Listoria Privacy Policy
1. Who we are (the data controller)
Listoria is operated by VPDevLabs (Vincent Paul Dais), an independent software developer based in Tanza, Cavite, Philippines. For the purposes of the Data Privacy Act of 2012 (Republic Act No. 10173, "DPA"), we act as the Personal Information Controller (PIC) for the account and technical data described below.
Contact for privacy / data requests:
- Email: [email protected]
- Website: https://resserra.com
A note on whose data this is (important)
Listoria is a business inventory tool. There are two layers of data:
- Data about you, our app users (your email, password, role). For this data we are the Personal Information Controller.
- Business data you enter into the app (your inventory, your suppliers, your locations, your stock movements). This is your business's data. Your business decides what to put in. Where that business data includes other people's personal information (for example, the name and phone number of a supplier contact), your business is the controller of that information and we act as a Personal Information Processor on your behalf, processing it only to provide the app to you. You are responsible for having a lawful basis to collect and store that third-party information (see our Terms of Service). This split matters for who is accountable under the DPA.
2. What data we collect, and why (purpose limitation)
We collect only what we need to run the app. We do not collect data for advertising, and we do not sell your data.
2.1 Account data (your personal information)
| Data | Why we collect it (purpose) | Lawful basis under the DPA |
|---|---|---|
| Email address | To create and identify your account, log you in, and contact you about your account | Performance of a contract / our legitimate interest in operating the service |
| Password (stored only as a bcrypt hash - we never store or see your plaintext password) | To authenticate you securely | Performance of a contract |
| Role (admin / location_manager / staff) | To control what you can see and do inside your business's data | Performance of a contract |
| Business (tenant) association | To keep your data separated from other businesses | Performance of a contract |
2.2 Business operational data (data you enter)
You and your team enter this to run your inventory. It is stored to provide the service:
- Inventory items (name, description, SKU, barcode, category, reorder threshold)
- Stock movements (receive, dispatch, adjust - quantities, dates, notes)
- Supplier records (name and contact information - may contain another person's personal data that you have chosen to enter)
- Location / branch records (name, address)
- Categories
We process this on your instruction, as a processor, only to operate the app for you. We do not use it for our own purposes.
2.3 Technical and device data (collected automatically)
| Data | Why | Notes |
|---|---|---|
| Session / refresh tokens | To keep you logged in securely and to refresh your session | Stored server-side with an expiry; rotated. Not used for tracking. |
| Crash reports (device model, OS version, app version, stack trace, and diagnostic data the crash SDK collects) | To find and fix crashes | Collected via Firebase Crashlytics (Google). See Section 5. |
| Basic app analytics (app sessions, screen views, in-app events) | To understand which features are used and improve the app | Collected via Firebase Analytics (Google). We do not use advertising identifiers and do not run ads. See Section 5. |
2.4 Data we do NOT collect
- We do not collect your precise location for tracking.
- We do not use advertising IDs and we do not serve ads.
- We do not knowingly collect data from children (see Section 11).
- We do not sell personal data to anyone.
3. How your data is stored and how we protect it
We take reasonable and appropriate organizational, physical, and technical measures to protect personal data, consistent with Section 20 of the DPA. These include:
- Passwords are hashed with bcrypt; we never store plaintext passwords.
- Authentication uses signed tokens (JWT) with refresh-token rotation and expiry.
- Data is separated per business (tenant) so one business cannot see another's data.
- Access inside a business is limited by role (admin / location_manager / staff).
- Data is encrypted in transit (HTTPS/TLS) between the app and our servers.
- A copy of your data is stored locally on your device in the app's local database (SQLite via Drift) so the app works offline. This local copy is protected by your device's own security (screen lock, OS sandboxing). You are responsible for keeping your device secure.
4. How long we keep your data (retention) and how it is deleted
- Account data: kept for as long as your account is active. If you delete your account (see Section 6 and Section 12), we delete or anonymize your personal account data, except where we must keep something to comply with law or resolve disputes.
- Business operational data: kept while your account/business is active so you can use the app. On deletion, it is removed on the same timeline as above, subject to the same exceptions.
