phpopen Privacy Policy

phpopen ("we," "us," or "our") is the operator of the online gaming platform accessible at phpopen.app, offering casino games, sports betting, bingo, Tongits Go, and related services to registered players in the Philippines. phpopen is the Data Controller for the personal information processed pursuant to this Privacy Policy.

As a Data Controller, phpopen determines the purposes and means of processing your personal data. phpopen has appointed a Data Protection Officer (DPO) who is responsible for overseeing compliance with the Data Privacy Act of 2012 (RA 10173) and the implementing rules and regulations issued by the National Privacy Commission (NPC) of the Philippines. Contact details for the DPO are provided in Section 14 of this Policy.

phpopen collects the following categories of personal data:

phpopen does not intentionally collect sensitive personal information (as defined under RA 10173) such as racial or ethnic origin, political opinions, religious beliefs, or health data, except where specifically required by law (for example, disability information provided voluntarily in connection with a responsible gaming request).

phpopen collects personal data through the following methods:

• Direct submission: Information you provide when creating an account, completing KYC verification, making deposits or withdrawals, setting account preferences, or contacting customer support.
• Automated collection: Technical and behavioral data collected automatically when you visit and use the phpopen platform, including through cookies, web beacons, and server-side logging. See Section 7 for full details on cookies.
• Third-party payment providers: Transaction confirmation data received from GCash, PayMaya, BPI, BDO, Metrobank, Visa/Mastercard networks, and cryptocurrency processing services when you conduct financial transactions on phpopen.
• KYC and identity verification services: phpopen may use third-party identity verification partners to validate the documents you submit during KYC. These partners process your document images under strict data processing agreements.
• Fraud prevention and AML screening services: phpopen may receive risk signals or watchlist matching results from compliance screening providers to meet Anti-Money Laundering Act (RA 9160, as amended) obligations.

phpopen uses your personal data for the following purposes:

1. Account creation and management: To register your phpopen account, verify your identity, maintain accurate account records, and enable you to log in and access platform features.
2. Service delivery: To provide access to casino games, sports betting markets, bingo, Tongits Go, and all other phpopen services available to registered players.
3. Payment processing: To process your deposits and withdrawal requests through supported Philippine payment channels including GCash and PayMaya, and to maintain complete financial records as required by law.
4. KYC and regulatory compliance: To verify your age (21+ requirement under PAGCOR regulations), confirm your identity prior to releasing withdrawal funds, and maintain records required under RA 10173, RA 9160 (AMLA), and applicable PAGCOR regulations.
5. Responsible gaming: To monitor account activity for patterns consistent with problem gambling behavior, administer deposit limits and self-exclusion requests, and respond to responsible gaming enquiries.
6. Fraud prevention and security: To detect and prevent unauthorized account access, bonus abuse, money laundering, collusion, and other prohibited conduct as defined in the phpopen Terms & Conditions.
7. Customer support: To respond to your support requests, complaints, and formal dispute submissions in a timely and accurate manner.
8. Platform improvement: To analyze aggregated and de-identified usage data to improve the phpopen platform's performance, game library, payment flows, and user experience.
9. Marketing communications: To send you promotional offers, bonus notifications, and platform updates — but only where you have opted in to receive such communications and subject to your right to withdraw consent at any time.
10. Legal compliance: To comply with any legal obligation, court order, or regulatory directive issued by Philippine authorities including the NPC, AMLC, PAGCOR, or other competent bodies.

Under the Data Privacy Act of 2012 (RA 10173), phpopen processes your personal data on the following legal bases:

• Contractual necessity: Processing required to perform the contract between you and phpopen — including account management, game access, and payment processing — is necessary to deliver the services you have requested.
• Legal obligation: Processing required to comply with applicable Philippine law, including KYC obligations under PAGCOR regulations, AML reporting requirements under RA 9160, data breach notification obligations under RA 10173, and tax reporting obligations.
• Legitimate interests: Processing carried out for phpopen's legitimate business interests — including fraud detection, platform security, responsible gaming monitoring, and platform performance analysis — where those interests are not overridden by your rights and freedoms.
• Consent: Processing for marketing communications and certain preference-based profiling where your express opt-in consent has been obtained. You may withdraw this consent at any time without affecting the lawfulness of processing prior to withdrawal.

phpopen does not sell your personal data. We do not share your data with third parties for their independent marketing or commercial purposes. We share your personal data only in the following circumstances:

• Payment providers: GCash, PayMaya, BPI, BDO, Metrobank, Visa/Mastercard network processors, and cryptocurrency payment gateways receive the data necessary to process your deposit and withdrawal transactions. These providers are independently regulated and operate under their own privacy policies.
• KYC and identity verification partners: Third-party identity verification service providers receive your KYC document images and identity data solely for the purpose of verifying your identity on behalf of phpopen. These partners are bound by data processing agreements that prohibit use for any other purpose.
• Game content providers: Third-party game developers (including JILI, PG Soft, Pragmatic Play, and others) may receive session tokens and minimal technical data necessary to deliver their game content. These providers do not receive your full account profile or financial data.
• Regulatory and law enforcement authorities: phpopen will disclose personal data to the National Privacy Commission (NPC), Anti-Money Laundering Council (AMLC), PAGCOR, Bureau of Internal Revenue (BIR), Philippine National Police, or any other competent Philippine authority where required by law, court order, or valid legal process.
• Fraud prevention and AML compliance services: Compliance screening and fraud detection service providers receive the minimum data necessary to perform watchlist screening and risk scoring as required by RA 9160.
• IT and platform infrastructure providers: Cloud hosting, content delivery, cybersecurity, and platform monitoring service providers who process data on phpopen's behalf under strict data processing agreements.

