Privacy Policy

Last updated: July 10, 2026 (rev. 12)

Storia.ph ("we," "our," or "us") is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, store, and protect your data in compliance with the Philippine Data Privacy Act of 2012 (Republic Act No. 10173) and its Implementing Rules and Regulations, NPC Circular 16-03 (Data Breach Management) and NPC Circular 2022-04 (Registration of Data Processing Systems and Notification Regarding Automated Decision-Making), and other applicable issuances of the National Privacy Commission.

Updated 10 July 2026. What changed: Section 15 now reflects our completed registrations. Our BIR Certificate of Registration was issued on 9 July 2026 (non-VAT, 8% income-tax option), and we have filed our NPC Sworn Declaration and Undertaking for exemption from Data Processing System registration. Our registered Data Protection Officer contact is shown in Sections 14 and 15.

1. Information We Collect

We collect the following types of information:

1.1 Personal Information You Provide

1.2 Sensitive Personal Information

The Dream Phase quiz may collect information classified as Sensitive Personal Information under RA 10173 Section 3(l), including:

We process this information only with your explicit consent given through your decision to answer the relevant quiz questions, in accordance with RA 10173 Section 13(a). You may skip any cultural question. See Section 3 for the lawful basis.

Backfill disclosure (couples who took the quiz before May 3, 2026): Earlier versions of our Wedding DNA quiz did not capture your ceremony type as a separate field. To enable cohort-aware features (Auto-Timeline tasks, Budget categories, Hiraya AI suggestions), we backfilled this field for affected couples using a deterministic lookup based on the style profile name your quiz produced. Backfilled classifications are treated as provisional system-generated metadata and are not used for decision-making affecting users unless confirmed by the user. Affected couples see a prompt in Settings to confirm or correct their ceremony type, and the field stays empty until they pick. We did not infer ceremony type for ambiguous cases where the style profile was intentionally cohort-agnostic. Backfill records are retained for accountability under RA 10173 Section 20. You can update your ceremony type anytime in Settings.

1.3 Anonymous Session Data (Dream Phase)

The Dream Phase (quiz plus AI moodboard) is free and does not require you to create an account. During this phase, your answers are tied to an anonymous session identifier, not to your name or email. Your session data is linked to your account only if you later sign up using the same browser session.

1.4 Information Collected Automatically

2. How We Use Your Information

We use your information for the following purposes:

3. Legal Basis for Processing

Under RA 10173, we process your personal information based on the following lawful grounds:

Balancing test for legitimate interest. Where we rely on legitimate interest under Section 12(f), we conduct a balancing assessment to ensure your rights and freedoms are not overridden, particularly where sensitive or emotional personal data is involved. Wedding planning data is high-sensitivity by nature (relationship status, religious affiliation, family dynamics, financial commitments), so we weight individual rights heavily in this assessment. You can object to processing under legitimate interest at any time by contacting us at support@storia.ph.

For Sensitive Personal Information (Section 13):

We process Sensitive Personal Information (religious and cultural preferences) only under Section 13(a): you have given your consent, specific to the purpose of generating your Wedding DNA and personalized moodboard. You may withdraw consent at any time by emailing support@storia.ph or by deleting your data (see Section 8). We do not use sensitive personal data to make decisions that produce legal or similarly significant effects.

4. Data Storage and Retention

We retain your data only as long as necessary for the purpose it was collected. Retention periods are tiered by data category. We retain technical logs and usage data for limited periods consistent with our retention policy described below; specific operational retention windows are documented internally and applied automatically.

Data is stored on secure cloud servers with industry-standard encryption in transit (HTTPS/TLS) and at rest (AES-256). Our primary processing region is asia-southeast1 (Singapore) on Google Cloud Platform.

5. AI Personalization and Automated Decision-Making

What this means for you: Our AI provider is Google. Your quiz answers, your chat messages, and any photos or text you submit to AI features are sent to Google to generate the personalized output we return to you. Google does not use what you submit through our paid services to train its models. You can delete your AI records anytime (Section 8).

5.1 What our AI does

Storia uses artificial intelligence to generate your Wedding DNA profile, personalized moodboards, text summaries, and chat responses (Layon AI, and Hiraya AI). Your quiz answers and, where applicable, your chat messages are sent to our AI provider for processing so we can deliver the personalized output to you.

5.2 Which AI services we use

We use two distinct Google AI services, each for a different set of Storia features. Both are disclosed below per RA 10173 Section 11 (transparency principle) and Section 16 (right to be informed).

