Here’s a comprehensive, practice-oriented explainer for the Philippine setting. Per your instruction, I’m not using search. Treat this as general legal information you can use to brief counsel or prepare complaints—not legal advice.

Borrower Rights Against Online Lending App Harassment (Philippines)

1) Who regulates what (quick map)

SEC (Securities and Exchange Commission): Regulates lending companies (LCs) and financing companies (FCs), including online lending platforms (OLPs) that are non-bank. The SEC issues permits, can suspend/revoke licenses, and enforces anti-harassment / unfair collection rules for LCs/FCs.
BSP (Bangko Sentral ng Pilipinas): Oversees banks/e-money issuers and their third-party collectors under consumer protection and fair debt collection standards.
NPC (National Privacy Commission): Enforces the Data Privacy Act (DPA)—covers contact scraping, contact-list “shaming,” excessive permissions, unlawful disclosure of debts, and security lapses.
DOJ-NBI Cybercrime / PNP: Handles crimes like grave threats, extortion, libel, cyber-libel, identity theft, illegal access, and doxxing.
Courts (civil & criminal): Grant damages, injunctions (via regular civil actions), and hear criminal complaints (e.g., threats, coercion, libel). Small claims can be used for pure money claims (no injunctions).

Why this matters: Harassment by an online lender can be attacked administratively (SEC/NPC), criminally, and civilly, often in parallel.

2) Behaviors that are typically unlawful or sanctionable

While exact phrasing varies by regulator, these recurring abusive practices from OLPs/collectors usually violate Philippine rules:

“Contact-list shaming” and mass texts/calls to friends, employers, relatives.
- Privacy breach: Processing and disclosure of your contacts’ data without lawful basis violates the DPA’s principles of transparency, legitimate purpose, and proportionality.
- Unfair collection: Reaching out to third parties to publicly shame or coerce payment is an unfair debt collection practice and sanctionable by the SEC (for LCs/FCs) or BSP (for bank-related cases).
Threats, intimidation, and profanity.
- May constitute grave threats, grave coercion, unjust vexation, or light coercion under the Revised Penal Code; also cybercrime if done online.
- Harassing calls at unreasonable hours, insults, slurs, doctored images—all red flags.
Defamation / cyber-libel and doxxing.
- Posting or messaging defamatory content about you or your debt to your contacts or on social media (including fake “wanted” posters) can be libel/cyber-libel.
- Publishing your personal data (numbers, ID photos) to force payment can trigger DPA and cybercrime liability.
Excessive app permissions and covert data harvesting.
- Blanket access to contacts, photos, SMS, location, microphone that is not necessary to provide the loan is typically non-compliant with the DPA’s proportionality rule.
- “Consent” buried in long app terms is not valid if it is not specific, informed, and freely given; bundling access with loan approval is suspect.
False legal notices and impersonation.
- Pretending to be “from court,” “from NBI/PNP,” or “from SEC,” attaching bogus “warrants,” or threatening immediate arrest for nonpayment (a civil debt) is unlawful misrepresentation and may be estafa, usurpation of authority, or unfair collection.
Unauthorized disclosure to your employer (or threats of workplace embarrassment).
- Disclosing debt information to your HR/colleagues without basis breaches privacy and fair collection standards.

Key takeaway: You owe money ≠ they can harass you. Debt collection must be lawful, reasonable, and respectful of privacy.

3) Your core legal rights (anchor points)

A) Right to privacy & data protection (DPA)

Control over personal data: You have the right to be informed, to object, to access, to correct, to withdraw consent, to erasure/blocking, and to lodge a complaint with the NPC.
Lawful basis required: Lenders must prove a valid basis for each kind of processing (e.g., identity verification vs. accessing your entire contact list).
Proportionality: Data collected must be necessary and relevant. Scraping contact lists to pressure payment is over-collection.

B) Right to fair debt collection

Lenders/collectors must identify themselves, contact you in reasonable times and manners, avoid threats, profanities, false representations, and third-party shaming.
The SEC (for non-bank lenders) and BSP (for banks) can fine, suspend, or revoke licenses for violations.

C) Right to truthful information and due process

You’re entitled to accurate statements of account, clear fees/charges, and a complaints process.
You have the right to dispute erroneous balances and request itemization.

D) Right to seek remedies

Administrative: File with SEC (unfair collection; unregistered lending), NPC (privacy breaches).
Criminal: NBI/PNP for threats, libel/cyber-libel, extortion, illegal access.
Civil: Sue for damages (moral, exemplary, actual), injunction to stop harassment, and attorney’s fees.

4) What you can do immediately (playbook)

Step 1 — Preserve evidence

Screenshots/screen recordings of messages, caller IDs, voice mails, app permission prompts, app store pages, and timestamps.
Export chat threads and download metadata where possible.
Save call logs, emails, and any posts tagging your contacts or employer.

Step 2 — Cut off unlawful data flows

In your phone’s settings, revoke app permissions (Contacts, SMS, Storage, Location, Camera/Mic).
If needed, uninstall the app after preserving evidence.
Change passwords for email/cloud accounts that could be accessed.

