Privacy Policy

LIBERTASIAN Inc. is the personal information controller for all data processed through the LIBERTASIAN platform. We are registered with the National Privacy Commission (NPC) as required by the Data Privacy Act for automated data processing systems involving AI-driven analysis.

Data Protection Officer:
Email: dpo@libertasian.com

2.1 Information You Provide

• Account information: Full name, email address, phone number (optional), password (stored as bcrypt hash)
• Organization details: Organization name, type, and membership information
• Billing information: Payment method details processed by our payment provider (we do not store full card numbers)
• User content: Documents you upload, camera scans, notes, annotations, bookmarks, and workspace data
• Communications: Support inquiries and feedback you send us

2.2 Information Collected Automatically

• Usage data: Search queries, features used, pages visited, and interaction patterns
• Device information: Device type, operating system, browser type, and screen resolution
• Log data: IP address (prefix only for session binding), timestamps, and request metadata
• Session data: Authentication tokens (hashed) and active session information

2.3 Information from AI Processing

• Query logs: Your search queries and AI interactions are logged for service improvement and audit purposes
• Model run records: We record the AI model name, version, prompt template version, input/output references, and confidence scores for every AI inference call for audit and quality assurance purposes

Under the Data Privacy Act, we process your personal information based on the following lawful bases:

• Consent: For account creation, marketing communications, and optional data sharing
• Contractual necessity: For providing the Service under your subscription agreement
• Legitimate interest: For fraud prevention, security monitoring, service improvement, and analytics
• Legal obligation: For tax records, audit logs, and compliance with Philippine law

• Service delivery: Processing your queries, generating digests, providing search results, and maintaining your workspace
• Account management: Authentication, session management, and subscription administration
• Service improvement: Analyzing usage patterns, monitoring AI quality metrics (accuracy, abstention rate, confidence distribution), and improving search relevance
• Security: Detecting and preventing unauthorized access, fraud, and abuse through rate limiting and audit logging
• Communication: Sending service notifications, security alerts, billing notices, and (with consent) product updates
• Legal compliance: Maintaining audit logs as required by Philippine law and responding to lawful requests from authorities

Your private content is never shared, published, or used for AI training without your explicit consent.

• Camera scans, document uploads, and notes are private by default, accessible only to you and your organization members (based on role permissions).
• Private content is never added to the public editorial corpus.
• Private content is never used to train or fine-tune our AI models.
• Content can only be promoted to editorial review status with your explicit permission and must pass an editorial rights review before any consideration for corpus inclusion.
• Copyrighted commercial book content detected by our classifier is blocked from editorial promotion.

6.1 Storage

• Personal data is stored in PostgreSQL databases with encryption at rest
• Personally identifiable information (PII) fields — email, phone, full name — are encrypted at the application level using AES-256-GCM
• Uploaded files and camera scans are stored in encrypted object storage, isolated per organization and user
• Passwords are hashed using bcrypt with a minimum cost factor of 12
• Refresh tokens are hashed with SHA-256 before storage

6.2 Security Measures

• TLS 1.3 encryption for all data in transit
• JWT access tokens with 15-minute expiry and RS256 signing
• Refresh token rotation with reuse detection
• Rate limiting on all endpoints
• Multi-factor authentication (TOTP) for administrative roles
• File upload validation including magic byte detection, antivirus scanning (ClamAV), and size limits
• Append-only audit logs for all data access and modifications
• Multi-tenant isolation with database-level organization scoping

6.3 Data Breach

In the event of a personal data breach, we will notify the National Privacy Commission and affected individuals within 72 hours, as required by NPC Circular No. 16-03, if the breach is likely to result in serious harm to data subjects.

We share your personal information only in these circumstances:

• Service providers: Payment processors, cloud infrastructure providers, and email services that help us deliver the Service, under strict data processing agreements
• Within your organization: With other members of your organization based on their role permissions (e.g., team workspace collaboration)
• Legal requirements: When required by Philippine law, court order, or government authority, or to protect our legal rights
• Business transfers: In connection with a merger, acquisition, or sale of assets, with notice to affected users

We do not sell your personal information to third parties.

• Account data: Retained while your account is active, plus 30 days after deletion request for recovery
• Audit logs: Retained for a minimum of 2 years as required by Philippine law
• AI model run records: Retained for 1 year for quality assurance and audit purposes
• Billing records: Retained for 5 years as required by Philippine tax law
• Uploaded content: Deleted within 30 days of your deletion request or account closure
• Search query logs: Anonymized after 90 days (personal identifiers removed)

Under the Philippine Data Privacy Act, you have the following rights:

• Right to be informed: To know how your data is collected, used, and shared (this Privacy Policy)
• Right to access: To obtain a copy of your personal data we hold
• Right to rectification: To correct inaccurate or incomplete personal data
• Right to erasure: To request deletion of your personal data, subject to legal retention requirements
• Right to object: To object to the processing of your personal data for certain purposes
• Right to data portability: To receive your data in a structured, commonly used format
• Right to file a complaint: To lodge a complaint with the National Privacy Commission

To exercise these rights, contact our Data Protection Officer at dpo@libertasian.com. We will respond within 30 days.

• Essential cookies: Session management and authentication (required for the Service to function)
• Local storage: The mobile app uses MMKV and SQLite for offline access and cached content
• Analytics: We may use analytics tools to understand usage patterns, but only with anonymized or aggregated data

We do not use third-party advertising cookies or tracking pixels.

The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal information from minors. If you believe we have inadvertently collected data from a minor, please contact us immediately at dpo@libertasian.com.

Your data is primarily processed and stored in the Philippines. If we need to transfer data internationally (e.g., to cloud service providers), we ensure adequate safeguards are in place, including contractual protections consistent with NPC requirements.

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification at least 30 days before taking effect. The "Last updated" date at the top indicates the most recent revision.

For privacy-related inquiries:

LIBERTASIAN Inc.
Data Protection Officer: dpo@libertasian.com
General inquiries: support@libertasian.com

You may also file a complaint with the National Privacy Commission of the Philippines:
Website: privacy.gov.ph