Privacy Policy
Last updated: March 18, 2026
1. Introduction
RecoverAI (“we,” “us,” or “our”) is committed to protecting your privacy and the privacy of individuals whose data is processed through our platform. This Privacy Policy explains how we collect, use, disclose, and safeguard information in compliance with Republic Act No. 10173, also known as the Data Privacy Act of 2012 (DPA), and its Implementing Rules and Regulations (IRR).
2. Information We Collect
2.1 Account Information
When you create an account, we collect your name, business email address, organization name, and contact information. We do not accept personal email addresses for account registration.
2.2 Debtor Data
Our platform processes debtor information uploaded by our clients, including names, contact numbers, account balances, and payment histories. We process this data solely on behalf of our clients, acting as a Personal Information Processor (PIP) under the DPA.
2.3 Communication Data
We record and store AI voice call transcripts, SMS logs, and email communications for compliance audit purposes as required by SEC MC 18-2019 and BSP Circular 1160-2022.
2.4 Technical Data
We collect IP addresses, browser types, device information, and usage analytics to maintain platform security and improve our services.
3. How We Use Your Information
- To provide and maintain our AI-powered debt collection platform
- To process payments and manage subscriptions via Stripe
- To enforce compliance with Philippine debt collection regulations
- To generate analytics and reporting for our clients
- To maintain audit trails as required by applicable regulations
- To communicate platform updates, security alerts, and support responses
- To detect, prevent, and address fraud, abuse, and security incidents
4. Legal Basis for Processing
We process personal information under the following legal bases as defined by RA 10173:
- Consent: For account registration and marketing communications
- Contract: To fulfill our service agreement with clients
- Legal obligation: To comply with SEC, BSP, and NPC regulations
- Legitimate interest: To maintain platform security and prevent fraud
5. Data Sharing and Disclosure
We do not sell personal information. We share data only with:
- Service providers: Stripe (payments), Vapi.ai (voice), Semaphore/Twilio (SMS) — under data processing agreements
- Regulatory authorities: When required by law, court order, or regulatory directive (SEC, BSP, NPC)
- Your organization: All debtor and collection data is accessible only to authorized members of your organization
6. Data Security
We implement industry-standard security measures, including encryption in transit (TLS 1.2+) and at rest (AES-256), multi-tenant data isolation with PostgreSQL Row-Level Security, JWT-based authentication with token refresh, CSRF protection, rate limiting, and comprehensive audit logging. All integration credentials are encrypted using Fernet symmetric encryption before storage.
7. Data Retention
We retain personal information for the duration of your subscription plus any additional period required by applicable regulations. Communication records and compliance audit trails are retained as mandated by SEC MC 18-2019 and RA 10173. You may request data deletion subject to regulatory retention requirements.
8. Your Rights Under RA 10173
As a data subject, you have the following rights:
- Right to be informed — of the collection, use, and processing of your data
- Right to access — your personal data held by us
- Right to object — to certain data processing activities
- Right to erasure — request deletion of your data (subject to legal retention requirements)
- Right to rectification — correct inaccurate personal data
- Right to data portability — receive your data in a structured, commonly used format
- Right to file a complaint — with the National Privacy Commission
9. AI and Automated Decision-Making
Our platform uses AI for voice-based debtor outreach, Propensity-to-Pay (PTP) scoring, and campaign optimization. AI-generated communications are subject to real-time guardrails including input sanitization, output validation, topic boundary enforcement, and sentiment monitoring. Automated PTP scores are used to prioritize outreach but do not make final collection decisions without human oversight.
10. Contact Us
For privacy-related inquiries or to exercise your rights, contact our Data Protection Officer:
Email: privacy@recoverai.io
You may also file a complaint with the National Privacy Commission (NPC) at https://privacy.gov.ph.