About This Policy
This Privacy Policy ("Policy") sets out how phyata collects, uses, stores, shares, and protects the personal information of individuals who register for and use the phyata online gaming platform at phyata.vip ("Platform"). It applies to all Players, prospective registrants, and visitors to the Platform.
phyata is committed to upholding the data privacy rights of all Filipino users in accordance with Republic Act No. 10173 — the Data Privacy Act of 2012 and its Implementing Rules and Regulations ("IRR"), as enforced by the National Privacy Commission ("NPC") of the Philippines. phyata also complies with all applicable PAGCOR data handling requirements as a condition of its operating license.
By registering an account on phyata or continuing to use the Platform after the effective date of this Policy, you acknowledge that you have read this Policy and consent to the collection, use, and processing of your personal data as described herein. If you do not accept this Policy, you must cease using the Platform immediately.
This Policy applies to the phyata website and mobile web platform accessible at phyata.vip. It does not apply to third-party websites or services linked from the Platform — if you follow a link to any other site, that site's own privacy policy will govern how your data is handled there.
Data Controller
For the purposes of the Data Privacy Act of 2012 and its IRR, phyata is the Personal Information Controller in respect of the personal data it collects and processes in connection with the Platform and its gaming services.
phyata is responsible for establishing the purposes for which your personal data is collected, the means by which it is processed, and the safeguards applied to its storage and use. phyata has appointed a Data Protection Officer ("DPO") responsible for overseeing compliance with this Policy and applicable data protection laws. The DPO can be contacted via the email address provided in Section 17 of this Policy.
Data We Collect
phyata collects personal data across three broad categories: data you provide directly, data generated by your use of the Platform, and data collected through technical means.
| Data Category | Examples | Purpose |
|---|---|---|
| Identity Data | Full legal name, date of birth, nationality | Account registration, KYC age and identity verification (PAGCOR requirement) |
| Contact Data | Philippine mobile number, email address, residential address | Account communication, OTP delivery, withdrawal correspondence |
| Identity Documents | Philippine government-issued ID images (PhilSys, UMID, Passport, Driver's License, etc.) | KYC verification as required by PAGCOR regulations |
| Financial Data | GCash account number, Maya account, bank account details (for withdrawals) | Processing deposits and withdrawals; anti-money laundering compliance |
| Account Credentials | Username, hashed password, security questions | Account authentication and security |
| Support Data | Content of live chat conversations, support emails, complaint submissions | Resolution of support queries, quality assurance, dispute evidence |

| Data Category | Examples |
|---|---|
| Transaction Data | Deposit and withdrawal records, transaction reference numbers, amounts, timestamps |
| Gaming Data | Game history, round results, bet amounts, session duration, bonus usage records |
| Responsible Gaming Data | Deposit limits set, cooling-off periods, self-exclusion requests |
| Compliance Data | KYC verification status and timestamps, AML screening results, risk scoring |
When you access the Platform, phyata's systems automatically collect certain technical information, including: IP address, device type and operating system, browser type and version, screen resolution, referring URL, pages visited and time spent, and cookie identifiers. This data is used for security monitoring, fraud detection, and improving platform performance.
How We Collect Data
phyata collects your personal data through the following means:
- Directly from you — when you complete the registration form, submit KYC documents, contact support, or update your account profile
- Automatically — through cookies, server logs, and analytics tools when you browse or use the Platform
- From payment processors — transaction confirmation data received from GCash, Maya, BPI, BDO, and other payment service providers when you initiate a deposit or withdrawal
- From third-party identity verification services — where phyata uses specialist KYC technology to verify document authenticity during the identity verification process
- From fraud prevention partners — risk indicators and device fingerprinting data used to detect fraudulent account activity
Legal Basis for Processing
Under the Data Privacy Act of 2012 and its IRR, phyata processes your personal data on the following legal bases:
- Contractual Necessity: Processing required to perform the contract between you and phyata — specifically, to operate your account, process deposits and withdrawals, and provide access to gaming services.
- Legal Obligation: Processing required to comply with PAGCOR regulatory requirements, KYC and AML obligations, tax reporting obligations, and court or government orders.
- Consent: Where you have given specific, informed, and freely-given consent — for example, for marketing communications. Consent may be withdrawn at any time without affecting the lawfulness of processing prior to withdrawal.
- Legitimate Interests: Processing for purposes that phyata has a legitimate business interest in pursuing, including fraud prevention, platform security, responsible gaming monitoring, and service improvement — provided these interests are not overridden by your data protection rights.
The collection of government-issued identification documents during KYC constitutes the processing of sensitive personal information under RA 10173. phyata processes this data solely to satisfy its PAGCOR licensing obligations and does not use identity document data for any other purpose without your explicit consent.
