ph358 Privacy Policy

This Privacy Policy ("Policy") describes how ph358 ("ph358," "we," "us," "our") collects, processes, stores, shares, and protects the personal data of individuals ("Data Subject," "you," "your") who register for and use the ph358 online gaming platform at ph358.org.

This Policy is issued in compliance with Republic Act No. 10173, also known as the Data Privacy Act of 2012 ("DPA"), its Implementing Rules and Regulations ("IRR"), and the issuances of the National Privacy Commission ("NPC") of the Philippines. It also reflects ph358's obligations under applicable PAGCOR licensing conditions and the Anti-Money Laundering Act ("AMLA").

By registering an account on ph358 or by continuing to use the platform after this Policy has been made available to you, you acknowledge that you have read and understood this Policy and that you consent to the collection and processing of your personal data as described herein. Where processing is based on consent, you may withdraw consent at any time subject to the limitations described in Section 11 of this Policy.

The data controller responsible for your personal data is ph358, the operator of the ph358 online gaming platform operating under a PAGCOR license. ph358 has appointed a Data Protection Officer ("DPO") who is registered with the National Privacy Commission as required under Section 21 of the DPA IRR.

For all data privacy inquiries, requests to exercise your data subject rights, or complaints relating to ph358's handling of your personal data, please contact our Data Protection Officer using the contact details provided in Section 16 of this Policy.

ph358 collects the following categories of personal data from players and website visitors:

3.1 Registration and Identity Data

• Full legal name as it appears on your government-issued identification document;
• Date of birth and age verification information;
• Philippine mobile number (used as primary login identifier);
• Email address;
• Chosen username and account password (stored in hashed, non-reversible form);
• Residential address within the Philippines.

3.2 KYC and Identity Verification Data

• Scanned or photographed copies of Philippine government-issued identity documents (passport, LTO driver's license, UMID, PhilSys National ID, PhilHealth ID, Pag-IBIG card);
• Selfie or facial photograph for liveness verification where applicable;
• Source of funds documentation where required for enhanced due diligence under AMLA.

3.3 Financial and Transaction Data

• GCash account reference number (not full GCash credentials);
• PayMaya account reference number;
• Bank account details where bank transfer is used as payment method;
• Deposit amounts, dates, and transaction reference numbers;
• Withdrawal requests, amounts, and processing status;
• Running wallet balance and transaction history.

3.4 Gaming Activity Data

• Games played, game session duration, wager amounts, and outcomes;
• Betting history across all game categories (slots, live casino, sports, sabong, bingo);
• Bonus and promotional credit activity and wagering progress;
• Responsible gaming tool settings (deposit limits, session limits, self-exclusion status).

3.5 Technical and Device Data

• IP address and approximate geolocation derived therefrom;
• Device type, operating system, browser type and version;
• Session timestamps and login history;
• Cookie identifiers and tracking pixel data (see Section 7).

3.6 Communications Data

• Customer support chat transcripts and email correspondence;
• Complaint records and dispute submissions;
• Marketing preference settings and communication opt-in or opt-out records.

ph358 collects personal data through the following means:

• Directly from you during account registration, KYC submission, deposit and withdrawal processing, customer support interactions, and when you update your account profile;
• Automatically through the ph358 platform as you browse, log in, and play games — including through cookies, server logs, and session tracking technologies;
• From payment providers such as GCash, PayMaya, and banking partners, who share transaction confirmation and reference data with ph358 to process and reconcile financial transactions;
• From identity verification service providers who assist ph358 in processing KYC documentation and performing liveness checks as part of PAGCOR-mandated player verification;
• From fraud prevention and AML compliance services that provide risk scoring and screening against sanction lists, politically exposed persons (PEP) lists, and law enforcement watchlists as required under AMLA.

ph358 processes your personal data for the following specific, legitimate purposes:

Under the Data Privacy Act of 2012, ph358 processes your personal data on one or more of the following legal bases:

• Contractual Necessity: Processing required to perform the contract between ph358 and you — the provision of gaming services — including account management, payment processing, and game delivery;
• Legal Obligation: Processing required for ph358 to comply with applicable Philippine law, including PAGCOR licensing conditions, the Anti-Money Laundering Act, the Data Privacy Act, tax reporting obligations, and any court orders or regulatory directives;
• Legitimate Interests: Processing necessary for ph358's legitimate business interests, including fraud prevention, platform security, responsible gaming monitoring, and customer service improvement, where these interests are not overridden by your fundamental rights;
• Consent: Processing for purposes where ph358 relies on your freely given, specific, informed, and unambiguous consent — primarily marketing communications. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

ph358 uses cookies and similar tracking technologies on ph358.org to ensure platform functionality, improve user experience, and support security operations. The following cookie categories are used:

• Strictly Necessary Cookies: Required for the platform to function. These include session authentication cookies, security tokens, and load-balancing identifiers. These cannot be disabled without impairing platform functionality.
• Functional Cookies: Remember your preferences such as language settings, game lobby display preferences, and responsible gaming tool configurations, to personalise your experience on ph358.
• Analytics Cookies: Collect aggregated, anonymised data about how users navigate ph358 to help us improve platform design, page performance, and game discovery. Analytics data is not linked to individually identifiable players.
• Security Cookies: Support fraud detection, device fingerprinting for authentication purposes, and detection of abnormal account access patterns.

ph358 does not sell, rent, or trade personal data to unaffiliated third parties for their own commercial purposes. ph358 shares personal data with third parties only in the following limited circumstances:

• Payment Processors: GCash (GXI), PayMaya (Maya Bank), BPI, BDO, Metrobank, UnionBank, and other payment partners receive necessary financial data to process your deposit and withdrawal transactions;
• KYC and Identity Verification Providers: Third-party identity verification services that process your KYC documents on ph358's behalf under strict data processing agreements;
• Game Providers: Software providers whose games are available on ph358 may receive anonymised or pseudonymised game session data to support game performance and integrity monitoring. These providers do not receive your full identity or financial data;
• Regulatory and Law Enforcement Authorities: PAGCOR, the Anti-Money Laundering Council (AMLC), the Bureau of Internal Revenue (BIR), the National Privacy Commission, and law enforcement authorities receive data as required by law, including mandatory regulatory reports and responses to lawful legal process;
• IT and Security Service Providers: Cloud infrastructure, cybersecurity, and platform support providers who process data on ph358's behalf under written data processing agreements that require them to maintain data protection standards equivalent to ph358's obligations;
• Professional Advisors: Legal counsel, accountants, and auditors where necessary for professional advisory services, subject to professional confidentiality obligations.

ph358 implements a comprehensive set of technical and organisational security measures to protect personal data against unauthorised access, loss, alteration, disclosure, or destruction:

• Encryption in Transit: All data transmitted between your device and ph358 is encrypted using TLS 1.2 or higher (256-bit SSL). This covers login sessions, payment data, and all platform interactions;
• Encryption at Rest: Sensitive personal data, including KYC documents, financial data, and password hashes, is encrypted at rest using AES-256 encryption;
• Password Security: Account passwords are hashed using a strong one-way hashing algorithm and are never stored in plaintext. ph358 staff cannot retrieve your password — only reset it through a verified account recovery process;
• Access Controls: Access to personal data is restricted to ph358 personnel and authorised processors on a strict need-to-know basis. All internal access to production data systems is logged and audited;
• Two-Factor Authentication: Ph358 offers two-factor authentication (2FA) to all players and requires 2FA for all internal staff accessing production systems;
• Security Testing: ph358 conducts regular vulnerability assessments and penetration testing of its platform infrastructure. Identified vulnerabilities are remediated according to a risk-prioritised patching schedule;
• Incident Response: ph358 maintains a documented data breach response plan aligned with the NPC's Breach Notification Requirements under NPC Circular 16-03.

ph358 retains personal data for the duration of the player account's active status and for a defined period thereafter, as required by law or legitimate business necessity:

Following the expiry of applicable retention periods, ph358 securely destroys or anonymises personal data in a manner that prevents recovery or identification.

Under the Data Privacy Act of 2012, you have the following rights regarding your personal data held by ph358. To exercise any of these rights, contact ph358's Data Protection Officer at the address in Section 16:

• Right to be Informed: You have the right to know that your personal data is being collected and processed, the purposes of processing, the categories of data involved, and your rights as a data subject — all of which this Policy addresses;
• Right of Access: You may request a copy of the personal data ph358 holds about you, together with information about how it is processed;
• Right to Rectification: You may request correction of inaccurate or incomplete personal data. For KYC data, corrections require submission of updated documentation;
• Right to Erasure or Blocking: You may request deletion or blocking of your personal data where it is no longer necessary for the purposes for which it was collected and there is no overriding legal obligation requiring retention;
• Right to Object: You may object to processing based on legitimate interests, and to processing for direct marketing purposes. Objection to marketing can be exercised at any time by updating your communication preferences in your ph358 account settings;
• Right to Data Portability: Where technically feasible and processing is based on consent or contractual necessity, you may request your personal data in a structured, commonly used electronic format;
• Right to Damages: Under the DPA, you may seek compensation for damages sustained as a result of ph358's violation of the Data Privacy Act;
• Right to File a Complaint with the NPC: If you believe your data privacy rights have been violated, you may file a complaint with the National Privacy Commission of the Philippines.

ph358 is an online gambling platform strictly restricted to individuals who are 21 years of age or older in accordance with Philippine gaming law. ph358 does not knowingly collect personal data from individuals under the age of 21.

Age verification is conducted as part of the registration and KYC process. Any account found to belong to a person under 21 will be immediately terminated, all personal data associated with the account will be deleted or retained only to the extent required by law, and the matter will be reported to PAGCOR as required under licensing conditions.

If you have reason to believe that ph358 has inadvertently collected personal data from an individual under 21 years of age, please contact ph358's Data Protection Officer immediately using the contact details in Section 16.

In the event of a personal data breach that is likely to result in a real risk of serious harm to any data subject, ph358 will comply with the NPC's mandatory breach notification requirements as set out in NPC Circular 16-03:

• ph358 will notify the National Privacy Commission within 72 hours of becoming aware of a qualifying personal data breach, unless the breach is unlikely to result in harm to data subjects;
• Where the breach is likely to pose a high risk to the rights and freedoms of affected data subjects, ph358 will notify affected players without undue delay, using the contact information registered to their ph358 account;
• Breach notifications will describe the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures ph358 has taken or proposes to take to address the breach;
• ph358 maintains a personal data breach register documenting all breaches, including those not requiring NPC notification, for the purpose of demonstrating compliance accountability.

ph358 primarily processes personal data within the Philippines. Where personal data is transferred to, or processed by, third-party service providers or game providers located outside the Philippines, ph358 ensures that adequate safeguards are in place to protect your personal data to a standard equivalent to that required by Philippine law.

Such safeguards include:

• Data Processing Agreements incorporating NPC-compliant data protection obligations binding on the recipient;
• Transfer to jurisdictions that have been assessed as providing an adequate level of data protection relative to Philippine standards;
• Where necessary, Standard Contractual Clauses or equivalent contractual mechanisms approved for cross-border data transfers under the DPA IRR.

ph358 reserves the right to update or amend this Privacy Policy at any time to reflect changes in applicable law, regulatory requirements, NPC guidance, or ph358's data processing practices. Updated versions of this Policy will be published at ph358.org/privacy-policy and will display a revised "Effective Date."

For material changes that significantly affect how ph358 processes your personal data or that require your renewed consent, ph358 will provide advance notice through your registered account — via in-platform notification and/or email to your registered address — before the changes take effect.

Continued use of ph358 following the effective date of an updated Policy constitutes acknowledgment of the revised terms. If you do not accept the updated Policy, you should cease using ph358 and may close your account by contacting customer support.

For all data privacy matters — including requests to exercise your data subject rights, questions about this Policy, or to report a privacy concern — please contact ph358's Data Protection Officer:

When contacting the ph358 DPO regarding a data subject rights request, please include your registered username, a description of your request, and sufficient identity verification information to allow ph358 to confirm your identity before processing the request.

ph358 aims to respond to all data subject rights requests within fifteen (15) business days of receiving a valid, verifiable request. Where a request is complex or involves a large volume of data, ph358 may extend the response period by a further 30 days, with written notification to the requestor.