1. This Privacy Policy was updated on 01-March 2025 and is effective from that date.
The purpose of this Privacy Policy is to provide information on how Personal Data (i.e. data that relates to an identified individual or an identifiable individual) is collected, stored, disclosed, destroyed and generally processed by or within the CloudCfo Web App.
This Privacy Policy also outlines CloudCfo’s Data Privacy obligations and confidentiality requirements, together with information on the rights of Data Subjects.
We encourage all users of the Web App to read and understand this Privacy Policy prior to using the Web App. Please ensure to review all Terms carefully prior to confirming your agreement and consent. If you do not agree to any provisions of this Privacy Policy, you should not use the Web App.
This Privacy Policy applies to the CloudCfo Web App, a web-based process and task management application (the “Web App”) which supports the provision of accounting, bookkeeping, payroll and finance services offered to clients globally by the CloudCfo group of companies (the “CloudCfo Services”) and any Personal Data that is processed via the Web App.
The Web App is the primary interface for task management, process monitoring, document exchange and communications between CloudCfo and customers who have contracted CloudCfo for the purposes of engaging CloudCfo Services (“Customers”) under the primary CloudCfo service agreement (the “Service Agreement”).
This Privacy Policy does not apply to any third-party applications or products which are made available as third party integrations, or APIs, by CloudCfo via the Web App. Any such third party applications or products should have their own Data Privacy policies and protocols specific to those applications or products. As such, the relevant third party should be contacted directly for any queries regarding Data Privacy involving such third party applications and products.
For the purposes of this Privacy Policy, the following definitions shall apply:
Customer: A Customer is the company or organization that has contracted with CloudCfo, under the Service Agreement, for the purposes of engaging the CloudCfo Services. Any decision and actions agreed and/or taken by the Customer will be taken via the main Customer representative(s) or principals identified by the Customer to the CloudCfo Team. In the case of one person businesses, whether registered or not, the “Customer” shall be the principle of that business.
Authorized User: Any individuals who are authorized by the Customer to receive login details and access to the Web App in order to support the Customer’s with CloudCfo.
For the purposes of this Privacy Policy, any reference to “CloudCfo”, “We”, or “Us” shall refer to the CloudCfo entity with which the Customer has engaged and contracted. Further, any reference to “You” may refer to a Customer or an Authorized User, depending on the applicable capacity of the individual or company reading and agreeing to these Terms.
To enable CloudCfo perform the CloudCfo Services under the Service Agreement, the Customer will be required to provide CloudCfo with documents, information and data on an ongoing basis. This information will generally be uploaded to and stored on the Web App by the Customer, or by CloudCfo on behalf of the Customer.
In most cases, the type of information that the Customer will be required to provide to CloudCfo will not be classified as Personal Data, as the data will be largely finance-related (i.e. it does not contain identifiable information relating to individuals).
There will, however, be various types of Personal Data contained within the information provided by Customers via the Web App, depending on the Customer business model, commercial activities and the nature of the CloudCfo Services. CloudCfo will also collect Personal Data directly from Web App users via the Web App.
Personal Data provided by Customers and Authorized Users can be divided into two primary categories:
Customer Data: In order for CloudCfo to be able to perform the CloudCfo Services, Customers and Authorized Users will receive access details for a Web App account which will enable them to submit data to their designated CloudCfo Team via the Web App. This data will be generated by the Customer (or by third parties affiliated with the Customer) in the ordinary course of the Customer’s business prior to uploading to the Web App. For the purposes of this Privacy Policy, Customer Data shall refer to any Personal Data within the data uploaded by the Customer into the Web App.
See Appendix 1 of this Privacy Policy to understand the Categories of Customer Data that are regularly provided to CloudCfo via the Web App.
User Data: This includes Personal Data generated or submitted by Customers or Authorized Users when creating and utilizing their Web App Accounts. It also includes Personal Data that is collected by the Web App, through an automated collection method, which helps CloudCfo to analyze Web App performance, understand user behaviour, identify login frequency and locations and in general, help CloudCfo to provide a higher level of user experience across the Web App. For the purposes of this Privacy Policy, User Data shall refer to the Personal Data that is collected from specific Web App users as a result of them creating a Web App account or using the Web App. CloudCfo may collect, process and store the following types of information, via the Web App, which may be classified as User Data:
Cookies - We may use Cookies on the Web App to help us to recognize different web browsers and provide us with details about when, how and why a user accesses the Web App and understand their behaviour on the Web App. This includes information listed below. While not all information collected by Cookies will be Personal Data, some of the information collected can be classified as Personal Data. For further information on Cookies, please reference the Section below entitled “Use of Cookies”.
