Privacy Policy

Last updated: April 29, 2026 · Effective in the Philippines (RA 10173)

1. Who we are

DAIMASU 大桝 BAR (“DAIMASU”, “we”, “us”) is an 8-seat counter Japanese bar located at Unit A-1/2/3, Ground Floor, Allegro Center, 2284 Chino Roces Ave, Makati City, 1231 Metro Manila. We act as a Personal Information Controller under the Philippine Data Privacy Act of 2012 (RA 10173). For privacy questions, contact our Data Protection Officer at daimasumakati@gmail.com.

2. What we collect

  • Reservation data: name, email, phone, party size, date, dietary notes, language preference.
  • Payment data: handled by Stripe; we receive only a transaction reference, the last 4 digits, and the payment method type. Full card data never reaches our servers.
  • Celebration data (optional): celebrant name, occasion, surprise instructions, when you provide them.
  • Technical data: IP address (rate limiting, fraud), browser language, page views (Google Analytics 4 — anonymized).
  • Cookies: a session cookie for your booking, a language preference cookie, a consent cookie. No third-party advertising cookies.

3. Why we collect it (lawful basis)

  • Performance of contract: to honour your reservation, send confirmations, process the deposit and any refund.
  • Legal obligation: tax records (BIR), receipts, accounting kept for 5 years.
  • Legitimate interest: fraud prevention (rate limiting, honeypot), service improvement (anonymous analytics).
  • Consent: marketing emails. You opt in at booking; you can opt out anytime via the unsubscribe link.

4. How long we keep it

  • Reservation and payment records: 5 years (BIR / accounting requirement).
  • Marketing list: until you unsubscribe.
  • Audit log of administrative actions: 5 years.
  • IP-keyed rate-limit state: 1 hour, in memory only.

5. Who we share it with

We share personal data only with these processors, all under Data Sharing Agreements:

  • Stripe, Inc. (USA) — payment processing; PCI-DSS Level 1.
  • Supabase, Inc. (USA) — database hosting; SOC 2.
  • Resend (USA) — transactional email delivery.
  • Telegram Messenger LLP — restaurant operations notifications.
  • Twilio (WhatsApp Business) — optional reminder channel.
  • Vultr Holdings — application hosting in Asia (Singapore).

We do not sell your data. We do not transfer your data to advertisers or data brokers.

6. Your rights (RA 10173)

You have the right to:

  • Be informed — this document.
  • Object to processing for marketing.
  • Access a copy of the data we hold about you.
  • Rectify inaccurate or incomplete data.
  • Erase or block data, subject to our 5-year tax-record obligation.
  • Damages if your rights are violated.
  • Data portability — receive a machine-readable copy.
  • Lodge a complaint with the National Privacy Commission (privacy.gov.ph).

Email daimasumakati@gmail.com to exercise any right. We respond within 5 business days.

7. Security measures

HTTPS-only transport (HSTS preload). Database encrypted at rest (Supabase). Strict Content-Security-Policy. Rate limiting on public endpoints. Stripe webhook signature verification. Audit log on every administrative action. Access to administrative tooling is restricted to named owners on an allowlist, behind an authenticated session.

8. Children

DAIMASU does not knowingly collect data from children under 18. Bookings are intended for adults; minors must be accompanied by a parent or guardian who provides the booking data on their behalf.

9. Updates

We may revise this policy. Material changes will be flagged on the booking page; the “Last updated” date above always reflects the current version.
