Generally, an online lender in the Philippines may not contact your relatives to collect your debt when you never identified them as guarantors or co-makers. The lender cannot justify the calls simply by saying that you allowed its app to access your phone contacts. Contact-list permission is not blanket authority to copy everyone’s details, disclose your loan, pressure family members, or use them as collection targets.
The answer can differ when the relative expressly agreed to be a guarantor or co-maker. A person named only as a character reference, however, does not automatically become responsible for the loan. This distinction matters because some collection agents deliberately blur the roles to frighten relatives into paying.
Can an online lender contact relatives who were never listed?
For debt collection, the general rule is straightforward:
| Person contacted | Is collection contact generally allowed? | Why |
|---|---|---|
| Relative never listed in the loan application | No | Family relationship alone does not make the person liable or a lawful collection target |
| Person found only in the borrower’s phone contacts | No | Contact access cannot be used for debt collection outside permitted persons |
| Character reference named by the borrower | Not for collection | The lender may verify identity or application information but may not demand payment from the reference |
| Guarantor who expressly agreed and separately consented | Yes, within lawful limits | The guarantor may have contractual responsibility |
| Co-maker or co-borrower who signed the loan documents | Yes, within lawful limits | The person may be directly liable under the contract |
| Spouse, parent, sibling, child, or employer who did not sign | No | Relationship or association with the borrower does not create automatic liability |
The National Privacy Commission’s NPC Circular No. 2022-02, which amended the rules for lending and financing companies, specifically provides that a lender conducting debt collection may contact only the borrower’s guarantor. Contacting other persons in the borrower’s contact list is prohibited.
The Securities and Exchange Commission’s rules on unfair debt collection also prohibit lenders and financing companies from contacting people in a borrower’s contact list other than persons named as guarantors or co-makers, even when the borrower supposedly consented to contact access. The relevant issuance is the SEC Memorandum Circular No. 18, Series of 2019. (SEC Appointment System)
Allowing contact access does not authorize harassment
Many online lending apps ask for access to contacts, messages, photos, location, camera, microphone, or social-media information. Borrowers often click “Allow” because the application will not proceed otherwise.
That does not give the lender unlimited rights.
Under the Data Privacy Act of 2012, or Republic Act No. 10173, personal data must be processed according to three central principles:
- Transparency: The person must be properly informed about what information will be collected, why it is needed, how it will be used, and who will receive it.
- Legitimate purpose: The information must be used for a lawful and clearly declared purpose.
- Proportionality: The lender may collect only data that is relevant, necessary, and not excessive for that purpose.
Valid consent must also be freely given, specific, and informed. A vague statement buried in a privacy policy does not automatically authorize every possible use of a borrower’s contacts. (National Privacy Commission)
NPC Circular No. 2022-02 requires “just-in-time” notices when an app requests sensitive permissions. The notice should appear when the permission is requested and should explain the specific purpose of the access. The lender may not engage in “unbridled processing,” including:
- Harvesting an entire contact list without necessity;
- Using contact information to harass or embarrass the borrower;
- Collecting a debt through people other than authorized guarantors;
- Using data for purposes unrelated to the loan application; and
- Conducting unfair or abusive collection activities.
Where a lender asks for a character reference or guarantor, the information should be entered through a separate interface, and the app should access only the minimum data necessary for that purpose. (National Privacy Commission)
A character reference is not a guarantor
A lender may ask for the name and number of a character reference to verify the borrower’s identity or confirm information in the application.
That person does not become liable for the loan merely because the borrower supplied the person’s contact details.
Under NPC Circular No. 2022-02:
- A character reference may be contacted only for identity or information verification;
- The reference may not be contacted for debt collection;
- The reference may not be used for marketing, cross-selling, or unrelated offers; and
- The person does not become a guarantor without a separate, express undertaking and separate consent.
A collector therefore cannot properly tell a character reference:
“You were listed in the application, so you must pay.”
Nor may the collector repeatedly call the reference, disclose the borrower’s balance, threaten to include the reference in a case, or pressure the reference to find money for the borrower.
Relatives are not automatically responsible for the debt
A parent, spouse, sibling, adult child, cousin, friend, employer, or coworker is not responsible for an online loan merely because of the relationship.
Article 1311 of the Civil Code of the Philippines states that contracts generally bind only the parties who entered into them and, in appropriate cases, their assigns and heirs. A relative who did not sign the agreement is ordinarily not a party to the loan contract. (Lawphil)
The rules on guaranty are equally important:
- Under Article 2047, a guarantor is someone who binds himself or herself to fulfill the borrower’s obligation if the borrower fails to do so.
