If you've used an online lending app in the Philippines and now want your personal data removed—whether because the loan is settled, the application was denied, or you're concerned about how the app collected or used your information—you have clear rights under Philippine law. The Data Privacy Act of 2012 gives individuals the ability to request the blocking, removal, or destruction of their personal data from these platforms when specific conditions are met. This article explains exactly what those rights cover, when they apply to lending apps, and the practical steps to exercise them, including what to do if the app does not cooperate.

Your Rights as a Data Subject

Under the Data Privacy Act of 2012 (Republic Act No. 10173), every person whose personal information is collected, stored, or processed by a company is a “data subject.” Lending apps and their operators are “personal information controllers” (PICs) and must respect several key rights, including the right to be informed about processing, the right to access your data, the right to correct inaccuracies, the right to object to processing, and the right to erasure or blocking.

The right to erasure or blocking lets you ask the app to suspend, withdraw, remove, or destroy your personal data from its systems (including backups) and those of its processors or affiliates. This right is not unlimited, but it is a powerful tool when your data is no longer needed, was collected excessively, or is being used in ways the law does not allow.

Legal Basis for Requesting Data Deletion

The right to erasure or blocking comes directly from the Data Privacy Act of 2012 and its Implementing Rules and Regulations (IRR), particularly the provisions detailing data subject rights. You may exercise this right when you can show substantial proof that any of the following applies:

• Your personal data is incomplete, outdated, false, or was unlawfully obtained.
• It is being used for a purpose you did not authorize.
• It is no longer necessary for the purpose for which it was collected.
• It concerns private information that is prejudicial to you (unless justified by freedom of speech or other legal grounds).
• You object to the processing and there is no other lawful basis for keeping it.
• The processing itself is unlawful.
• The lending app or its processors violated your data privacy rights.

These grounds are especially relevant to online lending apps. Many apps have been found to collect excessive data, such as full access to phone contacts, call logs, or location data, beyond what is reasonably needed for loan processing. The National Privacy Commission (NPC) has issued rules prohibiting the indiscriminate harvesting of contact lists for debt collection, and a March 2026 joint advisory from the Department of Information and Communications Technology (DICT), NPC, and Securities and Exchange Commission (SEC) reinforces that personal data must be retained only as long as necessary for the stated purpose, to defend legal claims, or as required by law—after which it must be securely disposed of.

Lending apps must also comply with SEC rules on fair debt collection. Violations, such as using your data to shame or harass you or your contacts, strengthen your case for erasure.

Important Limitations on Deletion Requests

Lending apps may lawfully refuse or limit your request in certain situations. They can keep data when it is still necessary to:

• Fulfill the original purpose of collection (for example, an active loan).
• Comply with a legal obligation, such as anti-money laundering record-keeping requirements (commonly five years for customer identification and transaction records).
• Establish, exercise, or defend legal claims (such as ongoing collection efforts or court cases).
• Meet legitimate business purposes consistent with industry retention standards.

Even when full deletion is not possible, you can still request that processing be restricted to only the legally required purposes and that the data not be used for marketing, profiling, or sharing with unrelated parties. If the app has already shared your data with third-party collectors or credit bureaus, ask the app (as the controller) to instruct those parties to stop processing or delete it as well. Credit reporting is handled separately under the Credit Information System Act, so you may need to file a dispute directly with the Credit Information Corporation (CIC) or the relevant credit bureau for any inaccuracies there.

Step-by-Step Guide to Requesting Deletion from an Online Lending App

Start by making a direct, written request to the app. Most will respond if the request is clear and properly documented.

1. Review the app’s privacy policy and locate the right contact. Look in the app settings, the company’s website footer, the Google Play or App Store listing, or the privacy notice itself for the Data Protection Officer (DPO) email or a dedicated privacy request channel. Note the exact company name behind the app, as many operate under registered lending or financing company names regulated by the SEC.

2. Prepare your identity verification. Have a clear scanned or photographed copy of one valid government-issued ID (passport, driver’s license, UMID, or PhilID). Foreigners or OFWs can usually use a passport copy.

3. Draft and send a formal written request. Use email (preferred for records) or any in-app/web form the app provides. Be specific about the data categories if you know them (for example, all personal information tied to your account, accessed contacts, device data, or marketing profiles). Clearly state the grounds that apply to your situation and ask for written confirmation of what will be deleted, what will be retained (and why), and confirmation that the action will extend to backups, processors, and affiliates.

