phmasaya Privacy Policy

1 Introduction & Scope

phmasaya is committed to protecting the privacy and personal data of all players and platform visitors in accordance with Republic Act No. 10173, the Data Privacy Act of 2012 of the Republic of the Philippines ("DPA"), and its Implementing Rules and Regulations ("IRR"), together with any subsequent amendments, guidelines, and circulars issued by the National Privacy Commission ("NPC").

This Policy applies to all personal data collected and processed by phmasaya in connection with the operation of the phmasaya.app platform, including all gaming services, payment processing, customer support interactions, promotional communications, and identity verification activities. It applies to registered players, account applicants, website visitors, and any individual whose personal data phmasaya holds.

This Policy does not extend to third-party websites, payment providers, or game studios that may be linked to or integrated with the phmasaya platform. Those third parties operate under their own privacy policies, and phmasaya encourages you to review those policies independently.

2 Data Controller

For the purposes of the Data Privacy Act of 2012 and its Implementing Rules and Regulations, phmasaya is the personal information controller ("PIC") in respect of the personal data it collects and processes in connection with the phmasaya platform.

3 Personal Data We Collect

phmasaya collects the following categories of personal data from players and platform visitors:

3.1 Account and Identity Data

• Full legal name as it appears on a valid Philippine government-issued identification document;
• Date of birth (for the purpose of verifying that you are 21 years of age or older in compliance with Philippine gaming law);
• Philippine mobile number (in +63 format);
• Email address;
• Username and encrypted password credential;
• Copies of government-issued identification documents submitted during KYC verification (PhilSys National ID, UMID, LTO Driver's License, DFA Passport, COMELEC Voter's ID, PRC ID, or Postal ID);
• Selfie photographs submitted during identity verification;
• Residential address, where required for enhanced KYC or source-of-funds verification.

3.2 Financial and Transaction Data

• Deposit and withdrawal history, including amounts, dates, and payment methods used (GCash, Maya, BPI, BDO, UnionBank, Coins.ph, USDT);
• GCash and Maya account numbers or registered mobile numbers associated with payment transactions;
• Bank account numbers and bank names for bank transfer transactions;
• Cryptocurrency wallet addresses for USDT transactions;
• Source-of-funds documentation where requested in compliance with the Anti-Money Laundering Act.

3.3 Gaming and Behavioral Data

• Game session history, including games played, bet amounts, winnings, and session duration;
• Bonus and promotion usage history;
• Responsible gaming tool settings, including deposit limits, cooling-off periods, and self-exclusion elections;
• Customer support interaction records, including chat transcripts and email correspondence.

3.4 Technical and Device Data

• IP address and approximate geographic location derived therefrom;
• Device type, operating system, and browser type and version;
• Session logs and access timestamps;
• Cookie identifiers and similar tracking technology data as described in Section 9.

4 How We Collect Your Personal Data

phmasaya collects personal data through the following means:

• Directly from you — when you complete the account registration form, submit KYC documents, make deposits or withdrawal requests, contact customer support, or respond to promotional communications;
• Automatically — through cookies, session logs, and device identification technologies when you access and use the phmasaya platform (see Section 9);
• From payment processors — transaction confirmation data from GCash, Maya, BPI, BDO, UnionBank, and other payment providers in connection with deposit and withdrawal processing;
• From identity verification partners — where phmasaya engages third-party KYC and identity verification service providers, those providers may return verification results and risk scores to phmasaya in connection with the processing of your KYC submission;
• From public sources — where phmasaya is required by law or regulatory obligation to conduct enhanced due diligence, it may supplement player data with information from publicly available Philippine government databases or sanctions lists.

5 How We Use Your Personal Data

phmasaya uses the personal data it collects for the following purposes:

6 Legal Bases for Processing

phmasaya processes your personal data on the following legal bases as recognized under the Data Privacy Act of 2012:

• Contractual Necessity: Processing your name, contact details, financial data, and identity documents is necessary to fulfill our contractual obligations to you under the phmasaya Terms and Conditions, including account management, payment processing, and game delivery;
• Legal Obligation: Processing for KYC verification, AML compliance, PAGCOR regulatory reporting, and tax-related data retention is required by Philippine law, including Republic Act No. 9160 (Anti-Money Laundering Act), Republic Act No. 9194, and applicable PAGCOR regulations;
• Legitimate Interests: Processing of technical and device data for fraud prevention, platform security, and responsible gaming monitoring is conducted on the basis of phmasaya's legitimate interest in protecting the integrity of the platform and its players;
• Consent: Processing for direct marketing communications (email promotions, SMS offers) is conducted on the basis of your explicit consent, which you may withdraw at any time by contacting phmasaya support or using the unsubscribe mechanism in marketing communications.

