phlag Privacy Policy

phlag ("phlag," "we," "us," or "our") is committed to protecting the privacy and personal data of every individual who interacts with the phlag Casino platform. This Privacy Policy describes how phlag collects, processes, stores, shares, and protects personal data in connection with the use of our online casino, sports betting, bingo, and related gaming services accessible through phlag.co.

This Policy applies to all registered players, prospective players who visit phlag.co without registering, and any other individual whose personal data phlag processes in the course of operating its platform. It covers data processed through the phlag website, any phlag mobile web application, customer support channels, marketing communications, and payment processing flows.

phlag operates for Filipino players within the Philippines and processes personal data in accordance with Republic Act No. 10173, the Philippine Data Privacy Act of 2012 ("DPA"), its Implementing Rules and Regulations, relevant issuances from the National Privacy Commission ("NPC"), and the data governance requirements applicable to PAGCOR-regulated gaming operators. Where applicable, international best practices in data protection are also observed.

For the purposes of the Philippine Data Privacy Act of 2012 and this Privacy Policy, phlag is the personal information controller in respect of all personal data collected and processed through the phlag platform. As personal information controller, phlag determines the purposes and means of the processing of your personal data and is responsible for ensuring that such processing complies with applicable Philippine data privacy laws.

phlag has appointed a Data Protection Officer ("DPO") who is responsible for overseeing phlag's data protection compliance, handling data subject rights requests, managing data breach notifications, and serving as the primary point of contact with the National Privacy Commission. Contact details for the DPO are provided in Section 15 of this Policy.

phlag's personal data processing activities are registered with the NPC as required under the DPA and NPC Circular No. 17-01 on the registration of data processing systems.

phlag collects the following categories of personal data, depending on how you interact with the platform:

3.1 Registration & Identity Data

• Legal full name as it appears on your government-issued ID
• Date of birth (collected to verify the 21+ age requirement mandated by PAGCOR)
• Philippine mobile number
• Email address
• Region and city of residence within the Philippines
• Username and encrypted password (passwords are stored in hashed form and are never accessible in plain text by phlag staff)

3.2 KYC & Verification Data

• Government-issued photo identification (PhilSys National ID, UMID, Driver's License, Passport, Voter's ID, or SSS ID) — document number, issuing authority, expiry date, and photograph
• Proof of address documents (utility bill, bank statement, or equivalent) where required
• Proof of payment method ownership where required for withdrawal processing
• Selfie or liveness verification image where required for enhanced due diligence

3.3 Financial & Transaction Data

• Deposit and withdrawal transaction records including amounts, dates, and payment method references
• GCash or Maya account reference (not stored in full — reference numbers used for reconciliation only)
• Bank account references for bank transfer payments (BPI, BDO, UnionBank) — account name and last four digits only
• Cryptocurrency wallet addresses used for USDT TRC20 transactions
• Account balance and transaction history

3.4 Gaming Activity Data

• Game session records: games played, bets placed, wagers, wins, losses, and session duration
• Sports betting selections, odds accepted, and settlement records
• Bonus and promotional credit usage records
• Loyalty programme tier and points history

3.5 Technical & Device Data

• IP address and geolocation data (country and region level) used for fraud prevention and regulatory jurisdiction verification
• Device type, operating system, and browser type and version
• Session logs including login timestamps, session duration, and activity logs
• Cookies and similar tracking technology data as described in Section 8

3.6 Communications Data

• Records of live chat, email, and any other support communications between you and phlag
• Feedback, complaint, and dispute records
• Marketing communication preference records (opt-in / opt-out status)

phlag collects personal data through the following channels:

• Directly from you: When you register for a phlag account, complete KYC verification, make deposits or withdrawal requests, contact phlag support, participate in promotions, or update your account settings.
• Automatically during platform use: Through server logs, session monitoring, fraud detection systems, and cookies and similar tracking technologies as you browse and use the phlag website and gaming platform.
• From third-party service providers: phlag's KYC verification partners may provide identity verification results, fraud risk scores, and document authentication outcomes in connection with the verification of your identity. Payment processors may provide transaction confirmation data. Game providers may transmit session and wagering data to phlag.
• From public sources: Publicly available information may be accessed where permitted by law for fraud prevention, AML/CFT screening, or responsible gaming purposes.

phlag processes your personal data for the following specific, explicit, and legitimate purposes:

Under the Philippine Data Privacy Act of 2012, phlag processes your personal data on the following legal bases:

• Contractual necessity (Section 12(b), DPA): Processing necessary to perform our contractual obligations to you as a phlag account holder — including account management, processing of gaming transactions, and payment processing.
• Legal obligation (Section 12(c), DPA): Processing required to comply with legal obligations including PAGCOR regulatory reporting, Anti-Money Laundering Act (AMLA) compliance, Data Privacy Act compliance, and NPC requirements.
• Legitimate interests (Section 12(f), DPA): Processing for phlag's legitimate business interests including fraud prevention, responsible gaming monitoring, platform security, and anonymised analytics — where such interests are not overridden by your rights and interests.
• Consent (Section 12(a), DPA): Where required by law or where phlag has sought your specific consent — in particular, for direct marketing communications and for the use of non-essential cookies. You may withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
• Vital interests (Section 12(e), DPA): In circumstances where processing is necessary to protect life or prevent serious harm — for example, sharing data with authorities where there is a credible threat to the safety of a person.

