How to Delete Personal Data From an Online App Under the Data Privacy Act

I. Introduction

Online apps collect personal data every day. A person may download a shopping app, lending app, e-wallet, delivery app, social media app, dating app, job platform, ride-hailing app, game, health app, school portal, productivity tool, or subscription service and be asked to provide name, mobile number, email address, address, government ID, selfie, birthday, contacts, location, photos, payment information, employment details, and device data.

At first, the data may be collected for account creation, verification, service delivery, payment, security, or customer support. But later, the user may want the app to delete the data because the account is no longer used, the app is suspicious, the user received spam, the service ended, the user withdrew consent, the data is outdated, the app was hacked, or the company is using the data in a way the user did not expect.

In the Philippines, personal data is protected under the Data Privacy Act of 2012, its implementing rules, and issuances of the National Privacy Commission. A user, called a data subject, has rights over personal data. One of the most important rights is the ability to ask that personal data be corrected, blocked, removed, or destroyed in proper cases.

This article explains how a person in the Philippines may request deletion of personal data from an online app, what rights apply, when deletion may be granted, when the app may legally refuse immediate deletion, how to write a request, what evidence to keep, and what remedies are available if the app ignores or denies the request.

II. What Is Personal Data?

Personal data is information that identifies or can identify a person.

Examples include:

  1. Full name;
  2. Address;
  3. Mobile number;
  4. Email address;
  5. Birthday;
  6. Age;
  7. Sex;
  8. Civil status;
  9. Government ID number;
  10. Passport details;
  11. Driver’s license details;
  12. Tax identification number;
  13. SSS, GSIS, PhilHealth, or Pag-IBIG number;
  14. Selfie or facial image;
  15. Photograph;
  16. Signature;
  17. Voice recording;
  18. Video recording;
  19. Location data;
  20. Device ID;
  21. IP address;
  22. Account username;
  23. Payment details;
  24. Bank or e-wallet information;
  25. Employment details;
  26. School records;
  27. Health information;
  28. App usage history;
  29. Contact list;
  30. Chat messages;
  31. Transaction records;
  32. Uploaded files.

Personal data may be ordinary personal information, sensitive personal information, or privileged information. Sensitive personal information receives stronger protection.

III. Sensitive Personal Information

Sensitive personal information includes data that may expose a person to serious risk if misused.

Examples include:

  1. Race or ethnic origin;
  2. Marital status;
  3. Age;
  4. Color;
  5. Religious, philosophical, or political affiliation;
  6. Health information;
  7. Education records;
  8. Genetic or sexual life information;
  9. Court proceedings;
  10. Government-issued identification numbers;
  11. Social security numbers;
  12. Licenses and permits;
  13. Tax returns;
  14. Financial account details where covered by privacy rules.

Many online apps collect sensitive data, especially lending apps, e-wallets, finance apps, job platforms, health apps, insurance apps, and identity verification systems.

A deletion request involving sensitive personal information should be treated seriously because misuse can lead to identity theft, harassment, discrimination, financial loss, or reputational damage.

IV. The Data Subject

The person whose personal data is collected is called the data subject.

A data subject has rights under Philippine privacy law, including the right to:

  1. Be informed;
  2. Object;
  3. Access;
  4. Rectify or correct;
  5. Erase or block in proper cases;
  6. Be indemnified for damages where applicable;
  7. Data portability in proper cases;
  8. File a complaint with the National Privacy Commission.

A user asking an app to delete personal data is exercising privacy rights as a data subject.

V. The Personal Information Controller and Processor

An online app may involve a personal information controller and a personal information processor.

A. Personal Information Controller

The personal information controller determines why and how personal data is processed. In practical terms, this is usually the company operating the app, platform, website, or service.

Examples:

  1. Lending company operating an online loan app;
  2. E-wallet provider operating a payment app;
  3. Delivery platform collecting customer addresses;
  4. Dating app operator collecting profiles and photos;
  5. Marketplace app collecting seller and buyer details;
  6. Health app operator collecting medical information;
  7. School portal operator collecting student records.

B. Personal Information Processor

The personal information processor processes data on behalf of the controller. Examples include cloud hosting providers, customer support vendors, payment processors, verification vendors, analytics providers, marketing vendors, and outsourced collection agencies.

A user usually sends the deletion request to the controller, not merely the processor.

VI. What Does “Delete Personal Data” Mean?

In privacy practice, deletion may mean different things depending on the situation.

It may include:

  1. Deleting the user account;
  2. Removing personal information from active systems;
  3. Blocking further processing;
  4. Destroying stored personal data;
  5. Removing uploaded IDs, selfies, or documents;
  6. Removing profile photos;
  7. Deleting contact list data;
  8. Deleting marketing records;
  9. Deleting location history;
  10. Removing data from public view;
  11. Deleting personal data from backups where technically feasible;
  12. Anonymizing data so the person can no longer be identified;
  13. De-linking data from the account;
  14. Stopping further sharing with third parties;
  15. Notifying processors to delete or stop processing data.

A request should be specific about what the user wants deleted.

VII. Right to Erasure or Blocking

Under Philippine data privacy principles, a data subject may demand the suspension, withdrawal, blocking, removal, or destruction of personal data in proper circumstances.

This right is often called the right to erasure, deletion, blocking, or removal.

A deletion request may be proper when:

  1. The data is incomplete, outdated, false, or unlawfully obtained;
  2. The data is being used for an unauthorized purpose;
  3. The data is no longer necessary for the purpose for which it was collected;
  4. The user withdraws consent and there is no other legal basis for processing;
  5. The app unlawfully disclosed the data;
  6. The data is being used for harassment or profiling beyond the disclosed purpose;
  7. The app violates the user’s privacy rights;
  8. The data subject objects to processing and there is no overriding lawful basis;
  9. The app no longer provides the service to the user;
  10. The retention period has expired;
  11. The account has been closed;
  12. The app’s processing is excessive or disproportionate.

The right to deletion is powerful but not absolute.

VIII. Deletion Is Not Always Immediate or Absolute

An online app may sometimes refuse or delay deletion if it has a lawful basis to retain certain data.

Possible lawful reasons for retention include:

  1. Compliance with law;
  2. Tax, accounting, audit, or regulatory requirements;
  3. Anti-money laundering obligations;
  4. Fraud prevention;
  5. Legal claims or dispute resolution;
  6. Contract enforcement;
  7. Consumer complaint records;
  8. Transaction history needed for warranties or refunds;
  9. Security logs needed to investigate abuse;
  10. Court order or lawful government request;
  11. Records required by a regulator;
  12. Legitimate business records within lawful retention periods.

For example, an e-wallet or finance app may not be able to delete all transaction and identity verification records immediately because financial regulations may require retention. A lending app may retain records of an unpaid loan. A shopping app may retain invoice and tax records for a period. A health app may be subject to health record rules.

However, even when full deletion is not possible, the app should explain what data must be retained, why it must be retained, how long it will be retained, and what data can be deleted or blocked immediately.

IX. Difference Between Account Deletion and Data Deletion

Deleting an app from a phone is not the same as deleting personal data.

Also, deleting an account is not always the same as deleting all data.

A. Deleting the App

If the user uninstalls the app, data may remain in the company’s servers.

B. Deleting the Account

Account deletion may remove login access and public profile, but the company may retain backend records.

C. Deleting Personal Data

Data deletion targets the actual personal information held by the company, subject to lawful retention.

Users should not assume that uninstalling the app deletes their data.

X. When Should a User Request Deletion?

A user may request deletion when:

  1. The user no longer uses the app;
  2. The account was created by mistake;
  3. The app is suspicious;
  4. The user receives spam or unauthorized marketing;
  5. The user wants to withdraw consent;
  6. The app accessed contacts unnecessarily;
  7. The app posted or shared personal information;
  8. The user’s loan, subscription, or transaction has ended;
  9. The user uploaded government IDs and wants them removed;
  10. The user suspects identity theft;
  11. The app has no account deletion option;
  12. The app ignores privacy requests;
  13. The app refuses to remove outdated or wrong information;
  14. The user wants to stop profiling or targeted advertising;
  15. The user wants to prevent future misuse.

The request should be made in writing so there is proof.

XI. Before Sending a Deletion Request

Before requesting deletion, the user should secure evidence and records.

This is important because deletion may remove information needed for complaints, refunds, disputes, warranties, or claims.

Before deletion, save:

  1. Account screenshots;
  2. Profile details;
  3. Uploaded documents list;
  4. Transaction history;
  5. Receipts;
  6. Payment confirmations;
  7. Chat support records;
  8. Privacy policy;
  9. Terms and conditions;
  10. App permissions;
  11. Marketing messages;
  12. Proof of harassment, if any;
  13. Screenshots of data misuse;
  14. Company name and contact details;
  15. Data protection officer contact details;
  16. Ticket numbers or complaint references.

A user should not destroy evidence before filing a privacy complaint if the app has violated privacy rights.

XII. Step 1: Identify the App Operator

The user should identify the company responsible for the app.

Check:

  1. App name;
  2. Developer name in app store;
  3. Company name in terms and conditions;
  4. Company name in privacy policy;
  5. Website;
  6. Customer service email;
  7. Data protection officer email;
  8. Office address;
  9. Business registration details, if available;
  10. In-app help center;
  11. Email confirmation messages;
  12. Payment receipt details;
  13. SMS sender name;
  14. Social media pages.

Many apps use brand names different from registered company names. The request should include both app name and company name if known.

XIII. Step 2: Review the Privacy Policy

The privacy policy should explain:

  1. What personal data is collected;
  2. Purposes of processing;
  3. Legal basis for processing;
  4. Whether data is shared with third parties;
  5. Data retention period;
  6. Data subject rights;
  7. Contact details of the data protection officer;
  8. How to request deletion;
  9. Security measures;
  10. Complaint procedure.

If the privacy policy has no deletion process or data protection officer contact, that fact may be relevant in a complaint.

XIV. Step 3: Use In-App Deletion Tools

Some apps have account deletion features.

Common locations:

  1. Settings;
  2. Account;
  3. Privacy;
  4. Security;
  5. Help center;
  6. Data and privacy;
  7. Manage account;
  8. Delete account;
  9. Close account;
  10. Request data deletion.

If an in-app deletion request is available, take screenshots before and after submitting. Save confirmation messages or ticket numbers.

If the in-app tool is incomplete or unclear, send a written request by email as well.

XV. Step 4: Send a Written Data Deletion Request

A written request should be sent to the company, customer support, and data protection officer if available.

The request should clearly state:

  1. Full name;
  2. Registered email or mobile number;
  3. App account username or ID;
  4. Request to delete, block, or remove personal data;
  5. Specific data to be deleted;
  6. Withdrawal of consent, where applicable;
  7. Objection to further processing, where applicable;
  8. Request to stop sharing with third parties;
  9. Request for confirmation;
  10. Request for explanation if deletion is refused;
  11. Deadline for response;
  12. Attachments proving identity, if necessary.

Do not send more sensitive documents than necessary. If identity verification is required, provide the minimum needed.

XVI. Sample Basic Data Deletion Request

Subject: Request for Deletion of Personal Data Under the Data Privacy Act

Date: [Insert Date]

To: The Data Protection Officer / Privacy Team [Company or App Name]

Dear Sir/Madam:

I am a user of [app name] with registered mobile number/email [insert] and account name/user ID [insert, if any].

I am requesting the deletion, blocking, removal, or destruction of my personal data processed in connection with my account, subject to any lawful retention requirements.

This request covers, where applicable:

  1. My account profile;
  2. Name, mobile number, email address, and address;
  3. Uploaded government IDs, selfies, photos, and documents;
  4. Contact list data, if collected;
  5. Location data;
  6. Device data;
  7. Marketing and profiling data;
  8. Any personal data shared with third-party processors, collectors, advertisers, or service providers.

I withdraw my consent to further processing where consent is the basis for processing, and I object to any further use of my personal data for marketing, profiling, harassment, or purposes unrelated to the service.

Please confirm in writing:

  1. What data has been deleted or blocked;
  2. What data, if any, must be retained;
  3. The legal basis and retention period for any retained data;
  4. The third parties to whom my data was disclosed;
  5. The steps taken to notify processors or third parties to delete or stop processing my data.

Please treat this as a formal exercise of my rights as a data subject.

Sincerely, [Name] [Contact Details]

XVII. Sample Request for Online Lending App Data Deletion

Subject: Request to Delete Personal Data and Stop Third-Party Contact

Date: [Insert Date]

To: The Data Protection Officer / Privacy Team [Online Lending App / Company Name]

Dear Sir/Madam:

I am a user/borrower of [app name] with registered mobile number [insert] and account ID [insert, if any].

I request the deletion, blocking, or removal of my personal data that is no longer necessary or lawfully retained, including any excessive data collected through the app.

This request includes:

  1. Phone contacts collected from my device;
  2. Photos, selfies, IDs, and uploaded documents;
  3. Employer, workplace, and reference information;
  4. Device, location, and app permission data;
  5. Marketing and profiling data;
  6. Any personal data disclosed to third-party collectors or service providers.

I specifically object to the use of my personal data and phone contacts for collection harassment, public shaming, third-party disclosure, or any purpose not lawfully disclosed and justified.

Please confirm:

  1. Whether my phone contacts were accessed or stored;
  2. Whether my data was shared with any collection agency or third party;
  3. What data has been deleted or blocked;
  4. What data you claim must be retained, the legal basis for retention, and the retention period;
  5. What steps you have taken to stop collectors or third parties from processing my personal data unlawfully.

This request is without prejudice to my right to file a complaint with the National Privacy Commission and other proper agencies.

Sincerely, [Name] [Contact Details]

XVIII. Sample Account Closure and Deletion Request

Subject: Account Closure and Personal Data Deletion Request

Dear [Company/App Name]:

Please close my account under registered email/mobile number [insert] and delete or block my personal data, subject only to lawful retention requirements.

I no longer use the app and withdraw consent for further processing where consent is the basis for processing.

Please confirm when the account has been closed and identify any personal data retained, the reason for retention, and the retention period.

Thank you.

[Name]

XIX. Step 5: Ask What Data Cannot Be Deleted Yet

If the company says it cannot delete all data, ask for a written explanation.

A proper response should identify:

  1. Specific data retained;
  2. Legal basis for retention;
  3. Purpose of retention;
  4. Retention period;
  5. Who can access the retained data;
  6. Whether the data will be blocked from further use;
  7. Whether it will be deleted after the retention period;
  8. Whether third-party processors were instructed to delete or block data.

A vague response such as “we retain data for business purposes” may be insufficient if it does not explain lawful basis and necessity.

XX. Step 6: Request Blocking Instead of Full Deletion

If full deletion cannot be done immediately, the user may request blocking or restriction.

Blocking means the company stops actively using the data except for lawful retention purposes.

For example:

  1. The company may retain transaction records for legal compliance;
  2. But it should stop marketing to the user;
  3. It should stop sharing data with advertisers;
  4. It should stop collection harassment;
  5. It should stop public disclosure;
  6. It should restrict access internally;
  7. It should delete unnecessary copies;
  8. It should mark the account as closed.

Blocking is useful when the company claims it must retain some records but has no reason to keep using them actively.