- Local data on your device: removed when you delete the app or clear its data, or on logout if the app is configured to clear local data on logout.
- Crash and analytics data: retained according to the Firebase/Google retention settings configured in the Firebase console.
5. Third parties who process data for us (sub-processors)
We use trusted service providers to run the app. We share data with them only to the extent needed to provide the service. We do not sell data, and these providers are not allowed to use your data for their own purposes beyond providing their service to us.
| Provider | What they do for us | Data involved | Where (data location) |
|---|---|---|---|
| Railway | Hosts our backend application and PostgreSQL database | Account data + business operational data | United States (US) region - see Section 7 |
| Google (Firebase Crashlytics) | Crash reporting | Device + crash diagnostic data | Google infrastructure (may be outside the Philippines) |
| Google (Firebase Analytics) | Basic app usage analytics | App usage events, app instance identifiers | Google infrastructure (may be outside the Philippines) |
Supabase Storage is not currently enabled. If we enable file storage in a future version, we will update this policy before doing so.
6. Your rights under the Data Privacy Act (RA 10173)
If you are a data subject (a person whose personal data we hold), the DPA gives you rights. These include the right to:
- Be informed - know that your data is being processed, and why (this policy serves that).
- Access - get a copy of the personal data we hold about you and information about how it is processed. (RA 10173, Section 16)
- Object / withhold consent - object to processing in certain cases. (Section 16)
- Correct (rectify) - have inaccurate or outdated personal data corrected. (Section 16)
- Erasure or blocking - have your personal data removed or blocked where it is incomplete, outdated, false, unlawfully obtained, or no longer necessary. (Section 16)
- Data portability - obtain and reuse your personal data in an electronic format where applicable. (RA 10173, Section 18)
- Damages - be indemnified for damages from inaccurate, false, unlawfully obtained, or unauthorized use of your personal data. (Section 16)
- Lodge a complaint with the NPC - if you believe your rights have been violated, you may file a complaint with the National Privacy Commission (privacy.gov.ph).
How to exercise your rights: email [email protected] from the email address on your account, and tell us what you want to do. We will verify your identity and respond within a reasonable period.
7. Cross-border transfer of data (please read)
Our backend and database are hosted on Railway in the United States. This means that when you use Listoria, your account data and your business operational data are transferred to and stored on servers outside the Philippines. Firebase Crashlytics and Firebase Analytics (Google) may also process data on infrastructure outside the Philippines.
A copy of your data is also stored locally on your device in the Philippines for offline use, and is synced with the US-hosted backend.
Under the DPA, we remain accountable for personal data even when it is transferred abroad or handled by a processor abroad. We rely on contractual and technical safeguards with our providers to protect it.
8. Data breach notification
We maintain measures to detect, respond to, and report personal data breaches. If a personal data breach occurs that meets the notification criteria under the DPA and NPC rules, we will notify the National Privacy Commission and the affected data subjects within seventy-two (72) hours of knowledge of, or reasonable belief in, the breach, as required by NPC Circular 16-03 (Personal Data Breach Management). We will describe the nature of the breach, the data likely involved, and the measures taken.
9. Consent
By creating an account and using Listoria, you acknowledge this Privacy Policy. Where we rely on your consent for any specific processing, we will ask for it clearly and you may withdraw it. Withdrawing consent does not affect processing done before withdrawal.
10. Automated decision-making
Listoria does not make automated decisions that produce legal or similarly significant effects about you (for example, it does not use profiling to make decisions about you).
11. Children's data
Listoria is a business tool intended for business owners, managers, and staff. It is not directed at children and we do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact us and we will delete it.
12. Account and data deletion
You can request deletion of your account and associated personal data by emailing [email protected].
When you delete your account, we delete the personal data associated with it, except data we must retain for legal reasons.
13. Changes to this policy
We may update this policy. If we make material changes, we will update the "Last updated" date and, where appropriate, notify you in the app or by email. Continued use after an update means you have read the updated policy.
14. How to contact us / complain
- Privacy questions or data requests: [email protected]
- You may also contact the National Privacy Commission at privacy.gov.ph if you believe your data privacy rights have been violated.