Privacy Policy

Miru Market respects your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use the Service, in accordance with Republic Act No. 10173 (the Data Privacy Act of 2012) and its Implementing Rules and Regulations.

Effective date: May 8, 2026
Last updated: May 8, 2026

Contents

  1. Introduction
  2. Personal Information Controller
  3. Data Protection Officer
  4. Scope of this Policy
  5. Information we collect
  6. Sources of information
  7. Legal bases for processing
  8. How we use your information
  9. How we share your information
  10. International data transfers
  11. Cookies and similar technologies
  12. Security measures
  13. Data retention
  14. Your rights as a data subject
  15. How to exercise your rights
  16. Children’s privacy
  17. Third-party links and services
  18. Automated decision-making
  19. Data breach notification
  20. Changes to this Policy
  21. Complaints to the NPC
  22. Contact us

1. Introduction

This Privacy Policy (the “Policy”) describes how the operator of Miru Market (“Miru,” “we,” “us,” or “our”) collects, uses, discloses, and protects personal information in connection with our website, mobile experiences, and related services (collectively, the “Service”). It applies to registered users, guest users, and visitors of the Service.

By accessing or using the Service, you acknowledge that you have read, understood, and agree to the practices described in this Policy. Capitalized terms not defined here have the meanings given in our Terms of Use.

2. Personal Information Controller

For purposes of the Data Privacy Act of 2012, the Personal Information Controller is the operator of Miru Market. The legal entity is in the process of being finalized and will be identified here once confirmed. In the meantime, you may reach us at:

Email: contact@mirumarket.com

3. Data Protection Officer

Our Data Protection Officer (“DPO”) is responsible for overseeing our compliance with the Data Privacy Act and is your point of contact for any privacy-related concerns. You may reach the DPO at:

Email: dpo@mirumarket.com
Subject line: “Data Privacy Inquiry”

4. Scope of this Policy

This Policy applies to personal information we process in our capacity as a Personal Information Controller. It does not apply to (a) information processed by third parties whose services we link to or integrate, which are governed by their own privacy policies; or (b) information that has been irreversibly anonymized such that it can no longer be associated with you.

5. Information we collect

We collect the following categories of information:

5.1 Information you provide directly

  • Account information. Mobile phone number, personal identification number (PIN), username, optional avatar, and any optional profile fields.
  • Preferences. Notification, language, and accessibility preferences.
  • Communications. The content of messages you send us, including support requests, feedback, and survey responses.
  • Raffle and promotion details. When required to deliver a prize or comply with promotional permits, we may collect your full legal name, government identification, mailing address, and tax-related information.

5.2 Information collected automatically

  • Activity information. Markets viewed, trades placed, positions held, wallet balance and transactions, raffle entries, achievements, notifications, and interaction events.
  • Device and technical information. IP address, device identifiers, browser type and version, operating system, language settings, device model, referring page, and timestamps.
  • Usage analytics. Pages visited, features used, session length, crash reports, and performance metrics.
  • Cookies and similar technologies. See Section 11.

5.3 Guest session information

If you use the Service without registering, we generate a session token stored in your browser's session storage. We maintain a corresponding server-side record of the token, your guest balance, your positions, and the lifecycle of the session (including expiry). This information is not linked to any personal identifier unless and until you register.

5.4 Sensitive personal information

We do not intentionally collect sensitive personal information as defined under Section 3(l) of the Data Privacy Act (such as race, ethnic origin, marital status, age, religious affiliation, health, education, genetic, or sexual life information). If you choose to share sensitive personal information with us, we will treat it with the additional protections required by law.

6. Sources of information

We collect information from the following sources:

  • directly from you when you register, trade, or communicate with us;
  • automatically from your device and browser as you use the Service;
  • from authorized service providers who assist us with hosting, analytics, authentication, push-notification delivery, fraud prevention, and customer support; and
  • from public sources or third-party data providers, only where lawful and necessary for fraud prevention, identity verification, or legal compliance.

7. Legal bases for processing

We process your personal information under one or more of the following legal bases recognized by Section 12 of the Data Privacy Act:

  • Consent. Where you have given your consent for one or more specific purposes (e.g., marketing communications, optional analytics).
  • Contractual necessity. Where processing is necessary to provide the Service you have requested or to take steps at your request before entering into a contract.
  • Legal obligation. Where processing is necessary to comply with a legal obligation to which we are subject.
  • Vital interests. Where processing is necessary to protect your life or health or that of another person.
  • Legitimate interests. Where processing is necessary for our legitimate interests or those of a third party (such as fraud prevention, security, and product improvement), provided those interests are not overridden by your fundamental rights and freedoms.

8. How we use your information

We use the information we collect for the following purposes:

  • Operate the Service. Authenticate you, settle trades, credit winnings, manage Virtual Items, deliver Raffles, and maintain your account.
  • Communicate with you. Send operational notifications, respond to inquiries, and (with your consent) deliver marketing communications.
  • Personalize and improve the Service. Customize your experience, understand how features are used, develop new features, and improve performance.
  • Security and fraud prevention. Detect, investigate, and prevent fraud, abuse, market manipulation, and unauthorized access; protect Users and the integrity of the Service.
  • Compliance and enforcement. Comply with legal obligations, respond to lawful requests, enforce our Terms of Use, and assert or defend legal claims.
  • Research and analytics. Conduct internal research and analytics, generally on aggregated or anonymized data.

