1. Who We Are
phaa ("phaa," "we," "us," "our") is the operator of the online gaming platform accessible at phaa.asia, serving players in the Republic of the Philippines. phaa operates under PAGCOR licensing context and is subject to Philippine data privacy obligations under Republic Act No. 10173, the Data Privacy Act of 2012 (DPA), and its Implementing Rules and Regulations (IRR) as administered by the National Privacy Commission (NPC).
phaa acts as the Personal Information Controller (PIC) in respect of personal data collected through the phaa platform. Questions, requests, or concerns regarding personal data may be directed to phaa's Data Protection Officer (DPO) at the contact details provided in Section 15 of this Policy.
2. Personal Data We Collect
phaa collects personal data necessary for the lawful provision of online gaming services, regulatory compliance, and the security of the platform. The categories of personal data collected include:
| Category | Examples | Purpose |
| --- | --- | --- |
| Identity Data | Full legal name, date of birth, gender, nationality | KYC verification, age verification, regulatory compliance |
| Contact Data | Mobile number (+63 format), email address, residential address | Account communication, 2FA delivery, support |
| Identity Document Data | Government ID type and number (SSS, UMID, Passport, Driver's License, PhilSys), selfie image | KYC verification, anti-money laundering compliance |
| Financial Data | GCash/Maya account reference, bank account name and number, transaction amounts, deposit/withdrawal history | Payment processing, fraud prevention, AML compliance |
| Gaming Activity Data | Game session logs, bet history, win/loss records, bonus usage | Service provision, responsible gaming monitoring, dispute resolution |
| Technical Data | IP address, device fingerprint, browser type, operating system, session duration | Security monitoring, fraud detection, platform optimisation |
| Communications Data | Live chat transcripts, email correspondence, support ticket content | Customer service, quality assurance, dispute evidence |
| Marketing Preferences | Promotional opt-in/opt-out status, preferred notification channel | Targeted promotions (where consented), communication management |
phaa does not collect sensitive personal information beyond what is strictly necessary for identity verification and regulatory compliance purposes. phaa does not collect biometric data beyond selfie images used solely for KYC facial matching.
3. How We Collect Your Data
phaa collects personal data through the following means:
- Direct Collection: Information you provide during account registration, KYC submission, payment processing, support interactions, and promotional opt-ins.
- Automated Collection: Technical data collected automatically when you access phaa.asia, including through cookies, log files, and device fingerprinting technology as described in Section 8.
- Third-Party Sources: Identity verification data confirmed through accredited KYC service providers; payment transaction data from payment processors (GCash, Maya, BPI, BDO, Metrobank); fraud risk scores from fraud detection service providers.
- PAGCOR and Regulatory Authorities: In limited circumstances, phaa may receive data from PAGCOR or other Philippine regulatory authorities in connection with compliance inquiries or player dispute resolution processes.
4. How We Use Your Personal Data
phaa uses personal data collected from players for the following purposes:
- Account Management: Creating, maintaining, verifying, and securing your phaa account.
- KYC & Age Verification: Confirming that you meet the minimum age requirement of 21 years and verifying your identity as required by PAGCOR and Philippine anti-money laundering regulations.
- Payment Processing: Processing deposits and withdrawals in PHP via your preferred payment method; detecting and preventing fraudulent transactions.
- Gaming Services: Delivering the games, sportsbook, bingo, and live casino services that constitute the phaa platform; maintaining game session records and bet history.
- Security & Fraud Prevention: Monitoring account activity for suspicious behaviour; detecting multi-accounting, bonus abuse, and prohibited activities as defined in the Terms and Conditions.
- Regulatory Compliance: Meeting phaa's obligations under PAGCOR licensing requirements, the Anti-Money Laundering Act (AMLA) of the Philippines, and the Data Privacy Act of 2012.
- Responsible Gaming: Monitoring gaming behaviour patterns to identify players who may be experiencing gambling-related harm; enforcing self-exclusion and deposit limit requests.
- Customer Support: Responding to queries, resolving disputes, and providing technical assistance.
- Marketing Communications: Sending promotional offers, loyalty programme updates, and event notifications — only to players who have opted in to marketing communications. Players may withdraw marketing consent at any time via account settings.
- Platform Improvement: Analysing aggregated, anonymised usage data to improve platform performance, game selection, and user experience.
