If an online lending app has accessed your contacts, messaged your relatives, threatened to shame you online, or used your ID photo to pressure you to pay, the issue is not only about debt. It is also about data privacy, consumer protection, and possibly cybercrime. Philippine law allows lenders to collect what is genuinely needed to evaluate and collect a loan, but it does not give them a free pass to harvest your phonebook, humiliate you, or use your personal data as a collection weapon.
What personal data do online lending apps usually collect?
Online lending apps may ask for information such as:
- Full name, address, mobile number, email address
- Government ID, selfie, signature, birthday, civil status
- Employment or income details
- Bank, e-wallet, or remittance details
- Device data, app activity, location, photos, camera access, or contact-list access
- Names and numbers of character references, co-makers, or guarantors
Under the Data Privacy Act of 2012, Republic Act No. 10173, personal information is information from which your identity is apparent or can reasonably be identified, while sensitive personal information includes government-issued numbers, health information, and other protected categories. “Processing” is broad. It includes collecting, storing, using, sharing, deleting, or even viewing your data. (National Privacy Commission)
In practical terms: when a loan app asks permission to access your contacts, uploads your ID photo, stores your selfie, checks your repayment behavior, or sends your data to a collector, it is processing personal data.
Your basic rights under Philippine data privacy law
As a borrower, applicant, character reference, or guarantor, you are a data subject. A data subject is the person whose personal information is being processed.
Your key rights include:
- Right to be informed — you should know what data is collected, why it is collected, who receives it, how long it will be stored, and how to contact the company.
- Right to access — you may ask what personal data the lender has about you.
- Right to correct — you may dispute inaccurate or outdated information.
- Right to object or withdraw consent — especially for marketing, cross-selling, or unnecessary sharing.
- Right to blocking, removal, or destruction — when data is unlawfully obtained, used for unauthorized purposes, or no longer necessary.
- Right to damages — if you suffer injury because your data was inaccurate, incomplete, unlawfully obtained, or used without authority.
- Right to data portability — for electronically processed personal data in a structured format. (National Privacy Commission)
The National Privacy Commission, or NPC, is the government body that implements the Data Privacy Act. It can receive complaints, investigate, facilitate settlement, adjudicate privacy disputes, and issue orders involving personal information. (National Privacy Commission)
The special rules for online lending apps in the Philippines
The most important privacy rule for lending apps is NPC Circular No. 20-01, the “Guidelines on the Processing of Personal Data for Loan-Related Transactions.” It applies to lending companies, financing companies, online lending apps, third-party collectors, and even persons acting as lenders, whether or not they have the required authority from the Securities and Exchange Commission.
The Circular recognizes the exact problem many borrowers experience: some apps access a borrower’s contact list, camera, location, storage, and other phone data, then allegedly use the borrower’s data or contacts in ways that damage reputation and violate privacy rights.
What online lenders are allowed to collect
A lender may process personal data when there is a lawful basis under the Data Privacy Act. For loan apps, the legitimate purposes usually include:
- Know-your-customer or identity verification
- Evaluating a loan application
- Determining creditworthiness
- Preventing fraud
- Servicing or collecting a valid loan
- Complying with legal or regulatory requirements
But the lender must follow the principle of data minimization: collect only data that is adequate, relevant, suitable, necessary, and not excessive for the stated purpose.
What online lenders are not allowed to do
Online lending apps are prohibited from requiring unnecessary permissions involving personal or sensitive personal information. App permissions must be suitable, necessary, and not excessive. Once the purpose has been achieved, the app should prompt the borrower to turn off or disallow the permission.
For example, camera or gallery access may be reasonable at the start of the application if it is used to take a selfie or upload an ID for KYC. But once the photo is taken and saved, the app should turn off the permission by default or prompt the borrower to revoke it. The borrower’s photo must not be used to harass or embarrass the borrower.
Most importantly, NPC Circular No. 20-01 prohibits access to contact details — including phone contacts, email lists, harvested social media contacts, or copied contacts — for debt collection or harassment. The app must provide a separate interface where borrowers can voluntarily provide character references or co-makers of their own choosing.
Character references are not automatically guarantors
This is one of the most misunderstood issues in online lending.
A character reference is usually someone who can confirm your identity or contact details. A guarantor is different. A guarantor agrees to answer for the debt if the borrower defaults.
The 2026 joint advisory of the DICT, NPC, and SEC states that online lending platforms must have separate interfaces for character references and guarantors. A guarantor must have expressly consented to assume responsibility for the loan. Without that separate consent, a character reference should not be treated as someone liable for payment.
