ExploreSiargao Privacy and Cookies Policy
1. Introduction
ExploreSiargao.com (“ExploreSiargao,” “we,” “us,” or “our”) is committed to protecting your privacy. This Privacy and Cookies Policy explains how we collect, use, share, and protect your personal data when you use our website and services (including booking accommodations, vehicle rentals, activities, and tours, or when you list such services as a host). By using our website, you agree to the collection and use of information in accordance with this policy.
We are based in the Philippines and comply with the Philippines’ Data Privacy Act of 2012 (RA 10173). As our platform is open to international users, we also strive to follow international best practices and standards (including principles aligned with the EU General Data Protection Regulation, GDPR) in protecting your data. This means we extend certain privacy rights and safeguards to all our users regardless of location.
If you have any questions or concerns about this policy or how your data is handled, please contact us at [email protected].
2. Information We Collect
We collect various types of information from hosts and users to provide and improve our services.
If you register as a host to list your offerings, we collect personal and business information, including:
Business Details: Your business name, registration number, and copies of business permits (collected for verification purposes only).
Contact Information: Contact person’s name, email address, and phone number.
Payout Information: Bank account or payment details to facilitate payments to you.
(Additional Note: Business permit copies are stored securely and are not shared except as required by law, per Section 16.1.)
If you create an account or make a booking as a guest/user, we collect:
Personal Identifiers: Your name, email address, and phone number.
Payment Information: Payment card details or other payment data (which are processed securely by our third-party payment partner, Xendit). We do not store full payment card numbers on our servers.
Booking Details: Information about your bookings or purchases on ExploreSiargao (such as travel dates, accommodation or activity selected, and number of guests).
Communications: Messages you exchange with hosts through our platform’s private messaging system (we store these to allow you and the host to reference details, and for safety and moderation as described in Section 11).
We automatically collect certain information about the devices and browsers you use and how you interact with our website. This data helps us secure the platform and improve user experience. This includes:
Technical Details: IP address, browser type and version, device type (e.g. mobile or desktop), and operating system.
Usage Data: Pages or screens you view on ExploreSiargao, the dates/times of access, the amount of time spent on pages, and the links or features you click on.
Referral Information: The website or source that led you to ExploreSiargao (for example, a search engine or referral link).
This device and usage information is generally collected through cookies and similar technologies, described further in Section 7.
We use cookies and similar tracking technologies to enhance your experience on ExploreSiargao:
Cookies: Small text files placed on your device. We use both session cookies (which expire when you close your browser) and persistent cookies (which remain for a defined period or until you delete them).
Similar Technologies: We may use web beacons, pixels, or local storage to collect information. These technologies can help recall your preferences, personalize content, and track user trends.
For example, cookies help us keep you logged in during your visit, remember your site preferences, and understand how you navigate our site. Some cookies are essential for site functionality, while others are used for analytics and advertising (see Section 7 for more details on cookie types and how to manage them).
We use the collected information for the following purposes:
Facilitating Transactions: We use your information to process bookings and payments, enable communication between guests and hosts, and provide customer support when you need help. For instance, host information is used to list their properties or services, and guest information is used to make reservations and send confirmations.
Verification: We may verify host business information (such as permits and registrations) to ensure legitimacy of listings. This is for the safety and trust of all users.
Payment Processing: Your payment details are used to charge for bookings and pay hosts. All payments are handled through our payment partner, Xendit, which receives the necessary payment information to process transactions. (Please refer to Xendit’s privacy policy for details on their data practices.)
Service Improvements: We analyze usage data (e.g., frequent site areas, common booking steps) to debug issues, improve our website’s functionality, and enhance the user experience. This helps us optimize page load times, design more intuitive interfaces, and introduce new features that make the platform easier to use.
Customer Support and Research: Information (like your communications and feedback) helps us provide support, resolve issues, and perform research and development. We also use data to ensure regulatory compliance and enforce our Terms of Service.
Recommendations: We use artificial intelligence (AI) and machine learning to analyze your preferences and activity on ExploreSiargao. This allows us to recommend listings, activities, or tours that might interest you (for example, suggesting popular surfing lessons if you frequently view surfing-related listings).
Content Generation: Our systems may use AI to help hosts improve their listings (such as suggesting description text or translating reviews) and to ensure content on the site is high-quality and relevant.
Customization: We may customize the order of search results or homepage content based on your past searches or bookings. By tailoring what you see, we aim to make finding the perfect stay or activity easier.
Privacy note: Whenever feasible, we use anonymized or aggregated data for personalization to protect your privacy. Personal data is only used to personalize when necessary, and we implement safeguards and obtain consent where required by law.
We want to inform you about promotions, new features, and experiences on ExploreSiargao. We use your information in marketing and advertising efforts in the following ways:
Promotional Communications: We may send you promotional emails, newsletters, or push notifications about ExploreSiargao offers, upcoming events, or travel tips. By creating an account or making a booking, you consent to receive these marketing communications as part of our service (we do not require a separate opt-in). You can opt out or unsubscribe from marketing emails at any time by clicking the “unsubscribe” link in the email or contacting us, and we will respect your choice. (Opting out of marketing messages will not affect service-related communications, such as booking confirmations or account alerts.)
Targeted Advertising: We work with a variety of third-party advertising networks and partners to show you relevant ads. For example, we may use services like Google Ads, Facebook Ads, or other ad networks to display ads for ExploreSiargao on other websites or social media platforms you visit. These partners use cookies or similar technologies to collect information about your online activities on our site and others, in order to serve you ads that match your interests. This process may involve automated data analysis or AI-driven algorithms to identify likely interests and demographics, so that the marketing content you see is more relevant to you. (For instance, if you searched for island hopping tours on ExploreSiargao, you might later see an ExploreSiargao ad for island tours on Facebook.)
Analytics and Marketing Performance: We use data to monitor and analyze the effectiveness of our marketing campaigns and advertisements. This includes tracking when a marketing email leads to a booking, or which ads are attracting new users to sign up. Analyzing these metrics helps us optimize our ad spending and improve our promotional content. We may also share aggregated, non-identifiable statistics with our marketing partners to help measure ad performance.
Note: We do not sell your personal data to third parties for their own marketing. We only share data with advertising partners as needed to perform services on our behalf (see Section 4) or as part of using cookies as described in Section 7. You have the right to object to certain marketing activities as described in Section 6 (Your Rights).
