How to Delete Personal Data From an Online Lending App in the Philippines

I. Introduction

Online lending apps often require borrowers or applicants to submit personal information before a loan is approved or released. This may include a mobile number, government ID, selfie, address, employment details, bank or e-wallet account, emergency contacts, device information, and sometimes access to phone contacts, photos, location, or other device data.

In the Philippines, a borrower or applicant is not powerless after submitting personal data to an online lending app. The Data Privacy Act of 2012, its implementing rules, and related issuances of the National Privacy Commission recognize rights of data subjects, including the right to be informed, object, access, correct, and in appropriate cases, block, remove, or destroy personal data.

However, deletion is not always automatic. A lending company may retain some information when retention is required by law, needed to establish or defend legal claims, necessary for legitimate business records, or required by financial, tax, anti-money laundering, audit, consumer protection, or regulatory obligations. The correct remedy is therefore not simply “delete everything immediately,” but to make a proper data subject request requiring the app or lending company to delete data that it no longer has a lawful basis to retain, stop unlawful processing, withdraw unnecessary permissions, and cease disclosure or misuse.

This article explains how to delete personal data from an online lending app in the Philippine context, what rights apply, what documents to prepare, where to complain, and what to do if the lending app refuses or ignores the request.

II. What Personal Data Online Lending Apps Commonly Collect

Online lending apps may collect several categories of personal information.

A. Identity Data

This may include:

  1. Full name;
  2. Date of birth;
  3. Place of birth;
  4. Civil status;
  5. Nationality;
  6. Gender or sex;
  7. Government-issued ID;
  8. ID number;
  9. Selfie or facial image;
  10. Signature;
  11. Tax identification number, if requested;
  12. Other identity verification records.

B. Contact Data

This may include:

  1. Mobile number;
  2. Email address;
  3. Home address;
  4. Work address;
  5. Social media account;
  6. Emergency contact details;
  7. Character reference details;
  8. Family contact information.

C. Financial and Employment Data

This may include:

  1. Employer name;
  2. Job title;
  3. Salary;
  4. Payslip;
  5. Bank account;
  6. E-wallet account;
  7. Loan history;
  8. Credit score or internal risk profile;
  9. Payment behavior;
  10. Debt collection records;
  11. Other lending app accounts.

D. Device and Technical Data

This may include:

  1. Device ID;
  2. IP address;
  3. Location data;
  4. App usage data;
  5. Operating system details;
  6. SIM-related information;
  7. Advertising ID;
  8. Installed app metadata;
  9. Login and authentication logs.

E. Contacts, Photos, and Media

Some abusive lending apps have been reported to access or misuse:

  1. Phone contacts;
  2. Photos;
  3. Videos;
  4. Messages;
  5. Call logs;
  6. Social media contacts;
  7. Stored documents.

Accessing or using this kind of information for harassment or public shaming can raise serious data privacy and cybercrime concerns.

III. Legal Basis: Data Privacy Rights in the Philippines

The Philippine Data Privacy Act gives individuals rights over their personal data. In the lending app setting, the user is the data subject, while the lending company, app operator, or financing company is typically a personal information controller or personal information processor, depending on its role.

The rights most relevant to deletion include:

  1. Right to be informed;
  2. Right to object;
  3. Right to access;
  4. Right to rectification;
  5. Right to erasure or blocking;
  6. Right to damages;
  7. Right to file a complaint.

The right to erasure or blocking is sometimes called the right to deletion, removal, destruction, or suppression of data. It allows a data subject to require that personal data be removed or blocked under legally recognized circumstances.

IV. What “Deletion” Means

Deletion may mean different things depending on the data and system involved.

It may include:

  1. Removing the user’s profile from the app;
  2. Deleting uploaded IDs and selfies;
  3. Removing contact list data;
  4. Stopping use of personal data for marketing;
  5. Deactivating or closing the account;
  6. Deleting unnecessary loan application data;
  7. Removing data from active databases;
  8. Blocking access to data;
  9. Destroying stored files;
  10. Anonymizing data so it can no longer identify the user;
  11. Stopping disclosure to collectors, affiliates, or third-party processors;
  12. Removing unlawfully posted or shared personal information.

A company may not be able to erase every record if lawful retention applies, but it should stop processing data that is no longer necessary or lawful.

V. When a Borrower May Request Deletion

A user may request deletion or blocking of personal data when:

  1. The loan application was abandoned or denied, and the app no longer needs the data;
  2. The loan has been fully paid and retention is no longer necessary except for legally required records;
  3. Consent is withdrawn for optional processing;
  4. The app collected excessive personal data;
  5. The app accessed contacts, photos, or files unrelated to lending;
  6. The app used personal data for harassment or public shaming;
  7. The app disclosed data to unauthorized persons;
  8. The app sent messages to contacts without lawful basis;
  9. The app continued marketing despite opt-out;
  10. The data is outdated, false, or unlawfully obtained;
  11. The lending company is unregistered or operating illegally;
  12. The app has no privacy notice or fails to identify a legitimate controller;
  13. The user wants account closure and deletion of unnecessary data;
  14. The user is a victim of identity theft or fraudulent loan application.

VI. When the Lending App May Refuse Full Deletion

A lending app may lawfully refuse immediate full deletion if it has a valid legal basis to retain certain records.

Common reasons include:

  1. The user has an outstanding loan;
  2. Records are needed to collect a legitimate debt;
  3. Records are needed for accounting and audit;
  4. Records are required for tax compliance;
  5. Records are needed for anti-fraud and identity verification;
  6. Records are needed to comply with financial regulations;
  7. Records must be retained under lending, financing, or corporate rules;
  8. Records are needed to establish, exercise, or defend legal claims;
  9. The company must preserve records due to a pending complaint, dispute, or investigation;
  10. Retention is required by law or lawful order.

However, even when some retention is allowed, the app should not keep or use more data than necessary. For example, it may retain loan transaction records but should not continue accessing or using the borrower’s phone contacts for harassment.

VII. Deletion Versus Account Closure

Deleting personal data is not always the same as closing the app account.

A. Account Closure

Account closure means the user’s app account is deactivated or closed. The user may no longer access the app or borrow through it.

B. Data Deletion

Data deletion means personal data is removed, blocked, anonymized, or destroyed to the extent legally required.

A lending company may close the account but retain some records. Conversely, it may remove optional data while keeping the account open for payment records. A good request should ask for both account closure and deletion or blocking of unnecessary personal data.

VIII. Deletion Versus Withdrawal of Consent

A user may withdraw consent for processing that depends on consent. However, not all processing depends only on consent.

For lending, some processing may be based on:

  1. Contract;
  2. Compliance with law;
  3. Legitimate interest;
  4. Protection of legal claims;
  5. Consent;
  6. Other lawful criteria.

