HRnFLEX ("we," "our," "us") is dedicated to ensuring the privacy and security of personal information and sensitive personal information (collectively, "personal data") following data privacy laws and regulations, including the Philippine Data Privacy Act of 2012 ("DPA") and its implementing rules and regulations ("DPA IRR"). This Policy outlines our practices for collecting, processing, and safeguarding personal data, adhering to principles of transparency, legitimate purpose, and proportionality. The latest version of this Policy is available on our website at www.hrnflex.com.

Key terms used in this Policy are defined in Schedule 1. Schedule 1 also includes rules for interpreting certain terms and phrases used throughout this Policy.

All client information and data collected during business operations are treated with strict confidentiality. HRnFLEX is committed to maintaining the confidentiality and security of this information, except when disclosure is required by law or authorized by relevant regulations and authorities.

Certain personal data and their collection and processing are exempt from the application of the DPA. This Policy does not cover those data and activities.

We collect personal data through various means, including but not limited to:

• Agreements, whether written or verbal, including employment contracts, service agreements, or other contracts to avail of our services.

• Applications, forms, requests, notices, or other documents submitted to us.

• Inquiries or applications for employment.

• Employment as an employee, officer, consultant, agent, supplier, or service provider of the Company.

• Accessing, browsing, or using our websites, platforms, social media presence, or other online resources.

• Providing personal data directly or through another person.

We may also collect data from publicly available sources, including online platforms.

The types of personal data we collect include but are not limited to, names, addresses, email addresses, telephone numbers, age, marital status, government-issued information, and other data necessary for contracts, service provision, communication, or lawful purposes.

When you visit our website, we may also collect standard browsing information, such as IP addresses, access times, system activity, cookies, device identifiers, and other log data.

We collect and process personal data for purposes such as:

• Fulfilling the reasons for which the data was provided or made available to us.

• Complying with applicable laws.

• Other purposes are detailed in Schedule 3.

Recipients of personal data may include our affiliates, third-party service providers, advisors, suppliers, and others as necessary to achieve these purposes. Some data transfers may be cross-border. We may also disclose personal data in response to lawful requests by governmental authorities or as required by law. Schedule 3 provides more details on the recipients of personal data.

By providing personal data through interactions mentioned in Clause 5, you consent to our collection, use, disclosure, sharing, and processing of the data for the specified purposes and under the terms of this Policy. This consent does not replace any other consent you may have given or any lawful basis for data processing under applicable laws.

We use standard manual and automated methods to collect, store, and process personal data in line with the principles outlined in this Policy and legal requirements. Personal data will be retained for the period necessary to achieve the purposes for which it was collected or as required by law.

We may update this Policy as needed. By continuing to use our services, you agree to the terms of the updated Policy as published on our website. Please check our website regularly for updates.

Under the DPA, data subjects have the following rights:

• Right to Object: You can refuse the processing of your data for direct marketing, automated processing, or profiling, except when required by law or other lawful bases.

• Right to Access: You can request access to your data and information on its processing.

• Right to Rectification: You can request corrections to any inaccurate or outdated personal data.

• Right to Erasure or Blocking: You can request the suspension, withdrawal, blocking, or removal of your data if it is incomplete, outdated, false, or unlawfully obtained.

• Limitations: These rights are subject to limitations provided by law, particularly for scientific and statistical research purposes.

Requests must be made in writing and will be considered received upon confirmation as outlined in Clause 14.2.

We have implemented appropriate security measures to protect personal data from unauthorized access, alteration, disclosure, or destruction. These measures include internal reviews of data collection, storage, and processing practices and physical security measures.

We comply with relevant laws and regulations regarding the handling of personal data breaches. In the event of a breach involving sensitive personal data or information that could lead to identity fraud, we will notify the affected data subjects and the National Privacy Commission as required by law.

Our Data Protection Officer (DPO) ensures compliance with data privacy laws and this Policy. The DPO's contact email is [email protected]

For inquiries about this Policy, contact our DPO using the details above. Requests, demands, or notices under this Policy must be in writing and will be deemed received upon delivery, confirmation by courier, or email confirmation as specified in Clause 14.2.

1. Definitions

• Business Day: Any day Philippine banks are open for business in Makati City.

• DPA: Data Privacy Act of 2012 and its implementing rules and regulations.

• Person: Any natural or juridical person.

• Personal data: Personal information and sensitive personal information.

• Personal information: Information that identifies an individual, directly or indirectly.

• Policy: This data privacy policy as amended or supplemented.

• Processing: Any operation performed on personal data, including collection, recording, organization, storage, and destruction.

• Sensitive personal information: Information about race, ethnicity, marital status, age, health, education, government-issued identifiers, and other sensitive data.

2. Interpretation

Terms like "include," "includes," or "including" mean "without limitation." Singular and plural forms and gender-specific terms apply equally to all genders.

This Policy does not apply to:

1. Public information related to government officials or employees.

2. Personal data is processed for research purposes intended for public benefit.

3. Information necessary for public authority functions related to law enforcement or regulatory functions.

1. General Purposes:

   • Compliance with contracts and legal obligations.

   • Service performance and improvement.

   • Implementation of efficiencies and best practices.

   • Obtaining services and advice for operations.

   • Conducting surveys and research.

   • Marketing and promotional activities.

   • Communication with data subjects.

   • Allowing audits and compliance reviews.

2. Employee Data:

   • Initiating, maintaining, or terminating employment agreements.

   • Processing job applications and retaining data for future opportunities.

   • Sharing data as authorized by law or with consent.

This privacy notice is provided to individuals who visit our offices or digital sites, interact with our personnel, or participate in our events or activities. It complies with the Data Privacy Act of 2012 (DPA).

When you visit our premises or engage with us, we may collect data such as your name and contact details. For example, you may be asked to sign in, register for an event, or provide an identification card. Our office premises are monitored by CCTV, and your movements may be recorded.

We collect this data to perform our functions, comply with requests, ensure security, and for other legitimate purposes. Generally, we do not share this data outside our organization unless permitted by law or necessary to protect our interests. We will retain the data only for as long as necessary for the purposes for which it was collected.

By providing your data, visiting our premises or sites, utilizing our services, or participating in our events and activities, you consent to our collection, use, disclosure, and processing of that data as described in this notice. This consent supplements any other consent you have provided regarding your data.

If you provide the personal data of others, you represent that you have the authority to do so and that they consent to this notice's terms.

Our website and digital presence may contain links to third-party sites. We are not responsible for these third parties' data and privacy practices. We encourage you to review their privacy policies.

Data subjects have rights under the DPA, including the right to be informed, object, access, rectify, erase, and seek damages for data breaches. Collection and processing of personal data are subject to our data privacy policy, available on our website and at our reception.

If you do not provide the requested data, we may not be able to permit access to our premises, services, or events.

We may update this Privacy Notice periodically. Changes will be posted on our website and at our reception.

We and/or our third-party provider agree to provide the aforesaid products and services, while you agree to pay the aforesaid charges as part of your regular recurring service fees.