DATA PRIVACY POLICY

Last update: March 21, 2025

I. Purpose

PharmaServ Express (“Company,” “we,” “us,” or “our”) is committed to protecting the privacy and personal data of our users, customers, and stakeholders. This Privacy Policy outlines how we collect, use, store, and protect personal data in accordance with the Philippine Data Privacy Act of 2012 (Republic Act No. 10173), its Implementing Rules and Regulations, and relevant issuances of the National Privacy Commission (NPC).

Through this Privacy Policy, we aim to:

• Ensure transparency in our data processing activities by informing individuals about how their personal data is collected, used, shared, and retained.
• Uphold data subject rights, including the right to access, correct, and object to the processing of their personal data, in compliance with applicable privacy laws.
• Establish accountability measures and security safeguards to protect personal data against unauthorized access, disclosure, alteration, or destruction.
• Demonstrate our commitment to privacy and data protection as a core component of our operations and compliance program.

II. Scope

This Data Privacy Policy applies to all resources involved in the collection, use, storage, sharing, retention and disposal of personal data within PharmaServ Express in the course of its business operations, including freight forwarding services, storage and warehousing, logistics services, business brokerage activities, and wholesale trade. Specifically, this policy protects the following resources:

• Facilities – All company premises where personal data is processed, stored, or accessed, including offices, warehouses, and storage facilities.
• Hardware and Software – All IT infrastructure, systems, devices, and applications used to collect, store, transmit, and process personal data, including databases, cloud storage, and communication tools.
• Information – All forms of personal data processed by the company, whether electronic, physical, or verbal, covering clients, employees, suppliers, vendors, and other stakeholders.
• Personnel – All individuals handling personal data on behalf of the company, including employees, contractors, and third-party service providers.

This policy applies to all company personnel and third parties authorized to access or process personal data. It governs data processing activities conducted within company facilities, through its IT systems, and via third-party services.

This policy is established in compliance with the Philippine Data Privacy Act of 2012 (Republic Act No. 10173), its Implementing Rules and Regulations, and relevant issuances of the National Privacy Commission (NPC).

III. Applicability

This policy applies to all individuals and entities that collect, use, store, or share personal data on behalf of PharmaServ Express. Specifically, it applies to:

• Employees – All full-time, part-time or contractual employees who handle personal data as part of their roles and responsibilities.
• Contractors and Service Providers – Third-party entities, including logistics partners, IT service providers, and business consultants, who process personal data under an outsourcing or service agreement with the company.
• Clients and Customers – Individuals and businesses whose personal data is collected and processed in connection with freight forwarding, logistics, storage, brokerage, and wholesale trade transactions.
• Suppliers and Vendors – Business partners and suppliers who provide goods or services and whose personal data is collected as part of procurement and business transactions.
• Visitors and Other Stakeholders – Any individuals who interact with the company and provide personal data through its facilities, websites, or other communication channels.

All individuals and entities covered under this policy are expected to comply with its provisions to ensure the protection of personal data in accordance with the Philippine Data Privacy Act of 2012 and other applicable regulations.

IV. Roles and Responsibilities

PharmaServ Express is committed to ensuring that all personnel, contractors, vendors, and other stakeholders comply with this Privacy Policy. Data protection is a shared responsibility across all levels of the organization, and the following roles have specific responsibilities in safeguarding personal data:

Data Protection Officer (DPO) and Compliance Officer for Privacy (COP)

The Data Protection Officer (DPO) with the support of the Compliance Officer for Privacy (COP) is responsible for overseeing the organization’s compliance with the Philippine Data Privacy Act of 2012 (Republic Act No. 10173) and other applicable data protection regulations. The DPO’s responsibilities include:

a. Monitor the PIC’s or PIP’s compliance with the DPA, its IRR, issuances by the NPC and other applicable laws and policies. For this purpose, he or she may:

1.) collect information to identify the processing operations, activities, measures, projects, programs, or systems of the PIC or PIP, and maintain a record thereof;

2.) analyze and check the compliance of processing activities, including the issuance of security clearances to and compliance by third-party service providers;

