1. Personal information controller
Ala Cinco acts as the personal information controller for data collected through the Platform.
[Registered company name and business address — to be supplied.]
Privacy inquiries and requests: privacy@alacinco.com
2. Scope
This policy applies to visitors, registered users, and guests who book through alacinco.com (or related domains we operate). It does not cover third-party websites you reach through links (Facebook, TikTok, Airbnb listings, Google Maps, payment provider pages, etc.), which have their own privacy policies.
3. Information we collect
We collect only what is reasonably necessary for the purposes described below.
- Account data: first name, last name, email, phone number, password (stored hashed), profile photo, optional age saved for faster rebooking
- Google Sign-In: name, email, and profile photo URL from Google when you choose that login method
- Booking data: guest names and ages, contact details, stay dates, property, pricing, promo codes, notes, booking reference
- Government IDs (sensitive personal information): images of valid ID (front and back), and sometimes a selfie, for the primary booker and guests where required by location or gatepass rules; ID type and verification status
- Payment data: payment method type, amounts, transaction references, PayMongo tokens for saved cards (we do not store full card numbers or CVC), crypto payment status via NowPayments, and uploaded manual payment receipts
- Communications: support chat messages and attachments, email notifications you receive from us, and optional Facebook Messenger notifications to our team (not your DMs to us unless you initiate contact there)
- Reviews and wishlists: property favorites, review text, ratings, photos, and display name
- Technical data: IP address, browser type, device signals, session identifiers, CSRF tokens, and login metadata (e.g., user-agent, login method) stored with your session
- Browser storage: we use HttpOnly cookies for authentication and a CSRF cookie for security; your browser may store checkout progress in localStorage until you complete or clear it
4. Sensitive personal information (government IDs)
Images of government-issued identification are classified as sensitive personal information under Philippine law.
We collect them based on your explicit consent at checkout and because they are necessary to verify guests, comply with resort or building security requirements, and issue gatepasses where applicable.
IDs are stored in secured server storage accessible only to authorized personnel and systems. They are not used for marketing or sold to third parties.
After your stay, ID images are retained only as long as needed for booking fulfillment, dispute resolution, legal compliance, and legitimate security purposes, then deleted according to our automated data-retention schedule described in Section 9.
5. How we use your information
We use personal information to:
- Create and manage your account; verify your email with one-time codes
- Process reservations, payments, reschedules, and cancellations
- Verify the identity of bookers and guests; approve or reject ID submissions
- Send transactional emails (confirmations, payment receipts, gatepass, check-in/out, review requests)
- Operate wishlists, notifications, reviews, and in-app support chat
- Prevent fraud, enforce our Terms, and protect the security of the Platform
- Improve our services and comply with applicable laws
6. Legal bases (Philippines)
Depending on the activity, we rely on one or more of: your consent (including checkbox acceptance at registration and checkout), performance of a contract (your booking), compliance with legal obligations, and our legitimate interests (security, fraud prevention, and improving the Platform), balanced against your rights.
8. International transfers
Some processors (e.g., Google, PayMongo) may process data outside the Philippines. Where required, we take steps consistent with the Data Privacy Act for cross-border disclosures, including contractual protections offered by those providers.
9. Retention and data deletion
We keep personal information only as long as necessary for the purposes described in this policy. How long we keep each type of data depends on its purpose, legal requirements, and our internal retention settings.
Account profile data is kept while your account is active. If you request account deletion, we anonymize core profile fields (name, email, phone, password, photo) and block login, but booking and payment records may be retained for accounting, tax, and dispute resolution.
Reviews you posted may remain visible with your display name even after your account is anonymized, unless removed under our moderation policy.
Sensitive booking document images — including government IDs, selfies, guest ID uploads, and related files you submitted at checkout — are subject to automated data retention. After your stay has ended, these image files are kept for a defined retention period measured from your check-out date, then permanently deleted from our secured storage. The retention period is configurable by Ala Cinco and is subject to a minimum window (currently at least 90 days) so we can handle disputes, security reviews, refunds, and legal obligations before deletion runs.
