Master Privacy Policy Outline: AeonSuite

Part I: AeonSuite Master Privacy Policy (The Hub)

This document provides the "big picture" for the entire ecosystem.

1. Introduction and Scope

1.1. Who We Are (The PIC): AeonSprint Solutions is the Personal Information Controller (PIC) for the AeonSuite platform and all its affiliated applications.

1.2. Scope: This Master Policy covers the data processing activities related to the use of the AeonSuite platform, shared infrastructure, and common services.

1.3. Family of Apps: A list of the current applications covered by this suite:

• Badgermint

• TripidQuest

• “Project Rider” - [Future App  - To be disclosed at launch]

1.4. Layered Approach Notice and Just-in-Time Consent: Explicitly state that for specific details on data collected by an individual app (like location or usage data), the user must consult that app's specific Privacy Notice. Furthermore, for sensitive data collection (such as precise location in TripidQuest), we utilize a "Just-in-Time" Notice to obtain specific consent at the point of collection, in line with advanced compliance recommendations like NPC Advisory No. 2024-03.

2. Data Collected by the AeonSuite Hub (Shared Data)

The AeonSuite Hub collects and processes the following data, which is essential for creating your unified account, maintaining security, and enabling the single sign-on experience across our entire family of applications (Badgermint, TripidQuest, and future services). This data is considered Shared Data across the ecosystem.

2.1. Account & Credentials (Data from Google Sign-In)

As Google Sign-In is the sole authentication gateway for account creation, the following information is collected from your Google account upon initial sign-in and used to establish your core profile within the AeonSuite Hub:

Data Collected and Necessity:

• Name

To personalize your user experience and for basic identification across all AeonSuite applications.

• Email Address

Essential for account recovery, primary communication, and sending critical service and security alerts.

• Profile Picture

For personalizing your user profile and identity across the entire AeonSuite platform.

• Google User ID

Used as a unique, non-PII identifier in our system, essential for maintaining security and enabling the seamless single sign-on (SSO) experience.

2.2. Device & Technical Information (Automatically Collected)

When you access or use the AeonSuite Hub or any of its applications, we automatically collect certain technical data to ensure service delivery, troubleshoot issues, and enhance the platform's security and performance:

Data Collected and Necessity:

• IP Address

Necessary for fraud prevention, detecting unauthorized access, and for generating non-precise location data for service localization.

• Device Type, Operating System, Browser Type

Essential for optimizing the application's performance, ensuring compatibility, and troubleshooting technical support issues.

• Usage/Activity Logs

Used to monitor general interaction, analyze feature adoption, and improve the overall user experience and platform functionality.

• Location Data (General, non-precise)

Derived from your IP address or device settings, used strictly for security, fraud prevention, and service localization purposes.

3. Data Sharing (The "Hub" Logic)

As the Personal Information Controller, AeonSuite must be explicit about how and why your data is shared. Data sharing is categorized into internal sharing within the AeonSuite ecosystem and external sharing with third parties.

3.1. Internal Sharing within the AeonSuite Ecosystem (Affiliates/Partners)

The sharing of data between AeonSuite, Badgermint, TripidQuest, and any future applications under AeonSprint Solutions (our affiliates) is considered a secondary purpose for processing.

Legal Basis: This sharing is based on your explicit consent to the AeonSuite Master Privacy Policy, which governs the use of the entire family of apps.

Purpose and Details: Your data is shared for the purpose of a unified user experience and to enable single sign-on, which is necessary for the platform to function as a seamless ecosystem. Shared credentials (Name, Email Address, Google User ID) and core user data necessary for pre-filling profiles and ensuring seamless access across applications are shared.

3.2. External Sharing with Third Parties

We share information with external parties only as necessary to operate the service, comply with the law, or protect our rights.

• Service Providers: We share data with third parties that perform services on our behalf and are bound by confidentiality obligations.

  • Examples: Cloud hosting, Google Analytics, and payment processors (e.g., Paymongo, Xendit, Stripe, PayPal).

• Legal Compliance: We will disclose data to law enforcement, government authorities, or other third parties when legally required, or in good faith belief that such action is necessary to comply with a legal obligation.

• Business Transfers: In the event of a merger, acquisition, or sale of assets, your personal information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your personal data.

