PRIVACY POLICY

Last Updated: June 11, 2026

At xs.yummybox.ph (the “Site”), operated by Yummy Box OPC (“Yummy Box XS”, “we”, “us”, or “our”), we are deeply committed to protecting the privacy, confidentiality, and security of the personal data we collect from our users. This Privacy Policy outlines how we collect, use, process, store, and protect your information in strict accordance with the Philippine Data Privacy Act of 2012 (Republic Act No. 10173).

By registering an account, provisioning our digital wallet system, or linking student profiles to our platform, you explicitly consent to the data processing practices described in this policy.

1. DISCLAIMER ON SCHOOL RELATIONSHIP & DATA SEPARATION

Yummy Box OPC is an independent, third-party food concessionaire operating on the physical school campus. We are entirely separate from Xavier School Inc. The database management, user authentication protocols, and data logs of this Site are maintained completely independently. Xavier School Inc. does not manage, host, or have direct access to the personal data or digital wallet histories securely stored within the xs.yummybox.ph infrastructure pipelines.

2. INFORMATION WE COLLECT

To provide accurate canteen meal distribution and secure transaction tracking, we collect the following categories of information:

A. Account Registration Information (Adults Only)

Because minors are prohibited from creating accounts, we collect data from Parents, Guardians, Faculty, and Staff members, including:

  • Full Name

  • Email Address

  • Contact Number / Mobile Number

  • Password hashes (encrypted)

  • Account Context Meta (e.g., Parent identifier or xs_staff verification tokens)

B. Linked Student Profiles (Provided with Parental Consent)

To map preorder trays to the correct school distribution lines, parents voluntarily provide:

  • Student First Name and Last Name

  • Grade Level and Section

C. Financial & Transactional Data

  • Digital wallet reload tracking, available store credits, balance adjustments, and localized meal purchase records.

  • Note: We do not directly collect or store credit card numbers or banking passwords on our servers. All external funding transfers are routed securely through third-party payment gateways (such as GCash, Maya, or authorized banks).

D. Technical & Session Data

  • Temporary session cookies (_woocommerce_cart) and unique system hashes used to preserve your menu configurations, maintain your authenticated session layout, and keep separate orders distinct while passing through the active cart engine.

3. HOW WE USE YOUR INFORMATION

We process personal and student data strictly for the following operational fulfillment purposes:

  • Meal Tray Allocation Logistics: To programmatically map lunch choices onto correct campus collection counters (e.g., automatically routing Grade 1-6 profiles to the Grade School Canteen and Grade 7-12 profiles to the High School Canteen).

  • Administrative Ledger Verification: To generate final, hardcoded transaction summary lines printed out for our kitchen staff to ensure the right meal goes to the right student or faculty member during designated break windows.

  • Wallet Management: To keep accurate balances, handle transaction rollbacks, and log digital credit reloads safely.

  • Platform Security: To authenticate users, prevent fraudulent access attempts, and isolate software runtime bugs.

4. DATA TRANSFERS & THIRD-PARTY DISCLOSURES

We never sell, rent, or trade your personal or student data to outside advertising brokers or unauthorized third parties. Information is only shared under the following strict conditions:

  • Authorized Canteen Personnel: Internal kitchen and distribution staff will view student names, grades, sections, and preorder selections on sorting sheets purely to hand over the meals at the distribution windows.

  • Payment Processors: Transaction details are passed securely to our external payment gateways to complete account balance reloads.

  • Legal Compliance: If required by law, statutory audit regulations, or a lawful order from a Philippine government authority, we may disclose information to protect our legitimate rights and ensure platform compliance.

5. DATA STORAGE, SECURITY & RETENTION

  • Security Safeguards: We employ robust technical, organizational, and physical security measures—including SSL encryption protocols, firewalls, and strict database access controls—to shield your information from unauthorized access, modification, or accidental data leaks.

  • Data Retention Limits: We store your personal profile and account transaction histories only for as long as your site account remains active, or as required to fulfill standard accounting, legal ledger compliance, and corporate business reporting constraints.

6. YOUR RIGHTS UNDER THE DATA PRIVACY ACT

As a data subject in the Philippines, you possess explicit rights regarding your personal information under the Data Privacy Act (DPA):

  • Right to be Informed: Knowing how your personal data is collected and handled.

  • Right to Access: Requesting a copy of the specific data parameters we hold regarding your profile.

  • Right to Rectification: Modifying or updating inaccurate student profile metadata grids instantly via your account dashboard.

  • Right to Erasure/Blocking: Requesting the permanent deletion of your account and linked student profiles from our active operational databases.

  • Right to Object: Withdrawing your explicit consent to further data processing loop strings.

7. CONTACT OUR DATA PRIVACY HANDLER

If you wish to exercise any of your statutory privacy rights, require clarification on our transactional database retention cycles, or want to file a data inquiry request, please connect directly with our data operations handler:

  • Email: privacy@yummybox.ph

  • Mailing Address: Yummy Box OPC Management, Campus Facility Desk.