phaa Privacy Policy

1. Who We Are (Data Controller)

For the purposes of the Philippine Data Privacy Act of 2012 (Republic Act No. 10173, hereinafter "DPA"), phaa — the operator of the phaa.one online gaming platform — is the Personal Information Controller (PIC) in respect of personal data collected through the Platform. phaa is a PAGCOR-licensed online gaming operator duly organised and operating under Philippine law. Our registered Data Protection Officer (DPO) can be contacted via the details provided in Section 14 of this Policy.

This Privacy Policy applies to all personal information collected from individuals who register a phaa account, visit phaa.one, participate in phaa promotions, or otherwise interact with phaa's services, whether through a web browser, mobile device, or any other means of access.

2. Legal Basis for This Policy

This Privacy Policy is issued in compliance with the following Philippine laws and regulatory instruments:

• Republic Act No. 10173 — Data Privacy Act of 2012, and its Implementing Rules and Regulations (IRR).
• National Privacy Commission (NPC) Circulars and Advisory Opinions applicable to online platforms and financial services.
• Republic Act No. 9160 (as amended) — Anti-Money Laundering Act, which imposes data retention and reporting obligations on phaa as a covered person.
• PAGCOR Regulatory Framework — including all applicable PAGCOR-issued issuances governing player data handling by licensed online gaming operators.
• Republic Act No. 8792 — Electronic Commerce Act, governing the legal validity of electronic transactions and data on the phaa Platform.

3. Personal Data We Collect

3.1 Registration Data. When you create a phaa account, we collect: full legal name, date of birth (to verify 21+ age eligibility), mobile phone number, email address, username, and password (stored in hashed form — phaa does not store passwords in plaintext).

3.2 Identity Verification (KYC) Data. To comply with PAGCOR's KYC requirements and the Anti-Money Laundering Act, phaa collects government-issued ID documents (e.g., Philippine passport, SSS ID, UMID, driver's licence, PhilSys national ID), selfie or liveness verification images, and proof of address documentation where required.

3.3 Financial Data. phaa collects transaction data including deposit amounts, withdrawal amounts, payment method identifiers (e.g., GCash account reference, BPI account name — never full bank account numbers), and transaction timestamps. We do not store full card numbers or complete bank account details.

3.4 Gaming Activity Data. We collect data on your gaming sessions including game titles played, bet amounts, win/loss outcomes, session start and end times, and bonus usage. This data is used for account management, fraud detection, responsible gaming monitoring, and PAGCOR regulatory reporting.

3.5 Technical Data. When you access phaa.one, we automatically collect: IP address, device type and operating system, browser type and version, session timestamps, pages visited, and referring URL. This data is collected via standard server logs and cookies (see Section 8).

3.6 Communications Data. If you contact phaa support, we retain records of your communications including live chat transcripts, email correspondence, and support ticket content. This data is used to resolve your enquiry and improve phaa's support quality.

4. How We Use Your Personal Data

phaa processes your personal data for the following purposes:

• Account Registration and Management: Creating and maintaining your phaa account, verifying your identity and age, and managing your account settings and preferences.
• KYC and Regulatory Compliance: Verifying your identity in compliance with PAGCOR's KYC requirements and the Anti-Money Laundering Act. phaa is legally obligated to perform these verifications and cannot process withdrawals from unverified accounts.
• Payment Processing: Processing your deposits and withdrawals via GCash, Maya, BPI, BDO, Metrobank, and other accepted Philippine payment channels.
• Game Provision: Delivering the gaming products and services available on the phaa Platform, including slot games, live casino tables, bingo sessions, and sports betting markets.
• Fraud Detection and Security: Monitoring account activity for signs of fraud, money laundering, bonus abuse, or other prohibited conduct. Protecting the security of the phaa Platform and all players on it.
• Responsible Gaming: Monitoring player gaming patterns to identify potential problem gambling behaviour and administering responsible gaming tools including deposit limits, self-exclusion, and cooling-off periods.
• Customer Support: Responding to your enquiries, complaints, and support requests.
• Marketing Communications: Sending you information about phaa promotions, bonuses, and new games where you have provided consent. You may withdraw consent to marketing communications at any time via your account settings or by contacting phaa support.
• Platform Improvement: Analysing aggregated and anonymised usage data to improve the phaa Platform's performance, game selection, and user experience.
• Legal and Regulatory Compliance: Complying with obligations under Philippine law, PAGCOR directives, AMLC reporting requirements, and court orders.

5. Legal Grounds for Processing

Under the DPA, phaa processes your personal data on the following legal grounds:

• Contract Performance: Processing necessary to perform our contract with you (your phaa account Terms and Conditions), including account management, payment processing, and game provision.
• Legal Obligation: Processing required to comply with Philippine laws and PAGCOR regulations, including KYC verification, AML reporting, and regulatory data retention obligations.
• Legitimate Interests: Processing for phaa's legitimate interests where these do not override your fundamental rights and freedoms — including fraud prevention, platform security, and responsible gaming monitoring.
• Consent: Processing for marketing communications and non-essential cookies, where you have provided explicit consent. You may withdraw consent at any time without affecting the lawfulness of prior processing.