Withdrawing consent is strongest for optional processing, such as marketing, unnecessary device permissions, contact harvesting, promotional messages, or disclosure to affiliates. It may not erase records needed to document a loan contract or unpaid balance.

IX. Special Concern: Contact List Access

Contact list access is one of the most sensitive issues in online lending apps.

Some apps request permission to access contacts, then use those contacts to shame, threaten, or pressure borrowers. This may involve unlawful or excessive processing if the contacts were not necessary for the loan, if contacts did not consent, or if the data was used for harassment.

A deletion request should specifically demand:

  1. Deletion of all uploaded or scraped phone contacts;
  2. Cessation of messages or calls to contacts;
  3. Disclosure of whether contact data was shared with collectors;
  4. Identification of third parties that received contact data;
  5. Written confirmation that contact data has been removed or blocked;
  6. Preservation of evidence if harassment occurred.

Even if the borrower has an outstanding loan, contacting unrelated persons in an abusive, deceptive, or humiliating manner may raise legal issues.

X. Special Concern: Uploaded Government IDs and Selfies

Uploaded IDs and selfies may be misused for identity theft or fraudulent accounts.

A deletion request should ask the lending app to:

  1. Delete unnecessary copies of IDs and selfies;
  2. Stop using the ID for marketing or profiling;
  3. Confirm whether the ID was shared with third parties;
  4. Retain only what is legally required for loan, audit, or anti-fraud purposes;
  5. Securely store any retained copy;
  6. Block further unauthorized access;
  7. Notify the user if a data breach occurred.

If the app is unregistered, fraudulent, or suspected of identity theft, the user should preserve evidence before deletion, because the data may be needed for complaints.

XI. Special Concern: Harassment and Public Shaming

Online lending harassment may include:

  1. Threatening messages;
  2. Calling family members or co-workers;
  3. Posting the borrower’s photo online;
  4. Sending defamatory messages to contacts;
  5. Accusing the borrower of fraud or theft;
  6. Threatening arrest;
  7. Threatening to send edited photos;
  8. Releasing private data;
  9. Using obscene or abusive language;
  10. Creating group chats to shame the borrower.

In such cases, deletion is only one remedy. The borrower may also consider complaints for data privacy violations, cyber-related offenses, unfair debt collection, harassment, or abusive lending practices.

Before requesting deletion, the borrower should preserve screenshots, call logs, names of collectors, phone numbers, app notices, and messages.

XII. Step One: Identify the Lending Company

Before making a deletion request, identify the real company behind the app.

Look for:

  1. App name;
  2. Lending company or financing company name;
  3. SEC registration details, if shown;
  4. Certificate of authority number, if shown;
  5. Business address;
  6. Customer service email;
  7. Data protection officer contact;
  8. Privacy policy;
  9. Terms and conditions;
  10. Developer name in app store;
  11. Official website;
  12. Collection agency name, if any;
  13. Phone numbers and email addresses used.

If the app hides its identity or provides no privacy contact, that itself may be a compliance red flag.

XIII. Step Two: Secure Evidence Before Deleting the App

Do not immediately uninstall the app without preserving evidence, especially if there has been harassment or unauthorized data use.

Save:

  1. Screenshots of app profile;
  2. Screenshots of loan details;
  3. Privacy policy;
  4. Permissions requested by the app;
  5. Uploaded documents;
  6. Chat or SMS messages;
  7. Call logs;
  8. Collection notices;
  9. Payment receipts;
  10. Proof of full payment, if applicable;
  11. Contacts who received messages;
  12. App store listing;
  13. Customer service replies;
  14. Data deletion requests sent.

Uninstalling the app may remove useful evidence.

XIV. Step Three: Revoke App Permissions

Before or while making a deletion request, revoke unnecessary permissions on the device.

Common permissions to revoke:

  1. Contacts;
  2. Photos and videos;
  3. Camera;
  4. Microphone;
  5. Location;
  6. SMS;
  7. Call logs;
  8. Storage;
  9. Nearby devices;
  10. Background data access, if unnecessary.

Revoking permissions stops future access from the device, but it does not delete data already collected by the app. A separate deletion request is still needed.

XV. Step Four: Pay or Dispute Any Outstanding Loan

If there is an outstanding legitimate loan, the app may retain records needed for collection and legal documentation.

The borrower should determine:

  1. Is the loan real and released?
  2. How much was actually received?
  3. What fees were deducted?
  4. What is the due date?
  5. What payments were made?
  6. Are charges lawful and disclosed?
  7. Is the app registered or authorized?
  8. Is the debt disputed?
  9. Are collectors using unlawful methods?
  10. Has the loan been fully paid?

If the loan is fully paid, request a certificate of full payment or account closure confirmation. This strengthens the deletion request.

If the loan is disputed, request a statement of account and preserve evidence.

XVI. Step Five: Send a Written Data Deletion Request

The request should be in writing and sent to the lending company’s official customer service, data protection officer, or privacy contact.

Use email if possible. If only in-app support exists, take screenshots. If the company has a physical address, a written letter may also be sent.

The request should clearly state:

  1. Full name;
  2. Registered mobile number or account ID;
  3. Email address used;
  4. Specific data to be deleted;
  5. Account closure request;
  6. Withdrawal of consent for optional processing;
  7. Request to stop contacting third parties;
  8. Request to identify retained data and legal basis;
  9. Request for written confirmation;
  10. Deadline for response.

XVII. Sample Data Deletion Request

Subject: Request for Deletion, Blocking, and Cessation of Processing of Personal Data

To the Data Protection Officer / Privacy Office / Customer Support of [Name of Lending App or Company]:

I am [full name], registered with your app under mobile number [number] and/or email address [email].

I am exercising my rights as a data subject under Philippine data privacy law. I request the deletion, blocking, destruction, or anonymization of my personal data that is no longer necessary for any lawful purpose, including but not limited to uploaded IDs, selfies, contact list data, device data, photos, location data, marketing data, and other personal information collected through your app.

I also withdraw my consent to any optional processing, marketing, profiling, sharing with affiliates, access to my contacts, and disclosure to third parties not necessary for a lawful and legitimate purpose.

If you claim that any data must be retained, please identify the specific data retained, the legal basis for retention, the retention period, and the persons or entities with whom the data has been shared.

I further request that you stop contacting, messaging, or disclosing my personal information to my family, friends, employer, co-workers, phone contacts, or any third party, except where expressly authorized by law.

Please confirm in writing within a reasonable period that my request has been acted upon.

This request is made without prejudice to any complaint I may file before the National Privacy Commission, SEC, law enforcement, or other appropriate agency for any unlawful processing, harassment, unauthorized disclosure, or misuse of my personal data.

Sincerely,

[Name] [Mobile Number] [Email Address] [Date]

XVIII. Step Six: Request Information on Data Sharing

Deletion should include not only the app itself but also third parties that received the data.

