Your data, protected

Privacy & Data Protection Policy

Apolaki is built so your rooftop and your bill help you decide on solar — without handing your identity to anyone you haven't chosen to meet.

This policy explains, in plain terms, what personal information Apolaki collects when you use this website and our app, why we collect it, how we keep it safe, and the rights you hold over it. We have written it to comply with the Philippine Data Privacy Act of 2012 (Republic Act No. 10173), its Implementing Rules and Regulations, and the issuances of the National Privacy Commission (NPC).

Who we are

Apolaki is a digital solar readiness and partner-matching platform for Filipino homes. It is operated by VESS Corp., a venture founded by students at the Asian Institute of Management (AIM) in Makati City, Metro Manila.

For the purposes of RA 10173, VESS Corp. (operating Apolaki) is the Personal Information Controller — the party that decides what data is collected and how it is processed. You can reach us about anything in this policy at jelegado.MIB2026B@aim.edu.

Scope

This policy covers personal data we process through:

  • this marketing website (apolaki.ai); and
  • the Apolaki app and assessment platform (apolaki-478302.web.app), including your account and any readiness assessment you run.

It does not cover the separate privacy practices of installers you choose to connect with, or third-party sites we link to. Those parties have their own policies.

Information we collect

We collect only what we need to give you a useful, bill-backed readiness report. This includes:

  • Account information — your name and email address when you create an account.
  • Assessment data — the details of your electricity bill (such as your monthly consumption in kWh and amount, typically from a MERALCO bill you may upload), your rough location and a roof pin you drop on the map, and your energy-usage patterns. This is the information that anchors your estimate on reality instead of a generic guess.
  • Technical information — device and browser details, log data (such as IP address and pages visited), and cookies, used to keep the service secure and working.
  • Communications — messages you send us, support requests, and any feedback you choose to share.

We do not ask for, and you should not send us, sensitive personal information (such as government ID numbers, health, or financial-account details) — none of it is needed to assess your roof.

How and why we use your information

We use your information to:

  • Provide the readiness assessment — generate your personalised solar report, including estimated system size, savings, and payback.
  • Anchor estimates on your real bill — combine your consumption with rooftop and irradiance data so the numbers reflect your home, not an average one.
  • Match you with installers — only with your consent — when, and only when, you explicitly choose to connect, we share what is needed for a vetted installer to prepare a quote.
  • Support, secure, and improve the product — answer your questions, protect against fraud and abuse, fix problems, and make the assessment more accurate over time.

Under RA 10173, we rely on these lawful bases for processing:

  • Your consent — for example, before any identifying details are shared with an installer.
  • Performance of a service or contract you requested — to deliver the readiness assessment you asked for.
  • Our legitimate interests — such as keeping the platform secure and improving it — balanced against your rights, and never overriding them.

Signing in with Google or Facebook

You can create your account or sign in using Google or Facebook instead of a password. When you choose to do so, that provider shares a limited set of profile details with us — your name, email address, and profile picture — which we use solely to create and secure your Apolaki account and to sign you in. We request nothing beyond basic profile and email.

  • We never post on your behalf, and we never access your friends, contacts, posts, or any other part of your social account.
  • We do not share this data back to Google or Facebook, and we do not use it for advertising.
  • You stay in control — you can revoke Apolaki’s access at any time from your Google Account or Facebook settings, and you can delete your Apolaki account as described below.

Your use of Google or Facebook sign-in is also governed by that provider’s own privacy policy.

Consent and the ‘anonymised until you connect’ principle

This is the heart of how Apolaki treats your data. By default, the analysis and anything an installer can see uses only anonymised rooftop metrics — for example, usable roof area, estimated production, and recommended system size — with your name, email, exact address, and contact details stripped out.

  • Anonymised in analysis and matching. Installers browse opportunities described by the numbers, not by who you are.
  • Identifying details shared only when you choose to connect. Your name and contact information are released to a specific installer solely when you explicitly decide to connect with them — never before.
  • No back-channel. There is no direct homeowner-to-installer contact until you opt in, so no one can reach out to you off the platform.
  • Enforced by architecture. This is built into how the platform stores and shares data — it is a design constraint, not just a promise on a page.