User Account Information - standard information required for opening an online account (name, email address, contact number, company, job title);
User Logs - this relates to the automated collection of user activities within the Web App, including browser type and settings, pages visited, time spent, IP Addresses, searches
Device/Media - the type of device used to access the Web App, and potentially, IP address (or proxy server), device and application serial numbers, general location, browser type, hardware model, operating system;
Geo-Location - Identifying where a user is based (which may be more on a general basis, than a precise location). How much information we collect about location may depend on the type and settings of the device utilized to access the Web App.
For the purposes of this Privacy Policy, each of the above two categories (i.e. Customer Data and User Data) will be treated separately, particularly from the perspective of who is the Controller of the Personal Data and who is the Processor of the Personal Data in each instance.
This Privacy Policy will be updated from time to time to reflect any significant changes in the categories of Personal Data that are regularly collected or processed by CloudCfo via the Web App.
Data Privacy laws in the Philippines, Singapore and many other countries around the world, including the GDPR framework, provide for a clear distinction between a) a Personal Information Controller (the “Controller”) of Personal Data and b) a Personal Information Processor (the “Processor”) of Personal Data. Depending on the specific designation, different obligations and responsibilities will apply to the Controller or Processor entity.
Depending on the source and method of Personal Data being collected and/or processed, CloudCfo may be either a Controller or a Processor of Personal Data, as outlined below:
Customer Data - In almost all circumstances, for any Personal Data generated or supplied by a Customer and submitted via the CloudCfo Web App (i.e. Customer Data), the Customer will remain the Controller, while CloudCfo, via the Web App, will be the Processor;
User Data - For any User Data automatically collected by or within the Web App, CloudCfo will be the Controller.
Whether CloudCfo is acting in the capacity of a Controller or a Processor, the relevant CloudCfo Controller or Processor entity will generally (save for in limited circumstances) depend on which CloudCfo entity the Customer has contracted with for the purposes of engaging CloudCfo’s services under the Service Agreement, as outlined below:
CloudCfo, Inc. will be the Controller of User Data and the Processor of Customer Data which relates to Customers and Authorized Users who are utilizing the Web App on behalf of Customers domiciled in the Philippines. CloudCfo, Inc. is a company incorporated under the laws of the Philippines, with registered business address of 2F Paragon Plaza, 162 EDSA cor. Reliance Street, Mandaluyong, Metro Manila;
CloudCfo Pte. Ltd. will be the Controller of User Data and the Processor of Customer Data which relates to Customers and Authorized Users who are utilizing the Web App on behalf of Customers that are domiciled outside of the Philippines. CloudCfo Pte. Ltd. is a company incorporated under the laws of Singapore, having its registered office at 160 Robinson Road, #14-04 Singapore Business Federation Centre, Singapore 068914.
The legal basis for CloudCfo collecting and processing Personal Data will vary depending on the type of Personal Data as outlined below:
Customer Data
Contract
Any Customer Data that will be processed by CloudCfo on behalf of Customers will be processed in order to perform the CloudCfo Services under the Service Agreement. As such, the legal basis for the processing of Customer Data will be the fulfillment of obligations under a contract.
In the above circumstances, the Customer will remain the Controller and as such, it will be the responsibility of the Customer to ensure that the Customer has obtained all necessary consents and authorizations from all Data Subjects to allow for the transfer or disclosure of Personal Data to CloudCfo (acting as a third party and outsourced provider) via the Web App.
User Data
Legitimate Interests
Where Customers and Authorized Users voluntarily sign up to, access and use the Web App, CloudCfo will be processing their Personal Data in accordance with the legitimate interests of CloudCfo, which generally include a) improving Web App performance, b) understanding Customer and Authorized User behaviour, c) identifying necessary features and functionalities of the Web App d) improving Web App security.
