28ph Privacy Policy

This Privacy Policy ("Policy") is issued by 28ph ("28ph", "we", "us", "our") and governs the collection, use, storage, disclosure, and protection of personal data obtained through the 28ph online casino platform, including the website at 28ph.one, all associated mobile interfaces, and any related services (collectively, the "Platform").

28ph is committed to upholding the data privacy rights of all persons who interact with the Platform, including registered members, visitors, and prospective players. This Policy is drafted in compliance with the Data Privacy Act of 2012 (Republic Act No. 10173), its Implementing Rules and Regulations, and the relevant issuances of the National Privacy Commission (NPC) of the Republic of the Philippines.

This Policy applies to all personal data processed by 28ph, whether submitted directly by the data subject, collected automatically through Platform usage, or obtained from third-party sources in the course of providing services. By accessing or using the Platform, you acknowledge and consent to the data practices described in this Policy.

28ph collects the following categories of personal data in the course of operating the Platform and providing services to Filipino players:

28ph does not collect sensitive personal information as defined by the Data Privacy Act (e.g., racial or ethnic origin, political opinions, religious beliefs, health data) except where such information is incidentally contained in identity documents submitted for verification purposes, in which case it is not extracted, stored separately, or processed beyond the document review.

28ph collects personal data through the following channels:

• Direct submission: Information you provide when registering an account, completing identity verification, making a deposit or withdrawal, contacting support, or participating in promotions.
• Automated collection: Technical and usage data collected automatically as you interact with the Platform, including through server logs, session tracking, and embedded analytics tools.
• Cookies and similar technologies: Browser cookies, pixel tags, and local storage mechanisms that record your preferences and browsing behaviour on the Platform (see Section 9).
• Payment processors: Transaction confirmation data shared by GCash, PayMaya, BPI, BDO, Metrobank, or InstaPay when you initiate a deposit or withdrawal through the Platform.
• Identity verification providers: Data returned by third-party Know Your Customer (KYC) and anti-money laundering (AML) service providers engaged by 28ph to validate identity documents and screen against regulatory watchlists.
• Publicly available sources: Publicly accessible government databases and registers consulted for compliance purposes, such as PAGCOR exclusion registers.

28ph processes personal data only for the purposes listed below. We do not process personal data for any purpose that is incompatible with the purpose for which it was originally collected.

• Account creation and management: To register your 28ph account, authenticate your identity, maintain account records, and enable account security features including two-factor authentication.
• Service delivery: To operate the Platform, process bets and wagers, credit winnings, and provide access to all games and features available to registered 28ph members.
• Payment processing: To process deposits and withdrawals via GCash, PayMaya, and Philippine bank channels, and to maintain accurate financial records of all account transactions.
• Identity verification and KYC: To verify your age (21+), identity, and source of funds in compliance with PAGCOR-standard requirements and the Anti-Money Laundering Act.
• Fraud prevention and security: To detect, investigate, and prevent fraudulent transactions, multiple account abuse, bonus exploitation, money laundering, and unauthorised account access.
• Responsible gaming monitoring: To identify usage patterns consistent with problem gambling and to facilitate the effective operation of deposit limits, session limits, and self-exclusion tools.
• Customer support: To respond to your support queries, complaints, and account-related requests, and to maintain records of those interactions for quality assurance.
• Regulatory compliance: To fulfil our obligations under applicable Philippine law, including reporting requirements under the Anti-Money Laundering Act and compliance with PAGCOR directives.
• Marketing communications: To send promotional offers, bonus notifications, and platform updates to members who have not opted out of marketing communications (see Section 10 for opt-out rights).
• Platform improvement: To analyse aggregated and anonymised usage data for the purpose of improving platform performance, game offerings, and user experience.

