Privacy Policy

Last updated: April 28, 2026

This Privacy Policy explains how TOS WEB PUBLISHING ("Selebox", "we", "our", or "us") collects, uses, shares, and protects your personal information when you use our mobile application, website at selebox.com, or related services (collectively, the "Service").

This policy is designed to comply with the Philippines Data Privacy Act of 2012 (Republic Act No. 10173), its Implementing Rules and Regulations, and Issuances of the National Privacy Commission (NPC). It also incorporates analogous principles from the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) for users in those jurisdictions.

By using the Service, you consent to the practices described here.

Contents

Who We Are
Information We Collect
How We Use Your Information
Legal Bases for Processing
How We Share Information
Third-Party Services
International Data Transfers
Cookies and Local Storage
Data Retention
Data Security
Your Rights
How to Delete Your Account
Children's Privacy
Changes to This Policy
Contact Us

1. Who We Are

Selebox is operated by TOS WEB PUBLISHING, a business registered in the Philippines. For purposes of the Data Privacy Act, we are the Personal Information Controller for the data described in this policy.

Our designated Data Protection Officer (DPO) is:

Name: Charles Santos
Email: dpo@selebox.com
Postal address: Malolos, Bulacan, Philippines

2. Information We Collect

2.1 Account information

When you register or sign in:

Email address (required for account recovery and important notices)
Username, profile photo, banner, bio, location, website (if you provide them)
Authentication data from sign-in providers (e.g. Google account ID; we do not see or store your Google password)
Account role (user, author, moderator, admin)

2.2 Content you create

Posts, comments, replies, and direct messages you write
Images, videos, and audio you upload
Books, chapters, and reading progress data
Reactions, bookmarks, follows, blocks, and reports you submit

2.3 Usage and device data

Device type, operating system, browser type and version
IP address (used for security, fraud prevention, and approximate region detection)
App and feature usage patterns (which screens you visit, what you click, when sessions start and end)
Performance and crash diagnostics

2.4 Payment-related information

When you purchase Coins, we collect:

Transaction metadata (which pack you bought, amount, currency, timestamp, payment method type)
Payment provider transaction IDs (for reconciliation and refunds)

We do not see, collect, or store your full payment card number, CVV, or e-wallet credentials. All sensitive payment data is handled directly by our payment provider (HitPay) under their own privacy policy and PCI-DSS compliance.

2.5 Wallet activity

Coin and Star balance
Coin and Star transaction ledger (purchases, ad rewards, content unlocks, admin adjustments)
Records of which content (chapters, videos, books) you have unlocked
Daily ad-watch counts (mobile only)

2.6 Information you provide to support

If you contact us via email, in-app feedback, or other channels, we keep records of the conversation, including any attachments you send.

3. How We Use Your Information

We use your information to:

Operate the Service and provide the features you sign up for;
Authenticate your identity and protect your account;
Process payments and credit Coins to your wallet;
Personalize content recommendations (e.g. videos in "Up Next", book suggestions);
Send important transactional notifications (e.g. payment receipts, security alerts);
Detect, prevent, and respond to fraud, abuse, and security incidents;
Enforce our Terms of Service;
Improve the Service through aggregated analytics and bug investigation;
Comply with our legal obligations (e.g. tax, anti-money-laundering, court orders).

4. Legal Bases for Processing

Under the Philippines Data Privacy Act (and the GDPR for EU users), we rely on the following legal bases:

Consent — when you explicitly agree (e.g. accepting these Terms at sign-up).
Contractual necessity — to deliver the Service you signed up for.
Legitimate interests — for fraud prevention, security, analytics, and product improvement, balanced against your rights.
Legal obligation — to comply with tax, accounting, and law-enforcement requests.

We do not sell your personal information. We share information only in the following circumstances:

With service providers who help us operate the Service (see Section 6).
With other users when you choose to share publicly — e.g. posts, comments, profile information, books you publish.
For legal reasons when required by valid legal process, or to protect our rights, our users' safety, or to investigate fraud or security incidents.
In a business transfer — if Selebox is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your information becomes subject to a different privacy policy.
With your consent — for any other purpose disclosed at the time we ask.

6. Third-Party Services

We use the following processors. Each is bound by data-processing agreements that require them to handle your information securely and only on our instructions:

Service	Purpose	Region
Supabase	Database, authentication, real-time messaging, file storage	United States / Global
Bunny.net	Video hosting, encoding, streaming, CDN	European Union / Global
HitPay	Payment processing for Coin purchases	Singapore
Vercel	Website hosting and content delivery	United States / Global
Appwrite	Mobile-app backend (legacy)	European Union / Global
Google AdMob	Rewarded advertising (mobile app only)	United States / Global
Google OAuth	Sign-in with Google option	United States / Global

You can review each provider's privacy practices on their respective websites. If you have questions about a specific provider's role, contact our DPO at dpo@selebox.com.

7. International Data Transfers

Some of our service providers operate servers outside the Philippines. When your information is transferred internationally (for example, to United States–hosted Supabase databases or EU-hosted Bunny.net storage), we rely on safeguards permitted under the Philippines Data Privacy Act, including the use of providers that are independently certified under recognized frameworks (e.g. EU GDPR adequacy, SOC 2, ISO 27001).

