Oopa
Become a host
Oopa

Seamlessly connecting you with curated, shared resources. Experience access beyond ownership.

TikTok

Quick Links

  • Search
  • Become a host
  • About us

Support

  • Contact Us
  • Terms of Service
  • Privacy Policy
  • Rental Agreement
  • Trust & Safety

Get in Touch

  • Park Triangle Corporate Plaza, BGC, Taguig City, 1630
  • +63 917 324 6672
  • [email protected]
Download Our App
Download on the App StoreGet it on Google Play

© 2026 OOPA. All rights reserved.

Cookie Policy

Technical Policy

COOKIE POLICY

Document No. CP-2026-001

Effective Date

November 6, 2025

Last Revised

July 2, 2026

Jurisdiction

Republic of the Philippines

Regulatory Framework

Data Privacy Act of 2012

I. INTRODUCTION

This Cookie Policy ("Policy") explains how OOPA Philippines, Inc. ("Company," "we," "us," or "our") uses cookies and similar storage technologies on the OOPA vehicle rental platform, including the website at app.oopa.phand the mobile application available on Android and iOS ("Platform").

This Policy supplements our Privacy Policy and should be read together with it. It describes exactly which cookies and storage mechanisms are in use, who sets them, what they do, and how you can control them.

This Policy applies to the technologies actually deployed on the Platform as of the Last Revised date above. We do not use any tracking technology that is not listed here.

II. WHAT ARE COOKIES

Cookies are small text files stored on your device (computer, tablet, or smartphone) when you visit a website. They allow the website to recognize your device across requests within the same session, or across multiple visits. The Platform also uses browser localStorage, which is a similar storage mechanism with larger capacity that persists until explicitly cleared, and session storage, which is cleared when you close the browser tab.

Session cookies: Deleted automatically when you close your browser. Used for login sessions.

Persistent cookies: Remain on your device until they expire or you delete them. Used for performance monitoring.

First-party cookies: Set by OOPA directly.

Third-party cookies: Set by external services integrated into the Platform (e.g., New Relic, Cloudflare).

III. COOKIES AND STORAGE WE USE

The following table is a complete, accurate inventory of all cookies and storage technologies in use on the Platform. We do not use advertising cookies, tracking pixels, or remarketing technologies.

CATEGORY 1: STRICTLY NECESSARY

These are essential for the Platform to function. They cannot be disabled without preventing you from logging in or using core features. No consent is required for these under the DPA.

NameTypeSet ByPurposeDuration
customer_access_tokenHttpOnly, Secure cookieOOPA (1st party)Stores your authentication JWT (about 60 minutes). Proves you are logged in. Transmitted only over HTTPS, inaccessible to JavaScript.Session / auto-refreshed by token rotation
customer_refresh_tokenHttpOnly, Secure cookieOOPA (1st party)Renews your access token so you stay signed in without re-entering your password. Single-use with rotation. Inaccessible to JavaScript.Up to 30 days (web) / 90 days (app), sliding
oopa_user (localStorage)Browser localStorageOOPA (1st party)Stores minimal non-sensitive session state (your user ID, a signed-in flag, and KYC verification status) as a Zustand store, so the app can restore your session without an extra request on every page load. Contains no name, password, or payment data.Until logout or manual clear

CATEGORY 1B: FUNCTIONAL & PREFERENCES (LOCALSTORAGE)

These first-party localStorage entries remember your preferences and app state so the Platform works smoothly across visits. They stay on your device, are never used for advertising or cross-site tracking, and can be cleared at any time (see Section V). None contains your password or payment card data.

KeyPurpose
oopa-favoritesVehicles you have favorited.
oopa-view-historyRecently viewed vehicles.
oopa-saved-searchesSearches you have saved.
unified-search-storageYour current search bar state and filters.
location_historyRecent location searches in the location picker.
booking-trip-sessionAn in-progress booking / trip draft.
oopa-notificationsYour in-app notification list.
oopa_account_modeWhether you are browsing as a renter or a host.
oopa_support_chatYour support-chat conversation state.
oopa_onboarding_completedWhether you have finished first-run onboarding.
app-banner-dismissedWhether you dismissed the "Get the app" banner.
oopa-rq-v2A cache of recently loaded data (TanStack Query) for faster page loads.
reverse_geocode_cache_v1 / forward_geocode_cache_v1Cached map/geocoding lookups to reduce repeat requests.

A few short-lived sessionStorage entries are also used during sign-in and checkout (for example, to remember where to return you after a social login or a payment redirect); these clear automatically when the task completes or you close the tab.