For debt collection, the advisory also says lenders may only contact the guarantor. Contacting people in the borrower’s contact list other than those named as guarantors is prohibited.
“You consented” is not always a valid excuse
Many abusive apps rely on one argument: “You agreed when you clicked allow.”
That is not always enough.
Under the Data Privacy Act, consent must be freely given, specific, and informed. It must relate to a clear purpose. The 2026 DICT-NPC-SEC advisory warns that some online lending platforms use deceptive design patterns, such as pre-ticked boxes, interfaces that make consent easy but withdrawal difficult, or highlighted options that push users toward more data sharing. The advisory states that deceptive design patterns undermine data privacy principles and may invalidate consent.
So if an app forced broad contact access before you could even see the loan terms, hid the privacy notice, made withdrawal nearly impossible, or used your contacts for shaming instead of a lawful loan purpose, the lender cannot simply hide behind a generic “I agree” button.
Other Philippine laws that may apply
Financial consumer protection
Republic Act No. 11765, the Financial Products and Services Consumer Protection Act of 2022, protects financial consumers’ rights to fair treatment, transparency, data privacy, and timely complaint handling. It covers digital financial products and services, including credit accessed through digital channels.
The law also gives financial regulators, including the SEC, enforcement powers over financial service providers under their jurisdiction. It expressly prohibits financial service providers from employing abusive collection or debt recovery practices and requires them to respect client data privacy.
SEC rules on lending and collection
The SEC regulates lending and financing companies. The SEC’s own issuer list identifies SEC Memorandum Circular No. 18, Series of 2019 as the rule prohibiting unfair debt collection practices by financing and lending companies, and SEC Memorandum Circular No. 19, Series of 2019 as the rule on disclosure requirements in advertisements and reporting of online lending platforms. (SEC Appointment System)
Under the 2026 joint advisory, unfair collection practices include threats of violence or criminal means to harm a person’s body, reputation, or property, and threats to take actions that cannot legally be taken.
Lending company registration
Republic Act No. 9474, the Lending Company Regulation Act of 2007, requires a lending company to be organized as a corporation. The SEC has also directed the public to check the lists of lending or financing companies and recorded online lending platforms on its website. (Lawphil)
Do not assume an app is lawful just because it appears in an app store, has a nice logo, uses Tagalog ads, or claims to be “SEC registered.” Check the corporate name, certificate of authority, app name, website, and whether the online lending platform itself is recorded.
Civil Code and criminal laws
Even outside data privacy law, Philippine law protects dignity and privacy. Articles 19, 20, and 21 of the Civil Code require people to act with justice and good faith, and may require compensation when someone willfully or negligently causes damage contrary to law, morals, good customs, or public policy. (Lawphil)
If collectors post defamatory accusations online, threaten violence, impersonate officials, or publicly shame borrowers, possible criminal issues may arise under the Revised Penal Code and the Cybercrime Prevention Act, Republic Act No. 10175. The Supreme Court has also explained in Causing v. People that cyber libel under RA 10175 implements the Revised Penal Code provisions on libel when committed through a computer system. (Supreme Court E-Library)
How to protect your data before using an online lending app
Verify the lender first. Check whether the company is listed as a lending or financing company with authority to operate, and whether the online lending platform is recorded. Be careful with apps using a different public brand name from the corporate name.
Read the privacy notice before uploading your ID. Look for the purpose of processing, categories of data collected, recipients, retention period, automated scoring, data protection officer contact details, and complaint channel.
Avoid apps that demand full contact-list access. A legitimate app may ask you to type or select specific references, but blanket harvesting of your phonebook for debt collection is prohibited.
Limit phone permissions. On Android or iOS, deny or revoke permissions for contacts, location, camera, gallery, microphone, and storage unless they are clearly necessary at that stage. Camera access for a one-time selfie does not mean permanent gallery access is justified.
Do not provide someone else’s number casually. Tell your character references before entering their details. Do not list someone as guarantor unless that person knowingly agrees to be legally responsible.
Save all loan documents immediately. Keep screenshots or PDFs of the privacy notice, loan agreement, disclosure statement, repayment schedule, fees, interest, penalties, and app page. Some apps change or disappear after complaints begin.
Use payment channels that create receipts. Save GCash, Maya, bank, or remittance confirmation numbers. Avoid paying to personal accounts unless the lender clearly identifies them as authorized channels.
What to do if an online lending app is already harassing you
Preserve evidence before blocking. Screenshot messages, call logs, social media posts, app notifications, payment demands, threats, and public-shaming posts. Capture the sender’s number, username, date, time, and full message thread.
