PRIVACY POLICY
Last Updated: April 2026
I. INTRODUCTION
Ipay Financial Services International Inc. (“Ipay”, “we”, “our”, or “us”) respects the privacy and confidentiality of personal data and is committed to ensuring that all personal information processed through our systems is handled responsibly, securely, and in compliance with applicable data protection laws, including the Data Privacy Act of 2012 and its Implementing Rules and Regulations.
This Privacy Notice outlines how we collect, process, use, store, disclose, retain, and protect personal data in connection with our payment facilitation services, merchant integrations, operational support functions, and related business activities.
We implement appropriate organizational, technical, and physical safeguards to ensure that personal data is protected throughout its lifecycle — from collection to secure disposal. We are committed to transparency, accountability, and the lawful processing of personal information entrusted to us by merchants, partners, and authorized users of our services.
By engaging with our services, accessing our platforms, or submitting personal information to Ipay, you acknowledge that you have read and understood this Privacy Notice.
II. INFORMATION WE COLLECT
In the course of providing our payment facilitation and related services, we may collect and process the following categories of personal data, where necessary and proportionate to legitimate business, contractual, or regulatory requirements:
1. Identification Information
- Full name
- Business or registered trade name
- Position, designation, or role within an organization
- Government-issued identifiers (e.g., tax identification numbers or other identifiers required by applicable law and regulatory authorities)
2. Contact Information
- Email address
- Mobile or telephone number
- Office or registered business address
3. Transaction-Related Information
- Payment references and transaction identifiers
- Transaction amounts, dates, and related details
- Billing records and settlement information
- Merchant transaction summaries and history
4. Merchant Account Information
- Business registration and licensing details
- Information relating to authorized representatives or signatories
- Bank account details for settlement and payout purposes
- Platform access credentials and integration-related identifiers
5. Technical and System Information
- Internet Protocol (IP) address
- Device identifiers and system configuration details
- Browser type and version
- Login timestamps and authentication logs
- System activity logs
- Audit trail records for security and compliance monitoring
Data Minimization Commitment
We collect only personal data that is relevant, necessary, and proportionate to:
- The provision of our services
- Compliance with contractual obligations
- Regulatory and legal requirements
- Fraud prevention, security, and risk management
We do not intentionally collect personal data that is unrelated to legitimate business or regulatory purposes.
III. PURPOSE OF PROCESSING
We process personal data strictly for legitimate, specified, and lawful purposes consistent with applicable data protection laws and regulatory requirements.
Personal data may be processed for the following purposes:
1. Service Delivery and Operations
- To provide, operate, and maintain payment facilitation and related services
- To enable merchant onboarding, verification, and account administration
- To manage merchant integrations and system connectivity
- To facilitate transaction processing, settlement, reconciliation, and reporting
2. Transaction Monitoring and Risk Management
- To monitor transactions for accuracy and operational integrity
- To detect, prevent, and investigate fraudulent, suspicious, or unauthorized activities
- To implement security controls and safeguard systems from misuse or intrusion
- To maintain audit trails and system logs for compliance and accountability
3. Legal and Regulatory Compliance
- To comply with applicable laws, regulatory obligations, and lawful orders
- To meet reporting requirements to relevant regulatory authorities
- To fulfill obligations relating to anti-fraud, financial monitoring, and other statutory requirements
4. Customer Support and Communication
- To respond to inquiries, service requests, or complaints
- To provide operational notifications and service-related communications
- To address technical concerns and platform-related issues
5. Service Improvement and System Enhancement
- To analyze system performance and usage trends
- To improve platform functionality, reliability, and security
- To enhance user experience and operational efficiency
Lawful and Limited Processing
Personal data is processed only:
- For clearly defined and documented purposes
- In a manner consistent with transparency and fairness
- Based on a valid legal basis (e.g., contractual necessity, legal obligation, legitimate interest, or consent where required)
- In accordance with data minimization and proportionality principles
We do not use personal data for purposes that are incompatible with those described above unless permitted or required by law.
IV. LEGAL BASIS FOR PROCESSING
We process personal data only when a lawful basis exists under applicable data protection laws, including the Philippine Data Privacy Act.
Depending on the context of the engagement, processing may be based on one or more of the following legal grounds:
1. Contractual Necessity
Processing is necessary for:
- The performance of a contract with merchants or business partners
- The implementation of pre-contractual measures (e.g., merchant onboarding, account verification)
- The fulfillment of service obligations related to payment facilitation and related services
2. Compliance with Legal and Regulatory Obligations
Processing is required to comply with:
- Applicable laws and regulatory issuances
- Reporting obligations to regulatory authorities
- Financial monitoring and anti-fraud requirements
- Record-keeping and audit requirements
3. Legitimate Business Interests
Processing may be necessary for legitimate business purposes, provided such interests are not overridden by the fundamental rights and freedoms of data subjects, including:
- Fraud prevention and risk management
- System security and integrity
- Internal administration and operational efficiency
- Service quality monitoring and improvement
4. Regulatory Compliance Requirements
As a regulated entity, we may process personal data to comply with supervisory, licensing, audit, and reporting requirements imposed by competent authorities.
5. Consent (Where Applicable)
Where required by law, we will obtain the consent of the data subject before processing personal data. Consent may be withdrawn at any time, subject to legal or contractual limitations.
V. DATA SHARING AND DISCLOSURE
We do not sell personal data.
Personal data may be disclosed only when necessary and appropriate for legitimate business or regulatory purposes.