3.) inform, advise, and issue recommendations to the PIC or PIP;

4.) ascertain renewal of accreditations or certifications necessary to maintain the required standards in personal data processing; and

5.) advice the PIC or PIP as regards the necessity of executing a Data Sharing Agreement with third parties, and ensure its compliance with the law;

b. Ensure the conduct of Privacy Impact Assessments relative to activities, measures, projects, programs, or systems of the PIC or PIP;

c. Advice the PIC or PIP regarding complaints and/or the exercise by data subjects of their rights (e.g., Requests for information, clarifications, rectification or deletion of personal data);

d. Ensure proper data breach and security incident management by the PIC or PIP, including the latter’s preparation and submission to the NPC of reports and other documentation concerning security incidents or data breaches within the prescribed period;

e. Inform and cultivate awareness on privacy and data protection within the organization of the PIC or PIP, including all relevant laws, rules and regulations and issuances of the NPC;

f. Advocate for the development, review and/or revision of policies, guidelines, projects and/or programs of the PIC or PIP relating to privacy and data protection, by adopting a privacy by design approach;

g. Serve as the contact person of the PIC or PIP vis-à-vis data subjects, the NPC and other authorities in all matters concerning data privacy or security issues or concerns and the PIC or PIP;

h. Cooperate, coordinate and seek advice of the NPC regarding matters concerning data privacy and security; and

i. Perform other duties and tasks that may be assigned by the PIC or PIP that will further the interest of data privacy and security and uphold the rights of the data subjects.

Except for items (a) to (c), a COP shall perform all other functions of a DPO. Where appropriate, he or she shall also assist the supervising DPO in the performance of the latter’s functions.

Senior Management

Senior Management is responsible for integrating data privacy into the organization’s strategic and operational plans. Their responsibilities include:

• Ensuring the organization’s privacy program is adequately resourced.
• Promoting a culture of data protection and privacy awareness.
• Supporting the implementation of security measures to protect personal data.
• Approving privacy policies, guidelines, and procedures.

Department Heads and Managers

Department Heads and Managers play a crucial role in ensuring that their teams comply with data protection policies. Their responsibilities include:

• Implementing data privacy and security practices within their departments.
• Ensuring employees and contractors under their supervision receive adequate training on privacy and data protection.
• Reporting potential privacy risks or breaches to the DPO.
• Ensuring that any data processing activities within their departments comply with privacy policies and regulations.

Employees

All Employees must adhere to this Privacy Policy and are responsible for:

• Handling personal data responsibly and in compliance with company policies.
• Keeping personal data secure and preventing unauthorized access, disclosure, or misuse.
• Reporting any data privacy concerns or potential breaches to the DPO immediately.
• Completing mandatory privacy training and awareness programs.
• Following proper procedures when collecting, storing, or processing personal data.

Third-Party Vendors and Service Providers

Third-party vendors and service providers who process personal data on behalf of PharmaServ Express must:

• Comply with the terms of the Data Processing Outsourcing Agreement (DPOA) and this Privacy Policy.
• Implement appropriate security measures to protect personal data.
• Notify PharmaServ Express immediately in case of a data breach or security incident.
• Ensure that any subcontractors engaged for data processing comply with data protection laws and contractual obligations.

Users and Customers

Users and Customers of our software platform are responsible for:

• Providing accurate and lawful personal data.
• Managing their account credentials securely and preventing unauthorized access.
• Understanding how their personal data is used by reviewing this Privacy Policy.
• Exercising their rights under applicable data privacy laws responsibly.

V. Compliance

All individuals and entities covered by this Data Privacy Policy, including employees, third-party vendors and service providers, users, and customers, are expected to comply with the provisions outlined here. Failure to adhere to this policy may result in appropriate consequences, as detailed below:

1. Employees

Employees are required to comply with this Data Privacy Policy and all related Company policies, procedures, and legal requirements concerning data protection. Any violation, including but not limited to unauthorized access, disclosure, or misuse of personal data, may result in disciplinary action, up to and including termination of employment, in accordance with the company’s Code of Conduct and Disciplinary Procedures.