Legal Requests and Duties: We may use and retain your information to respond to lawful requests by public authorities, comply with subpoenas or court orders, and meet any legal reporting requirements. For example, we might be required by Philippine law to retain transaction records for tax purposes or provide information to the National Privacy Commission if they are investigating a complaint.
Enforcing Terms and Policies: Your information may be used to enforce our Terms of Service, investigate potential violations (such as fraud or abuse on our platform), and ensure the safety and rights of ExploreSiargao, our users, and the general public.
Protecting Rights and Safety: We will use data as necessary to protect the rights, property, or safety of our users, hosts, and the public. This includes sharing information with law enforcement if someone’s safety is at risk or if illegal activity (such as identity theft or credit card fraud) is detected on the platform.
We will not use your personal information for purposes incompatible with those above without your consent. If we need to use your data for a new purpose, we will update this Policy and notify you when required.
We treat your personal information with care and confidentiality. We only share it in specific situations outlined below and with appropriate safeguards:
When you make or receive payments through ExploreSiargao, your payment information will be shared with our payment processor, Xendit, to complete the transaction. Xendit acts as a data intermediary to process payments securely (for example, charging a guest’s credit card or sending a payout to a host’s bank account). Xendit may collect additional information as needed for payment processing (such as billing address or OTP verification for 3-D Secure), and their use of your data is governed by Xendit’s own privacy policy. We only share the information with Xendit that is required to process your payments or refunds.
We use trusted third-party companies to help us operate ExploreSiargao and provide our services to you. We may share necessary information with these third parties, but only for the purposes outlined in this policy and under strict obligations of confidentiality and security. Key types of service providers include:
Website Hosting and Infrastructure: Companies that provide data center, cloud storage, or server maintenance services, allowing our website and database to run reliably. (They process data as needed to host our platform.)
Analytics Providers: For instance, we use Google Analytics to understand how users use our site. Google Analytics may set cookies or similar identifiers to collect usage data (like page views and clicks) and report to us in aggregate form. (See Section 7 for how you can opt out of certain analytics.)
Marketing and Advertising Partners: We may share limited data with marketing service providers who help us manage campaigns, send emails, or display ads. For example, we might upload a list of emails (in hashed form) to an advertising platform to create a “custom audience” for an ExploreSiargao ad. Our advertising partners are authorized to use personal data only as needed to deliver our marketing or measure its effectiveness.
Security Services: We implement Cloudflare Turnstile CAPTCHA on certain parts of our site to protect against spam, bots, and abuse. This service may collect hardware and software information (such as device and application data) and send it to Cloudflare for analysis. Using CAPTCHA means that Cloudflare may process some of your data for security purposes; accordingly, the Cloudflare Privacy Policy and Terms of Service apply to that data. We do not receive any of the information Cloudflare collects via CAPTCHA; we only receive the result of the check (e.g., whether the interaction was deemed legitimate).
All these third-party providers are bound by contracts that limit their use of your data to the specified services and require them to protect it. We do not permit our service providers to use your data for their own unrelated purposes. If any provider is located in a jurisdiction different from yours, we take steps to ensure lawful data transfers (see Section 5 below).
We may disclose your information to governments, law enforcement agencies, regulators, or courts if we believe such disclosure is reasonably necessary to:
Comply with any applicable law, regulation, legal process, or governmental request. For example, we may have to provide data in response to a subpoena or an order relating to a tax investigation.
Enforce our Terms of Service, this Privacy Policy, or other agreements, including investigation of potential violations.
Detect or prevent fraud, security, or technical issues (for instance, investigating suspicious transactions or unauthorized use of our platform).
Protect the rights, property, or safety of ExploreSiargao, our users, hosts, or the public as required or permitted by law.
Such disclosures will be made only to the extent required or permitted by law. Where appropriate, we will notify users of such requests unless legally prohibited from doing so.
Aside from the cases above, we will share your personal information with third parties only if you direct us to or give us explicit consent, for example, if you opt in to a promotional collaboration where we need to share your email with a partner company, or if you use a feature that interfaces with a third-party application (and you authorize that connection). In those instances, we will make clear at the time of obtaining your consent what information will be shared and with whom.
Important: ExploreSiargao does not sell your personal data to third parties for profit. Any sharing of data is solely for the purposes of providing and improving our services, fulfilling legal obligations, or based on your choices as described above. We also require any third parties who receive personal data to handle it with care and confidentiality.
ExploreSiargao is accessible to users around the world. Consequently, your personal data may be transferred to and processed in countries other than your own. We want to be transparent about how we protect your data when it crosses borders:
Global Operations: We primarily operate from the Philippines, but the information we collect may be stored on cloud servers located in other countries (for example, we may use cloud service providers or data centers in the United States, Europe, or Asia-Pacific). Additionally, if you are a user or host outside the Philippines, your data will naturally be transmitted to our Philippine-based servers.
Risks and Protections: Different countries have different data protection laws, some of which may not be as strict as those in your home country. Regardless of where your data is processed, we handle it in accordance with this Policy and implement appropriate safeguards to protect it. When we transfer personal data internationally, we take steps such as:
Standard Contractual Clauses: If required (for example, for transfers from the European Economic Area to the Philippines or other countries not deemed “adequate” by the EU), we use the European Commission’s approved standard contractual clauses (SCCs) in our contracts with data recipients. These clauses contractually bind the recipient to protect personal data to EU privacy standards.
Adequacy Decisions: Where applicable, we may rely on official decisions that certain countries have adequate data protection laws. (For instance, if data of an EU user is processed in a country that the European Commission has recognized as having strong privacy laws, those transfers can be done under that basis.)
Other Lawful Grounds: In some cases, we may ask for your consent to transfer data, especially if no other legal mechanism is available. We will only do so in compliance with applicable data protection laws. We also ensure any U.S.-based providers are certified under frameworks like the APEC Cross-Border Privacy Rules or similar, if relevant.
Your Awareness: By using ExploreSiargao and providing us your information, you acknowledge that your data may be transferred to and processed in countries other than your own. However, rest assured that we strive to protect your privacy regardless of location. We continuously monitor the legal landscape for international transfers and will update our practices as needed to remain compliant (for example, adapting to new regulations or court rulings on data transfers).