4. Data Subject Rights & Security

We are committed to upholding your rights as a Data Subject under the Philippine Data Privacy Act (DPA). We also implement robust security measures to protect the personal information you entrust to us.

4.1. Rights of the Data Subject

As a user of the AeonSuite ecosystem, you are afforded the following rights, which you may exercise by contacting our Data Protection Officer (DPO) at privacy@aeonsuite.com:

• Right to Access and Correction: You can view and update your core profile information (Name, Email Address, Profile Picture) directly through the account settings within the AeonSuite platform.

• Right to Deletion (Right to be Forgotten): You may request the permanent deletion of your AeonSuite account and all associated personal data from our systems. This request will be processed in accordance with our data retention policy and legal obligations.

• Right to Object (Marketing): You have the right to object to the processing of your personal data for direct marketing purposes. You can opt-out of receiving marketing communications by following the unsubscribe link provided in any marketing email.

• Do Not Track: Our service does not currently respond to "Do Not Track" signals or other similar mechanisms.

4.2. Security Measures

We implement a rigorous, multi-layered security framework to protect the user data we collect, including the data obtained via Google Sign-In:

• Encryption In Transit: All data transmission between the user's browser, Google's Sign-In service, and our application servers is strictly protected using industry-standard Transport Layer Security (TLS/SSL), ensuring data integrity and confidentiality during transfer (HTTPS).

• Encryption at Rest: Sensitive identifiers, such as the email address, are encrypted in our database using strong, industry-standard cryptographic primitives, specifically AES-256 encryption. The Name and Profile Picture are protected within our secure database environment.

• Secure Storage for IDs: The Google User ID is stored securely and is used as the primary, unique, non-PII identifier for the user within our system.

• Access Control: We employ Role-Based Access Control (RBAC) across all AeonSuite applications to ensure that only authorized and necessary personnel, subject to strict training and need, can view or process raw user data.

• Audit Logging: We maintain comprehensive and detailed logs of all access and changes to user data. These audit logs are regularly reviewed as part of our security monitoring to detect, investigate, and prevent any unauthorized or suspicious activity.

5. Contact Information

We encourage you to contact us first with any questions, concerns, or requests regarding this Master Privacy Policy or the processing of your personal data.

5.1. Data Protection Officer (DPO)

AeonSuite operates under a single Data Protection Officer (DPO) who is responsible for overseeing the data privacy and security of the entire AeonSuite ecosystem, including all affiliated applications.1

• DPO Contact Email for Privacy Requests: privacy@aeonsuite.com

• DPO Name and Office Address: 

  • DPO Officer: Edmundo P. Casulla

  • Address: Ground floor, Unit 15, PFCCC Bldg., Perez Boulevard, Dagupan City, Pangasinan

• Official Website: https://aeonsuite.com

5.2. National Privacy Commission (NPC) Consultation

If you believe that your data privacy rights have been violated, or for matters that remain unresolved after contacting our DPO, you have the right to consult or file a complaint with the National Privacy Commission (NPC) of the Philippines.

Office Address: 25th – 27th Floors, The Upper Class Tower, Quezon Avenue corner Scout Reyes St., Brgy. Paligsahan, Quezon City 1103.

Email for Complaints: complaints@privacy.gov.ph

General Inquiries: info@privacy.gov.ph

Website: https://www.privacy.gov.ph

Trunkline: +632 5322 1322

6. Data Retention

We retain your personal information only for as long as is necessary to fulfill the purpose for which it was collected, to provide our services, and to comply with our legal and regulatory obligations.

• User Account Data: We retain your core profile data (Name, Email Address, Profile Picture, Google User ID) for the entire duration that your AeonSuite account remains active. Upon a user-initiated request for deletion (Right to be Forgotten), your data will be queued for permanent deletion from our active systems. We may retain a backup copy of your data for a limited time (e.g., 90 days) to comply with data recovery, legal obligations, or audit requirements before final, complete deletion.

• Transaction and Usage Data: Data related to your transactions (e.g., TripidQuest rewards, delivery history) and general Usage/Activity Logs are retained for a period necessary for business analysis, accounting, and service improvement (e.g., up to two years). After this period, the data is either permanently deleted or anonymized so that it can no longer be linked back to you.

• Legal and Compliance Holds: In some cases, we may be legally required to retain certain personal information for extended periods to comply with the Philippine Data Privacy Act, tax laws, or other mandatory legal processes, even after an account is terminated.

