Cinnamon Privacy Policy
Cinnamon (“we”, “us”, “our” or “Cinnamon”), as an online referral marketing software, respects, values, and protects the privacy of its Users (“you”, “your”, or “Users”).
The Cinnamon Privacy Policy (“Privacy Policy”) provides for the treatment and rules governing our collection, use, retention, and sharing of your personal information, as well as your rights with respect to your data, in accordance with established data privacy laws including Republic Act 10173 – Data Privacy Act of 2012 (“DPA”).The Privacy Policy, in particular, contains the following:
- Notice of Consent,
- Definition of Key Terminologies,
- Information we collect from Users,
- Our use for collected personal information,
- Rules on Third Parties
- Rules on our retention of personal information,
- Rules on our Disposal of personal data or personal information,
- Our protection and security for your personal information,
- Your rights in relation to your personal information, and
- Other rules concerning personal information.
All visitors to our site, whether registered or not, shall be classified as a “User” for the purpose of this Cinnamon Privacy Policy. Registered users, Non-registered users, subscribers, brands, customer brands, prospective customer brands, affiliates, and any other person or entity who avail of our Service, Software, and Website shall likewise be considered as a “User” for the purpose of this Policy. Furthermore, all persons and/or entities that use the API of any third-party website, Company, or entity and/or that use Cinnamon’s generated API access tokens to enable Integrations or Interoperations with Cinnamon’s Services, Software, and Website are hereby likewise expressly considered as a “User” for the purpose of this Policy.
Should you have any questions, requests, or any concern regarding this Privacy Policy or our treatment of your personal information or data, please send us a message at: ().
Notice of Consent
Through your use of this Website and accessing of our Services, you consent to the collection, use, retention, and sharing of your personal information in accordance with the Privacy Policy and within the limits of data privacy laws, including DPA.
Definitions of Key Terminologies
Terms used in the Privacy Policy are defined below:
- Data Subject - Data Subject, as defined in the DPA, refers to an individual whose personal information is processed.
-
Personal Information - Personal Information, as defined in the DPA, is refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
Personal information, however, does not include publicly available information or lawfully obtained, truthful information that is a matter of public concern, and deidentified or aggregate consumer information.
-
Sensitive Personal Information – Sensitive Personal Information, as defined in DPA, information refers to personal information:
- About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations.
- About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
- Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
-
Sensitive Personal Information likewise include the processing of biometric information for the purpose of uniquely identifying a consumer, personal information collected and analyzed concerning a consumer’s health, and personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.
Sensitive Personal Information, however, does not include publicly available information or information that is lawfully made available from federal, state, or local government records.
- Processing – Processing, as defined in the DPA, means any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.
-
Consent - Consent, as defined in the DPA, refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so.
Data Subject as applied in this Policy pertains to the current and previous employees, customer personnel, partner/vendor personnel, website visitors, sub-contractors, activity providers, customers and visitors of Cinnamon.
-
Controller - Controller, as defined in the DPA, refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. The term excludes:
- A person or organization who performs such functions as instructed by another person or organization; and
- An individual who collects, holds, processes or uses personal information in connection with the individual’s personal, family or household affairs;
- Processor – Processor, as defined in the DPA, refers to any natural or juridical person qualified to act as such under this Act to whom a personal information controller may outsource the processing of personal data pertaining to a data subject.;
- Third Party – Third Party, as defined by the National Privacy Commission, refer to other organizations or individuals who may be involved in the processing of personal data by a personal information controller.
Information we collect from Users
The following are the categories of personal information that we collect from Users:
- Account and Contact Data – We collect the following information through our sign-up form when a user registers on our website or subscribes to one of our services: full name, birthday,gender, physical address, email address, company name, email address, mobile number, and bank account details. We may also collect images of your government-issued ID, your ID number or other verification information for identity or business confirmation. We use your contact information in providing our services, answering your requests, billing and other management purposes, and marketing and communicating purposes, and in analyzing service trends through the usage of data in aggregated/anonymized form. We note that all marketing materials we send contain an option for you to opt-out at any time. Furthermore, Cinnamon does not record or store credit information from Users, and rely on third-party PCI-DSS-compliant payment processors for credit card processing.
- Browser Data – When a user visits our website, Cinnamon detects and store the user’s browser language and geolocation. Our servers also passively record the information sent by Users’ browsers for statistical, security, and legal purposes, including the user’s IP address, the time and date of a user’s visit, the user’s browser version and platform, and the web page that referred a user to our Site. We anonymously analyze this automatically recorded data in maintaining and improving our services.
- Payment Information – Cinnamon collects the billing and financial information of Users that are necessary to process charges for our services which require payment. We may also receive the billing and payment information that you provide when your purchase is processed by another party, including your postal and e-mail addresses.
- Technical and usage information – Cinnamon collects the following information when Users access our websites and use our services: certain technical information about the user’s mobile device or computer system, including IP Address and mobile device ID, and usage statistics about your interaction with our Service.