CATEGORY 2: PERFORMANCE & MONITORING

These help us understand how the Platform performs and identify errors. They are active only in the production environment and only when the required environment variables are configured. No personally identifiable information is intentionally transmitted.

NameTypeSet ByPurposeDuration
New Relic Browser Agent (NRBA)Persistent cookie + session storageNew Relic, Inc. (3rd party, US)Collects page load times, JavaScript errors, AJAX request durations, and browser session traces for application performance monitoring and error diagnosis. Session replay is disabled. Data is retained by New Relic in the US.Up to 1 year

CATEGORY 3: NETWORK INFRASTRUCTURE (CLOUDFLARE)

The Platform's DNS and web traffic are routed through Cloudflare's global network for security, performance, and DDoS protection. Cloudflare may set cookies at the network level before a request reaches OOPA's servers. These are set by Cloudflare, Inc. (United States), not by OOPA.

NameTypeSet ByPurposeDuration
__cf_bmSecure cookieCloudflare, Inc. (3rd party, US)Bot Management: distinguishes between human users and automated bots to protect against malicious traffic and DDoS attacks.30 minutes
_cfuvidSecure cookieCloudflare, Inc. (3rd party, US)Rate Limiting: tracks users for identifying and managing abusive traffic patterns. Used in conjunction with bot management.Session
cf_clearanceSecure cookieCloudflare, Inc. (3rd party, US)Challenge Clearance: set after a visitor passes a Cloudflare security challenge (e.g., CAPTCHA or JS challenge), permitting continued access.30 minutes to 24 hours

These cookies are strictly necessary for network-level security. They cannot be disabled without potentially blocking your access to the Platform. For more information, see Cloudflare's Cookie Policy at cloudflare.com/cookie-policy.

CATEGORY 4: SOCIAL LOGIN (CONDITIONAL)

These are only relevant if you choose to log in using a social account. If you use email/password login, none of these technologies are invoked.

ProviderTypePurposeDuration
Google (accounts.google.com)Google-set cookiesOAuth 2.0 authentication flow. Google sets its own session cookies to verify your identity during sign-in. Governed by Google's Privacy Policy.Per Google's policy
Facebook (facebook.com)Meta-set cookiesOAuth 2.0 authentication flow. Meta sets its own cookies during Facebook Login. Governed by Meta's Privacy Policy.Per Meta's policy
Apple (appleid.apple.com)Apple-set tokensSign in with Apple. Apple handles authentication on its own domain; OOPA receives only an identity token. Governed by Apple's Privacy Policy.Per Apple's policy

OOPA does not place any advertising or tracking cookies on behalf of Google, Meta, or Apple. The OAuth flow is a redirect to their respective domains; any cookies they set are governed entirely by their own policies.

CATEGORY 5: MAPS (CONDITIONAL)

When you open a map or use a location / address feature, the Platform loads the Google Maps JavaScript APIfrom Google. Google serves the map tiles and may set its own cookies and receive your IP address together with the location text or coordinates you enter, governed by Google's Privacy Policy. If you do not use a map or location feature, this script is not loaded.

WHAT WE DO NOT USE:

The Platform does not use Google Analytics, Facebook Pixel, advertising cookies, retargeting cookies, heatmapping tools (Hotjar, Mouseflow), A/B testing cookies, or any other marketing or behavioural tracking technology. If this changes in the future, this Policy will be updated and you will be notified in accordance with Section VII.

IV. MOBILE APPLICATION

The OOPA mobile app (App ID: ph.oopa.app) is built with the Capacitor framework and runs as a native WebView loading m.oopa.ph. The same first-party cookies and localStorage mechanisms described in Section III apply within the WebView.

A. Push Notification Token (Firebase)

On first launch, if you grant notification permission, the app registers with Firebase Cloud Messaging (FCM), a service by Google LLC (United States), and receives a device registration token. This token:

• Is stored server-side associated with your account to enable delivery of booking updates, payment confirmations, and operator messages;

• Does not identify you personally (it identifies your device's notification channel);

• Is de-registered and deleted from our systems when you delete your account or disable push notifications.

Push notification permission is optional. You can withdraw it at any time. iOS: Settings > Notifications > OOPA > Allow Notifications (toggle off); Android: Settings > Apps > OOPA > Notifications > All OOPA notifications (toggle off).

