Website Privacy Policy
For final legal review • AI Manila Software Development Services • Sudo Booth
Effective date
5 July 2026
Last updated
5 July 2026
This Privacy Policy explains how AI Manila Software Development Services, operating Sudo Booth, may collect, use, disclose, retain, and protect personal data relating to website visitors, prospective clients, event clients, event organizers, guests, and other individuals who interact with Sudo Booth.
This policy is intended to align with the Philippine Data Privacy Act of 2012, its Implementing Rules and Regulations, and applicable National Privacy Commission issuances. It remains subject to review by qualified Philippine counsel.
1. Who we are
For processing activities where it determines the purposes and means of processing, the personal information controller is:
AI Manila Software Development Services, operating Sudo Booth
Business address: 205 Vega, Stellar Place, Visayas Avenue, Quezon City
Privacy contact: Privacy Contact
Email: slowmomanila@gmail.com
Telephone: +63 926 046 5229
Depending on the event agreement, an event client or organizer may separately act as a personal information controller, while Sudo Booth may act as a personal information processor or as a separate controller for defined activities.
Those roles must be determined for each engagement and reflected in the applicable agreement and guest notice.
2. Scope of this policy
This policy covers:
use of the Sudo Booth marketing website;
inquiries sent to Sudo Booth;
quotation and event coordination;
contracted booth operations;
guest photo and video processing;
AI-generated outputs;
supported QR and web delivery;
selected printing and gallery functions;
related support, security, and business records.
A separate on-booth Consent Notice or Event Guest Privacy Notice may provide more specific information before guest capture and AI processing.
3. Information received through the website
The current website does not host an inquiry form, account registration, or payment function.
Visitors may voluntarily contact Sudo Booth using external or device-based channels such as:
email;
telephone;
Viber;
social-media messaging;
external map or location services.
When you contact Sudo Booth, information received may include:
name;
email address;
telephone or messaging details;
company or organization;
event date and venue;
event type;
estimated guest count;
project requirements;
requested services;
quotation details;
correspondence;
attachments or creative references;
other information you voluntarily provide.
Information submitted through a third-party service is also subject to that provider’s privacy policy.
4. Cookies, analytics, and technical logs
The current website does not intentionally use authorized advertising cookies, marketing pixels, analytics tools, CRM tracking, or behavioral profiling.
The website may nevertheless generate limited technical or security information through normal hosting, content-delivery, network, or security operations, depending on the final hosting configuration. Such information may include:
IP address;
request time;
requested resource;
browser or device information;
error or security event information.
No specific technical logging should be represented as deployed until the public hosting configuration has been verified.
If analytics, non-essential cookies, a hosted inquiry form, CRM integration, advertising technology, or marketing automation is introduced, this policy and any necessary cookie or consent mechanism must be updated before activation.
5. Event and guest information
Depending on the contracted event setup, Sudo Booth may process:
guest photographs;
face, likeness, pose, and visible upper-body appearance;
source images provided for a booth session;
AI-generated or AI-transformed images;
AI-generated or AI-transformed videos;
selected style, theme, attire, props, background, framing, or creative direction;
event and booth-session identifiers;
QR codes, web links, and short codes;
delivery, printing, gallery, and operational records;
consent evidence and applicable notice versions;
technical logs needed to operate, secure, support, troubleshoot, or delete outputs.
Photos and videos containing identifiable individuals are personal data. Their processing or sharing requires a lawful basis and must follow transparency, legitimate-purpose, and proportionality principles.
6. Purposes of processing
Personal data may be processed to:
respond to inquiries;
prepare quotations and proposals;
assess event requirements;
coordinate schedules, venue access, logistics, and technical setup;
provide the contracted booth experience;
capture guest photographs;
generate or transform photo and video outputs using AI;
apply event-specific creative treatments and branding;
display outputs during the booth experience;
provide controlled QR or web access;
support on-site printing where included;
operate galleries where contractually authorized;
maintain service integrity and security;
investigate failures and troubleshoot;
process deletion, access, or privacy requests;
retain appropriate consent and accountability records;
comply with legal, regulatory, tax, accounting, and dispute-resolution obligations.
Guest outputs are not automatically authorized for advertising, social-media posting, campaign reuse, model training, or unrelated promotional use.
Marketing or social-media reuse must have its own lawful basis and, where appropriate, separate optional consent.
