Privacy Notice
Last updated: April 16, 2026
1. Who we are
AIRA is an AI-powered governance and compliance platform operated by TAVARA HOLDINGS OPC (“TAVARA”, “we”, “us”), a One Person Corporation organized under the laws of the Republic of the Philippines (SEC registration pending). The platform is accessible at airagov.com.
Data Protection Officer (Interim)
Blas Ramos, Chief Visionary Officer / Sole Director
Email: care@tavaraholdings.com
NPC Registration: Pending
2. What we collect and why
We collect only what is needed to deliver the service you request. Below is every category of personal data we process, the purpose, and the lawful basis.
| Data category | Purpose | Lawful basis |
|---|---|---|
| Account data | Name, email, password hash, organization name, industry, size category — submitted during registration | Contractual necessity (NPC DPA Sec 12(b); GDPR Art 6(1)(b)) |
| Care inquiry data | Name, organization, role, jurisdiction, topic, email, phone (optional) — submitted through /care | Consent (NPC DPA Sec 12(a); GDPR Art 6(1)(a)) — consent checkbox on form |
| Assessment responses | Answers to regulatory assessment questions describing your AI systems, data processing, and governance posture | Contractual necessity (you request the assessment) |
| Chat messages | Messages you send to the AIRA chatbot. Processed by Anthropic's Claude API to generate responses. Not stored by AIRA after the session ends. | Legitimate interest (NPC DPA Sec 12(f); GDPR Art 6(1)(f)) — delivering the advisory service |
| Fiduciary application data | Professional profile, credentials, specialties, jurisdictions, contact details — submitted through /fiduciaries/apply | Consent (application form consent) + contractual necessity |
| Technical metadata | IP address (used transiently for rate limiting — not stored permanently), user agent, timestamps | Legitimate interest (security, fraud prevention) |
3. AI processing disclosure
AIRA uses artificial intelligence (Anthropic's Claude API) to generate regulatory guidance in the chatbot. This is disclosed in compliance with NPC Advisory No. 2024-04 (Transparency, Section 3) and EU AI Act Article 50(1).
- What the AI processes: Your chat messages are sent to Anthropic's API servers in the United States to generate a response.
- What the AI does NOT do: The AI does not make binding legal determinations, does not access your Supabase-stored data, and does not retain your messages after the session.
- Human oversight: Assessment scores are generated by a deterministic rule engine, not by the AI model. The AI chatbot provides supplementary guidance only.
- Your right to object: You may use AIRA's assessment features without using the AI chatbot. If you prefer not to interact with AI, contact care@tavaraholdings.com for human-only advisory.
4. Who we share data with (sub-processors)
We share personal data only with the following service providers, each under a Data Processing Agreement (DPA):
| Provider | Role | Data processed | Location |
|---|---|---|---|
| Anthropic | AI model provider | Chat messages (transient) | United States |
| Supabase | Database and authentication | Account data, assessments, care requests, fiduciary applications | Singapore (ap-southeast-1) |
| Vercel | Hosting and edge compute | HTTP requests, server logs (no PII stored in logs) | United States (global edge) |
| Resend | Transactional email | Recipient email, notification content | United States |
| Cloudflare | DNS, CDN, DDoS protection | HTTP requests (proxied traffic metadata) | Global edge network |
We do not sell personal data. We do not share personal data for advertising. Marketplace fiduciaries receive your data only if you explicitly request an introduction.
5. Cross-border data transfers
Your data may be transferred outside the Philippines to the locations listed above (Singapore, United States, global edge). These transfers are necessary to deliver the service and are protected by:
- Data Processing Agreements with each sub-processor
- Technical safeguards (encryption in transit via TLS 1.3, RLS-enforced database access)
- For EU data subjects: Standard Contractual Clauses (SCCs) where applicable, as incorporated into each provider's DPA
If you require specific documentation of transfer safeguards for your jurisdiction, contact the care team.
6. How long we keep data
| Data | Retention period |
|---|---|
| Account data | Duration of your account + 90 days after deletion request |
| Assessment results | Duration of your account (you may request deletion at any time) |
| Care requests | 24 months from submission, then deleted |
| Fiduciary applications | Duration of marketplace listing + 12 months after removal |
| Chat messages | Not stored. Session-only. Cleared on page close. |
| Evidence vault receipts | Permanent (cryptographic chain integrity requires immutability) |
7. Your rights
Under the Philippine Data Privacy Act (Sections 16-18) and, where applicable, the EU GDPR (Articles 15-22), you have the following rights:
- Access — request a copy of all personal data we hold about you
- Correction — request we correct inaccurate data
- Erasure — request deletion of your data (subject to legal retention obligations)
- Objection — object to processing based on legitimate interest
- Portability — receive your data in a machine-readable format (GDPR Art 20)
- Withdraw consent — where processing is based on consent, withdraw at any time without affecting prior processing
- Restriction — request we limit processing while a dispute is resolved
To exercise any right, email care@tavaraholdings.com with the subject line “Data Subject Request.” We will respond within 30 days (NPC) or without undue delay and within one month (GDPR).
8. Security measures
- Encryption in transit (TLS 1.3 via Cloudflare + Vercel)
- Encryption at rest (Supabase AES-256 database encryption)
- Row-Level Security (RLS) on every database table — users can only access their own data
- Service-role key isolation — admin operations use a separate credential path
- Rate limiting on all API endpoints (per-IP, in-process)
- No permanent storage of IP addresses
- No personal data in server logs
- HMAC-signed admin session tokens with 8-hour expiry
No system is perfectly secure. If you discover a vulnerability, report it to care@tavaraholdings.com.
9. Breach notification
In the event of a personal data breach, we will:
- Notify the NPC within 72 hours of becoming aware (NPC Circular 16-03)
- Notify the Singapore PDPC within 3 calendar days if Singapore data subjects are affected (PDPA Sec 26D)
- Notify affected data subjects within the same timeframes if the breach poses a real risk to rights and freedoms
- Document the breach in an internal register regardless of severity
10. Children
AIRA is designed for business professionals and is not directed at individuals under 18. We do not knowingly collect data from minors. If you believe we have collected data from a minor, contact us immediately.
11. Complaints
If you believe your data privacy rights have not been respected:
- First: Contact us at care@tavaraholdings.com
- Philippines: File a complaint with the National Privacy Commission at privacy.gov.ph
- EU: Lodge a complaint with your local Data Protection Authority (list at edpb.europa.eu)
- Singapore: Contact the PDPC at pdpc.gov.sg
12. Changes to this notice
We update this notice when our data practices change. Material changes are reflected in the “Last updated” date above. Continued use of the platform after a revision constitutes acceptance.
