Privacy Policy

Effective Date: March 05, 2026

Cambe Group ("we," "us," or "our") is committed to protecting the privacy and security of your personal information. This Privacy Policy ("Policy") describes how we collect, use, disclose, and safeguard your personal data in connection with our website and services. We operate primarily from the Republic of the Philippines and provide products and services related to the sale of airplanes, helicopters, aircraft parts, and tools. This Policy is designed to comply with applicable data protection and cybersecurity laws, including:

  • The Republic Act No. 10173 (Data Privacy Act of 2012) of the Philippines ("DPA") and its Implementing Rules and Regulations;
  • To the extent applicable to our operations involving United States residents, the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020) ("CCPA/CPRA"), the Gramm-Leach-Bliley Act ("GLBA") for financial privacy where relevant, the Federal Trade Commission Act ("FTC Act") for unfair or deceptive practices, and other relevant U.S. federal and state privacy and cybersecurity laws, such as those promulgated by the National Institute of Standards and Technology ("NIST") under frameworks like NIST Special Publication 800-53 for security controls; and
  • To the extent that we offer goods or services to individuals in the European Union/European Economic Area ("EU/EEA") or otherwise process the personal data of EU/EEA residents (e.g., through targeted online sales, shipping options, or inquiries from EU-based customers), the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR").

By accessing our website or providing us with your personal information, you acknowledge that you have read, understood, and consent to the practices described in this Policy. If you do not agree with this Policy, please do not use our website or services.

1. Information We Collect

We collect only the personal information that you voluntarily provide to us directly through our website or in connection with our services. We do not use cookies, web beacons, tracking pixels, or any other automated tracking technologies to collect information about your online activities. Specifically, the categories of personal information we may collect include:

  • Identifiers and Contact Information: Login username, login password (stored in hashed and salted form), first name, last name, home address, and phone number.
  • Demographic Information: Age, ethnicity, and gender (collected only where necessary to tailor our services or respond to specific inquiries, such as compliance with export regulations or personalized consultations).
  • Professional Information: Job information (e.g., occupation or employer details, if relevant to your inquiries or purchases).
  • Inquiry-Related Information: Details about your inquiries regarding airplanes, helicopters, parts, or tools, including specifications, preferences, or requirements you provide.

We do not collect sensitive personal information beyond what is strictly necessary for the purposes outlined below, and we do not engage in the sale, sharing, or cross-context behavioral advertising of personal information as defined under the CCPA/CPRA or the GDPR.

2. How We Collect Your Information

Your personal information is collected directly from you when you:

  • Create an account or log in to our website.
  • Submit inquiries, requests for quotes, or orders for our products and services.
  • Contact us via phone, email, or other communication channels.
  • Voluntarily provide such information in the course of our business interactions.

We do not collect information from third-party sources, automated means, or public databases unless explicitly authorized by you in writing.

3. How We Use Your Information

We use your personal information solely for legitimate business and service purposes directly related to the requests or information you provide to us. In accordance with the principles of data minimization, proportionality, and purpose limitation under the DPA, CCPA/CPRA, and GDPR (Article 5), our uses are limited to:

  • Processing and fulfilling your inquiries, orders, or requests for airplanes, helicopters, parts, or tools (including contract performance under GDPR Article 6(1)(b)).
  • Authenticating your identity for account access and security purposes.
  • Communicating with you about your inquiries, transactions, or services, including providing updates, confirmations, or support.
  • Complying with legal obligations, such as export controls, tax reporting, or regulatory requirements in the Philippines, the United States, and the EU/EEA.
  • Improving our internal business operations, such as analyzing aggregate inquiry trends (without identifying individuals) to enhance our product offerings (pursuant to legitimate interests under GDPR Article 6(1)(f), subject to balancing tests where applicable).

We do not use your personal information for marketing, profiling, automated decision-making (including profiling under GDPR Article 22), or any purposes not directly requested or consented to by you. Under no circumstances do we sell, rent, or share your personal information for monetary or other valuable consideration.

4. How We Share Your Information

Mobile Information will not be shared with third parties for marketing purposes. We do not share your personal information with third parties except in the following limited circumstances:

  • With service providers (e.g., payment processors, shipping companies, or IT vendors) who perform functions on our behalf and are contractually bound to use your information only for those purposes, subject to strict confidentiality and data protection agreements compliant with the DPA, CCPA/CPRA, and GDPR.
  • To comply with legal obligations, such as responding to valid subpoenas, court orders, or regulatory requests from authorities in the Philippines (e.g., National Privacy Commission), the United States, or the EU/EEA (e.g., supervisory authorities under the GDPR).
  • In the event of a merger, acquisition, or asset sale, where your information may be transferred as a business asset, subject to equivalent privacy protections.