- Cookies and tracking – Cinnamon may use cookies and similar tracking technologies on its Website, such as pixels and web beacons. Personal information sourced through these technologies are used to improve our services by providing a more personalized experience to Users.
- Third-party websites - In order to protect our public API from abuse and misuse, we apply rate-limit tactics based only on the IP address of the visitor when our widgets and snippets are installed on third-party websites. These IP addresses are only temporarily stored and expires after one (1) minute. For the protection of our Users and our Services, Software, and Website, Cinnamon hereby reserves the right to collect and process offending IP addresses in case of abuse or misuse of our public API. Unless specified above, however, Cinnamon stresses that it does not collect, use, retain, and share personal information gathered on Services, Software, and Website that are not owned by Cinnamon.
Our use for collected personal information
We collect, use, and retain your personal information to improve our services and to enhance your customer experience.
In particular, the following are examples by which information we collect can be used:
- Sharing with the activity providers called Activity Providers for those customers booking experiences. The kid' name,age and gender will be provided to the Activity Providers.
- Providing, supporting, and improving our website and services, monitoring and analysis of user trends, usage, and activities in connection with our services,
- Processing essential operations such as billing for purchased services,
- Sending communications to Users including, but not limited to, our responses to your comments, questions, and requests to provide customer service, technical notices, updates, security alerts, support and administrative messages, and informational, marketing and promotional content on our services,
- Assessing our system security and investigating system issues which may affect our services to Users,
- Enforcing compliance with our terms and applicable law, meeting legal requirements, such as court orders, discovery requests, and subpoenas, as well as accounting and security requirements, and responding to lawful requests by public authorities.
Rules on Third Parties
The following are the rules governing our treatment of your personal information and data with respect to third parties such as service providers and subprocessors.
-
Consent of Users is required prior to disclosure, Exceptions
As our policy, we do not sell, rent, trade, share, or otherwise transfer the personal information and data that we collect from you to third parties outside of Cinnamon without your consent.
Notwithstanding the foregoing, we may provide personal data to third parties where we are legally mandated by law enforcement and governmental authorities, and where we are required to comply with legal processes. Furthermore, we may provide personal data to third parties, where absolutely necessary, to respond to claims asserted against us, to administer our policies and agreements with Users, for essential operations such as risk assessments, investigations, and product development, and to protect the rights, property, and safety of Cinnamon, our employees, our Users, and the members of the general public. Cinnamon may also share or disclose aggregated, anonymous, and de-identified information for research purposes and analysis of trends or statistics.
-
Third Parties with whom your personal information is shared
We rely and contract with third party companies, organizations, and individuals that support our Site and Services in essential operations such as software maintenance, data hosting, sending of email messages, web audience analysis, cloud hosting, and marketing and communications. As such, we share the personal information of Users to enable these third parties to perform their functions.
Third parties with whom we share your information include affiliates and vendors, legal, accounting, and other general service providers, service providers who bolster our essential operations, marketing agencies or website hosts, and third parties approved by the user, including social media sites which Users choose to link their accounts to.
Our sharing of personal data and information to third parties as enumerated above is only to the extent of what is necessary to enable them to perform their functions, is limited to the specific purpose for such sharing, and is covered by a specific data processing contract. Furthermore, Cinnamon takes stringent procedures in ensuring that these third parties are compliant with established data privacy laws, including DPA, in processing your personal information, including both not limited to, the imposition of contract obligations to the third parties that personal information we share to them can only be used for their provision of services to us.
-
Direct Marketing
Cinnamon does not share the personal data and information of its Users with third parties for their direct marketing purposes.
-
No liability for third-party websites
Cinnamon shall not be responsible and shall not be held liable for the safety of any information that Users share to third parties who are not affiliated with our Site and Services. Third parties who are not affiliated with our Site and Services include, but are not limited to, brands and other third-parties who advertise, subscribe, or otherwise use our Site but are not affiliated with us, and other websites, online services, or mobile applications that are linked by third-party Users in our Site.
-
Business Transfers
In cases where Cinnamon sells, transfers, or otherwise share some or all of its assets, which include the personal information and data of Users, in connection with a legitimate business transfer such as, but not limited to, a merger, acquisition, reorganization, sale of assets, or bankruptcy, Cinnamon will perform all commercially reasonable efforts to notify Users if their personal information is to be disclosed, transferred, or becomes subject to a different Privacy Policy.
Rules on our retention of personal information
Cinnamon retains a user’s personal information only for the period that is reasonably necessary to accomplish the purpose for which such information was collected.
- Account and Contact Data and Payment Information – we retain such personal information only until we have an ongoing legitimate business need to do so in relation to a user and whether such data is necessary to provide our service. However, we will retain user data for no longer than seven (7) years from the date of termination of contract between the user and Cinnamon, unless a longer period is provided by law or lawful orders of legal authority. We will retain financial data for no longer than eight (8) years from the date of termination of contract between the user and Cinnamon, unless a longer period is provided by law or lawful orders of legal authority.
