Oopa
Become a host
Oopa

Seamlessly connecting you with curated, shared resources. Experience access beyond ownership.

TikTok

Quick Links

  • Search
  • Become a host
  • About us

Support

  • Contact Us
  • Terms of Service
  • Privacy Policy
  • Rental Agreement
  • Trust & Safety

Get in Touch

  • Park Triangle Corporate Plaza, BGC, Taguig City, 1630
  • +63 917 324 6672
  • [email protected]
Download Our App
Download on the App StoreGet it on Google Play

© 2026 OOPA. All rights reserved.

Cookie Policy

Legal Document

PRIVACY POLICY

Document No. PP-2026-001

Effective Date

November 6, 2025

Last Revised

July 2, 2026

Jurisdiction

Republic of the Philippines

Governing Law

Data Privacy Act of 2012

I. PREAMBLE

This Privacy Policy ("Policy") constitutes a legally binding agreement between OOPA Philippines, Inc. ("Company," "we," "us," or "our") and any individual or entity ("User," "you," or "your") accessing or utilizing the OOPA vehicle rental platform, including the website at app.oopa.phand the mobile application available on Android and iOS ("Platform"). This Policy governs the collection, processing, storage, and disclosure of Personal Information and Sensitive Personal Information as defined under Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012 ("DPA").

BY ACCESSING OR USING THE PLATFORM, YOU EXPRESSLY ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO BE BOUND BY THE TERMS OF THIS POLICY. IF YOU DO NOT AGREE, YOU MUST IMMEDIATELY CEASE ALL USE OF THE PLATFORM.

II. INFORMATION COLLECTION

A. Account and Profile Information

When you register an account, the Company collects:

1. Basic Identifiers: Full legal name, email address, mobile telephone number, date of birth, and residential address;

2. Authentication Credentials: A one-way hash of your password (hashed with bcrypt; we never store your password in readable form). Where you choose social login, we do not store your social media password or the provider's OAuth tokens; we retain only the provider name (Google, Facebook, or Apple), the provider-issued user ID, and your email address to link your account;

3. Profile Photo: Profile photograph uploaded by you or retrieved from your social login provider with your consent.

B. Identity Verification (KYC) Data

In order to comply with regulatory requirements and ensure platform safety, we require identity verification before you can complete a booking. During the Know-Your-Customer ("KYC") process, we collect:

1. Government-issued identification documents (e.g., PhilSys National ID, passport, SSS/UMID, PhilHealth, or postal ID);

2. Driver's license, front and back (number, expiry, issuing authority);

3. A proof of billing / address document;

4. A selfie photograph (a facial image, typically taken while holding your physical identity document). A facial image is treated as Sensitive Personal Information under the DPA and is handled under heightened security controls.

KYC documents and your selfie are stored in encrypted, access-controlled cloud storage and are accessible only to authorized personnel for verification purposes. Any image-quality, document, or face-comparison checks run on your own device (in your browser or app) and are advisory only; we do not use any automated biometric-matching or liveness-detection service, and every verification decision is made by a human reviewer.

Explicit Consent for Your Selfie / Facial Image:

Because a facial image is Sensitive Personal Information, Section 13 of the DPA requires your separate, explicit, and informed consent to collect and process it. Before submitting your KYC documents, you will be presented with a dedicated consent declaration (distinct from the general Terms of Service) describing the purpose, scope, and retention of this processing. Submitting your KYC documents constitutes acknowledgment of that consent declaration. You may withdraw consent and request deletion of your selfie and identity documents at any time by contacting [email protected], subject to any legal retention obligations.