How We Use Your Data
phyata uses your personal data for the following purposes, consistent with the legal bases identified in Section 5:
- Creating, maintaining, and administering your phyata account
- Verifying your identity and age as required by PAGCOR regulations
- Processing deposits and withdrawals via GCash, Maya, bank transfer, and other Philippine payment methods
- Delivering gaming services including slots, bingo, fishing games, and all other platform content
- Communicating with you about your account, transactions, bonuses, and support queries
- Detecting and preventing fraud, money laundering, bonus abuse, and other prohibited conduct
- Monitoring and enforcing compliance with phyata's Terms and Conditions and applicable laws
- Operating phyata's responsible gaming programme, including enforcing deposit limits and self-exclusion requests
- Sending promotional communications where you have opted in to receive them
- Improving phyata's platform, game selection, and user experience through aggregated data analysis
- Meeting record-keeping obligations required by PAGCOR and Philippine law
phyata does not use your personal data for automated decision-making that produces legal or similarly significant effects on you without providing an opportunity for human review.
Data Sharing & Disclosure
phyata does not sell, rent, or trade your personal information. phyata shares your data only in the following circumstances and only to the extent necessary for the stated purpose:
phyata shares data with carefully selected third-party service providers who process data on phyata's behalf and under phyata's instructions. These include:
- Payment processors — GCash, Maya, GrabPay, QR Ph processing partners, and Philippine bank transfer service providers, for the purpose of processing your financial transactions
- KYC verification providers — identity and document verification technology partners used to support phyata's age and identity verification process
- Fraud and AML screening services — specialist providers used to screen transactions and account activity for fraud indicators and sanctions list compliance
- Game providers — licensed game studios and content providers whose games are hosted on phyata, who receive the minimum game-session data required to operate their titles
- Platform hosting and infrastructure providers — cloud and data centre service providers used to host the Platform and its databases
- Customer support technology — live chat and help desk platform providers used to deliver phyata's 24/7 support service
All third-party processors are bound by data processing agreements that require them to process your data only on phyata's documented instructions and to maintain appropriate security standards.
phyata is legally required to disclose player data to:
- PAGCOR, as the licensing and regulatory authority, when required by its regulations or pursuant to a regulatory inquiry or audit
- The National Privacy Commission, in response to lawful orders, investigations, or complaints
- Philippine law enforcement agencies, courts, or government bodies when required by a valid court order, subpoena, or applicable law
- The Anti-Money Laundering Council (AMLC), where phyata is subject to reporting obligations under the Anti-Money Laundering Act and its amendments
phyata categorically does not sell, license, or commercially transfer your personal data to any third party for their own marketing, profiling, or commercial purposes. This prohibition applies regardless of the consideration offered and is a permanent policy commitment, not a revocable operational decision.
Cookies & Tracking Technologies
phyata uses cookies and similar tracking technologies on the Platform. A cookie is a small text file placed on your device when you visit the Platform. Cookies do not carry viruses or install malware; they allow the Platform to recognize your browser and improve your experience.
phyata uses the following categories of cookies:
- Strictly Necessary Cookies: Required for the Platform to function — including session management, authentication, and security. These cannot be disabled without preventing core Platform features from working.
- Functional Cookies: Remember your preferences, such as your language settings or whether you have selected "Remember Me" on the login page.
- Analytics Cookies: Collect aggregated, anonymized data about how players use the Platform — which pages are most visited, how long sessions last, and where errors occur. This data helps phyata improve the Platform.
- Security Cookies: Used in conjunction with phyata's fraud detection systems to identify unusual access patterns and protect your account from unauthorized login attempts.
You can control most cookies through your browser settings. Note that disabling certain cookies may affect the functionality of the Platform. Strictly necessary cookies cannot be disabled while using the Platform.
Data Retention
phyata retains your personal data for no longer than is necessary to fulfil the purpose for which it was collected, subject to applicable legal retention obligations. The following table sets out phyata's standard retention periods:
| Data Category | Retention Period | Basis |
|---|---|---|
| Account registration data | Duration of account + 5 years after closure | PAGCOR regulatory requirement |
| KYC identity documents | Duration of account + 5 years after closure | PAGCOR and AMLC regulatory requirement |
| Transaction records | Duration of account + 5 years after closure | AMLC and BIR record-keeping obligations |
| Game history records | Duration of account + 2 years after closure | Dispute resolution capability; PAGCOR audit requirements |
| Support communications | 3 years from last interaction | Quality assurance; dispute evidence retention |
| Marketing consent records | Duration of consent + 3 years | Consent compliance evidence under RA 10173 |
| Technical logs and IP records | 90 days from generation | Security monitoring and fraud detection |
After the applicable retention period expires, phyata will securely delete or irreversibly anonymize your personal data. Anonymized data, which can no longer be linked to any individual, may be retained indefinitely for statistical and business analytics purposes.
Data Security
phyata implements technical and organizational security measures commensurate with the sensitivity of the personal data it processes. These measures include, but are not limited to:
- 256-bit SSL/TLS encryption for all data in transit between your device and phyata's servers
- Encryption at rest for sensitive data categories including KYC documents and financial account details
- Access controls — role-based system access ensuring that employees can only access data necessary for their specific job function
- Two-Factor Authentication (2FA) — available to all Players as an additional account security layer; required for all phyata internal staff with access to player data
- Regular security audits and penetration testing of the Platform's infrastructure and application code
- Fraud detection systems that monitor real-time account activity for indicators of unauthorized access
- Physical security controls at data processing facilities used by phyata and its infrastructure partners
While phyata implements robust security measures, data security is a shared responsibility. You play a critical role by keeping your account credentials confidential, enabling 2FA, using strong and unique passwords, and logging out of your account when using shared devices. phyata will never ask you to share your password or OTP through any communication channel.
