Privacy Policy

This Privacy Policy ("Policy") sets out the principles, practices, and procedures governing the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure, or destruction of personal information by PERA SAYO LENDING INC. ("we", "us", "our", or "the Company") from users ("you", "your", or "Data Subject") of our mobile application (the "App"). This Policy applies to all users of the App, including registered and unregistered users, and is binding on the Company and all its authorized representatives.

1. Definitions and Interpretation

For the purposes of this Policy:

• Personal Information (PI): Any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual (e.g., registered mobile number, User Avatar).
• Sensitive Personal Information (SPI): Personal information about an individual's race, ethnic origin, marital status, age, color, religious, philosophical or political affiliations, health, education, genetic information, sexual orientation, criminal record, or any other personal information as defined by DPA 2012 (note: the Company does not collect SPI).
• Data Subject: Any natural person whose personal information is processed by the Company.
• Processing: Any operation or set of operations performed upon personal information, including but not limited to collection, storage, retrieval, use, disclosure, and deletion.
• OTP (One-Time Password): A temporary numeric code sent to your registered mobile number to verify your identity for account creation or access.

2. Collection of Personal Information

2.1 Types of Personal Information Collected

We collect only the following limited personal information to provide and maintain our service:

• Registered Mobile Number: Provided voluntarily by you during account registration.
• User Avatar: Provided voluntarily by you if you choose to upload a profile image (no avatar is required to use core App functions).
• Non-Personal Data: We may collect anonymous, aggregated, or de-identified data (e.g., App usage metrics, device type, OS version) that cannot be used to identify you, for the sole purpose of improving App performance and user experience.

2.2 Legal Basis for Collection

We collect and process your personal information only on the following legal bases (pursuant to DPA 2012):

• Performance of a contract: To create and maintain your account, and provide the core lending-related services you request.
• Compliance with legal obligations: To comply with regulatory requirements set by the Securities and Exchange Commission (SEC) of the Philippines and Bangko Sentral ng Pilipinas (BSP).
• Your explicit consent: To access Camera and Storage/Photos permissions for avatar upload (consent may be withdrawn by disabling the permissions in your device settings at any time).

3. Use of Personal Information and Device Permissions

3.1 Purpose of Use

Your personal information is used exclusively for the following purposes, and no additional uses will be made without your prior informed consent:

• Registration and account management: Verify your identity, create and secure your App account, and facilitate account recovery (if requested).
• Profile personalization: Display your chosen User Avatar on your profile interface (no other use of the avatar data is made).
• Communication: Send service-related notifications (e.g., account security alerts, OTP codes) to your registered mobile number (we do not send promotional or marketing messages unless you opt in).
• Compliance: Fulfill reporting and record-keeping obligations to Philippine regulatory authorities.
• Dispute resolution: Address and resolve any inquiries, complaints, or disputes you may raise regarding the App or our services.

3.2 Device Permissions

All device permissions requested by the App are action-triggered, non-persistent, and purpose-limited:

• Camera Permission: Activated only when you select the "Take Photo for Avatar" option in the App. Access to the camera is terminated immediately after you either capture a photo (and choose to use it as an avatar) or cancel the action. We do not access the camera in the background, nor do we capture or store any photos other than the one you explicitly select as your avatar.
• Storage/Photos Permission: Activated only when you select the "Select Photo from Gallery" option in the App. We only access the specific photo file you select for upload as your avatar; we do not browse, access, or store any other files, photos, or data in your device's storage. Access is revoked immediately after the upload process is complete (whether successful or cancelled).

Note: You may revoke Camera and/or Storage/Photos permissions at any time through your device's settings. Revocation of these permissions will only prevent you from uploading a new avatar; it will not affect your ability to use other core functions of the App, nor will it result in the deletion of an existing avatar (unless you request account/data deletion).

4. Data Security, Retention, and Transmission

4.1 Data Security Measures

We implement industry-leading technical, organizational, and physical security measures to protect your personal information from unauthorized access, disclosure, alteration, or destruction, including:

• Encryption: All personal data (mobile number, avatar) is encrypted in transit (via HTTPS/SSL 3.0+ and TLS 1.2+) and at rest (AES-256 encryption for stored data).
• Access Controls: Only authorized personnel (e.g., Data Protection Officer, IT staff) with a legitimate business need have access to personal data, and all access is logged and audited regularly.
• Secure Storage: Personal data is stored on secure servers located in the Philippines, protected by firewalls, intrusion detection systems, and regular security patches.
• Data Minimization: We only collect and store the minimum personal data necessary to provide our services (no excessive or unnecessary data is collected).
• Security Training: All employees undergo regular training on data privacy and security practices, and are bound by confidentiality agreements.