In both cases, "not used to train Google's models" refers to model training. Google still processes your inputs operationally (abuse detection, transient processing logs, cost-optimization caches) per its published retention windows. This is standard for any cloud AI provider and is not the same as training-data use.

5.3 What AI sees about you (input transparency)

Per RA 10173 Section 11 (transparency principle) and Section 16 (right to be informed), we disclose what context our AI assistants receive when you interact with them:

If we add new AI features in the future, we will disclose what context they receive at the point of use and update this section before the feature is enabled. You will always be able to see what each AI surface sees about you, and opt out by not using that surface.

5.4 Synthetic likenesses in AI-generated images

Our moodboard and hero-image generators may render synthetic human likenesses (bride, groom, entourage, guests) for visualization purposes. These synthetic figures are AI-generated and do not represent real individuals. They are not derived from a couple's photographs, are not identifiable biometric data under RA 10173 Section 3(l), and are not retained for facial recognition, identity verification, or any biometric processing. If you upload your own photographs to your wedding workspace (avatars, partner photo), those are personal data and are handled under Section 4 above; they are not used to train AI models or generate synthetic likenesses.

5.5 Our own use of your data for AI training

We do not use your personal data, quiz answers, chat messages, photographs, or AI-generated content to train our own AI models. Aggregate technical metrics are used solely to detect errors, monitor cost, and improve prompt quality.

5.6 Automated decision-making disclosure

Our AI systems generate suggestions (Wedding DNA profile, moodboard styling, chat responses, budget guidance, timeline tasks). These are suggestions, not automated decisions that produce legal or similarly significant effects about you under RA 10173 Section 16(f). You are free to accept, reject, or regenerate any AI output. We do not use profiling to make decisions that produce legal or similarly significant effects. If any Storia feature in the future involves an automated decision with significant effect (for example, automated vendor matching with contractual commitment), we will disclose it here and request your explicit consent separately.

5.7 AI-generated content labeling

Every AI-generated image on Storia (moodboards, hero images) carries an "AI-generated concept" label so you can distinguish AI output from photography. This aligns with emerging global standards for synthetic-media transparency (Content Authenticity Initiative, EU AI Act Article 50) and supports the transparency principle under RA 10173 Section 11.

5.8 Automated safety and accuracy checks

Before Layon AI or Hiraya AI responds, your message passes through an automated safety check. If a message shows signs of serious emotional distress or self-harm, you receive a care response that points you to support, including a crisis hotline, instead of wedding-planning advice. For this check we record only that it occurred: a flag, a severity level, and a count of matched signals. We do not store the message that triggered it or the words that matched. A self-harm disclosure is Sensitive Personal Information under RA 10173 Section 3(l), so we deliberately do not retain it, consistent with the sensitive-information handling described in Section 13 of RA 10173. This response is not a substitute for professional help; Layon AI and Hiraya AI are AI assistants, not counselors (see Section 3 of our Terms of Service).

Layon AI and Hiraya AI also run automated checks on their own replies for accuracy and formatting. Some of these checks may make a brief follow-up request to our AI provider to re-phrase or correct a reply before you see it. These checks operate on the AI's own output and do not collect any new personal information about you. Legal basis for these safety and accuracy checks: RA 10173 Section 12(f) legitimate interest (keeping the service safe and accurate), with the balancing test applied per Section 3 above, and disclosed per RA 10173 Section 11 (transparency principle) and Section 16 (right to be informed).

5.9 Your choices

If you do not wish your data to be processed by our AI features, you can choose not to take the Dream Phase quiz or use chat features. The core Storia experience will be limited without AI personalization. You may also request deletion of your AI records at any time (Section 8).

6. Data Sharing and Third-Party Processors

We do not sell your personal information. We share data with a limited set of processors who help us operate, under confidentiality and data-processing arrangements:

We never share your budget details, vendor payments, guest list, or financial information with third parties without your explicit consent.

7. Cross-Border Data Transfers

Your data is processed primarily in Singapore (Google Cloud asia-southeast1 region). When our AI providers process your inputs, additional processing may occur in jurisdictions where Google operates infrastructure, including the United States. This applies to both Google Cloud Vertex AI (asia-southeast1 is the primary region; US is a fallback for model-tier features) and the Google Gemini API (Google's published consumer-API regions, which are US-centric and multi-region).

We ensure transfers comply with RA 10173 Sections 21 and 22 through contractual safeguards with each processor. For Google Cloud Vertex AI, this is the Google Cloud Data Processing Addendum plus Standard Contractual Clauses for international transfer. For the Google Gemini API, this is Google's published Gemini API terms. Our processor onboarding follows the accountability principle under RA 10173 Section 21 and its Implementing Rules and Regulations.