For sensitive personal information (government ID data, biometric data), phlag processes such information under Section 13(b) of the DPA (processing necessary for compliance with legal obligations) and Section 13(f) (processing required for the protection of lawful rights) as applicable.

phlag does not sell, rent, or commercially trade your personal data. phlag shares your personal data only in the following circumstances and only to the extent necessary:

• KYC and Identity Verification Providers: Third-party identity verification services engaged by phlag to perform document authentication, facial recognition, and fraud risk assessment as part of the KYC process. These providers act as personal information processors under a data processing agreement with phlag.
• Payment Processors: GCash, Maya, BPI, BDO, UnionBank, 7-Eleven Cliqq, USDT processors, and Coins.ph receive transaction data necessary to process your deposit and withdrawal requests.
• Game Providers: JILI Games, PG Soft, Pragmatic Play, Evolution Gaming, and other licensed game providers receive a player identifier and session data necessary to operate game sessions. These providers are bound by data processing agreements and are prohibited from using your data for purposes outside of providing games to phlag.
• Regulatory Authorities: PAGCOR, the Anti-Money Laundering Council (AMLC), the National Privacy Commission (NPC), and other competent Philippine authorities — where disclosure is required by law, court order, or regulatory instruction.
• Law Enforcement: Philippine law enforcement agencies where disclosure is required by valid legal process or where phlag believes disclosure is necessary to prevent or investigate criminal activity, fraud, or a threat to safety.
• Professional Advisers: Legal counsel, auditors, and compliance advisers engaged by phlag, subject to professional confidentiality obligations.

All third parties with whom phlag shares personal data are required by contract to implement appropriate technical and organisational data security measures and to process your data only for the specified purposes and in accordance with applicable Philippine law.

phlag uses cookies and similar tracking technologies on the phlag website and platform. Cookies are small text files placed on your device that help the platform function correctly, remember your preferences, prevent fraud, and — with your consent — deliver personalised content and measure platform performance.

8.1 Types of Cookies Used by phlag

• Strictly Necessary Cookies: Essential for the platform to function — session management, login authentication, security tokens, and fraud prevention signals. These cookies cannot be disabled without disabling core platform functionality.
• Functional Cookies: Remember your preferences such as language, region, and game lobby settings to provide a more personalised experience on phlag.
• Analytics Cookies: Used by phlag (via privacy-compliant analytics tools) to understand how players use the platform in aggregate — page visits, session lengths, feature usage, and error rates. Data collected is aggregated and does not identify individual players. These cookies require your consent.
• Responsible Gaming Cookies: Track session time locally on your device to support phlag's responsible gaming session timer features. These are functional in nature and are necessary for responsible gaming tools to operate.

8.2 Managing Cookies

You can manage or disable non-essential cookies through the phlag cookie preference centre, accessible from the phlag website footer. You can also manage cookies through your browser settings. Disabling certain cookies may affect the functionality of some phlag platform features. Strictly necessary cookies cannot be disabled without impairing your ability to use the platform.

phlag does not use third-party advertising cookies or cross-site tracking technologies that share your behaviour data with external advertisers.

phlag retains your personal data for no longer than is necessary for the purposes for which it was collected, subject to any longer retention period required by Philippine law or applicable PAGCOR and AMLC record-keeping requirements. The following general retention principles apply:

• Account Data: Retained for the duration of your active phlag account and for a period of five (5) years following account closure, consistent with AMLA record-keeping obligations applicable to PAGCOR-regulated gaming operators.
• KYC and Verification Documents: Retained for a minimum of five (5) years from the date of the relevant transaction, as required by the Anti-Money Laundering Act and PAGCOR compliance requirements.
• Transaction Records: Financial transaction data is retained for a minimum of ten (10) years from the date of the transaction in accordance with AMLA Section 9 requirements for covered persons in the gaming sector.
• Customer Support Records: Retained for three (3) years from the date of the communication, or for the duration of any ongoing dispute, whichever is later.
• Marketing Preference Data: Retained until you withdraw consent or for three (3) years of inactivity, whichever occurs first.
• Technical and Device Logs: Retained for twelve (12) months for security and fraud prevention purposes, after which they are deleted or anonymised.

