Privacy Policy

Last updated: February 24, 2026

Effective Date: February 24, 2026

Data Privacy Act of 2012 Compliance

This Privacy Policy is designed to comply with Republic Act No. 10173, also known as the "Data Privacy Act of 2012" (DPA), its Implementing Rules and Regulations (IRR), and all relevant issuances of the National Privacy Commission (NPC). LionBox, Inc. is registered with the National Privacy Commission as a Personal Information Controller (PIC) and implements all required organizational, physical, and technical security measures to protect personal data in accordance with Philippine data privacy laws.

Table of Contents

  1. Introduction and Scope
  2. Definitions
  3. Personal Information Controller
  4. Information We Collect
  5. How We Collect Information
  6. Purposes of Processing
  7. Legal Basis for Processing
  8. Data Sharing and Disclosure
  9. International Data Transfers
  10. Data Retention
  11. Data Security
  12. Your Rights Under the DPA
  13. Exercising Your Rights
  14. Cookies and Tracking
  15. Children's Privacy
  16. Third-Party Links
  17. Data Breach Notification
  18. Changes to This Policy
  19. Data Protection Officer
  20. Filing a Complaint
  21. Contact Information

1. Introduction and Scope

1.1 Introduction

LionBox, Inc. ("LionBox," "we," "us," or "our") is committed to protecting the privacy and security of personal information entrusted to us. This Privacy Policy ("Policy") describes how we collect, use, store, share, and protect personal information in connection with our Human Resource Information System (HRIS) and Payroll platform (the "Services"). This Policy also explains your rights regarding your personal information and how you can exercise those rights.

1.2 Scope

This Policy applies to all personal information that LionBox collects or processes, including but not limited to: (a) personal information collected through our website (www.lionbox.work) and mobile applications; (b) personal information collected through our Services; (c) personal information collected from employers who subscribe to our Services ("Subscribers"); (d) personal information of employees whose data is processed through our Services ("Employee Data Subjects"); (e) personal information collected from prospective customers, partners, and vendors; and (f) personal information collected from job applicants and our own employees.

1.3 Relationship with Subscribers

In most cases, LionBox processes Employee Data on behalf of our Subscribers, who are the employers of such employees. In these cases, the Subscriber is the "Personal Information Controller" (as defined under the DPA), and LionBox acts as a "Personal Information Processor" processing Employee Data on behalf of and under the instructions of the Subscriber. The Subscriber is responsible for ensuring that it has obtained all necessary consents from its employees and has a lawful basis for processing Employee Data. Employees who have questions about how their employer processes their personal information should contact their employer directly.

1.4 Acceptance of This Policy

By accessing or using our Services, by submitting personal information to us, or by authorizing another person to submit personal information on your behalf, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, storage, and disclosure of your personal information as described herein. If you do not agree with this Policy, please do not access or use our Services or submit any personal information to us.

2. Definitions

For purposes of this Privacy Policy, the following definitions shall apply:

"Consent" refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of his or her personal, sensitive personal, or privileged information. Consent shall be evidenced by written, electronic, or recorded means. It may also be given on behalf of a data subject by a lawful representative or an agent specifically authorized by the data subject to do so.

"Data Subject" refers to an individual whose personal, sensitive personal, or privileged information is processed by LionBox or our Subscribers.

"Data Processing Systems" refers to the structure and procedure by which personal data is collected, recorded, organized, stored, updated or modified, retrieved, consulted, used, consolidated, blocked, erased, or disposed of.

"Employee Data" refers to personal information relating to employees of our Subscribers that is processed through our Services.

"Personal Data Breach" refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

"Personal Information" refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.

"Personal Information Controller" (PIC) refers to a natural or juridical person, or any other body who controls the processing of personal data, or instructs another to process personal data on its behalf.

"Personal Information Processor" (PIP) refers to any natural or juridical person or any other body to whom a personal information controller may outsource or instruct the processing of personal data pertaining to a data subject.

"Processing" refers to any operation or any set of operations performed upon personal data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.

"Privileged Information" refers to any and all forms of data, which, under the Rules of Court and other pertinent laws, constitute privileged communication.

