Privacy Statement

Last updated on 28 May 2026

We respect your privacy and are committed to protecting your personal data. This Privacy Statement explains how we collect, use, protect, and manage personal data in accordance with the Data Privacy Act of 2012.

Key points include:

• We collect personal data only when necessary for legitimate business purposes.
• We use personal data only for lawful and transparent purposes.
• We implement reasonable and appropriate safeguards to protect personal data.
• We do not sell personal data.
• You have rights under the Data Privacy Act of 2012, including the right to access and correct your personal data.

For more details on how we process personal data, please read the full Privacy Statement below.

Gokongwei Brothers Foundation, Inc. (“GBF,” “Organization,” “we,” “us,” or “our”) is committed to protecting your personal data in accordance with Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012 (“DPA”), its Implementing Rules and Regulations (“IRR”), and applicable issuances of the National Privacy Commission (“NPC”).

This Privacy Statement outlines how we collect, use, store, protect, share, retain, and dispose of personal data in connection with our business operations and services, and explains your rights as a data subject under the DPA. Our processing of personal data is guided by the principles of transparency, legitimate purpose, and proportionality.

Personal data may be collected through various lawful means, including digital platforms, electronic systems, physical forms, contractual documents, and in-person interactions, and may be processed through manual or automated methods consistent with legitimate and proportionate purposes.

In certain cases, specific services or transactions may be governed by supplemental privacy notices.

Unless otherwise stated, the Organization acts as a Personal Information Controller (“PIC”). In limited circumstances, we may act as a Personal Information Processor (“PIP”) on behalf of another PIC, in accordance with applicable agreements and lawful instructions.

Nothing in this Privacy Statement shall be construed to limit or override the Organization’s legal obligations, regulatory responsibilities, or contractual commitments under applicable laws and agreements.

We collect personal data only where lawful and necessary for legitimate business purposes.

Depending on your interaction with us, we may collect personal data such as:

• Full name
• Contact details (e.g., email address, telephone number, mobile number, mailing address)
• Company or organizational affiliation, where applicable
• Information voluntarily provided through inquiries, applications, feedback, or communications
• Information you submit for employment, business, partnership, scholarship, or professional development opportunities
• Technical information (e.g., IP address, browser type, device information, and access time) collected automatically through our website and cookies
• Any other personal data you voluntarily provide that is necessary for the purposes described below

Where permitted by law and relevant to our operations, we may process sensitive personal information as defined under the DPA, such as government-issued identifiers, financial information, or health-related data, subject to additional safeguards and lawful criteria.

We do not intentionally collect more personal data than is necessary for the purposes stated in this Privacy Statement.

You are responsible for ensuring that the personal data you provide is accurate, complete, and up to date.

Our website may use cookies and similar technologies to:

• Enable essential website functionality
• Enhance user experience
• Analyze website traffic and performance
• Improve content, services, and, where applicable, marketing initiatives

Cookies may include:

• Essential cookies
• Performance or analytics cookies
• Functional cookies
• Advertising or targeting cookies, where applicable

Non-essential cookies are processed based on your consent where required by law.

You may withdraw or modify your cookie preferences at any time through the available cookie consent mechanism or your browser settings, without affecting the lawfulness of processing based on consent prior to withdrawal.

Where third-party analytics or advertising tools are used, such tools may collect and process technical information and may involve cross-border data transfers. In such cases, we implement reasonable and appropriate security and contractual controls to safeguard personal data.

We process personal data for legitimate and lawful purposes consistent with our business operations, which may include:

• Responding to inquiries, comments, and feedback
• Managing beneficiary, vendor, contractor, partner, and stakeholder relationships
• Administering, approving, facilitating, and processing contracts, transactions, applications, programs, and service engagements
• Communicating with you regarding your accounts, transactions, service updates, administrative notices, or changes to our policies
• Conducting marketing, promotional, and communication activities, subject to applicable laws and your right to object where required
• Conducting data analytics, research, surveys, demographic analysis, and business intelligence activities to design new or improve services, operations, and user experience
• Managing recruitment, employment, and internal administrative functions, where applicable
• Supporting organization governance, reporting, audit, compliance, credit, and risk management obligations, where applicable
• Preventing fraud, misuse, unauthorized access, or other improper or unlawful activities
• Ensuring the security of premises, systems, and operations, where applicable
• Complying with legal, regulatory, tax, judicial, and supervisory requirements
• Supporting legitimate internal business operations, planning, recordkeeping, and reporting activities

Where applicable, automated systems may be used to support operational or business decisions, subject to reasonable and appropriate controls.

Processing activities are limited to what is necessary, relevant, and proportionate to the declared purposes.

If we intend to process personal data for a purpose other than those stated above, we will ensure that such purpose is compatible with the original purpose of collection or rely on another lawful basis as required under the DPA. Where required, we will obtain your consent before processing personal data for a new purpose.

We process personal data based on lawful criteria under the DPA, which may include:

• Your consent, where required
• Performance of a contract or pre-contractual steps at your request
• Compliance with a legal obligation
• Protection of vital interests
• Legitimate interests pursued by the Organization or a third party, provided such interests are not overridden by your rights and freedoms

Where processing is based on consent, you may withdraw your consent at any time, subject to legal or contractual limitations.

