openph Privacy Policy

1 Introduction & Scope

openph ("the Company," "we," "us," "our") values the privacy of every Filipino player who uses the openph Platform. This Privacy Policy describes how openph collects, uses, discloses, stores, and protects personal data in connection with the operation of the online gaming platform accessible at openph.org.

This Privacy Policy applies to:

• All registered Account holders on the openph Platform;
• Visitors to the openph.org website who have not yet registered an Account;
• Persons who have submitted a registration form, KYC documents, or support inquiries regardless of whether Account registration was completed;
• Former Account holders whose data is retained pursuant to legal obligations described in Section 9 of this Policy.

This Privacy Policy does not apply to third-party websites, applications, or services that may be linked from or accessible through the openph Platform. openph is not responsible for the data privacy practices of third parties.

This Privacy Policy is written in English in accordance with the openph Terms & Conditions. In the event of any conflict between the English version and any translation, the English version shall prevail.

2 Data Controller & Data Protection Officer

For the purposes of the Philippine Data Privacy Act of 2012 (Republic Act 10173) and its Implementing Rules and Regulations, openph acts as the Data Controller in respect of personal data collected through the Platform.

openph has appointed a Data Protection Officer (DPO) responsible for overseeing compliance with this Privacy Policy and applicable data protection law. The DPO may be contacted at:

openph's data processing activities are registered with the National Privacy Commission (NPC) of the Philippines as required under applicable regulations. The NPC may be contacted at the official government website of the National Privacy Commission should you wish to file a complaint.

3 Personal Data We Collect

3.1 Registration and Identity Data

When you create an openph Account, we collect the following categories of personal data:

• Full legal name (as it appears on your Philippine government-issued ID);
• Date of birth (to verify the minimum age of twenty-one (21) years);
• Email address (used as primary Account identifier and for communications);
• Philippine mobile number (used for Two-Factor Authentication, OTP delivery, and account notifications);
• Username or display name, if different from your registered name.

3.2 Identity Verification (KYC) Data

To comply with PAGCOR licensing requirements and Anti-Money Laundering Council (AMLC) obligations, openph collects:

• Copies of government-issued Philippine photo identification documents (e.g., Passport, Driver's License, UMID, SSS ID, Voter's ID, PhilHealth ID);
• Selfie or live verification photographs as may be requested by the openph KYC system;
• Proof of address (utility bill, bank statement header) for enhanced due diligence in applicable circumstances;
• Proof of ownership of payment methods used for deposits (e.g., GCash account registration details in the Player's name, bank account documentation).

3.3 Financial Transaction Data

openph collects records of all financial transactions associated with your Account, including:

• Deposit amounts, dates, methods, and reference numbers;
• Withdrawal requests, amounts, payment methods, and processing records;
• Bonus credits, wagering activity, and cashback calculations;
• Wallet balance history and account statement records.

openph does not store full payment card numbers. Card payment processing is handled by certified third-party payment processors who are independently PCI-DSS compliant. GCash and Maya transaction data is processed through their respective APIs under the terms of openph's agreements with those payment providers.

3.4 Gaming Activity Data

• Game session logs, bet histories, outcomes, and session durations;
• Game preferences, favourite titles, and lobby navigation patterns;
• Sports betting selections, wager amounts, and settlement records;
• Live casino session recordings (where game sessions are recorded as part of the game provider's standard operation).

3.5 Technical and Device Data

• IP address and geolocation data at the time of login and session activity;
• Device type, operating system, browser type and version;
• Device identifiers (where permitted by device settings);
• Session timestamps, login history, and access logs;
• Cookie and tracking data as described in Section 7.

3.6 Communications Data

• Customer support chat transcripts and email correspondence;
• Feedback, survey responses, and complaint records;
• Records of marketing communication preferences and opt-out actions.

4 How We Collect Personal Data

openph collects personal data through the following channels:

• Directly from you: When you register an Account, complete KYC verification, make deposits or withdrawals, contact customer support, respond to surveys, or participate in promotions;
• Automatically: Through cookies, server logs, and similar technologies when you access and interact with the openph Platform (see Section 7);
• From third-party payment providers: Transaction confirmation data from GCash, Maya, BPI, BDO, and other payment processors integrated with the Platform;
• From identity verification services: Results from third-party KYC verification platforms used to authenticate identity documents and perform liveness checks;
• From regulatory databases: openph may check player details against PAGCOR's self-exclusion register and other legally required screening databases.