While we take all reasonable steps to protect your personal data, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we commit to notifying you and relevant authorities in accordance with DPA 2012 in the event of a data breach that poses a risk to your rights and freedoms.

4.2 Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law:

• Registered Mobile Number: Retained for the duration of your account existence, plus 1 year after account deletion (to comply with BSP record-keeping requirements). After this period, the number is permanently deleted or anonymized.
• User Avatar: Retained only for the duration of your account existence; deleted immediately upon account deletion (no retention after deletion).
• Non-Personal Data: Aggregated, anonymous data may be retained indefinitely for analytical purposes (but cannot be linked back to you).

4.3 Data Transmission and Third-Party Access

We do not sell, trade, rent, or otherwise disclose your personal data to third parties for marketing, advertising, or commercial purposes. We may share your personal data only in the following limited circumstances:

• With your explicit written consent (e.g., if you authorize a third-party service provider to assist with your loan application).
• To comply with a legal obligation (e.g., court order, subpoena, or regulatory request from SEC, BSP, or other Philippine government authorities).
• To protect the rights, property, or safety of the Company, our users, or the public (e.g., to prevent fraud or illegal activity).
• With trusted third-party service providers who perform services on our behalf (e.g., cloud storage providers, IT support) – these providers are contractually obligated to protect your personal data and are prohibited from using it for any purpose other than providing the requested service.

Any third-party service providers we engage are located in the Philippines and comply with DPA 2012. We do not transfer personal data to jurisdictions outside the Philippines unless required by law and with your prior consent.

5. Data Subject Rights (Pursuant to DPA 2012)

As a Data Subject under the Data Privacy Act of 2012, you have the following rights with respect to your personal data:

1. Right to Access: You may request a copy of all personal data we hold about you, including details of how it is collected, used, stored, and disclosed.
2. Right to Rectification: You may request correction or updating of inaccurate, incomplete, or outdated personal data (e.g., if you need to change your registered mobile number).
3. Right to Erasure/Deletion: You may request permanent deletion of your account and all associated personal data (subject to legal retention requirements).
4. Right to Object: You may object to the processing of your personal data for reasons related to your particular situation (we will cease processing unless we have compelling legitimate grounds to continue).
5. Right to Data Portability: You may request a copy of your personal data in a structured, commonly used, and machine-readable format (e.g., CSV file) for transfer to another service provider (if technically feasible).
6. Right to Withdraw Consent: You may withdraw your consent to the processing of your personal data (e.g., camera/storage access) at any time, without affecting the lawfulness of processing based on consent before withdrawal.
7. Right to File a Complaint: You may file a complaint with the National Privacy Commission (NPC) of the Philippines if you believe your data privacy rights have been violated.

5.1 How to Exercise Your Rights

To exercise any of the above rights, please submit a written request to our Data Protection Officer via the following channels:

• Email: dpo@perasayo.com (primary channel for data subject requests)
• Support Email: support@perasayo.com (alternative channel)
• Request Requirements: Your request must include your full name, registered mobile number, a clear description of the right you wish to exercise, and proof of identity (e.g., a copy of a valid government-issued ID) to verify your identity (this is to protect your account security and prevent unauthorized requests).
• Processing Time: We will acknowledge receipt of your request within 5 working days and process it within 30 calendar days (or notify you if an extension is required, up to a maximum of 60 days, in accordance with NPC guidelines).
• Fee: We do not charge a fee for processing your request, unless the request is excessive, repetitive, or unfounded (in which case we may charge a reasonable fee based on the cost of processing).

6. Special Provisions for Minors

Our App is not intended for use by individuals under the age of 18 ("Minors"). We do not knowingly collect personal information from Minors. If we become aware that we have collected personal information from a Minor without the consent of a parent or legal guardian, we will immediately delete the data. Parents or legal guardians who believe their child has provided personal information to us may contact our Data Protection Officer to request deletion.

7. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or technological developments. Any changes will be effective 30 days after we notify you (via in-App notification, email to your registered mobile number's associated email, or a prominent notice on our App/website).

We encourage you to review this Policy periodically to stay informed about how we protect your personal data. Your continued use of the App after the effective date of changes constitutes your acceptance of the updated Policy.

All previous versions of this Policy will be archived and available upon request for a period of 3 years.

8. Contact Information