"Sensitive Personal Information" refers to personal information: (a) about an individual's race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations; (b) about an individual's health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings; (c) issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and (d) specifically established by an executive order or an act of Congress to be kept classified.

3. Personal Information Controller

3.1 LionBox as Personal Information Controller

For personal information that LionBox collects for its own purposes (such as information about our customers, website visitors, and our own employees), LionBox is the Personal Information Controller and is responsible for determining the purposes and means of processing such personal information.

3.2 LionBox as Personal Information Processor

For Employee Data that LionBox processes on behalf of our Subscribers, LionBox acts as a Personal Information Processor. In this capacity, LionBox processes Employee Data only in accordance with the instructions of the Subscriber and does not use Employee Data for any purpose other than providing the Services to the Subscriber. The Subscriber, as the employer, is the Personal Information Controller for Employee Data and is responsible for ensuring compliance with data privacy laws in relation to its employees.

3.3 Data Processing Agreement

LionBox enters into a Data Processing Agreement with each Subscriber, which sets forth the parties' obligations with respect to the processing of Employee Data. The Data Processing Agreement includes provisions relating to: (a) the subject matter, duration, nature, and purpose of processing; (b) the type of personal data and categories of data subjects; (c) the obligations and rights of the Subscriber as controller; (d) LionBox's obligations as processor; (e) security measures; (f) sub-processing; (g) data subject rights; (h) assistance with compliance; and (i) audit rights.

4. Information We Collect

4.1 Information Collected from Subscribers

When organizations subscribe to our Services, we collect the following types of information:

(a) Account Information: Company name, business registration details (SEC/DTI registration number), Tax Identification Number (TIN), business address, industry classification, company size, and other organizational information.

(b) Contact Information: Names, email addresses, phone numbers, and job titles of company representatives, administrators, and authorized users.

(c) Billing Information: Billing address, payment method details, and transaction history.

(d) Configuration Data: Company policies, work schedules, leave policies, payroll configurations, organizational structure, and other settings.

4.2 Employee Data Collected Through Services

Our Services enable Subscribers to collect and process the following categories of Employee Data. The specific data collected depends on the features used by the Subscriber:

(a) Personal Identification Information:

  • Full legal name (first name, middle name, last name, suffix)
  • Date of birth
  • Place of birth
  • Gender
  • Civil/marital status
  • Nationality/citizenship
  • Profile photograph

(b) Contact Information:

  • Home address (street, barangay, city/municipality, province, region, postal code)
  • Mobile phone number
  • Landline phone number
  • Personal email address
  • Work email address
  • Emergency contact information (name, relationship, contact number)

(c) Government-Issued Identification Numbers:

  • Social Security System (SSS) number
  • Philippine Health Insurance Corporation (PhilHealth) number
  • Home Development Mutual Fund (Pag-IBIG/HDMF) number
  • Tax Identification Number (TIN)
  • Unified Multi-Purpose ID (UMID) number
  • Driver's license number
  • Passport number
  • Voter's ID number
  • Other government-issued ID numbers as may be required

(d) Employment Information:

  • Employee number/ID
  • Date of hire
  • Date of regularization
  • Employment type (regular, probationary, contractual, project-based, seasonal, fixed-term)
  • Employment status (active, inactive, separated, on leave)
  • Job title/position
  • Department/division/unit
  • Cost center
  • Work location/branch
  • Reporting manager/supervisor
  • Employment history and previous positions
  • Work schedule and shift assignments
  • Separation details (if applicable): separation date, separation reason, clearance status

(e) Compensation and Benefits Information:

  • Basic salary/wage rate
  • Rate type (monthly, daily, hourly)
  • Allowances (transportation, meal, communication, clothing, etc.)
  • Bonuses and incentives
  • Commission structures
  • De minimis benefits
  • Statutory deductions (SSS, PhilHealth, Pag-IBIG, withholding tax)
  • Voluntary deductions (loans, insurance, union dues, etc.)
  • Pay schedule assignment
  • Salary history

(f) Banking and Financial Information:

  • Bank name
  • Bank branch
  • Bank account number
  • Bank account type (savings, checking)
  • Payment method preference

(g) Time and Attendance Information:

