phmacoa Privacy Policy

phmacoa ("we," "our," or "us") operates the online gaming platform at phmacoa.club, providing Filipino players with access to live casino games, JILI slots, virtual sports betting, bingo, and Super Keno under the regulatory oversight of the Philippine Amusement and Gaming Corporation (PAGCOR).

As a data controller operating in the Philippines, phmacoa is bound by the requirements of Republic Act No. 10173 (the Data Privacy Act of 2012), its Implementing Rules and Regulations, and the issuances of the National Privacy Commission ("NPC"). phmacoa is registered with the NPC as required for organisations processing sensitive personal information.

This Privacy Policy sets out the basis on which any personal data we collect from you, or that you provide to phmacoa, will be processed. This policy is incorporated by reference into phmacoa's Terms and Conditions, and together with those Terms, governs your relationship with the phmacoa platform.

This Privacy Policy applies to all personal data collected and processed by phmacoa in connection with:

• The registration, verification, and ongoing management of Member accounts on phmacoa.club;
• All gaming activity conducted by Members on the phmacoa platform, including live casino, slots, bingo, Super Keno, and virtual sports;
• All financial transactions, including deposits, withdrawals, and bonus distributions, processed through phmacoa's payment systems;
• All communications between Members and phmacoa's customer support team via live chat, email, or other channels;
• All marketing and promotional communications sent by phmacoa to Members who have provided consent;
• Technical data collected automatically through cookies, server logs, and analytics tools as Members interact with the phmacoa website.

This policy does not apply to third-party websites or services that may be linked to or from phmacoa.club, including the websites of payment providers such as GCash, Maya, BPI, or BDO. phmacoa encourages Members to review the privacy policies of any third-party services they use.

phmacoa collects the following categories of personal data about Members and prospective Members:

phmacoa does not collect or store full payment card numbers. All payment processing is handled by regulated third-party payment providers, and phmacoa receives only the minimum payment reference information required to reconcile transactions.

phmacoa collects personal data through the following means:

• Direct provision by the Member: Data submitted during account registration, identity verification, payment transactions, customer support interactions, and survey participation.
• Automated technical collection: Device, usage, and technical data collected automatically via server logs, cookies, and analytics tools when a Member accesses or browses phmacoa.club. See Section 10 for full details of phmacoa's cookie practices.
• Third-party payment providers: Transaction confirmation data from GCash, Maya, QR Ph, BPI, BDO, Metrobank, and other payment partners. This is limited to what is necessary to verify deposit and withdrawal transactions.
• Identity verification services: In connection with regulatory KYC (Know Your Customer) obligations, phmacoa may use third-party identity verification service providers to verify documents submitted by Members. These providers are contractually bound to process data only for the purposes specified by phmacoa.
• PAGCOR and regulatory bodies: phmacoa may receive information about Members from PAGCOR, including self-exclusion list data and regulatory compliance information.

phmacoa processes Members' personal data for the following purposes:

• Account registration and management: To create, maintain, and administer Member accounts, including processing account updates and closures.
• Identity verification and KYC compliance: To verify Member identity and age (minimum 21 years) as required by PAGCOR regulations and Philippine anti-money laundering laws.
• Service delivery: To provide Members with access to all phmacoa game products, process bets, determine outcomes, and credit winnings.
• Payment processing: To process deposit and withdrawal transactions via phmacoa's supported Philippine payment methods, including GCash, Maya, QR Ph, and bank transfers.
• Security and fraud prevention: To detect, investigate, and prevent fraudulent transactions, account takeovers, money laundering, and other unlawful activity on the platform.
• Regulatory compliance: To comply with PAGCOR licensing requirements, AMLC (Anti-Money Laundering Council) reporting obligations, NPC data privacy requirements, and all other applicable Philippine laws and regulations.
• Customer support: To respond to Member enquiries, complaints, account issues, and responsible gaming requests.
• Responsible gaming: To monitor gaming patterns for indicators of problem gambling, administer deposit limits and self-exclusion requests, and fulfil phmacoa's responsible gaming obligations under PAGCOR's framework.
• Platform improvement: To analyse usage data and gaming activity trends in order to improve phmacoa's platform, user interface, and game offerings.
• Marketing communications: Where a Member has provided explicit consent, to send personalised promotional offers, bonus notifications, and platform updates. Members may withdraw this consent at any time.