Your Rights as a Data Subject
Under the Data Privacy Act of 2012 (RA 10173), you have the following rights as a data subject. phyata is committed to facilitating the exercise of all of these rights:
- Request a copy of the personal data phyata holds about you, how it is used, and who it has been shared with.
- Request correction of inaccurate or incomplete personal data. Most contact details can be updated directly from your account dashboard.
- Request deletion of your personal data. Note this right is subject to retention obligations required by PAGCOR and Philippine law.
- Object to processing based on legitimate interests or for direct marketing purposes. Objecting to marketing will result in immediate opt-out.
- Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
- Request that phyata restricts processing of your data in certain circumstances, such as while accuracy is disputed.
To exercise any of these rights, contact phyata's Data Protection Officer via [email protected]. phyata will respond to all data subject requests within 10 business days of receipt of a verifiable request. Some requests may require identity verification before they can be processed.
Withdrawal of Consent: Where phyata processes your data on the basis of consent — such as for marketing communications — you may withdraw that consent at any time without any negative consequences to your account access or gaming experience. Withdrawal of consent does not affect the lawfulness of any processing carried out before the withdrawal.
Children's Privacy
The phyata Platform is strictly restricted to individuals aged 21 years and older in accordance with Philippine law governing participation in gaming and gambling activities. phyata does not knowingly collect personal data from any individual under 21 years of age.
If phyata discovers that it has inadvertently collected personal data from a person under 21, it will immediately close the relevant account, delete the personal data (subject to any mandatory retention obligations under PAGCOR regulations), and report the matter to PAGCOR if required. Guardians or parents who believe a minor may have registered on phyata should contact [email protected] immediately.
International Data Transfers
Certain phyata service providers — including game studios, infrastructure partners, and specialist technology vendors — may be located outside the Philippines. Where phyata transfers your personal data to a recipient in another country, it takes steps to ensure that appropriate safeguards are in place to protect your data at the same standard as required under RA 10173.
These safeguards may include data processing agreements that incorporate standard contractual clauses, contractual obligations on the recipient to maintain appropriate technical and organizational security measures, and verification that the recipient country or specific processor maintains an adequate data protection standard.
phyata will not transfer personal data internationally where it cannot establish that adequate protections are in place.
Data Breach Notification
In the event of a personal data breach that is likely to result in a real risk of harm to affected data subjects, phyata will comply with its notification obligations under RA 10173 and the NPC's breach notification regulations, including:
- Notifying the National Privacy Commission within 72 hours of becoming aware of a notifiable breach
- Notifying affected data subjects in a manner and within a timeframe consistent with NPC requirements
- Providing affected subjects with information on the nature of the breach, the data affected, phyata's response measures, and guidance on steps they can take to protect themselves
phyata maintains a documented incident response plan and conducts regular review exercises to ensure its breach response capabilities remain current.
Complaints
If you have a concern about how phyata has handled your personal data, you should first contact phyata's Data Protection Officer at [email protected], providing a clear description of your concern and any relevant reference numbers or dates. phyata will acknowledge your complaint within 5 business days and provide a substantive response within 20 business days.
If you are not satisfied with phyata's response, or if you prefer to contact the regulator directly, you have the right to lodge a complaint with the National Privacy Commission (NPC) of the Philippines. The NPC is the regulatory body responsible for enforcing RA 10173 and protecting the data privacy rights of Filipino citizens.
The NPC's contact details and complaint procedures are available through the National Privacy Commission's official channels. phyata will cooperate fully with any NPC inquiry or investigation arising from a complaint about its data processing practices.
Policy Updates
phyata reserves the right to update this Privacy Policy at any time to reflect changes in its data processing practices, applicable laws, or PAGCOR requirements. Material changes to the Policy — including changes to the categories of data collected, new third-party sharing arrangements, or changes to your rights — will be communicated to registered Players by email or in-platform notification at least 7 calendar days before taking effect.
Non-material changes — such as clarifications, corrections of typographical errors, or updates to contact information — may be made immediately. The "Last Updated" date at the top of this Policy will always reflect the date of the most recent change, whether material or non-material.
Your continued use of the Platform after the effective date of any updated Policy constitutes your acceptance of the revised terms.
Contact Us
For all privacy-related queries, data subject access requests, consent withdrawal, or complaints, contact phyata's Data Protection Officer using the details below. Correspondence should clearly identify the nature of your request and your registered account email or mobile number to allow phyata to locate your records promptly.
Data Protection Officer, phyata
Email: [email protected]
Subject line: "Privacy Request — [Your Full Name]"
Response time: Within 10 business days of receipt of a verifiable request.
Alternatively, raise your query via phyata's 24/7 live chat — available from within your logged-in account — for initial guidance on how to submit a formal privacy request.