phataya Privacy Policy

This Privacy Policy ("Policy") is issued by phataya ("phataya," "Company," "we," "us," "our"), the operator of the online gaming platform accessible at phataya.co and its associated mobile applications and services (the "Platform"). This Policy applies to all personal data collected from individuals ("Users," "Players," "you") who register, access, or interact with the Platform in any capacity.

This Policy is to be read alongside phataya's Terms and Conditions. In the event of a conflict between this Policy and the Terms and Conditions on a privacy matter, this Policy shall prevail.

phataya acts as the Personal Information Controller (PIC) as defined under Republic Act No. 10173 (the Data Privacy Act of 2012, "DPA") and its Implementing Rules and Regulations ("IRR") with respect to personal data processed in connection with the Platform. phataya has registered with the National Privacy Commission (NPC) of the Philippines as required by applicable law.

This Policy does not apply to third-party websites, payment processors, or service providers that maintain their own privacy policies. phataya is not responsible for the privacy practices of third parties, even where links to their services appear on or are integrated within the Platform.

phataya collects personal data that is necessary, proportionate, and relevant to the purposes described in this Policy. The categories of personal data we collect include:

phataya does not intentionally collect sensitive personal information such as racial or ethnic origin, political opinions, religious beliefs, or health information unless specifically required for responsible gaming compliance or regulatory purposes, and only with your explicit consent or as legally mandated.

phataya processes your personal data for the following purposes:

• Account Creation and Management: To register your account, verify your identity, maintain your account in good standing, and authenticate your logins via OTP and device verification.
• Service Delivery: To provide access to games, process deposits and withdrawals, credit winnings, apply bonuses, and deliver all Platform features and functions.
• KYC and AML Compliance: To verify your identity and age (21+), detect and prevent money laundering, fraud, and other financial crimes in compliance with Philippine Anti-Money Laundering Act (AMLA) requirements and PAGCOR regulations.
• Customer Support: To respond to your queries, resolve disputes, investigate complaints, and provide technical assistance.
• Responsible Gaming: To monitor gaming behaviour for signs of problem gambling, enforce self-imposed limits, process self-exclusion requests, and fulfil our duty of care obligations.
• Security and Fraud Prevention: To detect unauthorised access attempts, investigate suspicious account activity, enforce geolocation restrictions, and protect Platform integrity.
• Marketing Communications: To send you promotional offers, bonus notifications, and Platform updates — but only where you have provided consent or where permitted under applicable law. You may opt out at any time.
• Analytics and Platform Improvement: To understand how the Platform is used, optimise game offerings, improve user experience, and resolve technical issues.
• Legal and Regulatory Compliance: To comply with PAGCOR reporting requirements, NPC obligations, court orders, and other applicable Philippine laws.

Under the Data Privacy Act of 2012, phataya processes your personal data on the following lawful bases:

• Contract Performance: Processing necessary to perform the contract between you and phataya — including account management, game delivery, and payment processing.
• Legal Obligation: Processing required to comply with applicable Philippine laws, including AMLA, PAGCOR regulations, tax obligations, and NPC requirements.
• Legitimate Interests: Processing necessary for phataya's legitimate interests, including fraud prevention, Platform security, and service improvement — provided these interests are not overridden by your fundamental rights.
• Consent: Processing based on your freely given, specific, informed, and unambiguous consent — including consent to marketing communications and non-essential cookies. You may withdraw consent at any time without affecting the lawfulness of prior processing.

phataya does not sell your personal data to third parties. We share personal data only in the following circumstances and only to the extent necessary:

• Payment Processors: GCash, Maya, BPI, BDO, UnionBank, and other payment service providers receive transaction-relevant data to process deposits, withdrawals, and refunds. These providers operate under their own privacy policies and are bound by data processing agreements with phataya.
• Game Providers: Game software providers (such as Pragmatic Play, PG Soft, Evolution Gaming) receive session-level gaming data necessary to operate game rounds. Game providers do not receive your full identity or financial data.
• KYC/AML Verification Partners: Identity verification service providers process KYC documents on phataya's behalf under strict data processing agreements.
• Regulatory Authorities: phataya discloses data to PAGCOR, the Anti-Money Laundering Council (AMLC), the National Privacy Commission, and other Philippine government authorities when required by law, regulation, or lawful order.
• Law Enforcement: phataya cooperates with Philippine law enforcement agencies when presented with valid legal process.
• Corporate Transactions: In the event of a merger, acquisition, or asset sale involving phataya, your personal data may be transferred as part of that transaction, subject to equivalent privacy protections.

