
philwin Privacy Policy

This Privacy Policy explains how philwin collects, uses, stores, and protects your personal data when you use our platform. We are committed to handling your information responsibly and transparently, in full compliance with Republic Act No. 10173 (Data Privacy Act of 2012) and the regulations of the National Privacy Commission of the Philippines.

Effective Date: 1 January 2026
Last Updated: 1 January 2026
Jurisdiction: Philippines
Regulator: NPC & PAGCOR

How philwin Protects Your Personal Information

🔒 Core Commitment
RA 10173 Compliance

philwin processes all personal data strictly in accordance with Republic Act No. 10173 — the Data Privacy Act of 2012 — and the implementing rules and issuances of the National Privacy Commission (NPC) of the Philippines. Your data rights are legally protected.

🔐 Security
256-Bit SSL Encryption

All data transmitted between your device and philwin's servers is protected using 256-bit SSL/TLS encryption — the same standard used by Philippine banks. Sensitive data at rest, including payment details and identity documents, is stored using industry-standard encryption protocols.

No Data Selling

philwin does not sell, rent, or trade your personal data to third parties for their marketing purposes. Any sharing of data with third parties is limited strictly to what is necessary for platform operation, legal compliance, or service delivery — and only with parties under binding data processing agreements.

Your Rights Under RA 10173

As a data subject under Philippine law, you have the right to access, correct, delete, and object to the processing of your personal data. philwin provides clear mechanisms for exercising each of these rights, detailed fully in this Privacy Policy.

Minimal Collection
Data Minimization

philwin collects only the personal data that is genuinely necessary for the purposes stated in this Policy. We do not request data beyond what is required for account management, legal compliance, or service delivery. Unnecessary data is not retained beyond its required period.

PAGCOR & AML Compliance

As a PAGCOR-licensed operator, philwin is legally required to verify player identities and maintain transaction records under the Anti-Money Laundering Act (RA 9160). Data collected for these purposes is handled under strict regulatory frameworks and retention schedules.

Effective 1 January 2026. This Privacy Policy supersedes all prior versions. Continued use of philwin after this date constitutes acceptance of this Policy.

1

Introduction

philwin ("philwin," "we," "us," or "our") operates the online gaming platform accessible at philwin.one. We are a PAGCOR-licensed online casino and sportsbook serving Filipino players across the Philippines. This Privacy Policy ("Policy") describes how philwin collects, uses, discloses, stores, and protects your personal information when you access or use our Platform, create an account, make a transaction, or otherwise interact with our services.

This Policy is issued in compliance with Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012 ("DPA"), its Implementing Rules and Regulations ("IRR"), and the applicable issuances of the National Privacy Commission (NPC) of the Philippines. philwin is registered as a personal information controller with the NPC as required under applicable regulations.

By registering an account on philwin or using any part of the Platform, you acknowledge that you have read and understood this Privacy Policy and consent to the collection and use of your personal data as described herein. If you do not agree to this Policy, please do not register or continue using the Platform.

This Policy should be read together with philwin's Terms and Conditions, which govern your overall use of the Platform and are incorporated herein by reference.

2

Data Controller Information

For the purposes of the Data Privacy Act of 2012 and this Policy, philwin acts as the Personal Information Controller (PIC) in respect of the personal data it collects from players and website visitors. As PIC, philwin determines the purposes for which and the means by which personal data is processed.

Where philwin engages third-party service providers — such as payment processors, KYC verification services, and game technology providers — to process personal data on its behalf, those third parties act as Personal Information Processors (PIPs) and are bound by contractual data processing agreements that require them to maintain the same standards of data protection required under Philippine law.

philwin has designated a Data Protection Officer (DPO) as required by NPC regulations. The DPO oversees philwin's data protection program, ensures compliance with the DPA, and serves as the primary point of contact for data subjects exercising their rights. Contact details for the DPO are provided in Section 15 of this Policy.