5. Legal Basis for Processing
Under the Data Privacy Act of 2012 (Republic Act No. 10173), phaa processes personal data on the following legal bases:
- Contractual Necessity: Processing required to perform the gaming services contract — account registration, payment processing, game delivery, and customer support.
- Legal Obligation: Processing required to comply with PAGCOR licensing requirements, AMLA reporting obligations, and NPC data processing standards.
- Legitimate Interests: Processing for fraud prevention, platform security, and responsible gaming monitoring, where such interests do not override players' fundamental rights.
- Consent: Processing for marketing communications and optional personalisation features, where you have provided explicit opt-in consent. Consent may be withdrawn at any time without affecting the lawfulness of prior processing.
6. Data Sharing & Disclosure
phaa does not sell, rent, or trade your personal data to third parties for their own commercial purposes. phaa shares personal data only in the following circumstances:
- Game Providers: Game session data is shared with the relevant game provider (e.g., JILI, PG Soft, Evolution Gaming) to the extent technically required to deliver the game. Game providers are contractually prohibited from using this data for any purpose other than game delivery.
- Payment Processors: Financial data necessary to process deposits and withdrawals is shared with the relevant payment processor (GCash, Maya, BPI, BDO, Metrobank, etc.).
- KYC Service Providers: Identity document data is shared with accredited identity verification service providers for KYC processing. These providers are bound by confidentiality agreements and data processing restrictions.
- Fraud Detection Services: Technical and behavioural data is shared with fraud risk assessment providers to protect the integrity of the platform.
- Regulatory Authorities: phaa is required to disclose player data to PAGCOR, the Anti-Money Laundering Council (AMLC), the NPC, or other Philippine government authorities when legally compelled to do so.
- Professional Advisers: Legal counsel, auditors, and compliance consultants who are subject to professional confidentiality obligations.
- Corporate Transactions: In the event of a merger, acquisition, or business transfer, player data may be transferred to a successor entity subject to equivalent data protection obligations.
No Overseas Transfers Without Safeguards: phaa does not transfer personal data outside the Philippines except where adequate data protection safeguards are in place, as required by the DPA and NPC guidelines.
7. International Data Transfers
Some of phaa's third-party service providers — including game delivery infrastructure providers and fraud detection platforms — may process data on servers located outside the Philippines. In all cases, phaa ensures that such transfers are subject to contractual data protection clauses that meet or exceed the standards required by Republic Act No. 10173 and NPC regulations.
Where personal data is transferred to a jurisdiction that the NPC has not recognised as providing adequate data protection, phaa requires the recipient to implement appropriate technical and contractual safeguards, including standard contractual clauses approved for cross-border data transfers under Philippine law.
8. Cookies & Tracking Technologies
phaa uses cookies and similar tracking technologies on phaa.asia to provide essential platform functionality, enhance security, and improve user experience. The following types of cookies are used:
- Strictly Necessary Cookies: Required for the platform to function. These include session authentication cookies, security tokens, and load balancing cookies. These cannot be disabled without breaking the platform.
- Functional Cookies: Store your preferences such as language setting, game display preferences, and "keep me signed in" session state.
- Analytics Cookies: Aggregated, anonymised data on how players navigate phaa.asia, used to identify performance bottlenecks and improve the platform. No personally identifiable information is included in analytics reporting.
- Security Cookies: Device fingerprinting cookies used to detect login anomalies, multi-accounting attempts, and fraudulent access patterns.
You may manage cookie preferences through your browser settings. Disabling strictly necessary cookies will prevent you from accessing the phaa platform. phaa does not use third-party advertising or cross-site tracking cookies.
9. Data Retention
phaa retains personal data for as long as necessary to fulfil the purposes for which it was collected, subject to the following minimum retention periods driven by regulatory obligations:
- KYC and identity documents: Minimum 5 years from account closure, as required by PAGCOR and AMLC regulations.
- Financial transaction records: Minimum 5 years from the date of transaction, as required by Philippine anti-money laundering laws.
- Gaming activity logs: Minimum 3 years from the date of each session, for dispute resolution and regulatory audit purposes.
- Customer support communications: 2 years from the date of the last interaction in a support thread.
- Marketing consent records: For the duration of the account and 1 year following account closure, as evidence of consent basis.