We do not disclose your personal information to any affiliates, partners, or advertisers for their independent use.

5. Security Measures

We implement reasonable and appropriate administrative, technical, and physical safeguards to protect your personal information from unauthorized access, disclosure, alteration, or destruction, in full compliance with the DPA's requirements for security of personal data, the DPA's Implementing Rules and Regulations, U.S. cybersecurity laws and best practices (including NIST Special Publication 800-53), and GDPR Article 32 (security of processing).

  • Encryption: All personal information transmitted between your device and our servers is secured using the HTTPS protocol with Transport Layer Security (TLS) encryption (version 1.3 or higher). This ensures that data in transit, such as login credentials or inquiry details, is protected against interception.
  • Access Controls: Access to your personal information is restricted to authorized personnel on a need-to-know basis, with multi-factor authentication and role-based access controls in place.
  • Data Storage: Personal information is stored in secure databases hosted in compliance with Philippine data localization requirements where applicable, using encryption at rest (e.g., AES-256).
  • Cybersecurity Compliance and Procedures: We adhere to all applicable cybersecurity laws and procedures in the Philippines, the United States, and the EU/EEA (where GDPR applies), including regular risk assessments, vulnerability scanning, penetration testing, employee training on data security, and the maintenance of a comprehensive incident response plan. Our practices are aligned with the DPA's mandate for organizational, physical, and technical security measures, NIST guidelines, and GDPR requirements for appropriate technical and organizational measures. In the event of a data security incident, we follow mandatory notification protocols under the DPA (notifying the National Privacy Commission and affected data subjects within 72 hours where required), U.S. laws (e.g., state breach notification statutes), and GDPR Article 33 (notification to supervisory authorities within 72 hours where feasible) and Article 34 (notification to data subjects where high risk).

While we strive to protect your personal information, no method of transmission over the internet or electronic storage is entirely secure. You are responsible for maintaining the confidentiality of your login credentials.

6. Your Privacy Rights

Depending on your location and applicable laws, you may have the following rights regarding your personal information:

  • Under the DPA (Philippines): The right to be informed, object to processing, access your data, correct inaccuracies, erase or block data, data portability, damages for violations, and to withdraw consent.
  • Under the CCPA/CPRA (California Residents): The right to know what personal information we collect, delete your information, opt out of sales (though we do not sell data), non-discrimination, and limit use of sensitive personal information.
  • Under the GDPR (EU/EEA Residents, where applicable): The right to access (Article 15), rectification (Article 16), erasure ("right to be forgotten," Article 17), restriction of processing (Article 18), data portability (Article 20), objection (Article 21), and not to be subject to automated decision-making (Article 22). You also have the right to withdraw consent at any time (where processing is based on consent) without affecting the lawfulness of processing before withdrawal, and the right to lodge a complaint with a supervisory authority (e.g., your national data protection authority in the EU/EEA).

To exercise these rights, please contact us using the details below. We will respond to verifiable requests within the timeframes required by law (e.g., 45 days under CCPA/CPRA, extendable; 1 month under GDPR, extendable to 3 months for complex cases; 15 days under DPA for access requests). We do not discriminate against individuals exercising their rights.

7. Retention of Your Information

We retain your personal information only for as long as necessary to fulfill the purposes outlined in this Policy, comply with legal obligations, resolve disputes, or enforce our agreements, in line with the storage limitation principle of GDPR Article 5(1)(e). For example, account information may be retained for the duration of your relationship with us plus a reasonable period thereafter for record-keeping. Upon request or when no longer needed, we will securely delete or anonymize your data.

8. International Data Transfers

We are a Philippines-based company, and your personal information is primarily processed and stored in the Philippines. If we transfer data to the United States, the EU/EEA, or other jurisdictions (or if GDPR applies), we ensure appropriate safeguards are in place in compliance with applicable laws, such as:

  • Standard Contractual Clauses (SCCs) approved by the European Commission (for GDPR transfers);
  • Adequacy decisions (where available); or
  • Other mechanisms permitted under the DPA, CCPA/CPRA, and GDPR Chapter V.

9. Children's Privacy

Our services are not directed to individuals under the age of 18 (or the age of majority in your jurisdiction). We do not knowingly collect personal information from children. If we become aware of such collection, we will delete it promptly.

10. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by posting the updated Policy on our website with a revised effective date. Your continued use of our services after such changes constitutes acceptance of the updated Policy.

11. Contact Us

If you have questions about this Policy or our privacy practices, or to exercise your rights, please contact our Data Protection Officer at:

Cambe Group

[Address in the Philippines]

Email: [email protected]

USA Phone: +1 (424) 363-5851

This Policy is governed by the laws of the Republic of the Philippines, without regard to conflict of laws principles, except where mandatory provisions of the GDPR or other applicable laws require otherwise.