Ventris Logo

DATA PRIVACY POLICY

Version 0 – February 19, 2026

I. Purpose

Ventris OPC (“Company,” “we,” “us,” or “our”) is committed to protecting the privacy and personal data of our users, customers, and stakeholders. This Privacy Policy outlines how we collect, use, store, and protect personal data in accordance with the Philippine Data Privacy Act of 2012 (Republic Act No. 10173), its Implementing Rules and Regulations, and relevant issuances of the National Privacy Commission (NPC).

Through this Privacy Policy, we aim to:

  • Ensure transparency in our data processing activities by informing individuals about how their personal data is collected, used, shared, and retained.
  • Uphold data subject rights, including the right to access, correct, and object to the processing of their personal data, in compliance with applicable privacy laws.
  • Establish accountability measures and security safeguards to protect personal data against unauthorized access, disclosure, alteration, or destruction.
  • Demonstrate our commitment to privacy and data protection as a core component of our operations and compliance program.

II. Scope

This Data Privacy Policy applies to all resources involved in the collection, use, storage, sharing, retention and disposal of personal data within Ventris OPC in the course of its business operations, including freight forwarding services, storage and warehousing, logistics services, business brokerage activities, and wholesale trade.

Specifically, this policy protects the following resources:

  • Facilities – All company premises where personal data is processed, stored, or accessed, including offices, warehouses, and storage facilities.
  • Hardware and Software – All IT infrastructure, systems, devices, and applications used to collect, store, transmit, and process personal data, including databases, cloud storage, and communication tools.
  • Information – All forms of personal data processed by the company, whether electronic, physical, or verbal, covering clients, employees, suppliers, vendors, and other stakeholders.
  • Personnel – All individuals handling personal data on behalf of the company, including employees, contractors, and third-party service providers.

This policy applies to all company personnel and third parties authorized to access or process personal data. It governs data processing activities conducted within company facilities, through its IT systems, and via third-party services.

This policy is established in compliance with the Philippine Data Privacy Act of 2012 (Republic Act No. 10173), its Implementing Rules and Regulations, and relevant issuances of the National Privacy Commission (NPC).

III. Applicability

This policy applies to all individuals and entities that collect, use, store, or share personal data on behalf of Ventris OPC, including:

  • Employees
  • Contractors and Service Providers
  • Clients and Customers
  • Suppliers and Vendors
  • Visitors and Other Stakeholders

All individuals and entities covered under this policy are expected to comply with its provisions to ensure the protection of personal data in accordance with the Philippine Data Privacy Act of 2012 and other applicable regulations.

IV. Roles and Responsibilities

Ventris OPC is committed to ensuring that all personnel, contractors, vendors, and other stakeholders comply with this Privacy Policy. Data protection is a shared responsibility across all levels of the organization.

Data Protection Officer (DPO) and Compliance Officer for Privacy (COP)

Ventris OPC designates a Data Protection Officer (DPO) and, where applicable, a Compliance Officer for Privacy (COP), responsible for overseeing compliance with the Philippine Data Privacy Act of 2012 (Republic Act No. 10173) and related regulations.

The DPO's responsibilities include monitoring compliance, conducting Privacy Impact Assessments, advising on data subject rights and complaints, managing breach notifications, promoting privacy awareness, reviewing privacy policies, coordinating with the NPC, and performing other duties necessary to uphold data protection.

Except for items (a) to (c), a COP shall perform all other functions of a DPO and assist the supervising DPO where appropriate.

Senior Management

Senior Management is responsible for:

  • Ensuring the organization's privacy program is adequately resourced
  • Promoting a culture of data protection
  • Supporting security implementation
  • Approving privacy policies and procedures

Department Heads and Managers

Responsible for:

  • Implementing data privacy practices
  • Ensuring employee training
  • Reporting risks or breaches
  • Ensuring departmental compliance

Employees

Employees must:

  • Handle personal data responsibly
  • Prevent unauthorized access or misuse
  • Report privacy concerns immediately
  • Complete mandatory training
  • Follow proper processing procedures

Third-Party Vendors and Service Providers

Must:

  • Comply with contractual data protection obligations
  • Implement appropriate security measures
  • Notify the Company of breaches
  • Ensure subcontractor compliance

Users and Customers

Responsible for:

  • Providing accurate personal data
  • Protecting account credentials
  • Reviewing this Privacy Policy
  • Exercising rights responsibly

V. Compliance

All covered individuals and entities must comply with this Privacy Policy.

Non-compliance may result in:

  • Employees: Disciplinary action up to termination
  • Third Parties: Contract termination or legal action
  • Users/Customers: Suspension or termination of access
  • Legal Violations: Regulatory penalties and enforcement actions

Ventris OPC will investigate and mitigate all compliance breaches.