8. Cookies and Local Storage

Our website uses cookies and browser local storage for the following purposes:

Authentication — keeping you signed in across page loads (Supabase auth session cookies).
Preferences — remembering your theme (light / dark), font-size in the reader, dismissed banners, and similar UI choices.
Functional state — tracking reading progress, pagination, and one-time actions (e.g. balance migration confirmation).

We do not use third-party advertising cookies on the website. Mobile-app advertising is handled exclusively in the Selebox mobile app via Google AdMob, subject to its own privacy policy.

You may clear cookies and local storage through your browser settings. Doing so will sign you out and reset your preferences.

9. Data Retention

We retain personal information only as long as needed to fulfill the purposes outlined in this policy, satisfy legal obligations, or resolve disputes.

Data type	Retention period
Account profile data	Until you delete your account, then a 30-day grace period for recovery, after which permanently deleted.
Content (posts, books, chapters, videos, comments)	Until you delete it, your account, or until we are legally required to retain it.
Direct messages	Until either participant deletes their account.
Wallet, transaction, and unlock records	10 years (per Bureau of Internal Revenue tax record-keeping requirements).
Audit logs (admin actions, security events)	7 years.
Anonymized analytics data	Indefinitely (no personal identifiers retained).

10. Data Security

We employ technical and organizational measures designed to protect your personal information, including:

Encryption in transit (TLS 1.2 or higher) for all communications between your device and our servers;
Encryption at rest for sensitive database fields and storage;
Row-level security policies on our database that restrict access to your own data;
HMAC verification on payment webhooks to prevent forged transactions;
Audited access controls for staff who can view user data;
Regular security reviews of our codebase and infrastructure.

No system can guarantee absolute security. If we become aware of a personal data breach that affects you, we will notify you and the National Privacy Commission within the timeframes required by Philippine law.

11. Your Rights

Under the Philippines Data Privacy Act and analogous laws (including GDPR for EU users and CCPA for California users), you have the following rights:

Right to be informed — to know what personal data we process about you and why.
Right to access — to request a copy of the personal data we hold about you.
Right to data portability — to receive your data in a structured, commonly-used, machine-readable format.
Right to correction — to update inaccurate or outdated information.
Right to erasure — to request deletion of your personal data, subject to legal retention requirements.
Right to object — to processing based on legitimate interests, including direct marketing.
Right to withdraw consent — at any time, where processing relies on your consent.
Right to file a complaint — with the Philippines National Privacy Commission (privacy.gov.ph) or your local data protection authority if you are outside the Philippines.

To exercise any of these rights, contact dpo@selebox.com. We will respond within 30 days. We may need to verify your identity before fulfilling certain requests.

12. How to Delete Your Account

You can delete your Selebox account at any time. We offer two methods:

12.1 In-app deletion (fastest)

Open the Selebox app on your phone.
Tap your profile avatar in the top-right of the home screen.
Open Settings.
Scroll to the bottom and tap Delete Account.
Confirm the deletion when prompted.

Your account is marked for deletion immediately and you are signed out. After a 30-day grace period (during which you can sign back in to cancel deletion), all personal data described below is permanently removed.

12.2 Email request (if the app is unavailable)

If you cannot access the in-app option, send an email to dpo@selebox.com from the email address associated with your Selebox account. Include your username if you remember it. We will verify your identity, confirm the request, and complete deletion within 30 days.

12.3 What gets deleted

Within 30 days of confirmed deletion, we permanently remove:

Your profile (username, email, avatar, bio, banner, location, website)
Your authored content (posts, books, chapters, videos, stories, comments, replies)
Your direct messages (where the other participant has not also kept the thread)
Your follow / follower relationships
Your reactions, bookmarks, and reading history
Your push notification tokens and device identifiers
Your Coin / Star wallet balance (any unspent balance is forfeited; please use it before deletion)

12.4 What we are required to retain

Some records must be kept for legal and operational reasons even after account deletion:

Wallet, transaction, and unlock records — retained for 10 years per Bureau of Internal Revenue tax record-keeping requirements (Philippines).
Audit logs — retained for 7 years for security and compliance investigations.
Aggregated, anonymized analytics — retained indefinitely (cannot be linked back to you).
Content engaged by other users — books or videos other users have downloaded or paid to unlock remain accessible to those users; references to your authorship are removed.

12.5 Effect on third-party data

Deleting your Selebox account does not automatically delete data held by third-party services you may have linked (Google, Apple, payment processors). To remove those, please contact each service directly.

13. Children's Privacy

Selebox is not directed to children under 16 years of age. We do not knowingly collect personal information from anyone under 16. If we learn that we have collected information from a user under 16, we will delete the account and the associated data.

If you are a parent or guardian and believe your child has created an account, please contact us at dpo@selebox.com immediately.

14. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent revision. For material changes (such as new categories of data collection or new sharing practices), we will notify registered users by email and / or in-app notice at least 14 days before the changes take effect.

We encourage you to review this policy periodically.

15. Contact Us

For privacy-related questions, requests, or concerns:

Data Protection Officer: dpo@selebox.com
General support: support@selebox.com
Postal address: Malolos, Bulacan, Philippines
Website: https://www.selebox.com

You may also file a complaint with the National Privacy Commission of the Philippines at privacy.gov.ph if you believe we have not handled your personal data appropriately.