Ask the lending company:

  1. What personal data was collected?
  2. What data came from device permissions?
  3. Was the contact list uploaded?
  4. Was data shared with collection agencies?
  5. Was data shared with affiliates?
  6. Was data shared with credit bureaus or databases?
  7. Was data stored outside the Philippines?
  8. What is the retention period?
  9. What data was deleted?
  10. What data was retained and why?

This is important because the lending app may have already shared the data with collectors or processors.

XIX. Step Seven: Demand Cessation of Third-Party Contact

If collectors are contacting the borrower’s contacts, include a specific demand.

I specifically demand that you and your agents, collectors, service providers, and representatives immediately stop calling, texting, messaging, or otherwise contacting my phone contacts, family members, employer, co-workers, references, or any third person for the purpose of collecting, shaming, threatening, or disclosing information about me or any alleged loan.

I further demand deletion or blocking of any phonebook, contact list, or third-party personal data obtained from my device or account, except where you can prove a lawful basis for retention and processing.

XX. Step Eight: Ask for Account Closure and Certificate of Full Payment

If the loan is fully paid, request proof.

Please confirm that my loan account is fully paid and closed. Kindly issue a certificate or written confirmation of full payment, account closure, and cessation of further collection activity.

Upon closure, please delete, block, anonymize, or destroy all personal data no longer necessary for lawful retention, and confirm the categories of data retained, if any.

A certificate of full payment helps prevent repeated collection, relending, or future misuse.

XXI. Step Nine: Follow Up and Set a Deadline

A reasonable follow-up period may be stated in the request. If the company ignores the request, the user should send a follow-up and preserve proof.

The follow-up should include:

  1. Date of original request;
  2. Copy of original request;
  3. Reminder of data subject rights;
  4. Demand for written response;
  5. Notice that a complaint may be filed.

XXII. Sample Follow-Up Letter

Subject: Follow-Up on Data Deletion Request

To [Company/App]:

I refer to my data deletion and account closure request dated [date]. As of today, I have not received a complete written response.

Please act on my request and confirm what personal data has been deleted, blocked, anonymized, or retained, including the legal basis and retention period for any data you continue to keep.

If I do not receive a proper response, I will consider filing a complaint with the National Privacy Commission and other appropriate government agencies.

Sincerely,

[Name]

XXIII. Step Ten: File a Complaint if the App Refuses or Misuses Data

If the online lending app refuses deletion without lawful basis, ignores the request, continues harassment, or discloses data to contacts, the borrower may file complaints with appropriate agencies.

Possible complaint forums include:

  1. National Privacy Commission;
  2. Securities and Exchange Commission, for lending or financing company issues;
  3. Bangko Sentral ng Pilipinas, if a BSP-supervised financial institution or payment provider is involved;
  4. Philippine National Police Anti-Cybercrime Group;
  5. National Bureau of Investigation Cybercrime Division;
  6. Prosecutor’s office, if criminal acts are involved;
  7. Courts, for damages or injunction in appropriate cases;
  8. App store reporting channels;
  9. Digital wallet or payment provider complaints, if payment abuse occurred.

The strongest privacy-related forum is usually the National Privacy Commission.

XXIV. Complaint Before the National Privacy Commission

A complaint may be filed when the lending app:

  1. Collects excessive data;
  2. Accesses contacts without lawful basis;
  3. Discloses personal data to contacts;
  4. Posts or threatens to post personal data;
  5. Uses data for harassment;
  6. Refuses to respond to a data subject request;
  7. Retains data without lawful basis;
  8. Fails to provide a privacy notice;
  9. Shares data with unauthorized collectors;
  10. Fails to secure personal data;
  11. Uses false or misleading consent;
  12. Processes data for purposes not disclosed.

The complaint should include evidence and a clear narrative.

XXV. Evidence for an NPC Complaint

Prepare:

  1. Copy of data deletion request;
  2. Proof the request was sent;
  3. App privacy policy;
  4. Screenshots of permissions requested;
  5. Screenshots of account profile;
  6. Screenshots of uploaded data, if visible;
  7. Harassing messages;
  8. Messages sent to contacts;
  9. Affidavits or screenshots from contacts;
  10. Call logs;
  11. Full payment proof;
  12. Statement of account;
  13. App store listing;
  14. Company identity or SEC details, if available;
  15. Customer support replies or refusal;
  16. Timeline of events.

The complaint should be organized and factual.

XXVI. Sample NPC Complaint Narrative

I am filing this complaint against [name of lending app/company] for unlawful processing, unauthorized disclosure, and refusal to delete or block my personal data.

On [date], I installed and registered with [app name] using mobile number [number]. The app required me to submit [IDs/selfie/employment details] and requested access to my contacts and other device data.

On [date], I requested deletion, blocking, and cessation of processing of my personal data, especially my contact list and uploaded documents. Despite my request, the company failed/refused to respond and continued to [state acts: contact my phone contacts, send threatening messages, disclose my alleged loan, use my photo, etc.].

Attached are screenshots of my request, proof of sending, messages from the app/collectors, screenshots from my contacts, payment proof, and the app’s privacy policy.

I respectfully request investigation and appropriate relief, including deletion or blocking of unlawfully processed data, cessation of unauthorized disclosure, and other remedies allowed by law.

XXVII. Complaint Before the SEC

The SEC regulates lending companies and financing companies. If the app is operated by a lending or financing company, or if it claims to be one, the SEC may be relevant.

Complaints may involve:

  1. Unregistered lending operations;
  2. Abusive debt collection;
  3. Unfair lending practices;
  4. False or misleading app identity;
  5. Excessive or hidden charges;
  6. Harassment;
  7. Misuse of borrower data by online lending operators;
  8. Operating despite revocation or suspension;
  9. Failure to disclose terms;
  10. Use of unauthorized collection practices.

A data deletion complaint may be paired with an SEC complaint if the app’s business practices are abusive or illegal.

XXVIII. Complaint to Law Enforcement

If the app or collectors threaten, extort, harass, defame, use obscene content, impersonate officials, or publish personal data online, law enforcement may be appropriate.

Possible criminal concerns include:

  1. Grave threats;
  2. Unjust vexation;
  3. Coercion;
  4. Cyber libel;
  5. Identity theft;
  6. Computer-related fraud;
  7. Illegal access;
  8. Data privacy offenses;
  9. Other crimes depending on the facts.

Preserve all evidence before blocking or deleting messages.

XXIX. App Store Complaints

Users may also report the app to the platform where it is distributed.

An app store complaint may state:

  1. The app collects excessive data;
  2. It accesses contacts or media without proper need;
  3. It harasses users;
  4. It discloses borrower data;
  5. It uses misleading identity;
  6. It refuses deletion requests;
  7. It engages in predatory lending.

This may help get the app reviewed or removed, but it is not a substitute for legal complaint.

XXX. Can the Borrower Demand Deletion While the Loan Is Unpaid?

Yes, but the request may be partially granted.

