Document ID: OTI-POL-2026-V4.1
Effective Date: May 26, 2026
Entity: Optima Tech Innovations Limited (Hong Kong SAR)
1. Executive Summary & Legal Framework
Optima Tech Innovations Limited ("Optima," "we," "our," "us," or the "Company") operates strictly as an Enterprise Platform-as-a-Service (PaaS) and Digital Connection Bridge. We provide secure API routing infrastructure connecting end-users with independent, SEC-licensed financial institutions in the Republic of the Philippines.
CRITICAL NOTICE: WE ARE NOT A LENDER, FINANCING COMPANY, OR CREDIT REPORTING AGENCY. WE DO NOT ISSUE LOANS OR MAKE CREDIT DECISIONS.
This Master Privacy Policy governs the collection, encryption, transit, and destruction of your personal data in strict compliance with the Philippine Data Privacy Act of 2012 (Republic Act No. 10173) ("DPA"), its Implementing Rules and Regulations (IRR), and applicable data protection frameworks in the Hong Kong Special Administrative Region.
2. Definitions and Roles
- "Data Subject" refers to you, the individual utilizing our digital bridge to route an application.
- "Data Controller" refers to the Third-Party Licensed Financial Institutions that receive your routed data and determine the purposes of processing (i.e., loan underwriting).
- "Data Processor" refers to Optima Tech Innovations Limited, acting solely on the explicit instruction of the user to securely transit data to the Data Controller.
- "Sub-processor" refers to cloud infrastructure providers (e.g., AWS, Cloudflare) utilized by Optima to facilitate secure data transit.
3. Exhaustive Scope of Information Processed
To facilitate the digital routing protocol, we process data under the principle of absolute data minimization. We collect only the following data payloads:
A. Voluntarily Submitted Identity & Financial Data
- Full legal name, residential address, date of birth, and nationality.
- Contact infrastructure: Mobile telecommunications number and verified email address.
- Employment matrices: Employer name, occupational category, tenure, and stated income brackets.
- Routing parameters: Desired financial product specifications, requested amounts, and preferred terms.
B. Automated Technical & Telemetry Data
- Internet Protocol (IP) addresses, Media Access Control (MAC) addresses, and geolocation data (city-level strictly for anti-fraud mapping).
- Device fingerprints, including OS version, browser type, UUID, and hardware model.
- API request timestamps, payload size, and cryptographic handshake records.
STRICT EXCLUSIONS (WHAT WE NEVER COLLECT): Under no circumstances does Optima Tech Innovations Limited request, scrape, bypass permissions to acquire, or store your Contact Lists (Phonebook), SMS/MMS Messages, Call Logs, Personal Photo Galleries, or Biometric identifiers. Any representation to the contrary is false.
4. Legal Basis and Purpose of Processing
Pursuant to Section 12 of the DPA, we process your data based on your explicit, freely given consent and the necessity of processing to fulfill a pre-contractual step requested by you. Purposes include:
- Core Routing: Packaging your data into an encrypted JSON payload and transmitting it via API to your selected licensed financial institution.
- Anti-Fraud & Integrity: Utilizing technical telemetry to mitigate Distributed Denial of Service (DDoS) attacks, block automated bots, and prevent identity spoofing on our network.
- Regulatory Audit: Maintaining stateless transmission logs to comply with legal subpoenas and technology audits by government regulators.
5. Data Sharing, Sub-Processors, and Third-Party Transfer
We are a conduit. By initiating a submission, you authorize the cross-border and domestic transfer of your data to:
- SEC-Licensed Financial Institutions: The ultimate recipients of your data. Once successfully routed, their respective Privacy Policies govern the data. Optima has no control over their underwriting algorithms or data retention.
- Cloud Infrastructure Sub-Processors: Tier-1 providers (such as Amazon Web Services or Google Cloud Platform) hosting our routing nodes in secure Availability Zones (primarily Singapore or Hong Kong).
- Law Enforcement & Regulators: We will disclose transmission logs if served with a valid court order, warrant, or regulatory directive from the National Privacy Commission (NPC) or equivalent bodies.
