This Privacy Notice and User Acknowledgment (the “Statement”) describes the personal information processed through aRTCo Tax™ (the “Service”), a proprietary platform operated by Reyes Tacandong & Co. (“RT&Co,” “we,” “us”), and the consent obtained from each user at registration. It is issued in accordance with the Data Privacy Act of 2012 (Republic Act No. 10173) (the “DPA”), its Implementing Rules and Regulations, and applicable issuances of the National Privacy Commission (“NPC”).
This Statement supplements, and should be read together with the Terms of Use, and the Subscription Agreement, which remain the controlling documents.
Personal information controller and Data Protection Officer
Reyes Tacandong & Co. is the personal information controller for platform account, subscription, billing, and usage data, and acts as personal information processor for the taxpayer, employee, payee, and filing data uploaded by a subscriber. RT&Co. controls the account, billing, and usage data it collects to operate the platform, while the subscriber controls the employee, payee, and filing data it uploads into the platform; RT&Co. processes that uploaded data only on the subscriber’s instructions.
Data Protection Officer: dpo@reyestacandong.com
Address: BDO Towers Valero, 8741 Paseo de Roxas, Makati City, 1226 Philippines.
How acknowledgment, acceptance, and consent are obtained
Acknowledgment, acceptance, and consent are obtained inside the Service, through an accept-or-decline step in the web application, not through a separately signed form. During company registration and onboarding, and before any company or filing data is encoded, the authorized representative must affirmatively accept each of the following statements, presented as separate checkboxes. Acceptance is required to proceed with registration and use of the Service.
By selecting Accept, the user acknowledges this Statement and the Privacy Policy, and agrees to the applicable contractual terms, and, where consent is the applicable lawful basis under the “Lawful basis for processing” section below, gives that consent to the processing described in this Statement and the Privacy Policy. Declining ends the registration without creating an account.
Personal information we collect
Depending on how you interact with the Service, we process the following categories of personal information:
- Identity and contact information: full name, designation, work email, mobile number, employer or subscriber company, and user role.
- Authentication and access information: Microsoft Entra ID or Google subject identifiers, verified email, display name, role claims, and session identifiers. We do not store passwords.
- Company and BIR registration information: registered name, TIN, branch code, RDO code, registered address, ZIP code, business style, line of business, VAT status, and details encoded from BIR Form No. 2303.
- Per-certificate transaction data: income payments, compensation, withholding amounts, Alphanumeric Tax Codes, covered periods, alphalist and summary-list entries, and the resulting BIR Form No. 2307, 2306, and 2316 certificates together with the related DAT, PDF, and ZIP files.
Registries you maintain about third parties. To let you reuse counterparties across filing periods, the Service stores reusable registries that you populate:
- Payee registry (counterparties and suppliers): TIN, registered or individual name, business address and ZIP code, foreign address, RDO code, and payee type.
- Employee records (confidential): for individual payees and employees, the full name, home and business address with ZIP code, contact number, date of birth, TIN, RDO code, and employer type (Main or Secondary, for BIR Form No. 2316). These records are revealed only after an additional one-time authenticator code and are visible solely to your authorized users.
- Signatory registry: full name, title or position, and TIN.
- Branch registry: branch code, address, and ZIP code.
Much of this registry data concerns your employees, suppliers, and contractors. The subscriber is responsible for the lawful basis to collect and upload it (see “Subscriber responsibility for third-party data” below).
- Billing and invoicing information: billing contact, email, phone, address, payment terms, plan, and subscription status.
- Operational and audit information: module access, job status, uploads, downloads, approvals, and audit events showing who did what, when, and for which company.
- Technical information: IP address, browser user-agent, device and session metadata, diagnostic logs, and strictly necessary session cookies.
Why we process your personal information
- Authenticate users and enforce access controls and tenant segregation.
- Generate DAT files and BIR certificates, and store and retrieve them in your Tax Cabinet.
- Manage subscriptions and billing, and provide support.
- Monitor platform capacity and security, and prevent fraud.
- Preserve audit trails and comply with legal and regulatory obligations, including the National Internal Revenue Code and BIR issuances.
- Handle data subject requests and send operational notices about the Service.