  • Daily time records (DTR)
  • Clock-in and clock-out timestamps
  • Overtime records
  • Undertime records
  • Tardiness records
  • Absences
  • Work hours summary
  • Biometric data (if biometric attendance systems are used)
  • Location data (if location-based attendance is enabled)

(h) Leave Information:

  • Leave balances by type
  • Leave requests and approvals
  • Leave history
  • Leave reasons
  • Medical certificates (for sick leave)

(i) Loan and Advance Information:

  • Government loan details (SSS salary loan, SSS calamity loan, Pag-IBIG multipurpose loan, Pag-IBIG calamity loan)
  • Company loan details
  • Cash advance records
  • Loan amortization schedules
  • Payment history

(j) Tax Information:

  • Tax status
  • Number of qualified dependents
  • Withholding tax computations
  • Year-to-date taxable income
  • Previous employer income (for annualized tax computation)
  • BIR Form 2316 data

4.3 Usage Data

We automatically collect certain information about how users interact with our Services, including:

  • IP addresses and geolocation information
  • Browser type and version
  • Operating system
  • Device type and identifiers
  • Access timestamps
  • Pages viewed and features used
  • Clickstream data
  • Referring URLs
  • Error logs and diagnostic information

4.4 Sensitive Personal Information

Our Services may process sensitive personal information as defined under the DPA, including:

  • Government-issued identification numbers (SSS, PhilHealth, Pag-IBIG, TIN)
  • Health information (when processing sick leave requests with medical certificates)
  • Age and date of birth
  • Civil/marital status

The processing of sensitive personal information is subject to additional safeguards and requires explicit consent or a lawful basis as specified under the DPA.

5. How We Collect Information

5.1 Information Provided Directly

We collect information that is provided directly to us through various means, including:

  • Account registration and subscription forms
  • Employee information entry forms
  • Leave request forms
  • Loan and cash advance request forms
  • Customer support inquiries
  • Survey responses
  • Communication with our team

5.2 Information Collected Automatically

We automatically collect certain information when you use our Services, including through the use of cookies, web beacons, and similar technologies. This includes usage data, device information, and log data as described in Section 4.3.

5.3 Information from Third Parties

We may receive information from third parties, including:

  • Biometric attendance devices (time records)
  • Banking partners (for payment verification)
  • Government agencies (for contribution and tax rate updates)
  • Integration partners (when you connect third-party applications)
  • Employers (when employers provide employee information)

5.4 Information from Publicly Available Sources

We may collect information from publicly available sources, such as government databases for verifying business registration information, and publicly available professional profiles.

6. Purposes of Processing

6.1 Primary Purposes

We process personal information for the following primary purposes:

(a) Service Provision: To provide, maintain, and improve our Services, including processing payroll, managing employee records, tracking attendance, processing leave requests, managing loans and advances, and generating reports.

(b) Statutory Compliance: To compute and facilitate the remittance of mandatory contributions to SSS, PhilHealth, and Pag-IBIG; to compute and facilitate the remittance of withholding taxes to the BIR; and to generate reports required by government agencies.

(c) Account Management: To create, maintain, and manage user accounts; to authenticate users; to process subscription payments; and to communicate with users about their accounts.

(d) Communication: To send service-related communications, including system notifications, updates, security alerts, and administrative messages.

(e) Customer Support: To respond to inquiries, provide technical support, and resolve issues.

(f) Security and Fraud Prevention: To protect our Services, users, and others from unauthorized access, fraud, abuse, and other harmful activities.

6.2 Secondary Purposes

With appropriate consent or as permitted by law, we may also process personal information for the following secondary purposes:

(a) Service Improvement: To analyze usage patterns, conduct research, and improve our Services.

(b) Marketing: To send promotional communications about our products and services (with consent and opt-out options).

(c) Analytics: To generate aggregated, anonymized statistics and insights about usage patterns.

(d) Product Development: To develop new features and services.

6.3 Processing for Subscribers

When processing Employee Data on behalf of Subscribers, we process such data only for the purposes specified by the Subscriber and in accordance with the Subscriber's instructions, as set forth in the applicable Data Processing Agreement.

