Republic Act No. 10173 (Data Privacy Act of 2012), including its Implementing Rules and Regulations (IRR) and relevant issuances of the National Privacy Commission (NPC)
Last updated on June 10, 2025
***
STATEMENT OF POLICY
TRACTIONCORE is committed to protecting the fundamental human right to privacy while ensuring the free flow of information for innovation and growth. This document outlines our commitment to the Data Privacy Act of 2012 (RA 10173), its Implementing Rules and Regulations (IRR), and the directives of the National Privacy Commission (NPC).
THE PILLARS OF COMPLIANCE
We adhere to the core data privacy pillars mandated by the National Privacy Commission (NPC). TRACTIONCORE has appointed a Data Protection Officer (DPO) and established a privacy management program to ensure continuous compliance with the Data Privacy Act. We conduct regular Privacy Impact Assessments (PIA) for all revenue‑generating and talent‑related projects to identify, assess, and mitigate privacy risks. We maintain Records of Processing Activities (ROPA) to document how personal data is collected, used, shared, retained, and disposed of across our ecosystem. We implement appropriate physical, technical, and organizational security measures to protect personal data against unauthorized access, misuse, or loss. In addition, we maintain a formal Data Breach Response Team (DBRT) and incident response procedures to ensure timely notification to the NPC and affected data subjects, within the period prescribed by law, in the event of a personal data breach.
SCOPE AND APPLICABILITY
This Data Privacy Compliance Statement applies to the processing of personal data relating to, but not limited to:
Individual clients and customers
Business clients and their authorized representatives
Employees, job applicants, trainees, and interns
Independent contractors, talents, consultants, and specialists
Suppliers, partners, and service providers
Website users and other individuals who interact with TRACTIONCORE
Regardless of role or engagement, all data subjects are afforded protection under the Data Privacy Act.
DEFINITION OF PERSONAL DATA
Consistent with Republic Act No. 10173, this Statement covers the following categories of data:
Personal Information
Any information from which the identity of an individual is apparent or can be reasonably and directly ascertained.
Sensitive Personal Information
Including, but not limited to:
Government‑issued identification numbers
Financial, tax, or social security information
Health, education, or employment records
Any information classified as sensitive under Philippine law
Privileged Information
Information protected by legal privilege or confidentiality under applicable laws.
DATA PRIVACY PRINCIPLES
TRACTIONCORE processes personal data in accordance with the following principles:
Transparency – Data subjects are informed of the nature, purpose, and extent of processing
Legitimate Purpose – Personal data is processed only for lawful and declared purposes
Proportionality – Processing is adequate, relevant, and limited to what is necessary
LAWFUL PURPOSE OF PROCESSING
Personal data is collected and processed only for legitimate business and operational purposes, which may include:
Client, business, and service engagements
Contractual, commercial, and administrative activities
Talent, specialist, and workforce management
Communication, coordination, and support
Legal, regulatory, and compliance requirements
Accounting, audit, security, and risk management
Personal data is not processed in a manner incompatible with these purposes.
LEGAL BASIS FOR PROCESSING
TRACTIONCORE processes personal data only when authorized under the Data Privacy Act, including when:
The data subject has provided consent
Processing is necessary for the performance of a contract
Processing is required to comply with legal obligations
Processing is necessary to protect vital interests
Processing is based on legitimate interests, subject to data subject rights
DATA SHARING, DISCLOSURE, AND CROSS-BORDER TRANSFERS
Personal data under the custody or control of TRACTIONCORE is disclosed only under lawful, controlled, and documented conditions. Access to personal data is strictly limited to authorized personnel on a need‑to‑know basis, and personal data may be disclosed to government authorities when required by law.
Data may also be shared with service providers, processors, or partners, provided that such entities are bound by enforceable data protection and confidentiality obligations. TRACTIONCORE does not sell personal data and does not permit unauthorized disclosure.
Where personal data is transferred between the Philippines and international clients or partners, TRACTIONCORE implements appropriate safeguards, including Standard Contractual Clauses (SCCs) and Data Transfer Agreements, to ensure that the level of protection required under the Data Privacy Act continues to apply regardless of where the data is processed or stored.
DATA PROTECTION AND SECURITY MEASURES
TRACTIONCORE implements reasonable and appropriate organizational, physical, and technical safeguards, consistent with NPC requirements, including:
Access controls and authorization protocols
Secure physical and electronic storage systems
Confidentiality obligations and internal data privacy policies
Personnel training and awareness programs
Monitoring and risk management measures
DATA RETENTION AND DISPOSAL
Personal data is retained only for as long as necessary to fulfill the declared purpose or comply with legal and regulatory requirements. Upon expiration of the applicable retention period:
Personal data is securely disposed of
Data may be anonymized where appropriate
Records are destroyed in a manner that prevents reconstruction
RIGHTS OF DATA SUBJECTS
In accordance with the Data Privacy Act, data subjects have the right to:
Be informed
Access their personal data
Object to processing
Correct or rectify inaccuracies
Request erasure or blocking
Data portability, where applicable
Seek damages for violations
File complaints with the National Privacy Commission
PERSONAL DATA BREACH MANAGEMENT
In the event of a personal data breach involving personal data under Philippine jurisdiction, TRACTIONCORE shall:
Promptly assess and contain the breach
Mitigate potential harm
Notify the National Privacy Commission and affected data subjects when required by law
Implement corrective measures
DATA PROTECTION OFFICER
TRACTIONCORE has designated a Data Protection Officer (DPO) responsible for overseeing compliance with the Data Privacy Act and related regulations.
Data Protection Officer (DPO)
privacy@tractioncore.com
Vertis North, Vita St., cor. Sola Drive
Quezon City, National Capital Region
Philippines, 1105
https://www.tractioncore.com
RELATIONSHIP TO OTHER PRIVACY POLICIES
This Data Privacy Compliance Statement applies specifically to personal data governed by Philippine law. It supplements TRACTIONCORE’s global or cross‑jurisdictional privacy frameworks and shall prevail in matters relating to compliance with Republic Act No. 10173.
EFFECTIVITY AND UPDATES
This Statement takes effect upon publication and shall remain in force unless amended or replaced. Updates shall be made available through TRACTIONCORE’s official channels.