7. Data Protection Measures

We implement a rigorous, multi-layered security framework to protect the Google user data we collect:

• Encryption In Transit: All data transmission between the user's browser, Google's Sign-In service, and our application servers is strictly protected using industry-standard Transport Layer Security (TLS/SSL), ensuring data integrity and confidentiality during transfer (HTTPS).

• Encryption at Rest:

  • Sensitive identifiers, such as the email address, are encrypted in our database using strong, industry-standard cryptographic primitives, specifically AES-256 encryption.

  • The Name and Profile Picture are protected within our secure database environment.

• Secure Storage and Identification:

  • The Google User ID is stored securely and is used as the primary, unique, non-PII identifier for the user within our system. The Google User ID is never disclosed or shared with external third parties.

• Access Control: We employ Role-Based Access Control (RBAC) across all AeonSuite applications to ensure that only authorized and necessary personnel, subject to strict training and the Principle of Least Privilege, can view or process raw user data.

• Audit Logging: We maintain comprehensive and detailed logs of all access and changes to user data. These audit logs are regularly reviewed as part of our security monitoring to detect, investigate, and prevent any unauthorized or suspicious activity.

8. Specific Google Requirements and Security Measures

To provide you with secure access and the best user experience, we integrate with Google Sign-In for all AeonSuite services.

8.1. Data Collection and Usage

• Sole Authentication Gateway: Google Sign-In is the only method of account creation for Badgermint. All subsequent applications within the AeonSuite ecosystem (Badger, TripidQuest, and future services) utilize the established Badger user account for registration and login.

• Extracted Data: The following data is collected from your Google account upon sign-in and used to establish your core profile:

  • Name

  • Email Address

  • Profile Picture

  • Google User ID

8.2. Data Protection Measures

We implement a rigorous, multi-layered security framework to protect the Google user data we collect:

• Encryption In Transit: All data transmission between the user's browser, Google's Sign-In service, and our application servers is strictly protected using industry-standard Transport Layer Security (TLS/SSL), ensuring data integrity and confidentiality during transfer (HTTPS).

• Encryption at Rest:

  • Sensitive identifiers, such as the email address, are encrypted in our database using strong, industry-standard cryptographic primitives, specifically AES-256 encryption.

  • The Name and Profile Picture are protected within our secure database environment.

• Secure Storage and Identification:

  • The Google User ID is stored securely and is used as the primary, unique, non-PII identifier for the user within our system. We strictly adhere to the use of Google Sign-in for user authentication.

• Access Control: We employ Role-Based Access Control (RBAC) across all AeonSuite applications to ensure that only authorized and necessary personnel, subject to strict training and need, can view or process raw user data.

• Audit Logging: We maintain comprehensive and detailed logs of all access and changes to user data. These audit logs are regularly reviewed as part of our security monitoring to detect, investigate, and prevent any unauthorized or suspicious activity.

Part II: App-Specific Privacy Notices (The Detail)

Each app has its own, concise document linked from the Master Policy.

1. Badgermint Privacy Notice

This Privacy Notice is specific to the Badgermint application within the AeonSuite ecosystem. It supplements the AeonSuite Master Privacy Policy and details the data processing activities unique to Badger, which serves as your identity, event management, and blockchain credential platform.

Data Collected (Specific to Badgermint)

In addition to the core Shared Data collected by the AeonSuite Hub (Name, Email Address, Profile Picture, Google User ID), Badgermint collects the following specific Personal Information to perform its functions:

• Identity/ID Data: User-provided or third-party verified identification data (e.g., Student ID number, Employee ID, Government ID number, or other unique identifiers) for verification purposes.

• Optional Profile Information: Data you actively choose to enter into your Badgermint user profile, which may include details related to your personal interests, career history, business affiliations, and professional certifications.

• Event Management Data: Information related to your participation in events, such as event attendance logs, check-in/check-out times, and digital ticket/QR code generation data.

• Blockchain Credential Data: Data necessary for issuing and managing verifiable digital credentials, including public key information, wallet addresses, and records of credential issuance or verification status (metadata, not private keys).

• Usage Data: Detailed logs of your interaction with Badgermint's specific features.

Purpose of Processing (How Badgermint Uses This Data)

We process the data collected specifically by Badgermint for the following purposes:

• Identity Verification and Access Control: To verify your identity and manage access to secured events, services, or platforms, ensuring that only authenticated users can participate or use credentials.

