Privacy Policy
Last updated: April 8, 2026
This Privacy Policy is issued in compliance with the Data Privacy Act of 2012 (Republic Act No. 10173) and its Implementing Rules and Regulations, as administered by the National Privacy Commission (NPC) of the Philippines.
1. Personal Information Controller
Legit ba 'to? is operated by Lesmon Saluta and Mark Macaraeg, individuals based in Quezon City, Philippines (the “Controllers”, “we”, “us”, or “our”). We are the Personal Information Controllers (PIC) within the meaning of RA 10173 and are responsible for determining the purposes and means of processing your personal data.
For all privacy-related inquiries, requests, and concerns, you may contact us at: lesmon@bscalelabs.com or markmcrg9@gmail.com
Our designated Data Protection Officer (DPO) is Lesmon Saluta, reachable at lesmon@bscalelabs.com. The DPO is responsible for overseeing our compliance with RA 10173 and for handling all data subject requests and inquiries.
2. Information We Collect
Depending on how you interact with us, we may collect the following categories of personal data:
a. Via the Website
- Content you submit: URLs or text you send for fact-checking via the URL checker on our website.
- Technical data: your IP address (used solely for rate-limiting abuse prevention) and standard web server logs (timestamps, HTTP method, response codes). IP addresses are not linked to your identity and are retained only transiently.
b. Via Instagram Direct Message and Facebook Messenger (Bot)
- Messaging platform identifiers: your platform-assigned sender ID, display name, and profile picture URL, as provided by Meta Platforms.
- Message content: the text, URLs, and images you send to our bot for fact-checking.
- Session history: conversation history within a session, stored to allow the AI to maintain context across messages.
3. Legal Bases for Processing
We process your personal data on the following legal bases under Sections 12 and 13 of RA 10173:
- Contractual necessity: processing is necessary to deliver the fact-checking service you request.
- Consent: by messaging our bot, you consent to the collection and processing of the personal data described herein. You may withdraw consent at any time (see Section 8).
- Legitimate interests: to detect and prevent abuse, fraud, and misuse of the service, and to maintain the security and performance of our systems.
4. How We Use Your Information
We use the data we collect to:
- Provide AI-powered fact-checking and source analysis;
- Maintain conversation context within a session for a coherent user experience;
- Enforce rate limits and protect the service against automated abuse;
- Improve the accuracy, safety, and performance of our service over time;
- Respond to support requests, reports, and privacy inquiries;
- Comply with applicable law, including mandatory breach notification obligations under RA 10173.
We do not use your personal data for advertising, and we do not sell or rent your personal data to any third party.
5. Disclosure to Third-Party Processors
To deliver the service, we engage third-party Personal Information Processors (PIPs) that act only on our instructions and for the purposes described below. These fall into the following categories:
- AI analysis provider: content you submit for fact-checking is processed by a third-party AI language model to generate analysis and verdicts.
- Web search provider: search queries are sent to a third-party search service to retrieve publicly available evidence supporting fact-checks. Queries are transmitted without your personal identifiers.
- Content extraction provider: URLs you submit may be sent to a third-party service to extract readable article text for analysis. Only the URL itself is transmitted.
- Messaging platform: when you use our bot via Instagram Direct Message or Facebook Messenger, your messages pass through the respective social media platform before reaching us. Your use of those platforms is independently governed by their own privacy policies.
- Analytics provider: we use a third-party product analytics service to understand how the website is used. This may involve cookies or similar technologies to collect anonymized usage data such as page views, session duration, and interaction patterns. No message content or personally identifiable information is shared for analytics purposes.
- Cloud infrastructure provider: our servers and database, where session data is stored, are hosted by a third-party cloud infrastructure provider.
- Error monitoring and session replay provider: we use a third-party error monitoring service on our website that may record session replays (mouse movements, clicks, and page interactions) to help us diagnose technical issues and improve the user experience. Session replays do not capture passwords or payment information.
- Image processing provider: images submitted via our bot for fact-checking may be uploaded to a third-party cloud media service for processing. Only the image itself is transmitted.
Some of these processors may be located outside the Philippines. Such cross-border transfers are made in compliance with Section 21 of RA 10173, subject to the data protection standards of the processors' respective jurisdictions and their contractual commitments to us. You may request the identities of our current processors by contacting us at lesmon@bscalelabs.com or markmcrg9@gmail.com.