- Browser Data and Technical and Usage Information, Cookies and tracking – Browser data is retained for a maximum of 12 months, with the exception of cases where there is legitimate concern related to our security or performance of services. Further, Cinnamon retains audit logs for no longer than one (1) year, and other records for no longer than three (3) years, unless a longer period is provided by law or lawful orders of legal authority.
- Job Application Data – We retain information related to job applications for up to 2 years, in order for us to contact prospective employees again for future job propositions. We retain information related to our employees for the duration of their employment contract and for a reasonable time following termination of such contract. Cinnamon, however, will retain employees’ data for no longer than eight (8) years, unless a longer period is provided by law or lawful orders of legal authority.
Rules on our Disposal of personal data or personal information
Our disposal of Users’ personal data and information shall be governed by reasonable data security practices and shall follow the requirements of established data privacy laws.
Our protection and security for your personal information,
Cinnamon implements security procedures and employs information systems to detect security incidents that compromise the availability, authenticity, integrity, and confidentiality of stored or transmitted personal information, and to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure.
The ways that Cinnamon secures your personal information include, but are not limited to: SSL encryption in our processing of personal data, encryption of our database, usage of secure and encrypted servers, usage of E-mail One Time Password (OTP) or email verification Method for the protection of Users’ accounts, and following organizational procedures that restrict staff access to personal data and ensure data security.
Your rights in relation to your personal information
Data privacy laws including the TDA provide for your rights as data subject as regards your personal data. In relation to our collection, use, retention, and sharing of your personal data, you have the following rights, subject to the limitations, exceptions, and requirements imposed by the law:
The data subject is entitled to:
- Be informed whether personal information pertaining to him or her shall be, are being or have been processed;
-
Be furnished the information indicated hereunder before the entry of his or her personal information into the processing system of the personal information controller, or at the next practical opportunity:
- Description of the personal information to be entered into the system;
- Purposes for which they are being or are to be processed;
- Scope and method of the personal information processing;
- The recipients or classes of recipients to whom they are or may be disclosed;
- Methods utilized for automated access, if the same is allowed by the data subject, and the extent to which such access is authorized;
- The identity and contact details of the personal information controller or its representative;
- The period for which the information will be stored; and
- The existence of their rights, i.e., to access, correction, as well as the right to lodge a complaint before the Commission.
-
Reasonable access to, upon demand, the following:
- Contents of his or her personal information that were processed;
- Sources from which personal information were obtained;
- Names and addresses of recipients of the personal information;
- Manner by which such data were processed;
- Reasons for the disclosure of the personal information to recipients;
- Information on automated processes where the data will or likely to be made as the sole basis for any decision significantly affecting or will affect the data subject;
- Date when his or her personal information concerning the data subject were last accessed and modified; and
- The designation, or name or identity and address of the personal information controller;
- Dispute the inaccuracy or error in the personal information and have the personal information controller correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable. If the personal information have been corrected, the personal information controller shall ensure the accessibility of both the new and the retracted information and the simultaneous receipt of the new and the retracted information by recipients thereof: Provided, That the third parties who have previously received such processed personal information shall he informed of its inaccuracy and its rectification upon reasonable request of the data subject;
- Suspend, withdraw or order the blocking, removal or destruction of his or her personal information from the personal information controller’s filing system upon discovery and substantial proof that the personal information are incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes or are no longer necessary for the purposes for which they were collected. In this case, the personal information controller may notify third parties who have previously received such processed personal information; and
-
Cinnamon shall not discriminate against any user who exercises his or her rights as enumerated above. We shall not, among others, deny goods or services to the user, charge different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties, provide a different level or quality of goods or services to the consumer, and suggest that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.
How to exercise your rights in relation to your personal information
Should you wish to exercise any of the above-mentioned rights, please send us a message at ().
We shall treat your message as valid requests once you provide sufficient information that will allow us to verify your identity as the correct person whom we collected personal data or information from, and sufficient detail as will allow us to understand, evaluate, and respond to your requests. Users may also use authorized agents to exercise their rights on their behalf.
We shall also follow established procedures for the exercise of rights of data subjects as stated in data privacy laws such as the DPA.
Other rules concerning personal information.
-
Policy on the personal information of minors
We do not willfully disregard our Users’ age when we collect, use, retain, and share personal date. Before we process the personal data of minors, the consent of their parents or legal guardians is first obtained when they book the experience on Cinnamon or absent such consent, but with a lawful basis under existing laws, rules, or regulations.
-
Complaints and Grievances
Please direct any concerns, complaints, or grievances about our collection, use, retention, or sharing of personal data, personal information, or sensitive personal data to our Data Protection Officer with the following contact details:
You may also direct any inquiries or message to our postal address at Muntinlupa City, Metro Manila 1781.
-
Updates to the Privacy Policy
Cinnamon regularly updates its Privacy Policy in accordance with the requirements of established data privacy laws. We will provide Users with notice of amendments to the Privacy Policy, as required by established data privacy laws, and update the “Last modified” date as contained in the title of this Privacy Policy. We encourage you to regularly review our Privacy Policy to stay informed on our collection, use, retention, sharing, and protection of your data.