When relying on CloudCfo’s legitimate interests as a legal basis for processing Personal Data, we will ensure to always balance the necessity to process Personal Data against the rights that a Customer or Authorized Use has as a Data Subject and ensure it is appropriate and justified for CloudCfo to engage in such data processing.
Consent
This relates to where a Customer or Authorized User has given their consent regarding the collection and use of Personal Data via the Web App. Customers and Authorized Users are free to revoke or withdraw their consent at any time in the future, however, this may impact the ability of such Customer or Authorized User to access and use the Web App.
Customer Data
Customer Data will generally be provided by the Customer or Authorized User directly via the various upload functions provided for by the Web App, as outlined below:
Manual Upload - by either a Customer, Authorized User or the CloudCfo Team into a specific Task on the Web App via the “File Upload” function;
Web App Inbox - This involves the sending of an email and/or files to a designated “Inbox email” which automatically extracts and stores the email and any attachment(s) within the Web App library;
Reply to Email Notifications - A direct response/reply to an email notification received after an activity actioned within the Web App will result in the automated storage of that response email (and attachment, if applicable) within the Web App.
User Data
The Web App, may from time to time, track sign-in data and user activity within the Web App via an automated data collection process.
CloudCfo will ensure to process any Personal Data collected via the Web App in accordance with the original purpose for which the Personal Data was collected depending on the category of Personal Data collected.
Customer Data
Any Customer Data will be processed by the CloudCfo Team within the Web App for the purposes of fulfilling CloudCfo’s obligations to perform the accounting, bookkeeping, finance and/or payroll services for which CloudCfo was engaged under the Service Agreement.
User Data
User Activity Data: The Web App will track such data for the purposes of improving the Web App’s interface, performance and platform for the benefit of Customers and the CloudCfo Team. Processing is required to understand user behaviour and to help improve the overall Customer experience when using the Web App.
Newsletter Subscribers - Customers and Authorized Users who “Opt-In” to be added as a subscriber to the CloudCfo Newsletter Mailing List will be reviewed and manually encoded into our Newsletter Management System. We currently use MailChimp to manage our Mailing List subscribers and Newsletter creation and issuing. In every Newsletter that is issued, subscribers are provided with an opportunity to unsubscribe or withdraw their consent from the Newsletter Mailing List. To learn more about how MailChimp collects and processes data (including Personal Data), you may refer to the MailChimp Privacy Center.
Depending on the jurisdiction, “Sensitive Personal Information” will generally refer to Personal Data which is specifically about an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations, health, education, genetic or sexual life, criminal offences (including alleged offences) and court proceedings, government agency information such as social security numbers, health records, licenses, tax returns or any information classified by an executive order or an act of Congress. Types of Sensitive Personal Information may vary depending on a Web App user's specific jurisdiction, however, such data will generally be subject to additional safeguards and protections under Data Privacy law.
To the extent possible, CloudCfo aims to limit the collection or processing of Sensitive Personal Information and will only ever request Sensitive Personal Information in circumstances where it is absolutely necessary for a stated purpose. However, through the individual choice of a Customer or Authorized User, they may opt to provide Sensitive Personal Information to CloudCfo via the Web App.
At all times, Sensitive Personal Information will be maintained securely and in the strictest of confidence via the organizational, physical and technical security measures that CloudCfo has developed and put in place.
For further information on the types of Sensitive Personal Information that may be provided to CloudCfo by Customers and Authorized Users from time to time, see Appendix 1 of this Privacy Policy.
CloudCfo will only retain Personal Data for as long as it is strictly necessary in order to fulfill the original purpose(s) or reason(s) for which it was collected, or, as may be required to ensure compliance with applicable laws and/or regulations.
In circumstances where CloudCfo has no further legitimate business reasons to process Personal Data, we will either delete or anonymize such information, or, if this is not possible (for example, if Personal Data has been stored in a backup system), we will retain the Personal Data securely and isolate it from any further processing until deletion can be performed.
Customer Data
The length of time that Personal Data may need to be retained by CloudCfo will depend largely on a) the type of Personal Data and b) the duration of the engagement between CloudCfo and a Customer.
CloudCfo will retain all Personal Data received for the entire duration of an engagement with Customer. This is to ensure that CloudCfo can adequately perform the CloudCfo Services and accurately respond to Customer queries regarding historic transactions.