8. Your Rights Under RA 10173

As a data subject, you have the following rights:

How to exercise your rights. Email support@storia.ph with the right you wish to exercise and brief context. We will not require excessive verification or unnecessary steps, and we will provide assistance where needed. We respond within 30 calendar days. If we need more time for a complex request, we will tell you why and when to expect the full response.

If you believe our handling of your rights request was inadequate, you may escalate to the National Privacy Commission at www.privacy.gov.ph.

9. Data Security

We implement appropriate organizational, physical, and technical security measures consistent with RA 10173 Section 20 and its Implementing Rules and Regulations (Rule VI):

10. Cookies and Tracking

We use cookies for:

You can manage cookie preferences through our cookie banner or your browser settings.

11. Children's Privacy

Storia.ph is not intended for users under 18 years of age. We do not knowingly collect personal information from minors. If you believe we have collected data from a minor, please email support@storia.ph immediately.

12. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you by email (if you are an account holder or Founding Cohort waitlist member) or through a prominent notice on our platform. Your continued use of Storia.ph after changes constitutes acceptance of the updated policy. This policy is dated and version-tracked; a material change always updates the "Last updated" date above.

13. Founding Cohort Data Handling

Storia is opening packages via a Founding Cohort program. Data handling for this program is described below. This section applies in addition to Sections 1-12 above; it does not replace the general policy.

13.1 Founding Candidate (signup without booking)

Founding Candidate status is assigned automatically when you create a Storia account without yet purchasing a package. (Email captures from our Wedding DNA reveal-page recovery flow or our Founding Cohort waitlist do not create an account and are handled separately, per Sections 1.1 and 4.) As a Founding Candidate, we collect and retain:

Retention: Founding Candidate data is retained for 24 months from your last interaction with Storia. You may request deletion at any time via Section 8 rights. If you upgrade to Founding Member status by booking a package, the retention schedule under 13.2 applies.

13.2 Founding Member (paid booking)

Founding Member status is assigned when you complete the booking of one of the founding cohort's paid packages. This status adds the following data collection on top of 13.1:

Retention: Transactional data (payment records, booking receipts) is retained for 10 years to comply with Bureau of Internal Revenue (BIR) audit requirements. Non-transactional usage data is retained for the duration of your active access window published at booking, after which it transitions to read-only archive status until end-of-archive deletion. Data exports remain available throughout active and archive windows.

13.3 Cohort position tracking

To determine your position in the Founding Cohort, we record the timestamp of your completed paid booking. This timestamp is retained as part of your transactional record for the duration described in 13.2. The Founding Cohort is filled in order of booking completion date, not signup date. Founding Member terms are as described in our Terms of Service, Section 5.6.

13.4 Workspace ownership transfer (partner separation)

A wedding workspace is shared between the couple and any invited collaborators. If the relationship between the couple ends and one party requests sole control or full deletion, here is what happens:

Channel. Email support@storia.ph. You can also write directly to the founder; many couples prefer that channel for this conversation. Within 24 hours of your email, we suppress all couple-facing communications and dashboard nudges for both accounts (silent comms freeze) so neither of you receives wedding-themed messages while you sort things out.

Sole-owner takeover. You decide what stays and what is removed; we do not impose changes. We will walk through the workspace with you, item by item if helpful, and act only with your written go-ahead. The 7-business-day SLA is the maximum we will take to complete what you ask, not a deadline we impose on you. Identity is verified by re-authentication of your original Storia email plus a fresh email-OTP, or by government-issued photo ID and a video selfie if account access is lost.

What persists vs what is removed. Identifying contributions of the departing party (chat messages, profile information, photo, displayName, @mentions) are removed or anonymized at your request. Jointly-authored AI-derived artifacts (your shared moodboard, Wedding DNA, joint guest list, joint budget) persist under the remaining party's control because they are joint records. The departing party retains the Section 16 right to a portable export of these joint records but not unilateral deletion, the same way a joint bank account works.

Full workspace deletion. Either party may instead request full workspace deletion under your Right to Erasure (Section 8), which removes all wedding data including the other party's contributions, subject to the retention exceptions in 13.2 (transactional records, BIR audit). Live data deletion completes within a reasonable time consistent with NPC IRR Rule V; backup eviction follows our backup-rotation cycle.

During unresolved conflict. We pause outbound notifications, new collaborator invites, and shared-state writes for 14 days while you and your partner sort things out. Existing data, booking obligations, security alerts, and legal processing continue unchanged. We cannot adjudicate between two people we both care about; what we can do is keep your workspace safe and respond to whichever of you holds the booking on record. If you cannot reach agreement, you may file a complaint with the National Privacy Commission.