If you have questions about our data transfer practices or require more specifics about the safeguards in place, you can contact us (see Section 15).
We respect your rights to control your personal data. Under the Philippines’ Data Privacy Act of 2012 and other applicable data protection laws (such as the GDPR for users in the European Union), you have certain rights regarding the personal information we hold about you. These rights include:
Right to Be Informed: You have the right to know what personal data we collect, why we collect it, how it is used, and with whom it is shared. This Privacy Policy is part of fulfilling that right. If you have any further questions, we will gladly answer them.
Right of Access: You can request a copy of the personal data we have about you. We will provide you with a summary of the information, and an explanation of how it is being used, within a reasonable time frame. (For example, you can ask for a copy of the profile data and booking history you provided to us.)
Right to Correction (Rectification): If you believe any personal information we hold about you is inaccurate or incomplete, you have the right to request that we correct or update it. For instance, if your phone number or email has changed, you can ask us to update our records. In many cases, you can also edit some information through your account settings.
Right to Deletion (Erasure): You may request that we delete your personal data and/or close your ExploreSiargao account. This is sometimes called the “right to be forgotten.” We honor deletion requests from all users worldwide. When you request deletion, we will remove or anonymize the personal data we hold about you to the extent possible. However, please note that this right is subject to certain exceptions: we may retain information as required by law or for legitimate business purposes even after a deletion request. For example, we might need to keep transaction records for tax and accounting obligations, or to retain information about a banned account to prevent fraud or abuse. Additionally, due to the way our backup systems work, residual copies of your data might persist in secure backups for a short period until those backups are cycled out. Such residual data will remain protected and will be purged in accordance with our retention schedules. Importantly, any publicly posted content you have contributed (such as reviews or forum posts, if those features exist on ExploreSiargao) might remain visible to others if it does not contain personal data or if it has been aggregated, even after your account is deleted.
Right to Object: You have the right to object to certain processing of your data, particularly for direct marketing purposes. If you no longer want to receive marketing emails, you can unsubscribe as noted above, and you can also contact us to record an objection to other forms of marketing (like personalized ads). Additionally, if we were processing your data based on our legitimate interest, you can object if you feel it impacts your rights. We will evaluate such objections and stop or adjust processing unless we have a compelling legitimate ground that overrides your rights or it is needed for legal reasons.
Right to Data Portability (when applicable): For users in some jurisdictions (such as the EU), you may request to receive your personal data in a commonly used, machine-readable format, and to have us transfer it to another service provider if technically feasible. For example, you could ask us for an export of the personal information and transaction history associated with your account. We will assist with such requests as required by applicable law.
Right to Withdraw Consent: In cases where we rely on your consent to process personal data (rather than another legal basis), you have the right to withdraw that consent at any time. For instance, if you consented to a new feature that uses your data, you can change your mind later. Withdrawing consent will not affect the lawfulness of any processing we already performed based on your consent, and it won’t affect processing under other grounds (like fulfilling a contract or complying with law). If you withdraw consent for a service that requires it, we will let you know if your experience is affected (for example, certain optional features might be disabled if they relied on consent).
To exercise any of these rights, please contact us at [email protected] with your specific request. We may need to verify your identity before fulfilling the request (for your protection, we wouldn’t want to give your data to an imposter). We will respond as soon as possible and at most within the timeframe required by law. There is no fee for most requests, but if a request is unfounded or excessive (e.g., repetitive), we may charge a reasonable fee or refuse the request in accordance with applicable law.
If you believe your data privacy rights have been violated or if you are not satisfied with our response, you have the right to lodge a complaint with the appropriate data protection authority. For example, in the Philippines you can contact the National Privacy Commission (NPC), and in the European Union you can reach out to your country’s supervisory authority for data protection. We would, however, appreciate the chance to address your concerns directly first, and we are committed to resolving any issues to your satisfaction.
Our site uses cookies and similar technologies to distinguish you from other users and to improve your experience on ExploreSiargao. This section explains how we use these technologies and your choices regarding them.
We categorize the cookies we use into a few types based on their purpose:
Essential Cookies: These cookies are necessary for our website to function properly and cannot be switched off in our systems. They are usually only set in response to actions you take, such as logging in or making a booking. For example, we use cookies to keep you logged in as you navigate through different pages (so you don’t have to re-enter your password on each page). Essential cookies might also be used to remember things like items in your cart or your progress in a booking form. Because these cookies are crucial for the website’s core functionality, you cannot disable them via our settings. (You can set your browser to block them, but parts of the site may then not work.)
Analytics Cookies: These cookies help us understand how users engage with ExploreSiargao. They allow us to collect information about website traffic and user behavior, such as which pages are visited most often, how users move through the site, and if they encounter errors. We typically use third-party analytics providers (like Google Analytics) for this purpose. The data collected is aggregated and anonymized — for instance, we might see that a certain number of users visited the “Siargao Surf Camp” listing page, but not who those users were. This information is used solely to improve our website’s performance and design.
Advertising Cookies: These cookies are used to deliver advertisements that are more relevant to you and your interests, both on ExploreSiargao and on other websites. They remember that you’ve visited our site and may track your browsing activity across different websites and services. We (and third-party ad networks) use this information to try to ensure that the ads you see are of interest to you – for example, showing you an ad for a popular resort in Siargao that you viewed earlier, instead of a random, unrelated ad. Without these cookies, the ads you see might be less relevant or repeated more often. If advertising cookies are disabled, it doesn’t mean you won’t see any ads, just that those ads will be less tailored to your likely interests.
Functionality Cookies: (Not explicitly listed in our prior examples, but for completeness.) These cookies allow our site to remember the choices you make (such as your preferred language or the region you are in) and provide enhanced, more personal features. For instance, a functionality cookie might remember your previous search filters (e.g., preferred price range or accommodation type) so that we can pre-load those for you next time. These cookies can improve your experience but are not strictly essential.
(Note: The classifications above are for explanation. We may not use all types at all times, and some cookies may serve multiple purposes. For example, an advertising partner’s cookie might also help with analytics.)
