phiwin Privacy Policy

phiwin ("phiwin," "we," "us," or "our"), the operator of the online gaming platform accessible at phiwin.vip, is the Personal Information Controller (PIC) for the purposes of the Philippine Data Privacy Act of 2012 (Republic Act No. 10173, "DPA") in respect of all personal data collected through the phiwin Platform.

As Personal Information Controller, phiwin determines the purposes and means of processing your personal data and is accountable for ensuring that all processing is carried out lawfully, transparently, and with appropriate safeguards as required under the DPA and its implementing rules and regulations (IRR) issued by the National Privacy Commission (NPC).

Where phiwin engages third-party service providers to process personal data on its behalf, those providers act as Personal Information Processors (PIP) and are contractually bound to process data only under phiwin's documented instructions and to implement appropriate security measures.

phiwin collects and processes the following categories of personal data, depending on how you interact with the Platform:

phiwin collects personal data through the following channels and mechanisms:

• Direct submission: Information you provide when registering an Account, completing KYC verification, making deposits or withdrawal requests, contacting customer support, or responding to surveys or promotions;
• Automated technical collection: Data collected automatically when you access the phiwin Platform, including IP address, device identifiers, browser type, session duration, pages visited, and interaction patterns through cookies and similar tracking technologies;
• Payment providers: Transaction confirmation data received from GCash, PayMaya, BPI, BDO, Metrobank, UnionBank, and other payment processors when you initiate deposits or withdrawals;
• KYC and identity verification services: Data received from third-party identity verification providers engaged by phiwin to validate documents submitted during the KYC process;
• Fraud detection and security systems: Automated systems that analyse behavioural patterns, login anomalies, and transaction signals for fraud prevention and account security purposes;
• Regulatory sources: In certain circumstances, phiwin may receive information from PAGCOR, the AMLC, or other regulatory bodies as part of compliance obligations.

phiwin processes your personal data on the following legal bases under the DPA and its IRR:

1. Contractual necessity: Processing required to perform our obligations under the Terms & Conditions you have accepted — including account management, payment processing, game provision, and customer support;
2. Legal obligation: Processing required to comply with applicable Philippine laws and regulations, including PAGCOR directives, the Anti-Money Laundering Act (AMLA), and KYC requirements imposed by law;
3. Legitimate interests: Processing necessary for phiwin's legitimate business interests, including fraud prevention, platform security, responsible gaming monitoring, and business analytics — where such interests are not overridden by your rights and interests;
4. Consent: Where phiwin relies on your consent as a legal basis (e.g., for direct marketing communications), you may withdraw that consent at any time without affecting the lawfulness of prior processing.

phiwin uses the personal data we collect for the following purposes:

• Account management: Creating, maintaining, and securing your phiwin Account; processing login authentication including two-factor verification via your Philippine mobile number;
• KYC and age verification: Verifying your identity and confirming that you are 21 years of age or older, as required by PAGCOR for all licensed gaming operations;
• Payment processing: Processing deposits from and withdrawals to your GCash, PayMaya, BPI, BDO, Metrobank, or UnionBank accounts in Philippine Peso;
• Game provision: Delivering all gaming services including live casino, slots, sports betting, bingo, and sabong; maintaining game history and transaction records;
• Responsible gaming: Monitoring gaming behaviour to identify potential problem gambling; applying deposit limits, session controls, cooling-off periods, and self-exclusion restrictions as set by you or required by policy;
• Customer support: Responding to your queries, complaints, and technical issues through live chat and email support;
• Fraud prevention and security: Detecting and preventing fraud, money laundering, account hijacking, collusion, and other prohibited activities; maintaining platform integrity;
• Regulatory compliance: Meeting reporting obligations to PAGCOR, the AMLC, the NPC, and other competent Philippine authorities;
• Platform improvement: Analysing aggregated usage data to improve the Platform, game library, user experience, and payment processes — conducted on anonymised or pseudonymised data where possible;
• Marketing: Sending promotional offers, bonuses, and platform updates to players who have opted in to receive such communications — subject to your right to opt out at any time.

6.1 General Principle. phiwin does not sell, rent, or trade your personal data to any third party for commercial purposes. Data is disclosed to third parties only to the extent necessary for legitimate operational, legal, or regulatory purposes as described below.

6.2 Service Providers (Personal Information Processors). phiwin engages the following categories of third-party service providers who may process personal data on phiwin's behalf:

• Payment processing partners (GCash, PayMaya, Philippine banks) for deposit and withdrawal processing;
• KYC and identity verification providers for document verification;
• Cloud infrastructure and hosting providers for secure platform operation;
• Game software providers (e.g., Pragmatic Play, PG Soft, Jili, Evolution) who may receive anonymised session data for game delivery;
• Customer support platform providers for live chat functionality;
• Fraud detection and cybersecurity service providers;
• Email and SMS delivery providers for account notifications and OTP delivery.