2. Third-Party Vendors and Service Providers

Third-party vendors and service providers that process personal data on behalf of the Company must comply with the terms set forth in their respective contracts, including any data protection agreements or addenda. Non-compliance may result in contract termination, suspension of services, or legal action, as deemed necessary by the Company.

3. Users and Customers

Users and customers are expected to respect the data privacy rights of others when using the company’s services, platforms, or systems. Any misuse of personal data, including unauthorized access, sharing, or fraudulent activities, may lead to the suspension or termination of access to services, as well as possible legal action.

4. Legal and Regulatory Consequences

In cases where non-compliance results in a violation of applicable data protection laws, the Company reserves the right to take legal action against the responsible party. Additionally, violators may be subject to penalties, fines, and other enforcement actions imposed by regulatory authorities.

The Company is committed to enforcing this policy and will take appropriate steps to investigate, address, and mitigate any breaches of compliance.

VI. Organizational Responsibilities

PharmaServ Express as a Personal Information Controller (PIC) has the following obligations:

1. Accountable for complying with the requirements of the DPA.
2. Designate an individual or individuals who are accountable for the Organization’s compliance.
3. Implement reasonable and appropriate organizational, physical, and technical measures to protect personal data.
4. Ensure that third-parties implement security measures.
5. Ensure that employees, agents or representatives hold personal data under strict confidentiality.
6. Promptly notify the NPC and affected data subjects in case of a data breach.
7. Designate and register its Data Protection Officer.
8. Register its data processing systems.
9. Create an inventory of all its data processing systems.
10. Conduct a privacy impact assessment (PIA).
11. Set a privacy management program.
12. Train employees, agents, personnel or representatives.
13. Comply with NPC’s orders.
14. Use contractual or other reasonable means to provide a comparable level of protection while the information is being processed by a third-party.

On the other hand, PharmaServ Express as a Personal Information Processor (PIP) adheres to the following obligations:

1. Implement reasonable and appropriate organizational, physical, and technical measures to protect personal data.
2. Ensure employees, agents or representatives process personal data only upon instructions of the PIC.
3. Processing shall be governed by a contract or other legal act that binds the PIP to the PIC.
4. Not engage another processor without prior instructions from the PIC.
5. Ensure the same obligations are implemented by another processor.
6. Assist in fulfilling data subject rights.
7. Assist in ensuring compliance of PIC with data protection laws and regulations.
8. Inform the PIC of any instructions that infringe on the DPA.
9. Designate and register its Data Protection Officer.
10. Register its data processing systems.
11. Create an inventory of all its data processing systems.
12. Perform a privacy impact assessment (PIA).
13. Establish a privacy management program.
14. Train employees, agents or representatives.
15. Comply with NPC’s orders.

VII. Data Subject Rights

a. The right to be informed

Data subjects have the right to be informed about the processing of their personal data, including whether their data shall be, are being, or have been processed. This includes transparency regarding the existence of automated decision-making and profiling.

Before any personal data is processed, or at the next practical opportunity, data subjects must be notified and provided with the following information:

• A description of the personal data that will be entered into the system.
• The purposes for which the data will be or are being processed, including any use for direct marketing, profiling, or historical, statistical, or scientific research.
• The legal basis for processing, in cases where processing is not based on the data subject’s consent.
• The scope and method by which personal data will be processed.
• The recipients or categories of recipients to whom the personal data may be disclosed.
• The methods used for automated access, if authorized by the data subject, including the extent of such authorization and meaningful information about the logic involved, as well as the significance and anticipated consequences of the processing.
• The identity and contact details of the personal information controller and its representative.
• The duration for which the data will be stored or retained.
• The data subject’s rights concerning their personal data.

b. The right to damages

Data subjects have the right to seek compensation for any damages incurred as a result of the processing of inaccurate, incomplete, outdated, false, unlawfully obtained, or improperly used personal data. This right applies in cases where such processing leads to a violation of their rights and freedoms under applicable data protection laws.