Under the Data Privacy Act of 2012, 28ph processes personal data on the following legal bases:

• Contractual necessity: Processing required to perform the contract between you and 28ph, including account management, game operation, and payment processing.
• Legal obligation: Processing required to comply with applicable Philippine law, including KYC, AML, and regulatory reporting obligations.
• Legitimate interests: Processing carried out for fraud prevention, security monitoring, responsible gaming oversight, and platform improvement, where those interests are not overridden by your privacy rights.
• Consent: Processing for marketing communications and non-essential cookies, for which your consent is obtained at the point of collection and may be withdrawn at any time.

28ph does not sell, rent, or trade your personal data to third parties for their own commercial purposes. We share personal data only in the following circumstances and only to the extent strictly necessary:

• Payment service providers: GCash (Mynt), PayMaya (Voyager Innovations), BPI, BDO, Metrobank, and InstaPay — solely to process your deposits and withdrawals.
• Identity verification providers: Third-party KYC and AML screening services engaged by 28ph to verify identity documents and conduct regulatory watchlist checks.
• Cloud and infrastructure providers: Hosting, storage, and security technology providers whose services underpin the operation of the Platform, operating under strict data processing agreements.
• Analytics providers: Providers of anonymised, aggregated platform analytics used for performance monitoring and product improvement. No individually identifiable data is shared for this purpose.
• Regulatory and law enforcement authorities: The Philippine National Privacy Commission, PAGCOR, the Anti-Money Laundering Council (AMLC), or other competent Philippine authorities, where required by law or a valid regulatory directive.
• Professional advisers: Legal counsel, auditors, and compliance consultants engaged by 28ph under confidentiality obligations for the purpose of obtaining professional advice.

All third parties who receive personal data from 28ph are required to process that data only for the specified purpose, under confidentiality obligations, and in compliance with applicable Philippine data protection law.

28ph retains personal data for no longer than is necessary to fulfil the purposes for which it was collected, subject to the following minimum retention periods imposed by applicable law:

• Account and identity records: Retained for a minimum of five (5) years following account closure, as required by anti-money laundering regulations and PAGCOR compliance obligations.
• Financial transaction records: Retained for a minimum of five (5) years from the date of the transaction, in compliance with the Anti-Money Laundering Act.
• Support and communications records: Retained for two (2) years following the resolution of the relevant interaction, for quality assurance and dispute resolution purposes.
• Technical and usage logs: Retained for a maximum of twelve (12) months, after which they are anonymised or securely deleted.
• Self-exclusion records: Retained for the full duration of the exclusion period and for five (5) years thereafter, to prevent re-registration in violation of a self-exclusion order.

Upon expiry of the applicable retention period, personal data is securely deleted or anonymised in a manner that prevents re-identification.

28ph implements technical, organisational, and administrative safeguards designed to protect your personal data against unauthorised access, accidental loss, destruction, alteration, or disclosure. Our primary security measures include:

• 256-bit SSL/TLS encryption applied to all data transmitted between your device and the 28ph Platform;
• Encryption at rest for all personally identifiable data and financial records stored in 28ph's infrastructure;
• Access controls restricting personal data access to authorised personnel with a documented operational need, enforced through role-based permissions and multi-factor authentication for internal systems;
• Intrusion detection and monitoring systems that continuously scan for anomalous access patterns consistent with unauthorised intrusion or data exfiltration;
• Regular security assessments including penetration testing and vulnerability scanning conducted by independent security professionals;
• Incident response procedures enabling 28ph to detect, contain, and report data breaches to the National Privacy Commission within 72 hours of discovery, where the breach poses a real risk of serious harm to data subjects.

28ph uses cookies and similar tracking technologies to operate the Platform effectively, remember your session state, and improve your experience. The following types of cookies are used:

• Strictly necessary cookies: Essential for core Platform functionality including maintaining your logged-in session, processing transactions, and enforcing security controls. These cookies cannot be disabled without rendering the Platform non-functional.
• Functional cookies: Used to remember your preferences (e.g., language, display settings) and personalise your experience. These are enabled by default but may be disabled through your browser settings without impairing core Platform functionality.
• Analytics cookies: Anonymised cookies used to measure page-level traffic patterns and Platform usage for internal improvement purposes. These cookies do not track individual behaviour across third-party websites.
• Marketing cookies: Used with your consent to deliver relevant promotional messaging within the Platform. You may withdraw consent for marketing cookies at any time.