3

Personal Data We Collect

philwin collects personal data only to the extent necessary for the lawful purposes described in this Policy. The categories of personal data we collect include:

| Category | Examples | When Collected |
|---|---|---|
| Identity Data | Full name, date of birth, gender, nationality, government ID numbers (UMID, PhilSys, passport, driver's license) | Registration & KYC verification |
| Contact Data | Mobile number (+63 format), email address, residential address | Registration |
| Financial Data | GCash / Maya account reference, bank account identifiers (for withdrawal verification), transaction amounts and timestamps | Deposits, withdrawals, KYC |
| Technical Data | IP address, device type, browser, operating system, session tokens, login timestamps | Platform access |
| Usage Data | Games played, bets placed, bet amounts, win/loss history, session duration, feature interactions | Ongoing platform use |
| Verification Documents | Scanned or photographed copies of government-issued IDs, selfies or liveness verification images | KYC process |
| Communications Data | Live chat transcripts, email correspondence, support ticket content | When you contact support |
| Responsible Gaming Data | Self-imposed limits, cooling-off or self-exclusion elections, problem gambling indicators | When tools are used |

philwin does not collect sensitive personal information beyond what is strictly required for KYC compliance. We do not collect data on religious beliefs, political opinions, health records (outside responsible gaming context), or sexual orientation.

4

How We Collect Your Data

philwin collects personal data through the following means:

  1. Directly from you — when you register an account, complete KYC verification, make a deposit or withdrawal, submit a support request, participate in a promotion, or communicate with philwin through any channel.
  2. Automatically through technology — when you access the Platform, technical data such as your IP address, device information, browser type, and session activity is automatically recorded through cookies, server logs, and similar technologies. See Section 9 for more on cookies.
  3. From third-party service providers — philwin may receive data from KYC verification partners, payment processors, and fraud prevention services in the course of processing your transactions or verifying your identity. All such partners are bound by data processing agreements and applicable Philippine law.
  4. From publicly available sources: in limited circumstances for fraud prevention or regulatory compliance purposes, philwin may cross-reference data against publicly available Philippine government databases or watchlists (e.g., AMLC or PDEA-related compliance checks).

5

Purposes of Processing

philwin processes your personal data for the following purposes:

  • Account registration and management: Creating and maintaining your philwin account, verifying your identity, and managing your profile and preferences.
  • Age and eligibility verification: Confirming that you meet the mandatory 21+ age requirement under PAGCOR regulations before allowing access to gaming services.
  • Transaction processing: Processing deposits, withdrawals, and related financial transactions through GCash, Maya, BPI, BDO, and other supported payment methods.
  • KYC and anti-money laundering compliance: Fulfilling our legal obligations under Republic Act No. 9160 (Anti-Money Laundering Act) and PAGCOR's Know Your Customer requirements.
  • Fraud prevention and security: Detecting, investigating, and preventing fraudulent activity, account takeovers, and other security threats.
  • Platform operation and improvement: Analyzing usage patterns to improve game selection, platform performance, user experience, and technical reliability.
  • Customer support: Responding to inquiries, resolving disputes, and providing assistance through live chat, email, and other support channels.
  • Responsible gaming: Monitoring gaming behavior to identify potential problem gambling indicators, administering self-exclusion requests, and implementing player-elected limits in compliance with PAGCOR's responsible gaming framework.
  • Promotions and loyalty programs: Administering bonuses, cashback offers, VIP tier benefits, and other promotional activities — where you have not opted out of marketing communications.
  • Legal and regulatory compliance: Meeting our obligations under Philippine law, PAGCOR licensing conditions, NPC regulations, and responding to lawful requests from government authorities.

6

Legal Basis for Processing

Under the Data Privacy Act of 2012, philwin relies on the following lawful bases for processing your personal data:

  • Consent (Section 13(a), DPA): Where you have given your freely given, specific, informed, and unambiguous consent to processing — for example, for marketing communications or optional data collection beyond what is required for platform operation. You may withdraw consent at any time without affecting the lawfulness of prior processing.
  • Contractual necessity (Section 13(b), DPA): Processing necessary for the performance of the contract between you and philwin — specifically, to provide the gaming services you have registered for, process your transactions, and manage your account.
  • Legal obligation (Section 13(c), DPA): Processing required to comply with Philippine law, including PAGCOR licensing requirements, the Anti-Money Laundering Act, the Data Privacy Act itself, and tax obligations.
  • Legitimate interests (Section 13(f), DPA): Processing necessary for the legitimate interests of philwin or third parties (including fraud prevention, platform security, and service improvement) where such interests are not overridden by your rights and freedoms as a data subject.