To exercise the right to seek compensation for damages, data subjects may file a complaint with the National Privacy Commission (NPC) if they believe their rights have been violated. The complaint must be submitted in accordance with the NPC’s established Rules of Procedure governing all cases brought before the Commission.

c. The right to access

Data subjects have the right to obtain confirmation on whether their personal data is being processed and to access specific details regarding such processing. This includes the right to request information about:

• The contents of their personal data and the categories of data that have been processed.
• The sources from which their personal data were obtained, if the data was not collected directly from them.
• The purposes for which the data is being processed.
• The manner in which their data has been processed.
• Any automated processes involved in the processing of their data, particularly if such processing is or may become the sole basis for decisions that significantly impact them.
• The names and addresses of individuals or entities to whom their personal data has been disclosed.
• The reasons for disclosing their personal data to specific recipients.
• The date when their personal data was last accessed and modified.
• The duration for which specific categories of personal data will be retained.
• The designation, name or identity, and contact details of the Personal Information Controller’s (PIC) Data Protection Officer (DPO).

d. The right to file a complaint

Data subjects have the right to file a complaint with the National Privacy Commission (NPC) if they believe their personal information has been misused, unlawfully disclosed, improperly disposed of, or if any of their data privacy rights have been violated.

 e. The right to object

Data subjects have the right to refuse the processing of their personal data if the processing is based on consent or legitimate interest as the legal basis.

Data subjects have the right to object to the processing of their personal data under the following circumstances:

• When there is a significant change or amendment to the information previously provided in a consent form, privacy notice, or similar communication. In such cases, they must be notified and given the opportunity to object or withdraw consent if it was previously granted.
• When their personal data is being processed for direct marketing purposes.
• When their personal data is being used for profiling.
• When the processing involves automated decision-making, particularly if their personal data will, or is likely to, be used as the sole basis for a decision that significantly impacts them.

f. The right to rectify

Data subjects have the right to challenge any inaccuracies or errors in their personal data and request the Personal Information Controller (PIC) to correct them within a reasonable timeframe.

g. The right to erasure or blocking

Data subjects have the right to request the suspension, withdrawal, blocking, removal, or destruction of their personal data from the Personal Information Controller’s (PIC) filing system, including both active and backup systems.

Data subjects may request the erasure or blocking of their personal data upon discovery and presentation of substantial proof of any of the following:

• The personal data is incomplete, outdated, false, or unlawfully obtained.
• The data is being used for an unauthorized purpose.
• The personal data is no longer necessary for the purpose(s) for which it was originally collected.
• The information pertains to private matters that are prejudicial to the data subject, unless justified by freedom of speech, expression, or the press, or otherwise legally authorized.
• The data subject objects to the processing, and no other lawful basis for processing applies.
• The processing of personal data is unlawful.
• The Personal Information Controller (PIC) or Personal Information Processor (PIP) has violated the data subject’s rights.

h. The right to data portability

Data subjects have the right to request a copy of their personal data from the Personal Information Controller (PIC) and/or have it transferred to another PIC in an electronic or structured format that is commonly used.

Conditions for Exercising This Right

This right may be exercised when both of the following conditions are met:

1. The processing of personal data is based on consent or a contract.
2. The data is processed electronically in a structured and commonly used format.

                        Types of Personal Data That May Be Requested for Copy or Transfer

The right to data portability applies only to:

• Personal data that the data subject has actively and knowingly provided, such as name, address, age, username, etc.
• Observed data collected through the use of a service or device, such as access logs, transaction history, location data, etc.

VIII. Data Use Rules

a. What information we collect, directly or indirectly

Types of information collected:

• Those shared with PharmaServ Express
• Those PharmaServ Express collects through automated means
• Those we collect from other sources

How we collect your personal data

We collect your personal data when you:

• Complete our various forms such as a feedback form, resume form, contact form, supplier accreditation form, and remittance/encashment form.
• Reveal your personal data to our Authorized Representatives (i.e. our employees) through various channels such as chat facility, phone calls, emails, SMS, or verbal communication.
• Apply through social media platforms such as JobStreet and Facebook.
• Make an order or request service booking through our online platform or other chat facilities.