In addition to our own cookies, a number of third-party services may set cookies or use similar technologies on your device when you interact with ExploreSiargao. These third parties include:
Analytics Providers: As mentioned, we use Google Analytics, which sets cookies to collect usage data. Google Analytics cookies may track things like how long you stay on a page, what pages you visit in what order, and what site you came from. Google provides an opt-out for its Analytics (via a browser add-on) if you wish to disable this specific tracking.
Advertising and Social Media Partners: We partner with third-party advertising networks (e.g., Google Ads/DoubleClick, Facebook/Meta Ads, and others) to display ads for ExploreSiargao on other platforms and sometimes to display third-party ads on our own site. These partners use cookies and other identifiers to gather information about your browsing activities over time and across different websites. For example, a Google Ads cookie may note that someone visited the page for a particular tour on ExploreSiargao, and later, Google might show that same person an ad for a discount on that tour via our campaign. Similarly, if we enable Facebook Pixel on our site, Facebook might recognize your visit and later allow us to serve an ad on Instagram related to your ExploreSiargao activity. These third-party cookies and technologies are set by the respective third parties, and we do not control the exact data they collect. However, we do contractually require that our advertising partners handle any data collected from our site in accordance with applicable privacy laws and only for our advertising purposes. For more details on these, you can check the privacy policies of the respective platforms (e.g., Google’s Privacy Policy, Facebook’s Data Policy, etc.).
Other Third-Party Services: If we ever integrate content from other third parties – for example, an embedded video from YouTube or a map from Google Maps – those providers may set cookies as well. Such cookies would be governed by the third party’s privacy policy. (We will generally inform you when third-party content is embedded so you can be aware of their cookie practices.)
We want to emphasize that no personal data is shared with third-party ad networks except as described (like a hashed identifier or cookie ID) – we do not give them your contact info without permission. They primarily rely on linking your browsing behavior to a pseudonymous identifier. Nevertheless, because these tracking technologies can impact your privacy, we want you to be aware of them and your choices (see below).
General Consent: By using our site with your browser settings adjusted to accept cookies (and by acknowledging any cookie notice we provide), you are giving consent for cookies to be placed and read out on ExploreSiargao. We currently use a general cookie consent approach, which means we do not provide a granular cookie preferences tool for separate categories of cookies. In other words, when you consent to cookies on our site, you are consenting to all the categories of cookies described above (except strictly necessary cookies which are always active by default). If you do not agree to our use of cookies, you can refuse cookies by adjusting your browser settings as described below. However, please understand that some parts of our site may not function correctly if you disable cookies entirely.
Browser Settings: Most web browsers allow you to manage your cookie preferences, such as blocking new cookies, deleting existing cookies, or notifying you when a cookie is set. You can typically find these options in the “Options” or “Preferences” menu of your browser. For example, in Chrome you can go to Settings > Privacy and Security > Cookies and other site data; in Safari, Preferences > Privacy; in Firefox, Options > Privacy & Security, etc. Using these settings, you can delete cookies or instruct your browser not to accept certain cookies or any cookies at all. You can also usually see what cookies are currently stored and selectively delete them. Keep in mind that if you delete all cookies, any preferences you have set on our site (or other sites) may be lost, and you might be logged out of sessions.
Do Not Track: Some browsers have a “Do Not Track” feature that lets you tell websites you do not want to be tracked across sites. At this time, our site does not respond to “Do Not Track” signals in a uniform way, because there is not yet an industry consensus on how to interpret them. We will update our practices if a standard emerges.
Opt-Out Mechanisms: For third-party advertising cookies, here are some options if you want to opt out of interest-based advertising:
Google Ads: You can use Google’s Ads Settings to control personalized Google ads, and the Google Analytics Opt-out Browser Add-on to disable analytics tracking by Google.
Facebook/Instagram: Adjust your ad preferences in your Facebook settings to limit how your off-Facebook activity is used for ads.
Industry Opt-outs: Websites like the Network Advertising Initiative (NAI) or Digital Advertising Alliance (DAA) offer tools to opt out of many participating ad networks (see the NAI Opt-Out Page or DAA WebChoices). Note that opting out typically works via cookies, so if you clear cookies, the opt-out may reset.
Consequences of Disabling: If you disable or block cookies, especially the essential or functional ones, parts of ExploreSiargao might become inaccessible or not work properly. For example, you might not be able to log in or complete a booking process. Advertising and analytics cookies are not crucial for basic functionality, but without them, you’ll experience a more generic user experience (less personalized content or ads). We want you to have control, but just be aware of the trade-offs.
We currently do not have an in-site banner that lets you selectively accept or reject different cookie types (all non-essential cookies are treated as a bundle upon your consent). If this changes and we implement a more granular cookie consent tool, we will update this Policy and let you know. In the meantime, we encourage you to manage cookies through your browser as described. If you have any concerns about cookies or need assistance, feel free to reach out to us.
We take the security of your personal data seriously and implement a variety of measures to prevent unauthorized access, disclosure, or alteration of your information. However, it’s important to understand that no method of transmitting or storing data is completely foolproof. This section details what we do to safeguard your data and what you can do as well.
ExploreSiargao maintains reasonable and appropriate technical, administrative, and physical security measures to protect your personal data. These include:
Encryption: We use encryption protocols to protect sensitive data. For example, our website is accessible only over HTTPS, which means that any data transmitted between your browser and our servers (such as login credentials or payment information) is encrypted in transit. Sensitive information like passwords is stored in hashed form, and payment information is handled by our payment processor using industry-standard security (such as PCI-DSS compliance).
Access Controls: We limit access to personal data to authorized personnel who need it to perform their job duties (for example, customer support agents or engineers maintaining the system). Access to administrative interfaces and databases is protected by strong authentication measures, and our staff are trained on data privacy and security requirements. We enforce principles like least privilege (employees only have the minimum access necessary) and we promptly remove access for individuals who no longer require it.
Security Monitoring and Audits: We regularly monitor our systems for possible vulnerabilities and attacks. This includes keeping our software and infrastructure up to date with security patches, using firewall and intrusion detection systems, and conducting periodic security audits or penetration testing. By routinely reviewing our security posture, we aim to catch and address potential issues proactively.
