phshy Privacy Policy

1.1 Purpose. This Privacy Policy describes the personal data that phshy collects in connection with the operation of the phshy online gaming platform, the purposes for which that data is processed, the legal bases on which processing is justified, and the rights available to data subjects under Philippine law. phshy is committed to handling personal data responsibly, transparently, and in compliance with applicable data protection legislation.

1.2 Applicable Law. phshy processes personal data in accordance with the Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012 ("DPA"), and the implementing rules and regulations issued by the National Privacy Commission ("NPC") of the Philippines. Where phshy processes data from individuals located in other jurisdictions, applicable local data protection laws may also apply.

1.3 Data Controller. phshy acts as the personal data controller in respect of all personal data collected through the phshy Platform. As data controller, phshy is responsible for determining the purposes and means of processing your personal data and for ensuring that such processing complies with applicable law.

1.4 Related Documents. This Privacy Policy should be read alongside phshy's Terms & Conditions, Responsible Gaming Policy, and Cookie Policy, all of which form part of the overall framework governing your use of the phshy Platform. In the event of any inconsistency between this Privacy Policy and another phshy document on a privacy-related matter, this Privacy Policy shall prevail.

2.1 Categories of Data. phshy collects personal data in the following categories, depending on how you interact with the Platform:

2.2 Sensitive Personal Information. Under the Philippine DPA, certain categories of personal information are classified as "sensitive" and subject to heightened protection. phshy may process the following sensitive personal information in connection with PAGCOR-mandated compliance requirements: government identification numbers (PhilSys, TIN, SSS/GSIS numbers), financial account information, and, where required for responsible gaming assessments, information relating to health or vulnerability. phshy processes sensitive personal information only to the extent strictly necessary for the purposes identified in this Policy and subject to appropriate security measures.

2.3 Data You Provide Voluntarily. In addition to data collected as part of standard platform operations, you may voluntarily provide phshy with additional personal data through survey participation, promotional entries, or voluntary profile customization. Such data is processed only for the stated purpose of the activity in connection with which it was provided.

3.1 Purposes of Processing. phshy processes personal data for the following specific, legitimate purposes:

• Account Registration and Management: To create and maintain your phshy account, verify your identity, and manage your account settings and preferences;
• KYC and Anti-Money Laundering Compliance: To fulfill obligations under PAGCOR regulations and the Anti-Money Laundering Act (AMLA) of the Philippines, including identity verification and suspicious transaction monitoring;
• Transaction Processing: To process deposits and withdrawals via GCash, PayMaya, BPI, BDO, Metrobank, and other accepted payment channels, and to maintain accurate transaction records;
• Game Delivery and Platform Operation: To deliver gaming content, maintain game session records, calculate and credit winnings, and operate the phshy Platform generally;
• Customer Support: To respond to your inquiries, resolve disputes, and provide technical assistance;
• Fraud Prevention and Security: To detect, investigate, and prevent fraudulent activity, unauthorized account access, money laundering, and other prohibited conduct;
• Regulatory Reporting: To comply with mandatory reporting obligations to PAGCOR, the Anti-Money Laundering Council (AMLC), the Bureau of Internal Revenue (BIR), and other Philippine regulatory authorities;
• Responsible Gaming: To implement and monitor responsible gaming measures, including deposit limits, self-exclusion, and age verification, as required by PAGCOR;
• Marketing and Promotions: To send you information about phshy promotions, bonuses, and platform updates where you have not opted out of such communications;
• Platform Improvement: To analyze aggregated and anonymized usage data to improve the phshy Platform's features, performance, and user experience.

4.1 Bases Under the DPA. phshy processes personal data only where a lawful basis exists under the Philippine Data Privacy Act. The relevant bases are as follows:

• Consent: Where you have given phshy express consent to process your personal data for a specific purpose, such as marketing communications or the processing of sensitive personal information;
• Contractual Necessity: Where processing is necessary for the performance of phshy's obligations under the Terms & Conditions to which you are a party, such as account management and transaction processing;
• Legal Obligation: Where processing is necessary for phshy to comply with a legal obligation under Philippine law, including PAGCOR licensing requirements, AMLA obligations, and NPC data protection requirements;
• Legitimate Interests: Where processing is necessary for phshy's legitimate interests — including fraud prevention, platform security, and business analytics — and those interests are not overridden by your rights and interests as a data subject.

4.2 Withdrawal of Consent. Where phshy processes your personal data on the basis of consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing that occurred prior to withdrawal. Withdrawal of consent may limit phshy's ability to provide certain features or services to you.

