OTO Insurance Privacy Policy
OTO Insurance Agency Corporation (“Company” or “we”), with SEC Registration No.: 2024040144280-02 is concerned about the privacy of the data and information of its users on any of the Company’s websites, mobile sites or mobile applications accessible through various internet enabled smart devices (individually and collectively referred to as “Platform”) or otherwise doing business with the Company and other individuals (collectively “you”).
The Company is committed to ensuring the privacy and confidentiality of your information under Republic Act No. 10173 (or the “Data Privacy Act of 2012”) and will exert reasonable efforts to protect against, inter alia, its unauthorized use or disclosure, taking the following responsive action should a data breach occur. In the event of a breach, we will notify you via email and/or through a phone call within seventy-two (72) hours from the discovery of such security breach. The notification will describe the nature of the breach, the sensitive personal information possibly involved, and the measures taken by us to address the breach. The notification shall also include measures taken to reduce the harm or negative consequences of the breach, information regarding the Company’s Data Protection Officer, including his/her contact details, from whom you can obtain additional information about the breach, and any assistance to be provided to you.
The Company implements and adopts this privacy policy (“Privacy Policy”) in furtherance of these specific objectives:
- Ensure fair and lawful processing of the personal data of data subjects, including the Company’s employees, clients, customers, shareholders and other individuals;
- Ensure the confidentiality, integrity and availability of personal data under the control of the Company;
- Protect the Company from reputational and legal risks that may result from non-compliance with the Data Privacy Act and the regulations of the National Privacy Commission (“NPC”); and
- Comply with the statutory obligations set forth under the Data Privacy Act and the regulations of the NPC.
Who does this policy apply to?
This Privacy Policy applies to the data subject, which refers to an individual whose personal, sensitive personal and/or privileged information is processed and includes the Company’s employees, clients, shareholders, job applicants, customers and other individuals whose personal data is collected by the Company. This also includes the following: (i) all individuals accessing our website, including personnel of the Company, regardless of the type of employment or contractual arrangement, (ii) individuals communicating with us through our website, platform, or electronic mail, (iii) users and owners of Company accounts, products and services, (iv) the Company’s clients and individuals inquiring for financing with us whether through our website or through electronic mail, and (v) individuals communicating with us for any other reason whether through our website, offline agents or through electronic mail. If your relationship with us is governed by a specific and definitive legal agreement, that agreement should be read together with this Privacy Policy.
The Privacy Policy applies to all personal data held by the Company relating to identifiable information of individuals in whatever form (e.g., physical or digital), and the processing of personal data in whatever manner (e.g., manual or automated). This Privacy Policy shall be subject to limitations provided under Section 5 (Special Cases) of the Data Privacy Act’s Implementing Rules and Regulations (“IRR”).
What data do we collect?
We collect your personal information during your usage of our Platform, when you avail of any of the products or services available on or through the Platform, or through communications with any of the Company’s employees or agents. The information collected by the Company may consist of:
1. Personal Information:
Under the Data Privacy Act:
Personal information refers to, but is not limited to:
Any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information or when put together with other information would directly and certainly identify an individual.
Sensitive personal information refers to, but is not limited to:
- an individual’s race, ethnic origin, marital status, age, color and religious, philosophical or political affiliations;
- an individual’s health, education, genetic, sexual life, or proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings or the sentence of any court in such proceedings;
- information issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
- information specifically established by an executive order or an act of Congress to be kept classified.
Privileged information refers to, but is not limited to:
Any and all forms of data, which, under the Rules of Court and other pertinent laws constitute privileged communication.
2. Non-personal Information:
- Usage: Information on how you use our Platform, such as the types of content that you view or engage with, the features you use, your searches and results, your browsing information, the actions you take, and the time, frequency and duration of your activities.
- Device Information: Information about the computer, mobile, laptop, tablet or any other internet enabled electronic device (“Device”) you use to access the Platform. This may include real-time information about the geographic location of your device as permitted by you, internet connection, your IP address, operating systems, platforms, browsing information, Device type, Device ID, network information, metadata and other information associated with other files stored on your device, last URL visited, and your website search history.
- Your transaction documents and business history with our business partners; and
- Other information as we may need from time to time.
How do we collect data?
The Company collects data whenever you voluntarily provide them to us, such as when you:
- register online via our website;
- voluntarily send your data to us via email, in writing, through the telephone, or in person through our offline agents;
- request us for information on our products and services; and
- provide feedback.
We may also receive your data indirectly from the following sources:
- your representative;
- your contractor or supplier;
- your business partner;
- an organization or association which you are a member of or whose mandate is to collect and process your personal data on your behalf; and
- other publicly available sources of information.
If you are sharing with us any personal information not belonging to you as a representative of other persons, you represent and warrant that you secured the consent of the other persons who own such personal information before sharing their personal information with us. You agree to provide us with documentation proving this upon our request. You also agree that you will indemnify us for and against any liabilities, damage, claims, costs, charges, and demands of whatever kind or nature in connection with or arising from sharing such personal information with us.
How do we use your information?
We may use the information we collect from you when you apply for a loan, leave an offline message, respond to a marketing communication, surf the website, or use certain other site features in the following ways:
- to conduct identity verifications through tele-verification and credit bureau checks;
- to conduct identity verification through field surveys;
- to assess credit worthiness;
- to process credit transactions; or
- to follow up after correspondence (live chat, email or phone inquiries).
We warrant that all use and processing of your personal data, which have been given with your consent as the data subject, are:
- necessary for and related to the fulfillment of a contract with you, or in order to take steps at your request prior to entering into a contract;
- necessary for compliance with a legal obligation to which the Company is subject; or
- necessary for the purposes of the legitimate interests pursued by the Company or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.
Who has access to the data we collect?
Your information may be shared across different entities of the Company group as may be required from time to time to fulfill the purposes for which such information was collected or for a related purpose. Whenever necessary, we may also need to share your information with our service providers, relevant government agencies, or potential and present investors, lenders, buyers or shareholders, or anyone to whom we are required by law to disclose personal information.
The Company shall be responsible for ensuring that proper safeguards are in place to ensure the confidentiality of the personal information processed, prevent its use for unauthorized purposes, and generally, comply with all the requirements of the Data Privacy Act and other laws for processing of personal information.
What are your rights?
We would like to make sure that you are fully aware of all your data protection rights. You are entitled to the following rights as a data subject under the Data Privacy Act:
- Right to be informed: You have the right to be informed whether your personal data shall be, are being, or have been processed, including the existence of automated decision-making and profiling. You, as the data subject, have the right to be informed on the following matters:
  - whether your personal data shall be, are being or have been processed;
  - the type of personal data to be entered into the data processing system;
  - the purpose/s for the processing;
  - the scope and method of processing;
  - the parties to whom the personal data may be disclosed;
  - methods utilized for automated access if allowed by the data subject;
  - contact details of the Company or its representative;
  - period for which the personal data will be stored; and
  - existence of your rights as a data subject.
- Right to access: You have the right to reasonable access, upon demand, to the following:
  - sources from which the personal information was obtained;
  - name and address of the recipients of the personal data;
  - manner by which the personal data was processed;
  - reasons for the disclosure of the personal data to the recipients;
  - information on automated processes where the personal data will be, or is likely to be, made the sole basis for any decision significantly affecting or that will affect the data subject;
  - date when your personal data was last accessed or modified; and
  - name, address and contact details of the Company or its representative.
- Right to object: You shall have the right to object to the processing of your personal data where such processing is based on consent or legitimate interest.
- Right to file a complaint: You have a right to file a complaint for any violation of rights granted under the Data Privacy Act.
- Right to Rectification: You have the right to request the correction of inaccurate or incomplete personal data we hold about you, unless the request is unreasonable or unjustified.
- Right to Erasure or Blocking: You can request the deletion or blocking of your personal data from the Company under certain circumstances, upon discovery and substantial proof that the personal data are incomplete, outdated, false, unlawfully obtained, used for unauthorized purpose or no longer necessary for the purposes for which they were collected.
- Right to Damages: You have the right to seek compensation and indemnity for any direct and actual losses caused by the inaccurate, incomplete, false, unlawfully obtained or unauthorized use of personal data.
- Right to Data Portability: You have the right to obtain a copy of your personal data upon request in an electronic or structured format that allows for further use, subject to the specifications, technical standards, modalities, procedures, and other rules for the transfer of such personal data to be issued by the NPC.
The foregoing rights may be invoked by your lawful heirs or assigns in case of your death or incapacity.
Exercising Your Rights
To exercise any of your rights, please write to our Data Protection Officer at legal@carbay.com. We will need enough information from you in order to ascertain your identity as well as the nature of your request, so as to be able to deal with your request. All communications should include, at least, the following details:
- Your full name and contact information; and
- Brief description of your query or feedback.
The following is the specific procedure for exercising your rights as a data subject under the Data Privacy Act:
- Request form. The requesting party shall be required to accomplish the request form found in the Company’s website.
- Verification of the identity of the requesting party. The requesting party shall be required to disclose personal information as may be necessary.
- Fees and charges. Generally, the Company shall not charge any fee to fulfill the exercise of data subject rights. As an exception, where data subjects request copies of their personal data and the other information in exercising their right to access, we may require reasonable fees to cover administrative costs: provided, that fees imposed shall not be so exorbitant or excessive as to have the effect of discouraging such requests.
- Reasonable period for complying with the request. The request of the data subject shall be addressed within a period not exceeding 30 working days after receipt of the request and/or the necessary supporting or additional documentation: provided further, that if a request is complex or numerous, compliance with such request may be extended for a period not exceeding another 15 working days: provided finally, that the data subject or his or her authorized representative is notified of the reason for the extension.
