Introduction
This Privacy Policy ("Policy") describes how ph368 ("ph368," "we," "us," or "our") collects, uses, stores, discloses, and protects the personal information of individuals ("you" or "Player") who access or use the ph368 online gaming platform at ph368.asia (the "Platform").
ph368 operates as a personal information controller under Republic Act No. 10173, the Data Privacy Act of 2012 ("DPA"), and its Implementing Rules and Regulations, as administered by the National Privacy Commission of the Philippines ("NPC"). ph368 is also subject to applicable data protection obligations under its PAGCOR licensing framework.
This Policy applies to all personal information collected through the Platform, whether provided directly by you, generated through your use of the Platform, or obtained from authorised third-party sources. By registering for an Account or otherwise using the Platform, you acknowledge that you have read this Policy and consent to the collection and processing of your personal information as described herein.
Note: This Policy should be read together with the ph368 Terms & Conditions, available at ph368.asia/terms-conditions, which govern your broader use of the Platform.
Data Controller Identity
ph368 acts as the personal information controller responsible for all personal data collected and processed through the Platform. ph368 operates under PAGCOR authorization and maintains a designated Data Protection Officer ("DPO") as required under Section 21 of the Data Privacy Act of 2012.
All data processing activities conducted by ph368 are registered with the National Privacy Commission in accordance with the NPC registration requirements applicable to personal information controllers of ph368's scale and the sensitivity of the data it handles. Players may request confirmation of NPC registration details by contacting ph368's DPO at the address set out in Section 16 of this Policy.
Personal Data We Collect
ph368 collects the following categories of personal data:
| Category | Examples | When Collected |
|---|---|---|
| Identity Data | Full legal name, date of birth, government-issued ID number | Registration & KYC verification |
| Contact Data | Philippine mobile number, email address, residential address | Registration & Account management |
| Financial Data | GCash number, BPI/BDO account reference, transaction history | Deposit & withdrawal processing |
| Gaming Data | Bet history, game sessions, win/loss records, wagering patterns | During Platform use |
| Technical Data | IP address, device type, browser, OS, session tokens | Automatically on Platform access |
| Usage Data | Pages visited, features used, clickstream data, session duration | Automatically on Platform use |
| Communications Data | Support chat records, email correspondence, complaint records | Customer support interactions |
| Compliance Data | AML screening results, PEP/sanctions checks, AMLA reports | Regulatory compliance processes |
ph368 does not collect sensitive personal information — such as health data, biometric data, or racial/ethnic origin — except where specifically required for responsible gaming assessments or regulatory compliance, and only with your explicit consent or under a lawful basis prescribed by the Data Privacy Act.
How We Collect Your Data
ph368 collects personal data through the following methods:
- Direct Collection: Information you provide when registering an Account, completing identity verification, making deposits or withdrawal requests, contacting customer support, or participating in promotions.
- Automated Collection: Technical and usage data collected automatically through cookies, web beacons, server logs, and similar technologies when you access and interact with the Platform. See Section 9 for details on cookie use.
- Third-Party Sources: Identity verification data from PAGCOR-approved KYC service providers; fraud screening data from anti-money laundering compliance partners; payment verification data from GCash, Maya, and our banking partners. All third-party data sources operate under contractual data processing agreements with ph368.
Purpose and Legal Basis for Processing
ph368 processes your personal data on the following legal bases under the Data Privacy Act:
- Performance of a Contract: Processing necessary to create and maintain your ph368 Account, execute deposits and withdrawals, process bets, and deliver gaming services you have requested.
- Compliance with Legal Obligations: Processing required to comply with PAGCOR regulations, the Anti-Money Laundering Act of 2001 (Republic Act No. 9160, as amended), the Data Privacy Act, and other applicable Philippine laws. This includes identity verification, AML transaction monitoring, and regulatory reporting.
- Legitimate Interests: Processing necessary to protect the security and integrity of the Platform, detect and prevent fraud and abuse, maintain Platform performance and reliability, and conduct responsible gaming assessments.
- Consent: Processing for marketing communications, where you have opted in to receive promotional emails or SMS. You may withdraw consent at any time without affecting the lawfulness of prior processing.
Philippine Context: ph368's identity verification process is designed to comply with PAGCOR's Know-Your-Customer requirements, which mandate verification of player identity and age before real-money gaming activity may commence. Age verification is a legal requirement — not optional — and is necessary to enforce the 21-year minimum age requirement.