5 Legal Basis & Purposes of Processing

openph processes your personal data on the following legal bases under the Data Privacy Act of 2012 (RA 10173):

6 Sharing Your Personal Data

openph does not sell, rent, or trade your personal data. We share your data only in the following circumstances:

6.1 Service Providers and Data Processors

openph engages carefully selected third-party service providers who process data on our behalf under contractual data processing agreements consistent with the Data Privacy Act. These include:

• Payment processors: GCash (GXI), Maya (Voyager Innovations), BPI, BDO, and other payment infrastructure providers required to process your deposits and withdrawals;
• KYC / Identity verification providers: Third-party services used to verify government IDs and conduct liveness detection;
• Game content providers: Game software suppliers whose titles are accessible through the openph Platform; these providers receive session data necessary to operate and validate game outcomes;
• Cloud infrastructure and hosting providers: Providers of the server infrastructure on which the openph Platform operates, subject to appropriate data security agreements;
• Customer support platforms: Live chat and email ticketing systems used to manage and resolve player support requests.

6.2 Regulatory and Legal Disclosure

openph is required by Philippine law to disclose personal data to:

• PAGCOR — for licensing compliance, audit, and regulatory reporting purposes;
• Anti-Money Laundering Council (AMLC) — for suspicious transaction reports and covered transaction reports required under Republic Act 9160;
• Bureau of Internal Revenue (BIR) — for applicable gaming tax reporting obligations;
• Philippine law enforcement agencies — pursuant to a valid court order, subpoena, or lawful request under Philippine procedural law;
• National Privacy Commission — in connection with data breach notifications or regulatory inquiries.

6.3 Business Transfers

In the event of a merger, acquisition, restructuring, or sale of all or part of openph's business, your personal data may be transferred to the acquiring entity as part of that transaction. openph will notify affected Players of any such transfer via email to the registered email address, and will ensure that any successor entity is bound by privacy obligations consistent with this Policy.

7 Cookies & Tracking Technologies

7.1 What Are Cookies

Cookies are small text files placed on your device by the openph Platform when you visit. They allow the Platform to recognize your device, remember your preferences, maintain your login session, and collect analytical data about Platform usage. openph uses both session cookies (deleted when you close your browser) and persistent cookies (retained for a specified period).

7.2 Types of Cookies Used

• Essential / Strictly Necessary Cookies: Required for the basic functioning of the Platform — maintaining your login session, processing transactions, and ensuring security. These cannot be disabled without rendering the Platform unusable.
• Functional Cookies: Remember your preferences (language, display settings, game history) to improve your experience across sessions.
• Analytical Cookies: Collect aggregated, anonymized data about how Players navigate and use the Platform, helping openph identify and improve problem areas. These do not identify individual Players.
• Security Cookies: Used to detect and prevent fraudulent activity, bot access, and unauthorized login attempts.

7.3 Managing Cookies

You may configure your browser to reject or delete cookies. Note that disabling essential cookies will significantly impair the functionality of the openph Platform — including the ability to remain logged in and process transactions. Browser-level cookie management settings vary by browser and device — consult your browser's help documentation for specific instructions.

8 Data Security

openph implements a comprehensive set of technical and organizational security measures to protect your personal data against unauthorized access, loss, destruction, alteration, or disclosure:

• 256-bit SSL/TLS encryption for all data transmitted between your device and the openph Platform;
• Encryption of sensitive data at rest, including password hashing using industry-standard algorithms;
• Role-based access controls limiting employee access to personal data on a strict need-to-know basis;
• Multi-factor authentication required for all openph staff with access to production systems;
• Regular third-party security penetration testing and vulnerability assessments;
• Intrusion detection and real-time monitoring systems for all production infrastructure;
• Segregated storage of player funds in accounts separate from operational funds;
• Regular security training for all openph employees with access to personal data.

9 Data Retention

openph retains personal data for as long as necessary to fulfill the purposes for which it was collected, and to comply with mandatory legal retention periods under Philippine law. The following retention periods apply:

Upon expiry of the applicable retention period, openph will securely delete or anonymize personal data in a manner consistent with applicable security standards and regulatory guidance.

10 Cross-Border Data Transfers

openph's primary data processing operations are conducted within the Philippines. However, certain service providers — including cloud hosting infrastructure, game software providers, and identity verification services — may process data in data centers located outside the Philippines.

Where personal data is transferred outside the Philippines, openph ensures that such transfers are conducted in compliance with Section 21 of the Data Privacy Act of 2012 and applicable NPC guidelines, including through one or more of the following safeguards:

• Contractual data processing agreements incorporating standard contractual clauses approved by the NPC or equivalent international standard;
• Transfers to jurisdictions recognized by the NPC as providing an adequate level of data protection;
• Binding corporate rules applicable to corporate group transfers, where relevant.

Information about the specific safeguards applicable to any cross-border transfer of your personal data may be requested from the openph Data Protection Officer.