You may control cookie settings through your browser's privacy controls. Disabling strictly necessary cookies will prevent the Platform from functioning correctly. Disabling other cookies will not prevent Platform access but may reduce the quality of your experience.

As a data subject under the Data Privacy Act of 2012, you hold the following rights with respect to your personal data processed by 28ph. These rights may be exercised by contacting us at [email protected]:

• Right to be informed: The right to be notified of the fact that your personal data is being or will be processed, including the purposes and legal bases for processing, as set out in this Policy.
• Right to access: The right to obtain a copy of your personal data held by 28ph, together with information about how it is being processed and the recipients to whom it has been disclosed.
• Right to correction: The right to request the correction of inaccurate, incomplete, or outdated personal data held on your 28ph account.
• Right to erasure or blocking: The right to request the deletion or blocking of personal data where processing is no longer necessary for the purpose for which it was collected, subject to applicable legal retention requirements.
• Right to data portability: The right to receive a copy of your personal data in a structured, commonly used, and machine-readable format, where technically feasible.
• Right to object: The right to object to the processing of your personal data for direct marketing purposes or on the basis of legitimate interests, where your privacy rights override those interests in the specific circumstances.
• Right to damages: The right to claim compensation from 28ph for any damages you have suffered as a direct result of a violation of the Data Privacy Act attributable to 28ph's actions or omissions.
• Right to file a complaint: The right to lodge a complaint with the National Privacy Commission (NPC) of the Philippines if you believe your data privacy rights have been violated.

28ph will respond to all verified data subject rights requests within thirty (30) days of receipt. We may require identity verification before fulfilling access or correction requests to prevent unauthorised disclosure.

The 28ph Platform is strictly restricted to persons 21 years of age or older, in accordance with Philippine gaming law and PAGCOR-standard age requirements. 28ph does not knowingly collect personal data from anyone under the age of 21.

If 28ph discovers that personal data has been collected from a person under the age of 21, that data will be immediately deleted, the associated account will be permanently closed, and any funds deposited will be returned through the original payment method following applicable compliance review. Any winnings accumulated during the period of underage use are subject to forfeiture.

As an online platform serving Filipino players, some of the technology infrastructure and service providers engaged by 28ph may process personal data in jurisdictions outside the Philippines. Where cross-border transfers of personal data occur, 28ph ensures that appropriate safeguards are in place, including:

• Data processing agreements with all offshore service providers that impose data protection obligations equivalent to those required under the Data Privacy Act of 2012;
• Transfer only to jurisdictions that offer an adequate level of data protection as determined by the National Privacy Commission, or to providers who have implemented approved contractual safeguards;
• Restriction of transferred data to the minimum necessary for the specific processing purpose.

For information about specific cross-border transfers affecting your data, including the countries involved and the safeguards in place, you may submit a written request to [email protected].

28ph reserves the right to update or amend this Privacy Policy at any time to reflect changes in our data processing practices, applicable law, or NPC guidance. Where amendments are material — meaning they substantially affect your privacy rights or our data processing obligations — 28ph will provide prior notice via your registered mobile number or email address at least seven (7) days before the changes take effect.

The current version of this Policy is always accessible at 28ph.one/privacy-policy and is identified by the "Last Updated" date at the top of this document. Your continued use of the Platform following the effective date of any amendment constitutes your acknowledgment of the updated Policy.

For all data privacy inquiries, data subject rights requests, or complaints regarding 28ph's handling of your personal data, please contact our Data Protection Officer (DPO) through the following channel:

If you are not satisfied with 28ph's response to your data privacy concern, you have the right to escalate your complaint to the National Privacy Commission (NPC) of the Philippines, which is the competent supervisory authority for data protection matters in the Philippines. Information on filing an NPC complaint is available through the NPC's official government channels.