C. Booking and Transaction Data

1. Booking references, vehicle selection, rental dates and times, pickup/drop-off location preferences;

2. Reservation fees, balance payments, applied discount and promo codes, affiliate referral data;

3. Booking status history and audit trail (e.g., creation, payment confirmation, operator approval, pickup, return);

4. Walk-in customer information recorded on your behalf by an operator (name, phone, email) where applicable.

D. Payment Information

Online payment transactions are processed by our third-party payment gateways, currently Xendit, PayRex, and PayMate. All card and e-wallet details are entered on the gateway's own secure hosted checkout page; the Company does not receive or store your complete card numbers. We retain:

1. Payment gateway transaction identifiers and references;

2. Payment method type (e.g., card, e-wallet, QR Ph, online banking);

3. Payment status, amount, and timestamp;

4. For manual or bank-transfer payments, the sender's account name, the transaction reference, and any proof-of-payment image you upload;

5. Billing addresses where provided.

Your card details are handled by the payment gateway on its own systems, not by OOPA. Please refer to the respective gateway's privacy policy for how it handles your payment credentials.

E. Communications and Messaging Data

The Platform provides a real-time in-app messaging feature connecting customers and vehicle operators. We collect and store:

1. Text messages exchanged between users within booking conversations and vehicle inquiry threads;

2. Files and images attached to messages (up to 20 MB per file; images are automatically compressed for delivery);

3. Message timestamps, read receipts, and message status metadata;

4. Customer support correspondence and dispute records.

F. Automatically Collected Information

When you access the Platform, we automatically collect technical data including:

1. Device identifiers, IP addresses, browser type and version, operating system;

2. Usage data: pages viewed, access times, navigation patterns, vehicle search queries and filters applied;

3. Approximate geolocation (city/region) derived from your IP address, including via Cloudflare edge headers or a fallback IP-geolocation lookup (see Section IV);

4. Precise geolocation (device GPS or browser location), collected only when you actively use a "near me" / "use my location" feature and grant permission, to show nearby vehicles, prefill your city, and set delivery pickup points (see Sections II.H and III.C). You may decline or revoke this permission at any time;

5. HTTP session cookies used for authentication (see Section II.G below);

6. Performance and error monitoring data collected by the New Relic Browser Agent (see Section IV.B).

G. Cookies and Session Tokens

The Platform uses HTTP cookies and browser storage to maintain authenticated sessions and support platform functionality. The following table describes all cookies and storage mechanisms in use:

Name / TechnologyTypeSet ByPurposeDuration
customer_access_tokenSession cookie (HttpOnly, Secure)OOPA (1st party)Authenticates your session; contains a short-lived JWT (about 60 minutes). Strictly necessary.Session / auto-refreshed
customer_refresh_tokenSession cookie (HttpOnly, Secure)OOPA (1st party)Renews your session so you stay signed in without re-entering your password; single-use with rotation. Strictly necessary.Up to 30 days (web) / 90 days (app), sliding
oopa_user (localStorage)Browser localStorageOOPA (1st party)Stores minimal non-sensitive session state (your user ID, a signed-in flag, and KYC status) so the app can restore your session without an extra request. Contains no name, password, or payment data. Strictly necessary.Until logout or cleared
New Relic Browser AgentPersistent cookie / session storageNew Relic (3rd party, production only)Performance monitoring: page load times, JS errors, session traces. Active only in production. No personally identifiable data is intentionally transmitted.Up to 1 year

The authentication cookies (customer_access_token and customer_refresh_token) are strictly necessary for the Platform to function and cannot be disabled without losing access to your account. The New Relic monitoring script is only injected in the production environment and is not active during local development or testing. In addition to the entries above, the Platform stores non-sensitive preferences and app state in your browser's localStorage (for example your favorites, recently viewed vehicles, saved searches, search filters, a booking draft, and cached map/geocoding results). These stay on your device, are not used for advertising or cross-site tracking, and are itemized in full in our Cookie Policy.

How to manage or opt out of cookies:

You may clear all browser cookies and localStorage data at any time through your browser's privacy or settings menu (typically under "Clear browsing data" or "Site data"). Clearing session cookies will log you out. To opt out of New Relic browser tracking specifically, you may use a browser extension that blocks analytics scripts, or consult New Relic's opt-out page at newrelic.com/termsandconditions/privacy.