7

Sharing Your Personal Data

philwin does not sell your personal data to third parties. We share personal data only in the circumstances described below, and only to the extent strictly necessary:

  • Payment processors: GCash (GXI), Maya, GrabPay, BPI, BDO, Metrobank, and other payment service providers receive transaction data necessary to process deposits and withdrawals.
  • KYC and identity verification providers: Third-party identity verification services receive identity documents and biometric data for KYC compliance purposes. All providers are bound by NPC-compliant data processing agreements.
  • Game technology providers: Game Providers (such as JILI, PG Soft, and Evolution) receive a technical player identifier and session data necessary to deliver games. No sensitive personal data is shared with Game Providers beyond what is technically necessary.
  • Regulatory authorities: PAGCOR, the Anti-Money Laundering Council (AMLC), the National Privacy Commission (NPC), the Bureau of Internal Revenue (BIR), and other competent Philippine government authorities may receive data where legally required or pursuant to a valid legal order.
  • Fraud prevention services: Industry fraud prevention networks may receive limited transactional and identity data where necessary to protect philwin and its players from fraud and financial crime.
  • Professional advisors: Legal counsel, auditors, and other professional service providers may access personal data under obligations of professional confidentiality where necessary to obtain advice or conduct audits.

All third-party recipients of personal data are required to maintain appropriate technical and organizational security measures and to process data only for the specified purpose and in accordance with applicable Philippine data protection law.

8

Data Retention

philwin retains personal data only for as long as is necessary to fulfil the purposes for which it was collected, or as required by applicable law. The following general retention periods apply:

| Data Category | Retention Period | Basis |
|---|---|---|
| Account and identity data | Duration of account + 5 years after closure | PAGCOR license, AML Act |
| Transaction and financial data | 5 years from transaction date | RA 9160 (AML Act), BIR requirements |
| KYC documents | 5 years from account closure | PAGCOR and AMLC requirements |
| Customer support communications | 3 years from last interaction | Legitimate interests (dispute resolution) |
| Technical and usage data | 13 months from collection | Security, analytics |
| Marketing preferences | Until consent withdrawn or account closed | Consent |
| Self-exclusion records | Indefinitely (or as specified in request) | Player protection obligation |

Upon expiry of the applicable retention period, personal data is securely deleted or anonymized in accordance with NPC guidance on data disposal. Where data cannot be immediately deleted due to legal hold requirements, it is segregated and access-restricted pending lawful disposal.

9

Cookies & Tracking Technologies

philwin uses cookies and similar tracking technologies — including session tokens, local storage, and analytics pixels — to operate the Platform, maintain session security, and analyze user behavior for service improvement purposes.

The following types of cookies are used on the philwin Platform:

  • Strictly Necessary Cookies: Essential for platform functionality, including maintaining your login session, load balancing, and security features. These cannot be disabled without impairing core platform functionality.
  • Functional Cookies: Store your language, game, and display preferences to provide a personalized experience across sessions.
  • Analytics Cookies: Used to understand how players interact with the Platform — including which games are played, how long sessions last, and which features are used most. Data is aggregated and pseudonymized.
  • Security Cookies: Used for fraud detection, bot prevention, and account security, including session integrity validation and suspicious activity detection.

philwin does not use third-party advertising or behavioral tracking cookies for the purpose of serving targeted advertising on external websites. You may manage cookie preferences through your browser settings. Note that disabling strictly necessary cookies may prevent access to some Platform features.

10

Security Measures

philwin implements appropriate technical and organizational measures to protect your personal data against unauthorized access, disclosure, alteration, loss, or destruction. Our security measures include, but are not limited to:

  • Encryption in transit: All data exchanged between your device and philwin's servers is encrypted using TLS 1.2 or higher (256-bit SSL).
  • Encryption at rest: Sensitive data — including identity documents, payment references, and authentication credentials — is encrypted at rest using AES-256 or equivalent standards.
  • Access controls: Access to personal data is restricted on a strict need-to-know basis. philwin staff access is controlled through role-based permissions, multi-factor authentication, and comprehensive audit logging.
  • Two-factor authentication (2FA): philwin offers SMS-based OTP as a second authentication factor for all player accounts. Players are strongly encouraged to enable 2FA.
  • Intrusion detection and monitoring: philwin employs 24/7 automated monitoring for anomalous activity, potential data breaches, and unauthorized system access attempts.
  • Regular security assessments: philwin conducts regular vulnerability assessments and penetration testing of its platform infrastructure.
  • Data breach procedures: In the event of a personal data breach, philwin will notify the NPC and affected data subjects within the timeframes prescribed by the DPA and NPC regulations, where required by law.

