Privacy Policy

This Privacy Policy applies to:

• Account Holders — homeowners association (HOA) administrators and staff members who register for and manage a Citadel subscription; and
• Residents — subdivision members, homeowners, and occupants whose personal information is collected and processed by HOAs using the Citadel platform.

By using Citadel, or by having your information entered into Citadel by your HOA, this Privacy Policy applies to you.

For HOA admins and staff:

• Full name and email address
• Password (stored as a hashed value — never stored in plain text)
• Billing information, processed securely by Dodo Payments
• Usage activity and audit logs within the platform
• IP address and browser/device information for security purposes

For subdivision members (entered by HOA admins or directly by members):

• Full name, home address, unit or lot number
• Contact information (mobile number, email address)
• Vehicle information (plate number, vehicle sticker status and expiry)
• Dues payment records and history
• Gate pass requests and QR access event logs
• Service request and approval history

Citadel uses personal information to:

• Deliver the Citadel platform, including member management, dues tracking, gate pass issuance, and request workflows
• Process subscription payments via our payment provider
• Send transactional email notifications (dues reminders, approval updates, gate pass confirmations)
• Maintain audit logs for HOA governance and accountability
• Provide customer support to HOA admins and staff
• Detect and prevent fraud, abuse, and security incidents
• Improve the platform using aggregated, anonymized analytics (never individual-level data)

We do not use personal data for advertising or marketing to HOA members.

This Privacy Policy is governed by Republic Act No. 10173, also known as the Data Privacy Act of 2012 (DPA), and its Implementing Rules and Regulations.

Citadel as Personal Information Controller (PIC)

Citadel is the Personal Information Controller for personal data collected directly from HOA admins and staff. We determine the purpose and means of processing this data.

HOA as PIC, Citadel as Personal Information Processor (PIP)

For member data entered into Citadel by an HOA, the HOA is the Personal Information Controller. The HOA bears responsibility for having a lawful basis under RA 10173 to collect and process its members' personal information. Citadel acts as a Personal Information Processor, processing member data solely as directed by the HOA and as necessary to deliver the service.

Our legal bases for processing include:

• Contractual necessity — processing required to fulfil your subscription agreement with Citadel
• Consent — where you have given explicit consent to processing
• Legitimate interests — platform security, fraud prevention, and audit log integrity

Citadel shares personal data only with the following third parties, and only to the extent necessary to deliver the service:

• Dodo Payments — processes subscription payments. Receives billing information only; has no access to HOA or member data.
• Transactional email provider — sends notifications on behalf of Citadel and HOAs. Receives name and email address only.

Citadel does not:

• Sell personal data to any third party
• Share member data with other HOAs or third-party advertisers
• Use member data for any purpose outside of service delivery

We may disclose personal data if required by Philippine law, a valid court order, or a lawful request from the NPC or other government authority.

• Account Holder data: Retained for the duration of the active subscription and for 30 days after cancellation. This window allows HOA admins to export their data before permanent deletion.
• Member data: Retained per the HOA's active subscription. Audit log retention varies by plan (Residencia: 30-day log retention; Hacienda and Enclave: full history). All member data is permanently deleted within 30 days of HOA account closure.
• Billing records: Retained as required by Philippine tax and accounting regulations, regardless of subscription status.

After the applicable retention period, data is securely and permanently deleted from Citadel's systems.

Under the Data Privacy Act of 2012, you have the following rights:

• Right to be informed — to know how your personal data is being collected and processed
• Right of access — to request a copy of the personal data Citadel holds about you
• Right to rectification — to request correction of inaccurate or incomplete personal data
• Right to erasure or blocking — to request deletion of personal data that is unlawfully processed or no longer necessary
• Right to object — to object to the processing of personal data in certain circumstances
• Right to data portability — to receive your personal data in a structured, commonly used, machine-readable format
• Right to damages — to be indemnified for damages sustained due to inaccurate, incomplete, or unauthorized processing

To exercise any of these rights, submit a request to hello@citadelhq.homes. We will respond within 15 business days.

Note for HOA members: Because the HOA is the Personal Information Controller for member data, requests related to member data should be directed to your HOA. Citadel will cooperate with HOAs in fulfilling valid data subject requests.

Citadel implements technical and organizational measures to protect personal data, including:

• Encryption of data in transit (TLS) and at rest
• Role-based access control (RBAC) — staff users can only access data their role requires
• Comprehensive audit logs that record all sensitive actions (member changes, dues updates, approvals)
• Password hashing using industry-standard algorithms
• Regular security reviews and vulnerability assessments

If we become aware of a personal data breach likely to result in risk to your rights and freedoms, we will notify affected parties and the NPC in accordance with RA 10173 and NPC Circular 16-03.

Citadel uses cookies solely for:

• Session/authentication cookies — required for the platform to function; they keep you securely logged in during your session

Citadel does not use advertising cookies, third-party tracking cookies, or analytics cookies that identify individual users. This landing page may use minimal, privacy-respecting analytics (page views only, no fingerprinting).

Citadel may update this Privacy Policy from time to time. We will notify HOA admins of material changes by email at least 30 days before the changes take effect.

Continued use of Citadel after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. The revision date at the top of this page reflects when the policy was most recently revised.

For privacy-related questions, requests, or concerns, contact Citadel at:

hello@citadelhq.homes

If you believe that your rights under the Data Privacy Act of 2012 have been violated, you have the right to file a complaint with the National Privacy Commission (NPC):

• Website: privacy.gov.ph
• Email: info@privacy.gov.ph