Specifically, we collect, use, store, retain, disclose or transfer, and dispose (once they have served their legitimate purpose) the following personal data:

A. Employment, Recruitment, and Selection Process

Personal data for employment pertains to the information collected, processed, and utilized by PharmaServ Express regarding its employees or job applicants. These are the following:

• Name and signature
• Contact information such as address, mobile number, landline number, and email address
• Date and place of birth, nationality, religion, civil status
• Educational background and work experience
• Names of spouse, children, parents, and siblings, if necessary
• Professional licenses and certifications
• Health information
• Background information such as police, barangay and NBI clearances and records
• Performance rating, salaries and benefits, career movements of current employees
• Bank account information for administering payroll
• Name and contact details of references and contact persons

B. Customers who utilize our services

Personal data of customers for delivery pertains to the information collected, processed, and used by PharmaServ Express regarding its customers in connection with the delivery of goods or services.

Users:

• Name
• Email Address
• Contact Number
• Profile Picture
• Birthdate
• Address

Patients:

• Name
• Nickname
• Birthdate
• Gender
• Email Address
• Contact Number
• Profile Picture
• Medical Records
• Patient Relationship

C. Vendors/suppliers or prospective partners

Personal data of vendors/suppliers or prospective partners refers to the details collected, processed, and utilized by PharmaServ Express about its suppliers, vendors, or potential partners.

Merchants:

Non-Personal Data –

• Business Name
• BIR TIN
• Business Address
• Office Contact Number
• Branch Code
• Branch Name

Personal Data –

• Authorized Contact Person
• Designation
• Contact Number
• Owner Name
• Email Address
• Contact Number
• Profile Picture
• Bank Details
• Valid ID of owner, authorized representative, or signatory
• PRC ID of pharmacist
• DTI Certificate of Registration
• SEC Certificate of Incorporation
• FDA License to Operate
• Certificate of Product Registration
• Business Permit
• BIR Form 2303

Doctors:

Non-Personal Data –

• Clinic Name
• Clinic Address
• Clinic Hours
• Clinic Contact Number

Personal Data –

• Name
• Nickname
• Email Address
• Contact Number
• License Number
• Professional Tax Receipt
• E-Signature
• Specialization
• Profile Picture

Manner of Collection:

We collect your personal data through the following ways –

 Users

• User registration through the mobile application

Patients

• A User has the technical access to add a Patient to their account in the mobile application.

 Merchant

• Merchant registration via the Onboarding Page through a web-based platform.

Doctor

• Doctor registration via the Onboarding Page through a web-based platform.

b. Basis, use and purpose for processing of personal data

PharmaServ Express uses the following lawful criteria for processing personal data:

1. Compliance with a legal obligation

    

   Processing is justified when it is necessary to fulfill a legal obligation imposed on the Organization.

2. Contract performance

    

   Processing is justified when it is necessary for the execution or fulfillment of a contract with the data subject.

3. Vital interest

    

   Processing is justified when it is necessary to safeguard the data subject’s essential interests, particularly those related to life and health.

4. Legitimate interest

    

   Processing is justified when it is necessary to fulfill the legitimate interests of the Personal Information Controller (PIC) or Personal Information Processor (PIP), provided that these interests do not override the fundamental rights and freedoms of the data subject.

5. Consent

    

   Processing is justified as the data subject has given his or her consent

In these instances, your personal data is utilized for the following purposes:

• In order to fulfill the legal obligations of PharmaServ Express and as mandated by government entities and/or organizations such as the National Privacy Commission, Bangko Sentral ng Pilipinas, Bureau of Internal Revenue, Home Development Mutual Fund or Pag-IBIG, PhilHealth, Social Security System, among other government agencies and instrumentalities, performing their public mandate to govern our business operations.
• In order to assess and/or fulfill your transaction with us.
• In order to set up, execute, or protect legal claims.
• For employment, recruitment, and selection process.

