Skip to main content

Privacy Policy

·5 mins

Last updated: July 9, 2026

This Privacy Policy explains what data BIR Online Tools collects when you use this blog (bir-online-tools.com/blog/) or the application (bir-online-tools.com/app/), why we collect it, who we share it with, and the choices you have. BIR Online Tools is not affiliated with or endorsed by the Bureau of Internal Revenue (BIR).

What data we collect #

If you only read the blog #

We collect basic analytics data through Google Analytics — pages visited, approximate location, device/browser type, and referral source. Google Analytics uses cookies to do this; see the Cookies section below.

If you create an app account #

Using the BIR Online Tools app requires an account, which collects:

  • Account details: your name, email address, and a securely hashed password (we never store your password in plain text). If you sign in with Google, we receive your name and email from Google instead of setting a password.
  • Company profile: for each company you add, we store the company/trade name, owner name, 9-digit TIN, branch code, RDO code, taxpayer classification, and business address — the details needed to generate BIR-compliant certificates and DAT files under that company’s name.
  • Generated certificates and DAT files: when you generate a BIR Form 2307 certificate or a DAT file, we store the underlying data (payee/payor TINs, names, branch codes, income amounts, and the resulting document) in your company’s record, so you can retrieve it later from the DAT Repository or certificate history.
  • Email delivery data: if you use the “email certificate” feature, we send the recipient’s email address and the generated PDF to our email provider to deliver it on your behalf.

We only collect what’s needed to generate, save, and deliver your tax documents — we do not sell or rent this data to anyone.

How we use your data #

  • To create and secure your account, and verify your email address
  • To generate BIR Form 2307/2316 certificates and DAT files under your company profiles
  • To save your generated documents so you can retrieve them later
  • To email certificates to payees at your request
  • To send account-related messages (email verification, password reset)
  • To understand aggregate blog readership through Google Analytics

Who we share data with #

We use a small number of third-party service providers to operate BIR Online Tools. Each is listed below with exactly what it receives.

ServicePurposeData it receives
ResendSends email verification codes, password reset emails, and certificate deliveriesRecipient email address; for certificate emails, the generated PDF attachment
PayMongoProcesses payments (GCash, Maya) for paid plans, where applicablePayment and billing details you provide at checkout
Google AnalyticsAggregate blog and app usage analyticsPages visited, device/browser type, approximate location, via cookies

We do not share your company data, TINs, or generated certificates with any party beyond what’s needed to deliver the service you requested (for example, emailing a certificate to the payee you specified).

Where and how your data is stored #

The app stores data using an offline-first architecture: your data is written to your browser first, then synced in the background to our servers once you’re online. Company data is stored in a dedicated database per company on our database server, separate from our application server. Both servers use HTTPS/TLS encryption in transit. Because the app is offline-first, some data may also remain cached in your browser’s local storage until it syncs or you clear your browser data.

Cookies #

  • The app does not use cookies for authentication — sign-in is handled with a token stored in your browser’s local storage, not a cookie.
  • Google Analytics, used on both the blog and the app, sets its own cookies to measure usage.
  • The app sets one unrelated cookie to remember a UI preference (whether a sidebar is expanded or collapsed) — this contains no personal data.

You can block or delete cookies in your browser settings; doing so may affect analytics but will not prevent you from using the app, since sign-in does not depend on cookies.

Data retention and deletion #

  • Unverified accounts (email not confirmed) are automatically deleted after 7 days.
  • Company deletion: you can delete a company profile yourself from within the app. This permanently removes that company’s stored data, including its certificates and DAT files.
  • Full account deletion: to delete your entire account, contact us at bir.online.tools@gmail.com. We currently process full account deletions manually to confirm the request is genuinely from the account owner.

Your rights #

Depending on your jurisdiction, you may have the right to access, correct, or request deletion of your personal data. Philippine users have rights under the Data Privacy Act of 2012 (RA 10173), including the right to be informed, to access your data, to object to processing, and to request correction or deletion. To exercise any of these rights, contact us using the details below.

Children’s privacy #

BIR Online Tools is intended for business and professional use and is not directed at children. We do not knowingly collect data from anyone under 18.

Changes to this policy #

We may update this Privacy Policy as the app’s features or data practices change. Material changes will be reflected by updating the “Last updated” date above.

Contact #

Questions about this policy or your data? Email bir.online.tools@gmail.com or see our Contact page.