What we collect, and why.

Umayon is a digital studio operating from Manila, Philippines. We design and build brand identities, websites, and product experiences for ambitious teams worldwide.

For all privacy enquiries, write to hello@umayon.io. We answer within five working days.

We collect only what we need to run this site and reply to enquiries. Specifically:

• Contact form submissions— your name, email, optional phone, optional company name, the service you're interested in, and the body of your message.
• Anonymous analytics events — pageviews, the project or product card you clicked, your country (derived from IP, then discarded), your device class (mobile / tablet / desktop), and a per-tab session identifier we generate locally. No personal information is associated with these events.

We do not buy, sell, or rent personal data. We do not run advertising trackers or third-party social-media pixels.

Contact form data is used solely to follow up on your enquiry and, if we engage, to deliver the service you requested. Internal admins of Umayon are the only people with access; we do not forward your message to third parties.

When you submit the contact form we send two emails: an internal notification to our team, and a confirmation receipt back to the address you provided. Both pass through our own SMTP relay; no third-party email provider sees your message.

Analytics events help us understand which projects, services, and pages resonate so we can keep improving the site. Aggregated counts only — never linked back to you.

We do not use tracking cookies.The session identifier our analytics uses is stored in your browser's sessionStorage — it disappears the moment you close the tab.

We use localStorageonly to remember your consent decision so we don't ask you again on every visit. That entry is technical, not analytical.

Analytics is split between two systems, both operated by Umayon — no third-party data processors:

• An in-house event log running on the same infrastructure as this website. Raw events are kept 180 days, then automatically deleted.
• A self-hosted Umami Analytics instance for traffic basics (sources, referrers, geographic breakdown). Umami is privacy-first by design and does not use cookies either.

The consent banner is the authoritative signal. We do not track at all until you press Accept. Browser-level signals (Do Not Track, Global Privacy Control) are not enforced server-side because the consent banner already provides explicit, recorded opt-in — but if you decline on the banner, no analytics events leave your device.

All personal data and analytics events are stored on infrastructure operated by Umayon — a self-hosted PostgreSQL database (one instance for application data, a separate one for Umami's event store) and a self-hosted S3-compatible object storage for any media you might attach.

Servers are located in the Philippines for the production environment. We never transfer your data to providers we do not control.

• Contact form leads— kept for as long as the relationship is active, plus seven years for accounting and audit purposes (Philippines BIR requirement). You can ask us to delete them earlier; see “Your rights” below.
• Raw analytics events — 180 days, then automatically purged. Aggregated daily counts (no IP, no session, no path) may be retained longer for trend analysis.
• Authentication tokens — refresh tokens for our internal admin tool expire after seven days; expired or revoked tokens are deleted within 15 minutes.

Whether you're in the Philippines (Data Privacy Act of 2012, RA 10173), the European Union (GDPR), the United Kingdom (UK-GDPR), or anywhere else, you have the following rights regarding your personal data:

• Access — request a copy of what we hold about you.
• Rectification — correct any data that is inaccurate or out of date.
• Erasure — ask us to delete your data, subject to legal retention requirements.
• Restriction and objection — limit how we process your data, or object to a specific use.
• Portability — receive your data in a structured, machine-readable format.
• Withdraw consent — at any time, by clearing your browser localStorage for this site, or by emailing us.

To exercise any of these, write to hello@umayon.io. We respond within 30 days.

You also have the right to lodge a complaint with the National Privacy Commission of the Philippines (npc.gov.ph) or your local data-protection authority.

Passwords for our internal admin tool are hashed with bcrypt at cost factor 12. Access tokens are signed JWTs with a 15-minute lifetime; refresh tokens are SHA-256 hashed before storage and rotate on every use. Repeated failed login attempts trigger an account lock.

We use TLS 1.2+ for all connections in production. Database backups are encrypted at rest.

This site is not directed at children under 16. We do not knowingly collect personal information from minors. If you believe a child has submitted data, contact us and we will delete it.

We may update this policy when our practices change. The “last updated” date at the top reflects the most recent version. Material changes will be flagged on the home page for at least seven days.