phshy Privacy
Policy

This Privacy Policy ("Policy") describes how phshy ("phshy," "we," "us," or "our"), operating the online gaming platform at phshy.club, collects, uses, stores, discloses, and protects the personal information of individuals ("Data Subjects," "Players," "Users," "you") who access or use the phshy platform and its associated services.

This Policy applies to all personal data collected through the phshy platform, including data submitted during account registration, identity verification (KYC), deposit and withdrawal transactions, customer support interactions, and general browsing activity on phshy.club. It applies to all Users of the platform, regardless of their geographic location, provided they access phshy's services.

This Policy should be read in conjunction with phshy's Terms and Conditions and Responsible Gaming Policy, both of which are published on the phshy platform. By registering a phshy account or using the phshy platform, you acknowledge that you have read and understood this Privacy Policy and consent to the processing of your personal data as described herein.

phshy may update this Policy from time to time. The current version will always be accessible at phshy.club/privacy-policy. Material changes will be communicated to registered Players by email prior to taking effect, as detailed in Section 14 of this Policy.

For the purposes of the Philippine Data Privacy Act (RA 10173) and applicable data protection legislation, phshy acts as the Personal Information Controller with respect to all personal data collected from Players through the phshy.club platform.

As Personal Information Controller, phshy determines the purposes for which and the means by which personal data is processed. phshy has appointed a Data Protection Officer (DPO) in accordance with RA 10173. The DPO's contact details are provided in Section 15 of this Policy.

Certain personal data processing activities — particularly those related to game provision, payment processing, and fraud detection — are carried out by third-party service providers acting as Personal Information Processors on phshy's behalf. These processors operate under written data processing agreements that impose data protection obligations consistent with RA 10173 and this Policy. A description of the categories of processors and the nature of their processing activities is provided in Section 7 of this Policy.

phshy collects personal data in the categories described below. The specific data elements collected may vary depending on the services accessed, the Player's account tier, and applicable regulatory requirements.

phshy does not collect sensitive personal information as defined under Section 3(l) of RA 10173 (such as race, religion, health data, or political affiliation) except where strictly required by applicable law or regulatory obligation — for example, where a responsible gaming intervention requires the processing of information relating to a Player's self-declared mental health or addiction status, which is handled with the highest level of confidentiality.

phshy collects personal data through the following means:

• Direct submission by the Player: Data provided during account registration, KYC document uploads, payment method registration, customer support contacts, and account settings updates;
• Automatic technical collection: Data collected automatically when a Player accesses the phshy platform, including IP address, device identifiers, browser data, session duration, and navigation behavior — collected through server logs, cookies, and similar tracking technologies (see Section 11);
• Payment processor data: Transaction confirmation data received from GCash, PayMaya, BPI, BDO, Metrobank, and other payment processors when a deposit or withdrawal is processed;
• Third-party verification services: Identity data returned by KYC verification service providers as part of phshy's compliance screening process;
• Anti-fraud and AML screening: Data from anti-money laundering screening databases and fraud detection services used to verify the legitimacy of account activity and payment transactions;
• Gaming activity logs: Server-side records generated automatically by phshy's gaming systems each time a bet is placed, a game is launched, or a game round is completed.

phshy processes personal data for the following specific, legitimate purposes:

• Account creation and management: To register and maintain Player accounts, authenticate login sessions, and manage account preferences and settings;
• Identity verification and KYC compliance: To verify the identity, age (21+ requirement), and payment method ownership of Players as required by PAGCOR compliance obligations and anti-money laundering regulations;
• Payment processing: To process deposit and withdrawal transactions via GCash, PayMaya, BPI, BDO, Metrobank, and other supported Philippine payment methods, and to maintain accurate financial records;
• Gaming service delivery: To provide access to slot games, live casino tables, sports betting markets, e-sports markets, bingo rooms, and other games on the phshy platform;
• Fraud prevention and security: To detect and prevent unauthorized account access, identity fraud, payment fraud, collusion, money laundering, and other prohibited conduct under phshy's Terms and Conditions;
• Responsible gaming: To monitor gaming behavior patterns for indicators of problem gambling, to apply Player-requested account limits and self-exclusion measures, and to fulfil phshy's responsible gaming obligations;
• Regulatory compliance: To comply with PAGCOR reporting requirements, Anti-Money Laundering Council (AMLC) obligations under RA 9160, and any other applicable Philippine regulatory requirements;
• Customer support: To respond to Player queries, resolve disputes, and maintain records of support interactions;
• Platform improvement: To analyze aggregated usage patterns and technical performance data in order to improve the phshy platform's features, performance, and user experience;
• Marketing communications: To send promotional offers, bonus notifications, and platform updates to Players who have provided consent for such communications, or where phshy has a legitimate interest in notifying Players of relevant offers.