Cloudflare CAPTCHA: As noted in Section 4, we utilize Cloudflare Turnstile CAPTCHA on our site as a security measure to help detect and block bots or malicious activity. CAPTCHA analyzes user interactions (mouse movements, typing patterns, etc.) to determine if an action is likely being performed by a human. This helps us prevent automated scripts from, for instance, creating fake accounts or scraping data. Because CAPTCHA involves sending certain data to Cloudflare for analysis, Cloudflare’s Privacy Policy and Terms of Service apply to that data. Implementing CAPTCHA adds an additional layer of defense for our platform and for your account safety.
Backups and Recovery: We routinely back up our databases to ensure that we can recover data in case of accidental loss, corruption, or a disaster scenario. These backups are encrypted and stored securely. In the event of a data loss incident, we have procedures to restore information and resume normal operations. (As mentioned in Data Retention, backups might briefly retain residual copies of data even after deletion requests, but they are eventually purged according to our policies.)
Organizational Policies: We have internal policies and incident response plans for data security. Our team knows how to report and respond to potential security incidents. We also require any third-party service providers handling user data to have robust security practices and, where applicable, we review their security certifications or audits.
Despite all these measures, it’s important to note that no website or internet transmission is 100% secure. Cyber threats evolve rapidly, and while we work hard to protect your data, we cannot guarantee absolute security against every possibility. In the next subsection, we outline steps you can take to help keep your own data safe.
We encourage you to also take steps to protect yourself and your information:
Account Security: Create a strong, unique password for your ExploreSiargao account. Avoid reusing passwords that you use on other websites. A strong password typically includes a mix of letters, numbers, and special characters. Consider using a reputable password manager to help generate and store passwords securely.
Credential Confidentiality: Do not share your ExploreSiargao account password or login credentials with anyone. We will never ask you for your password via phone or email. Be cautious of phishing attempts; always ensure that you are logging in through our official website (look for the correct domain name and the secure lock icon in your browser).
Device Safety: Ensure the devices you use to access ExploreSiargao are secure. Use up-to-date antivirus/anti-malware software, especially if you’re on a Windows or Android device. Keep your operating system and browser updated with the latest security patches. If you access our site from a public computer (like a cybercafé or library) or on someone else’s device, make sure to log out completely when you’re done and clear the browser data if possible.
Two-Factor Authentication (2FA): If we offer two-factor authentication or other additional security features, we highly encourage you to use them. 2FA adds an extra step (like a code from your phone) when logging in, which can prevent unauthorized access even if someone learns your password.
Reporting Issues: If you suspect any unauthorized access to your account or notice any strange activity (for example, login alerts from unknown devices, or bookings you didn’t make), please notify us immediately at [email protected]. We will work with you to secure your account and investigate the issue. Also, if you come across any vulnerabilities or bugs in our platform that could compromise security, we appreciate disclosure – we take such reports seriously and will act promptly.
We are committed to protecting your information and have invested in security measures as described. We also stay up to date with industry best practices for cybersecurity. However, as noted, no method of electronic transmission or storage is completely secure. For example, email communications are not always encrypted end-to-end, so please be careful not to send sensitive data (like credit card numbers or passwords) to us via email.
In the unlikely event of a security breach, we have a detailed incident response plan (see Section 13 on Data Breach Notification). We will inform affected users and authorities as required by law, and we will take steps to mitigate the impact.
To summarize, we do our utmost to safeguard your data and we continually update our security practices to tackle new threats. Your trust is important to us, and we will treat your data with the same care as we would treat our own. By being cautious and security-conscious on your end as well, together we can greatly reduce the risk of any security issues.
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. This section outlines how long we typically keep different types of data and the reasons we might retain data even after you stop using our services.
Active Use: For as long as you maintain an account with ExploreSiargao or continue to use our services, we will keep your personal information on file. This allows us to provide you with a continuous service (for example, remembering your account details and booking history).
Retention After Use: When you become inactive or request to delete your account, we don’t immediately purge all your data from our systems. We will delete or anonymize data that is no longer needed, but some data we may keep for a period of time as outlined below:
Transaction and Booking Data: We retain records of your bookings, transactions, payouts, and invoices as long as needed for accounting, auditing, and tax purposes. For example, financial regulations or tax laws may require us to keep transaction records for a certain number of years (commonly 5-7 years, depending on jurisdiction). This is to comply with legal obligations and for bookkeeping.
Communications: If you’ve communicated with us (customer support inquiries, emails) or through our platform (messages with a host or guest), we might retain those communications for a certain time. Platform messages might be retained to protect the safety and legal rights of parties involved (e.g., to have a record in case of disputes or complaints about harassment). Support emails are often kept for a period so we have context if you reach out again, and to improve our services.
Usage Logs: Logs of website activity (like IP addresses and login attempts) are typically retained for a shorter period for security analysis and debugging. These might be kept for a few months up to a year unless they are archived as part of security records.
Deletion and Anonymization: In many cases, after a certain period, instead of outright deletion, we may anonymize data. For instance, we might remove identifying details from booking data but keep aggregated booking statistics (so we know how many bookings happened in 2025, but not that you specifically made one). Anonymized data is no longer personal data since it cannot be linked back to an individual.
There are several legitimate reasons why we might retain some of your data even after you’ve closed your account or otherwise asked us to delete information:
Legal and Regulatory Compliance: As mentioned, laws may require us to keep certain data. For example, financial transactions need to be retained for tax and auditing; identity verification details might be kept to comply with anti-fraud or anti-money laundering regulations. If we received a legal order to preserve data (like a “legal hold” in case of litigation), we would need to keep relevant data until that order is lifted.
Dispute Resolution: If you have an open dispute or issue (for example, a chargeback on a payment, a dispute with a host/guest, or a claim that requires investigation), we will retain the data needed to resolve that issue. We will not delete information that is crucial to an ongoing matter until it’s resolved.
Safety and Fraud Prevention: We may retain data to detect and prevent fraud. For example, if we deactivate an account due to fraud or safety concerns, we might keep certain information (like the email or IP address) to block that individual from returning to the platform under a different identity. Retaining a record of banned accounts is necessary to protect our community.
Backups: As noted, our system backups might contain your personal data for a period even after active data is deleted. These backups are for recovery and business continuity purposes. We have retention schedules that eventually delete or overwrite backup data, but it’s possible some data could linger in backups for several weeks or months. During that time, it is effectively not used for any business purpose and is secured.