6. Data Retention
- Bot session history: retained as long as reasonably necessary to maintain conversation context across sessions. You may request deletion at any time by contacting us (see Section 8).
- Fact-check results: stored to support the service and improve analysis quality. Upon a valid deletion request, we will erase or anonymize your personal data associated with any stored results.
- IP address logs: retained for no longer than 30 days, then automatically purged.
7. Security Measures
We implement reasonable and appropriate technical and organizational security measures to protect your personal data, including:
- Encrypted data transmission via TLS/HTTPS for all web communications;
- HMAC-SHA256 signature verification for all incoming webhook events from Meta;
- Database access restricted to private internal networking (Railway private network);
- Role-based access controls limiting access to personal data to authorized personnel only.
In the event of a personal data breach that is likely to result in a real risk to your rights and freedoms, we will notify the National Privacy Commission and affected individuals within seventy-two (72) hours of discovery, as required under NPC Circular No. 16-03.
8. Your Rights Under RA 10173
As a data subject under the Data Privacy Act of 2012, you have the following rights with respect to your personal data:
- Right to be informed: to know what personal data we collect and how it is processed.
- Right of access: to obtain a copy of your personal data that we hold, and information about how it is processed.
- Right to rectification: to request correction of any inaccurate or incomplete personal data.
- Right to erasure or blocking: to request the deletion or blocking of your personal data where it is no longer necessary for the purposes for which it was collected, or where you withdraw consent.
- Right to object: to object to the processing of your personal data on grounds relating to your particular situation.
- Right to data portability: to receive your personal data in a structured, commonly used, and machine-readable format.
- Right to lodge a complaint: to file a complaint with the National Privacy Commission if you believe your rights under RA 10173 have been violated (see Section 10 below).
To exercise any of these rights, please contact us at lesmon@bscalelabs.com or markmcrg9@gmail.com. We will respond to verified requests within fifteen (15) business days. We may ask you to verify your identity before processing your request.
9. Children's Privacy
Our service is accessible to users who meet the minimum age required by the social media platform through which they access it, which is currently thirteen (13) years old for Instagram and Facebook Messenger. We do not knowingly collect personal data from children below this age.
Users between the ages of 13 and 17 are minors under Philippine law. Under RA 10173, processing of personal data of minors requires the consent of a parent or legal guardian. By allowing a minor to use our service, the parent or legal guardian consents to the processing of the minor's personal data as described in this Policy and assumes responsibility for the minor's use of the service. If you believe we have inadvertently collected personal data from a child below the applicable minimum age, or from a minor without proper parental consent, please contact us immediately at lesmon@bscalelabs.com or markmcrg9@gmail.com and we will promptly delete such data.
10. Filing a Complaint with the NPC
If you believe that your rights under RA 10173 have been violated and you are not satisfied with our response, you have the right to lodge a complaint with the National Privacy Commission:
- Website: www.privacy.gov.ph
- Email: info@privacy.gov.ph
- Address: 5th Floor, Delegation Building, PICC Complex, Pasay City, Metro Manila
11. Cookies and Local Storage
Our website does not use advertising cookies. We use the following cookies and similar technologies:
- Session cookies: used to maintain your authenticated session on the website. These are strictly necessary for the service to function.
- Analytics cookies: used by our analytics provider to collect anonymized usage data (page views, session duration, interaction patterns) so we can understand how the service is used and improve it. These do not track you across other websites.
- Error monitoring and session replay: our error monitoring provider may use cookies or similar technologies to record session replays (mouse movements, clicks, page navigation) when you use our website. These recordings help us identify and fix technical issues. Passwords and sensitive input fields are automatically masked.
You may disable cookies in your browser settings, though doing so may affect your ability to use authenticated features of the service.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in the law, our practices, or the features of our service. Material changes will be indicated by an updated “Last updated” date at the top of this page. For changes that materially expand the scope of personal data we collect or how we process it, we will seek your express consent where required by applicable law. For all other changes, continued use of the service after they are posted constitutes your acceptance of the revised Policy.
13. Contact Us
For any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact:
- Names: Lesmon Saluta and Mark Macaraeg
- Email: lesmon@bscalelabs.com / markmcrg9@gmail.com
- Instagram: @legitbatoph
- Location: Quezon City, Metro Manila, Philippines
This Privacy Policy is governed by Republic Act No. 10173 (Data Privacy Act of 2012) and its Implementing Rules and Regulations.