phaa Casino – Privacy Policy

This Privacy Policy explains how phaa ("phaa," "we," "us," or "our") collects, uses, stores, and protects the personal information of players who access and use the phaa platform at phaa.win. phaa is committed to handling your personal data with transparency, security, and full respect for your rights as a data subject under applicable Philippine law.

21+ The phaa platform is strictly for adults aged 21 and above.

1. Who We Are and How to Contact Us

phaa is the operator of the online gaming platform accessible at phaa.win (the "Platform"). phaa operates in accordance with applicable Philippine gaming regulations and is subject to the data protection requirements of the Republic of the Philippines, including the Data Privacy Act of 2012 (Republic Act No. 10173) and its Implementing Rules and Regulations (the "DPA").

As the personal information controller under the DPA, phaa is responsible for determining the purposes and means by which your personal data is processed. For any privacy-related queries, data subject requests, or concerns, you may contact phaa's Data Protection Officer as follows:

Email: [email protected] (mark the subject line "Data Privacy Request")
Live Chat: Available 24/7 within the phaa Platform

phaa aims to respond to all data privacy enquiries within five (5) business days of receipt.

2. What Personal Data We Collect

phaa collects the following categories of personal data from Players:

Category	Examples of Data Collected
Identity Data	Full legal name, date of birth, gender, nationality, government-issued ID number (e.g., PhilSys ID, passport number, driver's licence)
Contact Data	Email address, Philippine mobile number, residential address
Account Data	Username, account ID, account preferences, communication preferences, responsible gaming settings
Financial Data	GCash reference numbers, Maya transaction IDs, bank transfer references, deposit and withdrawal history, account balance history
Transaction Data	Details of all bets placed, games played, bonus claims, winnings, and losses within the phaa Platform
Technical Data	IP address, device type, browser type and version, operating system, session timestamps, login history
KYC Verification Data	Copies of government-issued identification documents, selfie verification images, proof of address documents
Communications Data	Content of support chat transcripts, email correspondence, and feedback submitted to phaa

phaa does not collect sensitive personal data such as racial or ethnic origin, religious beliefs, or medical history, unless specifically required by applicable law or regulatory obligations (for example, where a Player discloses a gambling addiction in the context of a self-exclusion request).

3. How We Collect Your Data

phaa collects personal data through the following means:

Direct collection: Data you provide when registering a phaa account, completing KYC verification, making a deposit or withdrawal, contacting support, or updating your account preferences.
Automated collection: Technical data collected automatically when you access the phaa Platform, including through cookies, session logs, and analytics tools. See Section 9 (Cookies) for details.
Third-party sources: Data received from payment processors (such as GCash, Maya, BPI, BDO, Metrobank) in connection with deposit and withdrawal transactions; data received from identity verification service providers during KYC processes; data received from fraud prevention and anti-money laundering screening services.
Publicly available sources: In limited circumstances, phaa may supplement account data with information from publicly available sources for AML/KYC compliance purposes.

4. Purposes and Legal Bases for Processing

phaa processes your personal data for the following purposes and on the following legal bases under the DPA:

Purpose	Legal Basis
Creating and managing your phaa account	Performance of contract
Processing deposits and withdrawals	Performance of contract
KYC identity verification and age verification (21+)	Legal obligation; compliance with gaming regulations
Anti-money laundering and fraud prevention screening	Legal obligation; legitimate interests
Delivering responsible gaming tools and monitoring for problem gambling indicators	Legal obligation; legitimate interests; vital interests of the data subject
Providing customer support and resolving disputes	Performance of contract; legitimate interests
Sending account notifications (deposit confirmations, withdrawal alerts, security alerts)	Performance of contract
Sending marketing communications and promotional offers	Consent (you may withdraw consent at any time)
Platform analytics and service improvement	Legitimate interests
Compliance with applicable laws and regulatory reporting obligations	Legal obligation

Where phaa processes your personal data on the basis of legitimate interests, those interests are to operate a safe, secure, and compliant online gaming platform and to protect the interests of phaa and its Players.