H. Mobile Application Data

OOPA is available as a native mobile application on Android and iOS (App ID: ph.oopa.app), built using the Capacitor framework. When you use the mobile app, we may additionally collect:

1. Push Notification Token: A device registration token issued by Firebase Cloud Messaging ("FCM") upon your consent to receive push notifications. This token enables delivery of booking updates, payment confirmations, and operator messages to your device;

2. Device Information: Mobile device model, operating system version, and app version for compatibility and debugging purposes;

3. App Interaction Data: In-app navigation and interaction events, network request metadata, and crash reports collected by the New Relic mobile agent for stability and performance monitoring;

4. Precise Location (optional): With your permission, your device's GPS location, used only while you use a "near me" or delivery-location feature to find nearby vehicles and set pickup points. You may decline or revoke this in your device settings at any time;

5. Over-the-Air Updates: To keep the app current, it may download signed update bundles from our update service; this transmits only the app's current version, not personal data.

Push notification permissions are optional. You may withdraw consent at any time through your device's notification settings without affecting your ability to use the Platform.

I. Third-Party Sources

Where you register or log in using a social account, we receive from the respective provider (Google, Facebook, or Apple) only the information necessary to create or link your account (typically your name, email address, and provider-issued unique identifier), subject to your privacy settings with that provider.

III. PURPOSE AND LEGAL BASIS FOR PROCESSING

A. Primary Purposes (Contractual and Legal Necessity)

The following purposes are necessary for the performance of the contract between you and the Company, or for compliance with legal obligations:

1. Creating and managing your account, authenticating your identity, and maintaining platform security;

2. Conducting KYC and identity verification to prevent fraud and protect all platform users;

3. Processing, confirming, and managing vehicle rental bookings;

4. Facilitating payment transactions through our payment gateways (Xendit, PayRex, or PayMate);

5. Enabling real-time communication between customers and operators;

6. Sending transactional notifications (booking confirmations, payment receipts, status updates) via email and push notification;

7. Maintaining booking audit trails for dispute resolution;

8. Compliance with the DPA, Bureau of Internal Revenue requirements, and other applicable Philippine law.

B. Legitimate Interests

1. Platform performance monitoring and error diagnosis using New Relic APM and Browser Agent;

2. Detection and prevention of fraudulent, abusive, or illegal activity;

3. Security incident investigation and response.

C. Consent-Based Purposes

The following activities are conducted only upon your prior consent:

1. Sending promotional communications, special offers, and marketing messages;

2. Delivering push notifications to your mobile device via Firebase;

3. Accessing your device's precise location to show nearby vehicles and set delivery pickup points;

4. Market research, surveys, and user experience studies;

5. Personalized vehicle recommendations and content.

You may withdraw consent for any of the above at any time without prejudice to the lawfulness of processing conducted prior to withdrawal.

How to withdraw consent / opt out of marketing:

• Marketing emails: Click the "Unsubscribe" link in any marketing email, or email [email protected] with subject "Unsubscribe".

• Push notifications: Disable notifications for OOPA in your device's Settings app (iOS: Settings > Notifications > OOPA; Android: Settings > Apps > OOPA > Notifications).

• Personalized recommendations: Email [email protected] to opt out of profiling-based content.

Opting out of marketing does not affect transactional notifications (booking confirmations, payment receipts), which are necessary for service delivery.

D. Automated Decision-Making and Profiling

In accordance with Section 25(g) of the DPA Implementing Rules and Regulations, we disclose the following regarding automated processing activities:

1. Identity verification scoring: The KYC verification process may involve automated preliminary checks (e.g., document format validation, image quality assessment) prior to human review. No booking is approved or rejected solely by automated means. All KYC decisions are reviewed by a human operator.

2. Booking availability: Vehicle availability and pricing are determined by automated algorithms based on requested dates and vehicle configuration. This does not constitute profiling of individual users.

3. Fraud detection: Automated signals may flag transactions for additional review. Flagged transactions are reviewed by personnel before any adverse action is taken.

You have the right to request human review of any automated decision that significantly affects you, to express your point of view, and to contest the decision by contacting our Data Protection Officer at [email protected].