XXI. Step 7: Request Deletion From Third Parties

Apps often share data with third parties. The deletion request should include processors and partners.

Third parties may include:

  1. Cloud service providers;
  2. Identity verification vendors;
  3. Payment processors;
  4. Analytics providers;
  5. Marketing platforms;
  6. Customer support vendors;
  7. Collection agencies;
  8. Delivery partners;
  9. Advertising networks;
  10. Fraud detection vendors;
  11. Affiliates;
  12. Data brokers, where involved.

The controller should take steps to ensure processors stop processing data or delete data where required.

XXII. Step 8: Keep Proof of the Request

Keep:

  1. Sent email;
  2. Delivery receipt;
  3. Ticket number;
  4. Chat support transcript;
  5. Screenshots of in-app request;
  6. Company response;
  7. Date and time sent;
  8. Follow-up messages;
  9. Proof of identity submitted;
  10. Any refusal or explanation.

If the company ignores the request, these records will support a complaint.

XXIII. What If the App Ignores the Request?

If the app does not respond, the user may send a follow-up.

A follow-up may say:

Subject: Follow-Up on Data Deletion Request

Dear [Company/App Name]:

I sent a request for deletion/blocking of my personal data on [date]. I have not received a proper response.

Please act on my request and confirm what data has been deleted, blocked, retained, or shared with third parties.

If I do not receive a proper response, I reserve the right to file a complaint with the National Privacy Commission and other appropriate agencies.

Sincerely, [Name]

If the company continues to ignore the request, the user may escalate.

XXIV. Filing a Complaint With the National Privacy Commission

If an app refuses, ignores, or mishandles a deletion request, the user may file a complaint with the National Privacy Commission.

A complaint may be appropriate when:

  1. The app refuses deletion without lawful basis;
  2. The app ignores data subject requests;
  3. The app collected excessive data;
  4. The app accessed contacts without proper basis;
  5. The app disclosed data to third parties;
  6. The app posted personal data;
  7. The app used data for harassment;
  8. The app has no proper privacy contact;
  9. The app continues processing after consent was withdrawn;
  10. The app fails to explain retention;
  11. The app refuses to correct false data;
  12. The app suffered a breach and failed to respond properly.

XXV. What to Include in an NPC Complaint

Prepare:

  1. Full name and contact details;
  2. Name of app and company;
  3. Account details;
  4. Privacy policy screenshots;
  5. Data collected;
  6. Data deletion request;
  7. Proof request was sent;
  8. Company response or lack of response;
  9. Evidence of misuse or unlawful processing;
  10. Screenshots of third-party disclosures;
  11. Evidence of harassment, if any;
  12. Harm suffered;
  13. Relief requested.

The complaint should be clear and chronological.

XXVI. Possible Relief From a Privacy Complaint

The user may ask for:

  1. Deletion of unlawfully processed personal data;
  2. Blocking of personal data;
  3. Cessation of processing;
  4. Removal of public posts;
  5. Correction of inaccurate data;
  6. Disclosure of third-party recipients;
  7. Action against the company for privacy violations;
  8. Direction to improve privacy practices;
  9. Indemnification where damages are proven and legally available;
  10. Other appropriate relief.

The requested relief should match the violation.

XXVII. Sample NPC Complaint Narrative

“I created an account with [app name] using mobile number [number] and email [email]. The app collected my name, phone number, government ID, selfie, address, and contact list. On [date], I requested deletion of my personal data and withdrawal of consent. I sent the request to [email/address]. The company did not respond / refused without explanation / continued using my data. On [date], the app or its representatives contacted my phone contacts and disclosed my personal information. Screenshots are attached. I request investigation, deletion or blocking of unlawfully processed data, cessation of third-party disclosure, and other appropriate relief.”

XXVIII. Apps With No Deletion Button

Some apps do not have a deletion button. That does not mean the user has no rights.

The user may still send a written request through:

  1. Customer support email;
  2. Data protection officer email;
  3. Website contact form;
  4. In-app support chat;
  5. Registered business email;
  6. Official social media page;
  7. Physical office address;
  8. App store developer contact;
  9. Privacy policy contact details.

If there is no available privacy contact, document that fact. It may support a complaint.

XXIX. Apps That Are Already Deleted From the App Store

An app may disappear from the app store, but the company may still hold personal data.

The user should try to identify:

  1. Developer name;
  2. Company name from old emails;
  3. Loan agreement or receipts;
  4. SMS sender names;
  5. Payment account names;
  6. Customer service email;
  7. Website;
  8. Privacy policy saved online;
  9. Screenshots from the app;
  10. Social media pages.

If the operator cannot be located and the data is being misused, the user may file a complaint using all available identifying details.

XXX. Deleting Data From Social Media Apps

Social media apps may retain personal data, posts, messages, photos, comments, ad profile data, and login records.

A deletion request may include:

  1. Account deletion;
  2. Removal of photos;
  3. Deletion of posts;
  4. Removal of phone number and email;
  5. Deletion of search history;
  6. Deletion of ad preferences;
  7. Deletion of uploaded contacts;
  8. Removal from public search;
  9. Deactivation of tracking or profiling;
  10. Download of data before deletion.

Users should distinguish between deactivation and permanent deletion. Deactivation may only hide the account temporarily.