Once the engagement ends, CloudCfo will retain Personal Data for as long as is necessary to ensure it complies with its obligations under the Service Agreement and is in a position to comply with applicable laws. CloudCfo will generally retain Customer Data for no longer than 1 year after an acknowledgement from customer of the offboarding files at end of service, subject to an alternative agreement with the relevant Customer.
User Data
CloudCfo will generally retain User Data for as long as is necessary to ensure it complies with its obligations under the Service Agreement and no longer than 1 year after an acknowledgement from customer of the offboarding files at the end of service, subject to an alternative agreement with the relevant Customer. At that point, Personal Data may either be anonymized or deleted by CloudCfo, depending on the need for historic statistics and reporting metrics.
In circumstances where CloudCfo is the Controller of Personal Data belonging to a Data Subject which will usually only be the case in relation to User Data, Data Subjects will be entitled to a range of rights when it comes to the processing of their Personal Data.
These rights may differ depending on the jurisdiction in which a Customer or Authorized User is domiciled, but may generally include the following:
Right To Be Informed - if Personal Data pertaining to an individual shall be, is being, or has been processed and to be given information on the specifics of such processing (as outlined in this Privacy Policy)
Right To Object - or withhold consent to the processing of their Personal Data
Right To Access - or receive a copy of their Personal Data that is held or being processed
Right To Have Rectified - any inaccuracies or errors in their Personal Data (provided the request is not vexatious or unreasonable)
Right To Have Erased or Blocked - or removed or destroyed any of their Personal Data from the data system in which it is retained
Right To Data Portability - to obtain a copy of any Personal Data in the same electronic or structured format which enables the Data Subject or Visitor to further use the Personal Data
Right To Damages - to be indemnified for any damages incurred by a Data Subject which arises due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of their Personal Data.
Individual Data Privacy rights may be limited or curtailed where CloudCfo has an overriding interest or legal obligation to continue to process the Personal Data or where Personal Data may be exempt from disclosure due to reasons of legal professional privilege or professional secrecy obligations. Rights can also be limited or supplemented depending on the jurisdiction in which a Data Subject resides.
CloudCfo may have a need to share Personal Data with other third parties depending on circumstances that may arise from time to time. This may include, but is not limited to:
CloudCfo Group Companies - CloudCfo operates entities in a number of different jurisdictions, including the Philippines and Singapore. Any Personal Data that CloudCfo collects may be transferred to and processed by any CloudCfo entity in order to perform the CloudCfo Services;
Cloud-Based Systems - CloudCfo also utilizes various cloud-based systems (including cloud accounting systems) to manage and conduct the efficient and effective operations of the business. Personal Data may be transferred to or encoded into such third party cloud-based systems for further processing. CloudCfo only works with established market standard cloud-based operating systems. The Web App is currently hosted on Amazon Web Services (AWS), a third party cloud-storage provider.
Outsourced Service providers - including tax providers, legal providers, if the need arises.
Government Agencies - For statutory filings or enquiries (e.g. BIR, SSS, Pag-IBIG, PhilHealth) or other regulatory or government bodies
Where CloudCfo has a need to disclose or transfer Personal Data outside of the company, CloudCfo will ensure that there are appropriate and adequate organizational, physical and technical security measures in place in order to safeguard and protect the Personal Data in question.
From time to time, the Web App may use Cookies, in combination with various other Web tracking tools (collectively referred to as “Cookies”) in order to understand the behaviour of Customers and Authorized Users on the Web App and improve the experience and optimize the overall performance of the Web App.
Cookies are small files or data that are stored on your browser or computer when you visit a Website or Web Page. They can be used to ensure that a Web Page or App works properly and performs all of the tasks and activities that it is designed to perform. Cookies can also be used to notify a computer server that a user has returned.
Not all information included in “Cookies” or related Cookie activities will be Personal Data. However, any data that can be used to identify an individual or, if non-identifying data is combined with other non-identifying data and the result is that an individual can be identified, this will result in a classification of Personal Data.