IV. THIRD-PARTY SERVICE PROVIDERS

The Company engages the following categories of sub-processors. All sub-processors are bound by data processing agreements requiring them to maintain confidentiality and process data only for specified, authorized purposes.

Service ProviderCategoryData Processed
XenditPayment GatewayTransaction data, payer name, amount, and billing information (card/e-wallet details are entered on the gateway's hosted page)
PayRexPayment GatewayTransaction data, payer name, amount, and billing information (card/e-wallet details are entered on the gateway's hosted page)
PayMatePayment GatewayTransaction data, payer name, amount, and billing information (card/e-wallet details are entered on the gateway's hosted page)
DigitalOceanCloud Infrastructure & StorageAll platform data, including uploads, KYC documents, and photos held in Spaces object storage, and full-text search indexes of vehicle listings and messages (Managed OpenSearch); Singapore region
CloudflareDNS, CDN, DDoS, Workers & R2 StorageSource IP addresses and HTTP request metadata of all users (for routing, caching, and security); and mobile app update bundles stored in R2
New RelicApplication & Mobile Performance MonitoringPerformance metrics, error and crash logs, request metadata, and browser/mobile session traces
Firebase Cloud Messaging (Google)Push NotificationsDevice push notification tokens and notification content (mobile app only, with consent)
Brevo (Sendinblue)Transactional & Marketing Email DeliveryRecipient name, email address, and email content, including any PDF attachments
Microsoft (Graph / Office 365)Email Delivery (alternate)Same as Brevo, only while this provider is the one enabled for email delivery
Google Maps PlatformMaps, Places & GeocodingLocation search text and latitude/longitude, including delivery addresses, when you use a map or location feature
ipwho.is / ipapi.coIP Geolocation (fallback)Your public IP address, to estimate your city/region when Cloudflare edge location is unavailable
Google / Facebook / AppleOAuth Social LoginName, email, and provider user ID (only upon your initiation)

A. Disclosure to Other Users

Upon confirmation of a booking, the Company discloses limited Personal Information (specifically your display name, profile photograph, and aggregate user rating) to the counterparty (operator or customer) for the sole purpose of facilitating the rental arrangement. Vehicle operators are not provided your full identification documents, payment details, or KYC selfie.

B. Legal Obligations and Government Authorities

The Company may disclose Personal Information when required by applicable law, court order, or upon lawful demand from governmental or regulatory authorities, including but not limited to the National Privacy Commission, Philippine National Police, Anti-Money Laundering Council, or other agencies in the exercise of their lawful functions. We will, to the extent permitted by law, notify you before such disclosure.

C. Business Transfers

In the event of a merger, acquisition, reorganization, or sale of all or substantially all of our assets, Personal Information may be transferred to the acquiring entity. We will provide notice of such transfer and ensure that the recipient is bound by terms no less protective than this Policy.

V. DATA SECURITY MEASURES

A. Technical Safeguards

1. Transport Layer Security (TLS 1.2/1.3) encryption for all data in transit;

2. Encryption at rest for all stored data including KYC documents and selfie images;

3. HttpOnly, Secure-flagged authentication cookies, not accessible to client-side scripts;

4. Short-lived JWT access tokens with automated refresh token rotation;

5. API rate limiting on all authentication endpoints to mitigate brute-force attacks;

6. HMAC-SHA256 authentication for internal service-to-service communication;

7. Automated malware/virus scanning (ClamAV) of files uploaded to the Platform;

8. Regular security assessments and dependency auditing;

9. Intrusion detection systems and real-time monitoring via New Relic.

B. Organizational Safeguards

1. Role-based access controls and the principle of least privilege for all system access;

2. Confidentiality and data processing agreements with all personnel and contractors;

3. Mandatory data protection awareness training;

4. Documented incident response and breach notification procedures in accordance with NPC Circular 16-03.

C. Personal Data Breach Notification

In the event of a personal data breach that is reasonably likely to give rise to a real risk of serious harm to affected data subjects, the Company shall:

1. Notify the National Privacy Commission within seventy-two (72) hours of becoming aware of the breach, where feasible, as required by NPC Circular 16-03;

2. Notify affected data subjects within thirty (30) calendar days from the discovery of the breach, providing: a description of the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to be taken to address the breach;

3. Maintain a record of all breaches, including those not required to be notified, for audit and regulatory purposes.

Notification to data subjects may be delayed beyond thirty (30) days only where law enforcement determines that notification would impede a criminal investigation, subject to subsequent NPC approval.