Usage

Your personal data is used for the following use cases –

Users:

• To communicate with you
• To manage your account
• For verification purposes
• To deliver services you requested
• For personalization
• For payment processing
• For data analysis

 Patients:

• To communicate with you
• To deliver services you requested or need
• For personalization
• For data analysis

Merchants:

• For verification purposes
• To communicate with you
• To manage your account
• To deliver services
• For personalization
• For payment and remittance processing
• For data analysis

Doctors:

• For verification purposes
• To communicate with you
• To manage your account
• To deliver services
• For personalization
• For data analysis

PharmaServ Express uses the following services and  tools to run its software application:

Apple, Google and Microsoft Services –

• Security
• Storage
• Backup
• App Management and Distribution
• AI Tools
• GIS Data/Location-based Information

c. Log Management

Log files are records of events, activities, or system states generated by  software applications, operating systems, or devices. These files contain time-stamped entries that document important system behaviors, errors, warnings, and other runtime details.

The following log file data shall be collected by PharmaServ Express:

• Users’ IP address
• The pages and internal links accessed on our site
• The date and time you visited the site
• Geolocation
• Computer or mobile-device operating system
• Web browser type
• Type of mobile device and settings

The collection of log data is for the purpose of:

• Debugging and Troubleshooting – Helps the Company identify and resolve software errors, bugs, or unexpected behaviors.
• Performance Monitoring – Tracks system performance, response times, and resource utilization to optimize the application.
• Security and Compliance – Logs security events, unauthorized access attempts, and system anomalies for audits and compliance requirements.
• User Activity Tracking – Records user actions to analyze behavior, detect fraud, or enhance user experience.
• System Health Monitoring – Provides real-time insights into system stability and failures, allowing proactive maintenance.
• Regulatory Compliance – Logging is also required for legal and regulatory purposes (e.g., financial, healthcare, or data privacy laws).

d. Risks involved

Risk refers to the possibility of an incident causing harm or posing a threat to either a data subject or an organization. Such risks may lead to the unauthorized collection, use, disclosure, or access to personal data. This includes threats to the confidentiality, integrity, and availability of personal information, as well as the potential for processing activities to violate general data privacy principles and the rights of data subjects.

To mitigate these risks, we implement appropriate physical, technical, and organizational security measures to safeguard personal data. While these safeguards help maintain confidentiality, integrity, and availability, they do not provide absolute protection against all risks. Certain threats, such as targeted cyberattacks, malware, ransomware, computer viruses, or unauthorized access to physical records, may still pose challenges in securing personal data.

e. How information is protected and processed securely (security measures)

Organizational security measures

They refer to policies, procedures, and controls put in place to ensure the protection of personal data within an organization.

• Data Protection Officer appointment
• Registration of DPO/Data Processing Systems
• Conduct of Privacy Impact Assessment *
• Data privacy policies
• Data privacy manual *
• Information security policies and procedures *
• Employee training and awareness programs
• Training records
• Explicit roles and responsibilities in Job Descriptions and Terms of Reference *
• Clear reporting lines and expectations
• Disciplinary process
• Access control mechanisms
• Regular risk assessments and audits
• Data breach notification procedures *
• Third party agreements *
• Terms and Conditions (confidentiality clauses) *
• Due diligence *
• Auditing and monitoring
• Data retention and disposal
• Data subject rights mechanisms

Physical security measures

They refer to safeguards that protect the physical storage and access points of personal data to prevent unauthorized access, destruction, or loss. These measures are aimed at ensuring that physical locations where personal data is processed, stored, or disposed of are secure from both internal and external threats.

• Secure workspaces and facilities (i.e. ID badges, biometric access systems, security personnel)
• Locked and controlled access to data storage areas
• Secure office storage for removable devices and hardcopy information
• Surveillance and monitoring systems (i.e. CCTV cameras)
• Locked windows
• Locked CCTV room
• Lockable pedestals
• Perimeter fence
• Visitor control and logging
• Environmental security controls (i.e. fire suppression systems, temperature controls, backup power supplies, disaster recovery plans)
• Secured workstations and devices (i.e. locking computers, laptops and devices to desks or in secure drawers)
• Secure disposal (shredding of hardcopies)
• Backup and offsite storage protection (i.e. external hard drives with access controls)

Technical security measures

They refer to the technological controls and systems implemented by organizations to protect personal data from unauthorized access, breaches, and other cyber threats. These measures are essential to ensure the confidentiality, integrity, and availability of personal data in electronic formats.

