Manila Live

№ I

House privacy

"We handle client data the way a newsroom handles a source: with discretion, on a need-to-know basis, and never for any purpose other than the work."

— House style, third edition

Privacy, in plain language — without the dark patterns.

Most privacy policies are long because they are designed to cover the company, not to inform the reader. This one is designed to tell you what we collect, what we don't, where it goes, and what you can do about it. When our operators do work for you, we are a processor of your data on your instructions. We do not treat your data as an asset. We treat it as a liability — something we are responsible for and want to return cleanly when the engagement ends.

Start a brief →
№ II What We Collect About Clients

Contact form fields, chatbot transcripts, and server logs. That's it.

When you submit a contact form or start a brief, we collect your name, email address, and message. That data goes into our brief intake system, where the editor on duty reads it. It is not shared with a marketing platform, a CRM vendor, or an advertising network. It is read by a person and used to respond to you.

The Concierge chatbot on this site processes your messages in memory only. Transcripts have a one-hour TTL — after that they are deleted from the session and not stored anywhere. We do not log chatbot conversations to a database, and the model (Qwen 32B, self-hosted in Michigan) does not retain them. What you type to the Concierge is gone within the hour.

We collect server logs in the standard format — IP addresses, request paths, HTTP status codes, timestamps. We use these to monitor for abuse and to diagnose infrastructure issues. They are not used for analytics, are not shared with third parties, and are rotated on a standard schedule.

№ III What We Don't Collect

No tracking cookies. No analytics scripts. An editorial decision.

This site does not run Google Analytics, the Meta Pixel, or any other third-party analytics platform. There are no behavioral tracking cookies, no fingerprinting scripts, and no retargeting pixels. This is a deliberate editorial decision, not a technical limitation.

We know roughly how many people read a given page because our CDN gives us aggregate request counts. We do not know who you are, where you came from, how long you stayed, or whether you clicked a link. We do not need to know. Our clients find us through referrals and through the work, and we do not run the site as a marketing funnel.

If a future version of the site adds any analytics capability, this section will be updated thirty days in advance and active clients will be notified by email, per § X below.

№ IV Data Your Operator Handles
GDPR Article 28 processor for EU clients.

Your data. On your instructions. Under our NDA.

When our operators do work for you, they handle whatever data you put in front of them — inboxes, ledgers, CRM records, call recordings, customer data, financial statements. That data belongs to you. We process it on your instructions and for no other purpose.

Every operator assigned to a client engagement signs our standard confidentiality agreement before they touch the workstream. The section editor who reviews the work is bound by the same agreement. Data that appears in the editorial review cycle — a sample of calls, a portion of a ledger — is handled under the same confidentiality terms as the underlying work.

For clients who are subject to GDPR, we operate as a data processor under Article 28. We will sign a Data Processing Agreement on request; our standard DPA is available from the editor on duty. We do not rely on Standard Contractual Clauses for transfers to the Philippines — the Philippines has an adequacy-equivalent framework under the Data Privacy Act of 2012 and NPC issuances, which we comply with.

№ V How We Store Data

Manila infra. EU edge for static. No AI training. No data sale.

Client data and engagement records are stored in Postgres databases on our Manila infrastructure. Static assets are served from EU edge nodes via Cloudflare. The underlying hosting runs on a combination of AWS and Hetzner, depending on the region and workload type.

We do not sell your data. We do not share it with partners, affiliates, or any third party except the sub-processors listed in § VII and as required by law. We do not use client data to train AI models — not ours, not anyone else's. The chatbot on this site runs Qwen 32B, self-hosted on our own hardware in Michigan. Your chatbot transcripts do not leave our infrastructure and are not sent to OpenAI, Anthropic, or any other AI provider.

Data retention: contact form submissions and brief intake records are kept for three years from the last interaction. Operator engagement records are kept for five years. On written request, we will delete any record we are not legally required to retain.

№ VI Your Rights

Access, correction, deletion, export. Five business days.

You have the right to request access to data we hold about you, to correct inaccuracies, to request deletion (subject to our legal retention obligations), and to receive an export in a machine-readable format. Email [email protected] with your request. We respond within five business days, Manila time.

GDPR-specific rights: if you are based in the EU, you additionally have the right to restrict processing, to object to processing, and to lodge a complaint with your supervisory authority. Our Data Protection Officer function is handled by Andre Lazaro; the contact is the same address above.

CCPA-specific rights: if you are a California resident, you have the right to know what personal information we collect, to delete it, and to opt out of any sale. We do not sell personal information, so the opt-out is already in effect. To exercise your other rights, use the same email address.

№ VII Third-Party Sub-Processors

Four. Each with a specific and bounded role.

We use the following sub-processors. Each has a specific function; none of them receive more data than their function requires.

3AVA Mail
Transactional email delivery. Receives your email address and the content of confirmation and notification emails we send you. Does not receive any other client data.
Cloudflare
CDN and web application firewall. Receives all incoming web requests to this site — IP addresses, request paths, and response codes. Does not receive engagement data or personal data beyond what appears in standard HTTP traffic.
AWS / Hetzner
Compute and storage infrastructure. Hosts the encrypted databases and application servers. Receives no application-level data; they are infrastructure providers, not processors of your personal data in the GDPR sense.
Postgres
Our primary database engine. All client and engagement data at rest lives here, encrypted, on infrastructure we control. Postgres is software, not a vendor service; we run it ourselves.
№ VIII Cookies

One. Session only. For the chatbot.

We set one cookie: a session cookie for the Concierge chatbot, created only when you open it. It holds the session identifier so the chatbot remembers your conversation within the browser tab. It is set with SameSite=Lax and does not persist beyond the browser session. It is not a tracking cookie. No third-party cookies are set on this site.

If you never open the chatbot, no cookie is set at all.

№ IX Children

We don't market to under-18s and don't knowingly collect their data.

724 Care is a B2B service. Our marketing is directed at business buyers, not at consumers and not at minors. We do not knowingly collect personal data from anyone under the age of 18. If you believe we have done so, write to [email protected] and we will delete the relevant data immediately.

№ X Changes to This Policy

Thirty days notice to active clients. Not retroactive.

If we make a material change to this policy — adding a new sub-processor, changing retention periods, or adding any form of tracking — we will email every active client thirty days before the change takes effect. The email will describe exactly what changed. Changes will not apply retroactively to engagements that predate the effective date of the revision.

Typographical corrections and clarifications that do not change the substance of the policy take effect on publication without prior notice. The effective date at the bottom of this page reflects the date of the last material change.

№ XI

Privacy questions

Any questions — email [email protected].

The DPO function is handled by Andre Lazaro. Write "Privacy request" in the subject line and we will respond within five business days, Manila time. If you are making a formal GDPR or CCPA request, note the specific right you are exercising.

Effective date: 1 May 2026 · DPO: Andre Lazaro · [email protected]