Back to home

Privacy Policy

Last updated: April 15, 2026

This Privacy Policy explains how Booyah Digital Services, operating under the trade name Lista AI (“Lista AI,” “we,” “us,” or “our”), collects, uses, discloses, and protects personal information when you use our website and services (the “Service”). We are committed to protecting your privacy in accordance with Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012 (“DPA”), its Implementing Rules and Regulations, and the issuances of the National Privacy Commission (“NPC”).

1. Information We Collect

We collect the following categories of personal information:

  • Account information. When you register, our authentication provider, Clerk, collects your name, email address, profile image (if provided), and authentication credentials. We receive a user identifier and basic profile details from Clerk.
  • Brand and business information. Brand names, logos, product categories, descriptions, and other inputs you provide to generate listings.
  • Content and usage data. Prompts you submit, listings and images you generate, token consumption, feature interactions, timestamps, and diagnostic information such as device type, browser, and IP address.
  • Payment information. Payments are processed by PayMongo. We do not store full card numbers on our servers. We retain payment metadata such as the last four digits of the card, card brand, transaction identifiers, billing amounts, and subscription status.
  • Communications. Records of support requests, feedback, and correspondence you send to us.

2. How We Use Your Information

We use personal information to:

  • Provide, operate, and maintain the Service, including authenticating users, generating listings, processing images, and managing your account;
  • Process subscription payments, token purchases, invoices, and refunds where applicable;
  • Improve the Service, including evaluating model output quality, debugging issues, and developing new features;
  • Communicate with you about service updates, billing events, security alerts, and (with your consent) marketing messages;
  • Detect, prevent, and investigate fraud, abuse, violations of our Terms, and security incidents; and
  • Comply with legal obligations and respond to lawful requests from authorities.

3. Legal Bases for Processing

Under the DPA, we process personal information based on one or more of the following: (a) your consent; (b) the performance of a contract to which you are a party, such as these Terms and your subscription; (c) compliance with a legal obligation; (d) our legitimate interests, such as securing the Service and preventing abuse, balanced against your rights and freedoms; and (e) the protection of your vital interests or those of another person.

4. Third-Party Processors

We engage the following third-party processors to deliver the Service. These processors act under written agreements that require them to protect personal information consistent with the DPA:

  • Clerk — authentication and user identity management.
  • Supabase — database and file storage for your account data and generated content.
  • Google (Gemini) — AI processing for text and image generation.
  • PayMongo — payment processing for subscriptions and token purchases.
  • Vercel — application hosting and content delivery.
  • Resend — transactional and notification email delivery.

Some of these processors may store or process data outside the Philippines. Where cross-border transfers occur, we use providers that maintain recognized security standards and contractual safeguards consistent with the DPA and NPC guidance.

5. Your Rights as a Data Subject

Under the Data Privacy Act, you have the following rights with respect to your personal information:

  • Right to be informed about how your data is collected and processed;
  • Right to access your personal information held by us;
  • Right to object to certain processing activities, including direct marketing;
  • Right to rectification to correct inaccurate or incomplete data;
  • Right to erasure or blocking of your personal information where permitted by law;
  • Right to data portability to receive your data in an electronic, structured, and commonly-used format;
  • Right to damages for violations of the DPA; and
  • Right to file a complaint with the National Privacy Commission.

To exercise any of these rights, contact our Data Protection Officer using the details below. We will respond within the timelines required by law.

6. Data Retention

We retain personal information for as long as your account is active and for an additional one (1) year thereafter, or longer where required to comply with legal, tax, accounting, or regulatory obligations (including the record-keeping requirements under Philippine tax law and the Bureau of Internal Revenue). When retention is no longer necessary or lawful, we delete or anonymize the information.

7. Cookies and Similar Technologies

We use a small number of cookies and similar technologies that are strictly necessary to operate the Service. This includes httpOnly session cookies used by our authentication provider to keep you signed in, and a cookie named active_brand_id used to remember the brand context you are currently working in. We do not use third-party advertising cookies. You can control cookies through your browser settings, but disabling essential cookies may prevent the Service from functioning correctly.

8. Data Security

We implement reasonable and appropriate organizational, physical, and technical safeguards to protect personal information against accidental or unlawful destruction, alteration, unauthorized disclosure, or access. These measures include encryption of data in transit using TLS, encryption at rest for databases and file storage, Supabase Row-Level Security (RLS) policies that enforce per-tenant access isolation, role-based access controls, authentication through Clerk, and regular review of access logs. No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security.

9. Children’s Privacy

The Service is intended for users who are at least eighteen (18) years of age. We do not knowingly collect personal information from minors. If we become aware that a person under eighteen has provided us with personal information, we will delete it promptly. If you believe a minor has provided us with personal information, please contact our Data Protection Officer.

10. Data Breach Notification

In the event of a personal data breach that is likely to give rise to a real risk of serious harm to affected data subjects, we will notify the National Privacy Commission and affected users in accordance with the timelines and procedures set forth in the DPA and applicable NPC circulars.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date above and, where required by law, notify you by email or through the Service. We encourage you to review this policy periodically.

12. Contact the Data Protection Officer

Booyah Digital Services is the personal information controller under Philippine law. You may contact our Data Protection Officer regarding this policy, the exercise of your rights, or any privacy concern at privacy@booyahdigital.ph. You also have the right to lodge a complaint with the National Privacy Commission at privacy.gov.ph.