STATEMENT OF POLICY

TRACTIONCORE is committed to protecting the fundamental human right to privacy while ensuring the free flow of information for innovation and growth. This document outlines our commitment to the Data Privacy Act of 2012 (RA 10173), its Implementing Rules and Regulations (IRR), and the directives of the National Privacy Commission (NPC).

THE PILLARS OF COMPLIANCE

We adhere to the core data privacy pillars mandated by the National Privacy Commission (NPC). TRACTIONCORE has appointed a Data Protection Officer (DPO) and established a privacy management program to ensure continuous compliance with the Data Privacy Act. We conduct regular Privacy Impact Assessments (PIA) for all revenue‑generating and talent‑related projects to identify, assess, and mitigate privacy risks. We maintain Records of Processing Activities (ROPA) to document how personal data is collected, used, shared, retained, and disposed of across our ecosystem. We implement appropriate physical, technical, and organizational security measures to protect personal data against unauthorized access, misuse, or loss. In addition, we maintain a formal Data Breach Response Team (DBRT) and incident response procedures to ensure timely notification to the NPC and affected data subjects, within the period prescribed by law, in the event of a personal data breach.

SCOPE AND APPLICABILITY

This Data Privacy Compliance Statement applies to the processing of personal data relating to, but not limited to:

• Individual clients and customers
• Business clients and their authorized representatives
• Employees, job applicants, trainees, and interns
• Independent contractors, talents, consultants, and specialists
• Suppliers, partners, and service providers
• Website users and other individuals who interact with TRACTIONCORE

Regardless of role or engagement, all data subjects are afforded protection under the Data Privacy Act.

DEFINITION OF PERSONAL DATA

Consistent with Republic Act No. 10173, this Statement covers the following categories of data:

• Personal Information

Any information from which the identity of an individual is apparent or can be reasonably and directly ascertained.

• Sensitive Personal Information

Including, but not limited to:

• Government‑issued identification numbers
• Financial, tax, or social security information
• Health, education, or employment records
• Any information classified as sensitive under Philippine law

• Privileged Information

Information protected by legal privilege or confidentiality under applicable laws.

DATA PRIVACY PRINCIPLES

TRACTIONCORE processes personal data in accordance with the following principles:

• Transparency – Data subjects are informed of the nature, purpose, and extent of processing
• Legitimate Purpose – Personal data is processed only for lawful and declared purposes
• Proportionality – Processing is adequate, relevant, and limited to what is necessary

LAWFUL PURPOSE OF PROCESSING

Personal data is collected and processed only for legitimate business and operational purposes, which may include:

• Client, business, and service engagements
• Contractual, commercial, and administrative activities
• Talent, specialist, and workforce management
• Communication, coordination, and support
• Legal, regulatory, and compliance requirements
• Accounting, audit, security, and risk management

Personal data is not processed in a manner incompatible with these purposes.

LEGAL BASIS FOR PROCESSING

TRACTIONCORE processes personal data only when authorized under the Data Privacy Act, including when:

• The data subject has provided consent
• Processing is necessary for the performance of a contract
• Processing is required to comply with legal obligations
• Processing is necessary to protect vital interests
• Processing is based on legitimate interests, subject to data subject rights

DATA SHARING, DISCLOSURE, AND CROSS-BORDER TRANSFERS

Personal data under the custody or control of TRACTIONCORE is disclosed only under lawful, controlled, and documented conditions. Access to personal data is strictly limited to authorized personnel on a need‑to‑know basis and may be disclosed to government authorities when required by law.

Data may also be shared with service providers, processors, or partners, provided that such entities are bound by enforceable data protection and confidentiality obligations. TRACTIONCORE does not sell personal data and does not permit unauthorized disclosure.

Where personal data is transferred between the Philippines and international clients or partners, TRACTIONCORE implements appropriate safeguards, including Standard Contractual Clauses (SCCs) and Data Transfer Agreements, to ensure that the level of protection required under the Data Privacy Act continues to apply regardless of where the data is processed or stored.

DATA PROTECTION AND SECURITY MEASURES

TRACTIONCORE implements reasonable and appropriate organizational, physical, and technical safeguards, consistent with NPC requirements, including:

• Access controls and authorization protocols
• Secure physical and electronic storage systems
• Confidentiality obligations and internal data privacy policies
• Personnel training and awareness programs
• Monitoring and risk management measures

DATA RETENTION AND DISPOSAL

Personal data is retained only for as long as necessary to fulfill the declared purpose or comply with legal and regulatory requirements. Upon expiration of the applicable retention period:

• Personal data is securely disposed of
• Data may be anonymized where appropriate
• Records are destroyed in a manner that prevents reconstruction

RIGHTS OF DATA SUBJECTS

In accordance with the Data Privacy Act, data subjects have the right to:

• Be informed
• Access their personal data
• Object to processing
• Correct or rectify inaccuracies
• Request erasure or blocking
• Data portability, where applicable
• Seek damages for violations
• File complaints with the National Privacy Commission

PERSONAL DATA BREACH MANAGEMENT

In the event of a personal data breach involving personal data under Philippine jurisdiction, TRACTIONCORE shall:

• Promptly assess and contain the breach
• Mitigate potential harm
• Notify the National Privacy Commission and affected data subjects when required by law
• Implement corrective measures

DATA PROTECTION OFFICER

TRACTIONCORE has designated a Data Protection Officer (DPO) responsible for overseeing compliance with the Data Privacy Act and related regulations.

Data Protection Officer (DPO)

privacy@tractioncore.com

Vertis North, Vita St., cor. Sola Drive

Quezon City, National Capital Region

Philippines, 1105

https://www.tractioncore.com

RELATIONSHIP TO OTHER PRIVACY POLICIES

This Data Privacy Compliance Statement applies specifically to personal data governed by Philippine law. It supplements TRACTIONCORE’s global or cross‑jurisdictional privacy frameworks and shall prevail in matters relating to compliance with Republic Act No. 10173.

EFFECTIVITY AND UPDATES

This Statement takes effect upon publication and shall remain in force unless amended or replaced. Updates shall be made available through TRACTIONCORE’s official channels.