Privacy Policy – phmaca Online Casino Philippines

1. Definitions

In this Privacy Policy, the following terms shall have the meanings set out below:

"phmaca," "we," "us," or "our" — the operator of the phmaca online gaming platform at phmaca.org, licensed by PAGCOR.
"Personal Data" — any information that directly or indirectly identifies a natural person, including name, email address, mobile number, government ID details, IP address, and financial account information.
"Processing" — any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
"Data Subject" or "you" — the individual whose Personal Data is processed by phmaca, being a registered player or website visitor.
"Personal Information Controller (PIC)" — phmaca, as the entity that determines the purposes and means of processing Personal Data.
"DPA" — Republic Act No. 10173, the Data Privacy Act of 2012 of the Philippines.
"NPC" — the National Privacy Commission, the Philippine regulatory authority overseeing data privacy compliance.
"PAGCOR" — the Philippine Amusement and Gaming Corporation, phmaca's gaming regulator.
"KYC" — Know Your Customer, the mandatory identity and age verification process required for all phmaca accounts.

2. Identity of the Personal Information Controller

phmaca is the Personal Information Controller responsible for the Personal Data collected through the phmaca Platform. phmaca determines the purposes for which your data is collected and the means by which it is processed.

phmaca operates under a PAGCOR licence and is subject to the data privacy obligations imposed by the DPA, its Implementing Rules and Regulations, and relevant NPC issuances. phmaca has appointed a Data Protection Officer (DPO) as required by the DPA. Contact details for the DPO are set out in Section 14.

This Policy applies to all Personal Data processed by phmaca in connection with your use of the Platform, including data collected prior to account registration (e.g., browsing data) and data collected after account closure (e.g., transaction records retained for legal compliance).

3. Categories of Personal Data We Collect

phmaca collects the following categories of Personal Data from players and website visitors:

3.1 Identity and Contact Data

Full legal name as it appears on your government-issued ID;
Date of birth (for age verification — players must be 21 or above);
Gender (where provided);
Email address;
Philippine mobile number; and
Residential address.

3.2 Identity Verification (KYC) Documents

Scanned or photographed copy of a government-issued photo ID (passport, PhilSys ID, UMID, driver's licence, or PRC ID);
Proof of address document (utility bill, bank statement, or barangay clearance); and
Selfie or liveness check image where required for remote identity verification.

3.3 Financial Data

GCash mobile number and account name;
PayMaya account details;
Bank account details (BPI, BDO, Metrobank) where used for deposits or withdrawals;
Transaction history including deposit amounts, withdrawal amounts, dates, and reference numbers; and
Account wallet balance records.

3.4 Gaming Activity Data

Game session records including games played, bets placed, outcomes, and session duration;
Bonus and promotion redemption history; and
Responsible gaming tool settings and usage (deposit limits, self-exclusion records).

3.5 Technical and Usage Data

IP address and approximate geolocation derived from IP;
Device type, operating system, and browser;
Login timestamps and session activity logs; and
Cookie and similar tracking data as described in Section 10.

3.6 Communications Data

Content of support chat transcripts, emails, and support ticket submissions; and
Records of any complaints or dispute correspondence.

Sensitive data handling: Government ID documents and KYC materials are classified as sensitive personal information under the DPA. phmaca applies heightened security measures to this category of data and limits access to authorised KYC compliance personnel only.

4. How We Collect Your Data

phmaca collects Personal Data through the following methods:

Collection Method	Data Collected
Account registration form	Name, date of birth, email, mobile number, password
KYC document submission	Government ID scans, proof of address, selfie/liveness image
Deposit and withdrawal transactions	Payment method details, transaction amounts and references
Platform gameplay	Game session data, bet history, responsible gaming settings
Browser and device (automatic)	IP address, device type, browser, session logs
Cookies and tracking technologies	Session cookies, analytics, fraud detection signals
Support communications	Chat transcripts, email content, complaint records
Third-party verification services	Identity verification results from accredited KYC providers

5. Purposes for Which We Process Your Data

phmaca processes your Personal Data for the following purposes:

Account creation and management: Creating and maintaining your phmaca account, including authentication and profile management;
Age and identity verification (KYC): Verifying that you meet the 21+ age requirement and confirming your identity as required by PAGCOR;
Payment processing: Processing deposits and withdrawals via GCash, PayMaya, BPI, BDO, and Metrobank in Philippine Peso;
Game delivery and platform operation: Delivering game content, recording gaming sessions, and maintaining Platform integrity;
Regulatory compliance: Complying with PAGCOR licence obligations, Anti-Money Laundering Act (AMLA) requirements, BSP regulations, and applicable tax laws;
Responsible gaming: Administering deposit limits, loss limits, self-exclusion requests, and problem gambling detection;
Fraud and security: Detecting and preventing unauthorised access, bonus abuse, money laundering, and other prohibited conduct;
Customer support: Responding to your inquiries, complaints, and support requests;
Legal obligations and disputes: Establishing, exercising, or defending legal claims; complying with court orders and regulatory demands; and
Service improvement: Analysing aggregated usage data to improve Platform performance and game selection.

phmaca does not use your Personal Data for automated profiling that produces legal or similarly significant effects on you, nor do we use it for any purpose that would be incompatible with the purposes listed above without first obtaining your separate consent.

6. Legal Bases for Processing

Under the DPA, phmaca processes your Personal Data on the following legal bases:

Performance of a contract — processing necessary to carry out your account agreement with phmaca, including account registration, gameplay, and payment transactions;
Legal obligation — processing required to comply with PAGCOR regulations, AMLA requirements, BSP directives, and the DPA itself, including KYC, transaction monitoring, and record-keeping mandates;
Legitimate interests — processing necessary for fraud prevention, platform security, and the general integrity of the phmaca service, where these interests are not overridden by your fundamental rights; and
Consent — where phmaca relies on consent as a legal basis (e.g., for certain marketing communications), you may withdraw consent at any time by contacting our DPO or updating your account communication preferences, without affecting the lawfulness of processing prior to withdrawal.

7. Sharing and Disclosure of Your Data

phmaca does not sell or rent your Personal Data to any third party. We share your data only in the following limited circumstances:

7.1 Service Providers

phmaca engages third-party service providers who process Personal Data on our behalf, strictly under written data processing agreements that require them to maintain the same level of data protection as phmaca. These include:

KYC and identity verification providers;
Payment processors and e-wallet service operators (GCash, PayMaya, BPI, BDO, Metrobank);
Cloud infrastructure and hosting providers;
Game software providers (who receive session data for game operation); and
Customer support platform providers.

7.2 Regulatory and Legal Disclosures

phmaca will disclose Personal Data to regulators, law enforcement, or courts where required by applicable Philippine law, PAGCOR regulation, or valid legal process. This includes mandatory reporting under the AMLA and PAGCOR responsible gaming requirements.

7.3 Business Transfers

In the event of a merger, acquisition, or transfer of phmaca's business or assets, Personal Data may be transferred to the acquiring entity, subject to the same privacy protections described in this Policy. You will be notified prior to any such transfer.

No cross-border transfers without safeguards. Where phmaca transfers Personal Data outside the Philippines (e.g., to cloud infrastructure), we ensure appropriate safeguards are in place as required by the DPA and NPC regulations, including standard contractual clauses.

8. Data Retention

phmaca retains Personal Data only for as long as is necessary to fulfil the purposes for which it was collected, subject to any longer retention period required by law or regulation.

Data Category	Retention Period	Legal Basis
Account registration data	Duration of account + 5 years after closure	AMLA, PAGCOR compliance
KYC documents	Duration of account + 5 years after closure	RA 9160 (AMLA), PAGCOR
Transaction records	5 years from transaction date	AMLA, BSP, tax regulations
Gaming session data	3 years from session date	PAGCOR licence obligation
Support communications	3 years from last interaction	Legitimate interests (dispute resolution)
Self-exclusion records	Duration of exclusion + 5 years	PAGCOR responsible gaming
Technical / access logs	12 months	Security, fraud prevention

Upon expiry of the applicable retention period, Personal Data is securely deleted or irreversibly anonymised. Where anonymisation is applied, the resulting data no longer constitutes Personal Data and may be retained for statistical or analytical purposes without restriction.

9. Security Measures

phmaca implements appropriate technical and organisational security measures to protect your Personal Data against unauthorised access, loss, destruction, or disclosure. These measures include:

TLS 1.3 encryption for all data in transit between your browser and phmaca's servers;
AES-256 encryption for sensitive data stored at rest, including KYC documents and payment account details;
Role-based access controls limiting internal access to Personal Data to authorised personnel with a documented business need;
Multi-factor authentication required for all phmaca administrative and operational systems;
Automated anomaly detection to identify unusual access patterns or potential security incidents;
Regular security assessments including vulnerability testing of Platform systems; and
Employee training on data protection obligations under the DPA and phmaca's internal data handling policies.