11 Children's Privacy & Minors

The openph Platform is strictly intended for persons who are at least twenty-one (21) years of age. openph does not knowingly collect, process, or retain personal data from persons under the age of twenty-one (21).

If openph discovers or is notified that personal data of a person under the age of twenty-one has been collected — whether as a result of misrepresentation during registration or any other means — openph will:

• Immediately suspend the associated Account;
• Permanently close the Account;
• Delete the personal data of the minor subject to any mandatory legal reporting obligations;
• Refer the matter to PAGCOR and, where applicable, relevant child protection authorities, as required by Philippine law.

12 Marketing Communications

openph sends marketing communications — including promotional offers, bonus notifications, and new game announcements — only to Players who have provided explicit consent to receive such communications during registration or through their Account Settings.

Marketing communications from openph may be delivered via:

• Email to your registered email address;
• SMS to your registered Philippine mobile number;
• Push notifications through the Platform (where you have enabled browser notifications);
• In-Platform notifications within the openph lobby.

You may withdraw consent for marketing communications at any time by:

• Clicking the "Unsubscribe" link in any openph marketing email;
• Updating your communication preferences in Account Settings → Notifications;
• Contacting openph support at [email protected] with the subject line "Unsubscribe."

Withdrawal of consent for marketing communications does not affect your receipt of transactional communications — such as deposit confirmations, withdrawal notifications, account security alerts, or mandatory regulatory communications — which are sent on the basis of contract performance and legal obligation rather than consent.

13 Third-Party Services & Game Providers

The openph Platform integrates third-party game content from licensed game providers. When you launch and play a game from a third-party provider through the openph Platform, that provider's software processes certain gameplay data — including bet amounts, game outcomes, and session duration — as part of normal game operation. This data is shared between openph and the game provider under contractual terms that include data protection obligations.

Similarly, payment providers (GCash, Maya, BPI, BDO, etc.) operate under their own privacy policies in connection with transactions processed through their systems. openph's Privacy Policy governs only the data that openph itself collects and processes — the privacy practices of payment providers and game suppliers in respect of their own systems are governed by their respective privacy policies, which are available from those providers directly.

14 Data Breach Procedures

In the event of a personal data breach — meaning a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data — openph will:

• Contain and assess the breach within twenty-four (24) hours of discovery;
• Notify the National Privacy Commission (NPC) within seventy-two (72) hours of becoming aware of the breach, where required under NPC Circular 16-03 or applicable successor regulations;
• Notify affected Players without undue delay where the breach is likely to result in a high risk to their rights and freedoms — including financial loss, identity theft, or loss of confidentiality;
• Document the breach in openph's internal data breach register;
• Implement remediation measures to prevent recurrence.

Breach notifications to Players will be sent to the registered email address associated with the affected Account. Notifications will describe the nature of the breach, the categories of data affected, the likely consequences, and the measures openph is taking to address the breach.

15 Exercising Your Data Rights

To exercise any of the data rights described in this Privacy Policy and under the Data Privacy Act of 2012, please submit a written request to the openph Data Protection Officer at [email protected] with the subject line "Data Privacy Request — [Right Being Exercised]."

Your request should include:

• Your full name as registered on your openph Account;
• Your registered email address;
• The specific right you wish to exercise (e.g., Access, Rectification, Erasure, Objection, Portability);
• A clear description of the data concerned and the reason for your request;
• A copy of a valid Philippine government-issued ID (for identity verification purposes, to ensure we are responding to the correct data subject).

openph will acknowledge receipt of your request within three (3) business days and will respond substantively within ten (10) business days of receipt of a complete, verified request. In complex cases, this period may be extended by a further ten (10) business days, with notice to you of the extension and the reasons for it.

16 Changes to This Privacy Policy

openph reserves the right to update or amend this Privacy Policy at any time to reflect changes in our data processing practices, applicable law, NPC guidance, or PAGCOR regulatory requirements. Material changes to this Privacy Policy will be communicated to registered Players via email to the registered email address no less than fourteen (14) days before the amended Policy takes effect.

The effective date at the top of this Privacy Policy reflects the date of the most recent revision. The version history of this Privacy Policy is maintained by the openph Data Protection Officer and is available upon written request.

Continued use of the openph Platform following the effective date of any amendment constitutes acceptance of the revised Privacy Policy.

17 Contact & Data Protection Officer

All data privacy queries, requests, and complaints should be directed to the openph Data Protection Officer:

For general Account and Platform support inquiries unrelated to data privacy, please use the Live Chat function accessible through the openph Platform after login, or email [email protected] with your Account-related query. Live Chat is available 24 hours per day, 7 days per week.