Upon expiry of the applicable retention period, phlag will securely delete or anonymise your personal data in a manner that prevents reconstruction of the original data.

phlag implements a comprehensive set of technical and organisational security measures to protect personal data against unauthorised access, accidental loss, destruction, alteration, or disclosure. These measures include:

• Encryption in Transit: All data transmitted between your device and phlag's servers is encrypted using TLS 1.2 or higher.
• Encryption at Rest: Sensitive personal data including passwords (hashed), government ID data, and payment references are stored using current cryptographic standards.
• Access Controls: Access to personal data within phlag's systems is restricted to authorised personnel on a strict need-to-know basis, with role-based access controls and audit logging of data access events.
• Two-Factor Authentication: Available and recommended for all player accounts to prevent unauthorised account access.
• Regular Security Audits: phlag conducts regular security assessments, vulnerability scans, and penetration testing of its platform infrastructure.
• Segregated Player Funds: Player account balances are held in accounts segregated from phlag's operational funds, protecting player funds in the event of insolvency or operational disruption.
• Staff Training: phlag personnel with access to personal data receive regular data privacy and security training.

Under Republic Act No. 10173 (Data Privacy Act of 2012), you have the following rights with respect to your personal data held by phlag:

To exercise any of these rights, contact phlag's Data Protection Officer as described in Section 15. phlag will respond to all verified data subject rights requests within fifteen (15) calendar days of receipt, or within thirty (30) calendar days for complex requests, in accordance with NPC requirements. phlag may require identity verification before processing rights requests to prevent unauthorised disclosure.

If you are not satisfied with phlag's response to a data subject rights request, you have the right to lodge a complaint with the National Privacy Commission of the Philippines at privacy.gov.ph.

The phlag platform is strictly intended for individuals who are 21 years of age or older, as mandated by PAGCOR regulations governing online gambling in the Philippines. phlag does not knowingly collect personal data from anyone under the age of 21.

Age is verified during the KYC process for all players seeking to make withdrawals. Where phlag discovers that it has collected personal data from an individual under 21, phlag will immediately close the associated account, delete the personal data to the extent not required to be retained by law, and take appropriate action consistent with its PAGCOR compliance obligations.

Parents and guardians who believe a minor may have accessed the phlag platform using falsified identity information are encouraged to contact phlag immediately via Live Chat or by email to the DPO. phlag will investigate and act promptly on all such reports.

phlag primarily processes and stores personal data within the Philippines. Where phlag engages third-party service providers — including KYC verification providers, game providers, and cloud infrastructure providers — who may process personal data outside the Philippines, phlag ensures that appropriate safeguards are in place consistent with Section 21 of the DPA and NPC Circular No. 16-01 on the security of personal data in government agencies using cloud computing.

Specifically, phlag ensures that any cross-border transfer of personal data is made only:

• To countries or organisations that provide an adequate level of protection for personal data comparable to the standards of the DPA; or
• Subject to appropriate contractual safeguards, including data processing agreements that impose equivalent data protection obligations on the recipient; or
• Where the transfer is necessary for the performance of phlag's contractual obligations to you or for the implementation of pre-contractual measures taken at your request; or
• Where otherwise permitted under the DPA and NPC regulations.

phlag's third-party game providers — including companies headquartered outside the Philippines — process limited player session data (player identifiers and wagering data) necessary to deliver game services. All such providers are bound by data processing agreements requiring compliance with applicable data privacy standards.

phlag reserves the right to update or revise this Privacy Policy at any time. The "Last Updated" date at the top of this page reflects the date of the most recent substantive revision. phlag will notify registered players of material changes to this Policy via in-platform notification or email to the registered account address.

Material changes include, but are not limited to: changes to the categories of personal data collected, changes to the purposes of processing, changes to data sharing arrangements, and changes that affect your data subject rights. Changes resulting from legislative updates or new NPC guidance will be implemented promptly and notified to players.

Your continued use of the phlag platform following notification of material changes constitutes your acknowledgement of the revised Policy. If you disagree with any material changes, you may close your phlag account in accordance with the account closure procedure described in the phlag Terms & Conditions. Please review the phlag Terms & Conditions alongside this Policy.

For any questions, concerns, or requests relating to this Privacy Policy or the processing of your personal data by phlag, please contact phlag's Data Protection Officer. The DPO is responsible for overseeing phlag's data protection compliance and is the primary point of contact for data subject rights requests.

You may contact phlag's DPO by:

• Live Chat: Available 24/7 from your phlag account dashboard. Request to speak with a data privacy team member and your query will be routed to the DPO team.
• Email: The phlag DPO contact email is available on the phlag platform's Privacy & Data section within your account settings. Do not send sensitive personal data (such as ID document images) to general support channels — use the secure upload facility within your account for KYC submissions.

phlag commits to acknowledging all privacy-related enquiries within three (3) business days and to providing a substantive response or escalation update within fifteen (15) calendar days.

If you are not satisfied with phlag's response to your data privacy concern, you have the right to lodge a complaint with the National Privacy Commission of the Philippines. The NPC's contact information and complaint procedures are published on the NPC's official website at privacy.gov.ph.