• Profile Management and User Disclosure: To manage your full user profile. You are given the option to control the visibility of your optional profile information (personal, career, business, and certifications) and choose whether to disclose it to the public or keep it private. We process this data to reflect your explicit disclosure preference.

• Event Management: To facilitate and record your registration, attendance, and activity at events managed through the platform.

• Credential Issuance and Management: To generate, issue, store, and verify your digital and blockchain-based credentials (e.g., certificates of attendance, digital IDs).

• Service Improvement: To monitor Badgermint-specific feature usage, analyze its performance, and improve the application's functionality.

Data Sharing (Unique to Badgermint)

In addition to the sharing described in the AeonSuite Master Privacy Policy, Badgermint shares data only with the following parties when necessary for its core services:

• Event Organizers/Administrators: We may share identity data (such as Name and ID Data, but not your Google User ID) and Event Management Data with the organizers of a specific event for whom you are using the Badgermint app for verification, attendance tracking, and credential issuance.

• Verification/Third-Party Partners: We may share necessary Identity Data with trusted, third-party verification services to confirm your employment or student status, or to validate the authenticity of a credential.

• Blockchain Services: Data related to your credentials (e.g., public keys, transaction IDs) may be shared with the relevant blockchain or distributed ledger technology service to anchor and verify your credentials.

• Public Disclosure: Data within your Optional Profile Information will be publicly disclosed only if you explicitly set your disclosure preference to public for that specific information. We do not disclose private information unless legally required.

Security Measures

The app will adhere to the same rigorous, multi-layered security framework as the rest of the AeonSuite ecosystem.

• Encryption In Transit: All data transmission is protected using Transport Layer Security (TLS/SSL).

• Encryption at Rest: Sensitive information, including email addresses and full delivery addresses, is encrypted in our database using AES-256 encryption.

• Access Control: We utilize Role-Based Access Control (RBAC) to ensure that driver/cooperative accounts, vendors, and platform administrators only access the data required for their specific roles.

2. TripidQuest Privacy Notice

This Privacy Notice is specific to the TripidQuest application within the AeonSuite ecosystem. It supplements the AeonSuite Master Privacy Policy and details the data processing activities unique to TripidQuest, which functions as a merchant discount marketplace.

Data Collected (Specific to TripidQuest)

In addition to the core Shared Data collected by the AeonSuite Hub (Name, Email Address, Profile Picture, Google User ID), TripidQuest collects the following specific Personal Information to perform its functions:

• Precise Location Data (GPS): Collected only with your explicit consent and used to find and display nearby merchant discounts, rewards, and for map-based functionality.

• Transaction/Rewards Data: Information about discounts redeemed, transactions processed, rewards earned, and preferred merchant categories.

• TripidQuest Usage Data: Detailed logs of your interaction with the marketplace, searches performed, and specific features utilized within the app.

• Optional Preferences: Data you actively choose to provide, such as preferred locations, discount type interests, or travel preferences.

Purpose of Processing (How TripidQuest Uses This Data)

We process the data collected specifically by TripidQuest for the following purposes:

• Service Delivery (Marketplace Functionality): To provide you with access to the merchant discount marketplace, including processing discount redemptions, managing your rewards, and facilitating relevant transactions.

• Personalized Recommendations: To analyze your Transaction/Rewards Data and Usage Data to offer personalized merchant, discount, and rewards recommendations.

• Location-Based Services: To use your Precise Location Data to show you nearby rewards and offers, or to power map features essential to the service. We use "Just-in-Time" Notices to seek your consent when first accessing a location-dependent feature.

• Service Improvement: To monitor TripidQuest-specific feature usage, analyze trends in the marketplace, and improve the app’s performance and content.

Data Sharing (Unique to TripidQuest)

In addition to the sharing described in the AeonSuite Master Privacy Policy, TripidQuest shares data only with the following parties when necessary for its core services:

• Participating Merchants: We share non-personally identifiable, aggregated data (e.g., total number of redemptions for a specific discount) with participating merchants for business reporting and analytics. We do not share your name, email, or exact personal identifiers with merchants unless you explicitly consent to an offer that requires it.

• Map and Geospatial Providers: We share necessary location data with third-party mapping services to accurately display maps and points of interest.

