Mithiin Technologies Inc. Data Privacy Policy
for the PUV Compliance and Monitoring System
Scope
This Privacy Policy describes the principles and safeguards Mithiin Technologies Inc. observes as a personal data controller under the PUV Compliance and Monitoring System (PCMS) as it pursues:
1. Collection of personal data from persons who access or use this website, including any micro-site therein (the "Website");
2. Processing and protection of such personal data and data sharing submitted by Partner Laboratories and Drivers and subsequently forwarded to the Land Transportation Franchising and Regulatory Board (LTFRB), and accessed by the pertinent Transport Operators and the LTFRB.
The term "Processing" follows the meaning under Republic Act No. 10173, otherwise known as the "Data Privacy Act of 2012" ("DPA"), which refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.
This Privacy Policy does not apply to any other information collected by Mithiin Technologies, Inc., by or through any other means, such as information collected through other websites, unless otherwise provided or indicated by Mithiin Technologies. The terms "you" and "User" refer to any individual who accesses or uses the Website and whose personal, sensitive personal, or privileged information is Processed.
Our Commitment to Privacy
Mithiin Technologies is committed to upholding the privacy and rights of individuals whose personal data we process. We integrate "Privacy by Design and by Default" into our product development, business processes, and partnerships. We recognize that the data entrusted to us, particularly in our work with government agencies, is critical and sensitive, and we pledge to protect it with the highest standards of security and care.
Commitment to International Standards
In addition to complying with Philippine law, Mithiin Labs commits to aligning its privacy and security practices with recognized international standards. We will actively seek and maintain certifications from International Standard Organizations (e.g., ISO/IEC 27701 for Privacy Information Management) to demonstrate our commitment to global best practices in data privacy and information security.
For the purpose of this policy, the following terms are defined as follows:
- Data Privacy Act (DPA): Republic Act No. 10173.
- Data Subject: An individual whose personal, sensitive personal, or privileged information is processed. In the context of the PUV project, this primarily refers to the PUV Drivers.
- Personal Information: Any information from which the identity of an individual is apparent or can be reasonably and directly ascertained.
- Sensitive Personal Information: Includes, but is not limited to, information about an individual's health (e.g., Drug Test Results), government-issued identifiers (e.g., Driver's License ID), and other data specified in the DPA.
- Processing: Any operation performed upon personal data, including collection, recording, use, storage, modification, retrieval, disclosure, and disposal.
- Personal Information Controller (PIC): An entity that controls the collection, holding, processing, or use of personal information. In many of our government partnerships, the partner agency (e.g., DoTR-LTFRB) is the PIC.
- Personal Information Processor (PIP): An entity to whom a PIC may outsource the processing of personal data. Mithiin Labs primarily acts as a PIP in the context of the PUV Compliance and Monitoring System.
- Data Protection Officer (DPO): The individual designated to be accountable for the company's compliance with the DPA.
Data Collection
Personal data shall be collected under the PCMS for any of the following purposes:
1. Automated verification and reporting to the LTFRB;
2. Documentation and record-keeping purposes;
3. Regulatory and audit purposes;
4. For inputting in a centralized database of driver compliance records that are accessible to the PIC, Transport Operators, and other relevant agencies, such as the Land Transportation Office and the Philippine Drug Enforcement Agency;
5. In compliance with other relevant laws;
6. Other similar purposes.
In any case, Mithiin Technologies will only use the collected personal data in line with the purpose of the PCMS as regulated by LTFRB.
Data Use, Storage, and Transmission
Personal data will be used only for the purposes for which it was collected. All data will be stored in a secure environment, protected by robust technical and organizational measures. Data transmitted, whether internally or to our partners, will be encrypted to prevent unauthorized access.
Data Sharing and Disclosure
As a PIP, Mithiin Technologies will only share data with the designated PIC or other parties as explicitly instructed by the PIC and permitted by our data processing agreements. Any other disclosure will only be made with the Data Subject's consent, or when required by law.
Retention Period
In line with our commitment to data minimization, personal data shall be retained only for as long as necessary to fulfill the stated purpose. For the PUV Compliance and Monitoring System, all personal and sensitive personal information, including Driver's License IDs and drug test results, will be retained for a maximum period of three (3) years.
Anonymization and Archiving
After the three-year retention period, all personal identifiers will be removed from the dataset. To achieve robust anonymization, Mithiin Labs employs techniques such as the hashing of direct identifiers and the removal or generalization of indirect identifiers to prevent re-identification. The resulting anonymized data will be moved to a secure archive. This data, which can no longer be used to identify an individual, may be used by Mithiin Labs for statistical analysis, historical archiving, and for the training and improvement of our systems and machine learning models.
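The two steps named above (hashing direct identifiers, then removing or generalizing indirect ones) are sketched below as an added example; it is not Mithiin's code. It assumes hypothetical field names, a constructed license-ID format, HMAC-SHA256 as the keyed form of hashing, and a k-anonymity threshold as the check on the generalized fields, none of which the policy specifies.

```python
import hashlib
import hmac
import secrets
from collections import Counter

QUASI = ("birth_decade", "region")  # generalized indirect identifiers (assumed)


def pseudonymize_id(license_id: str, key: bytes) -> str:
    """HMAC-SHA256 of a direct identifier under a secret key.

    A bare SHA-256 of a structured ID can be recomputed by anyone who knows
    the ID format; the key, stored apart from the archive, prevents that.
    """
    normalized = license_id.strip().upper().replace("-", "")
    return hmac.new(key, normalized.encode(), hashlib.sha256).hexdigest()


def generalize(record: dict, key: bytes) -> dict:
    """Build an archive row; name and street address are simply not copied."""
    birth_year = int(record["birth_date"][:4])
    return {
        "driver_ref": pseudonymize_id(record["license_id"], key),
        "birth_decade": f"{birth_year // 10 * 10}s",
        "region": record["address"].rsplit(",", 1)[-1].strip(),
        "test_year": record["test_date"][:4],
        "result": record["result"],
    }


def enforce_k(rows: list, k: int) -> list:
    """Suppress rows whose quasi-identifier combination occurs fewer than k times."""
    groups = Counter(tuple(r[q] for q in QUASI) for r in rows)
    return [r for r in rows if groups[tuple(r[q] for q in QUASI)] >= k]


def anonymize(records: list, key: bytes, k: int = 2) -> list:
    """Generalize every record, then drop rows that remain too distinctive."""
    return enforce_k([generalize(r, key) for r in records], k)


# Constructed sample records, not real data.
SAMPLE = [
    {"license_id": "N01-23-456789", "full_name": "Driver A",
     "birth_date": "1984-03-12", "address": "12 Mabini St, Quezon City, Metro Manila",
     "test_date": "2021-06-01", "result": "Negative"},
    {"license_id": "N02-34-567890", "full_name": "Driver B",
     "birth_date": "1988-11-30", "address": "5 Rizal Ave, Pasig, Metro Manila",
     "test_date": "2021-07-15", "result": "Negative"},
    {"license_id": "C03-45-678901", "full_name": "Driver C",
     "birth_date": "1979-01-05", "address": "8 Osmena Blvd, Cebu City, Cebu",
     "test_date": "2021-08-20", "result": "Positive"},
]

if __name__ == "__main__":
    archive_key = secrets.token_bytes(32)  # kept in a key store, not in the archive
    for row in anonymize(SAMPLE, archive_key):
        print(row)
```

With `k=2` the single Cebu/1970s row is suppressed, because its combination of generalized fields is unique in the sample and would single out one driver.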
Use of Anonymized Data
This anonymized data may be used by Mithiin Labs for statistical analysis, historical archiving, and for the training and improvement of our systems and machine learning models. As this data is no longer personally identifiable, it falls outside the scope of the DPA.
Disposal
Data scheduled for disposal will be destroyed using secure methods that prevent its recovery or reconstruction. This process applies to both physical and digital records. For digital data, electronic files will be securely erased using industry-standard sanitization techniques, such as a multi-pass overwrite method, to ensure the information is permanently unrecoverable. For any physical records, such as printed documents, disposal will be done through secure methods like shredding or incineration.
Disposal Documentation
Following the successful disposal of the data, a formal record of the activity will be created and maintained. This documentation serves as a crucial audit trail, demonstrating our compliance with data privacy regulations. The record will detail the exact date of disposal, the name of the data controller who authorized the process, the specific data that was disposed of, and the method used for its destruction. This record will be securely retained for a minimum of two years.
In the course of processing data, Mithiin Technologies may utilize cloud services or infrastructure located outside of the Philippines. Any transfer of personal data to a different jurisdiction will only be conducted under the following conditions:
- The transfer is made to a country or territory that is recognized by the National Privacy Commission as ensuring an adequate level of data protection.
- Appropriate safeguards, such as standard contractual clauses and binding corporate rules, are in place as required by the DPA.
- The transfer is done with the explicit consent of the Data Subject or as instructed by the Personal Information Controller in accordance with our data processing agreements.
- All cross-border transfers will be conducted with the same high level of security, including end-to-end encryption, as data processed within the Philippines.
Mithiin Labs may engage third-party service providers (Sub-processors) to support the delivery of our services. We shall conduct thorough due diligence on all Sub-processors to ensure their data protection and security measures meet the standards required by the DPA and this Policy. Mithiin Labs will enter into legally binding data processing agreements with all Sub-processors, obligating them to protect personal data to the same standard as Mithiin Labs and to process it only as instructed. A list of our key Sub-processors can be made available to our partners upon reasonable request.
Mithiin Technologies respects and will facilitate the exercise of the rights of all Data Subjects as granted by the DPA. Any Data Subject may contact our DPO to exercise the following rights:
- The Right to be Informed of the processing of their personal data.
- The Right to Object to the processing of their personal data.
- The Right to Access their personal data.
- The Right to Rectification of any inaccurate or erroneous data.
- The Right to Erasure or Blocking of their personal data.
- The Right to Data Portability of their data in a common, machine-readable format.
- The Right to File a Complaint with the National Privacy Commission.
- The Right to be Indemnified for Damages sustained due to inaccurate, incomplete, or unlawful processing of personal data.
To exercise any of the rights listed above, please submit a formal request to our Data Protection Officer via email at [email protected]. Your request should include your full name, contact information, and sufficient detail about your request to allow us to verify your identity and locate your data.
We will implement comprehensive organizational, physical, and technical security measures to protect personal data against any accidental or unlawful destruction, alteration, and disclosure, as well as against any other unlawful processing.
Organizational Measures:
- Appointment of a DPO, implementation of Privacy Impact Assessments (PIAs) for all new projects, and the enforcement of mandatory data privacy training for all personnel.
- The DPO also creates and reinforces our Privacy Management Program (PMP). The PMP includes a Data Breach Response Team (DBRT) and a detailed breach management policy. This is a requirement under NPC Circular 16-03.
- Data Privacy Training is a required component of the employee onboarding process and is supplemented by continuous awareness programs. All employees are required to participate in at least one yearly mandatory training.
- Data Sharing policies are covered in Data Privacy Policy 3.6 Engagement of Sub-Processors.
Physical Measures:
- Secure data centers, restricted access to sensitive areas, and a clean desk policy.
Technical Measures:
- End-to-end encryption, robust access control and authentication mechanisms, firewalls, intrusion detection systems, and regular vulnerability scanning.
- A backup and recovery plan is available to mitigate any data availability and integration concerns.
- There will be logging and auditing of all access to PCMS data and systems. This is crucial for forensic analysis in the event of a breach.
- Security and privacy principles are integrated into the design and development process from the beginning (Privacy-by-Design and Privacy-by-Default) through controls such as role-based access control (RBAC) and multi-factor authentication (MFA).
- Independent Security Audits: The Company shall engage reputable, independent cybersecurity organizations to conduct an annual audit of our corporate infrastructure and IT products. These audits will serve to validate our security posture and ensure ongoing compliance with regulatory requirements and industry standards.
The Company has a Data Breach Response Plan in place. In the event of a data breach, the DPO will be notified immediately. The DPO will take steps to contain the breach, assess the risk, and notify the relevant Personal Information Controller (PIC), the National Privacy Commission, and affected Data Subjects as soon as reasonably possible, and within the 72-hour period where required by law and our contractual agreements.
Stage 1: Discover & Contain
- Detection: Employees report suspected breaches to supervisors/DPO immediately.
- Initial Assessment: DPO determines if it's a security incident or personal data breach.
- Containment: IT Security Lead takes immediate steps (e.g., disconnect systems, change credentials, secure areas, forensic imaging).
Stage 2: Assess & Evaluate
- Risk Assessment: DBRT assesses potential harm to data subjects (data types, number affected, potential for serious harm).
- Documentation: DBRT documents all breach facts.
Stage 3: Notify & Communicate
- Notification to NPC: DPO (with Legal Counsel) notifies the National Privacy Commission within 72 hours for serious breaches.
- Notification to Data Subjects: Affected data subjects are notified with breach details, compromised data, actions taken, DPO contact, and self-protection recommendations.
Stage 4: Monitor & Remediate
- Post-Breach Review: DBRT reviews to identify root cause and implement corrective measures.
- Remediation: IT Security Lead implements technical solutions; DPO updates policies.
- Final Report: Report submitted to senior management and NPC (if required).
Lawful Basis: Legal Obligation
The processing of personal data is necessary to comply with a legal obligation imposed on the company as a Personal Information Controller. The company operates in the public land transportation sector, which is heavily regulated by LTFRB. Our legal authority and obligation to process this data are derived from the Land Transportation and Traffic Code (Republic Act No. 4136) and its subsequent regulations.
- The Land Transportation and Traffic Code (R.A. No. 4136) establishes the Land Transportation Office (LTO) and the LTFRB. It governs the registration of motor vehicles, the issuance of driver's licenses, and the regulation of public land transportation.
- It requires the collection of personal data such as full name, address, birth date, and other identifying information to create official records, ensure public safety, and regulate transportation services.
- This law provides the legal authority for the LTFRB to require and process personal data for purposes like issuing Certificates of Public Convenience (CPC); monitoring compliance of public utility vehicles (PUVs) and their operators/drivers; and processing applications for franchises, special permits, and other transport-related services.
- Without processing this data, the company would be unable to comply with the LTFRB's requirements, which could result in penalties, loss of franchise, or inability to operate.
Lawful Basis: Legitimate Interests
The processing of personal data is justified under the basis of Legitimate Interests for the following reasons, which have been thoroughly assessed against the rights and freedoms of the data subjects. This basis is a strong secondary justification, particularly for aspects that go beyond the direct, mandatory reporting to the LTFRB.
- The company has a clear and compelling legitimate interest in ensuring the safety, security, and efficient operation of its transportation network. Considering that the data subjects are operating within the sector of public transportation, a public service, the drug test results of drivers are of public interest and concern.
- Intrusion into their privacy is legitimate and reasonably necessary to ensure the safety of the public at large.
- Accurately identifying and linking drivers to their corresponding operators and franchisers is essential for the smooth and accountable management of our business operations.
- Processing this data is necessary to prevent unauthorized individuals from operating vehicles, thereby ensuring the safety of the public and the integrity of the transportation service.
- Providing operators and LTFRB with performance and compliance data helps them effectively manage routes, schedules, and driver resources, a shared legitimate interest that contributes to overall service quality.
Our web application is a critical platform designed to streamline the LTFRB driver drug test result submission process. It automates several core functions to ensure efficiency, data integrity, and compliance with all relevant regulations, including those from the Department of Health (DOH) and the Dangerous Drugs Board (DDB). The system employs a series of logical checks and automated procedures to process personal and sensitive personal information.
Automated Clinic Onboarding and Credentialing
The initial phase of our system automates the verification of potential clinic partners. The logic for this process is as follows:
- Credential Validation: When a clinic registers, the system automatically validates their submitted credentials against a master whitelist of DOH-accredited clinics. A unique Clinic ID is generated upon successful validation.
- System Access Provisioning: Once credentials are confirmed and the Clinic ID is assigned, the system automatically provisions access and creates a user account for the clinic's designated representative, with role-based access control (RBAC) permissions. This ensures only authorized personnel can access and upload data.
Automated Processing of Driver Drug Test Results
This is the most critical component of our automated processing, as it involves sensitive personal information and leads to a decision that significantly affects a data subject's rights (i.e., whether they can get a license). The system provides a structured form for accredited clinics to upload test results. The form utilizes client-side validation to ensure all required fields are populated and follow the correct data type and format. Any discrepancies automatically flag the record for human review by our internal team. The core automated logic is the classification of test results. Based on the numerical values and parameters entered by the clinic, the system automatically classifies a test result as either "Negative" or "Positive" against the pre-defined cut-off thresholds for various prohibited substances. This is a purely logical, rules-based process that applies the scientific criteria set by government regulatory bodies. After classification, the system prepares the data for submission. The data is encrypted using end-to-end encryption and securely transferred to the LTFRB's designated API endpoint. The system automatically generates a unique transaction ID and a timestamped digital receipt for each successful submission.
Data Security and Compliance Measures
As DPO, my primary focus is to ensure the integrity and privacy of the data throughout this automated process. The system was built from the ground up with data privacy principles. We follow a data minimization approach, collecting only the information absolutely necessary for the LTFRB's requirements. All data, both in transit and at rest, is encrypted using industry-standard protocols. Access to the data is strictly limited to authorized personnel via our RBAC model, and all access attempts are logged for auditing purposes. The system automatically generates a comprehensive audit trail for every action, from the initial clinic login to the final data submission to the LTFRB. This provides a transparent and verifiable record of all data processing activities.
Human Intervention and Accountability
While our system automates much of the workflow, we have built in key points for human intervention to ensure accountability and accuracy.
- Deficiency Flagging: Any data that fails automated validation checks is not processed further until a human operator from our team reviews it, corrects the deficiency, and manually approves it.
- Accountability: The DPO is notified of any security incidents or potential privacy violations, which are then subject to a full investigation and, if necessary, reported to the NPC.
All employees and personnel of Mithiin Labs are responsible for understanding and adhering to this policy. Failure to comply with this Data Privacy Policy may result in disciplinary action, up to and including termination of employment, in addition to any civil or criminal liability under the law.