Upon expiry of the applicable retention period, personal data is securely deleted or irreversibly anonymised. Players with closed accounts may request confirmation of data deletion status by contacting phaa's DPO.
10. Your Data Rights
Under the Data Privacy Act of 2012, phaa players have the following rights with respect to their personal data:
- Right to Be Informed: The right to know how your personal data is being collected and processed — which this Policy fulfils.
- Right of Access: The right to request a copy of the personal data phaa holds about you.
- Right to Rectification: The right to request correction of inaccurate or incomplete personal data.
- Right to Erasure: The right to request deletion of personal data that is no longer necessary, subject to phaa's regulatory retention obligations which may override deletion requests.
- Right to Data Portability: The right to receive personal data in a structured, commonly used format for transfer to another controller.
- Right to Object: The right to object to processing of your data for direct marketing purposes. Objection to marketing processing is absolute; objection to other processing grounds will be assessed against phaa's legitimate interests.
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
- Right to Lodge a Complaint: The right to lodge a complaint with the National Privacy Commission (NPC) if you believe phaa has violated your data privacy rights.
To exercise any of the above rights, submit a written request to phaa's DPO at the contact details in Section 15. phaa will respond to rights requests within 30 calendar days of receipt. Identity verification may be required before a request is processed.
11. Children's Privacy
The phaa platform is strictly prohibited for use by individuals under 21 years of age. phaa does not knowingly collect personal data from individuals under 21. If phaa becomes aware that personal data has been collected from an individual who is under 21 years of age, the account will be closed immediately, all data will be deleted (subject to any mandatory regulatory retention requirements), and the matter will be reported to PAGCOR as required.
If you believe a person under 21 has registered on phaa, please notify phaa's DPO immediately using the contact details in Section 15.
12. Security Measures
phaa implements a layered security framework to protect personal data against unauthorised access, disclosure, alteration, and destruction:
- Encryption in Transit: All data transmitted between your browser and phaa servers is encrypted using TLS 1.2 or higher (HTTPS). Payment data transmitted to payment processors uses tokenisation to minimise the transmission of raw financial credentials.
- Encryption at Rest: Sensitive personal data fields (including identity document numbers and financial account references) are encrypted at the database level using AES-256.
- Access Controls: Internal access to personal data is restricted on a strict need-to-know basis. All staff with data access are subject to confidentiality obligations and regular security training.
- Intrusion Detection: phaa's infrastructure is monitored 24/7 by automated intrusion detection systems. Anomalous access patterns trigger immediate security alerts.
- Penetration Testing: phaa's platform undergoes periodic security penetration testing by independent third-party security assessors.
Despite these measures, no internet-based platform can guarantee absolute security. Players are encouraged to use a strong, unique password and enable two-factor authentication on their phaa account to maximise protection from the account holder's side.
13. Third-Party Links
The phaa platform may contain links to the websites of game providers, payment processors, and regulatory bodies. phaa is not responsible for the privacy practices of third-party websites. This Privacy Policy applies solely to data processing activities conducted by phaa on the phaa.asia platform. phaa recommends reviewing the privacy policies of any third-party site you visit.
14. Updates to This Privacy Policy
phaa reserves the right to update this Privacy Policy at any time to reflect changes in applicable law, PAGCOR regulatory requirements, NPC guidance, or phaa's data processing practices. When material changes are made, phaa will notify registered players via the email address or mobile number associated with their account and update the "Last Updated" date at the top of this page.
Continued use of the phaa platform after the effective date of any policy update constitutes your acknowledgment of the revised Privacy Policy. If you do not accept the revised Policy, you must cease using the platform and may request account closure.
15. Contact & Data Protection Officer
For any privacy-related queries, data subject rights requests, or complaints, please contact phaa's Data Protection Officer:
- DPO Email: [email protected] (subject line: "Privacy / DPO Request")
- Response Time: Within 30 calendar days of receipt of a written request
- Live Support: 24/7 live chat on phaa.asia for general privacy inquiries
If you are not satisfied with phaa's response to a privacy complaint, you have the right to escalate your complaint to the National Privacy Commission of the Philippines:
- National Privacy Commission (NPC): [email protected] — Note: this address is provided as a regulatory reference only. phaa is not responsible for third-party contact details.