7. Legal Basis for Processing

Under the Data Privacy Act of 2012, personal information may be processed when at least one of the following conditions exists:

7.1 Consent

The data subject has given his or her consent to the processing of his or her personal information for one or more specific purposes. For sensitive personal information, consent must be explicitly given. We obtain consent through clear and affirmative actions, such as checking a consent box, signing a consent form, or other unambiguous indications of consent.

7.2 Contractual Necessity

The processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract. This includes processing necessary to provide our Services to Subscribers and their employees.

7.3 Legal Obligation

The processing is necessary for compliance with a legal obligation to which LionBox or the Subscriber is subject. This includes processing required for: (a) compliance with the Labor Code of the Philippines; (b) remittance of statutory contributions to SSS, PhilHealth, and Pag-IBIG; (c) withholding and remittance of taxes to the BIR; (d) compliance with NPC orders and requests; and (e) compliance with court orders and legal process.

7.4 Vital Interests

The processing is necessary to protect the vitally important interests of the data subject, including life and health. This may apply in emergency situations where immediate access to employee contact information is required.

7.5 Legitimate Interests

The processing is necessary for the purposes of the legitimate interests pursued by LionBox or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. Our legitimate interests include: (a) improving and securing our Services; (b) preventing fraud and abuse; (c) conducting business analytics; and (d) exercising and defending legal claims.

7.6 Processing of Sensitive Personal Information

Sensitive personal information may only be processed when: (a) the data subject has given explicit consent; (b) processing is provided for by existing laws and regulations; (c) processing is necessary to protect the life and health of the data subject or another person; (d) processing is necessary to achieve the lawful and noncommercial objectives of public organizations; or (e) processing is necessary for purposes of medical treatment, when carried out by a medical practitioner or medical treatment institution.

8. Data Sharing and Disclosure

8.1 Sharing with Government Agencies

In the course of providing our Services, personal information may be shared with or transmitted to Philippine government agencies for statutory compliance purposes, including:

  • Social Security System (SSS): Employee information, contribution amounts, loan deductions, and related data for mandatory social security coverage.
  • Philippine Health Insurance Corporation (PhilHealth): Employee information and contribution amounts for mandatory health insurance coverage.
  • Home Development Mutual Fund (Pag-IBIG/HDMF): Employee information, contribution amounts, loan deductions, and related data for mandatory housing fund coverage.
  • Bureau of Internal Revenue (BIR): Employee information, compensation data, withholding tax amounts, and related data for tax compliance purposes.
  • Department of Labor and Employment (DOLE): Employment data as may be required for labor compliance and reporting.

8.2 Sharing with Service Providers

We engage third-party service providers to assist us in providing and improving our Services. These service providers may have access to personal information as necessary to perform their functions, but are contractually obligated to protect such information and may only use it for the purposes specified by us. Our service providers include:

  • Cloud Infrastructure Providers: For hosting and data storage services.
  • Payment Processors: For processing subscription payments.
  • Email Service Providers: For sending transactional and marketing emails.
  • Customer Support Platforms: For managing support tickets and inquiries.
  • Analytics Providers: For analyzing usage patterns and improving services.
  • Security Service Providers: For security monitoring and threat detection.

8.3 Sharing with Banking Partners

For payroll disbursement purposes, employee banking information and salary amounts may be transmitted to banking partners through secure channels. This sharing is necessary to facilitate the deposit of salaries to employee bank accounts.

8.4 Sharing with Employers (Subscribers)

For Employee Data processed on behalf of Subscribers, personal information is accessible to the Subscriber (employer) and its designated administrators and authorized users. Employees should refer to their employer's privacy notice for information about how their employer processes their personal information.

8.5 Disclosure Required by Law

We may disclose personal information when required to do so by law, regulation, legal process, or governmental request, including but not limited to: (a) compliance with court orders, subpoenas, or legal process; (b) response to requests from law enforcement or other government agencies; (c) protection of our legal rights or defense against legal claims; and (d) investigation of fraud, security issues, or potential violations of our terms.

8.6 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, personal information may be transferred as part of such transaction. We will notify affected users of any such transfer and any choices they may have regarding their personal information.

8.7 Aggregated and Anonymized Data

We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify individuals for research, analytics, benchmarking, and other purposes. Such data is not subject to the restrictions of this Privacy Policy.