Sharing and disclosure

We are deliberately narrow about who sees your data:

  • Vetted installers — on your consent only. We share your identifying details with an installer only after you choose to connect with that installer.
  • Service providers (processors). Trusted vendors that run parts of our infrastructure — for example, cloud hosting on Google Cloud — process data on our behalf, under contract, bound by confidentiality, and only for the purposes we set.
  • Legal requirements. We may disclose information where required by law, court order, or a lawful request from a competent authority.
  • We never sell your personal data. Full stop — not to installers, advertisers, or data brokers.

A note on data sources. Apolaki uses NASA POWER for solar-irradiance data and Google Solar for rooftop data. These provide environmental and roof information that feeds your estimate; they are not recipients of your personal data.

Data security

We protect your information with safeguards appropriate to its sensitivity:

  • Encryption in transit and at rest — data is encrypted as it travels to us and while stored.
  • Access controls — staff and systems get only the access they need (least-privilege), and access is logged.
  • Short-lived signed URLs — any private files you upload, such as a bill photo, are served through time-limited links that expire, rather than being left openly accessible.
  • Operational discipline — we keep credentials and infrastructure access tightly scoped and review them as we grow.

No system is perfectly secure, but we work to keep risk low and to respond quickly if something goes wrong.

Data retention and disposal

We keep personal data only for as long as it is needed for the purpose we collected it — to maintain your account and assessment, support you, and meet legal or regulatory obligations. When data is no longer needed, we securely delete it or irreversibly anonymise it so it can no longer identify you. You may ask us to delete your data at any time, subject to any retention the law requires.

Your rights as a data subject

Under RA 10173, you have the following rights, and we will help you exercise them:

  • Right to be informed — to know whether and how your data is processed.
  • Right to object — to stop or limit processing, including for matching or marketing.
  • Right to access — to obtain a copy of the personal data we hold about you.
  • Right to rectification — to correct inaccurate or incomplete data.
  • Right to erasure or blocking — to have your data removed or suspended where grounds exist.
  • Right to damages — to be indemnified for harm from inaccurate, unlawful, or unauthorised use of your data.
  • Right to data portability — to obtain your data in a usable electronic format.
  • Right to lodge a complaint — to raise concerns with us, and with the National Privacy Commission.

To exercise any of these, email jelegado.MIB2026B@aim.edu. We may need to verify your identity before acting, to protect your account.

Data Protection Officer

Apolaki has designated a Data Protection Officer (DPO) responsible for overseeing compliance with RA 10173, handling data-subject requests, and coordinating our response to any data-privacy incident.

You can reach the DPO at jelegado.MIB2026B@aim.edu using the subject line “DPO / Data Privacy”. We aim to acknowledge requests within a reasonable period and to respond promptly. As we scale, we will publish a dedicated dpo@ inbox; until then, the address above reaches the DPO directly.

Data breach response

We maintain procedures to assess, contain, and remediate personal-data breaches. Where a breach is likely to give rise to real risk to your rights, we will, in line with NPC rules, notify the National Privacy Commission and the affected data subjects within the required timeframes, and tell you what happened and what you can do.

Cookies

We use two kinds of cookies:

  • Essential cookies — needed to keep you signed in and the site working.
  • Analytics cookies — help us understand, in aggregate, how the site is used so we can improve it.

You can control or delete cookies in your browser settings at any time. Blocking essential cookies may stop parts of the service from working as intended.

International transfers

Some processing may take place outside the Philippines through our cloud providers. Where this happens, we use reputable providers that apply appropriate safeguards — including encryption and contractual protections — so your data receives a comparable level of protection wherever it is handled.

Children

Apolaki is intended for adults aged 18 and over, since solar decisions concern a household and its accounts. We do not knowingly collect personal data from minors. If you believe a minor has provided us data, contact us and we will delete it.

Filing a complaint with the National Privacy Commission

If you believe your data-privacy rights have been violated and you are not satisfied with our response, you may lodge a complaint with the National Privacy Commission. Details on how to file are available at privacy.gov.ph. We would, of course, prefer the chance to put things right first — please reach our DPO.

Changes to this policy

We may update this policy as our service, technology, or the law evolves. When we do, we will post the revised version here and update the effective date at the top. Material changes will be made clear. Please check back from time to time.

Contact us

Questions, requests, or concerns about your data are welcome.