phl99 Privacy Policy

This Policy applies to all personal data processed by phl99 in connection with the operation of the phl99.vip platform, including the casino gaming lobby, live dealer services, sports betting, bingo, Super Keno, and all associated account, payment, customer support, and marketing functions.

This Policy applies to all registered players, prospective users who visit phl99.vip, and individuals who interact with phl99 through any communication channel including Live Chat, email, or customer support. It covers personal data collected directly from you, data collected automatically through your use of the Platform, and data collected from third parties as described in Section 3.

For the purposes of the Data Privacy Act of 2012, phl99 acts as the Personal Information Controller ("PIC") in respect of the personal data of its registered players and website visitors. As PIC, phl99 determines the purposes and means of processing personal data collected through phl99.vip.

phl99 has appointed a Data Protection Officer ("DPO") as required under the Data Privacy Act. The DPO is responsible for overseeing phl99's data protection programme, ensuring compliance with applicable data privacy law, and serving as the point of contact for data subject rights requests and privacy-related enquiries.

Contact details for phl99's Data Protection Officer are provided in Section 15 of this Policy.

When you register for a phl99 account, transact on the Platform, or contact phl99 support, you provide us with personal data including:

• Identity data: Full legal name, date of birth, nationality, and copies of government-issued identification documents (UMID, SSS ID, Driver's License, Passport, PhilHealth ID, or Voter's ID);
• Contact data: Philippine mobile number, email address, and residential address;
• Financial data: GCash number, Maya account details, bank account information (BPI, BDO, Metrobank), and transaction history including deposits, withdrawals, and wager records;
• Account credentials: Username and hashed password (plaintext passwords are never stored);
• Support communications: Records of Live Chat conversations and email exchanges with phl99 support staff.

When you access phl99.vip, we automatically collect technical data about your device and browsing activity, including:

• IP address and approximate geolocation data;
• Device type, operating system, and browser type and version;
• Pages visited, session duration, click paths, and feature usage within the Platform;
• Cookie identifiers and similar tracking data (see Section 7);
• Game session data including game titles played, wager amounts, results, and session timestamps.

phl99 may receive personal data about you from third parties in the following circumstances:

• Payment processors (GCash, Maya, BPI, BDO, Metrobank, 7-Eleven CLiQQ, Coins.ph) for transaction verification and fraud screening;
• Identity verification service providers engaged to validate government-issued ID documents;
• Anti-fraud and anti-money laundering screening databases as required under PAGCOR and AMLC compliance obligations;
• Game software providers (JILI, Pragmatic Play, etc.) in respect of game session data generated within their respective gaming engines.

phl99 processes your personal data for the following purposes:

Under the Data Privacy Act of 2012, phl99 relies on the following legal grounds for processing personal data:

• Contract performance: Processing necessary to create and maintain your phl99 account, process deposits and withdrawals, and fulfil the gaming services you access on the Platform;
• Legal obligation: Processing required to comply with PAGCOR licensing conditions, Anti-Money Laundering Act obligations, NPC data privacy requirements, and other applicable Philippine laws;
• Legitimate interests: Processing for fraud prevention, security monitoring, responsible gaming enforcement, and platform improvement, where phl99's interests are not overridden by your privacy rights;
• Consent: Processing for marketing communications and non-essential cookies, where you have given explicit, informed, and freely given consent. You may withdraw consent at any time.

phl99 engages the following categories of service providers who process personal data on phl99's behalf, under binding data processing agreements that require them to maintain appropriate security measures and process data only as instructed by phl99:

• Payment processing and e-wallet providers (GCash, Maya, BPI, BDO, Metrobank, Coins.ph);
• Identity and KYC verification service providers;
• Cloud infrastructure and hosting providers;
• Game software providers (in respect of game session data);
• Customer support platform providers;
• Anti-fraud and anti-money laundering screening service providers.

phl99 may disclose personal data to the following authorities where required or permitted by Philippine law, without your prior consent:

• PAGCOR, in connection with licensing obligations, audits, and regulatory investigations;
• The Anti-Money Laundering Council (AMLC), for Covered Transaction Reports and Suspicious Transaction Reports required under RA 9160;
• The Bureau of Internal Revenue (BIR), for applicable tax reporting obligations;
• The Philippine National Police (PNP) or National Bureau of Investigation (NBI), pursuant to a valid court order or lawful warrant.

phl99.vip uses cookies and similar technologies to operate the Platform effectively and improve your experience. The following categories of cookies are used:

• Strictly necessary cookies: Essential to Platform functionality. These include session authentication cookies, security cookies, and load-balancing cookies. These cannot be disabled without impairing core Platform functions.
• Functional cookies: Enable personalisation features such as remembering your language preferences, last-visited game category, and account settings. These are enabled by default but can be disabled.
• Analytics cookies: Used to collect aggregated, anonymised data on how visitors use phl99.vip — pages visited, session duration, common navigation paths. This data helps phl99 improve the Platform. Your consent is obtained before these are activated.
• Fraud prevention cookies: Device fingerprinting and security tokens used to detect and prevent fraudulent account activity. These are activated as part of phl99's legitimate interest in platform security.