Even with an unpaid loan, the borrower may demand deletion or blocking of data that is unnecessary, excessive, unlawfully collected, or unlawfully used.

The lender may retain data needed for:

  1. Loan contract;
  2. Collection of legitimate debt;
  3. Accounting;
  4. Legal claims;
  5. Regulatory compliance.

But the borrower can still object to:

  1. Contact list misuse;
  2. Public shaming;
  3. Harassment;
  4. Marketing;
  5. Unnecessary profiling;
  6. Disclosure to unrelated third parties;
  7. Access to photos or media;
  8. Collection methods violating privacy rights.

An unpaid loan does not give the lender unlimited authority over the borrower’s personal data.

XXXI. Can the Borrower Demand Deletion After Full Payment?

Yes. After full payment, the lender’s justification for active processing becomes weaker, although some records may still be retained for lawful periods.

The borrower may demand:

  1. Account closure;
  2. Certificate of full payment;
  3. Deletion of unnecessary data;
  4. Blocking of archived data;
  5. End of collection activity;
  6. Removal from marketing lists;
  7. Deletion of contacts data;
  8. Confirmation of retention period for any remaining data.

The lender may retain payment and contract records for legal, accounting, audit, and regulatory reasons, but it should not continue unnecessary or abusive processing.

XXXII. Can the App Keep Data for Credit Reporting?

A lender may report legitimate credit information to authorized credit reporting systems if legally allowed and properly disclosed. However, reporting must be accurate, fair, and lawful.

The borrower may request:

  1. Copy of reported information;
  2. Correction of inaccurate information;
  3. Identification of recipients;
  4. Basis for credit reporting;
  5. Removal of unlawfully reported information.

If the lender reports false delinquency or continues reporting after full payment without basis, the borrower may seek correction.

XXXIII. Can the App Keep Screenshots of the Borrower’s ID?

It may retain identity verification records if there is a lawful basis, especially for an active or recently closed loan. However, retention should be limited, secure, and tied to legitimate purposes.

The borrower may demand deletion if:

  1. No loan was released;
  2. Application was rejected and retention is unnecessary;
  3. Data was collected by an unregistered or fraudulent app;
  4. Data is being used for harassment;
  5. Retention period has expired;
  6. The company cannot explain a lawful basis.

At minimum, the app should identify why it is keeping the ID, how long it will retain it, and how it protects it.

XXXIV. Can the App Keep the Borrower’s Contact List?

This is more doubtful and more sensitive. A lender may ask for references, but scraping an entire phonebook is often excessive relative to a loan transaction.

The borrower should specifically demand deletion of:

  1. Uploaded phonebook;
  2. Contact list;
  3. Non-borrower third-party details;
  4. Employer contacts not voluntarily provided;
  5. Family contacts collected through device access;
  6. Any contact information used for shaming or threats.

Third-party contacts are also data subjects. They did not necessarily consent to having their data collected by the lending app.

XXXV. Can the Borrower Ask the App to Delete Data From Collection Agencies?

Yes. The borrower should ask the lending company to instruct its collectors, agents, processors, and affiliates to delete or return personal data no longer needed or unlawfully obtained.

The request should include:

  1. Name of collection agencies;
  2. Data shared with them;
  3. Purpose of sharing;
  4. Legal basis;
  5. Confirmation of deletion;
  6. Cessation of calls and messages to contacts.

The principal lending company may still be responsible for how its agents process borrower data.

XXXVI. Can the Borrower Delete Data by Uninstalling the App?

No. Uninstalling the app only removes the app from the device. It does not automatically delete data already uploaded to the app’s servers or shared with third parties.

After uninstalling, the borrower should still send a deletion request and revoke permissions.

XXXVII. Can the Borrower Delete Data by Changing Phone Number?

Changing phone number may stop some calls, but it does not delete data. It may also make it harder to receive notices or prove account ownership.

It is better to:

  1. Preserve evidence;
  2. Send a written deletion request;
  3. Revoke permissions;
  4. Close the account;
  5. File complaints if harassment continues.

XXXVIII. What If the App Has No Deletion Button?

Many apps do not provide a clear deletion button. The user may still exercise data subject rights by contacting the company’s privacy office or customer support.

A deletion mechanism should not be illusory. If the app makes deletion impossible or ignores requests, that may support a privacy complaint.

XXXIX. What If the App Requires the User to Log In but the Account Is Locked?

If the account is locked, send the request by email or written letter and include enough information to identify the account, but do not submit unnecessary additional data.

State:

  1. Account mobile number;
  2. Full name;
  3. Approximate application date;
  4. Loan reference number, if known;
  5. Request for deletion or account closure;
  6. Request for alternative verification method.

Do not provide new sensitive documents unless necessary and safe.

XL. What If the App Demands Another ID Before Deleting Data?

A company may need to verify identity before acting on a deletion request, but it should not collect excessive additional data.

If the request comes from the same registered email or mobile number, additional verification may be limited.

If the app demands another government ID, the user may ask:

  1. Why it is necessary;
  2. How it will be used;
  3. Whether partial masking is allowed;
  4. Whether another verification method is available;
  5. Whether the ID will be deleted after verification.

Avoid sending more sensitive documents to suspicious or abusive apps.

XLI. What If the Lending App Is Fake or a Scam?

If the app is fake or a scam, deletion may be difficult because the operator may not comply.

The user should:

  1. Preserve evidence;
  2. Revoke permissions;
  3. Change passwords;
  4. Monitor bank and wallet accounts;
  5. Report to app store;
  6. Report to NPC;
  7. Report to law enforcement;
  8. Report to SEC if it poses as a lender;
  9. Warn contacts that scammers may message them;
  10. Monitor for identity theft.

Do not pay additional “deletion fees,” “account closure fees,” or “data removal fees” demanded by scammers.

XLII. What If the App Threatens to Post Personal Data Unless Paid?

That is a serious red flag.

The borrower should:

  1. Preserve screenshots;
  2. Do not panic-pay without verifying the debt;
  3. Report to NPC;
  4. Report to cybercrime authorities;
  5. Report to SEC if the entity is a lending company;
  6. Notify trusted contacts;
  7. Secure social media privacy settings;
  8. Keep payment proof if any payment is made;
  9. Seek legal assistance if threats continue.

Threatening to expose personal information is not a lawful collection practice.

XLIII. What If the App Posted the Borrower’s Data Online?

If personal data has been posted publicly, request immediate takedown from:

  1. Lending app;
  2. Collection agency;
  3. Social media platform;
  4. Website host, if identifiable;
  5. Group administrator, if posted in a group.

Also preserve evidence before takedown:

  1. Full screenshots;
  2. URL;
  3. Date and time;
  4. Account that posted;
  5. Comments;
  6. Shares;
  7. Persons tagged;
  8. Messages received afterward.