7 Sharing Your Personal Data

phmasaya does not sell, rent, or trade your personal data to third parties for their marketing purposes. phmasaya may share your personal data with the following categories of recipients under the circumstances described:

7.1 Payment Service Providers

Personal data necessary to process deposits and withdrawals (including mobile numbers, bank account details, and transaction amounts) is shared with payment processors such as GCash (G-Xchange, Inc.), Maya (PayMaya Philippines, Inc.), and Philippine banking institutions (BPI, BDO, UnionBank) solely for the purpose of executing payment transactions on your behalf.

7.2 Identity Verification Partners

Where phmasaya engages third-party KYC and identity verification service providers to assist with the verification of player identity and document authenticity, those providers process the personal data submitted during KYC on phmasaya's behalf as personal information processors. phmasaya ensures that such providers are bound by contractual data protection obligations consistent with the DPA.

7.3 Regulatory Authorities

phmasaya is required by law to disclose certain player data to Philippine regulatory and law enforcement authorities, including the Philippine Amusement and Gaming Corporation (PAGCOR), the Anti-Money Laundering Council (AMLC), and other competent authorities, where required by applicable law, court order, or official regulatory directive. Such disclosures are made strictly in compliance with applicable legal requirements.

7.4 Gaming Platform and Technology Providers

phmasaya works with game studios, live dealer streaming providers, and platform technology vendors to deliver gaming services. These providers may process limited technical and session data on phmasaya's behalf as personal information processors. They are contractually prohibited from using such data for any purpose other than delivering the contracted services to phmasaya.

8 Data Retention

phmasaya retains your personal data for as long as is necessary to fulfill the purposes for which it was collected, subject to the minimum retention periods required by Philippine law:

• Account and Identity Data: Retained for the duration of your active phmasaya account, and for a minimum of five (5) years following account closure, in compliance with PAGCOR record-keeping requirements and the Anti-Money Laundering Act;
• Transaction and Financial Data: Retained for a minimum of five (5) years from the date of the transaction in compliance with the Anti-Money Laundering Act and applicable tax regulations;
• KYC Documents: Retained for a minimum of five (5) years from the date of verification or account closure, whichever is later;
• Customer Support Records: Retained for two (2) years from the date of the interaction, unless a longer period is required for the resolution of an ongoing dispute or legal proceeding;
• Technical and Device Data: Retained for twelve (12) months from collection, unless required for fraud investigation or legal proceedings;
• Marketing Consent Records: Retained for the duration of your marketing consent, plus three (3) years from the date of consent withdrawal.

Upon the expiry of the applicable retention period, phmasaya will securely delete or anonymize your personal data in accordance with procedures approved by its Data Protection Officer.

9 Cookies & Tracking Technologies

phmasaya uses cookies and similar tracking technologies on the phmasaya.app platform for the following purposes:

• Essential Cookies: Strictly necessary for the operation of the platform, including session management, login authentication, and security functions. These cookies cannot be disabled without affecting core platform functionality;
• Functional Cookies: Enable enhanced functionality and personalization, such as remembering your preferred game categories, language settings, and responsible gaming preferences;
• Analytics Cookies: Used to collect aggregated and anonymized data about how players interact with the platform, to improve platform performance and user experience. phmasaya uses privacy-compliant analytics tools that do not share identifiable data with third-party advertising networks;
• Security Cookies: Used for fraud detection, bot prevention, and platform integrity monitoring.

You may manage your cookie preferences through your browser settings. Disabling essential cookies may impair your ability to log into or use the phmasaya platform. phmasaya does not use third-party advertising or retargeting cookies.

10 Data Security

phmasaya implements the following technical and organizational security measures to protect your personal data against unauthorized access, disclosure, alteration, or destruction:

• SSL/TLS encryption for all data transmitted between your device and the phmasaya platform;
• AES-256 encryption for personal data stored in phmasaya's databases;
• Role-based access controls limiting access to personal data to authorized personnel on a strict need-to-know basis;
• Multi-factor authentication requirements for all phmasaya staff with access to player data systems;
• Regular security audits and penetration testing of phmasaya's platform infrastructure;
• Dedicated data breach response procedures including NPC notification protocols as required under the DPA IRR;
• Employee data privacy training and confidentiality obligations for all phmasaya staff.

11 Your Data Subject Rights

Under the Data Privacy Act of 2012 and its Implementing Rules and Regulations, you have the following rights with respect to your personal data held by phmasaya. To exercise any of these rights, please contact phmasaya's Data Protection Officer using the contact details in Section 15.