We may share personal data with:
1. Authorized Internal Personnel
Access is limited to employees, consultants, and authorized personnel strictly on a need-to-know basis and subject to confidentiality obligations.
2. Regulated Financial Institutions
Where required for transaction processing, settlement, reconciliation, and compliance monitoring.
3. Payment Partners and System Integrations
For the purpose of facilitating merchant platform connectivity and payment-related services, subject to contractual safeguards.
4. Technology and Infrastructure Service Providers
Including providers supporting:
- Hosting and system infrastructure
- Platform maintenance and support
- Security monitoring and logging
- Data storage and backup services
Such providers are contractually required to:
- Implement appropriate technical and organizational safeguards
- Process personal data only for authorized purposes
- Maintain strict confidentiality
5. Regulatory and Government Authorities
When disclosure is:
- Required by law
- Necessary to comply with lawful orders
- Required for regulatory reporting and oversight
Safeguards for Data Sharing
All third-party disclosures are governed by:
- Confidentiality obligations
- Data protection clauses in contracts
- Security requirements aligned with industry standards
- Risk assessment and due diligence procedures
Personal data is not shared beyond what is necessary for the stated purposes.
VI. DATA RETENTION
We retain personal data only for as long as necessary to fulfill legitimate business and regulatory purposes.
Personal data may be retained to:
- Fulfill the purposes for which it was collected
- Provide and maintain payment-related services
- Comply with legal, statutory, and regulatory requirements
- Meet audit, reporting, and record-keeping obligations
- Resolve disputes and investigate incidents
- Enforce contractual agreements and protect legal rights
Retention periods may vary depending on:
- The nature of the data
- Regulatory requirements applicable to financial and payment-related services
- Operational necessity
When personal data is no longer required for the stated purposes, it is:
- Securely deleted using approved deletion procedures, or
- Irreversibly anonymized so that it can no longer be associated with an identifiable individual
Secure disposal procedures are implemented to prevent unauthorized recovery, access, or reconstruction of deleted data.
VII. SECURITY MEASURES
We implement appropriate organizational, technical, and physical safeguards to protect personal data against unauthorized access, disclosure, alteration, loss, or destruction.
1. Organizational Safeguards
- Documented privacy and information security policies
- Defined access approval workflows
- Confidentiality obligations for employees and authorized personnel
- Role segregation and least-privilege access principles
- Periodic access reviews
2. Technical Safeguards
- Role-based access controls
- Secure authentication mechanisms
- Strong password policy enforcement
- Encryption of sensitive data where applicable
- Secure system configurations
- System monitoring and audit logging
- Incident response procedures
3. Physical Safeguards
- Restricted office access
- Visitor logging procedures
- Controlled access to workstations and physical records
- Secure storage of sensitive documents
These safeguards are periodically reviewed and updated to address emerging risks and evolving regulatory requirements.
VIII. YOUR RIGHTS AS A DATA SUBJECT
In accordance with the Philippine Data Privacy Act and related regulations, individuals may exercise the following rights, subject to lawful limitations:
- Right to Access. Request confirmation of whether personal data is being processed and obtain a copy of such data.
- Right to Rectification. Request correction of inaccurate, incomplete, or outdated personal data.
- Right to Erasure or Blocking. Request deletion, suspension, or blocking of personal data where legally permissible.
- Right to Object. Object to processing based on legitimate interest or direct marketing, where applicable.
- Right to Withdraw Consent. Withdraw consent at any time, where processing is based on consent.
- Right to Data Portability. Request a copy of personal data in a structured, commonly used format, where technically feasible.
- Right to be Informed. Be informed about how personal data is collected and processed.
- Right to Lodge a Complaint. File a complaint with the relevant data protection authority if rights are believed to have been violated.
Requests may be submitted using the contact details provided below.
We may request reasonable verification of identity before acting on any request to protect personal data from unauthorized disclosure.
Responses will be provided within applicable regulatory timelines.
IX. DATA BREACH NOTIFICATION
In the event of a personal data breach that may pose a real risk to the rights and freedoms of individuals, we will take immediate and appropriate action in accordance with applicable data protection laws and regulatory requirements.
Our response will include:
- Prompt internal reporting to designated security and data protection officers
- Immediate investigation to determine the nature, scope, and impact of the incident
- Implementation of containment measures to prevent further unauthorized access, disclosure, or loss
- Preservation of relevant logs and evidence for forensic analysis
- Risk assessment to determine potential harm to affected individuals
Where required by law, we will:
- Notify the appropriate regulatory authority within prescribed timelines
- Inform affected individuals without undue delay if there is a high risk to their rights and freedoms
- Provide guidance on protective measures that individuals may take
All incidents are documented, reviewed, and subject to corrective action to prevent recurrence.
X. UPDATES TO THIS PRIVACY NOTICE
We may update this Privacy Notice from time to time to ensure continued compliance and transparency.
Updates may occur due to:
- Changes in applicable laws or regulatory requirements
- Enhancements to our services or operational processes
- Improvements to security and privacy practices
- Organizational or structural changes
When material changes are made:
- The revised version will be posted on our official website
- The “Last Updated” date will be revised accordingly
- Where required, affected individuals may be notified through appropriate communication channels
We encourage individuals to review this Privacy Notice periodically to stay informed about how we protect personal data.
XI. CONTACT INFORMATION
For privacy-related concerns, requests, or complaints, you may contact:
Data Protection Officer (DPO)
Ipay Financial Services International Inc.
Email: dpo@ipays.ph
Address:
371 Aguirre Ave.
BF Homes, Parañaque City
We will respond to requests within the timelines required by law.