Then file appropriate privacy and cyber complaints.

XLIV. What If Contacts Were Messaged?

If contacts were messaged, ask them to send screenshots showing:

  1. Sender number or account;
  2. Date and time;
  3. Exact message;
  4. Any image or attachment;
  5. Caller ID or call logs;
  6. Group chat details, if any.

The borrower should ask the lending app to delete third-party contact data and stop contacting those people.

Contacts themselves may also have privacy rights because their data was collected and used without their direct participation in the loan.

XLV. What If the App Claims the Borrower Consented?

Many apps rely on consent through terms and conditions. But consent must be valid, specific, informed, and tied to lawful processing. Consent does not authorize everything.

Even if the borrower clicked “agree,” the app may still be questioned if it:

  1. Collected excessive data;
  2. Hid important terms;
  3. Used vague consent;
  4. Accessed contacts unrelated to lending;
  5. Disclosed data to shame the borrower;
  6. Processed data for purposes not disclosed;
  7. Used unfair or deceptive design;
  8. Made consent a condition for unnecessary processing;
  9. Refused withdrawal for optional processing.

Consent is not a license for harassment.

XLVI. What If the App’s Privacy Policy Allows Sharing?

A privacy policy may disclose sharing, but the sharing must still be lawful, necessary, fair, and not excessive.

The borrower may ask:

  1. Who received the data?
  2. What data was shared?
  3. Why was it shared?
  4. Was the recipient a collector, affiliate, processor, or credit bureau?
  5. How long will they keep it?
  6. Can it be deleted or blocked?
  7. Was the borrower informed clearly?

A broad privacy policy does not automatically justify abusive disclosure.

XLVII. Data of References and Emergency Contacts

Borrowers may voluntarily submit references or emergency contacts. However, the app should use those contacts only for legitimate and disclosed purposes.

The app should not:

  1. Shame the borrower to references;
  2. Disclose unnecessary loan details;
  3. Threaten references;
  4. Harass family members;
  5. Contact employers abusively;
  6. Pretend references are co-borrowers;
  7. collect payment from people who did not guarantee the loan.

A deletion request should ask the app to remove references once no longer necessary or after full payment.

XLVIII. Employer Contact and Workplace Harassment

Some apps contact the borrower’s employer or co-workers. This may create reputational and employment harm.

The borrower may demand that the app stop:

  1. Calling the office;
  2. Messaging HR;
  3. Disclosing the loan to supervisors;
  4. Sending defamatory messages;
  5. Threatening workplace complaints;
  6. Using employer contact data for harassment.

If the app falsely accuses the borrower of fraud or crime, additional legal remedies may apply.

XLIX. Deleting Marketing Data

Even where loan records are retained, the borrower may separately opt out of marketing.

The request should say:

  1. Stop promotional SMS;
  2. Stop push notifications;
  3. Stop email marketing;
  4. Stop telemarketing;
  5. Stop sharing data with marketing affiliates;
  6. Delete marketing profile;
  7. Remove from remarketing audiences.

Marketing is usually easier to stop than legally required loan record retention.

L. Deleting Data After Denied Application

If the app denied the loan application, the borrower may ask why data must still be retained.

A denied applicant may request deletion of:

  1. Uploaded ID;
  2. Selfie;
  3. Employment data;
  4. Contact list;
  5. Device data;
  6. Application profile;
  7. Marketing data.

The app may retain limited anti-fraud or application records for a lawful period, but it should explain the legal basis and retention period.

LI. Deleting Data After Account Inactivity

If the account has been inactive for a long time, the borrower may request account closure and deletion of unnecessary records.

The app should not indefinitely retain personal data without a lawful purpose. Retention must be tied to a legitimate reason.

LII. Deleting Data of a Fraudulent Account Opened in Your Name

If someone used your identity to open a lending app account, take immediate steps.

  1. Notify the app that the account is fraudulent;
  2. Request suspension or blocking of the account;
  3. Request deletion of unlawfully submitted data;
  4. Ask for copies of documents used;
  5. File a police or cybercrime report;
  6. File an NPC complaint if identity data was misused;
  7. Inform banks, e-wallets, and credit bureaus if necessary;
  8. Preserve all collection messages.

The app should not continue collection against a person who did not apply for or receive the loan without investigating identity theft.

LIII. Deleting Data From an Unregistered Online Lender

If the lender is unregistered, the user should still send a deletion request if contact information exists. But the user should also file complaints with relevant agencies.

An unregistered lender may be more likely to ignore privacy rights, so evidence preservation is crucial.

The user should avoid giving more personal data to an unverified entity.

LIV. What to Include in a Strong Deletion Request

A strong request includes:

  1. Name of borrower;
  2. Account mobile number;
  3. Loan reference number, if any;
  4. Statement that the request is made under data privacy rights;
  5. Request for account closure;
  6. Request for deletion or blocking of unnecessary data;
  7. Specific mention of contact list, photos, IDs, selfies, and device data;
  8. Withdrawal of consent for optional processing;
  9. Objection to marketing;
  10. Demand to stop contacting third parties;
  11. Request to identify retained data and legal basis;
  12. Request for retention period;
  13. Request for list of third-party recipients;
  14. Request for written confirmation;
  15. Warning that complaints may be filed.

LV. What Not to Say in a Deletion Request

Avoid:

  1. Threats of violence;
  2. False statements;
  3. Admission of debt if the loan is disputed;
  4. Abusive language;
  5. Unnecessary personal details;
  6. Sending new IDs unless necessary;
  7. Waiving claims;
  8. Agreeing to pay illegal fees;
  9. Deleting evidence before complaint;
  10. Posting sensitive details publicly.

Keep the request firm, factual, and documented.

LVI. Should the Borrower Use a Lawyer?

A lawyer may help if:

  1. The amount is large;
  2. There is harassment;
  3. Personal data was posted online;
  4. Employer or contacts were messaged;
  5. The borrower is being threatened;
  6. Identity theft occurred;
  7. The app refuses deletion;
  8. Multiple agencies must be approached;
  9. A civil or criminal case is being considered;
  10. The borrower needs a formal demand letter.

For simple account closure, a user may first send a direct deletion request. For serious abuse, legal assistance is advisable.

LVII. Role of a Data Protection Officer

A legitimate lending company should have a privacy contact or data protection officer. The DPO or privacy office should receive and process data subject requests.

The borrower should look for the DPO contact in:

  1. Privacy policy;
  2. App settings;
  3. Website;
  4. Terms and conditions;
  5. SEC or company disclosures;
  6. Customer service channels.

If no DPO or privacy contact is provided, send the request to official support and state that it should be forwarded to the responsible privacy officer.

LVIII. Retention Periods

A legitimate lender should not keep personal data forever without reason. Its privacy policy should state retention periods or criteria.