7. Legal bases
Depending on the activity, processing may rely on:
consent, particularly for guest photo capture, AI transformation, and optional uses requiring consent;
steps requested before entering into a contract, such as responding to inquiries and preparing quotations;
performance of a contract, such as event coordination and delivery of agreed services;
legitimate interests, where appropriate and balanced against individual rights, such as reasonable service security, fraud prevention, troubleshooting, and business administration;
legal obligations, including tax, accounting, regulatory, court, or lawful government requirements;
another basis permitted by the Data Privacy Act.
Consent must be freely given, specific, informed, evidenced, and capable of withdrawal where consent is the applicable basis. The availability of alternative lawful bases must not be used to bypass meaningful consent where consent is required.
8. Guest consent and AI processing
Before guest capture and AI processing, the booth should present a clear consent notice describing:
photo or video capture;
AI generation or transformation;
event branding or creative treatment;
QR or web access;
relevant storage and deletion information;
available privacy contact;
any event-organizer or client access that applies.
A guest who declines should not proceed through the capture and generation flow.
AI outputs may modify or generate elements including appearance, attire, pose, background, props, framing, visual style, or movement. AI results may not precisely represent reality.
The NPC’s AI guidance emphasizes meaningful transparency and safeguards against harmful or non-consensual uses, with particular concern where children are depicted.
9. QR and web access
Supported outputs may be made available through controlled QR codes, web links, or short codes.
Guest output storage is intended to remain private rather than exposed through openly browsable storage links. Direct storage URLs should not be used as guest-facing access links.
A person who receives or obtains a valid QR code or link may be able to view the associated output during its availability period. Guests should avoid sharing access details when they do not want others to view the output.
The precise access model, availability, expiry, and download functionality may vary by event and output type.
10. Printing and event galleries
Selected event packages may include printing.
Printing uses a separately prepared print output and does not by itself authorize broader cloud, gallery, marketing, or client use.
An event gallery may be provided only where enabled and governed for that event.
The existence of a gallery must not be interpreted as automatic client access to every guest image. Any client or organizer access must be contractually authorized, disclosed to guests where required, appropriately secured, and limited to the stated purpose.
11. Event clients and organizers
The event client or organizer may:
supply event requirements and creative materials;
define an authorized event purpose;
coordinate guest participation;
provide venue and event information;
determine whether certain event-gallery or output-access functions are enabled;
have its own legal and privacy responsibilities.
Depending on the arrangement:
the client may act as PIC and instruct Sudo Booth as a PIP;
Sudo Booth may act as PIC for its own operational, security, consent, legal, or service-administration processing;
the parties may act as separate PICs for distinct purposes.
These roles must be documented in the applicable agreement. They must not be assumed solely from branding or payment arrangements.
12. Sharing and service providers
Personal data may be disclosed only where necessary and lawfully permitted to:
authorized Sudo Booth personnel and operators;
the event client or organizer, where expressly authorized and properly disclosed;
hosting, cloud-storage, delivery, security, or infrastructure providers;
AI-processing providers used for the event;
printing, technical, or operational providers where applicable;
professional advisers, including lawyers and accountants;
insurers or dispute-resolution advisers where necessary;
government, regulatory, judicial, or law-enforcement authorities where legally required.
Providers should receive only the information needed for the assigned purpose and should be subject to appropriate contractual and security obligations.
Not every event client receives access to all guest outputs.
13. Cross-border processing
Some cloud, hosting, communications, or AI-processing providers may process or store data outside the Philippines.
Where cross-border processing applies, Sudo Booth should:
identify the relevant provider and processing location;
assess the provider and intended processing;
use appropriate contractual and security safeguards;
limit transferred data to what is necessary;
remain accountable for processing under applicable Philippine law;
disclose material cross-border processing in the applicable notice.
This section should be finalized only after the actual public hosting, communications, AI, and cloud-provider inventory is confirmed.
14. Security
Sudo Booth uses reasonable and appropriate administrative, organizational, physical, and technical safeguards based on the nature of the data and processing.
Measures may include:
restricted access;
private storage;
authenticated service access;
resolver-mediated QR and web delivery;
data minimization;
retention controls;
logging and redaction;
secure configuration;
deletion and incident procedures;
service-provider controls.
No system can be represented as completely secure or infallible.
PICs and PIPs remain responsible for implementing security measures and respecting data-subject rights; registration or other administrative compliance does not itself prove that all processing is lawful.