- Under Article 2055, a guaranty is not presumed. It must be express and cannot be extended beyond what was agreed. (Lawphil)
This means that a lender cannot create a guaranty merely by placing someone’s name in an app, importing the person’s number from a contact list, or declaring during a collection call that the person is now responsible.
What if the relative is the borrower’s spouse?
Marriage alone does not automatically make one spouse personally liable for every debt incurred by the other.
Questions involving conjugal or community property can be more complicated. Liability may depend on matters such as:
- Who signed the loan;
- Whether the money benefited the family;
- The couple’s property regime;
- When the obligation was incurred; and
- Whether the creditor is pursuing personal liability or property belonging to the marital partnership.
Even where marital property may eventually become relevant, a collector still cannot lawfully use abusive calls, unauthorized disclosures, or contact-list harvesting as a shortcut.
Can the lender tell your family about the loan?
Generally, a lender should not disclose your loan, overdue balance, payment history, identification documents, or alleged misconduct to relatives who have no legitimate role in the transaction.
Information showing that a person borrowed money, missed payments, or owes a particular balance is personal data. Sending that information to an unrelated third party is another form of data processing and requires a lawful basis.
Potentially improper disclosures include:
- Telling a parent that the borrower has an unpaid balance;
- Sending a sibling screenshots of the loan account;
- Calling coworkers and describing the borrower as a “scammer”;
- Posting the borrower’s name or photograph in a family or workplace group chat;
- Sending a fabricated arrest notice to relatives;
- Threatening to notify everyone in the borrower’s contacts; and
- Asking family members to contribute money because they are “also responsible.”
Even a message that does not state the exact balance can still be problematic when its obvious purpose is to use an unlisted relative as a collection channel. The rule is not limited to detailed disclosures: for debt collection, contacting persons in the borrower’s contact list other than permitted guarantors is itself prohibited.
Articles 19, 20, 21, and 26 of the Civil Code may also become relevant when collection conduct violates another person’s dignity, privacy, peace of mind, or rights and causes damage. The exact civil remedy will depend on the evidence and circumstances. (Lawphil)
What an online lender may legally do
A privacy violation does not automatically erase a valid loan. A legitimate lender may still use lawful collection methods, including:
- Contacting the borrower through reasonable channels;
- Sending an accurate written demand;
- Offering restructuring, extensions, or settlement terms;
- Using lawful credit-reporting systems;
- Assigning the account to a properly authorized collection agency; and
- Filing a civil case to recover an enforceable debt.
A lender or collector may not substitute public humiliation, threats, deception, or contact-list harassment for the legal collection process.
The 1987 Philippine Constitution expressly states that no person shall be imprisoned for debt. Nonpayment of an ordinary loan is generally a civil matter. A borrower may still face a separate criminal case when independent facts establish an offense—for example, fraud or another act specifically punishable by law—but imprisonment cannot be threatened merely because an account is overdue. (Lawphil)
What to do when an online lender contacts unlisted relatives
1. Preserve evidence before deleting the app
Collect evidence while it remains available. Save:
- The app’s complete name and app-store page;
- The developer or publisher’s name;
- The lender’s corporate name;
- The privacy notice shown during registration;
- Screenshots of permission requests;
- The loan agreement and disclosure statement;
- Statements of account and payment receipts;
- Messages sent to you and your relatives;
- Call logs showing dates, times, and numbers;
- Names used by collection agents;
- Group-chat posts or social-media messages;
- Emails and demand letters; and
- Evidence showing that the contacted relatives were never listed.
Ask each contacted relative to prepare a short written account containing:
- The date and time of each contact;
- The number or account used;
- What the collector said;
- What information about the borrower was disclosed;
- Whether threats or insults were used; and
- Whether the relative ever agreed to be a guarantor, co-maker, or reference.
Screenshots should show the full screen where possible, including the sender, date, time, account name, and surrounding conversation. Avoid cropping out details that establish authenticity.
Be cautious about secretly recording live telephone calls. Republic Act No. 4200, the Anti-Wiretapping Act, restricts secret recording of private communications without authorization from all parties. Preserve text messages, voicemails, call logs, and screenshots, or obtain clear consent before recording a live call. (Lawphil)
2. Revoke unnecessary app permissions
After saving evidence, review the app’s permissions and disable access that is no longer necessary, particularly access to:
- Contacts;
- SMS or call logs;
- Photos and files;
- Location;
- Camera; and
- Microphone.
Uninstalling the app may stop future access to the device, but it does not automatically delete information already copied to the lender’s systems. A written data request is therefore still useful.
3. Send a written cease-contact and privacy request
Send the request to the lending company, its collection agency, and its data protection officer when contact details are available.
