Privacy Policy
Last updated: 2026-06-26 · Effective: 2026-06-26
Sebo Massage (“we”, “us”, “our”) operates the website
sebomassageandspa.com and the application at
app.sebomassageandspa.com, along with the Sebo Massage
mobile applications. This policy describes what information we collect, how we use it, and the choices
you have about your information.
1. Who we are
Sebo Massage is a booking and operations platform for massage and spa businesses operating in the
Philippines. We act as a data controller for end-user information processed through our consumer
booking surfaces, and as a data processor for information our spa partners enter into our operator
tools.
Contact us: info@sebomassageandspa.com
2. Information we collect
2.1 Information you provide
- Account information — name, email, phone number, password (stored only as a
bcrypt hash), and role (customer, owner, manager, frontdesk, therapist, or admin).
- Booking details — service selected, scheduled time, branch, therapist
preferences, focus areas, health notes you choose to share, and payment channel.
- Payment proof — if you upload an advance-payment receipt, we store the image
file so a branch operator can verify it.
- Communications — messages you send through our support channels.
2.2 Information collected automatically
- Device and log data — IP address, browser user-agent, request timestamps, and
error logs. Used for security, rate limiting, and debugging.
- Cookies — a single session cookie and a CSRF token. We do not use third-party
advertising or analytics cookies.
2.3 Information from Google (only if you connect your account)
If you connect a Google account through /account/google, we receive your Google account
email, your Google user identifier, an access token, and a refresh token. We use these only to
write events to your Google Calendar; we do not read existing events on your calendar.
2.4 Push notification tokens (only if you install our mobile app)
If you install our Customer, Shopowner, or Therapist mobile application and grant notification
permission, we receive a device-specific push token from Firebase Cloud Messaging. We use it
solely to deliver booking-related notifications (confirmations, reminders, status changes) to
your device. We never send marketing pushes without separate opt-in. You can revoke the token at
any time by signing out of the app, denying notification permission in your device settings, or
uninstalling the app — the token is invalidated the next time we attempt delivery.
3. How we use your information
- To create, manage, and notify you about your bookings.
- To process payment (we use the GCash and cash payment channels; we do not store full card
details — payment instrument data is handled by the relevant payment provider).
- To send booking confirmations, reminders, and operational emails through our SMTP provider
(Titan Email).
- To push your bookings to your Google Calendar, only if you have explicitly connected Google.
- To detect and prevent fraud, abuse, and policy violations.
- To comply with legal obligations.
4. How we share your information
We do not sell your personal information. We share it only in the following narrow cases:
- Spa operators — when you book a session, the operating branch sees your name,
phone, scheduled time, service, and any preferences you provided. This is necessary to deliver
the service.
- Service providers we rely on — hosting (Hostinger), email delivery (Titan
Email), Google Calendar (for users who connect it), and the Strontium licensing engine (only
license codes and verification responses for our spa-partner billing — never customer data).
- Legal compliance — when required by Philippine law, a valid court order, or
to protect the rights, property, or safety of Sebo Massage, our users, or others.
5. How we protect your information
- All traffic to our site and API is served exclusively over HTTPS (TLS 1.2+).
- Passwords are stored using bcrypt with a per-record salt.
- Google OAuth tokens are encrypted at rest using AES-256 keyed with our application key.
- Authentication uses short-lived bearer tokens with refresh-token rotation; staff sessions are
additionally bound to role and active-status checks on every request.
- We apply per-route rate limits and CSRF protection on all state-changing endpoints.
6. How long we keep your information
- Account records (name, email, phone, role): for as long as your account is
active, then up to 7 years after closure to satisfy Philippine tax, audit, and
anti-fraud obligations.
- Booking and payment records: 7 years from the date of the
booking, consistent with BIR record-keeping rules for service transactions.
- Health notes you share with a booking: deleted within 90 days
after the booking is completed or cancelled, since they aren't useful past the session.
- Server access and security logs: 90 days, then aggregated or
deleted.
- Push notification tokens: deleted within 24 hours of sign-out, app uninstall,
or our first failed delivery attempt to that token.
- Google account tokens: deleted within 24 hours after you disconnect Google at
/account/google, or immediately if Google reports the grant has been revoked.
7. Your rights and how to exercise them
If you are in the Philippines, you have rights under the Data Privacy Act of 2012 (RA 10173),
including: the right to be informed, to object, to access, to correct, to erase or block, to
damages, to data portability, and to file a complaint with the National Privacy Commission. We
respond to verified requests within 30 days.
To delete your account and personal data, do one of the following:
- Email privacy@sebomassageandspa.com from the
email address on your account with the subject "Delete my Sebo Massage account."
- Or write to us at the postal address in section 12 with the same request.
Once verified, we erase or anonymise personal data within 30 days. Records we are legally required
to keep (financial, tax, fraud) are retained for the periods in section 6, but are removed from
active systems and accessed only when legally required.
8. Children's privacy
Sebo Massage is not intended for children. We do not knowingly collect personal information from
anyone under 13 years old, and our booking surfaces are intended for users
18 years and older consistent with our Terms of Service. If we learn we have
collected information from a child under 13 without verified parental consent, we will delete it.
9. Where your data is stored and processed
Our application servers, database, and backups are hosted by Hostinger International Ltd.
Outbound email is delivered through Titan Email (operated by Flock FZ-LLC).
Push notifications are delivered via Firebase Cloud Messaging (Google LLC). The
relevant providers may process your data in data centres outside the Philippines (typically in
Europe, the United States, or Singapore). Where we transfer personal data across borders, we rely
on the contractual safeguards required under the Data Privacy Act and the providers' own
certifications.
10. Security incident notification
If we become aware of a personal-data breach that is likely to give rise to a real risk of serious
harm, we will notify the National Privacy Commission and affected data subjects within
72 hours of becoming aware, consistent with NPC Circular 16-03.
11. Google API services notice (Limited Use disclosure)
Sebo Massage's use and transfer of information received from Google APIs adheres to the
Google API Services User Data Policy, including the
Limited Use requirements. Specifically:
- We request the narrowest scope that works for our feature:
https://www.googleapis.com/auth/calendar.events.owned, which lets us create,
update, and delete events only on calendars the user owns. We do not request access
to read existing events, access shared calendars, or access any other Google service.
- We use Google user data only to provide the user-facing feature for which
it was granted (writing your Sebo Massage bookings to your Google Calendar).
- We do not transfer Google user data to third parties except as necessary
to provide or improve the feature, comply with applicable law, or as part of a merger,
acquisition, or sale of assets with appropriate notice.
- We do not use Google user data for serving advertisements, including
retargeting, personalised, or interest-based advertising.
- We do not use Google user data to develop, improve, or train generalised
or generative AI/ML models.
- We do not allow humans to read Google user data unless: (a) we have your
affirmative agreement for specific messages, (b) it is necessary for security purposes
(such as investigating abuse), (c) it is necessary to comply with applicable law, or
(d) the data is aggregated and used for internal operations.
- You can revoke Sebo Massage's access at any time at
your Google
account's permissions page or by tapping "Disconnect Google" in the app.
12. Contact us
General privacy questions:
privacy@sebomassageandspa.com
General support: info@sebomassageandspa.com
Our postal address is available on request by emailing the above. If you are not satisfied with
our response, you may file a complaint with the
National Privacy Commission of the
Philippines (NPC) at complaints@privacy.gov.ph.
13. Changes to this policy
We may update this policy from time to time. We will post the new effective date at the top of this
page. If the change is material, we will also notify you by email or an in-app banner before it
takes effect.
← Back to home ·
Terms of Service