Privacy Policy

Last Updated: May 29, 2026

PH.vacations (the “Website”, “we”, “us”) is operated by Eastgate Technologies. This Privacy Policy explains what information we collect from guests, property owners, and visitors of https://ph.vacations, how we use it, who we share it with, and the rights you have over your information.

By accessing the Website you agree to this Privacy Policy and to our Terms of Service. If you do not agree, please do not use the Website.

1. Information We Collect

We collect the minimum information needed to operate the Website and provide our services.

a. Information you provide

  • Account profile — name, email address, profile photo, phone number, and OAuth provider identifiers (Google, Facebook).
  • Property listings (owners/managers) — listing name, description, location, pricing, amenities, payment method details, and uploaded photos.
  • Bookings & reservations — guest name, contact number, check-in/out dates, payment proof images, optional guest email, and notes.
  • Contact and report submissions — name, email, phone number, and the content of the message.
  • Identity verification (optional, for managers) — government-issued ID photos and supporting documents.
  • Chat messages — direct messages exchanged through our chat feature, stored by our chat provider (GetStream).

b. Information collected automatically

  • IP address, browser type, device, and approximate location derived from request headers.
  • Cookies and similar storage — a CSRF cookie used to prevent cross-site request forgery, and session cookies issued by NextAuth.
  • Aggregate usage analytics via Google Analytics 4 (only on the production ph.vacations domain).
  • Cloudflare Turnstile signals used to distinguish humans from bots on public forms.

2. How We Use Your Information

  • Authenticate users and maintain logged-in sessions.
  • Show vacation listings, fulfill bookings, and notify both guests and managers of status changes by email, in-app inbox, push, and real-time channels.
  • Verify the identity of property owners who request a verified badge.
  • Detect and prevent fraud, abuse, spam, and unauthorized access (including rate limiting, replay protection on machine-to-machine APIs, and bot detection).
  • Respond to support requests, abuse reports, and legal inquiries.
  • Measure how the Website is used so we can improve it.

3. Who We Share Information With

We do not sell your personal information. We share it only with the parties needed to operate the Website:

  • Property managers and guests — when you book a property, the relevant contact information is shared between the booking parties so the stay can be coordinated.
  • Authentication providers — Google and Facebook OAuth, only when you sign in via those services.
  • Infrastructure providers — MongoDB Atlas (database), Google Cloud Storage (verification documents), Google Cloud Platform (hosting), Pusher (real-time events), GetStream (chat), Firebase Cloud Messaging (push notifications), Cloudflare Turnstile (bot defense), Google Analytics (analytics), Google Dialogflow (AI chatbot), and Nodemailer/SMTP (transactional email).
  • Sister sites in the PH network — when a property is published through our centralized network (ph.rentals, ph.condos, ph.house, ph.reviews), listing data may be syndicated to those sites for visibility.
  • Law enforcement and legal compliance — when required by valid legal process, or to protect the rights, property, or safety of users or the public.

4. How We Protect Information

  • HTTPS in production with HTTP-only session cookies issued by NextAuth.
  • CSRF protection on every state-changing API request via a double-submit cookie pattern.
  • HMAC-SHA256 signature verification, nonce-based replay protection, and per-key rate limiting on machine-to-machine API access.
  • Verification documents are stored in private Google Cloud Storage and are accessed only through short-lived (5-minute) signed URLs by administrators.
  • Payment proof images and identity documents are not publicly indexable and are gated by per-booking ownership checks.
  • Passwords are not stored — sign-in is delegated to Google and Facebook OAuth.

No method of transmission or storage is 100% secure. We continuously work to keep your data safe but cannot guarantee absolute security.

5. Cookies

We use the following cookies:

  • NextAuth session cookies — required to keep you signed in.
  • CSRF token cookie — required to safely process form submissions.
  • Google Analytics cookies — set only on the production domain to measure usage.

You can disable non-essential cookies in your browser settings, but the Website may not function correctly without the session and CSRF cookies.

6. Your Rights

Subject to applicable law (including the Philippine Data Privacy Act and the GDPR where it applies), you may:

  • Access the personal information we hold about you.
  • Correct or update inaccurate information from your account settings.
  • Request deletion of your account and associated personal data.
  • Object to or restrict certain processing.
  • Request a portable copy of the data you have provided.
  • Withdraw consent for optional processing (e.g., marketing email) at any time.

To exercise any of these rights, contact us at contact@eastgate.tech.

7. Data Retention

We keep personal data only as long as needed to operate the service and meet legal obligations. Bookings and the messages associated with them are retained for record-keeping and dispute resolution. Verification documents are deleted when an admin closes a verification request or when you delete your account, whichever comes first. Aggregate analytics may be retained indefinitely in non-identifiable form.

8. Account & Data Deletion

To delete your account and the personal data we hold about you, email contact@eastgate.tech from the address linked to your account, or message us on Facebook. We will confirm receipt within 5 business days and complete deletion within 30 days, except for records we are required to retain by law (for example, financial records linked to a completed booking).

9. Children

The Website is not directed to children. By using the Website you represent that you are at least 18 years of age.

10. Links to Other Websites

The Website links to sister products (ph.rentals, ph.condos, ph.house, ph.reviews) and other third-party sites that have their own privacy policies. We are not responsible for the content or privacy practices of those sites.

11. Changes to This Policy

We may update this Privacy Policy from time to time. The “Last Updated” date at the top of this page reflects the most recent change. Material changes take effect five (5) days after they are posted. Your continued use of the Website after that period means you accept the updated policy.

12. Business Transfers

If PH.vacations is involved in a merger, acquisition, or sale of assets, your personal information may be transferred. We will post a notice on this page before any change of ownership takes effect.

13. Contact Us

Questions, requests, or complaints about this Privacy Policy can be sent to contact@eastgate.tech.