Include:
- Your full name and account or loan reference number;
- The name of the lending app;
- The relatives’ names or numbers that were contacted;
- A statement that they were never guarantors or co-makers;
- Dates and examples of the unauthorized contacts;
- A demand to stop contacting those persons;
- A request for the source and legal basis for processing their information;
- A request for the identities or categories of recipients who received the data;
- A request to block or erase unlawfully obtained contact data;
- A request to preserve collection logs and internal records; and
- A request for written confirmation of the action taken.
A practical notice may read:
I dispute your authority to contact [name and number], who was never identified as a guarantor or co-maker and did not consent to debt-collection communications. Stop all collection contact with this person. Please identify the source, purpose, legal basis, and recipients of the personal data used, preserve all related records, and confirm whether the data has been blocked or erased. This request does not prevent lawful communications directly concerning my account through my authorized contact details.
The borrower and the contacted relative may each have privacy rights. The borrower may object to the disclosure or misuse of loan information. The relative may object to the collection and use of the relative’s own name, telephone number, messages, or other personal data.
The Data Privacy Act’s implementing rules recognize rights that include access, objection, correction, erasure or blocking, and compensation for damage caused by inaccurate, incomplete, outdated, unlawfully obtained, or unauthorized use of personal data. (National Privacy Commission)
4. Keep the debt issue separate from the privacy complaint
Do not assume that harassment cancels the debt. Ask the lender for:
- An updated statement of account;
- A breakdown of principal, interest, penalties, and fees;
- The lender’s complete corporate identity;
- Official payment channels; and
- Written settlement or restructuring terms, when appropriate.
Do not send payment to an employee’s or collector’s personal account unless the lender has formally verified that payment channel. Keep every receipt.
Also do not ignore a genuine summons, subpoena, court order, or official notice. Verify documents directly with the issuing court or agency rather than relying on a collector’s telephone number.
5. File a complaint with the SEC
Complaints involving unfair collection by lending and financing companies may be submitted through SEC iMessage. The system includes a category for complaints concerning financing and lending companies and allows users to create and track a ticket. (Securities and Exchange Commission)
Attach, when available:
| Evidence | Why it matters |
|---|---|
| Loan agreement or disclosure statement | Identifies the lender and contractual parties |
| App-store screenshot | Connects the app name to its developer |
| Privacy notice and permission screens | Shows what the borrower was told |
| Messages and call logs | Establishes the collection conduct |
| Relative’s affidavit or written statement | Confirms direct contact and what was said |
| Proof the relative was not listed | Counters claims that the person was a guarantor |
| Cease-contact request and delivery proof | Shows that the lender was formally notified |
| Payment records | Clarifies the account and prevents false balance claims |
Use the legal name of the lending or financing company when possible. Many apps use a brand name that differs from the registered corporation. The loan agreement, disclosure statement, privacy notice, app-store developer information, or payment instructions may reveal the actual entity.
6. File a complaint with the National Privacy Commission
A borrower or contacted relative may file a privacy complaint through the NPC complaint process.
The NPC generally requires:
- A notarized complaint-assisted form or verified complaint;
- Copies of supporting evidence;
- Affidavits of witnesses, where relevant; and
- Authorization documents when a representative files for the complainant.
A representative generally needs a special power of attorney. Complaints may be submitted personally, by mail or courier, or through the authorized NPC email channel. Electronically submitted documents should be digitally signed in PDF form when practicable. (National Privacy Commission)
According to the NPC’s published procedure:
- The Complaints and Investigation Division generally has 30 calendar days to determine whether to give due course to the complaint or dismiss it without prejudice;
- A complete administrative case may take approximately 10 to 12 months; and
- An application for a temporary ban on data processing may take around one to two weeks, subject to a hearing, position papers, and possible bond requirements. (National Privacy Commission)
Actual timing may vary depending on the completeness of the documents, service of notices, responses from the lender, conferences, and the agency’s caseload.
7. Use the BSP process when the lender is BSP-supervised
Most stand-alone lending apps operated by lending or financing companies fall under SEC supervision. A bank, digital bank, or another institution supervised by the Bangko Sentral ng Pilipinas follows a different consumer-assistance route.
The usual process is:
- Complain first through the institution’s Financial Consumer Protection Assistance Mechanism;
- Keep the reference number and written response; and
- Escalate the matter to the BSP Consumer Assistance Mechanism if the institution does not resolve the complaint or fails to act.
BSP-supervised financial service providers are required to maintain a free consumer-assistance mechanism. (Bangko Sentral ng Pilipinas)
8. Report threats, extortion, or impersonation separately
A privacy or SEC complaint does not replace criminal reporting when collectors engage in conduct such as:
- Threatening physical harm;
- Demanding payment through extortion;
- Impersonating police officers, judges, prosecutors, or court personnel;
- Sending fabricated warrants or criminal complaints;
- Publishing intimate or altered images;
- Taking over online accounts; or
- Making clearly defamatory public posts.