Sharing and Disclosure of Your Data
ph368 does not sell, rent, or trade your personal data to any third party for their own commercial purposes. Your data is shared only in the following limited circumstances:
- Regulatory Authorities: PAGCOR receives gaming and player data as required under ph368's operating license. The Anti-Money Laundering Council (AMLC) receives transaction reports as required under the AMLA. The National Privacy Commission may receive data in connection with any investigation or compliance review.
- Payment Service Providers: GCash, Maya, BPI, BDO, UnionBank, and other payment processors receive financial data necessary to process your deposits and withdrawals. These providers operate under their own privacy policies and are separately regulated.
- Game Providers: Third-party game studios whose content appears on the ph368 Platform (such as PG Soft, Pragmatic Play, JDB, and others) receive session data necessary to operate their games. Game provider data processing is governed by contractual agreements with ph368.
- KYC and Compliance Partners: Identity verification and AML screening service providers process identity documents and screening data under strict confidentiality agreements with ph368.
- Technology and Infrastructure Providers: Cloud hosting, cybersecurity, and platform infrastructure providers who process data on ph368's behalf under data processing agreements that require equivalent data protection standards.
- Law Enforcement: Where ph368 is required by lawful order, court process, or other legal obligation to disclose personal data to law enforcement or other government authorities.
Important: ph368 will never share your personal data with third-party marketers, data brokers, or advertising networks. We do not monetise player data in any form.
Data Retention
ph368 retains personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law and regulation:
- Account Data: Retained for the duration of your Account and for a period of five (5) years following Account closure, in compliance with PAGCOR record-keeping requirements.
- Financial Transaction Data: Retained for a minimum of five (5) years following the transaction date, as required under the Anti-Money Laundering Act.
- KYC Documentation: Retained for five (5) years following Account closure or the date of the last transaction, whichever is later, in accordance with PAGCOR and AMLA requirements.
- Customer Support Records: Retained for three (3) years following the closure of each support interaction, to support dispute resolution and quality improvement.
- Technical and Usage Data: Retained for up to twenty-four (24) months from collection for platform security and performance analysis purposes.
Upon expiry of applicable retention periods, ph368 will securely delete or anonymise personal data in accordance with National Privacy Commission guidelines on personal data disposal.
Data Security
ph368 implements appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, alteration, disclosure, or destruction. These measures include:
- SSL/TLS encryption for all data transmitted between your device and ph368 servers.
- AES-256 encryption for sensitive data stored at rest, including financial records and identity documents.
- Cryptographic hashing and salting of all account passwords — plain-text passwords are never stored.
- Role-based access controls ensuring that ph368 employees can only access personal data necessary for their specific job functions.
- Regular penetration testing and vulnerability assessments conducted by independent security professionals.
- Multi-factor authentication on all internal systems that have access to player personal data.
- Comprehensive data breach response procedures aligned with NPC Circular No. 16-03 on personal data breach management.
Player Security Tip: While ph368 secures data on its end, you play a critical role in protecting your Account. Enable two-step verification, use a strong unique password, and never share your ph368 login credentials with anyone — including people claiming to represent ph368 support.
Cookies and Tracking Technologies
ph368 uses cookies and similar technologies (web beacons, local storage) to operate the Platform, maintain your session, and improve your experience. The categories of cookies ph368 uses are:
- Strictly Necessary Cookies: Essential for the Platform to function. These enable your login session, maintain your game state, and process transactions. The Platform cannot function without these cookies. They cannot be disabled.
- Functional Cookies: Remember your preferences such as display language, preferred payment method, and responsible gaming settings. Disabling these will not affect Platform function but may reset your preferences on each visit.
- Analytics Cookies: Measure Platform performance — page load times, error rates, and feature usage — to help ph368 identify and fix technical issues. Data is aggregated and does not identify individual players.
ph368 does not use third-party advertising cookies, tracking pixels from social networks, or any cookies that build individual behavioural profiles for advertising purposes. You may manage cookie settings through your browser's privacy controls. Disabling strictly necessary cookies will prevent you from logging in to your ph368 Account.
Your Data Subject Rights
Under the Philippine Data Privacy Act of 2012, you have the following rights regarding your personal data held by ph368:
- Request a copy of all personal data ph368 holds about you, including categories, sources, purposes, and recipients.
- Request correction of inaccurate or incomplete personal data. Name and date-of-birth corrections require supporting documents.
- Request deletion of your personal data where retention is no longer legally required. Regulatory obligations may prevent full erasure.
- Object to processing of your personal data on the basis of legitimate interests, including profiling for marketing purposes.
- Receive your personal data in a structured, commonly used, machine-readable format for transfer to another platform.
- Lodge a complaint with the National Privacy Commission of the Philippines if you believe ph368 has violated your data rights.