• Payment Processors: If any transaction is processed directly through the app, we share necessary payment details with a secure payment processor.

Security Measures

The app will adhere to the same rigorous, multi-layered security framework as the rest of the AeonSuite ecosystem.

• Encryption In Transit: All data transmission is protected using Transport Layer Security (TLS/SSL).

• Encryption at Rest: Sensitive information, including email addresses and full delivery addresses, is encrypted in our database using AES-256 encryption.

• Access Control: We utilize Role-Based Access Control (RBAC) to ensure that driver/cooperative accounts, vendors, and platform administrators only access the data required for their specific roles.

3. Project Rider - Privacy Notice

This Privacy Notice is specific to the future application with codename “Project Rider” within the AeonSuite ecosystem. It supplements the AeonSuite Master Privacy Policy and details the data processing activities unique to this SaaS platform for the food delivery and logistics industry.

Data Collected (Specific to future app)

In addition to the core Shared Data collected by the AeonSuite Hub (accessed via the Badgermint Sign-in), the future all collects the following specific Personal Information:

• Delivery/Transaction Data: Details required to fulfill an order, including food items ordered, total transaction cost, and transaction history.

• Recipient Information: Recipient name, precise delivery address, and contact phone number.

• Payment Data: While payment processing is handled by a third party, we collect confirmation of the transaction and limited data such as the last four digits of the payment method and its expiry date for order tracking and audit purposes.

• Logistics and Mapping Data: GPS data for tracking delivery routes, estimated time of arrival (ETA), and service coverage areas.

• Cooperative/Driver Data (If Applicable): If you are a cooperative member or driver using the platform, we collect verification documents, route logs, and performance metrics.

Purpose of Processing (How the future app will use this Data)

We process the data collected specifically by the future app for the following purposes:

• Service Delivery and Fulfillment: To accurately process, fulfill, and track your food delivery and logistics orders from placement to completion.

• Customer and Order Support: To communicate with you regarding your order status, address delivery issues, and provide customer support.

• SaaS Platform Operations: To manage the FoodLoDeco platform for local Transport Cooperatives, including managing driver/cooperative accounts, processing payments, and ensuring the efficient function of the logistics network.

• Service Improvement and Analysis: To analyze delivery times, optimize routing, and improve the overall efficiency and quality of the platform.

Data Sharing (Unique to the future app)

In addition to the sharing described in the AeonSuite Master Privacy Policy, the future app shares data only with the following parties when necessary for its core services:

• Restaurant/Food Vendors: We share your order details (items ordered, special instructions, and confirmation of payment) with the respective food vendor to prepare your order.

• Transport Cooperatives/Delivery Personnel: We share the necessary Recipient Information (Name, precise delivery address, and phone number) with the assigned Transport Cooperative and the specific delivery personnel to ensure accurate and timely delivery.

• Payment Processors: We share transaction details with secure, third-party payment processors (e.g., Stripe, PayPal) to complete your order payment.

Security Measures

The app will adhere to the same rigorous, multi-layered security framework as the rest of the AeonSuite ecosystem.

• Encryption In Transit: All data transmission is protected using Transport Layer Security (TLS/SSL).

• Encryption at Rest: Sensitive information, including email addresses and full delivery addresses, is encrypted in our database using AES-256 encryption.

• Access Control: We utilize Role-Based Access Control (RBAC) to ensure that driver/cooperative accounts, vendors, and platform administrators only access the data required for their specific roles.

Part III. Children’s Privacy

We recognize the importance of safeguarding the privacy of minors.

• Target Audience: The AeonSuite platform and its affiliated applications (Badgermint, TripidQuest, and future services) are not directed to children under 13 years of age. We do not knowingly collect Personally Identifiable Information from children under this age.

• Minors (Ages 13 to 17): Our applications may be used by high school students (ages 13 and older). Given that the age of majority in the Philippines is 18, if you are a minor between the ages of 13 and 17, your parent or legal guardian must review and consent to this Master Privacy Policy and the specific Privacy Notice for the application you use.

• Parental Contact: If a parent or guardian believes that AeonSuite has inadvertently collected personal information from a child under 13 without verifiable parental consent, they may contact us immediately at our DPO Contact Email for Privacy Requests: privacy@aeonsuite.com. We will take reasonable steps to promptly remove such information from our records.