Under the Data Privacy Act of 2012, phmacoa processes personal data on the following legal bases:

• Contractual necessity: Processing required to enter into and perform the Member agreement — including account creation, game service delivery, and payment processing — is necessary for the fulfilment of phmacoa's contractual obligations to the Member.
• Legal obligation: Processing required to comply with PAGCOR regulations, AMLC reporting duties, NPC registration and compliance requirements, and other applicable Philippine law obligations.
• Legitimate interest: Processing carried out in pursuit of phmacoa's legitimate business interests, including fraud prevention, platform security, and analytics, where such interests are not overridden by Members' privacy rights.
• Consent: Where processing is not otherwise justified by the above bases — particularly for marketing communications — phmacoa will seek the Member's freely given, specific, and informed consent before processing commences. Consent may be withdrawn at any time without penalty.

phmacoa does not sell, rent, or trade Members' personal data to third parties for their own commercial purposes. phmacoa will share Member data only in the following circumstances and only to the extent necessary:

• PAGCOR and regulatory authorities: phmacoa is required to share Member data with PAGCOR, the AMLC, the NPC, and other competent Philippine government authorities upon lawful request or as mandated by applicable regulations. This includes suspicious transaction reports, self-exclusion list data, and KYC documentation.
• Payment processing partners: Transaction data shared with GCash, Maya, BPI, BDO, Metrobank, and other payment providers strictly as required to process deposit and withdrawal transactions. These providers are independently regulated in the Philippines.
• Identity verification service providers: Personal data and ID document images shared with phmacoa's KYC verification partners for the sole purpose of fulfilling PAGCOR identity verification requirements.
• Game software suppliers: Technical game session data shared with JILI, Pragmatic Play, PG Soft, and other game providers as required for game operation, outcome certification, and technical support. These suppliers do not receive personal identity information beyond what is technically necessary.
• Cloud infrastructure and IT service providers: Data processed by phmacoa's hosting, security, and technical infrastructure providers under strict data processing agreements that require compliance with the DPA.
• Law enforcement: Where required by Philippine law, court order, or to protect the legal rights, safety, or property of phmacoa or third parties.

phmacoa retains personal data only for as long as necessary to fulfil the purposes for which it was collected, subject to the following minimum retention periods:

Upon expiry of the applicable retention period, phmacoa will securely delete or anonymise personal data in accordance with industry-standard data destruction procedures, unless continued retention is required by a specific ongoing legal obligation.

phmacoa has implemented the following technical and organisational security measures to protect Members' personal data against unauthorised access, disclosure, alteration, or destruction:

• 256-bit SSL/TLS encryption for all data transmitted between Members' devices and phmacoa's servers, equivalent to the encryption standard used by Philippine banks and major financial institutions;
• Bcrypt password hashing — Member passwords are never stored in plain text. Even phmacoa's own systems cannot retrieve a Member's password, only reset it via OTP;
• Multi-factor authentication via SMS OTP, required for every new login session, preventing unauthorised account access even when a password is compromised;
• Role-based access controls limiting access to Member personal data to only those phmacoa employees whose roles require it, with comprehensive audit logging of all data access events;
• Firewall and intrusion detection systems monitoring phmacoa's infrastructure for anomalous access patterns and potential security threats;
• Regular security audits and penetration testing conducted by qualified security professionals to identify and remediate vulnerabilities;
• Data minimisation practices ensuring phmacoa collects and retains only the personal data strictly necessary for stated processing purposes.

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of affected Members, phmacoa will notify the National Privacy Commission (NPC) within 72 hours of becoming aware of the breach, and will notify affected Members without undue delay, in accordance with the DPA's breach notification requirements.

phmacoa uses cookies and similar tracking technologies on phmacoa.club. A cookie is a small text file stored on your device by your browser when you visit a website. phmacoa uses the following categories of cookies:

• Strictly necessary cookies: Essential for the operation of the phmacoa platform — including maintaining your login session, remembering your language preferences, and enabling the secure processing of transactions. These cannot be disabled without affecting platform functionality.
• Performance and analytics cookies: Collecting anonymised data about how Members interact with phmacoa.club — pages visited, time on page, error events — to help phmacoa improve platform performance and user experience. Data collected by analytics cookies does not identify individual Members.
• Functional cookies: Remembering optional preferences such as game lobby display settings, last visited game category, and notification preferences to personalise your phmacoa experience.
• Security cookies: Supporting phmacoa's fraud detection and account security systems by detecting anomalous browsing patterns and flagging potentially unauthorised access attempts.

phmacoa does not use third-party advertising or tracking cookies that would allow external advertising networks to build profiles of Members' behaviour across other websites. Members may manage cookie preferences through their browser settings; however, disabling strictly necessary cookies will impair the functionality of the phmacoa platform.