9. International Data Transfers

9.1 Data Location

Our primary data processing facilities are located in the Philippines. However, some of our service providers may be located in other countries. In such cases, personal information may be transferred to and processed in countries other than the Philippines.

9.2 Safeguards for International Transfers

When we transfer personal information internationally, we implement appropriate safeguards to ensure that such information receives an adequate level of protection, including: (a) ensuring that the recipient country has adequate data protection laws; (b) entering into data processing agreements that include appropriate data protection clauses; (c) implementing technical and organizational security measures; and (d) complying with the requirements of the NPC for cross-border transfers.

10. Data Retention

10.1 Retention Periods

We retain personal information for as long as necessary to fulfill the purposes for which it was collected, including to comply with legal, accounting, or reporting requirements. The specific retention periods depend on the type of data and the applicable legal requirements:

  • Active Subscriber Data: Retained throughout the subscription term and for a reasonable period thereafter to allow for data export and to address any disputes.
  • Employee Data: Retained as directed by the Subscriber. Upon termination of the subscription, Employee Data is retained for 30 days to allow for export, then deleted unless longer retention is required by law.
  • Payroll and Tax Records: Retained for at least 10 years as required by the National Internal Revenue Code for tax records and by the Labor Code for payroll records.
  • SSS, PhilHealth, and Pag-IBIG Records: Retained for at least 10 years as required by applicable regulations.
  • Usage Logs and Security Data: Retained for 2 years for security, troubleshooting, and audit purposes.
  • Marketing Data: Retained until consent is withdrawn or the data subject opts out.

10.2 Deletion and Anonymization

After the applicable retention period, personal information is securely deleted or anonymized so that it can no longer be used to identify individuals. Deletion is performed using secure methods that ensure data cannot be recovered. Backup copies may be retained for a limited additional period as part of our disaster recovery procedures, after which they are also deleted.

11. Data Security

11.1 Security Measures

We implement comprehensive technical, organizational, and physical security measures designed to protect personal information against unauthorized access, alteration, disclosure, destruction, or loss. These measures include:

(a) Technical Security Measures:

  • Encryption of data in transit using TLS 1.2 or higher
  • Encryption of data at rest using AES-256 encryption
  • Field-level encryption for sensitive data such as government ID numbers and bank account numbers
  • Secure hashing algorithms for password storage (bcrypt with appropriate work factors)
  • Multi-factor authentication options
  • Role-based access controls and principle of least privilege
  • Regular security assessments and penetration testing
  • Intrusion detection and prevention systems
  • Web application firewalls
  • DDoS protection
  • Secure software development practices
  • Regular security patches and updates

(b) Organizational Security Measures:

  • Information security policies and procedures
  • Employee security awareness training
  • Background checks for employees with access to personal information
  • Confidentiality agreements
  • Incident response procedures
  • Business continuity and disaster recovery plans
  • Regular security audits and assessments
  • Vendor security assessments

(c) Physical Security Measures:

  • Secure data center facilities with 24/7 security
  • Access controls and monitoring
  • Environmental controls (fire suppression, climate control)
  • Redundant power and connectivity

11.2 No Guarantee of Security

While we implement robust security measures, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee the absolute security of personal information. Users are responsible for maintaining the confidentiality of their account credentials and for any activities that occur under their accounts.

11.3 Security Recommendations

We recommend that users take the following steps to help protect their personal information: (a) use strong, unique passwords; (b) enable multi-factor authentication when available; (c) keep software and devices up to date; (d) be cautious of phishing attempts; (e) log out of accounts when using shared devices; and (f) report any suspected security issues to us immediately.

12. Your Rights Under the Data Privacy Act

Under the Data Privacy Act of 2012, data subjects have the following rights with respect to their personal information:

12.1 Right to Be Informed

You have the right to be informed whether your personal information is being, or has been, processed. This includes the right to be informed of: (a) the personal information about you that is being processed; (b) the purposes of processing; (c) the scope and method of processing; (d) the identity and contact details of the personal information controller; (e) the period for which the information will be stored; and (f) the existence of your rights as a data subject.