4. Keep complete records. Screenshot or save the sent email, any delivery receipts, and all replies (or lack of replies). Note dates and times.

5. Follow up. If you receive no meaningful response within a reasonable period (many companies internally target around 30 days), send a polite follow-up referencing your original request and the Data Privacy Act.

Sample Data Erasure Request

You can adapt this template:

Subject: Data Privacy Act – Request for Erasure or Blocking of Personal Data – [Your Full Name] / Account [Number if known]

Dear Data Protection Officer,

I am exercising my right to erasure or blocking under the Data Privacy Act of 2012 and its Implementing Rules and Regulations.

My details:
Full name: [Your full name]
Registered mobile/email: [The number or email used in the app]
Account or loan reference (if any): [Number]

I request the erasure, anonymization, or blocking of my personal data from your systems, backups, and those of your processors, affiliates, and any third parties to whom it has been disclosed. This includes [list categories, e.g., all personal information, contact lists accessed, call recordings, geolocation data, device identifiers, and marketing profiles].

Grounds for this request: [Select and briefly explain those that apply, e.g., “The data is no longer necessary for the purposes for which it was collected, as my loan has been fully settled / my application was denied on [date]”; “The data was unlawfully obtained or processed beyond authorized purposes, including excessive access to my phone contacts in violation of NPC guidelines”; “I withdraw consent and there is no other lawful basis for continued processing.”]

Please provide within [reasonable number, e.g., 15–30] days:

• Written confirmation of the actions taken or to be taken.
• A description of any data you believe must be retained, the specific legal basis, and the retention period.
• Confirmation that you have instructed all processors, collectors, and affiliates to take the same actions.
• The expected completion date, including for backups.

Thank you. I look forward to your prompt response.

[Your full name]
[Your contact number and email]
[Date]

Attach your ID copy and any supporting documents (such as a loan settlement statement).

If the Lending App Does Not Respond or Denies Your Request

Ask for a written explanation that cites the exact legal basis for any denial or partial retention. You can also propose an interim measure: restrict processing of the data to only the claimed legal purpose while the matter is resolved.

If the response is unsatisfactory or there is no reply after follow-ups, escalate to the National Privacy Commission (NPC). The NPC is the government agency responsible for enforcing the Data Privacy Act and can investigate, order the app to comply with your erasure request, impose administrative penalties, and in serious cases refer matters for criminal prosecution.

How to File a Complaint with the National Privacy Commission

1. Gather strong evidence: copies of your deletion request and all follow-ups, proof the app received them, any denial or silence, your ID, and documents showing the grounds (for example, proof the loan is settled or that excessive data was collected).

2. Download the latest Complaint-Affidavit form from the NPC website (privacy.gov.ph). Fill it out completely and clearly narrate the facts in chronological order.

3. Have the completed affidavit notarized by a notary public (bring your ID and any supporting documents).

4. Submit via the NPC’s eComplaint portal (when available), by email to complaints@privacy.gov.ph, or by courier/in person to the NPC office. Include the notarized affidavit and all annexes (evidence) in PDF format where possible.

There is generally no filing fee. The NPC will docket the complaint, evaluate sufficiency, and typically order the lending app to comment or answer. The process may involve investigation and can result in an order directing deletion or other corrective action. Resolution timelines vary but often take several months depending on complexity and case volume. You can check status through NPC channels and follow up politely.

You may also report related issues (such as unfair collection practices) to the SEC at the same time.

Common Challenges and Practical Scenarios

Outstanding loan balance. Full deletion of core loan and repayment data is usually refused while the obligation exists, because the data remains necessary for collection or legal defense. You can still request restriction of processing for marketing or other non-essential uses and demand that the app stop contacting non-guarantor contacts.

Fully paid or denied application. These situations give you a stronger position once any required retention period has passed or the data is clearly no longer necessary. Document the settlement or denial date.

Data already shared with collectors or credit bureaus. The lending app remains responsible as the controller. Explicitly ask it to instruct those parties to delete or cease processing your data. Separately dispute any inaccurate credit information with the CIC or the bureau.

Foreigners and OFWs. The same rights apply when a Philippine-regulated entity processes your data. Use email for the initial request and passport copy for ID verification. NPC complaints proceed based on the location and regulation of the controller. Enforcement works the same way, though practical follow-through may take persistence.

