Your customer emails one Tuesday morning: "Per the Data Privacy Act, I am formally requesting a copy of all personal information your business holds about me."
This is a Data Subject Access Request (DSAR). Under Section 16 of RA 10173 and NPC Circular 16-01, you have 30 days to respond — or face administrative penalties under NPC Circular 2022-01.
Most Philippine business owners have never received one. Most don't have a process for when they do. This guide walks through the exact steps, from receipt to closure.
What a Data Subject Access Request Actually Is
A DSAR is the formal exercise of a data subject's right under Section 16 of the Data Privacy Act. The subject (your customer, employee, or anyone whose data you process) can request:
- Confirmation that you process their personal data
- A copy of that data in a readable format
- The purposes for which you're processing it
- The third parties you've shared it with
- The retention period applied
DSARs do not have to use any specific form, language, or channel. A Messenger DM saying "send me everything you have on me" counts as a DSAR.
The 7-Step Response Process
Step 1 — Acknowledge Within 72 Hours
Even before you investigate, send a written acknowledgment within 72 hours of receipt. Include:
- Confirmation you received the request
- The 30-day response deadline (calendar days from receipt)
- Your DPO's contact details
- A unique reference number for follow-up
Acknowledgment ≠ response. The 30-day clock keeps running.
Step 2 — Verify the Requester's Identity
You must confirm the request actually comes from the data subject (not an impersonator). Acceptable verification:
- Government-issued ID matching the data subject's records
- A signed authorization if filed by a representative
- A video call confirming identity for sensitive data requests
Never release data on the strength of an email address alone. The mailbox the request came from, or a look-alike address, may be under an attacker's control, and fraudulent DSARs are a known way of extracting a victim's data from a business. Verify through a channel you already hold on file (for example, a one-time code to the registered mobile number) rather than the channel the request arrived on, and collect no more identity evidence than the sensitivity of the data warrants.
Step 3 — Search Every System That Holds Their Data
Document every place the subject's data may live:
- CRM
- Email inbox and outbox
- Accounting software (invoices, receipts)
- Inventory or POS system
- Backup files
- Paper records
- Third-party processors (GCash, J&T, hosting providers)
Skipping systems is the most common mistake. The NPC has fined businesses specifically for incomplete responses.
Step 4 — Compile the Response Pack
Prepare the response in a format the subject can actually read:
- Plain English summary of what data you hold and why
- Machine-readable export (CSV or JSON) of the actual data; a PDF is readable by a person but not by a machine, so pair it with a structured file
- List of third parties the data has been shared with
- Retention periods applied per category
- Description of automated decision-making (if any)
Redact any third-party personal data inside the response — a customer is entitled to their own data, not their colleagues'.
Step 5 — Decide on Format and Delivery
Default to electronic delivery. Encrypt the file (an AES-256 encrypted archive or an encrypted PDF) and send the password through a separate channel such as the mobile number on file, never in the same email as the attachment. Avoid legacy ZIP "password protection" (ZipCrypto), which is weak and recoverable. Deliver to the contact details already on record; if the subject asks for a new delivery address, confirm that instruction through the address on file first, otherwise an impersonator who sent the request can redirect the whole pack to themselves. For paper records or very large exports, courier with tracking is acceptable.
Step 6 — Send Within 30 Days
The deadline is 30 calendar days from receipt of the original request. Weekends and Philippine holidays do not pause the clock.
If the request is complex (multi-year records, large datasets), you may extend by an additional 30 days — but you must notify the subject of the extension and the reason within the original 30-day window.
Step 7 — Log the Response
Keep records of:
- Date received, acknowledged, and responded
- Identity verification method used
- Systems searched
- Documents released
- Any data withheld and why
These logs are what you produce when the NPC audits.
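As an added example (not code from the original article), the Step 1 to Step 7 procedure as a small Python tracker: it computes the 72-hour acknowledgment and 30-day response deadlines from receipt in calendar time, searches every system and records the zero-hit systems too, redacts fields that point at other people before export, and emits the Step 7 log entry. The system names, field names, fixed PHT offset and sample records are constructed for illustration.

```python
"""Minimal DSAR case tracker: deadline arithmetic, per-system search record,
third-party redaction of the export, and the Step 7 audit log.

Added example for this guide, not code from the original article. System
names, record layouts and the sample records below are constructed."""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

PHT = timezone(timedelta(hours=8))            # Philippine time, fixed offset (assumption)
ACK_WINDOW = timedelta(hours=72)
RESPONSE_WINDOW = timedelta(days=30)          # calendar days; weekends/holidays do not pause it
EXTENSION_WINDOW = timedelta(days=30)
REDACTED = "[REDACTED: third-party personal data]"

# Fields that point at a person other than the record's own subject (constructed list).
THIRD_PARTY_FIELDS = {"referred_by", "cashier_employee_id", "cc", "agent"}

# Constructed sample data: each "system" holds records; every record names its subject.
SYSTEMS = {
    "crm": [
        {"subject_id": "C-1001", "name": "Maria Santos", "email": "maria@example.com",
         "referred_by": "C-2002"},
        {"subject_id": "C-2002", "name": "Jose Reyes", "email": "jose@example.com"},
    ],
    "pos": [
        {"subject_id": "C-1001", "receipt": "R-77", "total_php": 1499.00,
         "cashier_employee_id": "E-9"},
    ],
    "support_tickets": [
        {"subject_id": "C-2002", "ticket": "T-5", "body": "late delivery"},
    ],
    "backups_2023": [],   # searched, nothing found: still belongs in the log
}
SAMPLE_RECEIVED = datetime(2024, 1, 30, 9, 0, tzinfo=PHT)


def deadlines(received: datetime, extended: bool = False) -> dict[str, datetime]:
    """Acknowledgment, response and (optional) extended deadlines from receipt."""
    due = received + RESPONSE_WINDOW
    out = {"acknowledge_by": received + ACK_WINDOW, "respond_by": due}
    if extended:
        out["extended_respond_by"] = due + EXTENSION_WINDOW
    return out


def redact_third_parties(record: dict) -> dict:
    """Copy a record, replacing references to other people with a marker."""
    return {k: (REDACTED if k in THIRD_PARTY_FIELDS else v) for k, v in record.items()}


@dataclass
class DsarCase:
    reference: str
    subject_id: str
    received: datetime
    verification_method: str
    systems_searched: dict[str, int] = field(default_factory=dict)
    redactions: int = 0
    export: dict[str, list[dict]] = field(default_factory=dict)


def compile_response_pack(case: DsarCase, systems: dict[str, list[dict]]) -> DsarCase:
    """Search every system, keep only the requester's records, redact others' data."""
    for system, records in systems.items():
        hits = [r for r in records if r.get("subject_id") == case.subject_id]
        case.systems_searched[system] = len(hits)      # zero hits is still proof of a search
        cleaned = []
        for r in hits:
            case.redactions += sum(1 for k in r if k in THIRD_PARTY_FIELDS)
            cleaned.append(redact_third_parties(r))
        if cleaned:
            case.export[system] = cleaned
    return case


def audit_log_entry(case: DsarCase, responded: datetime) -> dict:
    """The Step 7 record: dates, verification method, systems searched, what was withheld."""
    d = deadlines(case.received)
    return {
        "reference": case.reference,
        "received": case.received.isoformat(),
        "respond_by": d["respond_by"].isoformat(),
        "responded": responded.isoformat(),
        "on_time": responded <= d["respond_by"],
        "identity_verification": case.verification_method,
        "systems_searched": case.systems_searched,
        "third_party_fields_redacted": case.redactions,
        "records_released": sum(len(v) for v in case.export.values()),
    }


def run_sample() -> tuple[DsarCase, dict]:
    """Work the constructed request for C-1001 end to end."""
    case = DsarCase("DSAR-2024-001", "C-1001", SAMPLE_RECEIVED, "government ID + OTP to number on file")
    compile_response_pack(case, SYSTEMS)
    entry = audit_log_entry(case, datetime(2024, 2, 20, 16, 30, tzinfo=PHT))
    return case, entry


if __name__ == "__main__":
    case, entry = run_sample()
    print(json.dumps({"export": case.export, "log": entry}, indent=2))
```

The tracker covers the structured stores; email, paper and processor-held data still need a manual search, and the result of that search should be entered into the same log. The redaction list is the part that needs maintenance per system, since a new "referred by" or "handled by" column silently puts someone else's data into the next export.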
The 4 Valid Grounds for Refusal
You can lawfully refuse a DSAR in only these cases (NPC Advisory Opinion 2017-21):
- Manifestly excessive — the same subject has filed identical requests recently
- Disproportionate effort — the data is dispersed beyond reasonable retrieval
- Public order or national security — narrow exception, rarely applies to private SMEs
- Legal privilege — communications between you and your lawyer
"It's inconvenient" is not a valid ground. Neither is "the requester is annoying."
Common DSAR Mistakes
- Treating the email as customer service rather than a legal request
- Skipping identity verification and releasing data to an impersonator
- Forgetting backups, archives, or third-party processor data
- Including other subjects' personal data in the response (a separate breach)
- Missing the 30-day deadline because you "didn't see it in time"
Frequently Asked Questions
Can I charge a fee for processing a DSAR?
Generally no. The first request from a subject is free. Only repeated or excessive requests can incur a reasonable fee, and you must justify it.
What if my business is too small to have a CRM?
Your obligation is the same regardless of size. If you only have email and a spreadsheet, your DSAR response includes everything in both.
Does this apply to employee data too?
Yes. Employees are data subjects with the same rights. Common DSARs come from former employees requesting their entire HR file.
Don't Wait for Your First DSAR
The first DSAR is always stressful. The fifth one is routine — if you have a written process. A pre-built DSAR template, an identity verification script, and a documented search checklist take an afternoon to create.
At RDahunan I.T. Services we draft DSAR response templates, train DPO teams, and handle DSARs end-to-end for Philippine SMEs as part of our outsourced DPO service. Send us a message for a free 30-minute DSAR readiness check.
General DPO guidance. Not legal advice.