Goshen Health and Beauty Care Trading Corp.
Effective Date: September 15, 2025

⸻

1. Introduction

Goshen Health and Beauty Care Trading Corp. (“Company,” “we,” “our,” or “us”) is committed to protecting the privacy and personal data of its customers, employees, suppliers, and stakeholders.

This Manual outlines our data protection policies and practices in accordance with Republic Act No. 10173 (Data Privacy Act of 2012), its Implementing Rules and Regulations, and issuances of the National Privacy Commission (NPC).

⸻

2. Scope

This Manual applies to all personal data collected, processed, and stored by the Company in relation to:
• Customers and clients
• Employees and job applicants
• Business partners, suppliers, and service providers
• Visitors to our offices, website, and online platforms

⸻

3. Definitions
• Personal Data – Any information from which the identity of an individual is apparent or can reasonably and directly be ascertained (e.g., name, address, email, phone number).
• Sensitive Personal Information (SPI) – Includes data such as government-issued IDs, health information, religious beliefs, and other data defined by law.
• Processing – Any operation performed on personal data, including collection, recording, organization, storage, updating, retrieval, use, consolidation, sharing, and destruction.
• Data Subject – Any individual whose personal data is processed by the Company.

⸻

4. Collection of Personal Data

We collect personal data through the following:
• Customer orders and transactions (online and in-store)
• Supplier and service provider agreements
• Employment applications and personnel records
• Digital platforms (website, Shopify, email subscriptions)

Types of data collected:
• Customers: Name, address, contact details, payment information, purchase history
• Employees/Applicants: Personal details, government IDs, resumes, medical records (if required)
• Suppliers/Partners: Business registration documents, contact person information

⸻

5. Purpose of Processing

Personal data is processed only for legitimate purposes, such as:
• Order fulfillment and delivery
• Payment processing
• Customer service and communications
• Employee management and HR administration
• Supplier and partner relations
• Compliance with legal, regulatory, and contractual obligations

⸻

6. Data Sharing and Disclosure

We do not sell or rent personal data. Disclosure is limited to:
• Service providers (payment processors, couriers, IT providers)
• Government agencies as required by law
• Affiliates or partners, with prior consent of the data subject

Any sharing is governed by data-sharing agreements in compliance with NPC guidelines.

⸻

7. Data Retention
• Personal data is retained only for as long as necessary for the purposes stated above.
• Customer and transaction records are stored for [insert number] years, in compliance with accounting and regulatory requirements.
• Employee records are kept for the duration of employment and for a legally mandated period thereafter.
• Data is securely disposed of through shredding (physical records) and permanent deletion (digital files).

⸻

8. Data Protection Measures

We implement organizational, physical, and technical security measures:
• Organizational: Appointment of a Data Protection Officer (DPO), employee privacy training, and access control policies.
• Physical: Secure office facilities, locked storage cabinets, visitor logs, CCTV monitoring.
• Technical: Password-protected systems, encryption of sensitive data, regular backups, firewall and anti-virus protection.

⸻

9. Rights of Data Subjects

Data subjects are entitled to the following rights under the Data Privacy Act:
• Right to be informed – Know how their data is collected and used.
• Right to access – Request a copy of personal data we hold.
• Right to rectification – Request correction of inaccurate data.
• Right to erasure/blocking – Request deletion when processing is no longer necessary.
• Right to object – Withdraw consent to processing, subject to legal and contractual limitations.
• Right to data portability – Obtain a copy of their data in portable format.
• Right to lodge complaints – File complaints with the National Privacy Commission (NPC).

⸻

10. Breach and Incident Management

In case of a data breach:
1. The DPO shall investigate and assess the scope and impact.
2. The Company shall notify the NPC and affected data subjects within 72 hours, if required.
3. Containment, recovery, and remedial measures shall be implemented immediately.

⸻

11. Accountability and Responsibility
• The Board of Directors/Management oversees compliance with data privacy laws.
• The Data Protection Officer (DPO) ensures the implementation of this Manual and acts as the contact person for all data privacy matters.
• All employees are expected to comply with this Manual and attend data privacy training.

⸻

12. Effectivity and Amendments

This Data Privacy Manual shall take effect on [Insert Date] and shall remain effective until revoked or amended by the Company. Updates will be made to comply with changes in laws, regulations, or business operations.

⸻

13. Contact Information

For any questions, concerns, or requests regarding your personal data, please contact our Data Protection Officer (DPO):

Data Protection Officer
Goshen Health and Beauty Care Trading Corp.
Email: [email protected]
Phone: +63917-876-2860
Address: Unit 5 5/F PTC Bldg. #24 Argentina St., Better Living Subd., Parañaque City