You may manage cookie preferences through your browser settings. Note that disabling strictly necessary cookies will impair your ability to log in and use the Platform. phl99 does not use cross-site tracking cookies or share cookie data with advertising networks.

phl99 implements technical and organisational security measures proportionate to the sensitivity of the personal data it processes and the risks associated with an online gaming and financial transactions platform. These measures include:

• Encryption in transit: All data transmitted between your device and phl99 servers is encrypted using Transport Layer Security (TLS) version 1.2 or higher with 256-bit encryption — the same standard used by major Philippine banking institutions;
• Encryption at rest: Sensitive personal data stored on phl99's infrastructure is encrypted at rest using AES-256;
• Password security: Account passwords are stored using industry-standard one-way cryptographic hashing with salting. Plaintext passwords are never stored or accessible to phl99 staff;
• Access controls: Internal access to personal data is restricted on a role-based, need-to-know basis. All internal access to production data is logged and subject to audit review;
• Security monitoring: phl99's infrastructure is subject to continuous security monitoring, including intrusion detection systems and anomaly alerting;
• Incident response: phl99 maintains a formal data breach response plan. In the event of a personal data breach that is likely to prejudice your rights, phl99 will notify affected individuals and the NPC within 72 hours of becoming aware of the breach, as required by NPC Circular 16-03.

phl99 retains personal data for the duration necessary to fulfil the purpose for which it was collected, or as required by applicable law, whichever is longer. The following retention periods apply:

• Active account data: Retained for the duration of your active account plus three (3) years following account closure, to support dispute resolution and regulatory audit obligations;
• Transaction and financial records: Retained for a minimum of five (5) years from the date of each transaction, as required by the Anti-Money Laundering Act (RA 9160, as amended by RA 10927);
• Identity verification documents: Retained for five (5) years following account closure, in accordance with PAGCOR KYC record-keeping requirements;
• Customer support communications: Retained for three (3) years from the date of the interaction;
• Marketing consent records: Retained for the duration of the consent plus three (3) years, to demonstrate compliance;
• Web analytics data: Anonymised and aggregated analytics data may be retained indefinitely in a form that no longer constitutes personal data.

Upon expiry of the applicable retention period, personal data is securely deleted or anonymised in a manner that prevents reconstruction of the original data.

As a data subject under the Data Privacy Act of 2012, you hold the following rights in respect of your personal data held by phl99:

To exercise any of the above rights, submit a written request to phl99's Data Protection Officer using the contact details in Section 15. phl99 will respond within fifteen (15) business days of receiving a verified request. Identity verification will be required before processing any data subject rights request.

If you are not satisfied with phl99's response to a data subject rights request, you may lodge a complaint with the National Privacy Commission at privacy.gov.ph.

phl99 is an online gaming platform exclusively for adults aged 21 years or older, as mandated by PAGCOR. phl99 does not knowingly collect personal data from individuals under the age of 21. The minimum age of 21 is actively enforced through mandatory identity document verification at account registration — access is not possible without presenting a valid Philippine government-issued ID confirming the applicant is at least 21 years of age.

phl99's primary data processing infrastructure is located within or proximate to the Philippines. However, certain service providers engaged by phl99 — including cloud infrastructure providers and game software developers — may process personal data in servers located outside the Philippines.

Where personal data is transferred outside the Philippines, phl99 ensures that appropriate safeguards are in place in accordance with NPC rules on cross-border data flows, including:

• Binding contractual clauses in data processing agreements with relevant third-party processors requiring them to maintain data security standards equivalent to those required under Philippine law;
• Limiting cross-border transfers to service providers in jurisdictions with data protection laws recognised as providing adequate protection;
• Ensuring that transferred data is used exclusively for the purposes described in this Policy and under the control of phl99 as Personal Information Controller.

As a PAGCOR-licensed online gaming operator, phl99 is subject to significant statutory data processing obligations that override individual data subject preferences in certain circumstances. These include:

• Anti-Money Laundering Act (RA 9160, as amended by RA 10927): phl99 is classified as a covered person under AMLA. This requires phl99 to collect and verify customer identity, maintain records of all covered transactions (transactions exceeding ₱500,000 or equivalent in a single banking day), and file Suspicious Transaction Reports with the AMLC. These obligations cannot be waived by data subject consent withdrawal.
• PAGCOR Player Identification Requirements: PAGCOR licensing conditions require phl99 to maintain accurate and verified player identity records for all registered accounts. These records must be retained for minimum periods specified by PAGCOR and must be made available to PAGCOR auditors on request.
• Responsible Gaming Monitoring: PAGCOR requires licensed operators to maintain systems for identifying at-risk players. phl99 processes gaming behaviour data — session frequency, bet sizes, loss patterns — to fulfil this obligation. This processing is based on legal obligation and cannot be disabled by individual players.

phl99 reserves the right to update or amend this Privacy Policy at any time to reflect changes in applicable law, PAGCOR regulatory requirements, NPC guidance, or phl99's data processing practices. The revised Policy will be published at phl99.vip/privacy-policy with an updated Effective Date.

Where changes are material — meaning they affect your rights or the way your personal data is processed in a significant way — phl99 will make reasonable efforts to notify registered account holders via account notification or email prior to the changes taking effect. Continued use of the Platform following the publication of an updated Policy constitutes acceptance of the revised terms.

For all privacy-related enquiries, data subject rights requests, or complaints regarding phl99's data processing practices, please contact phl99's Data Protection Officer through the following channels:

• Email (DPO): [email protected] — please include "DPO Request" in the subject line;
• Live Chat: Available 24/7 via phl99.vip — for urgent privacy or security matters, use Live Chat for the fastest response;
• Postal Address: Data Protection Officer, phl99, Philippines.

phl99 aims to acknowledge all DPO enquiries within three (3) business days and to provide a substantive response within fifteen (15) business days. Complex requests may require additional time, in which case phl99 will notify you of the extended timeline.

If you remain unsatisfied with phl99's handling of a privacy complaint after following the above process, you have the right to escalate your complaint to the National Privacy Commission of the Philippines.