9. How we share your information

We do not sell your personal information. We share it only as described below and subject to appropriate safeguards:

  • Service providers. We share information with vendors and contractors who perform services on our behalf, including hosting (e.g., Vercel, Convex), analytics, push-notification delivery, fraud prevention, customer support, and email/SMS delivery. These providers are contractually required to protect your information and use it only for the services they provide to us.
  • Legal and regulatory. We may disclose information when required by law, regulation, court order, subpoena, or other legal process, or when reasonably necessary to protect our rights, property, or safety, or that of our Users or the public.
  • Business transfers. In connection with a merger, acquisition, reorganization, sale of assets, or similar transaction, we may transfer information to the relevant counterparty, subject to confidentiality protections.
  • With your consent. We may share information for any other purpose you have consented to.

10. International data transfers

Some of our service providers process information outside the Philippines, including in the United States and the European Union. Where such transfers occur, we rely on appropriate safeguards consistent with Section 21 of the Data Privacy Act, including contractual commitments by the recipient to maintain a comparable level of protection. By using the Service, you acknowledge that your information may be processed in jurisdictions whose data-protection laws may differ from those of the Philippines.

11. Cookies and similar technologies

We use cookies and similar technologies to:

  • maintain your session and authentication state;
  • remember your preferences;
  • understand how the Service is used; and
  • support security and fraud prevention.

You may control cookies through your browser settings. Disabling cookies may impair functionality, including your ability to remain signed in. Where required by law, we will obtain your consent before placing non-essential cookies.

12. Security measures

We implement reasonable and appropriate organizational, physical, and technical security measures to protect personal information against unauthorized access, disclosure, alteration, or destruction, including:

  • encryption in transit using industry-standard protocols (HTTPS/TLS);
  • secure hashing of PINs and other credentials;
  • role-based access controls and least-privilege provisioning;
  • logging, monitoring, and audit of access to systems containing personal data;
  • regular security reviews and patching of our systems and dependencies; and
  • vendor due diligence and contractual data-protection obligations.

No system is completely secure. While we strive to protect your information, we cannot guarantee its absolute security.

13. Data retention

We retain personal information only for as long as is necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, tax, or reporting requirements, and to defend against legal claims. Specific retention periods include:

  • Account data: for the duration of your Account, plus a reasonable period thereafter for fraud prevention, dispute resolution, and legal compliance.
  • Trading and wallet records: retained for as long as required to preserve the integrity of Markets and to comply with applicable record-keeping obligations.
  • Guest sessions: active for twenty-four (24) hours after the first trade. Expired guest sessions are reassigned to a system account; the underlying session token is preserved for audit purposes.
  • Raffle prize records: retained as required by applicable promotional-permit and tax regulations.
  • Communications and support records: retained for a reasonable period to support service quality and legal claims.

When personal information is no longer required, we will securely delete or irreversibly anonymize it, except as otherwise required by law.

14. Your rights as a data subject

Subject to applicable conditions and exceptions, the Data Privacy Act grants you the following rights with respect to your personal information:

  • Right to be informed of whether personal information about you is being or has been processed and the purpose, scope, and method of such processing.
  • Right to access your personal information held by us.
  • Right to object to the processing of your personal information, including for direct marketing or automated decision-making.
  • Right to rectification: to correct or update inaccurate or incomplete personal information.
  • Right to erasure or blocking: to request the suspension, withdrawal, blocking, removal, or destruction of your personal information under specified circumstances.
  • Right to data portability: to obtain a copy of your personal information in a structured, commonly used, electronic format.
  • Right to damages for inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of personal information.
  • Right to lodge a complaint with the National Privacy Commission (see Section 21).

15. How to exercise your rights

You may exercise any of the rights in Section 14 by contacting our DPO at dpo@mirumarket.com. To protect your information, we may request that you verify your identity before acting on your request. We will respond within the time required by applicable law. There is generally no fee, but we may charge a reasonable fee or decline to act on requests that are manifestly unfounded, excessive, or repetitive.

16. Children’s privacy

The Service is not directed to children under eighteen (18) years of age, and we do not knowingly collect personal information from minors. If you believe a minor has provided us with personal information, please contact our DPO and we will take appropriate steps to investigate and, where required, delete that information.

17. Third-party links and services

The Service may contain links to or integrations with third-party websites or services, including hosting, analytics, payment, identity, and notification providers. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before sharing any information with them.

18. Automated decision-making

We may use automated systems to assist with fraud detection, abuse prevention, and security. These systems may flag activity for manual review but do not, on their own, produce legal or similarly significant effects on you. Where automated decision-making takes place, you have the right to obtain human intervention, express your point of view, and contest the decision.

19. Data breach notification

In the event of a personal data breach that is likely to give rise to a real risk of serious harm to affected data subjects, we will notify the National Privacy Commission and affected data subjects within seventy-two (72) hours of becoming aware of the breach, in accordance with the Data Privacy Act and NPC Circular No. 16-03.

20. Changes to this Policy

We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. The “Last updated” date at the top of this page reflects when changes were last made. We will provide notice of material changes through the Service or by other reasonable means. Your continued use of the Service after a change becomes effective constitutes your acceptance of the updated Policy.

21. Complaints to the National Privacy Commission

If you believe your rights under the Data Privacy Act have been violated, you may file a complaint with the National Privacy Commission (NPC):

National Privacy Commission
5th Floor, Philippine International Convention Center,
Vicente Sotto Avenue, Pasay City 1308
Email: complaints@privacy.gov.ph
Website: privacy.gov.ph

We encourage you to contact our DPO first so we have an opportunity to address your concern directly.

22. Contact us

For questions about this Policy or our privacy practices, please contact us at:

Email (DPO): dpo@mirumarket.com
General inquiries: contact@mirumarket.com

© 2026 MiruMarket Inc. All rights reserved.