All third-party recipients of personal data are required by phataya to implement appropriate technical and organisational security measures and to process data only for the specified purpose.

phataya retains personal data for as long as necessary to fulfil the purposes for which it was collected, including to satisfy applicable legal, regulatory, and reporting obligations. Key retention periods include:

Upon expiry of the applicable retention period, personal data is securely deleted or anonymised in accordance with phataya's data destruction procedures.

phataya implements a multi-layered security framework to protect your personal data from unauthorised access, disclosure, alteration, or destruction. Key technical and organisational measures include:

• Encryption in Transit: All data transmitted between your device and the phataya Platform is encrypted using TLS 1.3 (256-bit AES) — equivalent to the standard used by major Philippine banks.
• Encryption at Rest: Sensitive personal data stored in phataya's systems, including KYC documents and financial records, is encrypted at rest using AES-256.
• Password Security: Passwords are stored using bcrypt hashing with individual per-account salts. phataya never stores passwords in plain text.
• Two-Factor Authentication: All account logins on new devices require SMS OTP verification, providing a second layer of identity assurance.
• Access Controls: Personal data is accessible only to phataya personnel and authorised service providers on a strict need-to-know basis. Role-based access controls are enforced across all internal systems.
• Intrusion Detection: phataya operates continuous monitoring for suspicious access patterns, unauthorised login attempts, and anomalous data access events.
• Regular Security Audits: phataya engages independent third-party security professionals to conduct periodic penetration testing and vulnerability assessments of the Platform.

Notwithstanding these measures, no electronic transmission or storage system can be guaranteed to be 100% secure. In the event of a personal data breach that poses a risk to your rights and freedoms, phataya will notify affected individuals and the National Privacy Commission in accordance with NPC Circular No. 16-03 and applicable DPA requirements.

phataya uses cookies and similar tracking technologies to operate the Platform, enhance user experience, and analyse Platform usage. The types of cookies used include:

• Essential Cookies: Required for the Platform to function — including session authentication, login state maintenance, and security tokens. These cannot be disabled without affecting Platform functionality.
• Functional Cookies: Remember your preferences such as language settings, game display options, and accepted notification states.
• Analytics Cookies: Collect aggregated, anonymised information about how users navigate the Platform to help phataya improve features and identify technical issues.
• Security Cookies: Support fraud detection and bot prevention mechanisms, including device fingerprinting for suspicious login detection.

phataya does not use third-party advertising cookies or share cookie data with advertising networks. You may manage cookie preferences through your browser settings; however, disabling essential cookies will prevent full Platform functionality.

As a data subject under the Data Privacy Act of 2012, you have the following rights with respect to your personal data held by phataya:

• Right to Be Informed: The right to be informed of how your data is being collected and processed — which this Policy fulfils.
• Right of Access: The right to request a copy of the personal data phataya holds about you and information about how it is processed.
• Right to Rectification: The right to request correction of inaccurate or incomplete personal data. You may update most account details directly through your phataya account settings.
• Right to Erasure ("Right to be Forgotten"): The right to request deletion of your personal data where it is no longer necessary for the purpose collected, where consent is withdrawn, or where processing is unlawful — subject to legal retention obligations.
• Right to Object: The right to object to processing based on legitimate interests, including direct marketing. You may opt out of marketing communications at any time.
• Right to Data Portability: The right to receive your personal data in a structured, commonly used, machine-readable format.
• Right to Withdraw Consent: Where processing is based on consent, the right to withdraw that consent at any time without affecting the lawfulness of prior processing.
• Right to Lodge a Complaint: The right to lodge a complaint with the National Privacy Commission of the Philippines if you believe phataya has violated your data privacy rights.

To exercise any of these rights, contact phataya's Data Protection Officer at the contact details in Section 12. phataya will respond to valid requests within thirty (30) calendar days. We may ask you to verify your identity before processing a request.

The phataya Platform is strictly intended for individuals who are at least twenty-one (21) years of age. phataya does not knowingly collect personal data from persons under 21. Age verification is a mandatory component of the phataya registration and KYC process.

If phataya becomes aware that personal data has been collected from an individual under 21 years of age, that account will be immediately closed, all associated data will be deleted in accordance with phataya's data destruction procedures, and any funds held will be handled in accordance with PAGCOR guidelines and applicable law.

If you believe a minor has registered on the phataya Platform, please contact [email protected] immediately.

phataya may update this Privacy Policy from time to time to reflect changes in our data practices, Platform features, or applicable law. Material changes will be communicated to registered Users via in-Platform notification or SMS to the registered mobile number at least seven (7) days before the amended Policy takes effect.

The current version of this Policy is always accessible at phataya.co/privacy-policy. The "Last Updated" date at the top of this document indicates when the most recent revision was made. Continued use of the Platform after the effective date of an amendment constitutes your acceptance of the updated Policy.

phataya has designated a Data Protection Officer (DPO) as required under the Data Privacy Act of 2012. To exercise your data privacy rights, submit a data subject request, or raise a privacy concern, please contact: