phmasaya Privacy Policy

1. Introduction

This Privacy Policy ("Policy") describes how phmasaya ("phmasaya," "we," "us," or "our") collects, uses, stores, and discloses personal information obtained from individuals ("you," "Player," or "User") who access or use the phmasaya website, mobile platform, and associated gaming services (collectively, the "Platform").

phmasaya operates in the Philippines and is committed to complying with Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012 ("DPA"), its Implementing Rules and Regulations, and the issuances of the National Privacy Commission ("NPC"). Where applicable, phmasaya also observes the data protection standards required by the Philippine Amusement and Gaming Corporation (PAGCOR) in connection with the operation of online gaming platforms.

By registering an account on phmasaya or otherwise using the Platform, you acknowledge that you have read and understood this Policy and consent to the collection and processing of your personal data as described herein. If you do not agree to this Policy, you must not use the phmasaya Platform.

2. Personal Data We Collect

phmasaya collects the following categories of personal data in connection with the operation of the Platform and the provision of gaming services to Philippine players:

2.1 Identity and Contact Data

• Full legal name as it appears on a government-issued Philippine ID;
• Date of birth (used to verify the 21+ age requirement);
• Residential address (including barangay, city or municipality, province);
• Email address;
• Mobile number registered in the Philippines.

2.2 Identity Verification Data

• Copies of government-issued Philippine identification documents (e.g., PhilSys National ID, passport, driver's licence, UMID, SSS ID, PRC ID);
• Selfie or liveness verification images submitted during KYC procedures;
• Proof of address documents where required.

2.3 Financial Data

• GCash or PayMaya mobile wallet identifiers;
• BPI, BDO, or Metrobank account details used for deposits and withdrawals;
• Transaction history, including deposit amounts, withdrawal amounts, and timestamps;
• Source of funds documentation where required for AML compliance.

2.4 Gaming Activity Data

• Game session logs, including games played, wagers placed, and outcomes;
• Bonus and promotion usage history;
• Responsible gaming tool settings (deposit limits, session limits, self-exclusion status);
• Account login history, including timestamps and IP addresses.

2.5 Technical and Device Data

• IP address and approximate geolocation derived therefrom;
• Device type, operating system, and browser information;
• Cookie identifiers and session tokens (see Section 7);
• Platform interaction logs for security and fraud prevention purposes.

2.6 Communications Data

• Records of live chat, email, and other communications with phmasaya customer support;
• Feedback, survey responses, and complaints submitted to phmasaya.

Data Category	Primary Purpose	Retention Period
Identity & Contact	Account creation, KYC, communications	5 years after account closure
Verification Documents	Age & identity verification, AML	5 years after account closure
Financial Data	Payment processing, AML compliance	7 years (BSP/AMLC requirements)
Gaming Activity	Service delivery, dispute resolution	5 years after account closure
Technical & Device	Security, fraud prevention	12 months on a rolling basis
Communications	Support, dispute resolution	3 years after last interaction

3. How We Collect Your Data

phmasaya collects personal data through the following means:

• Direct submission: Information you provide when registering an account, completing KYC verification, making deposits or withdrawals, contacting customer support, or participating in promotions;
• Automated collection: Technical and device data collected automatically when you access the Platform, including through cookies, session tokens, and server logs;
• Third-party sources: Identity verification data from KYC service providers; fraud and AML screening data from compliance service providers; payment data from GCash, PayMaya, BPI, BDO, and Metrobank in connection with transaction processing.

phmasaya does not purchase personal data from data brokers or third-party marketing lists. All personal data collected by phmasaya is obtained in connection with the provision of gaming services to Philippine players or the fulfilment of phmasaya's legal and regulatory obligations.

4. Legal Basis for Processing

phmasaya processes personal data on the following legal bases under the Data Privacy Act of 2012:

• Consent: Where you have given your express consent to the processing of your personal data for a specific purpose, such as receiving promotional communications from phmasaya;
• Contractual necessity: Where processing is necessary for the performance of the contract between you and phmasaya, including account management, payment processing, and the delivery of gaming services;
• Legal obligation: Where processing is required to comply with applicable Philippine law, including the Anti-Money Laundering Act (AMLA), the Data Privacy Act, PAGCOR regulations, and Bangko Sentral ng Pilipinas (BSP) requirements applicable to payment service providers;
• Legitimate interests: Where processing is necessary for phmasaya's legitimate interests, including fraud prevention, platform security, and the improvement of gaming services, provided such interests are not overridden by your rights and freedoms.