• Data encryption
• Access control systems
• Regular software updates and patch management
• Firewalls and intrusion detection/prevention systems (IDS/IPS)
• Antivirus and anti-malware software
• Password protection
• Spam filters
• Data backup and recovery systems
• Logging and monitoring mechanisms
• Sharing data (technical solutions – e.g. via email, portals)
• Secure software development practices
• Cloud provider
• Network segmentation
• Incident response and data breach management
• Secure disposal of electronic data
• Data masking and anonymization
• System testing and maintenance

f. Storage and retention

PharmaServ Express stores your personal data in a computer server and through the use of virtual cloud services.

We will retain your personal data for a period of two (2) years from the last triggering event.  Such triggering events include last sign-in and last transaction using PharmaServ Express’ software application through a timestamp.

Upon termination of our legitimate purpose behind the processing of your personal data, we will securely dispose of the same data following our data retention and disposal policy.

Some instances may arise when PharmaServ Express will retain your information for historical data, statistical and data analysis purposes, but we will remove personal identifiers to establish and maintain the confidentiality and security of your information.

g. Disclosure and Transfer of Personal Data

PharmaServ Express will share personal data with third-parties within the Philippines, for the purposes and use cases stated in this Privacy Policy, specifically:

Users Data:

• App users – merchants and doctors

Patients Data:

• App users – merchants and doctors

Merchants Data:

• App users – users, patients, and doctors

Doctors Data:

• App users – users, patients, and merchants

PharmaServ Express may disclose personal data with third-parties who need access to such information to carry out work on behalf of the Company, provided that similar levels of information security and data protection are in place. To comply with relevant laws and regulations, PharmaServ Express executes Data Sharing Agreements, Outsourcing Agreements, Non-disclosure Agreements and other contractual means  with third-parties to protect your personal data.

h. Selling of Personal Data

There may be instances where PharmaServ Express will sell data, but in an aggregated form where personal identifiers that point to a person’s exact identity are deleted, prior to selling, for statistical and research purposes.

i. Disposal

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, in compliance with applicable laws and regulations. Once the retention period expires or when data is no longer required, we securely dispose of it using industry-standard methods to prevent unauthorized access, retrieval, or reconstruction.

Data Disposal Methods –

To ensure the secure disposal of personal data, we implement the following measures:

1. Data Wiping

We use specialized software tools to permanently erase data from storage devices. This process ensures that the deleted data cannot be recovered or reconstructed.

2. Overwriting

We overwrite existing data with random values multiple times, rendering the original data irretrievable. This method is applied to electronic records stored on hard drives, servers, and other digital storage media.

PharmaServ Express disposes personal data that have served their legitimate purpose through the following secure means according to User Interface –

Users and Patients Data:

Deletion of electronic documents and files –

• When the User/Patient opts-out, PharmaServ Express will digitally delete the account from our database.

Merchants and Doctors Data:

Deletion of electronic documents and files –

• When the Merchant/Doctor opts-out, we will digitally delete the account from our database

IX. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, you may contact us at:

Data Protection Officer (DPO)

PharmaServ Express
Address:
89 Mayor Gil Fernando Ave.
San Roque, Marikina City
Philippines
Email: dataprotection@pharmaservexpress.com
Phone: (+63) 920 861 6911

X. Policy Review and Updates

This Privacy Policy shall be regularly reviewed and updated to ensure its continued relevance, effectiveness, and compliance with applicable laws, regulations, and industry standards, including the Philippine Data Privacy Act of 2012 (R.A. 10173).

The Data Protection Officer (DPO), in coordination with relevant stakeholders, shall conduct a formal review at least once annually or whenever there are significant changes in:

• Legal or regulatory requirements governing data privacy and protection
• Organizational policies, business processes, or data processing activities
• Emerging risks, threats, or security vulnerabilities affecting personal data

Any revisions to this Privacy Policy shall be approved by Management and communicated to all affected stakeholders. The latest version of this policy shall be made available through our Company website, internal portal, or other official communication channels.