Privacy Policy
Last updated: May 9, 2026
Who we are
AIsikaso is a software-as-a-service platform operated from the Philippines that helps rental shop owners manage inventory, bookings, and customer conversations. The service is accessible at aisikaso.com and rental.aisikaso.com.
For questions about this policy or your data, contact us at support@aisikaso.com.
Two kinds of users, two data relationships
Operators are the rental shop owners and staff who sign up and use AIsikaso to run their business. We collect their data directly to provide the service.
Customers are the people who message a rental shop's Facebook Page or interact with the shop. We process their data on behalf of the operator (we are the processor; the operator is the controller). Customer data flows through AIsikaso so the operator can respond to inquiries and manage bookings.
What we collect from operators
- Account identity: name, email, profile photo, authentication method (Google OAuth or email + password). Managed by our authentication provider, Clerk.
- Shop information: shop name, slug, address, team members, billing details (when paid plans launch).
- Inventory and bookings: items, photos, prices, customer records, reservations, payments, expenses, audit logs.
- Facebook Page connection details: when an operator connects their Facebook Page, we store the Page ID, Page name, and an encrypted Page Access Token (AES-256-GCM at rest). We do not store the operator's personal Facebook profile beyond what's needed to identify the connection.
- Usage data: pages visited, actions taken, request timestamps. Used for product improvement and security monitoring. Anonymized aggregate metrics may be processed by Vercel Analytics.
- Login events: when an operator signs in, we record the timestamp, IP address, browser user agent, and approximate geographic location (city/region) derived from the IP. Used to surface suspicious activity and let operators audit their own session history. Login events are retained for ninety (90) days.
What we collect from customers
When a customer interacts with a rental shop through AIsikaso, we may receive their data through one or more of the following channels, depending on which features the operator has enabled:
Through Facebook Messenger (when the operator has connected a Facebook Page):
- Their Facebook Page-Scoped User ID (PSID) — a per-Page identifier that does not reveal their real Facebook profile
- Their public Facebook display name and profile picture URL
- The text and attachments of messages they send to the Page
- Read receipts and message timestamps
Through the public booking page (/book/{shop-slug}, when the operator has enabled it):
- Name, phone number, and email address
- Pickup or delivery address, if the operator has enabled address collection
- Selected items, rental dates, and any free-text notes entered on the form
- Government identification photos, if the operator requires ID verification. ID photos are sensitive personal information under the Philippine Data Privacy Act and receive the additional protections described below.
- Payment proof images (e.g. GCash transaction screenshots) and reference numbers, if the operator has enabled deposit capture
Through manual entry by the operator (when the operator records a customer they spoke to in person, by phone, or through another channel): name, phone number, email, address, and any free-text notes the operator chooses to record.
In all cases, the customer's reservation and payment history is tied to the customer record the operator creates.
We do NOT collect: the customer's real Facebook account ID, their friends list, posts, or any data outside the conversation with the connected Page; and we do NOT collect any data from the customer's device (cookies, fingerprinting) when they visit the public booking page beyond what the hosting provider's standard request log captures.
Sensitive data and special protections
Government identification photos, payment proof images, and other documents customers upload through the public booking page are classified as sensitive personal information under the Philippine Data Privacy Act of 2012. We apply the following additional protections:
- Documents are stored in a private storage bucket with row-level access control. The operator's authenticated session is the only path to view them through the AIsikaso interface.
- Documents are not used for any purpose other than the operator's verification of the rental booking.
- Documents are retained for twelve (12) months after the rental end date, then automatically deleted. The operator can also delete a document earlier from the reservation detail page.
- Documents are never shared with third parties for marketing or advertising. They are not exposed to AIsikaso's AI agent. We do not analyze ID documents using AI or any automated extraction at this time.
- Customers can request deletion of their uploaded documents at any time by contacting the operator directly or by emailing AIsikaso. We honour deletion requests within seven (7) business days unless the operator has a specific legal obligation to retain the document longer (in which case we will inform the customer of that obligation).