Under Republic Act No. 10173 (the Data Privacy Act of 2012), you have the following rights with respect to your personal data held by phmacoa:

• Right to be informed: The right to be notified about the collection and processing of your personal data — which this Privacy Policy fulfils.
• Right to access: The right to obtain confirmation of whether phmacoa holds personal data about you, and to receive a copy of that data in a readable format.
• Right to rectification: The right to request correction of any inaccurate, incomplete, or outdated personal data phmacoa holds about you.
• Right to erasure (right to be forgotten): The right to request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, subject to applicable legal retention obligations.
• Right to object: The right to object to the processing of your personal data on the grounds of legitimate interest or for direct marketing purposes. Where you object to marketing processing, phmacoa will cease that processing immediately.
• Right to data portability: The right to receive your personal data in a structured, commonly used, machine-readable format, and to transmit that data to another controller where technically feasible.
• Right to withdraw consent: Where processing is based on your consent, the right to withdraw that consent at any time without penalty. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
• Right to complain: The right to lodge a complaint with the National Privacy Commission (NPC) if you believe phmacoa has processed your personal data in violation of the DPA.

To exercise any of the above rights, please contact phmacoa's Data Protection Officer using the details set out in Section 15. phmacoa will respond to all data subject rights requests within thirty (30) calendar days of receipt, as required by the DPA and its Implementing Rules and Regulations.

In the event that phmacoa discovers or is informed that personal data has been collected from a person under the age of 21, phmacoa will:

• Immediately suspend and permanently close the affected account;
• Delete all personal data associated with that account as promptly as technically feasible, subject to any mandatory retention obligations;
• Report the incident to PAGCOR as required by its licensing conditions;
• Refund any funds deposited by the minor in accordance with PAGCOR's applicable regulatory guidance.

Parents and legal guardians who believe a minor may have registered an account on phmacoa should contact phmacoa's Data Protection Officer immediately at the details in Section 15.

phmacoa's primary operations and data processing infrastructure are located within the Philippines. In some circumstances, personal data may be transferred to, or processed by, service providers and game suppliers operating from other countries in connection with the provision of cloud hosting, technical infrastructure, identity verification, or game software services.

Where such cross-border transfers occur, phmacoa ensures that appropriate safeguards are in place to protect the transferred data in accordance with the DPA and NPC standards. These safeguards include:

• Contractual data processing agreements incorporating standard data protection clauses approved by the NPC or equivalent competent authority;
• Transfers only to jurisdictions or entities that have been assessed as providing an adequate level of data protection;
• Technical security measures consistent with those described in Section 9 of this policy applied to all transferred data.

Members may request details of any cross-border data transfers applicable to their personal data by contacting phmacoa's Data Protection Officer.

phmacoa reserves the right to update or amend this Privacy Policy at any time to reflect changes in our processing activities, applicable Philippine law, NPC guidance, or PAGCOR regulatory requirements. The effective date at the top of this document will be updated to reflect the date of any material revision.

Where changes to this policy are material — that is, where they significantly affect Members' rights or phmacoa's data processing activities — phmacoa will provide advance notice to Members via their registered mobile number or email address, or via a prominent notice on phmacoa.club, at least seven (7) days before the revised policy takes effect.

Continued use of the phmacoa platform following the effective date of a revised Privacy Policy constitutes acceptance of the updated terms. Members who do not agree with any revisions should cease using the platform and contact phmacoa to request account closure.

The most current version of this Privacy Policy is always accessible at phmacoa.club/privacy-policy. phmacoa recommends that Members review this policy periodically to stay informed about how their personal data is handled.

phmacoa has appointed a Data Protection Officer (DPO) as required under the Data Privacy Act of 2012 for organisations processing sensitive personal information. The DPO is responsible for overseeing phmacoa's data protection compliance, handling data subject rights requests, and serving as the primary point of contact for data privacy matters.

To exercise your data subject rights, lodge a data privacy complaint, or enquire about phmacoa's personal data processing practices, you may contact the phmacoa Data Protection Officer through the following channels:

• Email: [email protected] (mark your subject line: "Data Privacy — [Your Request Type]")
• Live Chat: Available 24 hours a day, 7 days a week via the support widget on phmacoa.club

phmacoa will acknowledge all data privacy requests within three (3) business days and provide a substantive response within thirty (30) calendar days of receipt. Complex requests requiring additional investigation may take up to sixty (60) calendar days, in which case phmacoa will notify the Member of the extended timeframe with explanation.

If you are not satisfied with phmacoa's response to your data privacy concern, you have the right to escalate your complaint to the National Privacy Commission (NPC) of the Philippines, which is the government body responsible for enforcing the DPA. Information about how to file a complaint with the NPC is available through official Philippine government channels.