12.2 Right to Access

You have the right to reasonable access to your personal information held by LionBox or by your employer through our Services. Upon request, and subject to verification of your identity, we will provide you with: (a) the contents of your personal information that was processed; (b) the sources from which it was obtained; (c) the names and addresses of recipients of the personal information; (d) the manner by which such data was processed; (e) the reasons for the disclosure to recipients, if any; (f) information on automated processes where the data will or is likely to be made as the sole basis for any decision affecting the data subject; and (g) the date when the personal information was last accessed and modified.

12.3 Right to Rectification

You have the right to dispute the inaccuracy or error in your personal information and have it corrected, unless the request is vexatious or otherwise unreasonable. If the personal information has been corrected, we shall ensure the accessibility of both the new and the retracted information and the simultaneous receipt of the new and the retracted information by recipients thereof, provided that the third party to whom the corrected personal information has been disclosed shall agree to the same.

12.4 Right to Erasure or Blocking

You have the right to request the suspension, withdrawal, blocking, removal, or destruction of your personal information from the filing system. This right may be exercised when: (a) the personal information is incomplete, outdated, false, or unlawfully obtained; (b) the personal information is being used for purposes not authorized by the data subject; (c) the personal information is no longer necessary for the purposes for which it was collected; (d) you withdraw consent or object to the processing, and there is no other legal ground or overriding legitimate interest for the processing; (e) the personal information concerns private information that is prejudicial to the data subject unless justified by freedom of speech, expression, or the press; or (f) the processing is unlawful.

12.5 Right to Object

You have the right to object to the processing of your personal information, including processing for direct marketing, automated processing, or profiling. You may also object to the processing of your personal information based on your particular situation. Upon objection, we shall no longer process the personal information unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims.

12.6 Right to Data Portability

You have the right to obtain your personal information in an electronic or structured format that is commonly used and allows for further use. This right enables you to receive your personal information from us and transmit it to another personal information controller.

12.7 Right to Damages

You have the right to be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of your personal information, taking into account any violation of your rights and freedoms as a data subject.

12.8 Right to File a Complaint

If you believe that your data privacy rights have been violated, you have the right to lodge a complaint with the National Privacy Commission or to seek recourse through appropriate legal means.

12.9 Limitations on Rights

The rights described above may be limited in certain circumstances, including when: (a) disclosure would reveal personal information about another person; (b) disclosure would reveal confidential commercial information; (c) the request is manifestly unfounded or excessive; (d) legal privilege applies; or (e) exercising the right would adversely affect the rights and freedoms of others.

13. Exercising Your Rights

13.1 Employee Data Subjects

If you are an employee whose personal information is processed through our Services by your employer (our Subscriber), you should direct requests to exercise your data privacy rights to your employer in the first instance, as your employer is the Personal Information Controller for your Employee Data. Your employer will process your request in accordance with their own privacy policies and procedures, and may instruct us to assist with fulfilling your request.

13.2 Subscribers and Other Data Subjects

If you are a Subscriber, website visitor, or other data subject whose personal information LionBox controls directly, you may exercise your data privacy rights by contacting our Data Protection Officer using the contact information provided in Section 19. We will respond to your request within a reasonable period, and in any case within 30 days of receiving your request.

13.3 Verification

To protect your privacy and security, we may need to verify your identity before responding to your request. This verification may include requesting additional information to confirm your identity. If we are unable to verify your identity, we may not be able to fulfill your request.

13.4 Fees

We do not charge a fee for processing requests to exercise data privacy rights. However, if your request is manifestly unfounded or excessive, particularly if it is repetitive, we may charge a reasonable fee taking into account the administrative costs of providing the information or taking the action requested.

14. Cookies and Tracking Technologies

14.1 Cookies We Use

We use cookies and similar tracking technologies to enhance your experience on our Services. The types of cookies we use include:

  • Essential Cookies: Required for the operation of our Services, including authentication, security, and session management. These cookies cannot be disabled.
  • Performance Cookies: Used to analyze how visitors use our Services and to monitor performance. This helps us improve our Services.
  • Functional Cookies: Used to remember your preferences and provide enhanced, personalized features.

14.2 Third-Party Cookies

We do not use third-party advertising or tracking cookies. We do not sell your personal information to third parties for advertising purposes.

14.3 Cookie Management

You can manage cookies through your browser settings. However, disabling essential cookies may affect the functionality of our Services. For more information about cookies and how to manage them, please visit your browser's help resources.