Retention may be based on:

  1. Loan term;
  2. Dispute period;
  3. Accounting requirements;
  4. Tax records;
  5. Regulatory audit;
  6. Anti-fraud monitoring;
  7. Legal claims;
  8. Complaint handling.

The borrower may ask for the specific retention period for each category of data.

LIX. Secure Deletion

A request should ask not only for deletion but secure deletion.

Secure deletion means:

  1. Active databases updated;
  2. Uploaded files removed or blocked;
  3. Backups handled under retention protocols;
  4. Third-party processors instructed;
  5. Access logs preserved where needed;
  6. Marketing lists updated;
  7. Contact list data removed;
  8. Future processing stopped.

Some data may remain in backups temporarily, but it should not be actively used and should be deleted according to backup retention schedules.

LX. Anonymization as an Alternative

If a lender needs statistics but not identity, it may anonymize data. Proper anonymization means the data can no longer identify the borrower.

For example, the company may retain aggregate loan statistics without the borrower’s name, phone number, ID, or account details.

Anonymization can satisfy privacy goals while allowing legitimate analytics.

LXI. Blocking as an Alternative

Blocking means restricting further processing even if data is not immediately destroyed.

Blocking may be appropriate where:

  1. A legal dispute is pending;
  2. Data must be preserved as evidence;
  3. The company must retain records but should not use them for marketing or collection harassment;
  4. Deletion is temporarily impossible but further use must stop.

A borrower may request blocking of data pending investigation.

LXII. Correcting Data Instead of Deleting

If the app reports incorrect information, the remedy may be correction rather than deletion.

Examples:

  1. Wrong outstanding balance;
  2. Incorrect late payment status;
  3. Loan marked unpaid despite full payment;
  4. Wrong name or phone number;
  5. Wrong employer information;
  6. Fraudulent account.

The borrower should request correction, not only deletion, especially where credit records are affected.

LXIII. Deletion and Evidence Preservation Conflict

If the borrower intends to file a complaint, complete deletion by the app may remove evidence. The borrower should preserve their own copies first.

In some cases, the request may ask the app to:

  1. Stop unlawful processing;
  2. Block public disclosure;
  3. Preserve records for investigation;
  4. Delete only unnecessary data;
  5. Provide a copy of personal data before deletion.

This is important where the borrower needs proof of abuse.

LXIV. Requesting Access Before Deletion

A borrower may first request a copy of data being processed.

An access request may ask:

  1. What data do you hold about me?
  2. Where did you obtain it?
  3. Why are you processing it?
  4. Who received it?
  5. How long will you retain it?
  6. What automated decisions were made?
  7. What data came from my device?
  8. What data came from third parties?

After receiving the response, the borrower can make a more precise deletion request.

LXV. Sample Access and Deletion Request Combined

Subject: Request for Access, Account Closure, and Deletion of Personal Data

To [Company/App]:

I request a copy or summary of all personal data your company processes about me, including identity documents, selfies, loan application data, device data, contact list data, location data, communications, payment records, and data shared with collection agencies or third parties.

I also request account closure and deletion, blocking, anonymization, or destruction of all personal data no longer necessary for a lawful purpose.

For any data you claim must be retained, please identify the data, purpose, legal basis, retention period, and third-party recipients.

I withdraw consent to optional processing, marketing, profiling, contact list processing, and sharing not necessary for a lawful purpose.

Please provide written confirmation.

[Name] [Registered mobile number] [Date]

LXVI. If the App Responds With a Generic Refusal

A generic refusal may say: “We cannot delete your data under company policy.”

This is insufficient if it does not explain the legal basis, data categories, and retention period.

The borrower may reply:

Your response does not identify the specific personal data you are retaining, the legal basis for retention, or the retention period. Please provide a specific response to my data subject request.

Company policy alone is not a sufficient explanation if it is not tied to a lawful basis for continued processing. I reiterate my request for deletion, blocking, or anonymization of data no longer necessary for lawful purposes, especially contact list data, marketing data, device data, and personal data disclosed to third parties.

LXVII. If the App Says Deletion Is Impossible Because of System Limitations

System limitations are generally not a complete excuse for ignoring data rights. The company should at least block, restrict, anonymize, or stop unnecessary processing.

The borrower may reply:

If immediate deletion is not technically possible, please block or restrict further processing of the data, stop all unnecessary use and disclosure, remove me from marketing and contact lists, and provide your timeline for permanent deletion or anonymization.

Please also identify the specific technical limitation and the safeguards applied while the data remains stored.

LXVIII. If the App Continues Harassment After Deletion Request

Continuing harassment after a deletion request strengthens the case for complaint.

The borrower should:

  1. Preserve new messages;
  2. Record dates and times;
  3. Ask contacts for screenshots;
  4. Send a final warning;
  5. File NPC complaint;
  6. File SEC complaint if a lender is involved;
  7. Consider cybercrime report;
  8. Avoid engaging with abusive collectors except through documented channels.

LXIX. Demand to Collection Agency

If a collection agency is contacting the borrower or third parties, send a separate request.

Subject: Demand to Cease Unauthorized Processing and Contact

To [Collection Agency/Collector]:

I demand that you stop processing and disclosing my personal data and stop contacting my family, employer, co-workers, phone contacts, or any third party regarding any alleged loan with [lending app/company].

Please identify the source of the personal data you are using, the legal basis for processing it, and the authority under which you are acting.

I also demand deletion or return of any personal data not necessary for a lawful purpose, including any phonebook or contact list data obtained from my device or from the lending app.

This demand is without prejudice to complaints before the National Privacy Commission, SEC, law enforcement, and other appropriate agencies.

LXX. Protecting Yourself After Sending the Request

After sending the request:

  1. Save proof of sending;
  2. Screenshot replies;
  3. Revoke app permissions;
  4. Change passwords;
  5. Enable two-factor authentication;
  6. Monitor e-wallet and bank accounts;
  7. Watch for unauthorized loans;
  8. Warn close contacts if harassment is likely;
  9. Check credit or lending records if available;
  10. Keep all evidence in a folder.

LXXI. Deleting Personal Data From the Phone

Apart from deletion from the lending app’s servers, the borrower may remove local data from the phone.

Steps may include:

  1. Clear app cache;
  2. Clear app storage;
  3. Revoke permissions;
  4. Uninstall app;
  5. Delete downloaded loan documents, if desired;
  6. Remove suspicious files;
  7. Check device administrator permissions;
  8. Scan for malware;
  9. Update operating system;
  10. Change passwords.

However, do not delete evidence needed for complaints unless copies are safely preserved.

LXXII. Securing Social Media Accounts

If the app or collectors threaten to contact or shame contacts:

  1. Set profiles to private;
  2. Hide friends list;
  3. Limit who can tag or mention you;
  4. Review old public posts;
  5. Remove phone number visibility;
  6. Block suspicious accounts;
  7. Preserve threatening messages before blocking;
  8. Warn close contacts not to engage.