5. Data Sharing and Third-Party Disclosure

phaa does not sell your personal data to third parties. phaa may share your personal data with the following categories of recipients, strictly to the extent necessary for the purposes described in this Policy:

Payment processors: GCash, Maya, BPI, BDO, Metrobank, and other payment service providers, solely for the purposes of processing deposits and withdrawals.
Identity verification providers: Third-party KYC and age verification service providers engaged to assist phaa in fulfilling its regulatory obligations.
Fraud prevention and AML service providers: Third-party screening services used to detect and prevent fraud, money laundering, and other financial crimes.
Game software providers: Software licensors who supply games available on the phaa Platform may receive limited technical data (e.g., session tokens, bet data) solely for the purpose of delivering their games.
Cloud and IT service providers: Hosting, infrastructure, and IT support providers who process personal data on behalf of phaa as data processors under binding data processing agreements.
Regulatory and law enforcement authorities: PAGCOR, the National Privacy Commission of the Philippines, the Anti-Money Laundering Council (AMLC), and other competent authorities where disclosure is required by applicable law, court order, or regulatory direction.

All third parties with whom phaa shares personal data are required to maintain appropriate security measures and to use the data solely for the disclosed purpose.

6. International Data Transfers

6.1 Some of phaa's third-party service providers are located outside the Philippines. Where personal data is transferred outside the Philippines, phaa takes appropriate steps to ensure that an adequate level of data protection applies to such transfers, consistent with the requirements of the DPA.

6.2 phaa implements contractual safeguards — including standard data protection clauses — in agreements with recipients of personal data located in jurisdictions that may not provide an equivalent level of data protection to that afforded under Philippine law.

6.3 By registering a phaa account and using the Platform, you acknowledge that your personal data may be transferred to, stored in, and processed in jurisdictions outside the Philippines in accordance with this Policy.

7. Data Retention

7.1 phaa retains personal data only for as long as is necessary to fulfil the purposes for which it was collected, or as required by applicable legal and regulatory obligations.

7.2 Account data and transaction records are retained for a minimum of five (5) years following account closure, in accordance with anti-money laundering record-keeping obligations applicable under Philippine law.

7.3 KYC verification documents are retained for a minimum of five (5) years following the end of the business relationship, unless a longer period is required by applicable law.

7.4 Where a Player has exercised their right to erasure (see Section 8), phaa will delete or anonymise personal data to the extent permitted by applicable legal and regulatory obligations. Data subject to ongoing legal proceedings, regulatory investigations, or AML retention requirements may be retained beyond the standard retention period.

7.5 Self-exclusion records are retained for a minimum of five (5) years following the expiry of the exclusion period, for the purpose of preventing re-registration in contravention of the exclusion.

8. Your Rights as a Data Subject

As a data subject under the DPA, you have the following rights in relation to your personal data held by phaa:

Right to be informed — the right to know what personal data phaa collects and how it is used, as set out in this Policy.
Right of access — the right to request a copy of the personal data phaa holds about you.
Right to rectification — the right to request correction of inaccurate or incomplete personal data.
Right to erasure — the right to request deletion of your personal data, subject to phaa's legal and regulatory retention obligations.
Right to object — the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes.
Right to data portability — the right to receive your personal data in a structured, machine-readable format where technically feasible.
Right to withdraw consent — where processing is based on consent (e.g., marketing communications), you may withdraw your consent at any time without affecting the lawfulness of processing prior to withdrawal.
Right to lodge a complaint — the right to file a complaint with the National Privacy Commission of the Philippines if you believe your data protection rights have been infringed.

To exercise any of the above rights, submit your request to [email protected] with the subject line "Data Subject Rights Request." phaa will respond within fifteen (15) business days of receiving a verifiable request.

9. Cookies and Tracking Technologies

9.1 The phaa Platform uses cookies and similar tracking technologies to deliver, maintain, and improve the Platform, and to personalise the Player experience. A "cookie" is a small text file placed on your device when you visit a website.