Business Needs: Sometimes, certain business records may be retained for operational reasons. For example, we might keep a list of payouts to hosts (with minimal personal data) to reconcile finances, or maintain records of user consents (to prove that we had consent to send emails, etc.).
Example: Host business permits might be kept on file as long as the host is active on the platform, and perhaps for a period after in case of reactivation or verification of past transactions. User booking history might be kept to support customer service inquiries even after an account deletion (like if you need a receipt after the fact). But after the necessary time, this data will be deleted or anonymized.
If you choose to delete your ExploreSiargao account, we will initiate the process of removing your personal data from our systems. Your profile will no longer be accessible, and we will eventually delete the personal information associated with your account from our production database. As described above, what remains will be data we are required or justified to keep.
We want to set expectations: once your account is deleted, you won’t be able to reactivate it or retrieve any data or content (unless you contact us quickly and we have a backup). If you plan to come back to ExploreSiargao, you’d essentially be creating a new account and history.
In some cases, rather than complete deletion, we may prefer to strip personal identifiers from data (anonymization) or combine your data with others (aggregation). For instance, we might keep statistics like “total bookings per month” or “percentage of users from country X,” which are derived from personal data but no longer personally identify anyone. This kind of data may be kept indefinitely as it poses no privacy risk to individuals.
Summary: We strive to keep your data only for as long as we have a valid reason. When personal data is no longer needed, we ensure it is securely deleted or anonymized. If you have specific questions about our data retention policies (for example, how long we keep a copy of your ID if you provided one for verification), please reach out to us for more detailed information.
ExploreSiargao is a general-audience platform and is not intended for children under the age of 18. We do not knowingly collect personal data from anyone under 18 years old. Our services (like booking accommodations or signing up as a host) are all designed for adults or, at minimum, individuals who can legally enter binding contracts (which typically excludes minors).
If you are under 18, you should not use ExploreSiargao or provide any personal information to us. If we discover that we have inadvertently collected personal information from a child under 18, we will take steps to delete that information promptly.
Parents or guardians who become aware that their child (under 18) has provided us with personal information should contact us at [email protected]. We will then work to delete the child’s information and (if applicable) terminate the child’s account.
In certain jurisdictions, the age threshold for “children” might be different (for example, under GDPR, parental consent is required for processing personal data of children under 16 in some countries, unless member states set a lower age like 13). While our general rule is 18 (since our services involve travel and payments), we handle all underage data consistently: we do not want it and will remove it if found.
We encourage families to discuss online privacy and safety with their children. If teenagers (aged 16 or 17) are using the internet to research travel, we suggest that any bookings or account creations on ExploreSiargao be done by a parent or guardian in their name, to avoid any issues.
ExploreSiargao provides a private messaging system to facilitate communication between guests and hosts (for example, to clarify details about a listing or arrange check-in times). We consider these communications private, but there are certain circumstances where we may access or review them to maintain a safe and trustworthy platform.
When you send messages through ExploreSiargao (such as a guest messaging a host before booking, or a host messaging a guest after a booking), those messages are stored on our systems. Both you and the other party (host or guest) can access the conversation through your accounts. While we design the system to be private between the two parties, please be aware of the following:
Monitoring for Policy Compliance: We reserve the right to monitor messages automatically for safety. This means our system may scan messages for red flags (such as hate speech, harassment, explicit content, or attempts to take a transaction off-platform, which might be against our Terms of Service). For example, we might use automated tools or AI to detect if someone is sending their email/phone number (to warn them to stay on the platform for safety), or detect scam patterns. This is similar to how other platforms ensure communications remain safe and on-platform.
Manual Review: If our automated systems flag a conversation or if a user reports a problematic message, our support or Trust & Safety team may manually review the messages in question. We do not routinely read messages, but we may do so when necessary – for instance, if we receive a report of fraud, abuse, or a terms-of-service violation occurring in messages. In such cases, only authorized personnel will review the content, and they will do so with discretion and respect for your privacy.
Prevention of Misuse: The messaging system is intended to facilitate booking-related and service-related communications. We prohibit certain content in messages (like spam, harassment, illegal content, or exchanging personal contact info before a booking is confirmed if against our policy). We may intervene if messages contain these. For example, to protect users from fraud, we might block messages that attempt to share an email address or phone number prior to a booking (since scammers sometimes try to take conversations off-platform).
Use in Dispute Resolution: In case of disputes between a host and guest, or any incident that requires mediation by ExploreSiargao, we may review the relevant messages to get context and evidence. For instance, if a guest claims a host gave instructions outside the platform that led to a problem, we might look at the message thread to verify what was said.
We urge users to communicate respectfully and avoid sharing sensitive personal information via the messaging system. While it might be necessary to share certain info (like arrival times or dietary requirements for a tour), please refrain from sending things like passwords, payment details, or unnecessarily revealing personal data in messages. Hosts should also treat information received from guests as confidential and use it only for the intended purpose of facilitating the booking.
All messages through ExploreSiargao are subject to this Privacy Policy. By using our messaging feature, you understand that we may process your communications as described above for safety, compliance, and support purposes. We will never publish your private communications or share them with third parties except as needed to investigate an issue (e.g., sharing with law enforcement if required by law due to illegal content).
ExploreSiargao employs certain automated systems and Artificial Intelligence (AI) or Machine Learning (ML) techniques to improve our services and enhance user experience. We want to be transparent about how we use AI and what it means for you.
We may use your data in the following ways to power AI/ML features on our platform:
Personalized Recommendations: As mentioned, our algorithms analyze things like your search history, past bookings, and listing interactions to suggest accommodations, rentals, or activities you might like. This is an automated process that learns from overall user behavior patterns. For example, if you often book surfing lessons, the system might highlight surf-related experiences when you visit the site.
Dynamic Pricing Insights: For hosts, we might use machine learning models to suggest pricing adjustments based on demand, season, or similar listings. (E.g., informing hosts that properties like theirs tend to charge 10% more during a festival week.) The final pricing decision is up to the host, but the suggestion is AI-driven.
Content Creation and Enhancement: We may use AI tools to help generate or refine content. For example, to assist a host in writing a better description, our system might auto-suggest a summary based on key features they input. We might use translation algorithms to provide multilingual descriptions or reviews. If we use any AI-generated text on the platform, we aim to review it for accuracy.