Audit. Every takeover decision is logged in an internal audit record retained for 10 years (BIR-overlap), accessible to administrators only.

13.5 Pausing communications during a difficult time

If you are experiencing a death in the immediate family, serious illness, partner separation, or any difficult circumstance, you can request a comms pause. Email support@storia.ph or message us via Settings.

What we suspend within 24 hours of your request:

What continues during a pause (per RA 11967 Section 8 and RA 10173 Section 16):

Duration. A pause lasts 30 days and auto-ends with a single re-engagement notice asking if you would like to extend. You may extend at any time, or convert to a permanent marketing opt-out via the unsubscribe link in any email (always available). A pause does not affect your booking, refund eligibility, or access duration.

If more than one of these clauses applies at once (for example, a partner's passing alongside a workspace handover), write to us once. We will sequence the response with you.

14. Contact Us

For questions, concerns, or to exercise your data rights, contact our Data Protection Officer:

Data Protection Officer: Enrique Lacambra III, privacy@storia.ph

Data-subject requests (including wedding guests): email privacy@storia.ph. If a couple listed you as a guest and you want to access, correct, or delete those details, we verify your request against the information on file and coordinate with the couple, who is the controller of their guest list, to action it within 30 calendar days. You can also ask the couple directly.

General support: support@storia.ph

National Privacy Commission:

If you have concerns about our data practices, you may file a complaint with the NPC at www.privacy.gov.ph.

15. Compliance and Registration Status

Storia.ph operates as a sole proprietorship under Philippine law. We disclose our registration status transparently per the Internet Transactions Act (RA 11967) Section 7, so you know our compliance posture before signing up.

Registration Status Reference
DTI Business Name Registered 11 May 2026. Valid until 11 May 2031. LACAMBRA WEB PORTAL SERVICES, BN Cert No. 8179942, National scope. Issued by Sec. Ma. Cristina A. Roque, DTI.
NPC (data processing system) We filed an NPC Sworn Declaration and Undertaking for exemption from Data Processing System registration on 8 July 2026. The exemption remains valid while our processing activities stay below the applicable thresholds under the NPC's registration rules. We will file a Data Processing System registration if any threshold is crossed. RA 10173 (Data Privacy Act)
Mayor's Permit (LGU) In progress RA 7160 (Local Government Code)
BIR Tax Registration Registered 9 July 2026. Non-VAT (8% income-tax option). BIR Form 2303 Certificate of Registration, RDO 046 East NCR, PSIC 63120, RSN 046RC20260000011356. RA 8424 (NIRC) Section 236(A).
Data Protection Officer (DPO) Designated. Enrique Lacambra III serves as our Data Protection Officer, the contact for data-subject requests. privacy@storia.ph

Status updates. Where a registration or licence remains in process, for example the Local Mayor's Permit, it will be updated above upon issuance by the relevant authority. The NPC route is an exemption (see above), not a pending registration, so no NPC registration certificate is forthcoming.

Receipts and the BIR registration sequence. We do not accept payment for any paid package until our BIR Certificate of Registration (COR) is issued. After the COR is issued, and while our Authority to Print (ATP) is still pending, we issue a pre-numbered Acknowledgement Receipt at the time of payment in compliance with BIR Revenue Memorandum Circular 36-2019. Once our ATP is approved, we issue the corresponding BIR Invoice under Revenue Regulations 7-2024, and any customer who paid during the Acknowledgement Receipt window receives it. If you receive a refund before the BIR Invoice is issued, the Acknowledgement Receipt is voided and no Invoice is issued for the refunded amount; you receive a refund confirmation email referencing the voided AR number.

Data privacy posture and lawful basis. Storia processes personal data, including sensitive personal information (religious affiliation per RA 10173 Section 3(l)), under explicit consent obtained at the quiz and signup steps and other lawful bases described in Section 3 above. Storia operates under the NPC registration exemption described above; there is no pending NPC PIC registration certificate.

Questions or concerns about our registration posture, the receipt we will issue you, or our data privacy posture: email support@storia.ph and we will respond within 24 hours.

This Privacy Policy is compliant with Republic Act No. 10173 (Data Privacy Act of 2012), its Implementing Rules and Regulations, and applicable NPC Circulars including 16-03 (Data Breach Management) and 2022-04 (Registration of Data Processing Systems and Notification Regarding Automated Decision-Making). Registration status is disclosed in Section 15 above per RA 11967 (Internet Transactions Act) Section 7.