XXXI. Deleting Data From E-Wallets and Finance Apps

E-wallets and finance apps often have legal obligations to verify identity and retain transaction records. Full deletion may not be immediate.

However, users may request:

  1. Account closure;
  2. Deactivation of marketing;
  3. Deletion of unnecessary data;
  4. Blocking of data not required for compliance;
  5. Removal of saved cards;
  6. Deletion of device access records where no longer needed;
  7. Restriction of data sharing;
  8. Explanation of retention period.

The company may retain certain records for anti-fraud, regulatory, tax, audit, or legal compliance.

XXXII. Deleting Data From Lending Apps

Lending apps may retain data if there is an outstanding loan, dispute, regulatory requirement, or lawful claim.

But they should not retain or use excessive data for harassment.

Users may request:

  1. Deletion of contact list data;
  2. Deletion of unnecessary photos or files;
  3. Removal of data shared with collectors;
  4. Blocking of marketing;
  5. Correction of inaccurate loan records;
  6. Deletion after full payment and required retention period;
  7. Confirmation that no third-party contact will occur;
  8. Statement of account;
  9. Identification of third-party collectors.

If the app contacts unrelated persons, the user may file privacy and regulatory complaints.

XXXIII. Deleting Data From Shopping and Delivery Apps

Shopping and delivery apps may retain order history, receipts, and delivery records for legitimate purposes. But users may request deletion or restriction of:

  1. Saved addresses;
  2. Saved payment methods;
  3. Profile photos;
  4. Marketing preferences;
  5. Search history;
  6. Wishlist data;
  7. Chat records no longer needed;
  8. Location permissions;
  9. Device identifiers;
  10. Inactive account data.

The user should remove saved cards and addresses through the app, then send a deletion request for backend data.

XXXIV. Deleting Data From Dating Apps

Dating apps often collect sensitive profile data, photos, location, sexual preferences, messages, and identity verification data.

Users may request:

  1. Permanent deletion of profile;
  2. Removal of photos;
  3. Deletion of messages where possible;
  4. Deletion of location data;
  5. Removal from matching systems;
  6. Deletion of identity verification data where no longer needed;
  7. Blocking of marketing;
  8. Deletion of behavioral profiling data.

Simply deleting the app from the phone may not delete the dating profile.

XXXV. Deleting Data From Health Apps

Health apps may collect sensitive health data. Deletion may be limited by medical record or legal retention requirements.

Users may request:

  1. Account closure;
  2. Deletion of wellness data;
  3. Deletion of uploaded documents;
  4. Restriction of data sharing;
  5. Correction of inaccurate health data;
  6. Copy of data before deletion;
  7. Explanation of required retention.

Because health data is sensitive, privacy and security obligations are stricter.

XXXVI. Deleting Children’s Data

Children’s personal data requires special care. Parents or legal guardians may request deletion when an app collected a child’s data without proper authority or continues processing unnecessary data.

Requests may involve:

  1. Child’s name;
  2. Photos;
  3. School data;
  4. Location;
  5. Game account data;
  6. Chat data;
  7. Learning app records;
  8. Health data;
  9. Parent contact details.

The requester should state their authority as parent or guardian and provide minimal proof where necessary.

XXXVII. Withdrawing Consent

A user may withdraw consent when consent is the basis for processing.

Withdrawal of consent may affect:

  1. Marketing messages;
  2. Promotional emails;
  3. Profiling;
  4. Sharing with advertisers;
  5. Access to contacts;
  6. Optional data collection;
  7. Location tracking;
  8. Personalized recommendations;
  9. Public visibility settings.

However, withdrawal of consent does not automatically erase data if the app has another lawful basis to retain it, such as legal compliance or contract obligations.

XXXVIII. Objecting to Processing

A user may object to processing in proper cases, especially when data is used for direct marketing, profiling, excessive tracking, harassment, or purposes beyond what was disclosed.

The objection should state:

  1. What processing is objected to;
  2. Why it is unlawful, excessive, or no longer necessary;
  3. What action is requested;
  4. Whether deletion, blocking, or correction is requested.

XXXIX. Correcting Data Before Deletion

Sometimes deletion is not the best first remedy. If the app holds wrong information, the user may request correction.

Examples:

  1. Wrong name;
  2. Wrong birthday;
  3. Wrong loan status;
  4. Wrong payment record;
  5. Wrong employer;
  6. Wrong address;
  7. Wrong account linked to user;
  8. False fraud tag;
  9. Incorrect blacklist entry;
  10. Wrong ID document.

Correction matters because wrong data may affect credit, access to services, employment, or reputation.

XL. Downloading Data Before Deletion

Before deleting an account, the user may request a copy of their data.

This is useful for:

  1. Payment disputes;
  2. Consumer complaints;
  3. Loan disputes;
  4. Identity theft investigation;
  5. Proof of transactions;
  6. Warranty claims;
  7. Tax or accounting needs;
  8. Evidence of harassment;
  9. Knowing what data was collected.

After deletion, access may become harder.

XLI. Marketing Opt-Out vs. Deletion

Unsubscribing from marketing is not the same as deleting personal data.