5. How We Use Your Personal Data

phmasaya uses the personal data it collects for the following purposes:

5.1 Account Management and Service Delivery

To create and maintain your phmasaya account; to verify your identity and age (21+ requirement); to process deposits and withdrawals via GCash, PayMaya, BPI, BDO, and Metrobank; to deliver gaming services and resolve disputes; and to administer bonuses, promotions, and the phmasaya VIP programme.

5.2 Legal and Regulatory Compliance

To comply with phmasaya's obligations under the Anti-Money Laundering Act, PAGCOR regulations, the Data Privacy Act, and other applicable Philippine laws. This includes conducting Know Your Customer (KYC) checks, monitoring transactions for suspicious activity, and reporting to the Anti-Money Laundering Council (AMLC) and other competent authorities as required by law.

5.3 Security and Fraud Prevention

To detect, investigate, and prevent fraudulent activity, account takeovers, bonus abuse, and other prohibited conduct on the phmasaya Platform. phmasaya uses automated systems and human review to identify unusual account activity and protect the integrity of the Platform for all players.

5.4 Customer Support

To respond to your enquiries, resolve complaints, and provide technical assistance. Communications with phmasaya customer support are recorded and retained for quality assurance and dispute resolution purposes.

5.5 Responsible Gaming

To administer responsible gaming tools including deposit limits, session controls, and self-exclusion; to identify players who may be exhibiting signs of problem gambling; and to comply with phmasaya's responsible gaming obligations under PAGCOR guidelines.

5.6 Marketing Communications

Where you have provided consent, to send you promotional offers, bonus notifications, and updates about new games and features on phmasaya. You may withdraw your consent to marketing communications at any time by updating your account preferences or contacting phmasaya customer support.

5.7 Platform Improvement

To analyse aggregated, anonymised usage data for the purpose of improving the phmasaya Platform, optimising the user experience for Filipino players, and developing new features and game offerings.

6. Data Sharing and Disclosure

phmasaya does not sell your personal data to third parties. phmasaya may share your personal data with the following categories of recipients in the circumstances described below:

• Payment service providers: GCash, PayMaya, BPI, BDO, and Metrobank, for the purpose of processing deposits and withdrawals to and from your phmasaya account;
• Identity verification providers: Third-party KYC and AML screening service providers engaged by phmasaya to verify player identities and screen for sanctions and politically exposed persons (PEPs);
• Game providers: Third-party game studios and live dealer platform providers whose games are available on phmasaya, to the extent necessary for the delivery of those games;
• Regulatory authorities: PAGCOR, the Anti-Money Laundering Council (AMLC), the National Privacy Commission (NPC), and other competent Philippine government authorities, where disclosure is required by law or regulatory directive;
• Law enforcement: Philippine law enforcement agencies, where disclosure is required pursuant to a valid legal process or court order;
• Professional advisers: Legal counsel, auditors, and other professional advisers engaged by phmasaya, subject to appropriate confidentiality obligations.

All third parties with whom phmasaya shares personal data are required to process such data in accordance with applicable Philippine data privacy laws and phmasaya's data processing requirements. phmasaya does not permit third-party service providers to use your personal data for their own marketing purposes.

7. Cookies and Tracking Technologies

phmasaya uses cookies and similar tracking technologies on the Platform for the following purposes:

• Essential cookies: Required for the Platform to function correctly, including maintaining your login session and remembering your account preferences. These cookies cannot be disabled without impairing Platform functionality;
• Security cookies: Used to detect and prevent fraudulent activity, including session hijacking and cross-site request forgery;
• Analytics cookies: Used to collect aggregated, anonymised data about how players use the Platform, enabling phmasaya to improve the user experience;
• Preference cookies: Used to remember your language, display, and notification preferences across sessions.

You may manage your cookie preferences through your browser settings. Please note that disabling essential or security cookies may affect your ability to access and use the phmasaya Platform. phmasaya does not use third-party advertising cookies or share cookie data with advertising networks.

8. Data Retention

phmasaya retains personal data for as long as necessary to fulfil the purposes for which it was collected, including compliance with legal, regulatory, and contractual obligations. The specific retention periods applicable to each category of personal data are set out in the table in Section 2 of this Policy.

Upon expiry of the applicable retention period, phmasaya will securely delete or anonymise your personal data in accordance with its data disposal procedures. Where anonymisation is not technically feasible, phmasaya will restrict the processing of your data to the minimum necessary for compliance purposes.