This does not delete data from the app but reduces misuse risk.

LXXIII. Securing Contacts

If the app accessed contacts, consider informing important contacts briefly.

A simple message may say:

Hi, I’m dealing with a privacy issue involving a lending app. You might receive strange messages or calls using my name. Please ignore them, don’t share any information, and send me a screenshot if you receive anything. Thank you.

Avoid lengthy public posts that may create defamation or privacy issues.

LXXIV. Securing Financial Accounts

If you uploaded IDs, selfies, or bank details:

  1. Monitor bank accounts;
  2. Monitor e-wallets;
  3. Change passwords;
  4. Enable biometric or two-factor authentication;
  5. Report suspicious activity;
  6. Lock cards if compromised;
  7. Watch for loan applications in your name;
  8. Keep copies of reports.

If identity theft is suspected, file a police or cybercrime report.

LXXV. If the Borrower Is Being Collected for a Loan Already Paid

Request:

  1. Certificate of full payment;
  2. Updated statement of account;
  3. Deletion of collection profile;
  4. Stop-collection instruction to agents;
  5. Correction of internal records;
  6. Correction of any credit report;
  7. Written confirmation.

Send proof of payment with sensitive information masked where possible.

LXXVI. If There Was No Loan Released

If the app collected personal data but no loan was released, the borrower has a strong basis to request deletion of unnecessary application data.

The request should say:

  1. No loan was released;
  2. No continuing account exists;
  3. No debt is owed;
  4. Data is no longer necessary;
  5. Delete ID, selfie, contacts, and application data;
  6. Stop marketing and profiling;
  7. Confirm deletion.

If the app demands payment despite no released loan, preserve evidence and consider complaints.

LXXVII. If the App Charged Fees but Did Not Release Loan

This may be both a lending scam and data privacy issue.

Actions:

  1. Preserve payment receipts;
  2. Preserve chat instructions;
  3. Demand refund if money was paid;
  4. Demand deletion of personal data;
  5. Report to wallet provider if payment was sent;
  6. Report to SEC or law enforcement;
  7. File NPC complaint if data is misused.

Do not send additional fees to “delete data.”

LXXVIII. If the App Is Still on Your Phone

Before uninstalling:

  1. Screenshot account details;
  2. Screenshot loan status;
  3. Screenshot privacy settings;
  4. Screenshot permissions;
  5. Download statements if available;
  6. Save payment history;
  7. Send deletion request;
  8. Revoke permissions;
  9. Then uninstall if no longer needed.

LXXIX. If the App Was Removed From the App Store

If the app is removed but the company still processes data:

  1. Use prior email or website contacts;
  2. Search old privacy policy saved in screenshots;
  3. Contact the company name shown in loan documents;
  4. Contact collection agency if identified;
  5. File NPC complaint if no response;
  6. File SEC complaint if lender was operating abusively;
  7. Preserve app store removal evidence.

Removal from app store does not erase collected data.

LXXX. If the App Operator Is Outside the Philippines

Some apps may be operated from abroad or hide behind foreign entities. If they process data of Philippine users or operate in the Philippine lending market, Philippine agencies may still be relevant, especially if a local lending company, collection agency, payment channel, or representative is involved.

The borrower should identify:

  1. Local company name;
  2. Philippine collection agency;
  3. Payment account holder;
  4. App developer;
  5. Website operator;
  6. Customer support email;
  7. Privacy contact;
  8. App store listing.

Complaints may be harder to enforce against purely foreign operators, but local partners may still be accountable.

LXXXI. Deletion and Blacklisting

Some borrowers worry that requesting deletion will lead to “blacklisting.” A legitimate lender may maintain lawful internal risk records or credit reporting records, but it should not use deletion requests as retaliation.

A borrower has a right to exercise privacy rights. The lender may not lawfully punish the borrower for objecting to unlawful processing or harassment.

However, if the borrower has an unpaid legitimate loan, the lender may still maintain collection and credit records consistent with law.

LXXXII. Deletion and Loan Waiver

Deleting personal data does not automatically erase a valid debt. If a loan was validly released and remains unpaid, the borrower may still owe the loan even if some data is deleted or blocked.

Likewise, paying the loan does not automatically erase all data, but it strengthens the request to close the account and delete unnecessary data.

Data deletion and debt payment are related but distinct.

LXXXIII. Deletion and Credit Score

If a lender lawfully reported credit information, deletion from the app may not automatically delete credit bureau records.

The borrower should separately request correction or deletion of inaccurate or unlawful credit reporting from the relevant entity.

If the account is fully paid, request that the lender update the status as paid.

LXXXIV. Deletion and Co-Borrowers or Guarantors

If the loan has a co-borrower or guarantor, the lender may retain some records involving them. The borrower cannot necessarily demand deletion of another person’s data without authority.

However, the borrower may still demand deletion of excessive or unlawfully collected third-party contact data.

LXXXV. Deletion and Minors

If a minor’s data was collected by a lending app, the issue is serious. Minors generally lack full contractual capacity, and processing their data requires heightened care.

A parent or guardian may demand deletion, account closure, and investigation.

Documents may include:

  1. Proof of parent or guardian identity;
  2. Proof of minor’s age;
  3. Screenshots of app account;
  4. Data collected;
  5. Any collection messages.

If the app granted a loan to a minor or harassed a minor, complaints should be considered.

LXXXVI. Deletion and Deceased Borrowers

If the borrower is deceased, heirs or representatives may seek closure of the account and cessation of unnecessary processing, particularly if collectors continue harassing family members.

The representative may need:

  1. Death certificate;
  2. Proof of relationship;
  3. Authority to act for estate, if required;
  4. Account details;
  5. Payment or loan documents.

Debt claims against the estate are separate from privacy and harassment concerns.

LXXXVII. Corporate Borrowers and Personal Data

If the borrower is a sole proprietor or corporate officer who used a lending app for business purposes, personal data may still be involved.

The individual may request deletion of personal data not necessary for the business loan, especially personal contacts, photos, and private information.

For corporate borrowers, authorized representatives may need to act for the business account, but personal data rights remain with individuals.

LXXXVIII. Data Breach Concerns

If the app’s database was leaked or personal data was exposed, users may ask:

  1. What data was affected?
  2. When did the breach occur?
  3. What actions were taken?
  4. Were regulators notified?
  5. Were affected users notified?
  6. What protections are offered?
  7. Will data be deleted or secured?

If the app fails to notify or respond, complaint may be filed with the NPC.

LXXXIX. Practical Timeline

A practical timeline may be:

  1. Day 1: Preserve evidence and revoke permissions.
  2. Day 1–2: Check loan status and payment records.
  3. Day 2: Send data deletion and account closure request.
  4. Day 5–10: Follow up if no response.
  5. Day 10–15: Send final demand if harassment continues.
  6. After continued refusal: File complaint with NPC and other agencies.
  7. Ongoing: Monitor accounts, contacts, and credit records.