Step 3 — Send formal notices

DPA Rights Invocation / Cease-and-Desist to the lender and its collector(s):
- Withdraw consent to any non-essential processing (e.g., contacts).
- Object to processing for contact-list shaming or third-party disclosure.
- Demand erasure/blocking of unlawfully obtained contact data.
- Demand a copy of their privacy notice, data flows, lawful bases, and the identity of any processors/third parties.
Fair Collection Demand: Instruct them to channel communications to one number/email, 9am–5pm (or reasonable window), no third-party contacts, no threats, no false legal claims.
Employer/contacts advisory (optional): Brief HR or key contacts that any lender outreach about your debt is unauthorized and may violate privacy and labor policies; ask them to forward any messages for evidence.

Step 4 — File complaints (pick all that apply)

SEC (if it’s a lending/financing company/OLP): unfair debt collection, operating without license, misleading representations.
NPC: unlawful processing/disclosure, excessive permissions, data breach.
NBI Cybercrime/PNP: threats, extortion, cyber-libel, doxxing, identity theft, illegal access.
Civil court: injunction to stop harassment + damages.

Step 5 — Negotiate or restructure (if you want to settle)

Ask for statement of account, waiver of penalties/fees, and a written repayment plan.
Pay only via traceable channels. Keep receipts.

5) Criminal and civil angles (what fits where)

Grave threats / extortion: Menacing messages (“we will arrest you,” “we’ll post your nudes,” “we’ll harm your family”) can be criminal.
Grave coercion / unjust vexation: Forcing you or your contacts to do acts against will (e.g., public confessions) through intimidation.
Libel / cyber-libel: False and malicious imputations (e.g., “swindler,” “wanted”) posted/sent online.
Violation of the DPA: Unauthorized processing, unauthorized disclosure, failure to implement security measures, or failure to honor data subject rights—administrative and criminal penalties may attach.
Civil damages: Claim moral (anguish), exemplary (to deter), actual (lost wages, costs), attorney’s fees.
Small claims: If you seek pure money claims (e.g., refund of unlawful fees or liquidated damages) without injunction; otherwise file a regular civil action.

6) Special situations

Unregistered/rogue OLP: If the entity lacks an SEC license but extends loans/collects debts, report to SEC; criminal estafa or illegal lending angles may exist.
Third-party collectors: The principal lender remains responsible for its agents’ unlawful acts; name both in complaints.
Identity theft / loan made under your name: File immediately with NBI/PNP; send the lender a fraud dispute, require KYC artifacts they relied on, and insist on account freeze pending investigation.
Employer pressure: If collectors harass your employer or disclose your debt, that can be both a privacy and defamation issue; get HR to document and cease-and-desist them.

7) Practical templates (short, adaptable)

A) DPA Rights & Cease-and-Desist (to lender/collector)

Subject: Data Privacy Rights Invocation & Cease-and-Desist I am invoking my rights under the Data Privacy Act to object to any processing and disclosure of my personal data for third-party debt shaming, including contacting persons in my phone or workplace. I withdraw any consent to access my contacts, photos, SMS, or location, which are not necessary for loan servicing. I demand erasure/blocking of any data taken from my device outside legitimate KYC. Confirm in writing within 5 days: (1) what data you hold, (2) lawful bases, (3) third parties you shared with, and (4) measures to prevent further harassment. All communications must be in writing to [email], weekdays [time window] only.

B) Fair Collection Letter

Subject: Unfair Collection Practices – Demand to Stop Your repeated threats, defamatory messages, and contacts to my family/employer are unlawful. Cease immediately. Future contact must be professional, without threats or misrepresentation, and only via [channel] during [time window]. Non-compliance will be reported to the SEC/NPC and law enforcement, and pursued for damages.

8) Evidence checklist (build your case)

Copies of the loan agreement, privacy policy, and screenshots of permission prompts.
Call logs, audio recordings (if legal to record your side of the call), voicemails.
Chat exports (WhatsApp, FB Messenger, SMS), including headers.
Screenshots of defamatory posts or messages to contacts; ask contacts to forward messages with timestamps.
Employer HR memos/email confirming any collector outreach.
Proof of financial/psychological harm (doctor consults, missed work, receipts).

9) Responsible repayment vs. abusive collection (know the line)

You remain liable on a valid loan (principal + lawful charges).
But collection must be lawful. You can pay/settle while enforcing your rights: insist on one channel, professional tone, and a clear statement of account; reject harassment, threats, third-party disclosure, or fake legal notices.

10) Fast decision guide

Being threatened / contacts harassed? → Preserve evidence → Cease-and-Desist + DPA rights letter → File SEC/NPC complaints → NBI/PNP if criminal acts → Consider civil action for injunction/damages.
Excessive permissions/contact scraping? → Revoke permissions → Demand erasure → NPC complaint.
Want to settle? → Request SOA, negotiate penalty waivers, get written plan, pay via traceable channels.

11) Common myths—debunked

“If you uninstall the app, they can have you arrested.” ❌ Debt is civil, not criminal. Harassment/threats can be criminal—against them.
“You consented to contact scraping, so it’s legal.” ❌ Consent must be specific, informed, freely given; bundled or coerced consents and disproportionate data collection violate the DPA.
“Posting your debt publicly is allowed so others can pressure you.” ❌ Unlawful disclosure and defamation risks; also an unfair collection practice.

Final notes

Keep your communications calm and written.
If harassment is severe or ongoing, consult a Philippine lawyer to draft a stronger demand, file administrative complaints, and, if necessary, pursue injunctive relief and damages.
If you want, share: (1) whether the lender is bank or non-bank app, (2) examples of the messages they sent, and (3) what permissions the app asked for. I can help tailor a complaint bundle (SEC/NPC + criminal affidavit) and refine your cease-and-desist letters.