9. Data Security

phmasaya implements appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These measures include:

• 256-bit SSL/TLS encryption for all data transmitted between your device and the phmasaya Platform;
• Encryption of sensitive data at rest, including identity verification documents and financial data;
• Role-based access controls limiting employee access to personal data on a need-to-know basis;
• Two-factor authentication (2FA) available to all phmasaya account holders;
• Real-time login monitoring and anomaly detection systems;
• Regular security assessments and penetration testing of the Platform;
• Staff training on data privacy and security obligations under Philippine law.

While phmasaya takes all reasonable steps to protect your personal data, no online platform can guarantee absolute security. In the event of a personal data breach that is likely to result in serious harm to affected individuals, phmasaya will notify the National Privacy Commission and affected players in accordance with the requirements of the Data Privacy Act and NPC Circular No. 16-03.

10. Your Data Privacy Rights

Under the Data Privacy Act of 2012 and its Implementing Rules and Regulations, you have the following rights in respect of your personal data held by phmasaya:

• Right to be informed: You have the right to be informed of how your personal data is being collected and processed, including the purposes for which it is used and the parties with whom it is shared;
• Right of access: You have the right to request a copy of the personal data phmasaya holds about you, together with information about how it is being processed;
• Right to rectification: You have the right to request correction of any inaccurate or incomplete personal data phmasaya holds about you;
• Right to erasure: You have the right to request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, subject to phmasaya's legal retention obligations;
• Right to object: You have the right to object to the processing of your personal data for direct marketing purposes or where processing is based on phmasaya's legitimate interests;
• Right to data portability: You have the right to receive a copy of your personal data in a structured, commonly used, and machine-readable format;
• Right to lodge a complaint: You have the right to lodge a complaint with the National Privacy Commission (NPC) if you believe phmasaya has processed your personal data in violation of the Data Privacy Act.

To exercise any of the above rights, please contact phmasaya's Data Protection Officer using the contact details provided in Section 14. phmasaya will respond to all verified data subject requests within fifteen (15) business days of receipt. In complex cases, this period may be extended by a further fifteen (15) business days, with notice provided to you of the extension and the reasons therefor.

Please note that certain rights are subject to limitations under applicable law. For example, phmasaya may decline a deletion request where retention of the relevant data is required for compliance with the Anti-Money Laundering Act or other applicable Philippine legislation.

11. Children's Privacy

The phmasaya Platform is strictly intended for individuals aged twenty-one (21) years and above. phmasaya does not knowingly collect personal data from individuals under the age of 21. If phmasaya becomes aware that personal data has been collected from a person under the age of 21, it will take immediate steps to delete such data and close the associated account.

If you are a parent or guardian and believe that a minor has registered an account on phmasaya or submitted personal data to the Platform, please contact phmasaya's Data Protection Officer immediately using the contact details in Section 14. phmasaya takes underage access to its Platform extremely seriously and will act promptly on all such reports.

12. Cross-Border Data Transfers

phmasaya may transfer your personal data to third-party service providers located outside the Philippines in connection with the provision of KYC verification, fraud screening, game delivery, and platform infrastructure services. Any such cross-border transfer of personal data will be conducted in accordance with Section 21 of the Data Privacy Act and the relevant NPC guidelines on cross-border data transfers.

phmasaya ensures that all recipients of personal data outside the Philippines are bound by data processing agreements that require them to maintain data protection standards equivalent to those required under Philippine law. Where a recipient country does not provide an adequate level of data protection, phmasaya will implement appropriate contractual safeguards prior to any transfer.

13. Amendments to This Policy

phmasaya reserves the right to amend this Privacy Policy at any time to reflect changes in applicable law, regulatory requirements, or phmasaya's data processing practices. Material changes to this Policy will be communicated to registered players via the email address on file or through a prominent notice on the Platform at least seven (7) days before the changes take effect.

The effective date at the top of this Policy will be updated each time a revision is made. Your continued use of the phmasaya Platform following the effective date of any amendment constitutes your acknowledgment of the revised Policy. If you do not accept the revised Policy, you must cease using the Platform and may request closure of your account.

14. Contact & Data Protection Officer

phmasaya has appointed a Data Protection Officer (DPO) responsible for overseeing compliance with the Data Privacy Act and this Privacy Policy. If you have any questions, concerns, or requests relating to your personal data or this Policy, please contact the phmasaya DPO using the details below.

All data subject requests and privacy-related enquiries should be submitted in writing and include your full name, registered email address, and a clear description of your request or concern. phmasaya will acknowledge receipt of your request within three (3) business days.

Data Protection Officer, phmasaya
Email: [email protected]

General customer support enquiries unrelated to data privacy may be directed to our 24/7 live chat team on the Platform, or by email at: [email protected]