Lawful basis for processing
Processing is carried out on the bases recognized under the DPA, including performance of a contract, compliance with legal obligations, legitimate interests in platform operations, security, billing, fraud prevention, and audit readiness, and consent where applicable law requires it. Tax and accounting records may also be retained or produced to comply with the National Internal Revenue Code of 1997, as amended, and related BIR issuances.
Hosting, sub-processors, and disclosure
The Service is hosted on Microsoft Azure in the Southeast Asia region (Singapore). We primarily process your data in that region, except for short-term operational redundancy, where required by law, or with your prior written consent.
Personal information may be shared only with authorized personnel of Reyes Tacandong & Co., your subscriber company and its authorized users, vetted service providers acting as personal information processors, RSM network member firms where relevant to an engagement, professional advisers bound by confidentiality, and government authorities such as the BIR, SEC, courts, or the NPC where legally required. Your personal information is never sold.
Retention and disposal
We retain personal information only for as long as necessary for the purposes above or as required by law:
- Account and access records: while the account remains active, plus a reasonable reconciliation period after deactivation.
- Generated BIR-submittable artifacts (DAT files, certificates, and validation reports) in your Tax Cabinet: retained for at least five (5) years consistent with Section 235 of the National Internal Revenue Code, in immutable storage where applicable, and longer where tax, audit, litigation-hold, or legal-preservation requirements apply.
- Superseded file versions: for example, a DAT file replaced by a newer one for the same period, are archived and then permanently purged thirty (30) days after they are superseded.
- Audit logs: retained for up to seven (7) years.
- Billing and accounting records: retained for the period required by applicable law.
Upon expiration of the applicable retention period, personal information is securely deleted, anonymized, overwritten, or otherwise disposed of using reasonable safeguards. A subscriber may also request account deletion, after which personal information is hard-purged following a thirty (30) day cooling-off period.
How we protect your personal information
- TLS-encrypted HTTPS for all access.
- Azure SQL Transparent Data Encryption at rest; Always Encrypted for TIN and income columns where implemented; and a SHA-256 integrity hash recorded for every stored file.
- Role-based access control and per-tenant segregation, so one subscriber’s data is not visible to another.
- The Tax Cabinet stores creditable (2307), final (2306), and compensation (2316) withholding certificates; employee records and the BIR Form No. 2316 (employee compensation) details require a one-time authenticator code before names and full TINs can be revealed.
- Federated sign-in through Microsoft Entra ID and Google, with no passwords stored and multi-factor authentication enforced by the identity provider.
- Immutable audit logging; application secrets are protected and being migrated to Azure Key Vault.
Your rights as a data subject
Under the DPA, you have the right to be informed, to object, to access your personal information, to rectify inaccurate or incomplete information, to erasure or blocking where legally available, to data portability, to damages in proper cases, and to file a complaint with the National Privacy Commission.
To exercise these rights, send a written request to the Data Protection Officer at dpo@reyestacandong.com. Requests are subject to identity verification, subscriber-authorization checks where the request concerns subscriber-controlled filing data, and restrictions under applicable law, tax rules, audit requirements, and litigation holds. Where a request concerns employee, payee, or filing data uploaded by a subscriber, RT&Co. acts as personal information processor and may need to coordinate with, or refer the request to, the subscriber as the appropriate personal information controller, and will assist the subscriber in addressing the request as required by the DPA.
Subscriber responsibility for third-party data
Where a subscriber uploads personal information about its employees, payees, contractors, or signatories, the subscriber warrants that it has a lawful basis under the DPA and has issued adequate privacy notices to those individuals before uploading, and remains responsible for the accuracy and completeness of that data.
Withdrawal of consent and changes to this statement
You may withdraw consent or exercise your rights at any time by contacting the Data Protection Officer. Withdrawal may limit or prevent provision of the Service, does not affect processing already carried out, and does not override records that must be retained by law. Material changes to this Statement are posted and, where practicable, notified to active users at least thirty (30) days in advance.
Record and evidence of consent
Consent is captured and evidenced electronically; no physical signature is collected. Each acceptance is recorded as a consent event that stores the policy accepted and its version, the user’s verified identity (email and identity-provider subject identifier), the date and time, and the originating IP address.
This electronic consent is given by the affirmative accept-or-decline action described above and is legally effective under the Electronic Commerce Act (Republic Act No. 8792). When a policy version changes materially, users are prompted to review and accept again before continuing to use the Service.