Automated deletion applies only to selected image files, not to your booking record itself. When files are purged, we remove the files from disk and clear the associated image references in our systems. Your booking row (dates, property, guest names, amounts, payment references, status, and other metadata needed for operations and compliance) is retained.
Depending on our active retention configuration, scheduled deletion may include: government-issued ID images and selfies for the primary booker; ID images for additional guests; and, where enabled, payment receipt images, gatepass QR code images, and refund proof images. Marketing and analytics systems do not receive government ID data.
When automatic retention is enabled, eligible files may be deleted on a daily schedule (currently 12:00 midnight, Philippines time). Files may also be removed earlier when required by law, a valid request you make under your privacy rights, or manual operational review, subject to records we must keep.
If you have questions about what we still hold for a specific booking, contact privacy@alacinco.com with your booking reference.
10. Security
We use industry-standard measures including HTTPS (TLS) encryption in transit, hashed passwords, HttpOnly session cookies, CSRF protection on authenticated actions, access controls on admin systems, and rate limiting on sensitive endpoints.
Payment card details are entered on PayMongo’s PCI-DSS Level 1 hosted pages; we store only tokens and display metadata for saved cards you choose to keep.
No method of transmission over the Internet is 100% secure. Please use a strong password and protect your device.
12. Your rights
Under the Data Privacy Act, you may have the right to be informed, to access and correct your personal information, to object to or restrict certain processing, to data portability where technically feasible, and to file a complaint with the National Privacy Commission (NPC).
To exercise your rights, email privacy@alacinco.com with enough detail for us to verify your identity. We will respond within the timeframes required by law.
13. Closing your account
You may close your account at any time from your Profile page on the Platform (Profile → Danger zone → Delete account). You will be asked to confirm the action. If you registered with an email and password, you must enter your current password to complete deletion. If you sign in only with Google, no password is required.
When you delete your account, we soft-delete your user record: we anonymize your profile (name, email, phone number, password, and profile photo), set a deletion timestamp, and sign you out on all devices. Your original email address may be used to register a new account later.
Closing your account does not delete all data we hold. Bookings, payment records, government ID images tied to completed stays, reviews you posted (which may still show your display name), support chat history, and records we must keep for accounting, tax, fraud prevention, or legal compliance may be retained as described in Section 9.
You may also request account closure by emailing privacy@alacinco.com from the email address on your account if you cannot access the Platform. We will verify your identity before processing the request.
14. Children
The Platform is not directed at children under 13 to open their own accounts. Guest minors may appear in bookings with information provided by the adult booker (name, age, and ID where required by policy).
15. Marketing communications and your choices
If you create an account or make a booking, we may use the email address and contact details you provide to send you marketing communications — for example promotions, special offers, new listings, and occasional newsletters.
Marketing is separate from service messages. Booking confirmations, payment receipts, check-in and check-out details, identity-verification codes, and similar transactional notices are part of the service you requested and will continue even if you opt out of marketing. We do not use government ID data for marketing.
We rely on your consent — given when you register or complete a booking — to send you marketing. You may withdraw this consent at any time; withdrawing it does not affect messages already sent.
Every marketing email includes an “Unsubscribe” link. Selecting it stops future marketing emails to you, usually right away, and we honor that choice on all later campaigns. You may also email privacy@alacinco.com to be removed.
We use a third-party email delivery service to send these messages on our behalf, and we do not sell your personal information.
16. Changes to this policy
We may update this Privacy Policy. The “Last updated” date shows the current version. Significant changes will be posted on the Platform.
17. Contact and NPC complaints
Privacy questions or requests: privacy@alacinco.com
You may also contact the National Privacy Commission if you believe your rights have been violated and we have not resolved your concern.
