ph38 Privacy Policy

ph38 ("ph38," "we," "us," or "our") is the operator of the online gaming platform accessible at ph38.app, offering live casino games, slots, number games (Keno, Triple), Bingo, and sports betting to registered players in the Philippines. ph38 acts as the Personal Information Controller (PIC) in respect of the personal data it processes about you, as defined under the Data Privacy Act of 2012 (RA 10173).

This Privacy Policy applies to all personal data collected through the ph38 website, mobile-optimized platform, customer support channels, and any other service operated by ph38. By registering an account or using any ph38 service, you acknowledge that you have read and understood this Privacy Policy.

ph38 collects the following categories of personal data, depending on how you interact with the platform:

ph38 does not collect sensitive personal information (as defined under RA 10173) beyond what is strictly necessary for identity verification and regulatory compliance. ph38 does not collect biometric data except where required by specific regulatory directives.

ph38 collects personal data through the following means:

• Direct Submission: Information you provide when registering an account, completing KYC verification, making deposits or withdrawals, contacting customer support, or updating your account settings.
• Automated Collection: Technical data collected automatically when you access the ph38 platform, including IP address, device identifiers, browser information, and session activity logs.
• Cookies and Similar Technologies: ph38 uses cookies and similar tracking technologies to maintain session state, remember preferences, and analyze platform usage. See Section 9 for details.
• Third-Party Sources: ph38 may receive data from payment processors (e.g., transaction confirmation from GCash or PayMaya), identity verification service providers, and fraud prevention services, solely for the purposes described in this policy.
• Regulatory Sources: In limited circumstances, ph38 may receive data from PAGCOR or other regulatory bodies as part of compliance obligations.

ph38 processes your personal data for the following purposes:

• Account Management: To create, maintain, and administer your ph38 account, including verifying your identity and eligibility to use the platform.
• Service Delivery: To provide access to games, process deposits and withdrawals, credit bonuses, and deliver all other platform services you have requested.
• Regulatory Compliance: To comply with obligations under the Data Privacy Act of 2012, Anti-Money Laundering Act (AMLA), PAGCOR regulations, and other applicable Philippine laws, including KYC verification and transaction monitoring.
• Fraud Prevention & Security: To detect, investigate, and prevent fraudulent activity, unauthorized account access, money laundering, and other prohibited conduct.
• Responsible Gaming: To monitor gaming activity for signs of problem gambling, enforce deposit limits and self-exclusion requests, and provide responsible gaming tools and interventions where appropriate.
• Customer Support: To respond to your inquiries, resolve disputes, and improve the quality of our support services.
• Platform Improvement: To analyze usage patterns, troubleshoot technical issues, and develop new features and services on the ph38 platform.
• Marketing Communications: To send you promotional offers, bonus notifications, and platform updates, where you have provided consent or where permitted under applicable law. You may opt out at any time through your account settings.
• Legal Claims: To establish, exercise, or defend legal claims in connection with your use of the ph38 platform.

ph38 processes your personal data on the following legal bases under the Data Privacy Act of 2012 (RA 10173) and its Implementing Rules and Regulations:

• Contractual Necessity: Processing is necessary to perform the contract between you and ph38 — specifically, to provide the gaming services you have registered for and to process your financial transactions.
• Legal Obligation: Processing is required to comply with ph38's obligations under Philippine law, including AMLA, PAGCOR regulations, and tax reporting requirements.
• Legitimate Interests: Processing is necessary for ph38's legitimate interests in fraud prevention, platform security, responsible gaming enforcement, and service improvement, provided these interests are not overridden by your rights and freedoms.
• Consent: For marketing communications and certain non-essential cookies, ph38 relies on your freely given, specific, and informed consent. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
• Vital Interests: In exceptional circumstances, ph38 may process data to protect your vital interests or those of another person, such as in a responsible gaming intervention.

ph38 may share your personal data with the following categories of recipients, strictly on a need-to-know basis and subject to appropriate data protection safeguards:

• Payment Processors: GCash, PayMaya/Maya, BPI, BDO, Metrobank, UnionBank, Landbank, PNB, Security Bank, and debit card processors — solely to facilitate deposits and withdrawals.
• Identity Verification Providers: Third-party KYC and AML screening services engaged by ph38 to verify your identity and screen against sanctions and watchlists.
• Game Content Providers: Licensed game studios and live dealer providers whose games are available on the ph38 platform, to the extent necessary to deliver the gaming service.
• Technology Service Providers: Cloud hosting, cybersecurity, analytics, and customer support platform providers engaged by ph38 under strict data processing agreements.
• Regulatory Authorities: PAGCOR, the Anti-Money Laundering Council (AMLC), the National Privacy Commission (NPC), and other competent Philippine authorities, where disclosure is required by law or regulatory directive.
• Law Enforcement: Philippine law enforcement agencies, where ph38 is legally required or permitted to disclose data in connection with the investigation or prosecution of criminal offenses.
• Business Transfers: In the event of a merger, acquisition, or sale of all or part of ph38's business, your data may be transferred to the acquiring entity, subject to equivalent data protection obligations.

ph38 retains your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. The following general retention periods apply:

Upon expiry of the applicable retention period, ph38 will securely delete or anonymize your personal data in accordance with its data disposal procedures. Anonymized data that can no longer identify you may be retained indefinitely for statistical and analytical purposes.

ph38 implements a comprehensive set of technical and organizational security measures to protect your personal data against unauthorized access, disclosure, alteration, loss, or destruction. These measures include:

• Encryption: All data transmitted between your device and the ph38 platform is encrypted using industry-standard TLS (Transport Layer Security) protocols. Sensitive data at rest is encrypted using AES-256 or equivalent standards.
• Access Controls: Access to personal data is restricted to ph38 personnel and authorized service providers who have a legitimate need to access it. Role-based access controls and multi-factor authentication are enforced for all internal systems.
• Intrusion Detection: ph38 operates continuous network monitoring and intrusion detection systems to identify and respond to security threats in real time.
• Vulnerability Management: ph38 conducts regular security assessments, penetration testing, and vulnerability scans of its platform and infrastructure.
• Staff Training: All ph38 personnel who handle personal data receive regular data privacy and security training.
• Incident Response: ph38 maintains a documented data breach response plan. In the event of a personal data breach that poses a real risk to your rights and freedoms, ph38 will notify the National Privacy Commission (NPC) within 72 hours and affected individuals without undue delay, as required by RA 10173.

ph38 uses cookies and similar technologies (such as web beacons and local storage) to operate and improve the platform. The following types of cookies are used:

• Strictly Necessary Cookies: Essential for the platform to function. These include session cookies that keep you logged in and security cookies that protect against cross-site request forgery. These cannot be disabled without breaking core platform functionality.
• Functional Cookies: Remember your preferences such as language settings, responsible gaming limits, and display preferences to provide a more personalized experience.
• Analytics Cookies: Collect aggregated, anonymized data about how players use the ph38 platform — such as which games are most popular and where users encounter difficulties — to help ph38 improve the service. These are only set with your consent.
• Security & Fraud Prevention Cookies: Help ph38 detect and prevent fraudulent activity, bot access, and account takeover attempts.

You can manage your cookie preferences through your browser settings. Note that disabling certain cookies may affect the functionality of the ph38 platform. ph38 does not use third-party advertising or retargeting cookies.

Under the Data Privacy Act of 2012 (RA 10173), you have the following rights in relation to your personal data held by ph38:

• Right to Be Informed: The right to be informed of how your personal data is collected, used, and processed — which this Privacy Policy fulfills.
• Right of Access: The right to request a copy of the personal data ph38 holds about you, along with information about how it is being processed.
• Right to Rectification: The right to request correction of inaccurate or incomplete personal data. You can update most account information directly through your ph38 account settings.
• Right to Erasure: The right to request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, subject to ph38's legal retention obligations.
• Right to Object: The right to object to the processing of your personal data for direct marketing purposes or where processing is based on legitimate interests.
• Right to Data Portability: The right to receive your personal data in a structured, commonly used, and machine-readable format, where technically feasible.
• Right to Lodge a Complaint: The right to lodge a complaint with the National Privacy Commission (NPC) if you believe ph38 has violated your data privacy rights.

To exercise any of these rights, please contact ph38's Data Protection Officer (DPO) using the contact details in Section 13. ph38 will respond to all verified requests within thirty (30) days, as required by RA 10173. ph38 may need to verify your identity before processing your request.

The ph38 platform is strictly intended for adults aged 21 years and above, in accordance with Philippine gaming regulations. ph38 does not knowingly collect personal data from individuals under the age of 21.

If ph38 discovers or is notified that personal data has been collected from a person under 21 years of age, ph38 will immediately close the associated account, delete the personal data in question, and handle any funds in accordance with applicable regulations.

If you are a parent or guardian and believe that your child has registered on the ph38 platform, please contact our support team immediately via live chat or by emailing our DPO at the address in Section 13.

ph38 may update this Privacy Policy from time to time to reflect changes in our data processing practices, applicable law, or regulatory requirements. When material changes are made, ph38 will notify registered players via email or in-platform notification at least seven (7) days before the changes take effect, where practicable.

The most current version of this Privacy Policy will always be available at ph38.app/privacy-policy. The "Effective Date" at the top of this document indicates when the current version came into force. Your continued use of the ph38 platform after the effective date of any update constitutes your acknowledgment of the revised policy.

ph38 encourages you to review this Privacy Policy periodically to stay informed about how your personal data is being protected.

ph38 has appointed a Data Protection Officer (DPO) responsible for overseeing compliance with the Data Privacy Act of 2012 and this Privacy Policy. If you have any questions, concerns, or requests regarding your personal data or this Privacy Policy, please contact us through the following channels:

• Live Chat: Available 24/7 directly within the ph38 platform. This is the fastest way to reach our support team for general privacy inquiries.
• DPO Email: [email protected] — for formal data subject rights requests, data breach notifications, and DPO-specific matters. Responses within 30 days as required by RA 10173.
• General Support Email: [email protected] — for general account and platform inquiries.

All email addresses above are displayed as plain text and are not clickable links. Please copy the address manually into your email client.