Consent to Cookies
Through a Pop-Up Page on this Web App, we request the Consent to the use of Cookies from all Web App users. Users are able to confirm their consent to the use of all Cookies via the Pop-Up by clicking on “I Accept”. Visitors can also block certain Non-Necessary Cookies by clicking on the “Cookies Settings” button within the Pop-Up Page (see below). The disabling of Cookies may impact the full functionality of the Web App and can prevent users from benefiting from all features and areas of the Web App.
Turning off Web App Cookies
Visitors can change their Cookie preferences when visiting our Web App by going to the “Cookie Settings” tab on the Cookie Pop-Up on the Web App. Visitors are also able to block Non-Necessary Cookies by clicking the slider within the Cookie Settings page. See below for further information on the differences between Necessary and Non-Necessary Cookies.
Deleting, Blocking, Disabling Cookies
Web App users should be aware that they can delete, block or disable Cookies at any time via their own internet or web browser settings. Web App users should also be aware that the Cookies will appear again, however, upon re-entry to the Web App.
Necessary Cookies v Non-Necessary Cookie
We use Necessary Cookies as they are essential to the working of the basic functionalities of the Web App. If Necessary Cookies are not enabled or are switched off, CloudCfo could not guarantee that the Web App would work properly or that minimum security levels would be in place. In short, we use Necessary Cookies to:
Identify if a user has entered the Web App;
Authenticate each user;
Ensure that the user is connected properly to the Web App (including any updates or changes to the Web App)
Support certain basic security features within the Web App.
Non-Necessary Cookies are Cookies that are not particularly necessary to ensure the continued running and proper functioning of the Web App. Such Cookies generally relate more to optimized performance, tracking or targeting and they help to collect information about how a user utilizes the Web App, which CloudCfo can then, in turn, use to improve Web App performance. This would include Cookies used for Web and User Analytics, Visitor personalization and also to help identify areas of the Web App that could perform better or more effectively.
Our WebApp uses Google APIs to enhance our services and improve user experience. In compliance with Google's API Services User Data Policy, we clearly outline how we access, use, store, and share Google user data:
a. Access: The WebApp accesses Google user data only with the explicit consent of the user. This access is facilitated through OAuth 2.0 protocols, ensuring that users are fully aware of the types of data our app is accessing.
b. Use: The Google user data accessed by our WebApp is strictly limited to the purposes outlined in this Privacy Policy and our service functionality to access Google Drive for file syncing.
c. Storage: Google user data is stored securely on our servers. CloudCfo implement robust security measures to protect this data from unauthorized access or breaches.
d. Sharing: CloudCfo do not share Google user data with third parties except as necessary to provide the services requested by our users, comply with legal obligations, or as part of a structured data protection agreement.
Limited Use Disclosure
CloudCfo adhere strictly to Google’s Limited Use requirements, ensuring that the use of Google user data is consistent with the privacy policy under which it was collected. CloudCfo do not use this data for advertising purposes, nor do we allow third-party advertisements in our WebApp.
We are committed to keeping all Personal Data provided to us secure and we have implemented appropriate information security policies, rules and technical measures to protect the Personal Data that we have under our control from unauthorised access, improper use or disclosure, unauthorized modification and unlawful destruction or accidental loss.
CloudCfo has a range of appropriate and adequate organizational, physical and technical security safeguarding measures in place across the Web App to ensure that all Personal Data processed within the Web App is properly protected and aligns with the principles and requirements of various data privacy laws.
For further detailed information on the security practices applicable to the Web App, see Appendix 1 of the Web App Customer and User Terms and Conditions, entitled “Security Practices and Protocols”.
From time to time, we may transfer Personal Data from the Web App to outside of the Philippines or Singapore.
The transfer of Personal Data would only arise in limited circumstances and only where it is necessary in accordance with CloudCfo’s legitimate interests or if required under law.
As an example, the Web App is currently hosted on Amazon Web Services (AWS), a third party cloud-storage provider with servers located in various international jurisdictions. Personal Data from the Web App may, therefore, be stored outside of the Philippines or Singapore.
Another example is the potential transfer of Personal Data between various CloudCfo entities that are based in different jurisdictions.
If Personal Data is transferred outside of the Philippines or Singapore, CloudCfo will put in place all appropriate organizational, physical and technical security safeguarding measures to ensure that the Personal Data is adequately protected and kept safe.
