Privacy Policy

Privacy Policy

Last updated: May 6, 2026

1. Information We Collect

When you create an account, we collect your email address and, if you sign in with Google, your name and profile photo. We also collect usage data such as pages viewed and features used to improve the service.

2. How We Use Your Information

  • To authenticate you and maintain your session
  • To save your preferences, notebook entries, and tool calculations
  • To improve and personalize your experience
  • To send occasional service-related notifications (if opted in)

3. Data Storage & Security

Your data is stored securely on Supabase infrastructure with row-level security policies. We use HTTPS for all communications and never share your personal data with third parties for marketing purposes.

4. Third-Party Services

We integrate with external APIs for market data, currency rates, and news feeds. These services receive only the queries necessary to return data and do not receive your personal information.

5. Cookies

We use essential cookies to manage authentication sessions. We do not use advertising or tracking cookies.

6. Your Rights

You may request access to, correction of, or deletion of your personal data at any time by contacting us. You can also delete your account directly from the application settings.

7. Changes to This Policy

We may update this Privacy Policy from time to time. Significant changes will be communicated through the application. Continued use after changes constitutes acceptance of the updated policy.

8. Administrative Access & Data Processing

To provide technical support and maintain platform integrity, authorized administrators may access user account data. This section describes how and when such access occurs, and the protections in place.

  • Ghost Mode Protocol: Administrators may view your account through a secure "Ghost Mode" that provides read-only access. Ghost Mode does not permit data modification. All sessions are logged, including the administrator identity, timestamp, duration, and the target account accessed.
  • Access to Data: During Ghost Mode sessions, administrators may view your profile information, saved tool data (e.g., cashflow accounts, utility records, amortization schedules, notebook entries), and usage history. They cannot view your password or authentication tokens.
  • Legal Basis: Administrative access is processed under the legitimate interest basis as defined in the Philippine Data Privacy Act of 2012 (R.A. 10173), Section 12(f). We process only the minimum data necessary and retain access logs for audit purposes in compliance with NPC Circular No. 2016-02.
  • Privacy by Design Toggle: You may disable administrative access to your account at any time through the "Allow Support Access" setting in your profile. When disabled, Ghost Mode will not grant access to your account, and support staff will be unable to view your data.
  • Data Breach Notification: In the event of a data breach involving your personal information, we will notify you and the National Privacy Commission within 72 hours as required by R.A. 10173 and NPC Circular No. 2016-03.

9. Your Rights Under the Data Privacy Act

Under the Philippine Data Privacy Act of 2012, you have the following rights regarding your personal data:

  • Right to be informed about how your data is processed
  • Right to access your personal data held by Chamly
  • Right to object to the processing of your personal data
  • Right to erasure or blocking of your data
  • Right to rectification of inaccurate personal data
  • Right to data portability
  • Right to file a complaint with the National Privacy Commission

To exercise any of these rights, contact us through the application or via the email address listed in our support section.