Ongoing harassment or shaming. Document everything with screenshots (including dates and sender details). This strengthens both your NPC complaint and any report to the SEC or law enforcement. The 2026 joint advisory and earlier NPC circulars expressly prohibit using borrower data for harassment or unauthorized contact blasting.

Backups and technical realities. Apps may retain point-in-time backups for disaster recovery, but they must label them appropriately and eventually overwrite them according to their retention schedule. Your request should cover both live systems and backups.

Documents, Timelines, and Offices Involved

For the direct request to the app:

• Valid government ID (copy)
• Loan or account details
• Any supporting proof (settlement receipt, denial notice)
  No fees. Response expected within a reasonable time (commonly targeted at 30 days by many organizations).

For NPC complaint:

• Notarized Complaint-Affidavit
• All prior correspondence and evidence
• Government ID
  No filing fee for data subjects. Submit to NPC via portal, email, or physical channels. NPC office handles investigation and orders.

Other offices you may involve:

• Securities and Exchange Commission (SEC) – for unfair collection or lending company violations.
• Credit Information Corporation (CIC) or private credit bureaus – for credit report disputes.

Frequently Asked Questions

Can I request deletion if I still have an unpaid loan?
Core data needed to manage or collect the loan can usually be retained, but you can request that the app restrict processing to only that purpose and stop using your data for anything else, such as marketing or sharing with unrelated parties.

How long does a lending app have to respond to a deletion request?
The Data Privacy Act requires action without undue delay. Many organizations aim to respond within 30 days. Send a follow-up if you hear nothing after two to three weeks and keep records.

What if the app has already shared my data with collection agencies?
Ask the lending app (the controller) to instruct all processors and third parties to delete or stop processing your data. You can also raise this in an NPC complaint.

Does this apply to foreigners or overseas Filipino workers?
Yes. If a Philippine lending company or app processes your personal data, the Data Privacy Act applies. The process is the same—start with a written request by email and use a passport copy for verification.

Will requesting deletion affect my credit score?
Deleting data from the lending app does not automatically remove or correct information already reported to credit bureaus or the CIC. File a separate dispute with those entities if you believe the information is inaccurate or outdated.

What evidence do I need for a strong request or NPC complaint?
Clear records of your communications with the app, proof of your identity, and documents supporting the grounds (such as proof the loan is settled or that the app collected data beyond what its privacy policy disclosed).

Can lending apps refuse deletion by citing AML or other laws?
They may refuse full deletion while a legal retention obligation exists, but they must still respect data minimization and restriction principles. Ask them to specify the exact legal basis and retention period in writing.

How do I file a complaint with the National Privacy Commission?
Download the current Complaint-Affidavit form from the NPC website, complete and notarize it, attach all evidence, and submit via the eComplaint portal, email to complaints@privacy.gov.ph, or in person/courier. There is no filing fee for individuals.

Is deleting my account in the app the same as full data erasure?
No. Account deletion may remove your ability to log in but does not guarantee complete removal from backend systems, backups, or third parties. Always make a separate, explicit erasure request under the Data Privacy Act.

What happens if the NPC orders the app to delete my data?
The app must comply with the order. Non-compliance can lead to further penalties. In appropriate cases, the NPC can also coordinate with other regulators or refer matters for criminal action.

Key Takeaways

• You have a statutory right under the Data Privacy Act of 2012 to request erasure or blocking of your personal data from online lending apps when it is no longer necessary, was unlawfully obtained or processed, or when other qualifying grounds exist.
• Always start with a clear, written request directly to the app’s Data Protection Officer, supported by your ID and specific grounds, and keep complete records of every communication.
• Lending apps may refuse full deletion while an active loan or legal retention obligation exists, but you can still demand restriction of processing and proper handling of third-party disclosures.
• If the app ignores or improperly denies your request, escalate to the National Privacy Commission by filing a notarized Complaint-Affidavit with supporting evidence—the NPC can investigate and order compliance.
• Special situations such as fully settled loans, excessive data collection (including contacts), or ongoing harassment give you stronger grounds; document everything and consider parallel reports to the SEC when relevant.
• The process works for both Filipinos and foreigners when Philippine-regulated entities are involved; persistence, clear documentation, and use of official NPC channels are the keys to practical results.

By following these steps methodically, you can take concrete action to protect your personal data and hold lending apps accountable under Philippine law.