All service providers are bound by contractual data processing agreements requiring them to process personal data only under phiwin's instructions and to maintain appropriate security standards.

6.3 Regulatory and Legal Disclosures. phiwin is required by Philippine law to disclose certain data to:

• PAGCOR — as required under phiwin's gaming licence and applicable PAGCOR regulations;
• The Anti-Money Laundering Council (AMLC) — for covered and suspicious transaction reporting under the AMLA;
• The National Privacy Commission (NPC) — in the event of a notifiable personal data breach;
• Philippine law enforcement or courts — in response to a valid court order, subpoena, or lawful directive from a competent government authority.

7.1 What Are Cookies. Cookies are small text files placed on your device by the phiwin Platform when you visit or log in. They enable the Platform to recognise your device, maintain your session, and remember preferences across visits.

7.2 Types of Cookies Used by phiwin.

• Strictly necessary cookies: Essential for platform operation — session authentication, security tokens, login state management. These cannot be disabled without severely affecting platform functionality.
• Functional cookies: Remember your preferences such as language settings, preferred game categories, and responsible gaming notification intervals.
• Analytics cookies: Aggregate, anonymised data used by phiwin to understand how players use the Platform — pages visited, session duration, feature usage. This data does not identify individual players.
• Security cookies: Used by fraud detection systems to identify anomalous behaviour patterns that may indicate account compromise or prohibited activity.

7.3 Managing Cookies. You may manage cookie preferences through your browser settings. Disabling strictly necessary cookies will impair your ability to log in and use the Platform. phiwin does not use third-party advertising or remarketing cookies.

8.1 Retention Principle. phiwin retains personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable Philippine law and regulation. Retention periods are determined with reference to legal requirements, business necessity, and the rights of data subjects.

8.2 Specific Retention Periods.

• Active Account data: Retained for the duration of your active Account relationship with phiwin, plus a post-closure period as required by law;
• KYC and identity documents: Retained for a minimum of five (5) years following Account closure, consistent with AMLA record-keeping requirements;
• Financial transaction records: Retained for a minimum of five (5) years in compliance with AMLA and PAGCOR requirements;
• Gaming history and bet records: Retained for a minimum of three (3) years;
• Customer support records: Retained for three (3) years from the date of the interaction;
• Marketing consent records: Retained for the duration of your opt-in plus a minimum of three (3) years to evidence consent.

8.3 Deletion. Upon expiry of the applicable retention period, personal data will be securely deleted or anonymised in accordance with phiwin's data disposal procedures. Anonymised data retained for analytics purposes does not identify individuals and falls outside the scope of this Privacy Policy.

9.1 Technical Safeguards. phiwin implements a comprehensive range of technical security measures to protect your personal data against unauthorised access, disclosure, alteration, and destruction:

• 256-bit SSL/TLS encryption for all data in transit between your device and phiwin servers;
• Encryption of sensitive data at rest, including government ID images and financial account references;
• Multi-factor authentication requirements for administrative access to systems containing personal data;
• Firewall protection, intrusion detection systems, and continuous security monitoring;
• Regular third-party security audits and penetration testing of platform infrastructure;
• Secure development practices including input validation and protection against common web application vulnerabilities.

9.2 Organisational Safeguards. phiwin's organisational data protection measures include:

• Role-based access controls limiting employee access to personal data on a strict need-to-know basis;
• Regular data protection training for all staff handling personal data;
• Documented data processing procedures and internal privacy policies;
• A designated Data Protection Officer (DPO) responsible for overseeing DPA compliance;
• Vendor due diligence processes for all third-party processors.

9.3 Breach Response. In the event of a personal data breach, phiwin will follow its Incident Response Plan, assess the risk to data subjects, notify the National Privacy Commission within seventy-two (72) hours of becoming aware of a notifiable breach, and notify affected players without undue delay where the breach poses a real risk to their rights and freedoms.

The phiwin Platform primarily processes and stores data within infrastructure located in or connected to the Philippines. However, certain third-party service providers — including cloud hosting infrastructure providers and game software suppliers — may be located in, or process data from, jurisdictions outside the Philippines.

Where personal data is transferred outside the Philippines, phiwin ensures that appropriate safeguards are in place as required under Section 21 of the DPA and its IRR, including:

• Standard contractual clauses with the receiving processor requiring compliance with DPA-equivalent protections;
• Transfer only to jurisdictions determined by the NPC to offer an adequate level of data protection; or
• Other lawful transfer mechanisms as may be prescribed by the NPC from time to time.

phiwin does not transfer your personal data internationally for purposes beyond those set out in this Privacy Policy. Game software providers receive only the minimum anonymised session data necessary for game delivery and do not receive personally identifiable information unless strictly required.