5.1 General Principle. phshy does not sell, rent, or otherwise commercially transfer your personal data to third parties. phshy shares personal data only in the circumstances described in this section and only to the extent necessary for the stated purpose.

5.2 Service Providers. phshy engages third-party service providers who process personal data on phshy's behalf and under phshy's instruction as data processors. These include:

• Payment Processors: GCash (GXI), PayMaya (PayMongo), BPI, BDO, Metrobank, and other payment partners, for the purpose of processing deposits and withdrawals;
• Game Providers: Licensed game studios including JILI Gaming, PG Soft, Spadegaming, Evolution Gaming, and Ezugi, for the purpose of game delivery and session authentication;
• Identity Verification Providers: Third-party KYC and document verification services engaged by phshy to fulfill PAGCOR's Know Your Customer requirements;
• Cloud and Hosting Providers: Infrastructure and data hosting services engaged by phshy to operate and maintain the phshy Platform;
• Customer Support Tools: Live chat and support ticketing platforms used to manage customer communications.

All phshy data processors are contractually required to process personal data only on phshy's instructions, to implement appropriate security measures, and to comply with applicable data protection laws.

5.3 Regulatory Disclosure. phshy is required to disclose personal data to Philippine regulatory and law enforcement authorities in circumstances including but not limited to: PAGCOR compliance audits, AMLC suspicious transaction reporting obligations, BIR tax compliance requirements, NPC data breach notifications, and lawful orders issued by Philippine courts or other government bodies. Such disclosures are made in compliance with applicable law and do not constitute unauthorized disclosure under this Policy.

5.4 Business Transfers. In the event of a merger, acquisition, restructuring, or sale of all or substantially all of phshy's business assets, personal data held by phshy may be transferred to the relevant successor entity. In such circumstances, phshy will take reasonable steps to ensure that the recipient applies equivalent data protection standards and will notify you of the transfer.

6.1 Use of Cookies. phshy uses cookies and similar tracking technologies on the Platform to support essential functionality, improve performance, and understand how users interact with the Platform. A "cookie" is a small data file stored on your device by your web browser when you visit the phshy Platform.

6.2 Types of Cookies. phshy uses the following categories of cookies:

• Essential Cookies: Required for the Platform to function correctly, including login session management, security tokens, and language preferences. These cookies cannot be disabled without affecting platform functionality;
• Performance and Analytics Cookies: Used to collect aggregated information about how users interact with the phshy Platform, enabling phshy to identify improvements and optimize performance;
• Functional Cookies: Used to remember your preferences and settings, such as your preferred game lobby view or currency display format;
• Security Cookies: Used to support phshy's fraud prevention and account security systems, including device fingerprinting and session integrity checks.

6.3 Cookie Management. You may configure your browser settings to block or delete cookies. Note that blocking essential cookies will impair your ability to use the phshy Platform. Detailed instructions for managing cookies in common browsers are available in your browser's help documentation.

6.4 Analytics. phshy may use third-party analytics tools to analyze aggregated, anonymized Platform usage data. Such tools process data in accordance with their own privacy policies and do not receive personal data that could identify individual users beyond what is necessary for analytics purposes.

7.1 Retention Principles. phshy retains personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law, whichever is longer. phshy applies the principle of storage limitation, ensuring that personal data is not retained beyond its necessary period.

7.2 Retention Periods. The following retention periods apply to the major categories of personal data held by phshy:

• Account and Identity Data: Retained for the duration of your active phshy account, and for a minimum of five (5) years following account closure, in compliance with PAGCOR record-keeping requirements and AMLA retention obligations;
• Transaction Records: Retained for a minimum of five (5) years from the date of the transaction, as required under Philippine anti-money laundering regulations;
• KYC Documents: Retained for the duration of the account relationship and for five (5) years following account closure or the last transaction, whichever is later;
• Gaming Activity Logs: Retained for a minimum of three (3) years for operational, compliance, and dispute resolution purposes;
• Customer Support Communications: Retained for two (2) years from the date of the final communication in each support interaction;
• Marketing Consent Records: Retained for the period of your account relationship plus two (2) years to demonstrate compliance with consent-based processing.

7.3 Post-Retention Disposal. Upon expiry of the applicable retention period, phshy will securely delete or anonymize your personal data in a manner that prevents reconstruction or identification. Anonymized data may be retained indefinitely for statistical and analytics purposes, as it no longer constitutes personal data.