Preserve the original files and account links, not just forwarded screenshots. A barangay blotter can help document an incident, especially when a local person made the threat, but a barangay cannot order a nationwide lending platform to stop processing personal data. Complaints involving corporate lenders, privacy violations, or online conduct generally require action through the SEC, NPC, police, NBI, prosecutor’s office, or courts, depending on the facts.
Common situations and how the rules apply
“I clicked Allow Contacts, so the lender says I consented”
Contact permission does not override purpose limitation and proportionality. The lender still cannot use the permission as authority to collect from every person stored on the device. NPC rules expressly prohibit contact-list processing for collection outside authorized guarantors. (National Privacy Commission)
“The collector called my mother but did not mention the exact balance”
The absence of an exact balance does not necessarily make the contact proper. When the lender called an unlisted relative to pressure the borrower or locate the borrower for collection, the contact may still fall within the prohibition.
“My sister was listed as a character reference”
The lender may verify identity or application information with a character reference. It may not turn the reference into a collection target, demand payment from her, or treat her as a guarantor without a separate express agreement and consent.
“The app claims my relative was my guarantor”
Ask for the complete document showing:
- The relative’s express agreement;
- The scope of the guaranty;
- The date and method of consent;
- The identity-verification process used; and
- The electronic or handwritten signature relied upon.
A guaranty is not presumed. Merely encoding a person’s name and number does not prove that the person agreed to answer for the debt.
“The collector uses personal mobile numbers and keeps changing numbers”
Record every number, date, name, payment instruction, and message. Complaints should identify both the app’s brand and the legal company behind it. The company may remain responsible for collection activities performed by employees, agents, service providers, or collection agencies processing data on its behalf.
“I am overseas or I am a foreign national”
Philippine privacy and lending rules may still apply when a Philippine lender processes the data and conducts the collection activity. An overseas complainant may submit documents electronically where permitted or appoint a Philippine representative through a special power of attorney. Authentication or apostille requirements may depend on where the document is signed and how the receiving agency requires it to be presented.
Frequently Asked Questions
Can an online lender call my parents or siblings?
Not for debt collection when they were never named as guarantors or co-makers. The lender cannot make them collection targets merely because their numbers appeared in your phone.
Can the lender contact my employer?
An employer who is not a guarantor or co-maker generally should not be contacted to collect the loan. Disclosing the debt to supervisors, human-resources staff, or coworkers may also create privacy concerns.
Is a character reference required to pay?
No. A character reference is not automatically a guarantor. The person may be contacted for limited verification but cannot be required to pay without an express and valid contractual undertaking.
Is my spouse automatically liable for my online loan?
No. Marriage by itself does not automatically make a spouse personally liable. Liability may depend on who signed, the purpose of the loan, and the couple’s property regime.
Can a lender post my name and photograph on social media?
Publicly posting a borrower’s identity, debt, photograph, identification card, or insulting labels may violate privacy, SEC collection rules, civil rights, or other laws. Preserve the post, URL, profile information, date, comments, and audience details before requesting removal.
Does a privacy violation cancel my loan?
Not automatically. A valid debt may remain collectible through lawful methods. The privacy violation and the borrower’s payment obligation should be addressed separately.
Can I be arrested for an unpaid online loan?
A person cannot be imprisoned merely for debt. Criminal liability requires separate facts establishing an actual offense; a collector cannot create an arrest case simply by labeling nonpayment as fraud.
Can my relative file a complaint even though the loan is mine?
Yes. A relative whose personal information was collected or used, or who personally received unlawful collection messages, may be a data subject and direct complainant. The borrower may also complain about disclosure or misuse of loan information.
How long does an NPC complaint take?
The NPC states that the initial determination on whether to give due course may take up to 30 calendar days, while the complete process may take approximately 10 to 12 months. Delays can occur when evidence is incomplete, parties cannot be served, or additional proceedings are required. (National Privacy Commission)
Key Takeaways
- An online lender generally cannot contact relatives you never listed as guarantors or co-makers to collect your debt.
- Giving an app access to your contacts does not authorize unlimited copying, disclosure, harassment, or collection calls.
- A character reference is not a guarantor and may be contacted only for limited verification purposes.
- Family relationship alone does not create liability for the loan, and a guaranty must be express rather than presumed.
- Preserve screenshots, call logs, agreements, privacy notices, and relatives’ written accounts before deleting the app.
- Send a written cease-contact and data request while continuing to address any valid debt through official channels.
- Complaints may be filed with the SEC for unfair collection and with the NPC for unlawful processing or disclosure of personal data.
- A valid debt may still be collected lawfully, but collectors may not use relatives, public humiliation, deception, or threats as collection tools.