The exact timing depends on urgency, harassment, and whether the loan is active.

XC. Data Deletion Checklist

Before sending the request:

  1. Identify the app and company;
  2. Screenshot app profile and loan details;
  3. Save privacy policy;
  4. Save payment records;
  5. Save harassment evidence;
  6. Revoke permissions;
  7. Prepare account details;
  8. Draft request;
  9. Send to official channels;
  10. Save proof of sending.

XCI. Complaint Checklist

For filing a complaint:

  1. Narrative of events;
  2. Copy of deletion request;
  3. Proof of sending;
  4. App screenshots;
  5. Privacy policy;
  6. Messages from collectors;
  7. Screenshots from contacts;
  8. Payment records;
  9. Full payment certificate, if any;
  10. Company details;
  11. App store listing;
  12. Witness statements, if available;
  13. Government ID for complainant, if required by agency;
  14. Contact details.

XCII. Common Mistakes by Borrowers

  1. Uninstalling the app before saving evidence;
  2. Deleting messages from collectors;
  3. Sending additional IDs to suspicious apps;
  4. Paying “data deletion fees”;
  5. Ignoring app permissions;
  6. Posting accusations online with unverified claims;
  7. Failing to request deletion in writing;
  8. Not asking for full payment certificate;
  9. Not filing complaints when harassment continues;
  10. Assuming full payment automatically deletes data.

XCIII. Common Mistakes by Lending Apps

  1. Collecting entire contact lists unnecessarily;
  2. Using contacts for shaming;
  3. Failing to provide a clear privacy notice;
  4. Hiding the company identity;
  5. Refusing deletion without legal basis;
  6. Retaining data indefinitely;
  7. Sharing data with unauthorized collectors;
  8. Using abusive collection language;
  9. Posting borrower data online;
  10. Ignoring data subject requests;
  11. Treating consent as unlimited;
  12. Failing to secure uploaded IDs and selfies.

XCIV. Remedies Available to the Borrower

Depending on facts, the borrower may seek:

  1. Deletion of unnecessary data;
  2. Blocking of data;
  3. Account closure;
  4. Correction of records;
  5. Full payment certification;
  6. End of collection harassment;
  7. Takedown of online posts;
  8. Identification of third-party recipients;
  9. Damages;
  10. Regulatory sanctions;
  11. Criminal investigation;
  12. Civil action;
  13. App store enforcement;
  14. Correction of credit reports.

XCV. Frequently Asked Questions

1. Can I force an online lending app to delete my data?

You can request deletion, blocking, or destruction of data that is unlawfully processed or no longer necessary. The app may retain some records if required by law, needed for a loan contract, collection, audit, tax, regulatory compliance, or legal claims.

2. Can I delete my data if I still have an unpaid loan?

You may still request deletion of unnecessary or unlawfully collected data, such as contact list data or marketing data. The lender may retain data necessary to document and collect a legitimate debt.

3. Can I delete my data after fully paying the loan?

Yes. Ask for account closure, certificate of full payment, deletion of unnecessary data, and explanation of any retained records.

4. Does uninstalling the app delete my data?

No. It only removes the app from your phone. Data already uploaded to the company’s servers may remain.

5. How do I stop the app from accessing my contacts?

Revoke contact permission in your phone settings. Then send a written request demanding deletion of any contact list data already collected.

6. Can the app message my contacts?

A lender should not use your contacts for harassment, shaming, threats, or unauthorized disclosure. If this happens, preserve evidence and consider complaints with the NPC, SEC, or law enforcement.

7. What if the app refuses to delete my data?

Ask for the legal basis, data categories, and retention period. If the refusal is unsupported or abusive processing continues, file a complaint with the National Privacy Commission.

8. What if the app has no customer service or DPO contact?

Send the request to all available official channels, preserve proof, and file a complaint if there is no response. Lack of a clear privacy contact is itself a warning sign.

9. Can I ask collection agencies to delete my data?

Yes. You can demand that the lender and its collectors stop unnecessary or unlawful processing and delete or return data not needed for a lawful purpose.

10. Can I demand deletion of my ID and selfie?

Yes, especially if no loan was released, the data is no longer necessary, or the app is misusing the data. The lender may claim limited retention for legal or anti-fraud purposes, but it must explain the basis and retention period.

11. Can I ask for damages?

If unlawful processing caused harm, humiliation, financial loss, identity theft, or emotional distress, damages may be pursued through appropriate legal remedies.

12. Should I file with the NPC or SEC?

For data privacy violations, file with the NPC. For abusive lending practices or unregistered lending operations, file with the SEC. Serious threats or online abuse may also justify law enforcement action.

XCVI. Best Practices for Borrowers

Borrowers should:

  1. Use only legitimate lending companies;
  2. Read privacy policies before applying;
  3. Avoid apps requiring excessive permissions;
  4. Never grant contact access unless truly necessary;
  5. Keep screenshots of loan terms;
  6. Use written communication;
  7. Pay through official channels only;
  8. Request a full payment certificate;
  9. Revoke permissions after use;
  10. Send deletion requests in writing;
  11. File complaints when harassment occurs;
  12. Protect IDs and selfies from misuse.

XCVII. Best Practices for Lending Apps

Legitimate lenders should:

  1. Collect only necessary data;
  2. Provide a clear privacy notice;
  3. Identify the company and DPO;
  4. Avoid contact scraping;
  5. Limit access to sensitive documents;
  6. Use lawful collection practices;
  7. Train collectors;
  8. Honor data subject requests;
  9. Publish retention periods;
  10. Secure IDs and selfies;
  11. Delete or anonymize data when no longer needed;
  12. Maintain complaint channels;
  13. Avoid abusive third-party disclosure.

XCVIII. Conclusion

Deleting personal data from an online lending app in the Philippines requires more than uninstalling the app. A borrower should preserve evidence, revoke app permissions, identify the lending company, send a written data deletion and account closure request, demand cessation of unnecessary processing, and require written confirmation of what data was deleted, retained, or shared.

The borrower has rights under Philippine data privacy law, including the right to request erasure or blocking of personal data under appropriate circumstances. However, a lending app may retain certain records when necessary for a lawful loan, collection, accounting, audit, regulatory compliance, or legal claims. The key is proportionality: the lender may keep what the law allows, but it may not misuse personal data, harass contacts, publicly shame borrowers, or retain excessive data indefinitely.

If the app ignores the request, refuses without legal basis, contacts third parties, posts personal information, or uses data for harassment, the borrower may file complaints with the National Privacy Commission, SEC, cybercrime authorities, or other appropriate agencies. In serious cases, legal counsel may be needed.

The safest approach is to act quickly, document everything, communicate in writing, demand deletion of unnecessary data, stop unlawful processing, and escalate to regulators when the app fails to respect privacy rights.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login