Sigurado
RA 10173 Compliant

Privacy Policy

Last updated: May 30, 2026

Sigurado is built specifically for Philippine dental clinics. Patient health records are Sensitive Personal Information (SPI) under the Data Privacy Act of 2012 (Republic Act 10173). We designed every part of this system around that reality — not as a compliance afterthought, but as a core feature.


Who is responsible for your data?

Under RA 10173, a Personal Information Controller (PIC) determines the purpose and means of processing personal data. A Personal Information Processor (PIP) processes data on behalf of a PIC.

  • Your clinic (the dental practice): The PIC. Your clinic decides what data to collect about patients, why, and for how long. Your clinic bears primary legal responsibility to patients under RA 10173.
  • Sigurado (operated by AI Matters): The PIP. We process patient data only on your clinic's documented instructions. We do not use patient records for any purpose beyond operating the software for your clinic.

This arrangement is formalized in our Data Processing Agreement, which every clinic accepts upon enrollment.


What data we collect and why

We collect only what is necessary for the specific purpose stated. Under Section 11 of RA 10173, personal data must be collected for specified, explicit, and legitimate purposes.

Patient identity
ExamplesFull name, date of birth, sex, contact number, address
PurposeRequired to create and link patient records; BIR-required fields for official receipts
Legal basisContract performance; legal obligation
Health records (SPI)
ExamplesMedical history, dental chart, diagnoses, procedures performed, prescriptions
PurposeCore clinical records — cannot operate as a dental practice without these
Legal basisNecessity for medical treatment under Section 12(c) of RA 10173
Payment records
ExamplesInvoice amounts, payment method, OR numbers
PurposeBilling, official receipts, BIR compliance, loyalty card management
Legal basisContract performance; legal obligation (BIR, NIRC)
Messenger / contact identifiers
ExamplesFacebook Messenger PSID (if patient opts in for reminders)
PurposeSending appointment and follow-up reminders via the channel the patient chose
Legal basisConsent — patient explicitly opts in
Clinic staff
ExamplesFull name, email, phone (admin and secretary accounts only)
PurposeAuthentication, access control, audit logs
Legal basisContract performance

We do not collect: government IDs, PhilHealth/SSS/TIN numbers (beyond what clinics choose to record), financial account numbers, or biometric data.


Patient health records are Sensitive Personal Information

Section 3(l) of RA 10173 explicitly classifies health, medical, and dental information as Sensitive Personal Information. This triggers stricter processing standards, mandatory clinic registration with the NPC (if the clinic processes SPI of 1,000 or more individuals), and heightened security obligations for both the clinic and Sigurado.


How we protect your data

  • 🔒

    Encryption in transit and at rest

    All data is transmitted over TLS 1.2+. Data at rest is encrypted by our infrastructure provider.

  • 🏗️

    Multi-tenant isolation

    Each clinic's data is logically isolated using Supabase Row-Level Security (RLS). A logged-in user for Clinic A cannot query, view, or modify any data belonging to Clinic B — enforced at the database layer, not just application code.

  • 📋

    Audit logs

    All write operations (visit records, payments, voided invoices, staff actions) are logged with a timestamp and the user who performed the action.

  • 👤

    Minimum access principle

    Staff roles are scoped: secretaries can manage patients and visits; CPA users have read-only access to financial reports only. No role has more access than it needs.

  • 🌏

    Data stored in the region

    Your clinic's data is stored in AWS ap-south-1 (Mumbai) via Supabase — the nearest compliant cloud region to the Philippines at time of writing. Data does not leave Asia-Pacific for storage.


Third-party processors

Sigurado uses the following sub-processors to operate the service. Each processes only the data necessary for its specific function. Under RA 10173 and NPC Advisory 2024-01, cross-border transfers require that the receiving party provides comparable data protection.

Supabase (via Amazon Web Services)

📍 AWS ap-south-1 — Mumbai, India

Database hosting, authentication, and file storage

Vercel Inc.

📍 United States / global CDN

Application hosting and serverless compute. No patient data is stored on Vercel — it is a compute layer only.

Meta Platforms (Facebook Messenger)

📍 United States

Delivering appointment reminders to patients who have opted in to receive them via Facebook Messenger. Only the patient's Messenger ID and the message text are transmitted. No health records are sent.

Resend

📍 United States

Transactional email delivery (reminders, invoices). Only the patient's email address and the message content are transmitted.

We do not sell, rent, or share patient data with advertising networks, data brokers, or any third party for their own commercial purposes.


Your rights as a data subject

Section 16 of RA 10173 grants the following rights to every data subject (patient):

Right to be informed

You have the right to know what personal data we hold about you, the purpose for collecting it, and how it is used.

Right to access

You may request a copy of your personal data held in the system at any time.

Right to correction

You may request that inaccurate, incomplete, or outdated personal data be corrected.

Right to erasure / blocking

You may request deletion of your personal data when it is no longer necessary for the purpose it was collected, subject to legal retention requirements.

Right to data portability

You may request your data in a structured, machine-readable format.

Right to damages

You are entitled to claim compensation for damages sustained due to inaccurate, incomplete, outdated, or unlawfully obtained personal information.

Right to file a complaint

You may lodge a complaint with the National Privacy Commission (NPC) at privacy.gov.ph if you believe your rights have been violated.

Right to object

You may object to the processing of your personal data, including processing for direct marketing purposes.

To exercise any of these rights, contact your clinic directly (they are the PIC and can fulfill most requests), or contact our Data Protection Officer at privacy@sigurado.xyz.


What happens if there is a data breach?

In the event of a personal data breach that is likely to give rise to a real risk of serious harm to data subjects, we are required by NPC Circular 2016-03 to:

  1. Notify the National Privacy Commission within 72 hours of becoming aware of the breach.
  2. Notify affected data subjects without undue delay, so they can take steps to protect themselves.
  3. Document all breaches in our security incident log, regardless of whether notification is required.

Because patient health records are Sensitive Personal Information, the threshold for mandatory notification is lower than for ordinary personal data.


How long we keep your data

Patient records are retained for as long as the clinic is actively using Sigurado, and for a reasonable transition period after account closure to allow data export. Clinics are responsible for their own retention schedules under the Medical Act of 1959 and BIR regulations, which generally require keeping records for a minimum of ten (10) years.

Messenger PSIDs and consent records are retained until the patient withdraws consent or requests deletion.


Filing a complaint with the NPC

If you believe your data privacy rights under RA 10173 have been violated and your concern has not been resolved by contacting us or your clinic directly, you may file a complaint with the National Privacy Commission:

National Privacy Commission (NPC)

Website: www.privacy.gov.ph

The NPC handles complaints, conducts investigations, and can impose penalties for violations of RA 10173.


Contact our Data Protection Officer

For any questions about this privacy policy, to exercise your data subject rights, or to report a concern:

Data Protection Officer — Sigurado (AI Matters)

Email: privacy@sigurado.xyz

We will acknowledge your request within three (3) business days and respond substantively within fifteen (15) business days, consistent with NPC expectations.


Changes to this policy

We will post any updates to this page and update the “Last updated” date at the top. Material changes — particularly any that expand data sharing or change the stated purpose of processing — will be communicated to clinic administrators by email before taking effect.