Moderation and Safety: AI is used to keep ExploreSiargao safe. We may use automated tools to flag inappropriate content or behavior: this includes scanning messages for fraud indicators, scanning new listings for prohibited content (e.g., hate speech or pornography), and detecting fake or duplicate accounts. For instance, an AI might flag a message that looks like someone offering to pay off-platform, or a listing photo that seems to contain explicit material. These flags are then reviewed by our team.
Fraud and Risk Detection: We may use machine learning to detect patterns of fraudulent or suspicious activity. For example, our system might analyze login locations, payment attempts, and user behavior to identify accounts that could be bots or fraudsters. If something is deemed very high-risk (say, a login from a new country followed by an attempt to make a large booking with a stolen card), the system might automatically intervene (like temporary suspension pending review).
Customer Support Aids: We might use AI to route support tickets or provide automated answers to common questions. For example, a chatbot could answer “How do I reset my password?” using learned responses. More complex issues are handed to human agents, but AI can assist in categorizing and prioritizing queries.
In all these uses of AI/ML, we strive to minimize the use of personally identifiable information. Often, algorithms work on data that’s been aggregated or encoded (for privacy and efficiency). If personal data is involved, we ensure the processing is compliant with applicable privacy laws by obtaining consent where required and implementing appropriate safeguards.
We recognize that purely automated decisions can sometimes feel opaque or unfair, and certain laws (like GDPR) provide rights to individuals when they are subject to significant automated decisions. ExploreSiargao does not generally make any legally binding decisions about you without human involvement. Most AI usage described above is either to provide suggestions to you or to assist our staff. However, in instances where an automated process does have a significant effect on you, we want you to know your rights:
Right to Explanation: If an automated decision or score is assigned to you (for example, if our system were to flag your account for fraud and that affected your ability to use the service), you have the right to request an explanation of that decision. We will provide you with general information about the logic involved in the decision-making process. Keep in mind, we also have to protect our security measures (so we might not reveal details that would let bad actors game the system), but we will be as transparent as possible about what factors led to the outcome. For example, we might explain, “Your account was temporarily suspended by our system because it detected a login from an unusual location and multiple failed payment attempts, which matched patterns of fraudulent behavior. This was an automated fraud prevention action.”
Right to Human Review: You can ask for a human to review any significant decision made by an algorithm. For instance, if you believe our AI wrongly blocked a message you sent, or incorrectly suspended your account, contact us. A member of our team will look into the matter, consider your explanation, and ensure that the final decision is fair and not just left to a computer. We understand that algorithms aren’t perfect and can sometimes produce false positives, so we always have a human-in-the-loop for sensitive matters.
No Automated Profiling without Consent: We do not engage in profiling that has legal effects on you without your consent. “Profiling” here means any form of automated processing intended to evaluate certain personal aspects, like economic situation, personal preferences, interests, reliability, behavior, location, or movements. While we do profile in a loose sense for personalization and marketing (as described), this does not have a legal or similarly significant effect on you. If we ever introduce something like an automated creditworthiness check for payments, it would be done in compliance with the law and with your knowledge.
Our goal is to use AI and automation to enhance your experience (like faster service, personalization, and safety), not to make detrimental decisions about you. We design and test our algorithms to reduce bias and ensure fairness. If you have any concerns about our use of AI – whether it’s wanting more insight into how a recommendation was made, or questioning an action that might have been automated – please reach out. We believe in the principle of explainable AI and will do our best to clarify the logic behind automated processes that affect you, in plain language.
While we hope it never happens, we have plans in place in the event of a data breach (an incident where personal data may be accessed by unauthorized parties). Transparency is key in such situations, and we are committed to communicating with you and the authorities as required.
If ExploreSiargao experiences a security breach that leads to personal data being compromised, we will take the following steps:
Immediate Containment and Assessment: Our first move is to stop any additional data loss. We’d isolate the cause (for example, taking a hacked database offline or patching a vulnerability) to contain the breach. Our security team will then investigate to understand the scope and impact — specifically, what data and which users are affected, and how many.
Internal Notification: We will escalate the issue to our data protection team and company leadership. If needed, we will also consult external cybersecurity experts to assist in handling the incident.
User Notification: If the breach is likely to result in a risk to your rights and freedoms (to use GDPR terms) or could cause you harm (like identity theft, fraud, or harm to your privacy), we will notify you without undue delay. We’ll contact you via email (or another reliable method) and inform you of what happened in general terms. Specifically, we will tell you what types of personal data were involved (e.g., “names and emails, but not passwords” or “contact info and booking details”), an overview of what we are doing about it, and any steps we recommend you take to protect yourself (for example, reset your password, watch out for phishing emails, etc.). Our goal is to give you actionable information so you can also help protect yourself.
Authority Notification: We will notify the relevant data protection authority or authorities as required by law. For instance, under the Philippines’ Data Privacy Act, we may need to notify the National Privacy Commission (NPC) within a certain timeframe for serious breaches, and under GDPR, we would notify the supervisory authority (unless the breach is unlikely to pose any risk). Typically, the threshold for notification is if the breach poses significant risks (like potential financial harm or identity theft). The notification to authorities will include details of the breach, our proposed mitigation, and contact info for our team.
Ongoing Updates: Data breaches can be fluid situations. If further investigation reveals new information (for example, the breach is larger than initially thought, or additional types of data were affected), we will update the users affected and the authorities. We might not have all the answers in the initial notice, but we won’t hide facts as we learn them.
Mitigation and Remediation: We will take steps to mitigate any damage from the breach. This might involve forcing password resets if credentials were leaked, working with banks if payment info was compromised, offering credit monitoring to victims if appropriate, etc. We will also fix the root cause of the breach – whether that means updating our security infrastructure, changing processes, or sanctioning a rogue employee, whatever is applicable. Our aim is to prevent a recurrence.
Learning and Improvement: After the immediate crisis is handled, we will conduct a thorough review of the incident and how it was handled. We’ll create a report (sometimes required for regulators) that documents everything. Importantly, we’ll use what we learned to improve our security and response plan. Data security is an evolving field, and we take incidents as a chance to strengthen our defenses.