While phmaca takes all reasonable steps to protect your data, no online system can guarantee absolute security. You also have a role to play — keep your account password secure, do not share your credentials, and notify us immediately at [email protected] if you suspect any unauthorised access to your account.

10. Cookies and Tracking Technologies

phmaca uses cookies and similar tracking technologies on the Platform. A cookie is a small text file stored in your browser when you visit a website.

10.1 Types of Cookies Used

Essential cookies: Required for the Platform to function, including session management, login authentication, and wallet security. These cannot be disabled without disrupting your ability to use phmaca.
Security cookies: Used to detect and prevent fraud, bot activity, and account takeover attempts. These process device fingerprint data for your account's protection.
Analytics cookies: Help phmaca understand how the Platform is used at an aggregated level — which pages are visited most, where errors occur, and how navigation flows. Data is processed in anonymised form.
Preference cookies: Remember your language preference and other personalisation settings across sessions.

10.2 Managing Cookies

You may manage or disable non-essential cookies through your browser's cookie settings. Note that disabling essential cookies will prevent you from logging in and using the Platform. phmaca does not use cookies to serve third-party advertising on its Platform.

11. Your Data Subject Rights

Under Republic Act No. 10173 (Data Privacy Act of 2012), you have the following rights in relation to your Personal Data held by phmaca. These rights are exercisable by contacting our Data Protection Officer (see Section 14).

Right to Access Request a copy of the Personal Data phmaca holds about you and how it is processed.

Right to Rectification Request correction of inaccurate or incomplete Personal Data without undue delay.

Right to Erasure Request deletion of your data where retention is no longer necessary or lawful, subject to legal hold obligations.

Right to Object Object to processing based on legitimate interests. phmaca will cease unless compelling grounds exist.

Right to Data Portability Receive your data in a structured, commonly used, machine-readable format for transfer to another controller.

Right to Complain Lodge a complaint with the National Privacy Commission if you believe phmaca has breached your privacy rights.

phmaca will respond to all data subject rights requests within 15 business days of receipt. Where additional time is required for complex requests, phmaca will notify you within the initial 15-day period with an explanation and an expected completion date.

12. Children's Privacy and Age Restriction

phmaca is strictly an adult platform. In accordance with PAGCOR regulations and Philippine law, the Platform is accessible only to individuals who are 21 years of age or older.

phmaca does not knowingly collect, use, or retain Personal Data from any person under the age of 21. All accounts undergo age verification as part of the KYC process before real-money gaming is permitted. Any account found to belong to a person under 21 will be immediately closed, and all associated data will be handled in accordance with PAGCOR's underage gambling protocols.

If you are a parent or guardian and believe your child has accessed or registered on phmaca, please contact our Data Protection Officer immediately at [email protected] so that the account can be investigated and closed promptly.

13. Changes to This Privacy Policy

13.1 phmaca may update this Privacy Policy from time to time to reflect changes in our data processing practices, applicable law, or regulatory guidance.

13.2 Material changes — those that significantly affect your rights or how we process your Personal Data — will be communicated to you via email to your registered address at least seven (7) days before they take effect. A notice will also be displayed prominently on the Platform.

13.3 The effective date at the top of this page reflects the date of the most recent version. Continued use of the Platform after the effective date of an updated Policy constitutes your acknowledgment of the changes.

13.4 If you do not agree to an updated Privacy Policy, you may close your phmaca account before the changes take effect by contacting our support team.

14. Contact and Data Protection Officer

For all privacy-related enquiries, data subject rights requests, or to report a potential data breach, please contact phmaca's Data Protection Officer:

Data Protection Officer phmaca

Email: [email protected]

Response Time: Within 15 Philippine business days of receipt

Serving: Players across the Philippines — Manila, Cebu, Davao, Quezon City, Makati, and nationwide

National Privacy Commission (NPC). If you are not satisfied with phmaca's response to a privacy concern, you have the right to lodge a complaint with the National Privacy Commission of the Philippines. Information about the NPC complaint process is available through the NPC's official Philippine government channels.

phmaca Privacy Policy

How phmaca Approaches Your Privacy

Collected Only When Necessary

Never Sold to Third Parties

Secured to Industry Standards

Your Rights Are Enforceable

RA 10173 Compliant

Breach Notification