A user may request both:

  1. Stop marketing messages;
  2. Delete marketing profile;
  3. Remove from mailing list;
  4. Stop SMS promotions;
  5. Stop push notifications;
  6. Stop sharing data with advertisers;
  7. Delete account data where applicable.

An app may retain a suppression list containing minimal contact information to ensure the user is not marketed to again. This should be limited and explained.

XLII. Data Retention Periods

Apps should not keep personal data forever without lawful reason. Retention should be tied to purpose.

Common retention reasons include:

  1. Active account;
  2. Contract performance;
  3. Transaction records;
  4. Legal compliance;
  5. Fraud prevention;
  6. Dispute resolution;
  7. Regulatory audit;
  8. Security logs;
  9. Tax records;
  10. Consumer complaint handling.

After the retention period, data should be deleted, anonymized, or securely destroyed.

Users may ask for the retention period in writing.

XLIII. Anonymization as an Alternative

Sometimes an app may anonymize data instead of deleting it. Anonymization means the data can no longer identify the user.

For example, a company may keep aggregated statistics such as:

  1. Number of users by city;
  2. Average transaction value;
  3. App usage trends;
  4. Fraud risk statistics;
  5. Service performance analytics.

If data is truly anonymized, it is no longer personal data. But if the company can still re-identify the user, it is not truly anonymized.

XLIV. Backups and Archived Data

Companies may claim that personal data cannot be immediately deleted from backups. This may be technically true in some systems.

But the company should explain:

  1. Whether the data is in backups;
  2. Whether backups are isolated from active use;
  3. How long backups are retained;
  4. When the data will be overwritten or deleted;
  5. Whether restored backups will respect the deletion request;
  6. Who can access archived data.

Backup retention should not be used as an excuse for continued active processing.

XLV. Deletion of Public Posts and Search Results

If an app or platform made personal data public, deletion may require more than account closure.

The user may request:

  1. Removal of public post;
  2. De-indexing from search;
  3. Deletion of cached copies where possible;
  4. Removal from group pages;
  5. Removal of tagged photos;
  6. Removal of public comments;
  7. Removal of profile from public search;
  8. Notice to third parties who received data.

If the data was copied by others, the original app may not control all copies, but it should remove what it controls and take reasonable steps where applicable.

XLVI. Identity Verification for Deletion Requests

Apps may ask the requester to verify identity before deleting data. This is reasonable because the company must avoid deleting the wrong person’s account.

However, verification should be proportionate.

The app should not demand excessive new personal data if it already has sufficient means to verify the user.

Good verification methods include:

  1. Confirmation through registered email;
  2. OTP to registered mobile number;
  3. In-app authenticated request;
  4. Partial ID confirmation;
  5. Account security questions;
  6. Minimal document verification where necessary.

If the app demands a new government ID for a simple deletion request without clear reason, the user may ask why it is necessary.

XLVII. Authorized Representatives

A data subject may act through an authorized representative in proper cases.

This may apply when the user is:

  1. A minor;
  2. Elderly;
  3. Ill;
  4. Deceased, with heirs or legal representatives acting for estate matters;
  5. Abroad;
  6. Unable to access the account;
  7. Represented by counsel.

The app may require authorization documents, such as:

  1. Authorization letter;
  2. Valid ID of data subject;
  3. Valid ID of representative;
  4. Proof of relationship;
  5. Special power of attorney, where appropriate;
  6. Guardianship documents, where applicable.

The app should request only what is necessary.

XLVIII. Deleting Data of a Deceased Person

Family members may want to delete or memorialize accounts of a deceased person.

Requirements may include:

  1. Death certificate;
  2. Proof of relationship;
  3. Proof of authority;
  4. Account details;
  5. Specific request for deletion, memorialization, or data access;
  6. Legal documents if estate issues are involved.

Data of deceased persons may still involve privacy, dignity, fraud prevention, and estate concerns. Apps may have special processes for deceased users.

XLIX. If the App Says the Data Belongs to the Company

An app may say user data is part of its business records. This may be partly true for transaction records, but personal data rights still apply.

A company may own its database system, software, and business records, but it does not mean it can freely misuse personal data. Personal data must still be processed lawfully.

The user may still ask for deletion, blocking, correction, restriction, or explanation of retention.

L. If the App Says Consent Cannot Be Withdrawn

Consent may generally be withdrawn when consent is the legal basis for processing. But withdrawal may not affect processing based on other lawful grounds.

A proper company response should distinguish:

  1. Data processed based on consent;
  2. Data processed based on contract;
  3. Data retained for legal compliance;
  4. Data retained for legal claims;
  5. Data processed based on legitimate interest, where applicable.

A blanket statement that consent can never be withdrawn is questionable.

LI. If the App Says “We Need It for Legal Purposes”

The user should ask for specifics.

The app should explain:

  1. What law or obligation requires retention;
  2. What exact data must be retained;
  3. How long it must be retained;
  4. Whether the data will be blocked from other uses;
  5. Whether unnecessary data can be deleted;
  6. Whether third-party sharing will stop;
  7. Whether marketing and profiling will stop.

Legal retention does not justify unrelated processing.

LII. If the App Continues Marketing After Deletion Request

Continued marketing after opt-out or deletion request may indicate improper processing.