Commercial Prohibition: Optima Tech Innovations Limited categorically does not engage in the sale, leasing, brokering, or unauthorized commercialization of your personal data to marketing agencies or unauthorized third parties.
6. Cryptographic Security & Data Protection Standards
We deploy enterprise-grade cryptographic protocols to secure your data pipeline:
- In Transit: All data transmissions over public networks are secured using Transport Layer Security (TLS) 1.3 cryptographic protocols with perfect forward secrecy.
- At Rest: Temporary caching of data (prior to successful API delivery) is encrypted using Advanced Encryption Standard (AES-256) at the block level.
- Access Control: Strict Role-Based Access Control (RBAC), multi-factor authentication (MFA) for all DevOps personnel, and zero-trust network architectures.
7. Incident Response and Data Breach Notification
In the highly unlikely event of a security breach compromising the confidentiality of your personal data, Optima Tech Innovations Limited has established a rapid Incident Response Plan (IRP). In accordance with NPC Circular 16-03, if a breach poses a real risk of serious harm, we will:
- Notify the National Privacy Commission within seventy-two (72) hours of discovering the breach.
- Notify affected Data Subjects via email or platform notification, detailing the nature of the breach, the specific data compromised, and the recommended mitigation measures.
- Deploy forensic containment protocols to isolate the compromised network segment.
8. Data Retention and Cryptographic Wiping
We operate predominantly on a stateless routing paradigm. Personal Identity Information (PII) is retained in our secure caches only for the duration necessary to achieve a successful API handshake with the third-party institution (typically milliseconds to a maximum of 72 hours in case of network retries). Once successful transmission is confirmed, PII is subjected to cryptographic wiping. De-identified, aggregated technical telemetry (e.g., API success rates) may be retained for up to five (5) years for diagnostic and SLA auditing purposes.
9. Data Subject Rights (DSR) & Deletion Protocols
Pursuant to the Philippine DPA, you are entitled to comprehensive rights regarding your personal data. We provide dedicated channels to exercise these rights:
- Right to be Informed: Fulfilled via this transparent Master Privacy Policy.
- Right to Access: You may request a cryptographic copy of the telemetry or data logs we hold concerning your routing request.
- Right to Rectify: You may request corrections to anomalous data before routing.
- Right to Object & Right to Data Portability: Subject to technical feasibility.
You possess the absolute right to demand the immediate suspension, withdrawal, or permanent cryptographic erasure of your personal data from Optima's routing servers and databases. To exercise this right:
Submit a formal written request to our Data Protection Officer:
SLA for Deletion: We will acknowledge your request within 48 hours and execute the permanent erasure protocol across our primary and backup nodes within 15 to 30 calendar days, providing a Certificate of Deletion upon completion. Note: Deleting data from our bridge does not delete data already successfully transmitted to the Third-Party Financial Institution; you must contact them separately.
10. Cookies, Web Beacons, and Tracking Technologies
Our web interfaces utilize strictly necessary session cookies to maintain state during your application routing process. We do not deploy persistent tracking cookies, third-party advertising pixels, or cross-site tracking beacons. You may configure your browser to reject cookies, though this will result in the immediate failure of the application routing process due to security token invalidation.
11. Automated Decision-Making and Profiling
Optima Tech Innovations Limited does not engage in automated credit scoring, algorithmic underwriting, or behavioral profiling. Any approval, denial, or credit limit assignment is executed entirely by the proprietary algorithms of the independent Third-Party Licensed Financial Institution.
12. Contact the Data Protection Officer (DPO)
Our appointed Data Protection Officer is responsible for overseeing compliance with this policy and the DPA. All legal, compliance, or privacy inquiries must be directed to:
Office of the Data Protection Officer
Optima Tech Innovations Limited
[Insert Specific HK Registered Address, e.g., Suite 1502, Central Plaza, Wan Chai]
Hong Kong SAR
Email: dpo@optimatechinnovations.com