Privacy Policy

Pitik Finds is a Philippine-based platform that connects roadside motorcycle photographers along the Marilaque route with riders looking for photos of themselves. For privacy questions, takedown requests, or any concerns about your data, write to admin@pitikfinds.com. That mailbox is monitored by the founders.

We act as the Personal Information Controller for the data described below. Where sub-processors handle data on our behalf, they act as Personal Information Processors under written agreements.

We only collect what we need to run the marketplace. Specifically:

• Account data. Your name, email, role (photographer, rider, or admin), and a hashed password (via Supabase Auth). If you sign in with Google, we receive your basic Google profile (name, email, profile picture, Google account ID) — never your Google password.
• Photographer uploads. The original image files (stored on Cloudflare R2), captions, pricing, and any EXIF metadata embedded in your photos — which can include GPS coordinates, capture timestamp, camera make/model, and lens settings. We rely on this for search and verification.
• Rider activity. Search queries (date, KM marker, time-of-day), photos you view or favorite, purchase history, and download events.
• Payment data. Handled end-to-end by PayMongo. We receive the transaction ID, amount, status, and the last four digits / brand of the card. We never see or store full card numbers, CVVs, or e-wallet PINs.
• Technical data. IP address, user agent, device type, referrer, the Supabase auth session cookie, and basic analytics (page views, feature usage) if/when analytics are enabled.
• Support correspondence. Anything you send to admin@pitikfinds.com or via the in-app feedback widget.

• Create and secure your account, including verifying your role.
• Match riders with photos — surfacing photos by date, KM marker, time of day, and roadside landmarks.
• Process purchases and pay out photographers (through PayMongo, with KYC where required by Philippine financial regulation).
• Send transactional email — purchase confirmations, withdrawal updates, takedown notices, and account alerts — via Resend.
• Detect and prevent fraud, chargeback abuse, watermark circumvention, and other prohibited activity outlined in our Terms of Service.
• Comply with Philippine law, including tax, anti-money-laundering, and lawful requests from authorities.
• Improve the product — understanding which features are used, what searches fail, and where the experience breaks.

We do not sell your personal data. We do share specific data with the following sub-processors so the platform can function. Each link goes to that vendor's own privacy policy.

• Supabase — authentication and Postgres database hosting. supabase.com/privacy
• Cloudflare R2 — object storage for original and watermarked photos. cloudflare.com/privacypolicy
• PayMongo — payment processing for purchases and photographer payouts. paymongo.com/privacy
• Resend — transactional email delivery. resend.com/legal/privacy-policy
• Vercel — application hosting, edge networking, and analytics. vercel.com/legal/privacy-policy
• Google— only if you choose “Sign in with Google.” We receive your basic profile; Google does not see your activity inside Pitik Finds. policies.google.com/privacy

We may also disclose data when legally required — for example, in response to a valid subpoena, court order, or National Privacy Commission inquiry.

Supabase databases and Cloudflare R2 buckets are hosted in the Asia–Pacific region (Singapore by default). Some sub-processors (Vercel, Resend, Google) operate global infrastructure that may process data outside the Philippines. By using Pitik Finds, you consent to those cross-border transfers, which are governed by each vendor's data-processing agreement.

• Unsold photos are automatically deleted from R2 and the database seven (7) days after upload by a nightly cleanup job, unless the photographer extends or publishes them.
• Sold photos remain available to the buyer for the duration of their account. The original photographer retains copyright (see Terms).
• Purchase and payout records are retained for at least five (5) years to comply with Bureau of Internal Revenue and anti-money-laundering record-keeping rules.
• Account profile data is kept until you request deletion, at which point it is anonymized within thirty (30) days — except where retention is required by law.
• Server logs are kept for up to ninety (90) days for security and debugging.

As a data subject under the Philippines Data Privacy Act of 2012 (RA 10173), you have the right to:

• Be informed about how your personal data is processed.
• Access a copy of the data we hold about you.
• Correct inaccurate or outdated personal data.
• Object to specific processing, including marketing if we ever introduce it.
• Erase or block data that is unlawful, outdated, or no longer necessary.
• Data portability — receive your data in a structured, commonly-used, electronic format.
• Damages for unlawful processing.
• Complain to the National Privacy Commission at privacy.gov.ph if you believe we have mishandled your data.

We keep cookies to a minimum:

• Supabase session cookie — required to keep you signed in. Strictly necessary; you cannot opt out and still use the account.
• CSRF and security tokens — used by the framework to prevent cross-site request forgery on sensitive routes.
• Vercel analytics / Speed Insights — anonymous, aggregated usage and performance data. No cross-site tracking.

We do not use third-party advertising cookies, behavioral retargeting pixels, or social-media trackers.

The service is intended for users eighteen (18) years of age or older. We do not knowingly collect personal data from minors. If you believe a minor has registered or uploaded content without parental consent, contact admin@pitikfinds.com and we will remove the account and any associated content promptly.

Roadside photographs may include identifiable people — most often other riders. If you are a subject in a photo on Pitik Finds and you want it removed, you do not need to have an account to make that request.

Email us at admin@pitikfinds.com with the photo URL (or as much identifying detail as you can — date, route, KM marker, plate, helmet) and we will action verified takedowns within seven (7) business days. We may withhold delivery and payouts on a disputed photo while the review is in progress.

We take reasonable, industry-standard precautions, including:

• HTTPS / TLS 1.2+ for all browser-to-server traffic.
• Passwords hashed by Supabase Auth — never stored in plaintext and never visible to our team.
• Row-Level Security in Postgres so users can only read or modify their own rows.
• Private R2 buckets with short-lived signed URLs for uploads and downloads — originals are not world-readable.
• Service-role keys restricted to server-only paths (cron, webhooks, admin endpoints).
• Audit logging on admin actions and payout flows.

No system is perfectly secure. If you suspect unauthorized access to your account, or discover a vulnerability, email admin@pitikfinds.com immediately.

We will revise this policy when our practices change or when the law requires it. Material changes will be announced by email (to the address on your account) and posted on this page at least seven (7) days before they take effect. The “Last updated” date at the top of this page always reflects the current version.

Questions, requests, complaints, or just want to flag something that feels off? Email admin@pitikfinds.com. We read every message.