Your Role in Security: While philwin takes all reasonable technical precautions, the security of your account also depends on your actions. Use a strong, unique password, enable 2FA, and never share your login credentials with anyone. Report any suspected unauthorized account activity to philwin support immediately.

11

Your Rights as a Data Subject

Under the Data Privacy Act of 2012, you have the following rights in relation to your personal data held by philwin. philwin will respond to all valid rights requests within the timeframes prescribed by NPC regulations:

Right to Access

Request a copy of the personal data philwin holds about you and information on how it is being processed.

Right to Rectification

Request correction of inaccurate or incomplete personal data in your philwin account.

Right to Erasure

Request deletion of personal data where it is no longer necessary for its original purpose, subject to legal retention obligations.

Right to Object

Object to processing based on legitimate interests or for direct marketing purposes at any time.

Right to Portability

Receive a copy of data you provided to philwin in a structured, machine-readable format.

Right to Withdraw Consent

Withdraw consent to processing at any time, without affecting the lawfulness of prior processing based on that consent.

To exercise any of these rights, please contact philwin's Data Protection Officer via the contact details in Section 15. Requests will be acknowledged within five (5) business days and substantively responded to within fifteen (15) business days, extendable by a further fifteen (15) days for complex requests with prior notification. Identity verification will be required before processing any rights request to prevent unauthorized disclosure. If you are unsatisfied with philwin's response to your request, you have the right to lodge a complaint with the National Privacy Commission.

12

Children's Privacy

philwin is strictly an adults-only platform. In compliance with PAGCOR's mandatory minimum age requirement, the Platform is accessible only to individuals who are 21 years of age or older. philwin does not knowingly collect personal data from persons under 21 years of age.

Where philwin discovers or has reasonable grounds to suspect that an account has been registered by a person under 21 years of age, it will immediately suspend the account, cease processing the minor's personal data, delete such data to the extent not required to be retained for regulatory or legal compliance purposes, and report the matter to PAGCOR as required by our licensing obligations.

If you are the parent or legal guardian of a person you believe has registered on philwin while under 21 years of age, please contact philwin's Data Protection Officer immediately with the relevant account details.

13

Cross-Border Data Transfers

Some of philwin's service providers — including cloud infrastructure providers and game technology companies — may process personal data in locations outside the Philippines. Where personal data is transferred outside the Philippines, philwin ensures that appropriate safeguards are in place to provide an equivalent level of data protection to that required under the DPA, including:

  • Contractual clauses that impose DPA-equivalent data protection obligations on the recipient.
  • Processing only by recipients located in countries or jurisdictions that have been recognized by the NPC as providing adequate data protection standards.
  • Other appropriate safeguards approved by the NPC for cross-border transfers.

philwin will not transfer personal data to a country or territory that does not provide adequate data protection safeguards unless required by Philippine law or pursuant to your explicit consent with full awareness of the associated risks.

14

Changes to This Privacy Policy

philwin reserves the right to update or amend this Privacy Policy from time to time to reflect changes in applicable law, NPC guidance, PAGCOR requirements, or our data processing practices. When material changes are made, philwin will notify registered players via their registered email address or through an on-Platform notification prior to the changes taking effect.

The updated Policy will be published on the Platform with a revised effective date. Continued use of the philwin Platform following the effective date of any revision constitutes your acceptance of the revised Policy. We encourage you to review this Policy periodically to stay informed about how we protect your personal data.

If a proposed change would materially alter how we use personal data collected under a prior consent, we will seek fresh consent from affected data subjects before the change takes effect.

15

Contact & Data Protection Officer

For any questions, concerns, or requests relating to this Privacy Policy or the processing of your personal data by philwin, please contact our Data Protection Officer using the following channels:

  • DPO Email: Mark subject: "Privacy / DPO Request"
  • Live Chat Support: 24/7 inside the Platform, for urgent account security matters
  • Response Time: Within 5 business days, for all formal privacy requests
  • Regulator: National Privacy Commission (NPC), Philippines, for unresolved complaints

This Privacy Policy was last reviewed and published on 1 January 2026. philwin is committed to transparency in how we handle your data and welcomes any questions you may have about our privacy practices.

Your Data Is Safe at philwin. So Is Your Game.

philwin is built on a foundation of security, transparency, and PAGCOR-licensed accountability. Your personal data is protected by Philippine law, processed only for legitimate purposes, and never sold. Sign in and play with confidence — 21+ Filipino players only.
