Privacy Policy
MetroMoto Service Hub
Effective Date: June 19, 2026 | Last Updated: June 19, 2026
1. Introduction
MetroMoto Service Hub ("we", "us", or "our") is a cloud-based service management platform designed for motorcycle repair and service shops in the Philippines. This Privacy Policy explains how we collect, use, store, share, and protect personal information in connection with our platform.
We are committed to complying with Republic Act No. 10173, also known as the Data Privacy Act of 2012 ("DPA"), and its Implementing Rules and Regulations ("IRR"), as overseen by the National Privacy Commission ("NPC").
By using MetroMoto Service Hub — whether as a shop owner, staff member, mechanic, or customer accessing the customer portal — you acknowledge that you have read and understood this Privacy Policy.
2. Who This Policy Covers
This policy applies to personal information collected from the following individuals:
- Shop owners and organization administrators who register an account on the platform.
- Staff users (e.g., service advisors, branch managers) added to a shop's organization.
- Mechanics whose profiles are created and managed within the platform.
- Customers (motorcycle owners) whose records are entered by shop staff during intake.
- Customer portal users — motorcycle owners who are invited to access their own service records via the customer portal.
3. Personal Information We Collect
We collect personal information directly from users and indirectly through shop staff entering data on behalf of customers.
3.1 Shop Owners and Staff Users
- Full name
- Email address and password (stored in hashed form)
- Passkey credentials (device-based authentication data)
- Two-factor authentication (2FA) configuration
- Role and branch assignment within the organization
3.2 Mechanics
- Full name
- Mobile number
- Specialization
- Commission rate
- Profile photo
3.3 Customers (Motorcycle Owners)
- Full name
- Mobile number
- Email address
- Home or business address
- Notes (service-relevant information entered by shop staff)
- Profile photo (if uploaded)
3.4 Motorcycle and Service Records
The following vehicle information is linked to a customer's record:
- Make, model, and year of motorcycle
- Plate number
- Engine number
- Chassis number
- Service history (services performed, parts used, dates, assigned mechanics)
- Ownership transfer records
3.5 Business and Transactional Data
- Sales records and invoices
- Inventory items, stock levels, and purchase records
- Expense records (amounts, categories, dates)
- Sourced parts (externally procured parts for specific customers or jobs)
- Subscription plan and payment records for the organization
3.6 Automatically Collected Data
- Session data (login timestamps, browser/device identifiers)
- Activity logs generated by the platform for audit trail purposes
- IP addresses (collected by our infrastructure and email service providers)
4. How We Use Personal Information
We process personal information only for the following specific purposes:
- Service delivery: To operate the platform, manage service records, track inventory, process sales, and generate reports for shop owners and staff.
- Customer portal access: To allow motorcycle owners to view their own service records and history after accepting an invitation.
- Communications: To send account verification emails, portal invitation emails, and password reset emails to users and customers.
- Authentication and security: To verify user identity through passwords, passkeys, 2FA, and session management.
- Audit and accountability: To maintain activity logs that track who created, modified, or deleted records within the platform.
- Subscription management: To manage billing, trial periods, and subscription plan entitlements for subscribing organizations.
- Platform improvement: To identify and fix technical issues and improve the reliability and usability of the platform.
We do not use personal information for advertising, profiling, or any purpose beyond what is stated in this policy.
5. Legal Basis for Processing
Under the Data Privacy Act of 2012, we process personal information on the following bases:
- Contractual necessity: Processing is required to fulfill our agreement with subscribing shop owners and to provide the platform services.
- Legitimate interests: Maintaining audit logs, security measures, and activity tracking to protect the integrity of the platform and its users.
- Consent: For customer portal access, customers provide consent when accepting an invitation to register and access their records.
- Compliance with legal obligations: Where we are required by law to retain or disclose information.
6. Who We Share Information With
We do not sell, rent, or trade personal information. We share information only with the following trusted third-party service providers who process data on our behalf, under contractual data processing obligations:
- Email delivery providers (e.g., Postmark, Resend): Used to send transactional emails such as portal invitations and password resets. These providers receive the recipient's email address and the content of the email.
- Cloud file storage (Amazon Web Services S3): Used to store uploaded profile photos and organization logos. Files are stored in a private storage bucket.
- Internal notifications (Slack): Used for operational alerts and system notifications directed at our team. Customer personal data is not included in Slack notifications.
Shop data — including customer records, service history, and employee information — is not shared between separate organizations on the platform. Each organization's data is strictly isolated.
7. Data Retention
We retain personal information for as long as necessary to fulfill the purposes for which it was collected, or as required by law. Specifically:
- Active accounts: Data is retained for the duration of a shop's active subscription.
- Soft-deleted records: Customer, mechanic, and motorcycle records that are deleted within the platform are soft-deleted (marked as inactive) and retained for audit and recovery purposes. Contact us to request permanent deletion.
- User accounts: Staff and customer portal accounts are retained until the organization's subscription ends or a deletion request is processed.
- Activity logs: Audit trail logs are retained for a minimum period to support accountability and dispute resolution.
When data is no longer required and no legal obligation requires its retention, we securely delete or anonymize it.
8. How We Protect Your Information
We implement technical and organizational security measures appropriate to the sensitivity of the data we process, including:
- Passwords are stored using strong cryptographic hashing (bcrypt) and are never stored in plain text.
- Support for passkey (FIDO2) authentication as a more secure alternative to passwords.
- Optional two-factor authentication (2FA) for user accounts.
- Email verification required for new user accounts.
- Role-based access control (RBAC) ensures users can only access data appropriate to their role.
- Multi-tenant data isolation — each organization's data is logically separated and inaccessible to other organizations.
- HTTPS encryption for all data transmitted between your browser and our servers.
While we take these precautions, no system is completely secure. We encourage users to use strong, unique passwords and to enable 2FA.
9. Your Rights as a Data Subject
Under the Data Privacy Act of 2012, you have the following rights with respect to your personal information:
- Right to be informed: You have the right to know how your personal data is collected and processed, as described in this policy.
- Right of access: You may request a copy of the personal information we hold about you.
- Right to rectification: You may request correction of inaccurate or incomplete personal information.
- Right to erasure (right to be forgotten): You may request deletion of your personal information, subject to our legal retention obligations.
- Right to data portability: You may request your data in a structured, commonly used format.
- Right to object: You may object to the processing of your personal information in certain circumstances.
- Right to lodge a complaint: You may file a complaint with the National Privacy Commission (NPC) at www.privacy.gov.ph if you believe your rights have been violated.
To exercise any of these rights, please contact us using the details in Section 12. We will respond within a reasonable time and in accordance with the DPA.
10. Customer Portal Users
Motorcycle owners may receive an email invitation from a shop to access the MetroMoto customer portal. By accepting the invitation and registering an account, you consent to MetroMoto Service Hub processing your personal information for the purpose of displaying your service records.
Customer portal accounts are separate from shop staff accounts. You may request deletion of your portal account at any time by contacting the shop that invited you, or by contacting us directly.
11. Children's Privacy
MetroMoto Service Hub is not directed at individuals under the age of 18. We do not knowingly collect personal information from minors. If you believe a minor's information has been submitted to the platform without parental consent, please contact us and we will take steps to delete it.
12. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or the handling of your personal information, please contact our Data Privacy Officer:
MetroMoto Service Hub
Data Privacy Officer
Email: [email]
Website: [site]
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in the platform, applicable law, or our data practices. When we make material changes, we will notify subscribing organizations by email or through an in-app notice. The "Last Updated" date at the top of this document reflects the most recent revision.
Continued use of the platform after changes take effect constitutes acceptance of the updated policy.