CloudCfo has appointed a Data Protection Officer to oversee compliance with this Privacy Policy and to deal with any questions or concerns that Customers or Authorized Users might have from time to time in relation to this Privacy Policy or the Personal Data measures we have in place across the Web App. For further information about the matters set out in this Privacy Policy, you may contact the CloudCfo Data Protection Officer:
By Post to: or by Email: privacy@cloudcfo.ph
The Data Protection Officer
CloudCfo Inc.
2F, Paragon Plaza
162 EDSA cor Reliance Street
Mandaluyong
1550 Metro Manila
If you are a Data Subject and CloudCfo is the Data Controller and you wish to exercise any of your Data Subject rights as outlined in this Privacy Policy or as applicable depending on your jurisdiction, you may use the Data Subject Rights and Access Request Form at Appendix 2 of this Privacy Policy to submit your query or request.
If you are not happy with the way that CloudCfo is protecting your Data Privacy rights or if you wish to resolve any issue you might have in relation to how CloudCfo is processing your Personal Data, you may have a right to submit a complaint with your local Data Privacy Authority in your own jurisdiction or with the National Privacy Commission in the Philippines by downloading this NPC Complaint Form from the NPC Website, completing the form and submitting it to NPC in accordance with the guidance and steps outlined by the NPC.
To ensure that you are always aware of how we use and process the Personal Data of Customers and Authorized Users, we will update this Privacy Policy from time to time to reflect any changes to how Personal Data is collected and processed via the Web App. We may also make changes as required to comply with updates in applicable law or regulatory requirements. We encourage you to review and accept (if you accept) this Privacy Policy each time you receive a notification that the Privacy Policy has been updated to ensure that you remain updated at all times and remain fully aware about how we use, process and protect the Personal Data processed via the Web App.
Appendix 1 - Personal Data Categories
Appendix 2 - Data Subject Rights and Access Request Form
Personal Data Categories
Data Subject Rights and Access Request Form
Introduction
In certain circumstances, Data Privacy law provides individuals (“Data Subjects”) with certain rights regarding their Personal Data that has been collected and/or processed by CloudCfo via the Web App.
In particular, these rights include:
Right To Be Informed - To be given information on the specifics of any processing of a Data Subject’s Personal Data
Right To Object - To object or withhold consent to the processing of the Personal Data
Right To Access - To access or receive a copy of the Personal Data being held or processed
Right To Have Rectified - Any inaccuracies or errors in the Personal Data (provided the request is not vexatious or unreasonable)
Right To Have Erased or Blocked - Or removed or destroyed any Personal Data from the data system in which it is retained.
Right To Data Portability - To obtain a copy of any Personal Data in the same electronic or structured format which enables the Data Subject to further use the Personal Data
If you wish to exercise any of your rights under Data Privacy law or make a Data Privacy-related enquiry, you may submit this completed Data Subject Rights and Access Request Form, together with a copy of your photo identification:
By Post to:
The Data Protection Officer
CloudCfo Inc.
2F, Paragon Plaza
162 EDSA cor Reliance Street
Mandaluyong
1550 Metro Manila
or
by Email:
Please note that, in certain circumstances, you may be asked for additional information to help us fully understand the nature and extent of your request and ensure a comprehensive response.
Details of Data Requester
Relationship with CloudCfo
Data Access/Rights Request
Details of Right/Access Request
Verification and Identification
Please note that in order for CloudCfo to protect the security and integrity of any Personal Data which it holds, it is necessary for you to provide proof of your identity together with your submission of this Request Form. As such, a copy of your Photo ID (Passport, Drivers Licence, National ID, etc), in which you are fully identifiable, must accompany this Form before your request can be processed.
A scanned copy of your ID should be acceptable in the majority of cases. However, CloudCfo reserves the right, at its discretion, to request an original of the applicable identification document where it deems necessary.
Document Retention
The information you supply in this form will only be used for the purposes of identifying the Personal Data you are requesting and for responding to your request. You are not required to complete this form to make a request, but doing so will make it easier for us to process your request with greater efficiency and accuracy.
CloudCfo will only keep a copy of these request documents until such time as your request has been fully processed and completed and all relevant review or appeal procedure timelines have expired.
Declaration of Requester