Privacy policy.

At CreativeImpact Inc., we are committed to protecting the privacy and security of your personal information in accordance with the Data Privacy Act of 2012 (Republic Act No. 10173) and its Implementing Rules and Regulations (IRR). This privacy statement explains how we collect, use, disclose, and protect your information when you interact with us through our Microsoft 365 environment, including its applications and services (collectively, "M365 Services").

CreativeImpact Inc. acts as the Personal Information Controller under Philippine data privacy laws, responsible for determining the purpose and means by which your personal information is processed within our M365 Services.

1. Information We Collect

We collect various types of information, including personal data, to operate and facilitate the use of our M365 Services. This may include:

Information you provide to us directly through M365:

Identity and Contact Information: Name, email address (CreativeImpact Inc. domain), phone number, employee ID, department, job title.

Account Information: Usernames, passwords, and other credentials used to access M365 Services.

Communication Data: Content of emails (Outlook), chat messages (Teams), documents created or shared (Word, Excel, PowerPoint, SharePoint, OneDrive), meeting recordings (Teams), and other interactions within M365.

Profile Information: Information you choose to add to your M365 profile, such as your profile picture, skills, or projects.

Information we collect automatically when you use our M365 Services:

Usage Data: Information about how you interact with M365 applications (e.g., files accessed, features used, time spent in applications, search queries). This helps us understand usage patterns and optimize our M365 environment.

Device and Network Information: IP address, device type, operating system, browser type, and connectivity data when accessing M365 Services.

Log Data: Information automatically recorded by Microsoft 365 servers, which may include details of your M365 activities.

Information related to your employment or engagement with CreativeImpact Inc.: This includes HR-related data that may be stored or processed within our M365 environment for legitimate business purposes (e.g., performance reviews, training records, payroll information, if applicable through integrations).

2. How We Use Your Information (Purpose of Processing)

We use the information we collect through our M365 Services for legitimate business purposes, primarily to:

Facilitate Business Operations: To enable effective communication, collaboration, and productivity among employees, contractors, and relevant stakeholders. This includes email, instant messaging, document sharing, and project management.

Provide and Manage M365 Services: To manage user accounts, provide technical support, maintain system performance, and ensure the availability of M365 applications.

Security and Compliance: To protect our M365 environment, data, and users from unauthorized access, cyber threats, and fraudulent activities. This includes monitoring for security incidents and ensuring compliance with our internal policies and legal obligations.

Performance Monitoring and Improvement: To analyze usage patterns within M365 to identify areas for improvement, optimize resource allocation, and enhance the overall user experience.

Record Keeping and Archiving: To maintain records as required by law or for internal business needs, such as audit trails and historical data.

Legal Compliance: To comply with legal obligations under Philippine law, including responding to lawful requests from the National Privacy Commission (NPC) or other government authorities.

Internal Investigations: To conduct internal investigations related to company policies, security incidents, or employee conduct.

3. How We Share Your Information (Disclosure of Personal Information)

We are committed to maintaining the confidentiality of your personal information. We may share your information with third parties only in the following limited circumstances:

Within CreativeImpact Inc.: Your information may be accessed by authorized CreativeImpact Inc. personnel (e.g., IT support, HR, department heads) who require access for legitimate business purposes consistent with their roles and responsibilities.

Microsoft and its Affiliates: As our M365 service provider, Microsoft processes data on our behalf. Microsoft's own privacy commitments are available on their website. Microsoft acts as a Personal Information Processor for CreativeImpact Inc.

Third-Party Service Providers: We may engage other reputable third-party service providers (e.g., for specialized IT support, auditing, or specific M365 add-ons) who assist us in operating our business. These providers are bound by confidentiality agreements and are only permitted to process your information for the specific purposes we define and in accordance with the Data Privacy Act.

Legal Requirements and Law Enforcement: We may disclose your information if required to do so by Philippine law, a court order, or in response to valid requests from the National Privacy Commission or other government agencies.

Protection of Rights and Safety: We may disclose your information when we believe it is necessary to protect our rights, property, or safety, or the rights, property, or safety of our employees, users, or the public.

With Your Consent: We may share your information with other third parties when we have obtained your explicit consent to do so.

We will not sell, rent, or trade your personal information to third parties for their marketing purposes without your explicit consent.

4. Data Security (Security Measures)

CreativeImpact Inc. employs reasonable and appropriate organizational, technical, and physical security measures to protect your personal information within our M365 environment against accidental or unlawful destruction, alteration, and disclosure, as well as against any other unlawful processing. These measures include:

Access Controls: Limiting access to personal information to authorized personnel on a need-to-know basis.

Authentication and Authorization: Implementing strong password policies, multi-factor authentication (MFA), and role-based access controls within M365.

Encryption: Utilizing encryption for data at rest and in transit where available within M365.

Regular Security Audits: Conducting periodic security assessments and vulnerability scans.

Employee Training: Providing regular data privacy and security awareness training to our employees.

Incident Response Plan: Maintaining a plan for responding to data breaches and security incidents in accordance with NPC guidelines.

While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure.

5. Data Retention (Retention Period)

We retain your personal information collected through M365 for as long as necessary to fulfill the purposes for which it was collected, to comply with our legal and regulatory obligations under Philippine law (e.g., labor laws, tax laws), and to resolve disputes. Once your personal information is no longer needed, we will securely dispose of it in a manner that prevents further processing, unauthorized access, or disclosure.

6. Your Privacy Rights (Rights of the Data Subject)

As a data subject under the Data Privacy Act of 2012, you have the following rights:

Right to Be Informed: To be informed whether personal information pertaining to you is being processed.

Right to Object: To object to the processing of your personal information, especially if the processing is not based on your consent.

Right to Access: To demand reasonable access to your personal information.

Right to Rectification: To dispute the inaccuracy or error in your personal information and have CreativeImpact Inc. correct it immediately and accordingly.

Right to Erasure or Blocking: To suspend, withdraw, or order the blocking, removal, or destruction of your personal information from CreativeImpact Inc.'s filing system.

Right to Damages: To be indemnified for damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of personal information, or for any violation of your rights as a data subject.

Right to Data Portability: To obtain a copy of your personal information in an electronic or structured format, commonly used and interoperable, if the personal information is processed by electronic means and in a structured and commonly used format.

Right to File a Complaint: To file a complaint with the National Privacy Commission if you believe your privacy rights have been violated.

To exercise any of these rights, please contact our Data Protection Officer using the contact details provided below. We may require specific information from you to verify your identity before processing your request.

7. Cross-Border Data Transfers (International Data Transfers)

CreativeImpact Inc. utilizes Microsoft 365, which may involve the storage and processing of your personal information in data centers located outside of the Philippines. When your personal information is transferred internationally, CreativeImpact Inc. ensures that adequate safeguards are in place to protect your data in accordance with the Data Privacy Act of 2012 and its Implementing Rules and Regulations. This includes relying on standard contractual clauses or other legally recognized mechanisms for data transfers.

8. Changes to This Privacy Statement

We may update this privacy statement from time to time to reflect changes in our M365 practices, legal obligations, or regulatory requirements. We will notify you of any material changes by posting the updated statement on our internal communication channels (e.g., intranet, email) or through other appropriate communication methods. We encourage you to review this statement periodically.

9. Contact Our Data Protection Officer (DPO)

If you have any questions, concerns, or requests regarding this privacy statement or our data privacy practices within CreativeImpact Inc., please contact our Data Protection Officer:

Data Protection Officer

Email: dpo@creativeimpactinc.com