To exercise any of the above rights, submit a written request to ph368's Data Protection Officer using the contact details in Section 16. ph368 will acknowledge your request within three (3) business days and respond substantively within thirty (30) calendar days. Identity verification may be required before a request can be processed to protect against fraudulent access attempts.
Minors and the 21+ Age Requirement
ph368 strictly prohibits the registration or use of its Platform by any person under 21 years of age. The 21-year minimum age requirement is mandated by PAGCOR regulations governing online gaming in the Philippines. ph368 does not knowingly collect personal data from individuals under 21.
All registration applications are subject to age verification as part of the Know-Your-Customer process. Where ph368 discovers or has reason to believe that an Account has been registered by a person under 21, ph368 will immediately suspend the Account, conduct an investigation, and report the matter to PAGCOR as required by regulatory obligations.
If you are a parent or guardian and believe your child under 21 has registered an Account with ph368, contact our support team immediately via live chat or support email. ph368 will act promptly to suspend the Account, investigate the matter, and return any funds deposited, subject to applicable verification and regulatory requirements.
Cross-Border Data Transfers
Some of ph368's third-party service providers — including game providers, cloud infrastructure providers, and KYC service partners — may process personal data outside the Philippines. Where such cross-border transfers occur, ph368 ensures that adequate protection is in place through one or more of the following mechanisms:
- Contractual data processing agreements incorporating standard data protection clauses aligned with NPC requirements for cross-border data transfers.
- Assessment and confirmation that the recipient country's data protection laws provide a level of protection at least equivalent to the Philippine Data Privacy Act.
- The transfer is necessary for the performance of your gaming services contract with ph368 and no less privacy-invasive means of achieving the same purpose exists.
You may request information about the countries to which your data is transferred and the safeguards in place by contacting ph368's Data Protection Officer.
Marketing Communications
ph368 may send you promotional communications — including bonus offers, game announcements, deposit promotions, and platform updates — by SMS to your registered Philippine mobile number or by email, where you have opted in to receive such communications during registration or through your Account settings.
You may withdraw your consent to marketing communications at any time by:
- Updating your communication preferences in your ph368 Account settings.
- Replying STOP to any promotional SMS received from ph368.
- Contacting ph368 customer support via live chat or email to update your preferences.
Withdrawal of consent to marketing will not affect your receipt of transactional communications — such as deposit confirmations, withdrawal notifications, Account security alerts, and regulatory notices — which are necessary for the operation of your Account and cannot be opted out of while your Account remains active.
Personal Data Breach Response
ph368 maintains a personal data breach management and notification procedure aligned with NPC Circular No. 16-03. In the event of a personal data breach that poses a real risk of serious harm to affected data subjects:
- ph368 will notify the National Privacy Commission within seventy-two (72) hours of becoming aware of the breach, where feasible.
- ph368 will notify affected data subjects without undue delay, providing information about the nature of the breach, categories of data affected, likely consequences, and measures taken or proposed.
- ph368 will document all breaches, including those that do not meet the NPC notification threshold, in an internal breach register maintained by the Data Protection Officer.
Immediate containment and remediation of confirmed breaches is a priority for ph368's security team. Players who suspect their ph368 Account has been compromised should contact support immediately via live chat to initiate an emergency account freeze.
Changes to This Privacy Policy
ph368 may update this Privacy Policy from time to time to reflect changes in our data processing practices, applicable law, or regulatory requirements. The effective date at the top of this Policy will be updated whenever material changes are made.
Where changes are material — meaning they significantly affect how your personal data is processed or your rights as a data subject — ph368 will notify you by email to your registered address or by a prominent notice on the Platform. Continued use of the Platform after notification of changes constitutes your acknowledgement of the updated Policy.
We encourage you to periodically review this Policy to stay informed about how ph368 is protecting your information.
Contact Our Data Protection Officer
For all data privacy matters — including exercising your data subject rights, submitting a privacy complaint, or requesting information about ph368's data processing activities — please contact ph368's Data Protection Officer through the following channels:
- Data Privacy Enquiries Email: [email protected]. Please include "Data Privacy Request" in your subject line.
- Live Chat: Available 24/7 on the ph368 Platform. Request to speak with the Data Privacy team for formal matters.
ph368's DPO is registered with the National Privacy Commission in accordance with NPC advisory requirements. All formal data subject rights requests are handled by the DPO's office and are tracked to ensure timely responses within the timeframes specified in this Policy.
If you are not satisfied with ph368's response to a data privacy complaint, you have the right to escalate your complaint directly to the National Privacy Commission of the Philippines through the NPC's complaints process.