DISCLAIMER:

Notwithstanding the foregoing security measures, no method of electronic transmission or storage can be guaranteed absolutely secure. The Company shall not be held liable for unauthorized access resulting from circumstances beyond its reasonable control, including zero-day exploits or user account compromise due to weak or reused passwords. You are responsible for maintaining the confidentiality of your account credentials.

VI. DATA SUBJECT RIGHTS

Under Republic Act No. 10173 (Data Privacy Act of 2012) and its Implementing Rules and Regulations, you are entitled to the following rights with respect to your Personal Information:

A. Right to Be Informed

You have the right to be notified of the collection, processing, and disclosure of your Personal Information, including the identity of third parties to whom data is disclosed.

B. Right to Access

You may request copies of your Personal Information that is in our possession or control, and information about how it has been processed.

C. Right to Object

You may object to the processing of your Personal Information for direct marketing purposes, automated decision-making, or profiling activities. You may also withdraw consent for consent-based processing (e.g., push notifications, marketing emails) at any time.

D. Right to Erasure or Blocking

You may request deletion or blocking of your Personal Information where it is no longer necessary for the purposes for which it was collected, or where processing is unlawful. Account deletion requests may be submitted directly through the Platform at Profile > Delete Account. Certain data may be retained beyond deletion as required by law (see Section VII).

E. Right to Rectification

You may update or correct inaccurate or incomplete Personal Information through the Platform profile settings, or by contacting our Data Protection Officer.

F. Right to Data Portability

You may request a copy of your Personal Information in a structured, commonly-used, machine-readable format suitable for transfer to another service provider.

G. Right to Damages

You may institute a complaint or seek indemnification before the National Privacy Commission or competent courts for damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of Personal Information.

How to Exercise Your Rights:

Submit a written request to our Data Protection Officer. Include your full name, registered email address, and a clear description of the right you wish to exercise.

Email: [email protected]

Address: OOPA Philippines, Inc., Data Protection Officer, Bonifacio Global City, Taguig City, Metro Manila 1634

Requests shall be acknowledged within five (5) business days and processed within fifteen (15) calendar days from receipt. Complex requests may require up to thirty (30) calendar days, with notice provided.

Filing a Complaint with the NPC:

If you believe your data privacy rights have been violated, you may file a complaint directly with the National Privacy Commission. Under NPC Circular No. 2020-01, complaints must be filed within one (1) year from the date you knew or ought to have known of the processing complained of, or in case of a continuing violation, within one (1) year from the time the processing ceased. We encourage you to contact our DPO first at [email protected] so that we may attempt to resolve your concern before escalation.

NPC Website: www.privacy.gov.ph

NPC Email: [email protected]

VII. DATA RETENTION AND DISPOSAL

Personal Information is retained only for as long as necessary to fulfill the purpose for which it was collected, or as mandated by applicable law. Upon the expiration of the applicable retention period, data is securely disposed of through irreversible deletion or anonymization.

Standard Retention Schedule:

• Account and Profile Information: Retained for 7 years from account closure or last verified activity

• Transaction and Booking Records: 10 years, per Bureau of Internal Revenue requirements

• KYC and Verification Documents: 7 years from account closure, consistent with DPA requirements

• In-App Messages and Communications: 3 years from the date of last activity in the conversation

• Payment Gateway Records: As directed by Xendit, PayRex, and PayMate subject to their own regulatory obligations

• Technical and Access Logs: 180 days from generation

• Push Notification Tokens: Retained while your account is active; removed upon account deletion or token de-registration

When you submit an account deletion request, your account is immediately deactivated: it is marked as deleted, your active sessions are revoked, and you can no longer sign in or use the account. Your personal data is then retained, inaccessible for ordinary platform use, only for the periods set out in the schedule above (for example, to meet tax, accounting, dispute-resolution, and other legal obligations), after which it is deleted or anonymized. Booking and transaction records associated with completed rentals are retained for the applicable periods set out above.