We may share personal data where necessary and consistent with the purposes described in this Privacy Statement, including the following:

• Within the Gokongwei Group including its internal business units, departments, and authorized personnel, and its subsidiaries and affiliates under common ownership or control, where necessary for legitimate business, operational, administrative, integration, reporting, or compliance purposes and subject to reasonable and appropriate safeguards;
• With authorized service providers, contractors, and partners who process personal data on our behalf under data processing agreements, including those providing IT services, system hosting, administrative support, analytics, or other operational assistance;
• With government agencies, regulators, judicial bodies, law enforcement authorities, tax authorities, or supervisory bodies when required or authorized by law;
• With professional advisers, such as auditors, consultants, or legal counsel, subject to confidentiality obligations;
• With other third parties where permitted or required by law, including in connection with corporate transactions such as mergers, acquisitions, restructuring, asset transfers, or similar business activities.

We may also disclose personal data where necessary to protect our rights, enforce our agreements, prevent fraud or unlawful activities, address security or technical issues, or protect the rights, property, or safety of the Organization, our stakeholders, or the public, as permitted by law.

All recipients are required to implement reasonable and appropriate confidentiality and security measures, and where applicable, are bound by contractual obligations consistent with the requirements of the Data Privacy Act of 2012.

Where required, data sharing arrangements are governed by appropriate agreements to ensure compliance with applicable laws and the implementation of adequate safeguards.

We do not sell personal data.

Where personal data is transferred, stored, or processed outside the Philippines, including through cloud service providers or regional systems, we implement reasonable and appropriate safeguards, including contractual protections and other legally recognized mechanisms, to ensure a level of protection comparable to that required under the Data Privacy Act of 2012.

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected and to comply with applicable legal, regulatory, contractual, and operational requirements.

Retention periods may vary depending on the nature of the personal data, the purpose of processing, applicable laws and regulations, contractual obligations, legitimate business needs, and applicable prescription periods.

Where required by law, regulation, or regulatory authority, personal data may be retained for a specific minimum period. In other cases, personal data is retained only for as long as reasonably necessary to achieve the declared purposes.

Personal data may also be retained for longer periods where necessary for the establishment, exercise, or defense of legal claims, or where subject to ongoing investigations, audits, regulatory review, or litigation hold requirements.

Upon expiration of the applicable retention period, personal data will be securely disposed of, destroyed, anonymized, archived where appropriate, or rendered irrecoverable in accordance with our Personal Data Retention, Archiving, and Destruction Guidelines and other applicable internal policies.

Secure disposal methods may include overwriting, degaussing, shredding, or other appropriate techniques, depending on the format and storage medium of the personal data.

We implement reasonable and appropriate technical, organizational, and physical security measures designed to protect personal data against accidental or unlawful destruction, alteration, unauthorized disclosure, misuse, and access.

Such measures may include access controls, encryption, secure system configurations, role-based access restrictions, employee confidentiality obligations, training and awareness programs, and periodic reviews of security practices.

We continuously monitor and enhance our safeguards to address evolving risks, regulatory expectations, and our organizational accountability for protecting personal data as part of our commitment to privacy by design.

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of affected individuals, we will notify the National Privacy Commission and affected data subjects in accordance with applicable laws and regulations.

We also cooperate with regulatory authorities in accordance with applicable laws to address and mitigate the impact of personal data breaches.

You have the following rights under the DPA:

• Right to be informed – to know how and why your personal data is being collected and processed.
• Right to access – to request a copy of the personal data we hold about you.
• Right to rectification – to request correction of inaccurate or incomplete personal data.
• Right to erasure or blocking – to request deletion or suspension of personal data that is no longer necessary or is being unlawfully processed, subject to applicable legal limitations.
• Right to object or withdraw consent – to object to certain processing activities or withdraw consent previously given, where processing is based on consent.
• Right to data portability – to obtain a copy of your personal data in a structured and commonly used format, where applicable.
• Right to file a complaint before the National Privacy Commission – if you believe your data privacy rights have been violated.
• Right to claim damages – to seek indemnification for damages sustained due to unlawful or inaccurate processing of personal data, where warranted under the law.

The exercise of these rights is subject to identity verification and applicable legal limitations under the DPA and other relevant laws.

To exercise your data privacy rights, you or your duly authorized representative may submit a written request to our Data Protection Officer:

For your protection, we may require reasonable verification of identity before processing a request to ensure that personal data is disclosed only to the proper individual or authorized representative.

Requests will be handled within the period prescribed under applicable laws and regulations.

In certain cases, and as permitted under applicable laws and regulations, a reasonable administrative fee may be charged to cover the costs of processing, reproducing, or transmitting records. We will inform you in advance if such a fee applies.

Where a request cannot be granted due to legal, regulatory, or contractual limitations, we will inform you accordingly and explain the basis for such limitation.

We may update this Privacy Statement from time to time to reflect changes in our processing activities, security practices, or regulatory requirements. Updates will be reflected through the revised effective date indicated above.

This entity is duly registered with the National Privacy Commission as a Personal Information Controller and/or Personal Information Processor in accordance with the Data Privacy Act of 2012.