Legal
Privacy Notice
Last updated: April 16, 2026
1. Who we are
AIRA is an AI-powered governance and compliance platform operated by TAVARA HOLDINGS(“TAVARA”, “we”, “us”), a One Person Corporation organized under the laws of the Republic of the Philippines (SEC registration pending). The platform is accessible at airagov.com.
Data Protection Officer (Interim)
Blas Ramos, Chief Visionary Officer — TAVARA Holdings
Email: care@tavaraholdings.com
NPC Registration: Pending
2. What we collect and why
We collect only what is needed to deliver the service you request. Below is every category of personal data we process, the purpose, and the lawful basis.
| Data category | Purpose | Lawful basis |
|---|---|---|
| Account data | Name, email, password hash, organization name, industry, size category — submitted during registration | Contractual necessity (NPC DPA Sec 12(b); GDPR Art 6(1)(b)) |
| Care inquiry data | Name, organization, role, jurisdiction, topic, email, phone (optional) — submitted through /care | Consent (NPC DPA Sec 12(a); GDPR Art 6(1)(a)) — consent checkbox on form |
| Assessment responses | Answers to regulatory assessment questions describing your AI systems, data processing, and governance posture | Contractual necessity (you request the assessment) |
| Chat messages | Messages you send to the AIRA advisor. Processed by an upstream inference provider to generate responses. Not stored by AIRA after the session ends. | Legitimate interest (NPC DPA Sec 12(f); GDPR Art 6(1)(f)) — delivering the advisory service |
| Fiduciary application data | Professional profile, credentials, specialties, jurisdictions, contact details — submitted through /fiduciaries/apply | Consent (application form consent) + contractual necessity |
| Technical metadata | User agent, timestamps, request correlation IDs | Legitimate interest (security, fraud prevention) |
| Demo session data | When you run an anonymous trial assessment we assign a persistent identifier (DEMO{n}) stored in a first-party cookie (aira_demo_sid, 1-year expiry). We capture: your IP address (retained 90 days for abuse investigation and regulator requests, then auto-scrubbed), a salted SHA-256 hash of that IP (retained indefinitely for abuse correlation after the raw IP is scrubbed), and country / region / city / timezone derived from your CDN edge location (non-PII demographics, retained indefinitely). A hashed user-agent is also kept for bot detection. | Legitimate interest (abuse prevention, service analytics, sales-funnel attribution). No special-category or financial data is captured on demo sessions. You can clear this at any time by deleting the cookie. |
3. AI processing disclosure
The AIRA advisor uses an upstream inference provider to generate regulatory guidance. This is disclosed in compliance with NPC Advisory No. 2024-04 (Transparency, Section 3) and EU AI Act Article 50(1).
- What the advisor processes:Your chat messages are sent to our inference provider's API to generate a response.
- What it does NOT do: The advisor does not make binding legal determinations, does not access your Supabase-stored data, and does not retain your messages after the session.
- Human oversight: Assessment scores and control classifications are generated by deterministic rule engines, not by a language model. The advisor provides supplementary guidance only.
- Your right to object:You may use AIRA's assessment, control, evidence, and audit features without using the advisor. Contact care@tavaraholdings.com for human-only advisory.
4. Who we share data with (sub-processors)
We share personal data only with the following service providers, each under a Data Processing Agreement (DPA):
| Provider | Role | Data processed | Location |
|---|---|---|---|
| Inference provider | Upstream language-model provider | Chat messages (transient) | United States / EU |
| Supabase | Database and authentication | Account data, assessments, care requests, fiduciary applications | Singapore (ap-southeast-1) |
| Vercel | Hosting and edge compute | HTTP requests, server logs (no PII stored in logs) | United States (global edge) |
| Resend | Transactional email | Recipient email, notification content | United States |
| Cloudflare | DNS, CDN, DDoS protection | HTTP requests (proxied traffic metadata) | Global edge network |
We do not sell personal data. We do not share personal data for advertising. Marketplace fiduciaries receive your data only if you explicitly request an introduction.
5. Cross-border data transfers
Your data may be transferred outside the Philippines to the locations listed above (Singapore, United States, global edge). These transfers are necessary to deliver the service and are protected by:
- Data Processing Agreements with each sub-processor
- Technical safeguards (encryption in transit via TLS 1.3, RLS-enforced database access)
- For EU data subjects: Standard Contractual Clauses (SCCs) where applicable, as incorporated into each provider's DPA
If you require specific documentation of transfer safeguards for your jurisdiction, contact the care team.
6. How long we keep data
| Data | Retention period |
|---|---|
| Account data | Duration of your account + 90 days after deletion request |
| Assessment results | Duration of your account (you may request deletion at any time) |
| Care requests | 24 months from submission, then deleted |
| Fiduciary applications | Duration of marketplace listing + 12 months after removal |
| Chat messages | Not stored. Session-only. Cleared on page close. |
| Evidence vault receipts | Permanent (cryptographic chain integrity requires immutability) |
7. Your rights
Under the Philippine Data Privacy Act (Sections 16-18) and, where applicable, the EU GDPR (Articles 15-22), you have the following rights:
- Access — request a copy of all personal data we hold about you
- Correction — request we correct inaccurate data
- Erasure — request deletion of your data (subject to legal retention obligations)
- Objection — object to processing based on legitimate interest
- Portability — receive your data in a machine-readable format (GDPR Art 20)
- Withdraw consent — where processing is based on consent, withdraw at any time without affecting prior processing
- Restriction — request we limit processing while a dispute is resolved
To exercise any right, email care@tavaraholdings.com with the subject line “Data Subject Request.” We will respond within 30 days (NPC) or without undue delay and within one month (GDPR).
8. Security measures
- Encryption in transit (TLS 1.3 via Cloudflare + Vercel)
- Encryption at rest (Supabase AES-256 database encryption)
- Row-Level Security (RLS) on every database table — users can only access their own data
- Service-role key isolation — admin operations use a separate credential path
- Rate limiting on all API endpoints (per-IP, in-process)
- Demo-session IP addresses retained 90 days, then automatically nulled by a scheduled Postgres job; only a salted hash persists for abuse correlation
- No personal data in server logs
- HMAC-signed admin session tokens with 8-hour expiry
No system is perfectly secure. If you discover a vulnerability, report it to care@tavaraholdings.com.
9. Breach notification
In the event of a personal data breach, we will:
- Notify the NPC within 72 hours of becoming aware (NPC Circular 16-03)
- Notify the Singapore PDPC within 3 calendar days if Singapore data subjects are affected (PDPA Sec 26D)
- Notify affected data subjects within the same timeframes if the breach poses a real risk to rights and freedoms
- Document the breach in an internal register regardless of severity
10. Children
AIRA is designed for business professionals and is not directed at individuals under 18. We do not knowingly collect data from minors. If you believe we have collected data from a minor, contact us immediately.
11. Complaints
If you believe your data privacy rights have not been respected:
- First: Contact us at care@tavaraholdings.com
- Philippines: File a complaint with the National Privacy Commission at privacy.gov.ph
- EU: Lodge a complaint with your local Data Protection Authority (list at edpb.europa.eu)
- Singapore: Contact the PDPC at pdpc.gov.sg
12. Changes to this notice
We update this notice when our data practices change. Material changes are reflected in the “Last updated” date above. Continued use of the platform after a revision constitutes acceptance.