6. Sharing Your Personal Data

phaa does not sell, rent, or trade your personal data to third parties. phaa may share your personal data with the following categories of recipients, strictly for the purposes described in this Policy:

• PAGCOR: As a condition of phaa's operating license, certain player data and gaming activity records must be made available to PAGCOR upon request or as part of mandatory regulatory reporting.
• Anti-Money Laundering Council (AMLC): phaa is a covered person under the AMLA and is obligated to report covered and suspicious transactions to the AMLC as required by Philippine law.
• Payment Service Providers: GCash, Maya, BPI, BDO, Metrobank, and other Philippine payment processors receive the minimum transactional data necessary to process your deposits and withdrawals. These providers are bound by their own privacy and data security obligations.
• KYC Verification Partners: Third-party identity verification providers process KYC documents on phaa's behalf under strict data processing agreements. These partners are required to handle your documents in accordance with the DPA.
• Game Providers: Third-party game studios (e.g., Pragmatic Play, JILI, PG Soft) may receive anonymised session data necessary to deliver their games. No personally identifiable information is shared with game providers beyond what is required for game functionality.
• Philippine Courts and Law Enforcement: Where required by a valid Philippine court order, subpoena, or law enforcement directive, phaa will disclose personal data to the extent required by law.

All third-party recipients with whom phaa shares personal data are contractually bound to process such data only for the specified purpose and to maintain appropriate security standards.

7. Data Retention

phaa retains your personal data for the following periods:

• Account and KYC Records: For the duration of your active phaa account, plus a minimum of five (5) years following account closure, as required by PAGCOR regulations and the AMLA.
• Transaction Records: A minimum of five (5) years from the date of the transaction, in accordance with AMLC record-keeping obligations.
• Gaming Activity Logs: For the duration of your account plus three (3) years, for PAGCOR compliance and responsible gaming monitoring purposes.
• Support Communications: Two (2) years from the date of the communication, to facilitate resolution of related disputes or complaints.
• Marketing Consent Records: For as long as you remain a registered phaa player or until you withdraw consent, whichever is earlier.

Following the expiry of the applicable retention period, phaa will securely delete or anonymise your personal data in accordance with NPC guidance on data disposal.

8. Cookies and Tracking Technologies

phaa uses cookies and similar tracking technologies on phaa.one for the following purposes:

• Strictly Necessary Cookies: Required for the Platform to function correctly — including maintaining your login session, remembering your preferences, and enabling secure payment processing. These cookies cannot be disabled.
• Analytics Cookies: Used to understand how players navigate and use phaa.one, enabling phaa to improve Platform performance and user experience. Analytics data is aggregated and anonymised where possible.
• Functional Cookies: Enable enhanced functionality such as saving your preferred game categories, language settings, and responsible gaming reminder preferences.

You may manage your cookie preferences through your browser settings. Please note that disabling non-essential cookies may affect the performance and functionality of certain phaa Platform features. Strictly necessary cookies cannot be disabled as they are required for core Platform operation.

9. Your Data Subject Rights

Under the Philippine Data Privacy Act, you have the following rights with respect to your personal data held by phaa:

To exercise any of the above rights, submit a written request to phaa's Data Protection Officer at the contact details in Section 14. phaa will respond to verified data subject requests within fifteen (15) calendar days of receipt.

10. Data Security

phaa implements appropriate technical and organisational security measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These measures include:

• 256-bit SSL/TLS encryption for all data transmitted between your device and phaa servers.
• Hashed storage of account passwords — phaa does not store passwords in recoverable plaintext form.
• Access controls ensuring that phaa personnel can only access personal data necessary for their specific role.
• Regular security audits and penetration testing of the phaa Platform infrastructure.
• Two-factor authentication (2FA) available for all phaa player accounts.
• Automated monitoring for unusual account access patterns with real-time SMS alerts to registered players.

In the event of a personal data breach that poses a real risk of harm to affected individuals, phaa will notify the NPC and affected players within seventy-two (72) hours of becoming aware of the breach, in accordance with NPC breach notification requirements.

11. Children's Privacy

The phaa Platform is strictly intended for adults aged 21 years and above. phaa does not knowingly collect personal data from individuals under the age of 21. The phaa registration process includes mandatory date-of-birth verification and subsequent KYC identity checks to enforce this age restriction. If phaa becomes aware that personal data has been collected from a person under 21, that account will be immediately closed, associated data will be handled in accordance with PAGCOR requirements, and the matter will be referred to the appropriate Philippine regulatory authority. 21+

12. Third-Party Links

The phaa Platform does not contain links to third-party websites. In the event that phaa were to include links to external sites in the future, this Policy would not apply to those third-party sites and phaa would not be responsible for their privacy practices. Users would be advised to review the privacy policies of any third-party sites they visit independently.

13. Updates to This Privacy Policy

phaa reserves the right to update this Privacy Policy at any time. Material changes to this Policy — such as changes to the categories of data collected, the purposes for which data is processed, or your data subject rights — will be communicated to registered phaa players via their registered email address or an on-Platform notification at least seven (7) days prior to the effective date of the change. The "Effective Date" displayed at the top of this Policy will be updated whenever material changes are made. Your continued use of the phaa Platform after the effective date of an updated Policy constitutes acceptance of the revised terms.

14. Contact & Data Protection Officer

For all data privacy enquiries, requests to exercise your data subject rights, or to contact phaa's Data Protection Officer, please use the following:

• Data Protection Officer: phaa DPO
• Email: support at phaa.one — please include "Privacy / DPO Request" in your subject line.
• Live Support: Available 24/7 via the phaa live chat function on phaa.one.
• Regulatory Authority: National Privacy Commission (NPC), 5th Floor Delegation Building, PICC Complex, Roxas Boulevard, Pasay City, Metro Manila, Philippines.
• Gaming Regulator: Philippine Amusement and Gaming Corporation (PAGCOR), 1 Estadio Street, Ermita, Manila, Philippines.

phaa aims to respond to all data privacy requests within fifteen (15) calendar days of receipt of a verified written request. In complex cases, the response period may be extended by a further fifteen (15) days with prior notice to the requestor.