B. Device Permissions

The mobile app may request the following permissions when relevant:

PermissionWhy it's requestedOptional?
Push NotificationsBooking updates, payment confirmations, messages from operatorsYes (app works fully without it)
Camera / Photo LibraryUploading KYC documents and profile photoYes (only requested when you initiate upload)
Location (GPS)Finding vehicles near you, prefilling your city, and setting a delivery pickup pointYes (only requested when you tap "use my location")
Storage (Android)Reading photos for KYC/profile uploadYes (only requested when you initiate upload)

Location access is optional and is only requested when you tap "use my location" (or a delivery-location picker). If you decline, you can still search by typing a location instead. When granted, your device's GPS coordinates are used to show nearby vehicles and, if you choose, to set a delivery pickup point; they are not used for advertising or continuous background tracking.

C. On-Device Monitoring & Updates

The native app includes the New Relic mobile agent, which records performance, interaction, network, and crash data to help us keep the app stable. It does not use cookies. The app also updates itself over the air by downloading signed update bundles from our own update service (hosted on Cloudflare R2); this request transmits only the app's current version, not personal data.

V. HOW TO MANAGE COOKIES

A. Browser Settings

You can view, delete, or block cookies using your browser's built-in privacy controls. Note that blocking the customer_access_token cookie will prevent you from logging in.

Google Chrome

Settings → Privacy and Security → Cookies and other site data

Mozilla Firefox

Settings → Privacy & Security → Cookies and Site Data → Manage Data

Safari (macOS)

Safari → Settings → Privacy → Manage Website Data

Safari (iOS)

Settings → Safari → Advanced → Website Data

Microsoft Edge

Settings → Privacy, Search, and Services → Cookies and Site Permissions

B. Opting Out of New Relic Monitoring

New Relic browser monitoring is injected only in the production environment. To opt out, you can:

• Use a browser content-blocking extension (e.g., uBlock Origin) and block js-agent.newrelic.com;

• Review New Relic's own privacy opt-out options at newrelic.com/termsandconditions/privacy.

C. Cloudflare Network Cookies

Cloudflare security cookies (__cf_bm, _cfuvid, cf_clearance) are strictly necessary for network security and cannot be disabled without potentially blocking access to the Platform entirely. They expire quickly (30 minutes to 24 hours) and contain no personal information beyond a hashed session identifier. For more information, see Cloudflare's Cookie Policy at cloudflare.com/cookie-policy.

D. Clearing localStorage

To clear the oopa_user localStorage entry:

• Log out of the Platform (this clears it automatically); or

• Open your browser's Developer Tools (F12) → Application tab → Local Storage → app.oopa.ph → delete the oopa_user key; or

• Use your browser's "Clear site data" or "Clear browsing data" function.

VI. DO NOT TRACK

Some browsers offer a "Do Not Track" (DNT) signal. Because there is no universal standard for how websites should respond to DNT signals, the Platform does not alter its behaviour based on DNT headers. However, because we do not use behavioural advertising or cross-site tracking cookies, the practical effect of enabling DNT on OOPA is minimal. You may use the browser and opt-out mechanisms described in Section V to control data collection more precisely.

VII. UPDATES TO THIS POLICY

This Policy is updated whenever we add, remove, or change cookies or storage technologies on the Platform. Material changes, such as adding a new third-party analytics or advertising tool, will be communicated by email to your registered address and by a prominent notice on the Platform at least fifteen (15) days before taking effect. Non-material changes (e.g., updating cookie durations or descriptions) will be reflected in an updated notice at the top of this document without advance notice.

VIII. GOVERNING LAW

This Policy is governed by the laws of the Republic of the Philippines, including Republic Act No. 10173 (Data Privacy Act of 2012) and its Implementing Rules and Regulations. Any disputes relating to this Policy shall be resolved in accordance with Section XII of our Privacy Policy.

IX. CONTACT INFORMATION

Cookie & Privacy Inquiries:

[email protected]

Registered Office:

OOPA Philippines, Inc.
Bonifacio Global City
Taguig City, Metro Manila 1634
Republic of the Philippines

ACKNOWLEDGMENT

BY CONTINUING TO USE THE PLATFORM, YOU ACKNOWLEDGE THAT YOU HAVE READ THIS COOKIE POLICY AND CONSENT TO THE USE OF THE STRICTLY NECESSARY AND PERFORMANCE COOKIES DESCRIBED HEREIN. THIS POLICY CONSTITUTES NOTICE PURSUANT TO SECTION 16(A) OF REPUBLIC ACT NO. 10173.

Legal & Policies

Terms of Service

Platform usage terms

Rental Agreement

Car rental contract

Privacy Policy

Data & privacy

Trust & Safety

Safety guidelines

Cookie Policy

Cookie usage