8.1 Security Measures. phshy implements a comprehensive set of technical and organizational security measures to protect your personal data against unauthorized access, disclosure, alteration, destruction, or loss. These measures include:

• 256-bit SSL/TLS encryption for all data transmitted between your device and the phshy Platform;
• Encryption of personal data at rest using industry-standard encryption algorithms;
• Access controls restricting phshy employee access to personal data on a need-to-know basis;
• Multi-factor authentication requirements for phshy staff accessing systems containing personal data;
• Regular security vulnerability assessments and penetration testing of the phshy Platform;
• Continuous monitoring of phshy systems for suspicious activity and unauthorized access attempts;
• Staff training on data protection obligations and security best practices.

8.2 Data Breach Response. In the event of a personal data breach that poses a real risk of harm to affected data subjects, phshy will notify the National Privacy Commission within 72 hours of becoming aware of the breach, as required under the DPA. Where the breach is likely to result in significant harm to affected individuals, phshy will also notify those individuals directly. phshy maintains a documented data breach response procedure and a dedicated Data Protection Officer responsible for overseeing the breach response process.

Under the Philippine Data Privacy Act, you have the following rights in respect of personal data that phshy holds about you. phshy will respond to all valid data subject requests within thirty (30) days of receipt, unless a longer period is justified by the complexity or volume of the request.

9.1 Exercising Your Rights. To exercise any of your rights under the DPA, please contact phshy's Data Protection Officer via the contact information provided in Section 13 of this Policy. phshy may require you to verify your identity before processing a data subject request to ensure that personal data is not disclosed to unauthorized parties. phshy will not charge a fee for responding to data subject requests in the ordinary course.

10.1 Age Verification. phshy implements age verification measures during account registration and at KYC verification stages to prevent underage individuals from accessing the Platform. Where phshy identifies or has reasonable grounds to believe that personal data has been collected from an individual below the minimum age requirement, phshy will immediately suspend the relevant account, delete the personal data collected, and notify the appropriate regulatory authority if required.

10.2 Parental Responsibility. Registered phshy users are responsible for ensuring that minors who have access to their devices cannot access the phshy Platform through their accounts. phshy strongly recommends enabling the lock screen or device PIN features on any device used to access phshy, and logging out of the Platform when the device is not in your personal possession.

11.1 International Processing. In connection with the operation of the phshy Platform, personal data may be transferred to and processed in countries other than the Philippines — for example, where phshy's cloud infrastructure providers or game provider partners maintain data processing facilities. Such transfers may occur in countries whose data protection laws differ from those of the Philippines.

11.2 Safeguards. Where phshy transfers personal data outside the Philippines, it takes steps to ensure that the receiving party provides an adequate level of data protection, either through contractual data processing agreements incorporating the NPC's standard data transfer clauses, or through other appropriate safeguards. phshy does not transfer personal data to jurisdictions that are not recognized by the NPC as providing adequate protection unless appropriate contractual safeguards are in place.

12.1 Right to Amend. phshy reserves the right to update or amend this Privacy Policy at any time to reflect changes in applicable law, regulatory requirements, or phshy's data processing practices. All amendments will be effective upon posting to the phshy Platform.

12.2 Notification of Changes. Where phshy makes material changes to this Privacy Policy — changes that significantly affect the nature or scope of how your personal data is processed — phshy will notify registered users via the mobile number or email address on file, or by means of a prominent notice on the phshy Platform, at least fourteen (14) days before the changes take effect.

12.3 Continued Use. Your continued use of the phshy Platform after the effective date of any amended Privacy Policy constitutes your acceptance of the amended Policy. If you do not agree with the amended Policy, you should discontinue use of the Platform and contact phshy to request account closure.

13.1 Data Protection Officer. phshy has designated a Data Protection Officer (DPO) responsible for overseeing phshy's compliance with the Philippine Data Privacy Act and for handling data subject requests and privacy-related complaints. You may contact the phshy DPO by submitting a request through the phshy live chat platform or by written inquiry sent to the platform's support email.

13.2 NPC Complaints. If you are not satisfied with phshy's response to your data privacy concern, you have the right to lodge a complaint with the National Privacy Commission of the Philippines. Information on how to file a complaint with the NPC is available through the NPC's official government communications. phshy cooperates fully with all NPC investigations.

This Privacy Policy was last updated on 1 January 2026. phshy reserves the right to update this document at any time. The version of the Privacy Policy published on the phshy Platform at the time of any event shall govern data processing in connection with that event.