phpopen uses cookies and similar tracking technologies on the phpopen.app platform. A cookie is a small text file placed on your device when you visit a website, used to remember information about your visit and improve your experience.

phpopen uses the following categories of cookies:

phpopen does not use advertising or retargeting cookies that track your browsing activity across other websites. You can manage cookie preferences through your browser settings. Disabling strictly necessary cookies will impair or prevent your ability to log in and use the platform.

phpopen retains your personal data for as long as necessary to fulfill the purpose for which it was collected, or as required by applicable Philippine law. The following retention guidelines apply:

• Account and identity data: Retained for the duration of your active account, plus a minimum of five (5) years following account closure, as required for AMLA compliance and regulatory audit purposes.
• Financial transaction records: Retained for a minimum of five (5) years from the date of each transaction, consistent with RA 9160 (AMLA) record-keeping requirements and BIR obligations.
• KYC documents: Retained for five (5) years after account closure or the last transaction date, whichever is later.
• Gaming history: Retained for three (3) years from the date of each game session.
• Customer support records: Retained for two (2) years from the date of each support interaction, extended where the matter relates to an ongoing dispute or regulatory inquiry.
• Marketing preference data: Retained for as long as you hold a phpopen account or until you withdraw consent to marketing communications, whichever is earlier.

Upon expiry of the applicable retention period, personal data is securely deleted or anonymized such that it can no longer be attributed to any identified or identifiable individual. Securely deleted data cannot be recovered.

phpopen implements technical and organizational security measures appropriate to the sensitivity of the personal data it holds, including:

• Encryption: All data transmitted between your device and phpopen's servers is encrypted using TLS 1.3. Data stored in phpopen's databases is encrypted at rest using AES-256.
• Access controls: Access to systems holding personal data is restricted to staff with a verified operational need. All access events are logged and subject to regular audit review.
• Password security: Account passwords are stored using one-way cryptographic hashing (bcrypt with salt). phpopen staff cannot retrieve your plain-text password.
• Two-factor authentication: phpopen offers SMS-based 2FA for all player accounts and uses multi-factor authentication internally for all staff access to production systems.
• Intrusion detection: phpopen operates continuous network monitoring and intrusion detection systems covering all production infrastructure.
• Data breach response: phpopen maintains a documented personal data breach response plan. In the event of a breach likely to result in risk to affected individuals, phpopen will notify the National Privacy Commission (NPC) within 72 hours of becoming aware of the breach, and will notify affected players promptly in accordance with NPC-issued guidelines.

The Data Privacy Act of 2012 (RA 10173) grants you the following rights in relation to your personal data held by phpopen. phpopen will respond to all verified rights requests within fifteen (15) business days of receipt.

The phpopen platform is strictly intended for adults aged 21 years and older in compliance with PAGCOR regulations governing online casino gaming in the Philippines. phpopen does not knowingly collect personal data from individuals under 21 years of age.

During registration, every applicant is required to confirm that they are at least 21 years old. This representation is verified during the KYC process through government-issued identification documents showing date of birth. Any account found to belong to an individual under 21 will be immediately closed and all associated data deleted, except where retention is required for regulatory reporting purposes.

If you believe a minor has registered an account on phpopen, please contact the support team immediately using the contact information provided in Section 14 of this Policy.

Some of phpopen's third-party service providers — including cloud infrastructure, content delivery networks, and KYC verification services — may process data on servers located outside the Philippines. Where such cross-border transfers occur, phpopen ensures that:

• The recipient country provides an adequate level of data protection, or
• Appropriate safeguards are in place, such as data processing agreements incorporating standard contractual clauses consistent with NPC guidelines, or
• The transfer is necessary for the performance of a contract between you and phpopen (such as processing a payment transaction through an international card network).

phpopen will not transfer personal data to a jurisdiction that does not offer adequate protections unless one of the above safeguards is in place. Where required, phpopen will seek NPC approval for cross-border transfers in accordance with NPC Circular 16-01 and its amendments.

phpopen may update this Privacy Policy from time to time to reflect changes in its data processing practices, applicable law, or NPC guidance. The "Effective Date" at the top of this page will be updated when changes are made.

Where a change is material — meaning it significantly affects the rights of players or the nature of data processing — phpopen will provide advance notice via one or more of the following methods: a notice on the phpopen.app homepage, an in-platform notification displayed upon login, or an email to your registered email address. The notice will be provided at least 14 days before the change takes effect where practicable.

Your continued use of the phpopen platform after the effective date of an updated Privacy Policy constitutes your acknowledgment of the changes. If you do not agree with a material change to this Policy, you may close your account by contacting the support team.

The most current version of this Privacy Policy is always available at phpopen.app/privacy-policy.

If you have any questions about this Privacy Policy, wish to exercise your data subject rights, or wish to report a suspected privacy breach, please contact phpopen's Data Protection Officer using the details below.

phpopen will acknowledge receipt of your request within two (2) business days and provide a substantive response within fifteen (15) business days. Where additional time is required for complex requests, phpopen will notify you of the expected response timeline.

If you are not satisfied with phpopen's response to your privacy concern, you have the right to lodge a complaint with the National Privacy Commission (NPC) of the Republic of the Philippines. The NPC is the supervisory authority responsible for enforcing RA 10173 and can be reached through their official government website and offices in Manila.

For information about the specific rules governing your phpopen account — including payment terms, bonus conditions, and player obligations — please review the Terms & Conditions. For information about player protection tools and responsible gaming resources, please visit the Responsible Gaming page.