VI. Organizational Responsibilities

As a Personal Information Controller (PIC), Ventris OPC shall:

  • Comply with the DPA
  • Designate and register its DPO
  • Register data processing systems
  • Conduct Privacy Impact Assessments
  • Implement organizational, physical, and technical safeguards
  • Notify the NPC and affected individuals in case of breach
  • Train personnel
  • Maintain confidentiality
  • Use contractual safeguards with third parties

As a Personal Information Processor (PIP), Ventris OPC shall:

  • Process only upon PIC instructions
  • Implement security safeguards
  • Assist PIC in compliance and data subject rights
  • Not engage another processor without authorization
  • Inform PIC of unlawful instructions
  • Conduct PIA and maintain privacy program

VII. Data Subject Rights

Data subjects have the right to:

  • Be informed
  • Seek damages
  • Access personal data
  • File complaints with the NPC
  • Object to processing
  • Rectify inaccurate data
  • Request erasure or blocking
  • Exercise data portability

All rights are exercised in accordance with the Philippine Data Privacy Act of 2012.

VIII. Data Use Rules

a. What Information We Collect

Ventris OPC collects personal data through:

  • Forms (feedback, resume, supplier forms, etc.)
  • Calls, chats, email, SMS
  • Social media applications
  • Online platform bookings
  • Mobile app registration

Collected data categories include:

  • Employment-related data
  • User and Patient data
  • Merchant and Doctor data
  • Vendor and partner data

b. Legal Bases for Processing

Processing is based on:

  • Legal obligation – Necessary to fulfill a legal obligation imposed on the Organization.
  • Contract performance – Necessary for the execution or fulfillment of a contract with the data subject.
  • Vital interest – Necessary to safeguard the data subject's essential interests, particularly those related to life and health.
  • Legitimate interest – Necessary to fulfill the legitimate interests of the PIC or PIP, provided these do not override the data subject's fundamental rights.
  • Consent – The data subject has given his or her consent.

c. Log Management

Ventris OPC collects log data including:

  • IP address
  • Pages accessed
  • Date and time
  • Geolocation
  • Device and browser information

For purposes including security, debugging, compliance, fraud detection, and system health monitoring.

d. Risks

Ventris OPC implements reasonable safeguards but acknowledges risks such as cyberattacks, malware, ransomware, or unauthorized access. While we strive to protect your data, no system is completely secure.

e. Security Measures

Ventris OPC implements:

  • Organizational safeguards – Policies, DPO appointment, training, access controls, audits, breach notification procedures, and third-party agreements.
  • Physical safeguards – Secure facilities, locked storage areas, CCTV, visitor control, and secure disposal of physical records.
  • Technical safeguards – Encryption, firewalls, access controls, antivirus, secure development practices, data masking, monitoring, and incident response procedures.

f. Storage and Retention

Ventris OPC stores data in secure servers and cloud environments.

Retention period: Two (2) years from the last triggering event (e.g., last sign-in or transaction).

After the retention period, data is securely disposed of or anonymized for statistical purposes.

g. Disclosure and Transfer

Ventris OPC may share personal data with authorized third parties within the Philippines under appropriate contractual safeguards, including Data Sharing Agreements, Non-disclosure Agreements, and Outsourcing Agreements.

h. Selling of Personal Data

Ventris OPC may sell data only in aggregated, anonymized form for statistical or research purposes, ensuring no personal identifiers are included prior to sale.

i. Disposal

Secure disposal methods include:

  • Data wiping using specialized software tools
  • Overwriting data with random values multiple times
  • Secure digital deletion upon account opt-out
  • Industry-standard destruction methods for physical records

IX. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, you may contact:

Data Protection Officer (DPO)

Ventris OPC

Address:
161 Pharmaserv Express,
F Mariano Ave., Dela Paz,
District 2, Pasig City
NCR – Philippines

Email: dataprotection@ventris.ph

X. Policy Review and Updates

This Privacy Policy shall be regularly reviewed and updated to ensure its continued relevance, effectiveness, and compliance with applicable laws, regulations, and industry standards, including the Philippine Data Privacy Act of 2012 (R.A. 10173).

The Data Protection Officer (DPO), in coordination with relevant stakeholders, shall conduct a formal review at least once annually or whenever there are significant changes in:

  • Legal or regulatory requirements governing data privacy and protection
  • Organizational policies, business processes, or data processing activities
  • Emerging risks, threats, or security vulnerabilities affecting personal data

Any revisions to this Privacy Policy shall be approved by Management and communicated to all affected stakeholders. The latest version of this policy shall be made available through our Company website, internal portal, or other official communication channels.