The user should:

  1. Screenshot marketing messages;
  2. Save sender number or email;
  3. Send a follow-up objection;
  4. Ask to be removed from marketing lists;
  5. File a complaint if it continues.

Marketing should stop when the user validly objects, subject to reasonable processing time.

LIII. If the App Shares Data With Collectors

If a lending, subscription, or service app shares data with collectors, the user may ask:

  1. Who are the collectors?
  2. What data was shared?
  3. What is their authority?
  4. What is the purpose?
  5. Are they processors or independent controllers?
  6. Are they allowed to contact third parties?
  7. How will the company stop abusive processing?
  8. Will data be deleted after collection ends?
  9. What safeguards exist?

The company remains responsible for lawful data handling, especially if collectors process data on its behalf.

LIV. If the App Is Abroad

Many apps are operated by foreign companies. Philippine data privacy law may still be relevant if the app processes personal data of individuals in the Philippines or has sufficient Philippine connection.

Practical enforcement may be harder, but the user can still:

  1. Use the app’s privacy request process;
  2. Contact the data protection officer;
  3. File a complaint where applicable;
  4. Report the app to app stores;
  5. Report abuse to payment channels;
  6. Stop using the app;
  7. Revoke permissions;
  8. Secure accounts.

For foreign apps, also check whether the app offers privacy rights under its own jurisdictional policy.

LV. Reporting to App Stores

If an app refuses deletion or abuses data, the user may report the app to the app store.

Possible grounds:

  1. Privacy violation;
  2. Unauthorized contact access;
  3. Harassment;
  4. Deceptive lending;
  5. Fake financial services;
  6. Misuse of personal data;
  7. Scam behavior;
  8. Lack of deletion mechanism;
  9. Abusive permissions.

App store reporting does not replace legal complaint, but it may help prevent further harm.

LVI. Data Breach Concerns

If the user’s data was leaked, hacked, exposed, or accessed by unauthorized persons, the issue may involve a personal data breach.

Signs include:

  1. Sudden spam after using the app;
  2. Unknown loan applications;
  3. Identity theft;
  4. Unauthorized account access;
  5. Public exposure of user data;
  6. Messages from strangers with private information;
  7. Data being sold or shared;
  8. Unauthorized transactions.

The user should ask the app whether a breach occurred and what measures were taken.

LVII. Deletion After Data Breach

After a breach, a user may request deletion or blocking of unnecessary data. However, the company may need to retain some records to investigate the breach, comply with law, or address claims.

The company should still secure the data, restrict access, and delete what is no longer needed.

LVIII. Security Steps While Waiting for Deletion

The user should protect themselves while waiting for the app to act.

Practical steps:

  1. Revoke app permissions;
  2. Uninstall app after saving evidence;
  3. Change passwords;
  4. Enable two-factor authentication;
  5. Remove saved cards;
  6. Monitor bank and e-wallet accounts;
  7. Check email security;
  8. Watch for phishing;
  9. Warn contacts if contact list was accessed;
  10. Report suspicious transactions;
  11. Keep evidence;
  12. Avoid clicking links from unknown senders.

Deletion is not the only protection. Account security matters too.

LIX. Revoking App Permissions

On the phone, users may revoke permissions for:

  1. Contacts;
  2. Camera;
  3. Microphone;
  4. Photos;
  5. Files;
  6. Location;
  7. SMS;
  8. Call logs;
  9. Notifications;
  10. Background activity.

Revoking permission stops future access from the device but does not automatically delete data already uploaded to the company’s servers.

LX. Removing Saved Payment Methods

Before account deletion, remove:

  1. Saved debit cards;
  2. Saved credit cards;
  3. Bank accounts;
  4. E-wallet links;
  5. Auto-debit authorizations;
  6. Subscription payments;
  7. Stored billing addresses.

Also check whether recurring subscriptions must be cancelled separately through the app store, bank, or payment provider.

LXI. Deleting Data From the Device

Aside from server-side deletion, the user may clear local data.

This may involve:

  1. Logging out;
  2. Clearing app cache;
  3. Clearing app storage;
  4. Deleting downloaded files;
  5. Removing saved images;
  6. Removing offline documents;
  7. Deleting screenshots if no longer needed;
  8. Removing browser cookies;
  9. Clearing autofill information.

Keep evidence first if a complaint may be filed.

LXII. Minimize Future Data Collection

To reduce future risk:

  1. Read app permissions before installing;
  2. Avoid apps requiring unnecessary contact access;
  3. Use separate email for apps;
  4. Avoid uploading unnecessary IDs;
  5. Do not save cards unless needed;
  6. Use privacy settings;
  7. Disable location access when not needed;
  8. Avoid suspicious lending apps;
  9. Check privacy policy;
  10. Use official apps only;
  11. Avoid logging in through social media if unnecessary;
  12. Regularly delete unused accounts.

Prevention is easier than deletion.

LXIII. Common Mistakes by Users

Users often weaken their deletion request by:

  1. Only uninstalling the app;
  2. Not sending a written request;
  3. Not identifying the account;
  4. Deleting evidence before complaint;
  5. Sending too many extra IDs;
  6. Not saving ticket numbers;
  7. Confusing deactivation with deletion;
  8. Ignoring retained transaction records;
  9. Not asking for third-party deletion;
  10. Not following up;
  11. Using emotional or threatening language;
  12. Assuming all data must be deleted immediately.