Record the timeline. Write a simple chronology: when you downloaded the app, when you applied, what permissions were requested, when you received the loan, when you paid, when harassment started, and who was contacted.
Identify the company behind the app. Check the app store listing, privacy policy, website, text messages, collection notices, SEC records, and payment recipient names. If the app uses several names, list all of them.
Send a data privacy request to the lender or its data protection officer. Ask what personal data they hold, where they got it, whom they shared it with, why they contacted third parties, how long they will retain it, and how you can request deletion or blocking of unnecessary data.
Tell collectors to communicate only through lawful channels. Keep the message short. Ask them to identify the company, account, authority to collect, and official payment channel. Avoid insults or threats in response.
Warn your contacts calmly. If relatives, co-workers, or employers are being messaged, tell them not to pay, not to share more information, and to save screenshots. They may also be data subjects if their numbers were harvested.
File with the correct agency. Data misuse goes to the NPC. Unfair debt collection and unregistered lending activity go to the SEC. Threats, fraud, hacking, impersonation, or cyber harassment may go to cybercrime authorities.
Where to file complaints
| Problem | Government office | What to prepare |
|---|---|---|
| Contact-list harvesting, unauthorized use of ID photos, unlawful sharing of personal data, refusal to delete unnecessary data | National Privacy Commission | Complaint-affidavit, valid ID, screenshots, app privacy notice, proof of permission requests, list of affected contacts |
| Abusive collection, public shaming, threats to contact employer, unrecorded online lending platform | Securities and Exchange Commission, Financing and Lending Companies Department | App name, corporate name, loan details, collection messages, screenshots, proof of payment, app store link |
| Threats, scams, impersonation, fake loan agents, hacking, cyber harassment | DICT Cyber Hotline, NBI Cybercrime Division, PNP Anti-Cybercrime Group | Screenshots, call logs, URLs, account links, phone numbers, e-wallet or bank details, chronology |
| Defamatory posts, threats, coercion, repeated harassment by identifiable persons | PNP, NBI, prosecutor’s office, or local police depending on facts | Printed screenshots, sworn statement, witnesses, proof of identity of sender if available |
The 2026 DICT-NPC-SEC advisory identifies the SEC iMessage portal for unfair debt collection complaints, the 1-4SEC hotline, the DICT Cyber Hotline, the NBI Cybercrime Division, and the PNP Anti-Cybercrime Group for harassment, threats, fraud, and scams.
The SEC iMessage system is the SEC’s web-based platform for public inquiries, complaints, incidents, and requests. (Securities and Exchange Commission)
How to file a data privacy complaint with the NPC
The NPC requires a formal complaint in a specific format. Its complaint page instructs complainants to download the form, print and fill it out, have it notarized, and submit it either in person, by courier, or by scanned email to the NPC complaints address. (National Privacy Commission)
The current NPC complaint-affidavit form reminds complainants to fill out the form completely, attach all evidence, and provide a valid government-issued ID such as a passport, driver’s license, PRC ID, Postal ID, voter’s ID, GSIS card, SSS card, TIN card, or student ID.
Evidence that usually matters
Attach clear copies of:
- Your valid government ID
- Complaint-affidavit or sworn narrative
- Screenshots of app permissions requested
- Screenshots of the privacy notice and loan terms
- Screenshots of threats, shaming, or messages to contacts
- Names and numbers of collectors, if visible
- App store page, website, or APK source
- Loan amount, date of disbursement, payment schedule
- Receipts and proof of payments
- Statements from contacted relatives, co-workers, or references
- Any request you sent asking the lender to stop, correct, delete, or explain the data processing
Fees and expected timeline
NPC Circular No. 2023-01 sets a ₱500 filing fee for complaints, additional fees for claims of damages, a ₱500 motion for reconsideration fee, and a ₱1,000 application fee for a cease-and-desist order, with bond rules depending on the request. Indigent litigants may be exempt if they submit the required barangay certificate of indigency and affidavits.
Actual timelines vary. Simple complaints may move faster if evidence is complete and the respondent is identifiable. Cases involving multiple apps, fake corporate identities, foreign operators, or missing records can take longer because the NPC or other agencies may need to verify entities, request records, or coordinate with other offices.