How we use the data
- Provide the inbox, calendar, inventory, and accounting features of the AIsikaso product
- Generate AI-assisted reply drafts in customer conversations, using Google Gemini. Conversation context (recent messages, inventory snapshot, booking history with the customer) is sent to Gemini to compose contextually appropriate replies. Operators can disable AI per-conversation at any time.
- Send transactional emails and SMS (booking confirmations, receipts) on the operator's behalf
- Send notifications to the operator (new booking, AI handoff, send failures)
- Monitor service availability, troubleshoot errors, and prevent abuse
We do NOT use customer data for advertising, do NOT sell data to third parties, and do NOT use AI agent transcripts for training any model.
Sub-processors
We rely on the following third-party services to operate AIsikaso. Each handles a specific slice of data and is contractually obligated to protect it:
| Provider | Purpose | Region |
|---|---|---|
| Clerk | Authentication, session management | United States |
| Supabase | Postgres database, file storage | Singapore |
| Vercel | Hosting, serverless functions | Singapore + United States |
| Vercel Analytics | Anonymized page-view + performance metrics (no cookies for the analytics layer itself) | Global |
| Google (Gemini) | AI inbox reply generation | Global |
| Resend | Transactional email | United States |
| Semaphore | SMS delivery for receipts and reminders | Philippines |
| Facebook (Meta) | Messenger integration for operator's Page | Global |
Some sub-processors are based outside the Philippines. By using AIsikaso, you consent to your data being processed in these jurisdictions, subject to the protections required by the Philippine Data Privacy Act of 2012.
How long we keep data
- Active operator accounts: data is retained for the lifetime of the account.
- Disconnected Facebook Pages: when an operator disconnects a Page, we delete the encrypted Page Access Token immediately. Past conversation history is retained so the operator can refer back to it; the operator can request conversation deletion via support.
- Deleted accounts: when an operator deletes their account, all personal data is removed within 30 days. Anonymized usage statistics may be retained indefinitely.
- Facebook customer data: when a Facebook user requests data deletion via Facebook's data deletion process, we receive a callback and delete their messages and customer record within 7 days.
- Booking attachments (ID photos, payment proof images uploaded through the public booking page): retained for twelve (12) months after the rental end date, then auto-deleted. Operators can delete an individual attachment earlier from the reservation detail page.
- Login events: retained for ninety (90) days from the event timestamp.
- Backups: standard Supabase backups (daily, retained 7 days) may contain copies of deleted data until they roll off naturally.
Your rights
Under the Philippine Data Privacy Act, you have the right to:
- Access the personal data we hold about you
- Correct any inaccurate or incomplete data
- Request deletion of your personal data
- Object to certain processing
- Receive a machine-readable export of your data (data portability)
- Lodge a complaint with the National Privacy Commission of the Philippines
To exercise any of these rights, email support@aisikaso.com. We respond within 7 business days.
Security
- Database access is gated by Postgres Row-Level Security (RLS), enforced at the database layer. Operators can only see their own shop's data.
- Facebook Page Access Tokens are encrypted at rest using AES-256-GCM with a key managed outside the database.
- All data transit uses TLS 1.2 or higher.
- Authentication is handled by Clerk, including session management, password hashing, and OAuth flows.
- Service-role database access is restricted to a small set of trusted server-side code paths and audited in code review.
Children
AIsikaso is not directed at and not intended for use by anyone under 18 years of age. We do not knowingly collect data from minors. If you believe we have collected data from a minor, contact us and we will delete it promptly.
Changes to this policy
We may update this policy as the product evolves or as legal requirements change. Material changes will be communicated to operators by email at least 14 days before they take effect. The "Last updated" date at the top of this page will always reflect the current version.
Contact
For privacy questions, data requests, or to report a concern, email support@aisikaso.com. If you are unsatisfied with our response, you may also file a complaint with the National Privacy Commission of the Philippines at privacy.gov.ph.