We sincerely hope we never have to send you a breach notice. But if we do, we want you to know that we have plans in place and that we will handle it with the urgency and transparency it deserves. Protecting your data is our responsibility, and we will act accordingly.
We may update or revise this Privacy and Cookies Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. We encourage you to review this Policy periodically to stay informed about how we are protecting your data.
Posting the Revised Policy: Any changes will be posted on this page with an updated “Last Updated” date at the top. If the changes are minor (such as clarifications or typographical corrections) and do not materially affect the way we use your personal data, we may simply update the policy here and the effective date.
Notice for Significant Changes: If we make any significant changes that affect your rights or the scope of what data we collect or how we use it, we will provide a more prominent notice. This could include: sending you an email notification to the address associated with your account, posting an announcement on our homepage or your user dashboard, or providing an in-app notice. For example, if we were to start collecting a new type of sensitive information or plan to use your data for a new purpose not covered in this policy, we would inform you in advance.
Advance Notice and Consent (if required): In cases where changes are substantial and legally require your consent, we will notify you in advance and seek your consent. For instance, if a new law required us to get fresh consent for certain processing, or if we voluntarily decide to rely on consent for a new data use, we would give you a reasonable opportunity to review and agree to the changes. If you do not agree, you might be able to delete your account or opt out of the new usage.
Changes to the Privacy Policy will typically become effective immediately upon posting (unless stated otherwise). If you continue to use ExploreSiargao after those changes take effect, it constitutes acceptance of the revised Policy (unless that use explicitly requires fresh consent). We will always indicate the date of the latest revision at the top for transparency.
If you disagree with any changes to this Privacy Policy, you should stop using our services and may contact us if you wish to delete your account or have concerns. We will help facilitate your requests as per Section 6 (Your Rights).
We value your privacy and are here to address any questions or concerns you might have about how we handle your personal data. If you need to reach us regarding this Privacy and Cookies Policy or any privacy-related matter, please use the contact information below:
Email: [email protected] (For privacy inquiries, you can put “Privacy Inquiry” in the subject line to help route your email.)
Data Protection Officer: (At present, our privacy team handles data protection queries. We will update this section with a Data Protection Officer’s details if one is appointed in compliance with any regulatory requirement.)
We will respond to your inquiries as soon as possible, typically within a few business days. If you are contacting us to exercise one of your data subject rights (as described in Section 6), please provide enough information for us to verify your identity (for example, emailing from the address associated with your account and specifying the request). For security and verification, we might ask for additional information if needed.
We are committed to resolving any issues you have and appreciate the opportunity to do so. Your feedback about privacy is important to us – it helps us improve and ensure we’re meeting your expectations and legal obligations.
Finally, here are a few additional points and clarifications regarding our privacy practices that don’t fit neatly into the categories above:
As mentioned earlier, if you are a host, we may collect copies of your business permit or registration documents during the verification process. We wish to clarify that this information is used solely for verification of your legitimacy as a host (to ensure a trustworthy marketplace). We store these documents securely with restricted access. We do not share your business permits with any third parties unless it is required by law or regulation (for example, if a government authority asks for proof of compliance or during a legal dispute). We treat these documents with the same level of security as other sensitive personal data. Once you have been verified, we retain the permit copies in our records as proof of verification, for as long as your account is active as a host or as long as required for legal compliance. If you cease to be a host and request deletion of your data, we will consider whether we can delete these permits or if we must retain them for any legal reason (in which case, we would archive and protect them and delete when no longer needed).
ExploreSiargao may contain links to third-party websites or integrations with third-party services (for example, a link to a partner’s site, or an embedded Google Map on a listing page, or social media sharing buttons). If you click on a third-party link or interact with an embedded service, you will be directed to that third party’s environment. Any information you provide to these third-party sites is not covered by our Privacy Policy. We recommend you review the Privacy Policy of every site you visit or service you use outside of ExploreSiargao.
For clarity, here are third-party services we use or integrate with, which may collect data about you (through cookies or other means) when you use our site, as mentioned in earlier sections:
Google Analytics: to analyze website usage patterns and metrics. (Google’s ability to use and share information collected by Google Analytics about your visits to ExploreSiargao is restricted by the Google Analytics Terms of Use and the Google Privacy Policy.)
Advertising Partners: such as Google Ads (including tools like Google Remarketing/DoubleClick) and Facebook (Meta) Ads. They may collect data via cookies/plugins when you interact with our site to facilitate showing you targeted ads elsewhere.
Social Media and Sharing: If we have any “Share” buttons or social login functionality, the networks (e.g., Facebook, Twitter, Google) may collect information when your browser loads their feature on our page (even if you do not click it). This could include the fact that a certain IP address visited a certain page.
Maps and Location Services: If we show location maps for listings (for instance, through the Google Maps API or OpenStreetMap API), using those maps might send some data to Google or OpenStreetMap (like your IP address and any location searches you perform).
We do not control these third parties’ data collection and use. By listing them here and in the relevant parts of this Policy, we aim to make you aware. Please refer to those third parties’ privacy policies for more details on their practices.
This Privacy and Cookies Policy is governed by the laws of the Republic of the Philippines. In practice, this means that we primarily adhere to Philippine privacy law (the Data Privacy Act of 2012 and its Implementing Rules and Regulations). However, because we also voluntarily align with international standards like GDPR, you will notice we often meet or exceed the requirements of Philippine law in order to protect all users’ privacy rights.
If any dispute arises regarding this Policy, we will seek to resolve it in good faith. By using our services, you acknowledge that any legal matter concerning privacy will, unless otherwise required by law, be dealt with under Philippine jurisdiction. That said, we strive to be cooperative with international regulators and to respect the local laws of users as much as possible.
By using ExploreSiargao.com, creating an account, or utilizing any of our services, you acknowledge that you have read and understood this Privacy and Cookies Policy, and agree to be bound by it. If you do not agree with any aspect of this Policy, you should discontinue use of our services. We appreciate your trust in us and we commit to handling your data responsibly and lawfully.
Thank you for taking the time to read our Privacy and Cookies Policy. We aimed to make it comprehensive yet understandable. We care about your privacy and want you to feel comfortable and secure using ExploreSiargao. If you have any questions or feedback about this Policy, please don’t hesitate to reach out to us at [email protected]. Safe travels and happy exploring!
Last Updated: April 26, 2025