VIII. CROSS-BORDER DATA TRANSFERS

The Platform operates on infrastructure hosted by DigitalOcean in the Singapore region. Web traffic is additionally routed through Cloudflare(United States) for DNS resolution, content delivery, and DDoS protection, meaning Cloudflare processes request metadata (including source IP addresses) for all users. Certain data may also be transmitted to service providers located outside the Philippines, including New Relic (United States), Google Firebase and Google Maps Platform (United States), our email provider Brevo/Sendinblue (European Union) or, where enabled, Microsoft (United States/European Union), and the IP-geolocation providers used as a fallback for approximate location. All such cross-border transfers are conducted in accordance with the National Privacy Commission's guidelines on cross-border data transfers and under contractual mechanisms, including standard contractual clauses, that provide an adequate level of data protection equivalent to that required under the DPA.

IX. CHILDREN'S PRIVACY

The Platform is not directed to individuals under eighteen (18) years of age. We do not knowingly collect Personal Information from minors. If you are a parent or guardian and believe your child has provided us with Personal Information, please contact our Data Protection Officer immediately so that we may take appropriate action.

X. AMENDMENTS TO THIS POLICY

The Company reserves the right to amend, modify, or update this Policy at any time to reflect changes in our practices, technology, legal requirements, or other factors. Material changes will be communicated through a prominent notice on the Platform and by email to your registered address at least thirty (30) days prior to the effective date of the revised Policy. Your continued use of the Platform after the effective date of any amendment constitutes your acceptance of the revised Policy.

XI. CONTACT INFORMATION

Data Protection Officer:

[email protected]

Registered Office:

OOPA Philippines, Inc.
Bonifacio Global City
Taguig City, Metro Manila 1634
Republic of the Philippines

National Privacy Commission (NPC):

You may file a complaint with the NPC if you believe your data privacy rights have been violated:
Website: www.privacy.gov.ph
Email: [email protected]

XII. GOVERNING LAW AND DISPUTE RESOLUTION

This Policy shall be governed by and construed in accordance with the laws of the Republic of the Philippines, including Republic Act No. 10173 (Data Privacy Act of 2012), its Implementing Rules and Regulations, and all relevant issuances of the National Privacy Commission.

Any dispute, controversy, or claim arising out of or relating to this Policy, or any breach, termination, or invalidity thereof, shall first be submitted to the Data Protection Officer for internal resolution. If the matter is not resolved within thirty (30) calendar days, either party may escalate the dispute to the National Privacy Commission pursuant to its rules of procedure, or to the appropriate courts of competent jurisdiction in Taguig City, Metro Manila, Philippines, to the exclusion of all other venues.

Nothing in this clause shall limit your right to file a complaint with the NPC at any time as provided under the Data Privacy Act of 2012 and the rights described in Section VI of this Policy.

ACKNOWLEDGMENT

BY USING THE PLATFORM, YOU ACKNOWLEDGE THAT YOU HAVE READ THIS PRIVACY POLICY IN ITS ENTIRETY, UNDERSTAND ITS CONTENTS, AND AGREE TO BE LEGALLY BOUND BY ITS TERMS AND CONDITIONS. THIS POLICY CONSTITUTES NOTICE PURSUANT TO SECTION 16(A) OF REPUBLIC ACT NO. 10173.

Legal & Policies

Terms of Service

Platform usage terms

Rental Agreement

Car rental contract

Privacy Policy

Data & privacy

Trust & Safety

Safety guidelines

Cookie Policy

Cookie usage