Under the Data Privacy Act of 2012 (RA 10173), phshy processes personal data on the following legal bases:

• Consent (Section 12(a), RA 10173): For processing activities where phshy seeks the Data Subject's explicit consent — including consent to receive marketing communications and consent to the processing of any sensitive personal information. Players may withdraw consent at any time without detriment, subject to the limitations described in this Policy;
• Contractual necessity (Section 12(b), RA 10173): Processing required to fulfil phshy's contractual obligations to the Player under the Terms and Conditions — including account management, payment processing, and game service delivery;
• Legal obligation (Section 12(c), RA 10173): Processing required for phshy to comply with applicable Philippine law, including PAGCOR licensing requirements, RA 9160 (Anti-Money Laundering Act), and any other regulatory obligations;
• Legitimate interests (Section 12(f), RA 10173): Processing necessary for phshy's legitimate interests in operating a secure and fair gaming platform — including fraud detection, security monitoring, platform performance analysis, and responsible gaming monitoring — where those interests are not overridden by the Data Subject's rights and freedoms.

phshy discloses personal data to the following categories of third parties, strictly for the purposes described:

• Payment processors: GCash (G-Xchange Inc.), PayMaya (Maya Philippines Inc.), Bank of the Philippine Islands (BPI), Banco de Oro (BDO), Metrobank, and other payment service providers — for the purpose of processing Player deposits and withdrawals. Only the data strictly necessary to complete each transaction is shared;
• KYC and identity verification providers: Licensed third-party identity verification services that assist phshy in verifying government-issued ID documents and confirming Player identity in compliance with PAGCOR requirements;
• Game content providers: Licensed game studios and platform providers (including but not limited to live casino studio operators) who require certain session-related technical data to deliver game content to the Player's device and record game outcomes for settlement purposes;
• Anti-fraud and AML service providers: Services that screen transactions and account activity against fraud and money laundering risk databases. These providers process data as Personal Information Processors under binding data processing agreements;
• Cloud infrastructure and hosting providers: Third-party cloud service providers that host phshy's platform infrastructure. These providers process data only on phshy's documented instructions and under strict contractual data protection obligations;
• Regulatory authorities: PAGCOR, the Anti-Money Laundering Council (AMLC), the National Privacy Commission (NPC), and other Philippine government authorities — where phshy is required by law, court order, or regulatory direction to disclose Player data;
• Legal and professional advisers: Legal counsel, auditors, and compliance consultants engaged by phshy, subject to professional confidentiality obligations.

phshy does not disclose personal data to any third party for that party's own marketing purposes. All third-party processors engaged by phshy are required to implement appropriate technical and organizational data security measures consistent with RA 10173 requirements.

Some of phshy's third-party service providers — including certain game content delivery infrastructure providers and cloud hosting providers — operate servers or data processing facilities located outside the Philippines. Where personal data is transferred to a jurisdiction outside the Philippines, phshy takes the following measures to ensure adequate protection of that data:

• Engaging only processors located in jurisdictions recognized by the NPC as providing an adequate level of data protection, or where no adequacy recognition exists, requiring processors to execute Standard Contractual Clauses or equivalent data transfer agreements that impose RA 10173-equivalent data protection obligations;
• Conducting due diligence on international processors' data security practices prior to engagement and on an ongoing basis;
• Limiting the categories and volume of personal data transferred internationally to only what is strictly necessary for the described processing purpose.

Players may request information about the specific international transfer safeguards applicable to their data by contacting phshy's Data Protection Officer at the contact details in Section 15.

phshy retains personal data only for as long as is necessary for the purposes for which it was collected, or for as long as is required by applicable Philippine law or regulatory obligation. The following retention periods apply as general guidance:

Upon expiry of the applicable retention period, personal data is securely deleted or anonymized in accordance with phshy's data disposal procedures. Anonymized, aggregated data that cannot be used to identify any individual Player may be retained indefinitely for platform analytics and improvement purposes.

phshy implements a comprehensive set of technical and organizational security measures to protect personal data against unauthorized access, accidental loss, destruction, alteration, or disclosure:

• Transport security: TLS 1.3 encryption for all data in transit between Players and phshy's platform infrastructure;
• Data at rest encryption: Personal data stored on phshy's servers — including KYC documents and financial records — is encrypted at rest using industry-standard encryption protocols;
• Access controls: Role-based access control (RBAC) ensures that phshy staff and third-party processor employees can only access personal data categories necessary for their specific job functions. Access to KYC data and financial records is restricted to compliance and finance personnel with documented business need;
• Two-factor authentication: Administrative access to phshy's data management systems requires multi-factor authentication. Players are also encouraged and supported to enable 2FA on their individual accounts;
• Regular security audits: phshy conducts periodic security assessments, penetration testing, and vulnerability scanning of its platform infrastructure;
• Incident response: phshy maintains a documented data breach incident response procedure. In the event of a personal data breach that poses a risk to Data Subjects' rights and freedoms, phshy will notify the National Privacy Commission within 72 hours of becoming aware of the breach, and will notify affected Data Subjects without undue delay where the breach poses a high risk to their rights;
• Staff training: All phshy staff who handle personal data receive training on data protection obligations under RA 10173 and phshy's internal data handling procedures.

phshy uses cookies and similar tracking technologies on the phshy.club website and platform. Cookies are small text files placed on a Player's device by the phshy platform when the platform is accessed. phshy uses the following categories of cookies:

• Strictly necessary cookies: Required for the phshy platform to function correctly — including session authentication, security token management, and load balancing. These cookies cannot be disabled without rendering the platform non-functional;
• Functional cookies: Used to remember Player preferences such as language settings, preferred game lobby layout, and recently played games. These improve the Player experience but are not strictly required for platform operation;
• Analytics cookies: Used to collect aggregated, anonymized data about how Players navigate and use the phshy platform — including page views, session duration, and feature usage patterns. This data is used to improve platform design and performance. Analytics cookies do not identify individual Players;
• Security and fraud detection cookies: Used to identify and flag unusual access patterns, suspected bot activity, and other security threats. These cookies are necessary for phshy's fraud prevention obligations.

phshy does not use third-party advertising cookies or behavioral tracking cookies that share Player data with external advertising networks. Players can manage non-essential cookie preferences through the cookie preference center accessible from the phshy platform footer. Note that disabling strictly necessary cookies will impair the platform's core functionality.

Under the Data Privacy Act of 2012 (RA 10173), every Data Subject — including all phshy Players — has the following rights with respect to their personal data. phshy is committed to honouring these rights within the timeframes prescribed by RA 10173 and NPC issuances:

• Right to be Informed: The right to know what personal data phshy collects, for what purposes, and on what legal basis — as described in this Privacy Policy;
• Right of Access: The right to obtain a copy of your personal data held by phshy, together with information about how it is processed. Requests will be fulfilled within 15 business days of receipt;
• Right to Rectification: The right to have inaccurate or incomplete personal data corrected. Players may update most contact and preference data directly through their phshy account settings; KYC-related rectification requests are processed by the compliance team;
• Right to Erasure or Blocking: The right to request deletion or blocking of personal data where: the data is no longer necessary for the original purpose; consent has been withdrawn and there is no other legal basis for processing; or the data has been unlawfully processed. Note that certain data cannot be deleted where retention is required by Philippine law (see Section 9);
• Right to Object: The right to object to processing activities based on phshy's legitimate interests — including profiling for responsible gaming purposes — where you have a particular ground relating to your situation. You may also object at any time to processing for direct marketing purposes without providing a reason;
• Right to Data Portability: The right to receive your personal data in a structured, commonly used, machine-readable format and to request that it be transmitted to another Personal Information Controller where technically feasible;
• Right to File a Complaint: The right to file a complaint with the National Privacy Commission (NPC) of the Philippines if you believe phshy has processed your personal data in violation of RA 10173. The NPC complaint procedure is available through the NPC's official channels.

To exercise any of these rights, please contact phshy's Data Protection Officer using the details provided in Section 15. phshy will require identity verification before processing any data subject rights request to ensure that personal data is not disclosed to or modified by an unauthorized party.

phshy's age enforcement mechanisms — including mandatory age declaration at registration and KYC-based identity and age verification — are designed to prevent the collection of personal data from underage individuals. If a parent or guardian has reason to believe that a person under 21 has registered an account on phshy, they should contact phshy's support team immediately using the contact details in Section 15.

phshy reserves the right to update or amend this Privacy Policy at any time to reflect changes in applicable Philippine law, NPC guidance, phshy's data processing practices, or the services offered on the phshy platform.

Where an amendment constitutes a material change to how phshy processes personal data — including any change to the purposes of processing, the categories of data collected, the third parties with whom data is shared, or the Data Subject rights available — phshy will notify registered Players by email to their registered address no less than fourteen (14) days before the amendment takes effect. The revised Policy will also be published on phshy.club/privacy-policy with the "Last Updated" date reflecting the revision date.

Non-material amendments — including clarifications, corrections of typographical errors, and formatting updates that do not affect the substance of phshy's data processing practices — may be made without prior notice and will be reflected in the updated "Last Updated" date. Players are encouraged to review this Policy periodically.

Continued use of the phshy platform following the effective date of any amended Policy constitutes acceptance of the amended terms. If you do not agree with the amended Policy, you may request account closure and the exercise of your erasure rights by contacting phshy's Data Protection Officer.

For all privacy-related queries, data subject rights requests, data breach notifications, or complaints, Players may contact phshy's designated Data Protection Officer through the following channels:

• Live Chat: Available 24/7 directly on the phshy platform — select "Privacy / Data Request" as the inquiry category for routing to the compliance team;
• Email (Data Protection Officer): [email protected] — subject line: "Data Privacy Request" — responses within 3 business days for standard requests; within 72 hours for urgent data breach notifications;

When submitting a data subject rights request, please include your full name as registered on your phshy account, your registered email address, the specific right you wish to exercise, and any additional context that will help phshy process your request efficiently. For requests involving access to or erasure of personal data, identity re-verification will be required before phshy can fulfil the request.

If you are not satisfied with phshy's response to a data privacy concern, you have the right to escalate your complaint to the National Privacy Commission (NPC) of the Philippines through the NPC's official complaint channels.

This Privacy Policy was last reviewed and updated on 1 January 2026 and supersedes all prior versions published on the phshy platform.