15. Retention
Event outputs
Recommended public wording:
Guest photo and video outputs are generally retained for up to 30 days from capture or the event date, unless a shorter event-specific period applies. Outputs may be deleted earlier when delivery and operational purposes are complete. Retention beyond 30 days requires a documented legal, security, dispute, or other governed reason.
This is clearer and safer than publishing an indefinite “15 days to one month” range.
The final public policy should adopt one maximum default period before launch. Based on the current approved operating model, up to 30 days from capture is the preferred default, with earlier deletion allowed when the operational purpose is complete.
Operational records
Consent records, security logs, delivery evidence, deletion-request records, accounting records, contractual records, or dispute records may have separate retention periods based on legal, accountability, security, or business requirements.
Those records must be limited to what is necessary and must not be retained indefinitely without a documented basis.
Website inquiries
Inquiry correspondence should be retained only while:
responding to the inquiry;
preparing or negotiating a quotation;
administering a resulting engagement;
maintaining necessary business, legal, tax, or dispute records;
preserving a reasonable record of declined or inactive inquiries.
A precise inquiry-retention schedule must be approved before publication. A possible operational model is:
unsuccessful or inactive inquiries: 12 months after last substantive contact;
contracted-client correspondence and commercial records: according to the applicable legal, tax, accounting, and contractual schedule.
Counsel and accounting advice are required before these periods become final.
16. Deletion and withdrawal
Where consent is the basis of processing, an individual may withdraw consent, subject to processing already lawfully completed and records that must be retained under another lawful basis.
A request may include:
event name or date;
QR link or short code;
approximate capture time;
contact information needed to verify and process the request.
Sudo Booth will assess deletion or blocking requests subject to:
reasonable identity verification;
technical feasibility;
legal obligations;
security and accountability requirements;
dispute or legal holds;
copies already downloaded, printed, screenshotted, or shared outside Sudo Booth’s control.
The policy should not promise permanent deletion in every circumstance.
17. Minors
Minors should participate only with appropriate parent or legal-guardian consent and supervision, subject to the event design and applicable law.
For events directed at, or expected to involve, children:
organizers should notify Sudo Booth in advance;
child-appropriate privacy information should be provided;
guardian authorization should be established;
sharing and client-access settings should be restricted where appropriate;
marketing reuse should not be bundled into ordinary participation;
shorter retention or additional protections should be considered.
The NPC has issued guidance on child-oriented transparency, reinforcing the need for notices that children can understand where processing is directed at them.
Counsel must decide whether the general website should state a specific age threshold or instead use the broader Philippine concept of a minor and event-specific guardian procedures.
18. Data-subject rights
Subject to applicable law, data subjects may have the right to:
be informed;
access personal data;
object to certain processing;
correct inaccurate or incomplete data;
request erasure, deletion, or blocking where applicable;
withdraw consent where consent is the basis;
receive data portability where applicable;
claim compensation where legally available;
lodge a complaint with the National Privacy Commission.
The NPC describes these rights as providing individuals reasonable control over the flow of their personal data.
Requests may be sent to:
Sudo Booth may request reasonable information to verify identity, locate the relevant data, and prevent unauthorized disclosure or deletion.
19. Fictional demonstrations
The website may show fictional or internally produced demo images, campaigns, brands, products, URLs, QR codes, short codes, events, or output examples.
Unless expressly stated otherwise, they do not identify actual clients, actual guests, live public links, or active event records.
Demo content must not use an identifiable person’s image without an appropriate basis and authorization.
20. Data breaches and incidents
Suspected privacy or security incidents should be assessed under the applicable incident-response and breach-notification procedure.
Where the legal requirements for mandatory notification are met, the appropriate notifications must be made. Other security incidents may still require documentation and reporting under NPC requirements.
21. Policy updates
This policy may be updated when:
website functionality changes;
analytics or cookies are introduced;
a hosted inquiry form is added;
CRM or advertising systems are connected;
AI or cloud providers change;
event-access models change;
legal requirements change.
Material changes should be reflected through a new version and updated effective date. Where appropriate, additional notice should be provided.
22. Contact
Privacy requests and questions may be directed to:
AI Manila Software Development Services
Operating Sudo Booth
Privacy contact: Privacy Contact
Email: slowmomanila@gmail.com
Business address: 205 Vega, Stellar Place, Visayas Avenue, Quezon City
Complaints may also be raised with the National Privacy Commission through its official channels.