Privacy Policy

STI College (“we”, “us”, “EnrollEZ”) values your privacy. This policy explains what personal data we collect through the EnrollEZ enrollment platform, why we collect it, how we use it, and your rights under the Republic Act No. 10173, also known as the Data Privacy Act of 2012 (DPA), and its implementing rules and regulations.

§01Who we are

STI College is the personal information controller (PIC) for data submitted through this platform. Our Data Protection Officer (DPO) can be reached at dpo@enrollez.cloud.

§02What personal data we collect

We collect only data that is necessary to process your enrollment:

• Identity & contact information — first name, middle name, last name, date of birth, gender, mobile number, email address, and home address.
• Account credentials — your email and a password hashed using industry-standard bcrypt (we never see your plaintext password).
• Academic records — education level, previous school, year level, program/strand, and General Weighted Average (GWA) where applicable.
• Documents you upload— Form 137, PSA Birth Certificate, Certificate of Good Moral Character, 2×2 ID photo, and Transcript of Records as required by the branch you are applying to.
• Application activity — submission timestamps, review decisions, document review notes, and any administrative status changes.
• Technical data — your IP address (used for rate-limiting login and registration attempts), browser session cookies, and standard server access logs.

§03Why we collect it (purposes)

• To create and authenticate your applicant account.
• To process, review, and decide on your enrollment application.
• To communicate with you about your application status (email notifications for submission, document review, approval, rejection, or requests for revision).
• To comply with our legal, regulatory, and recordkeeping obligations as an educational institution.
• To maintain the security of the platform (audit logging, rate limiting, fraud detection).

We do not use your data for marketing, profiling, or automated decision-making other than the application-status workflow described above.

§04Legal basis

We rely on the following lawful bases under Section 12 of the DPA:

• Consent — when you register, you affirmatively agree to this policy and to the processing described here.
• Performance of a contract — the enrollment application process itself.
• Legal obligation — to comply with the regulations of the Commission on Higher Education (CHED), Department of Education (DepEd), and other applicable Philippine law.
• Legitimate interest — operating and securing the platform.

§05How we share your data

We share your data only as needed and only with parties bound by confidentiality and the DPA:

• Branch admissions staff at the EnrollEZ branch you applied to (BRANCH_ADMIN, DEPT_HEAD, REVIEWER roles) — strictly limited to the branch where you applied.
• STI College headquarters administrators (SUPER_ADMIN role) — for system administration, regulatory reporting, and dispute resolution.
• Service providers — our database host, email delivery service (transactional emails only), and cloud infrastructure provider. Each operates under a written data processing agreement.
• Government and regulatory authorities — when compelled by lawful order or to meet our DPA, CHED, or DepEd obligations.

We do not sell your personal data, and we do not share it with third-party advertisers.

§06How long we keep your data

• Approved applications — retained as part of your official student record for the duration required by Philippine education law and our retention schedule.
• Rejected applications — retained for up to two (2) years for audit and dispute purposes, then securely deleted.
• Audit logs — retained for up to two (2) years.
• Server access logs — retained for up to 90 days for security purposes.

§07How we secure your data

• Encryption at rest — your personal information, academic information, and uploaded documents are encrypted using AES-256-GCM before they are written to the database.
• Encryption in transit — all traffic between you and our servers is protected by HTTPS/TLS.
• Access control — role-based access control (RBAC) ensures staff see only the records permitted by their role and branch.
• Audit logging — sensitive admin actions (login, status overrides, document downloads) are recorded.
• Rate limiting and account lockout — to deter credential stuffing and brute-force attacks.

§08Your rights as a data subject

Under the DPA, you have the right to:

• Be informed of the data we hold about you.
• Access your data.
• Correct inaccurate or outdated data.
• Object to the processing of your data in certain circumstances.
• Erase or block your data when allowed by law.
• Request data portability.
• File a complaint with the National Privacy Commission (NPC).
• Claim damages for harms caused by unauthorized processing.

To exercise any of these rights, email our DPO at dpo@enrollez.cloud. We will respond within the timeframe required by the DPA (generally 15 calendar days).

§09Applicants who are minors

Many of our applicants are below 18 years old. If you are a minor, a parent or legal guardian must consent to the processing of your personal data on your behalf. By registering, you confirm that such consent has been obtained.

§10Cookies and session storage

We use only first-party, strictly necessary cookies to keep you signed in and to remember your theme and accessibility preferences. We do not use third-party tracking or advertising cookies.

§11Changes to this policy

We may update this policy from time to time. Material changes will be announced at the email address on your account at least 7 days before they take effect. The “Last updated” date at the top reflects the current version.

§12Contact us

For privacy questions, requests, or complaints:

• Data Protection Officer — dpo@enrollez.cloud
• General support — support@enrollez.cloud
• National Privacy Commission — privacy.gov.ph