Practical notes for OFWs and foreigners
If you are abroad, preserve your Philippine SIM, email, screenshots, app data, and payment records. For notarized complaint-affidavits or sworn statements, Philippine embassies and consulates can notarize private documents such as affidavits and special powers of attorney for use in the Philippines, usually requiring personal appearance. (Philippine Embassy)
If a document is notarized by a foreign notary instead of a Philippine consular officer, the receiving Philippine office may require apostille or authentication, depending on the country and document type. The DFA maintains an apostille service for authentication concerns. (Apostille Government)
Foreigners who borrowed from a Philippine lending app generally have the same data privacy rights when their personal data is processed in the Philippines or when the processing is linked to Philippine residents, Philippine equipment, or Philippine business operations under the Data Privacy Act’s scope and extraterritorial provisions. (National Privacy Commission)
Common mistakes that make online lending app complaints harder
Deleting messages too soon
Blocking a collector may protect your peace of mind, but delete nothing until you have saved screenshots, exported chats, and backed up call logs.
Paying an “advance fee” to release a loan
A demand for an upfront “processing,” “unlocking,” “insurance,” or “tax” fee before releasing a loan is a major red flag. Save the payment demand and report it as a possible scam.
Assuming app-store availability means SEC approval
App stores are not regulators. A listed app may still be unrecorded, misbranded, suspended, or operated by a different company from the one shown in the advertisement.
Letting collectors pressure your employer
A collector may verify or communicate through lawful channels, but public shaming, threats, or unnecessary disclosure of your debt to co-workers or employers can violate privacy and collection rules.
Posting the collector’s personal details online
It is understandable to feel angry, but posting private information about a collector can create a new privacy or defamation problem. Preserve evidence and report through proper channels instead.
Treating a character reference as a co-borrower
A character reference does not become liable for the loan simply because their number was entered in an app. A guarantor must separately consent to assume responsibility.
Frequently Asked Questions
Can an online lending app access all my contacts in the Philippines?
Not for debt collection or harassment. NPC Circular No. 20-01 prohibits harvesting phone contacts, email lists, or social media contacts for debt collection or to harass the borrower or contacts. The app should provide a separate way for you to give selected character references or co-makers.
Is it legal for a lending app to message my relatives or co-workers?
For debt collection, the 2026 DICT-NPC-SEC advisory says lenders may only contact the guarantor. Contacting people in your contact list other than guarantors is prohibited.
Can a character reference be forced to pay my online loan?
No. A character reference is not automatically a guarantor. A guarantor must have expressly consented to assume responsibility for the loan in case of default.
Can I ask a lending app to delete my data after I pay?
Yes, you may request blocking, removal, or destruction of data that is no longer necessary, unlawfully obtained, outdated, or used for unauthorized purposes. However, the lender may retain some records if needed for legal, regulatory, accounting, fraud-prevention, or dispute purposes. The key point is that data should not be retained forever for vague future use.
What if I really owe the money?
You still have privacy rights. A valid debt may be collected, but collection must be lawful, fair, and proportionate. Owing money does not authorize threats, public shaming, contact-list blasting, fake criminal accusations, or misuse of your ID photo.
What if the app says I gave consent?
Consent must be freely given, specific, and informed. Deceptive design, forced blanket permissions, hidden privacy terms, or making withdrawal unreasonably difficult may undermine or invalidate consent.
Should I file with the NPC or the SEC?
File with the NPC for misuse of personal data, contact harvesting, unauthorized sharing, or refusal to respect data subject rights. File with the SEC for unfair debt collection, unregistered or unrecorded lending activity, abusive collectors, or misleading online lending advertisements. Some cases should be reported to both.
Can public shaming online be cyber libel?
It can be, depending on the words used, publication, identification, malice, and other legal elements. The Supreme Court has stated that cyber libel under RA 10175 applies the Revised Penal Code libel provisions when committed through a computer system. (Supreme Court E-Library)
How much does an NPC complaint cost?
The basic NPC complaint filing fee is ₱500. Additional fees apply for claims of damages and certain motions or applications, such as a cease-and-desist order. Indigent litigants may request exemption if they submit the required documents.
Can I complain even if the lending app is based outside the Philippines?
Yes, if the facts connect the processing to the Philippines, such as processing data of Philippine citizens or residents, doing business in the Philippines, collecting data in the Philippines, using Philippine equipment, or operating through a Philippine-related entity. The Data Privacy Act has extraterritorial provisions. (National Privacy Commission)
Key Takeaways
- Online lending apps may collect only data that is lawful, necessary, relevant, and not excessive.
- Blanket contact-list harvesting for debt collection or harassment is prohibited.
- A character reference is not automatically a guarantor.
- Camera or gallery access for KYC should not become permanent access to your photos.
- Owing money does not erase your privacy rights.
- Save evidence before blocking collectors or uninstalling the app.
- File privacy complaints with the NPC, collection and lending complaints with the SEC, and threats or scams with cybercrime authorities.
- Use official records, screenshots, receipts, app links, and a clear timeline to make your complaint easier to act on.