Under the Philippine Data Privacy Act of 2012, you have the following rights with respect to your personal data held by phiwin. These rights may be exercised at any time by contacting phiwin's Data Protection Officer through the contact details in Section 16:

• Right to be Informed: The right to be notified of how your personal data is being processed, including the basis and purpose of processing, and the identity of phiwin as the data controller;
• Right of Access: The right to request a copy of the personal data phiwin holds about you, along with information about how it is being processed;
• Right to Rectification: The right to request correction of inaccurate, incomplete, or outdated personal data in your Account;
• Right to Erasure (Right to be Forgotten): The right to request deletion of your personal data where it is no longer necessary for the purpose for which it was collected, or where you withdraw consent, subject to phiwin's legal retention obligations under the AMLA, PAGCOR regulations, and other applicable law;
• Right to Object: The right to object to processing of your personal data for direct marketing purposes or based on legitimate interests, where you have grounds relating to your particular situation;
• Right to Data Portability: The right to receive personal data you have provided to phiwin in a structured, commonly used, and machine-readable format;
• Right to Lodge a Complaint: The right to lodge a complaint with the National Privacy Commission (NPC) if you believe phiwin has processed your personal data in violation of the DPA.

12.1 Consent-Based Marketing. phiwin sends promotional emails, SMS notifications, and in-platform messages about bonuses, new games, and platform updates only to players who have opted in to receive such communications. Your consent to receive marketing is obtained at registration and can be updated at any time through your Account notification settings.

12.2 Opt-Out. You may opt out of marketing communications at any time by: (a) adjusting your notification preferences in your phiwin Account settings; (b) clicking the unsubscribe link in any promotional email; or (c) contacting phiwin customer support and requesting removal from all marketing communications.

12.3 Transactional Notifications. Opting out of marketing communications does not affect the delivery of transactional notifications — such as deposit confirmations, withdrawal processing updates, OTP messages, and security alerts — which are sent as essential account communications regardless of marketing preferences.

12.4 No Third-Party Marketing. phiwin does not disclose your contact details to any third-party advertisers or marketing agencies for their own marketing purposes.

The phiwin Platform is strictly restricted to persons aged twenty-one (21) years and above, as required by PAGCOR regulation. phiwin does not knowingly collect, process, or retain personal data from individuals under the age of 21.

Where phiwin discovers that personal data has been collected from a minor — including through an Account registered with false age information — the Account will be immediately suspended, all associated data will be handled in accordance with applicable law, and any funds deposited will be returned to the payment source, with all associated winnings voided.

The phiwin Platform may contain references or links to the websites of payment providers (such as GCash and PayMaya) and regulatory bodies. These third-party sites operate under their own privacy policies, which are independent of and unrelated to this Privacy Policy.

phiwin is not responsible for the privacy practices or content of any third-party website. We recommend reviewing the privacy policy of any third-party site before submitting personal data to it. The presence of a reference to a third-party service on the phiwin Platform does not constitute phiwin's endorsement of that service's privacy practices.

phiwin reserves the right to update or amend this Privacy Policy at any time to reflect changes in our data practices, applicable law, PAGCOR requirements, or NPC guidance. The "Last Updated" date and version number at the top of this page will be updated whenever material changes are made.

Where changes are material — such as a significant change to the categories of data collected, the purposes for which it is used, or the third parties with whom it is shared — phiwin will notify active players via their registered email address or via a notice displayed upon next login. Your continued use of the phiwin Platform following the effective date of any amendment constitutes your acceptance of the updated Privacy Policy.

Previous versions of this Privacy Policy are available on request by contacting phiwin's Data Protection Officer. phiwin recommends reviewing this page periodically to stay informed about how your data is protected.

phiwin has designated a Data Protection Officer (DPO) as required under the Philippine Data Privacy Act. The DPO is responsible for overseeing compliance with the DPA, handling data subject requests, and serving as phiwin's point of contact with the National Privacy Commission.

For any questions, concerns, or requests relating to this Privacy Policy or your personal data, including the exercise of your data subject rights, you may contact phiwin through the following:

• Email: [email protected] (plain text — not a clickable link; copy and paste into your email client)
• Live Chat: Available 24/7 through your logged-in phiwin Account — use the "Privacy / Data Request" subject option
• Platform: phiwin.vip

phiwin's customer support and DPO team include Tagalog-fluent staff to assist Filipino players across Metro Manila, Cebu, Davao, and the rest of the Philippines. Response times for data subject requests are within thirty (30) calendar days of receipt of a verifiable request, as required under the DPA.

If you are not satisfied with phiwin's handling of a data protection matter, you have the right to lodge a complaint with the National Privacy Commission of the Philippines through its official government channels.