Privacy Policy
Last updated: April 16, 2026
1. Data Controller
The data controller for BLUEWHALEOPS is TAVARA HOLDINGS OPC (SEC registration pending, Philippines), a sole proprietorship organized under Philippine law.
2. Data Protection Officer
For all privacy-related inquiries, data subject requests, or complaints, contact our Data Protection Officer at care@tavaraholdings.com.
3. Data We Collect
We collect the following categories of personal and non-personal data:
a) Account Data
Name, email address, and organization name provided during registration.
b) Monitoring Data
Endpoint URLs you configure, HTTP responses, uptime metrics, performance data, and SSL certificate status collected by our monitoring agents from your registered ventures.
c) Usage Data
Login timestamps, feature usage patterns, and page views within the platform.
d) Technical Data
Browser type and device information (used for responsive rendering). IP addresses are processed temporarily for rate limiting only and are not stored permanently.
e) Payment Data
Payment processing is managed entirely by Stripe Inc. We never receive, store, or have access to your full card numbers. We retain only transaction identifiers and billing metadata necessary for invoicing.
4. Purpose and Lawful Basis for Processing
| Data Category | Purpose | Lawful Basis |
|---|---|---|
| Account Data | Account creation, authentication, customer support | Contract performance (GDPR Art. 6(1)(b)); Consent (RA 10173 Sec. 12(a)) |
| Monitoring Data | Health checks, uptime tracking, incident reports, SLA analytics | Contract performance (GDPR Art. 6(1)(b)); Consent (RA 10173 Sec. 12(a)) |
| Usage Data | Platform improvement, feature prioritization, analytics | Legitimate interest (GDPR Art. 6(1)(f)); Consent (RA 10173 Sec. 12(a)) |
| Technical Data | Responsive rendering, rate limiting, security | Legitimate interest (GDPR Art. 6(1)(f)); Consent (RA 10173 Sec. 12(a)) |
| Payment Data | Subscription billing, invoicing, tax compliance | Contract performance (GDPR Art. 6(1)(b)); Legal obligation (GDPR Art. 6(1)(c)); RA 10173 Sec. 12(c) |
5. Sub-processors
We engage the following sub-processors to deliver the BLUEWHALE service. Each is bound by a Data Processing Agreement (DPA):
| Sub-processor | Function | Location(s) |
|---|---|---|
| Supabase Inc. | Database + Authentication | Singapore, US |
| Vercel Inc. | Application Hosting | US, Global Edge |
| Anthropic PBC | AI Root Cause Analysis | US |
| Stripe Inc. | Payment Processing | US |
| Resend Inc. | Transactional Email | US |
| Cloudflare Inc. | CDN + DNS + DDoS Protection | Global |
6. Cross-border Data Transfers
Your data flows through the following path: User → Vercel (US) → Supabase (Singapore) → Anthropic (US) for AI analysis (when you opt in).
For users in the European Economic Area (EEA), transfers to countries without an adequacy decision are governed by Standard Contractual Clauses (SCCs) as adopted by the European Commission. For users covered by Singapore PDPA, we ensure transfers comply with the PDPA's transfer limitation obligation. For Philippine users, transfers comply with RA 10173 and NPC Circular 2016-02.
7. Data Retention
We retain data for the following periods:
- Account data: Duration of your active subscription + 30 days after cancellation.
- Monitoring data:Varies by plan — 7 days (free tier), 30 / 90 / 180 / 365 days (paid tiers, depending on plan level).
- Audit trail: Retained indefinitely. Audit records are hash-chained; deletion would break chain integrity, which is required for tamper-proof compliance.
- Payment records: 7 years, as required by the Philippine Bureau of Internal Revenue (BIR) for tax record-keeping.
- Server logs: 30 days. No personally identifiable information (PII) is stored in server logs.
8. Your Rights
Under RA 10173 (Philippines), GDPR (EU/EEA), and PDPA (Singapore), you have the following rights regarding your personal data:
- Right of Access — Obtain confirmation of whether we process your data and request a copy.
- Right to Correction — Request correction of inaccurate or incomplete personal data.
- Right to Erasure — Request deletion of your personal data, subject to legal retention requirements.
- Right to Object — Object to processing based on legitimate interest or direct marketing.
- Right to Data Portability — Receive your data in a structured, commonly used, machine-readable format.
- Right to Withdraw Consent — Withdraw consent at any time without affecting the lawfulness of prior processing.
- Right to Restriction — Request restriction of processing while a complaint or correction is pending.
9. How to Exercise Your Rights
To exercise any of the rights listed above, email us at care@tavaraholdings.com with the subject line "Data Subject Request." Please include your account email and a description of your request. We will verify your identity and respond within 30 days (as required by NPC guidelines under RA 10173) or 1 month (as required by GDPR Article 12(3)), whichever deadline applies to your jurisdiction.
10. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant authorities and affected users as follows:
- Philippines (NPC): Within 72 hours of becoming aware of the breach, per NPC Circular 2016-03.
- EU (GDPR Supervisory Authority): Within 72 hours, per GDPR Article 33.
- Singapore (PDPC): Within 3 calendar days of assessing the breach to be notifiable, per PDPA.
- Affected users: Notified without undue delay when the breach is likely to result in high risk to their rights and freedoms.
11. Complaints
If you believe your data protection rights have been violated, you may lodge a complaint with:
- Philippines: National Privacy Commission — privacy.gov.ph/contactus or email complaints@privacy.gov.ph
- EU/EEA: Your relevant supervisory authority (see GDPR Article 77).
- Singapore: Personal Data Protection Commission (PDPC).
12. Cookies
BLUEWHALE uses the following categories of cookies:
- Essential cookies: Required for session authentication and core platform functionality. These cannot be disabled without losing access to the service.
- Analytics cookies:Vercel Analytics — anonymous, aggregate usage data only. No personally identifiable information (PII) is collected through analytics.
13. AI Processing
We use AI for root cause analysis of incidents. This is opt-in— you trigger it manually. No personal data is sent to the AI; only technical metrics (response times, error codes, server status) are transmitted for analysis. AI-generated insights are presented as suggestions and are not used for automated decision-making that produces legal effects concerning you.
14. Children's Privacy
BLUEWHALE is a B2B infrastructure monitoring tool. We do not knowingly collect data from persons under 18 years of age. If we become aware that we have inadvertently collected personal data from a minor, we will take steps to delete it promptly.
15. Changes to This Policy
We will notify you via email and in-app banner at least 30 daysbefore material changes to this Privacy Policy take effect. Non-material changes (e.g., formatting, clarifications) may be made without prior notice. The "Last updated" date at the top of this page reflects the most recent revision.
16. Governing Law
This Privacy Policy is governed by the laws of the Republic of the Philippines, without regard to conflict-of-law principles. For EU/EEA users, nothing in this policy limits your rights under GDPR. For Singapore users, nothing limits your rights under the PDPA.
BLUEWHALEOPS
Terms of Service