Legal

Privacy Notice

How we handle your personal data — in plain language, under the Philippine Data Privacy Act.

Last updated · 2026-05-23

This Privacy Notice explains how Omnilert Food & Beverages (operating the Monster Siomai brand) collects, uses, shares, retains, and protects your personal data when you visit monstersiomai.ph or use the Customer Portal at customer.monstersiomai.ph. We comply with the Philippine Data Privacy Act of 2012 (Republic Act No. 10173) and its Implementing Rules and Regulations.

1. Who we are

Omnilert Food & Beverages is the Personal Information Controller responsible for the personal data described in this notice. Our Data Protection Officer can be reached at:

  • Email: dpo@monstersiomai.ph
  • General contact: see our contact page.

2. What personal data we collect

We collect only the data we need to provide our services. The categories below reflect the actual data flows in our systems — we don’t collect anything else.

From the marketing site (monstersiomai.ph)

  • Contact form: your name, email address, and the contents of your message. Sent to us via our email provider; not stored in a database.

From the Customer Portal (customer.monstersiomai.ph)

  • Account details: your name and email address (required to create an account); your password (stored only as a one-way cryptographic hash — we never store or see your plaintext password); your optional phone number and birthdate, if you choose to provide them.
  • Loyalty / reward data: your loyalty card code, your task-completion history, and your reward-claim history.
  • Security and operational data: IP address (recorded for security audit logs and abuse prevention); timestamps of sensitive actions such as password and email changes; password-reset and email-verification tokens (short-lived).
  • Usage signals: the timestamp of your most recent activity in the portal. We use this only to compute aggregate active-user counts for internal product decisions. We do not use third-party analytics services.

3. How we use your data

  • To create and manage your account, including authentication.
  • To verify your email address at sign-up and when you change it, and to notify you of security-relevant events (password changes, email changes).
  • To operate the Monster Points loyalty program — awarding points for completed tasks and processing reward redemptions.
  • To respond to inquiries you submit through the contact form.
  • To detect, prevent, and investigate abuse (rate limiting, credential-stuffing protection, audit logs of sensitive actions).
  • To compute internal active-user metrics that inform product and operational decisions. These metrics never identify you to third parties.
  • To comply with our legal obligations.

4. Legal basis

Under Sections 12 and 13 of RA 10173, we rely on the following legal bases for processing your personal data:

  • Consent — you give us your information when you create an account or submit the contact form.
  • Contract — processing is necessary to deliver the Customer Portal services you sign up for, including the loyalty program.
  • Legitimate interest — security, fraud prevention, and the integrity of our systems (audit logs, rate limiting, abuse detection).
  • Legal obligation — where we are required by law to retain or disclose data.

5. Who we share your data with

We do not sell your personal data. We do not share your personal data for advertising purposes. We share data only with the service providers strictly necessary to operate our services:

  • Odoo (loyalty platform) — our loyalty point-ledger and reward-card system runs on Odoo. We share your portal user ID and loyalty card details so points can be awarded and rewards can be claimed.
  • Resend (email delivery) — transactional emails (verification, password reset, security notices) are sent through Resend. Your email address and the email body are processed by Resend solely to deliver the message.
  • Hosting / infrastructure — our application servers and database are hosted on third-party infrastructure providers under standard data-processing agreements.

We may also disclose data when required by law, by a court order, or to protect the safety, rights, or property of Monster Siomai, our customers, or the public.

6. International transfers

Some of the service providers listed above may process or store data outside the Philippines. Where this is the case, we rely on the provider’s standard data-protection commitments and apply appropriate contractual safeguards, as contemplated by Section 21 of RA 10173.

7. How long we keep your data

We keep your data only as long as needed for the purposes it was collected, or as required by law:

| Data | Retention |
| --- | --- |
| Account profile (name, email, phone, birthdate) | While your account is active. |
| Password (hashed) | While your account is active. Replaced on each change. |
| Task-completion and reward-claim history | While your account is active — needed to maintain your loyalty balance and redemption history. |
| Password-reset, email-verification, email-change tokens | 1 hour to 24 hours, depending on the token type. Deleted on use or expiry. |
| Security audit logs (sensitive actions, IP) | 1 year from the recorded event. |
| Contact-form submissions | Not retained by Monster Siomai — forwarded to our inbox and managed there. We may keep correspondence as long as needed to address your inquiry. |

If you close your account, we will delete or anonymize personal data that we are not required to retain for legal, accounting, or audit purposes.

8. Your rights under RA 10173

As a data subject, you have the following rights under the Philippine Data Privacy Act:

  • Right to be informed — you have the right to know what personal data we hold about you and how we process it. This notice exists to satisfy that right.
  • Right to access — you may request a copy of the personal data we hold about you.
  • Right to correct (rectification) — if your data is inaccurate or out of date, you may correct it directly in the Customer Portal or by contacting us.
  • Right to erasure or blocking — you may request deletion or blocking of your data where the legal basis for processing no longer applies.
  • Right to object — you may object to certain processing of your data.
  • Right to data portability — you may request your data in a structured, commonly used, machine-readable format.
  • Right to damages — you may be entitled to damages for inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of your personal data.
  • Right to file a complaint — you may file a complaint with the National Privacy Commission (NPC) at privacy.gov.ph.

9. How to exercise your rights

To exercise any of the rights above, email our Data Protection Officer at dpo@monstersiomai.ph. Please include enough information for us to identify your account (typically your registered email address) and a clear description of the request.

We will respond within thirty (30) days. If we need more time because of the complexity of the request, we will tell you and explain why.

10. How we protect your data

  • Passwords are stored only as one-way bcrypt hashes — never in plaintext.
  • Session cookies are HttpOnly, Secure (in production), and SameSite=Lax.
  • We rate-limit authentication endpoints to deter brute-force attacks, and we maintain audit logs of sensitive actions on accounts.
  • We use HTTPS across both sites, with HSTS to prevent downgrade attacks.
  • Access to production systems is restricted to authorized personnel.

No system is perfectly secure. If we ever discover a personal-data breach that is likely to result in serious harm, we will notify the National Privacy Commission and affected individuals as required by Section 20(f) of RA 10173.

11. Cookies and tracking

We use only one cookie (the Customer Portal session cookie) and no third-party analytics or advertising trackers. See our Cookies & Tracking page for the full list.

12. Children

Our services are not intended for children under 18. If you are a parent or guardian and believe a child has signed up without your consent, please contact us at dpo@monstersiomai.ph and we will delete the account and any associated personal data.

13. Changes to this notice

We may update this Privacy Notice from time to time. Material changes will be communicated by email to active account holders before they take effect. Smaller updates (clarifications, corrections of typos) are reflected in the “Last updated” date at the top of this page.

14. Contact

Questions about this notice, or about how we handle your personal data? Email dpo@monstersiomai.ph. We’re committed to handling your data responsibly and to answering your questions in plain language.