Privacy Policy (Updated on September 2022)

PRIVACY POLICY (As of November 2023)

I. Overview

We, Goldilocks Bakeshop, Inc. (‘Goldilocks,’ ‘we,’ or ‘us’) and its subsidiaries and affiliates, provide a full range of food-related services. In providing such services, we rely on personal information, whether it be the information of our clients, our employees, or any other individual with whom we have a contractual relationship.  

 

 Given the importance of privacy to all concerned parties, we are committed to the highest standards of privacy and data protection compliance and expect everyone in our Company to adhere to these standards. We demand the highest standards of ethics and compliance with applicable laws and rules from our management, employees, and third party suppliers and service providers.

 

This Privacy Policy will help you understand: (i) what Personal Information we collect; (ii) how we collect, hold, use and disclose that information; and (iii) the purposes of such collection, holding, use and disclosure.

 

II. To what does this Privacy Policy apply?

This Policy applies to all of our facilities, as well as all the services that we offer. 

 

This Policy does not apply to any website, product or service of any third-party organization even if the website links to (or from) our Website. Please always review the privacy practices of any third-party organization before deciding whether to provide any information.

 

By using our services, you accept the practices described in this Policy. If you do not agree with this Policy, you should immediately cease and desist from using our Services. Continued use of our Services will signify your acceptance of this Policy.

 

 

III. What information do we collect?

When you use our services, we collect your Personal Information. 

 

The term “Personal Information”, as used in this Policy, refers to any data (whether by itself or when linked with other information) in the possession of, or likely to come into the possession of Goldilocks, that can be used to identify a specific living person. 

 

Personal Information does not include information that has been aggregated or made anonymous such that it can no longer be reasonably associated with a specific person.

 

Through various means described in Part V below, we collect from you the following Personal Information: 


1. Personal Information

  • Full Name
  • Address
  • Contact Information (Email Address, Landline Number and Mobile)
  • IP Address

2. Sensitive Personal Information 

  • Age
  • Birthday 

IV. Why do we collect your information?

Generally, we collect your Personal Information in order to enable us to provide our services.


We collect your Personal Information for the following purposes:

1. To process registrations in GBI’s programs;

2. To facilitate the marketing efforts of the organization;

3. To process online orders;

4. To establish, exercise, or defend legal claims; and

5. To fulfill any other purposes directly related to the above-stated purposes.


Subject to the Data Privacy Act and with your consent, we may share, preserve, transfer, and disclose your Personal Information to the following:

a. Third party suppliers and service providers that help us provide our services, to the extent needed to perform their duties and their functions; and

b. Government authorities and such entities that may have a legitimate and legal interest in the information, in response to a legal request such as a search warrant, court order or subpoena, if we believe in good faith that we are required to do so under the law.


Some of our third party suppliers and service providers may conduct their operations outside of the country. Any international data transfers will be in accordance with this General Data Privacy Policy and in compliance with all applicable laws, local customs, or practices.

V. How do we collect your information?

Broadly speaking, we collect information in three ways: (1) when you provide it directly to us, (2) when we obtain verification information about you or your company through trusted third parties, and (3) passively through technology such as “cookies”.


Specifically, we collect Personal Information from you through the registration forms, both electronic and physical, that are used and maintained by Goldilocks.

VI. What are your rights as a data subject and how do you exercise them?

As a data subject whose Personal Information will be collected and processed by us, you are entitled to the following rights, pursuant to Section 16 of Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012, and Section 34 of its Implementing Rules and Regulations: 


1. Right to be Informed:

You have a right to be informed whether Personal Information pertaining to you shall be, are being, or have been processed.


2. Right to Object:

You shall have the right to object to the processing of your Personal Information, including processing for direct marketing. You shall also be notified and be given an opportunity to withhold consent to the processing in case of changes or any amendment to the information supplied or declared to the data subject. 


3. Right to Access:

You have a right to be given access to specific kinds of information identified in the Data Privacy Act, upon reasonable demand. 


4. Right to Rectification:

The data subject has the right to dispute inaccuracies or errors in his Personal Information and have us correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable. 


5. Right to Erasure or Blocking:

You shall have the right to suspend, withdraw or order the blocking, removal or destruction of your Personal Information from our filing system.


6. Right to Damages:

Upon presentation of a valid decision, we recognize your right to be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of Personal Information, taking into account any violation of your rights and freedoms as data subject.

 

Please note that this is not an exhaustive discussion of your rights as a data subject. If you wish to know more, please see our Data Subject Rights Policy. 

 

VII. What principles do we follow when we collect your information?

In compliance with applicable laws and regulations, we pledge to observe the following principles: 

 

1.  Principle of Transparency

We are committed to ensuring that you know why we collect Personal Information, as well as how much of it we collect. As we seek to ensure the security of your Personal Information, we make sure that you know what risks are involved when we collect and use your Personal Information, as well as the measures we have established to ensure that those risks are lessened or eliminated. 