15. Children's Privacy

Our Services are not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have inadvertently collected personal information from a child under 18, we will take steps to delete such information as soon as possible. If you believe that we may have collected personal information from a child under 18, please contact our Data Protection Officer.

16. Third-Party Links and Services

Our Services may contain links to third-party websites, applications, or services that are not owned or controlled by LionBox. This Privacy Policy does not apply to such third-party services. We are not responsible for the privacy practices of third parties, and we encourage you to review the privacy policies of any third-party services you access.

17. Data Breach Notification

17.1 Breach Response

In the event of a personal data breach, LionBox will implement its incident response procedures to contain and investigate the breach, assess the risk of harm, and take appropriate remedial measures.

17.2 Notification to NPC

In accordance with NPC Circular 16-03, LionBox will notify the National Privacy Commission within seventy-two (72) hours upon knowledge of, or when there is reasonable belief that, a personal data breach has occurred, if the breach: (a) involves sensitive personal information; (b) is likely to result in a real risk of serious harm to the affected data subjects; or (c) affects at least 100 individuals, or to the extent that the personal information controller is unable to ascertain the full scope of the breach.

17.3 Notification to Affected Data Subjects

LionBox will notify affected data subjects within seventy-two (72) hours upon knowledge of, or when there is reasonable belief that, a personal data breach requiring notification has occurred. The notification will include: (a) the nature of the breach; (b) the personal information potentially involved; (c) measures taken or proposed to address the breach; (d) measures that affected data subjects can take to protect themselves; (e) the identity and contact details of the Data Protection Officer; and (f) any other information that the NPC may require.

17.4 Notification to Subscribers

For breaches involving Employee Data processed on behalf of Subscribers, LionBox will notify the affected Subscriber without undue delay upon becoming aware of the breach, so that the Subscriber can fulfill its own notification obligations as the Personal Information Controller.

18. Changes to This Privacy Policy

18.1 Right to Modify

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. The "Last updated" date at the top of this Policy indicates when the Policy was last revised.

18.2 Notification of Changes

If we make material changes to this Privacy Policy, we will notify you by: (a) posting the updated Policy on our website; (b) sending an email to the email address associated with your account; and/or (c) displaying a prominent notice within our Services. We encourage you to review this Policy periodically to stay informed about our privacy practices.

18.3 Continued Use

Your continued use of our Services after any changes to this Privacy Policy constitutes your acceptance of the updated Policy. If you do not agree to the updated Policy, you should stop using our Services and contact us to request deletion of your personal information.

19. Data Protection Officer

In accordance with the Data Privacy Act, LionBox has appointed a Data Protection Officer (DPO) who is responsible for overseeing our data protection strategy and implementation. The DPO can be contacted for any inquiries, requests, or complaints regarding the processing of personal information:

Data Protection Officer

LionBox, Inc.

Email: dpo@lionbox.work

Phone: +63 (2) XXXX-XXXX

Address: Metro Manila, Philippines

20. Filing a Complaint with the National Privacy Commission

If you believe that your data privacy rights have been violated, or if you are not satisfied with how we have handled your request or complaint, you have the right to file a complaint with the National Privacy Commission (NPC):

National Privacy Commission

3rd Floor, Core G, GSIS Headquarters Building

Financial Center, Pasay City 1308, Philippines

Telephone: +63 (2) 8234-2228

Email: complaints@privacy.gov.ph

Website: https://privacy.gov.ph

21. Contact Information

If you have any questions, comments, or concerns about this Privacy Policy or our privacy practices, please contact us at:

For Privacy Inquiries:

Email: privacy@lionbox.work

For Data Subject Requests:

Email: dpo@lionbox.work

For General Inquiries:

Email: support@lionbox.work

Mailing Address:

LionBox, Inc.

Attention: Privacy Team

Metro Manila, Philippines

BY USING OUR SERVICES, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS PRIVACY POLICY AND AGREE TO THE COLLECTION, USE, STORAGE, AND DISCLOSURE OF YOUR PERSONAL INFORMATION AS DESCRIBED HEREIN. IF YOU DO NOT AGREE TO THIS PRIVACY POLICY, PLEASE DO NOT USE OUR SERVICES.