9.2 phaa uses the following categories of cookies:

Strictly necessary cookies: Required for the Platform to function. These cookies enable core functions such as account authentication, session management, and security. They cannot be disabled.
Performance and analytics cookies: Used to collect aggregated, anonymised data about how Players use the phaa Platform, enabling phaa to improve performance and identify issues. These are set by phaa or trusted analytics partners.
Functionality cookies: Remember your preferences (such as language settings, game preferences, and responsible gaming configurations) to provide a personalised experience.
Marketing cookies: Used to display relevant promotional content about phaa to you on the phaa Platform. phaa does not use third-party advertising networks to display phaa promotions on external websites.

9.3 You may manage cookie preferences through your browser settings. Disabling strictly necessary cookies will impair the functionality of the phaa Platform and may prevent you from accessing your account.

10. Children's Privacy

The phaa Platform is strictly for individuals aged 21 years and above. phaa does not knowingly collect personal data from persons under the age of 21. If phaa becomes aware that personal data has been collected from a person under the age of 21, that account will be immediately closed, all funds will be returned to the source payment method, and the personal data will be deleted as soon as reasonably practicable.

If you believe that a person under 21 has registered a phaa account, please contact phaa immediately at [email protected] so that the matter can be investigated and resolved without delay.

11. Security Measures

phaa implements appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction, or disclosure. These measures include:

256-bit SSL/TLS encryption for all data transmitted between your device and phaa servers
Encryption of personal data and payment credentials at rest on phaa's infrastructure
Role-based access controls limiting phaa staff access to personal data on a strict need-to-know basis
Two-factor authentication available (and recommended) for all phaa Player accounts
Regular security audits and penetration testing of the phaa Platform
Incident response procedures to detect, assess, and notify affected Players and authorities of any personal data breach within the timeframes required by applicable law

While phaa takes data security seriously and implements industry-standard protections, no online platform can guarantee absolute security. Players are advised to use strong, unique passwords for their phaa account, enable 2FA, and report any suspicious account activity to [email protected] immediately.

12. Changes to This Privacy Policy

12.1 phaa may update this Privacy Policy from time to time to reflect changes in applicable law, regulatory requirements, or phaa's data processing practices. Material changes will be communicated to Players via email to their registered address and/or through a prominent notice on the phaa Platform, at least seven (7) days before the changes take effect.

12.2 The most current version of this Privacy Policy is always available at phaa.win/privacy-policy. The date at the top of this document ("Last Updated") indicates when this version was last revised.

12.3 Continued use of the phaa Platform following the effective date of any revision constitutes your acknowledgement of the updated Privacy Policy.

phaa's Data Protection Commitments

256-Bit Encryption

All personal data transmitted through the phaa Platform is protected by 256-bit SSL/TLS encryption. Your account credentials, payment data, and personal information are never transmitted in plain text.

No Data Selling

phaa does not sell, rent, or trade your personal data to third-party advertisers or data brokers. Your information is used exclusively to operate the phaa Platform and meet our legal obligations.

Your Rights, Your Control

phaa respects your rights under the Philippines Data Privacy Act. You can access, correct, or request deletion of your data at any time by contacting our Data Protection Officer at [email protected].

DPA-Compliant Processing

phaa processes personal data in accordance with Republic Act No. 10173 (Data Privacy Act of 2012). All processing activities are documented and subject to regular internal review by our DPO.

Defined Retention Periods

phaa retains personal data only as long as necessary — typically 5 years post-closure for AML compliance. Data no longer required is securely deleted or anonymised per our data retention schedule.

Breach Notification

In the event of a personal data breach, phaa has procedures to notify the National Privacy Commission and affected Players within the timeframes required by Philippine law — without unnecessary delay.

Your Privacy is Safe at phaa

phaa takes your data seriously — and so does everything else about how we run this platform. Join thousands of Filipino players who trust phaa for secure, fair, and responsible online gaming. Deposit via GCash in seconds. Play 500+ certified games. 21+ only.

Create Your phaa Account Explore phaa Casino

21+ For entertainment purposes only. Please gamble responsibly. phaa.win