 

2.  Principle of Legitimate Purpose 

We are committed to ensuring that your Personal Information will only be used for specified, legitimate purposes. No Personal Information shall be used for a purpose other than that which has been told to you and which you have consented to. 

No Personal Information shall be collected without your consent. If you wish to withdraw consent to the collection of your Personal Information, kindly give us reasonable notice so we may have time to cease any and all processing. 

 

3.  Principle of Proportionality

We are committed to ensuring that we do not collect Personal Information more than what is necessary from you. Personal Information shall be collected only to the extent that is needed for the purposes specified in this Policy. 

 

4.  Principle of Lawful Processing

We pledge that we shall uphold your rights as a Data Subject. You shall have the right to refuse, withdraw, consent, or object to the use and collection of your Personal Information. 

In the event that you refuse to give consent, your Personal Information shall no longer be processed, unless:

a. The Personal Information is needed pursuant to a subpoena;

b. The collection and processing are for obvious purposes, including, when it is necessary for the performance of or in relation to a contract or service to which the customer is a party; or

c. The information is being collected and processed as a result of a legal obligation.

 

Any information to be provided by you shall always be in clear and plain language, to ensure that the information is easy to understand and access. 

VIII. How do we retain your personal data?

Any Personal Information given to us by you or pertaining to you shall be retained only for as long as necessary, but not to exceed ten (10) years:

a. For the fulfillment of the declared, specified, and legitimate purpose, or when the processing relevant to the purpose has been terminated;

b. For the establishment, exercise, or defense of legal claims; or

c. For legitimate business purposes, which must be consistent with standards followed by the applicable industry or approved by the appropriate government agency.

 

Personal Information provided to us by you shall be disposed of or discarded in a secure manner that would prevent further processing, unauthorized access, or disclosure to any other party, or prejudice to the interests of our customers.

IX. Why do we retain your personal information?

We will retain Personal Information for the period necessary to fulfill the purposes outlined in this Privacy Policy unless a longer retention period is required or permitted by the Data Privacy Act of 2012. Please note that we have a variety of obligations to retain the Data that you provide to us, i.e. to ensure that transactions can be appropriately processed, settled, refunded or charged-back, to help identify fraud and to comply with anti-money laundering and other laws and rules that apply to us and to our financial service providers. There may also be residual Data that will remain within our databases and other records, which will not be removed.

 

For a more detailed explanation of how and why we retain your Personal Information, please see our Data Retention Policy. 

 

X. How do we protect your personal information?

We use reasonable organizational, technical and administrative measures to protect Personal Information within our organization. Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of your account has been compromised), please contact our Data Protection Officer immediately. His contact details are provided in Part XVI below.

 

XI. What are the risks involved?

In processing personal information, the following risks are involved:

- accidental or unlawful destruction

- loss

- alteration

- unauthorized disclosure and unauthorized access (data breach)

A data breach may be internal or external due to the very nature of how the personal information was processed. 

 

XII. What are the remedies in case of breach?

Obligated to pay the penalties in accordance with Section 3c, NPC Circular 16-03 and Section 5, NPC Circular 16-03 of the Data Privacy Act and damages.

XIII. What are the measures to protect personal data?

Installation of firewalls and anti-virus software, and implementation of Company Policies with respect to the processing of personal data and disposal of information.

XIV. How do we store and dispose?

Digital records are stored in Goldilocks' secure servers, located in a separate data room. Paper-based records are stored in secure facilities. Goldilocks implements a Data Retention Policy.

XV. What about changes to this policy?

We may change this Privacy Policy. The “Last updated” legend at the top of this Privacy Policy indicates when this Privacy Policy was last revised. Any changes are effective when we post the revised Privacy Policy on the Services.

We may provide you with disclosures and alerts regarding the Privacy Policy or Personal Information collected by posting them on our website. By using our Services, you agree that electronic disclosures and notices have the same meaning and effect as if we had provided you with hard copy disclosures. Disclosures and notices in relation to this Privacy Policy or Personal Information shall be considered to be received by you within twenty-four (24) hours of the time they are posted to our website. 

XVI. How can you reach us?

Our customers can update their Personal Information by sending an email to privacy@goldilocks.com.ph.

If you have any questions or suggestions about this Privacy Policy or would like to access or seek correction of your Personal Information, or if you have any complaints regarding our privacy practices, please contact our Data Protection Officer. His contact information is as follows: 

 

Data Protection Officer

Goldilocks Bakeshop, Inc.

16th Floor, Greenfield Tower

Mayflower corner William Streets

Greenfield District, Mandaluyong City

Metro Manila

Email: privacy@goldilocks.com

 

Please note that you, as the requesting party, would have to pay the reasonable costs and expenses incurred by Goldilocks for producing the requested information. 

Because email communications are not always secure, you are asked to not include credit card or other sensitive Data (such as racial or ethnic origin, political opinions, religion, health, or the like) in emails sent to us.

 

You may access Goldilocks Bakeshop, Inc. Certificate of Registration with the National Privacy Commission here.