- Non-retention of data. The Company shall not retain personal data for the sole purpose of making it available for potential future requests for the right to access or data portability.
How We Protect Your Data
We implement reasonable and appropriate organizational, technical, and physical measures to protect your data. Any disclosure we make shall be done so on a strictly need-to-know basis only. We can provide you confirmation on what information about you we process, upon your written request and subject to costs that shall be borne by you.
We shall implement reasonable and appropriate organizational, physical and technical measures intended for the protection of personal information against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing. We shall implement reasonable and appropriate measures to protect personal information against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.
To protect your data, the Company implements protective measures which include, but are not limited to:
- safeguards to protect its computer network against accidental, unlawful or unauthorized usage or interference with or hindering of their functioning or availability;
- a security policy with respect to the processing of personal information;
- a process for identifying and assessing reasonably foreseeable vulnerabilities in our computer networks, and for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach;
- a monitoring system for security breaches and a process for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach; and
- safeguards to ensure that any third parties processing personal information on its behalf shall implement the security measures required by this provision.
All employees, agents or representatives of the Company who are involved in the processing of personal information shall operate and hold personal information under strict confidentiality if the personal information is not intended for public disclosure. This obligation shall continue even upon termination of employment or contractual relations.
The Company shall promptly notify the NPC and affected data subjects when sensitive personal information, or other information that may, under the circumstances, be used to enable identity fraud, is reasonably believed to have been acquired by an unauthorized person, and the personal information controller or the NPC believes that such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject. The notification shall at least describe the nature of the breach, the sensitive personal information possibly involved, and the measures taken by the entity to address the breach. The notification shall also include measures taken to reduce the harm or negative consequences of the breach, information regarding the Company’s Data Protection Officer, including his/her contact details, from whom you can obtain additional information about the breach, and any assistance to be provided to you. Notification may be delayed only to the extent necessary to determine the scope of the breach, to prevent further disclosures, or to restore reasonable integrity to the information and communications system.
Third-party disclosure
The Company shall not sell, trade, or otherwise transfer your personal information to outside parties. Acts related to the unauthorized processing, transfer, trading or selling of information are illegal and punishable under the law.
That said, under the Data Privacy Act, the Company may subcontract the processing of personal information to a third party, provided that it shall be responsible for ensuring that proper safeguards are in place to ensure the confidentiality of the personal information processed, prevent its use for unauthorized purposes, and generally, comply with the requirements of the Data Privacy Act and other laws for processing of personal information. The subcontractor shall comply with all the requirements of the Data Privacy Act and other applicable laws in the same force and degree as the Company.
Consent to Data Usage
Under the Data Privacy Act, consent of the data subject refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of his or her personal data, sensitive personal data and privileged information. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of a data subject by a lawful representative or an agent specifically authorized by the data subject to do so.
By availing our services, you agree to the collection, use, and processing of your personal data for legitimate purposes.
Data Retention and Storage
Company shall maintain an information and communications system, which refers to a system for generating, sending, receiving, storing or otherwise processing electronic data messages or electronic documents and includes the computer system or other similar device by or which data is recorded, transmitted or stored and any procedure related to the recording, transmission or storage of electronic data, electronic message, or electronic document. The information and communications system shall be secured to protect the data which it processes and stores in its systems.
All personal information maintained by Company shall be:
- collected for specified and legitimate purposes determined and declared before, or as soon as reasonably practicable after collection, and later processed in a way compatible with such declared, specified and legitimate purposes only;
- processed fairly and lawfully;
- accurate, relevant and, where necessary for the purposes for which it is to be used, kept up to date; inaccurate or incomplete data must be rectified, supplemented, destroyed or their further processing restricted;
- adequate and not excessive in relation to the purposes for which they are collected and processed;
- retained only for as long as necessary for the fulfillment of the purposes for which the data was obtained or for the establishment, exercise or defense of legal claims, or for legitimate business purposes, or as provided by law; and
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected and processed: provided, that personal information collected for other purposes may be processed for historical, statistical or scientific purposes, and in cases laid down in law may be stored for longer periods: provided, further, that adequate safeguards are guaranteed by said laws authorizing their processing.
All personal information maintained by the Company shall be secured, as far as practicable, with the use of the most appropriate standard recognized by the information and communications technology industry, and as recommended by the NPC. Company shall be responsible for complying with the security requirements mentioned herein while the NPC shall monitor the compliance and may recommend the necessary action in order to satisfy the minimum standards.
Contact our AFC Data Protection Officer
In accordance with applicable laws and regulations, you may request access to, or correction of, your personal information held by us, or inquire about our data protection policies and practices. For queries or concerns on data privacy, please contact our Data Protection Officer at legal@carbay.com.