A clear written request is stronger than repeated informal chats.

LXIV. Common Mistakes by Apps

Apps create privacy risk when they:

  1. Have no deletion mechanism;
  2. Ignore data subject requests;
  3. Collect excessive permissions;
  4. Hide privacy contacts;
  5. Retain data indefinitely;
  6. Fail to explain retention;
  7. Share data with unknown third parties;
  8. Use data for harassment;
  9. Continue marketing after objection;
  10. Refuse correction of false data;
  11. Demand excessive verification;
  12. Fail to delete data from processors;
  13. Fail to secure uploaded IDs and selfies.

These practices may support complaints.

LXV. Checklist for a Strong Deletion Request

Before sending, prepare:

  1. App name;
  2. Company name;
  3. Registered email;
  4. Registered mobile number;
  5. Account ID;
  6. Screenshots of account;
  7. Data to be deleted;
  8. Reason for deletion;
  9. Withdrawal of consent, if applicable;
  10. Objection to processing, if applicable;
  11. Request for third-party deletion;
  12. Request for retention explanation;
  13. Contact details for response;
  14. Proof of identity, if necessary and minimal.

LXVI. Checklist Before Filing a Complaint

Prepare:

  1. Copy of deletion request;
  2. Proof of sending;
  3. Company response or non-response;
  4. Follow-up request;
  5. Privacy policy;
  6. Terms and conditions;
  7. Screenshots of app permissions;
  8. Evidence of data misuse;
  9. Screenshots of continued processing;
  10. Marketing messages after opt-out;
  11. Public posts or disclosures;
  12. Third-party messages;
  13. Account screenshots;
  14. Written timeline;
  15. Harm suffered.

LXVII. Sample Timeline

Date Event Evidence
January 5 Created account with app Account screenshot
January 6 Uploaded ID and selfie App screenshot
February 1 Requested account deletion Email copy
February 10 No response received Follow-up email
February 15 App continued sending marketing SMS SMS screenshot
February 20 App disclosed data to third party Screenshot from recipient
February 22 Complaint prepared Annexes

A timeline helps regulators understand the case.

LXVIII. Frequently Asked Questions

1. Does uninstalling the app delete my personal data?

No. Uninstalling only removes the app from your device. The company may still keep data in its servers.

2. Can I force an app to delete all my data immediately?

Not always. You may request deletion, but the app may retain certain data for lawful reasons such as legal compliance, transaction records, fraud prevention, or disputes. It should explain what it retains and why.

3. Can I withdraw consent?

Yes, where consent is the basis for processing. But some data may still be retained under other lawful bases.

4. Can I ask a lending app to delete my contacts?

Yes. Contact list data is often excessive and sensitive in effect. The app should explain whether it collected contacts and what it has done with them.

5. Can the app keep my data if I still owe money?

It may retain data necessary to enforce or manage the account, but it cannot use data for harassment, public shaming, or unlawful disclosure.

6. Can I ask for deletion of my government ID and selfie?

Yes. The app should delete them if they are no longer necessary, unless there is a lawful retention reason. If retained, the app should explain why and for how long.

7. What if the app ignores my deletion request?

Send a follow-up and preserve proof. If still ignored, consider filing a complaint with the National Privacy Commission.

8. What if the app has no data protection officer email?

Use available official channels and document the absence of a privacy contact. This may support a complaint.

9. Can I ask for deletion from third-party collectors?

Yes. The controller should address data shared with processors or collectors and take steps to stop unlawful processing.

10. Should I delete my evidence after the company deletes my account?

Keep evidence if there is a pending dispute, complaint, harassment issue, refund claim, or identity theft concern.

LXIX. Conclusion

Deleting personal data from an online app in the Philippines is not simply a technical account setting. It is a legal right connected to privacy, dignity, security, and control over personal information. Under the Data Privacy Act, a user may request deletion, blocking, removal, or destruction of personal data in proper cases, especially when the data is no longer needed, was unlawfully obtained, is being misused, or is processed beyond the purpose originally disclosed.

The first step is to identify the app operator and send a clear written request to the company or its data protection officer. The request should specify the account, the data to be deleted, withdrawal of consent where applicable, objection to further processing, deletion from third-party processors, and written confirmation. If the app cannot delete everything immediately, it should explain the legal basis, purpose, and retention period for any data retained.

Users should remember that uninstalling an app does not delete server-side data. Account deletion may not erase all backend records. Financial, lending, health, and transaction-based apps may lawfully retain some records, but they should not continue using personal data for marketing, harassment, excessive profiling, or unauthorized disclosure.

If an app ignores, refuses, or mishandles a deletion request, the user may escalate to the National Privacy Commission and other proper agencies depending on the facts. The strongest complaints are organized, evidence-based, and supported by screenshots, privacy requests, app permissions, company responses, and proof of data misuse.

Personal data should not live forever in an app simply because a user once clicked “agree.” In the Philippines, companies that collect personal data must also respect the user’s right to control, correct, block, and delete it when the law requires.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login