Data Processing and Privacy

(Philippines – RA 10173 Compliant)

This Data Processing Agreement (“Agreement” or “DPA”) is entered into by and between:

[Refilling Station / Business Client] (hereinafter referred to as the “Controller”),

and

River Tech Inc., doing business under the trade name Smart Refill (hereinafter referred to as the “Processor”),


collectively referred to as the “Parties.”


This Agreement sets out the terms under which the Processor will process personal data on behalf of the Controller, in compliance with the Philippine Data Privacy Act of 2012 (Republic Act No. 10173) and its Implementing Rules and Regulations (“DPA Law”).


The Processor, River Tech Inc., operates under the trade name Smart Refill, and undertakes to process personal data strictly in accordance with the Controller’s instructions, the provisions of this Agreement, and applicable data privacy regulations.

1. Definitions

“Personal Data” means any information, whether recorded in material or electronic form, from which the identity of an individual is apparent or can reasonably and directly be ascertained.

“Controller” means the party who owns and decides the purpose of data processing (the refilling station or business using Smart Refill).

“Processor” means the party who processes data on behalf of the Controller (River Tech Inc., d/b/a Smart Refill).

“Processing” means any operation performed on Personal Data, such as collection, recording, storage, organization, consultation, use, disclosure, or erasure.

“Data Subject” means the individual to whom the Personal Data refers (e.g., customers of the water refilling station).

2. Scope and Purpose

The Processor shall only process Personal Data on behalf of the Controller for the following purposes:

  • Managing customer orders, deliveries, and refilling station operations.
  • Enabling communications with customers (e.g., order reminders, SMS, email).
  • Maintaining system security, analytics, and service improvements.
  • Compliance with applicable laws and health safety regulations.

The Processor shall never process Personal Data for its own purposes without written instruction from the Controller.

3. Data Minimization

The Processor shall only collect and process Personal Data that is adequate, relevant, and limited to what is necessary in relation to the purposes stated in this Agreement.

4. Processor Obligations

The Processor shall:

  • Process Personal Data only in accordance with the Controller’s instructions.
  • Implement appropriate organizational, technical, and physical security measures to protect data.
  • Ensure confidentiality by requiring staff and contractors to sign confidentiality agreements.
  • Assist the Controller in complying with obligations under RA 10173, including data subject requests.
  • Notify the Controller within 72 hours of any data breach affecting Personal Data.
  • Maintain logs and audit trails of processing activities.
  • Not subcontract processing without prior written consent of the Controller.

5. Controller Obligations

The Controller shall:

  • Ensure that Personal Data provided has been lawfully collected with proper consent.
  • Be responsible for the accuracy, quality, and legality of the Personal Data shared.
  • Inform Data Subjects that their data will be processed by the Processor.
  • Be the primary point of contact for Data Subject rights (access, correction, erasure, etc.).

6. Subprocessors

The Processor may engage Subprocessors (e.g., hosting providers, messaging services) strictly for the purpose of delivering the service, provided that:

  • The Controller is informed of such engagements.
  • Subprocessors are bound by written agreements ensuring equivalent data protection standards.

7. Data Subject Rights

The Processor shall assist the Controller in responding to requests from Data Subjects, including:

  • Right to be informed
  • Right to access
  • Right to rectification
  • Right to erasure (“right to be forgotten”)
  • Right to object
  • Right to data portability

All requests shall be coordinated through the Controller.

8. Security Measures

The Processor shall implement the following safeguards:

  • Encryption of data in transit and at rest.
  • Role-based access controls with authentication and authorization.
  • Regular security testing and vulnerability monitoring.
  • Daily backups with disaster recovery procedures.
  • Storage of Personal Data in trusted global cloud data centers (the same facilities used by leading international companies), which comply with international security standards (e.g., ISO 27001, SOC 2) and applicable data protection laws.

9. Data Breach Management

In case of a data breach, the Processor shall notify the Controller within 72 hours with details of:

  • Nature of the breach
  • Categories and volume of data affected
  • Measures taken to mitigate impact

The Processor shall cooperate fully with the Controller in reporting incidents to the National Privacy Commission (NPC) and affected Data Subjects if required by law.

10. Data Retention and Deletion

Personal Data shall be retained only as long as necessary for processing purposes.

Upon termination of services, all Personal Data shall be securely deleted or returned to the Controller, unless retention is required by law.

11. Data Transfers

If Personal Data is transferred outside the Philippines, the Processor shall ensure such transfers comply with RA 10173 and any NPC issuances, including the use of contractual or technical safeguards to protect the data.

12. Record of Processing Activities

The Processor shall maintain a record of all categories of processing activities carried out on behalf of the Controller and make such records available to the Controller or the NPC upon request.

13. NPC Cooperation

The Processor shall cooperate with the National Privacy Commission in any investigation or inquiry relating to the processing of Personal Data under this Agreement.

14. Audit and Compliance

The Controller may request evidence of the Processor’s compliance with RA 10173.

The Processor agrees to provide audit reports, certifications, or other documents as reasonable proof of compliance.

15. Liability and Indemnity

Each Party shall be liable for damages resulting from violations of this Agreement.

The Processor shall be liable for breaches caused by its own negligence, willful misconduct, or non-compliance with agreed standards.

16. Governing Law

This Agreement shall be governed by and construed in accordance with the laws of the Republic of the Philippines, particularly RA 10173 (Data Privacy Act of 2012).

17. Term and Termination

This Agreement shall remain in effect for the duration of the Terms of Service between the Parties.

Either Party may terminate this Agreement with 30 days’ written notice if the other Party materially breaches its obligations.

18. Survival of Obligations

The provisions relating to confidentiality, security, data breach notification, liability, indemnity, and audit rights shall survive the termination of this Agreement.

19. Entire Agreement

This Agreement constitutes the entire agreement between the Parties with respect to data processing and supersedes any prior agreements.

20. Contact Us

If you have questions about these Terms, please contact us: