised policy.

12. Governing law

This policy is governed by the laws of the Republic of the Philippines. Any disputes will be resolved in the courts of competent jurisdiction in the Philippines.

13. Contact

Questions about this policy, requests to exercise your rights, or notice of a possible privacy breach should go to our Data Protection Officer:

Data Protection Officer, BayaniCRM
Email: privacy@bayanicrm.com

For general support unrelated to privacy, write to hello@bayanicrm.com.