How to Delete Personal Information From a Lending App

A legal article in the Philippine context

I. Overview

Deleting personal information from a lending app in the Philippines is a data privacy, consumer protection, and financial records issue. Borrowers often want their data deleted after paying a loan, uninstalling an app, experiencing harassment, discovering unauthorized access to contacts, or receiving collection messages even after full settlement.

In the Philippines, a borrower has rights under the Data Privacy Act of 2012, general privacy principles, consumer protection rules, and applicable financial regulations. These rights include the right to be informed, to access personal data, to object to certain processing, to request correction, to request blocking or removal in proper cases, and to complain when personal data is misused.

However, the right to delete personal information is not absolute. A lending app may be legally allowed or required to retain certain records for legitimate purposes, such as accounting, audit, fraud prevention, regulatory compliance, tax documentation, anti-money laundering obligations, legal defense, or proof of loan transactions. The proper legal remedy is therefore not always total deletion of all records. In many cases, the borrower should demand cessation of unlawful processing, deletion of unnecessary data, correction of inaccurate data, removal from marketing or contact lists, restriction of access, blocking of data used for harassment, and confirmation that contact-list data and other excessive data have been erased.

The central rule is: a lending app may process only personal data that is lawful, necessary, proportionate, transparent, and connected to a legitimate purpose. Once the purpose has been fulfilled, or once processing becomes unlawful, excessive, inaccurate, or abusive, the borrower may demand appropriate deletion, blocking, correction, or restriction.

II. Why Lending Apps Collect Personal Information

Online lending apps collect personal information to evaluate loan applications, verify identity, assess credit risk, disburse proceeds, collect payments, comply with law, prevent fraud, and communicate with borrowers.

Common data collected may include:

  1. Full name;
  2. Date of birth;
  3. Address;
  4. Mobile number;
  5. Email address;
  6. Employment details;
  7. Employer name and contact details;
  8. Government-issued ID;
  9. ID number;
  10. Selfie or facial image;
  11. Bank account or e-wallet details;
  12. Loan application details;
  13. Income information;
  14. Device information;
  15. IP address;
  16. Location data;
  17. Contact list;
  18. Photos or storage data;
  19. SMS or call information;
  20. Social media information;
  21. References;
  22. Payment history;
  23. Credit behavior;
  24. Collection records;
  25. Complaint records.

Some of this data may be reasonably necessary for lending. Other data, especially broad access to contact lists, photos, storage, location, and device content, may be excessive depending on how it is collected and used.

III. Personal Information and Sensitive Personal Information

The Data Privacy Act distinguishes between ordinary personal information and sensitive personal information.

A. Personal Information

Personal information is information from which a person’s identity is apparent or can be reasonably and directly ascertained. It may include:

  1. Name;
  2. Address;
  3. Mobile number;
  4. Email address;
  5. Employment details;
  6. Account details;
  7. Photographs;
  8. Loan records;
  9. Device identifiers;
  10. Contact information.

B. Sensitive Personal Information

Sensitive personal information receives stronger protection. It may include:

  1. Government-issued ID numbers;
  2. Financial information;
  3. Health information;
  4. Biometric information;
  5. Information relating to proceedings or offenses;
  6. Data about race, religion, marital status, age, or similar legally protected categories, depending on context.

Lending apps often collect sensitive personal information when they require ID cards, selfies, bank details, income documents, or other financial records.

IV. Data Privacy Principles

A lending app must comply with the basic principles of data privacy.

A. Transparency

The borrower must be informed of what personal data is collected, why it is collected, how it will be used, who will receive it, how long it will be retained, and how the borrower can exercise privacy rights.

A vague privacy policy is not enough if the app collects invasive data without clear explanation.

B. Legitimate Purpose

The lender must process data for a lawful and legitimate purpose. Identity verification, loan processing, fraud prevention, and lawful collection may be legitimate. Public shaming, harassment of contacts, threats, and unauthorized disclosure are not legitimate purposes.

C. Proportionality

The lender must collect and use only data that is necessary and not excessive. If a loan can be processed without copying the borrower’s entire phonebook, then contact-list scraping may be disproportionate.

Proportionality is often the strongest issue in lending app complaints.

V. Is There a Right to Deletion?

Philippine data privacy law recognizes rights that may support deletion, blocking, removal, destruction, or restriction of personal data in proper cases. A borrower may request deletion or blocking when personal data is:

  1. Incomplete;
  2. Outdated;
  3. False;
  4. Unlawfully obtained;
  5. Used for unauthorized purposes;
  6. No longer necessary for the purpose collected;
  7. Used for harassment;
  8. Excessive or disproportionate;
  9. Processed despite withdrawal of consent where consent is the basis;
  10. Processed in violation of the borrower’s rights;
  11. Retained beyond a lawful period;
  12. Shared with unauthorized third parties.

The borrower should frame the request carefully. Instead of simply saying “delete everything,” it is often better to demand specific actions:

  1. Delete all contact-list data;
  2. Delete uploaded photos not needed for legal records;
  3. Delete marketing data;
  4. Stop processing data for collection after full payment;
  5. Block data from collection agents;
  6. Correct payment status;
  7. Remove inaccurate delinquency records;
  8. Stop contacting third persons;
  9. Delete data obtained without consent;
  10. Confirm retention only of legally required records.

VI. Deletion Is Not Always Immediate or Total

A lending app may refuse full deletion of all records if it has a lawful basis to retain some data.

Possible lawful retention purposes include:

  1. Proof of loan contract;
  2. Payment records;
  3. Accounting and audit;
  4. Tax compliance;
  5. Regulatory reporting;
  6. Anti-fraud investigation;
  7. Defense against legal claims;
  8. Compliance with court orders;
  9. Credit reporting obligations, if lawful and accurate;
  10. Complaint handling;
  11. Prevention of duplicate fraudulent applications;
  12. Statutory recordkeeping.

However, lawful retention does not permit the lender to keep using data for harassment, marketing, public shaming, or unauthorized disclosure.

The proper balance is: retain only what the law requires or legitimate business necessity justifies; delete or anonymize what is unnecessary, excessive, unlawfully obtained, or no longer needed.

VII. When a Borrower Has Fully Paid the Loan

After full payment, the lender may no longer have a legitimate basis to continue collection activity. The borrower should demand:

  1. Account closure;
  2. Certificate of full payment;
  3. Correction of account status;
  4. Stoppage of all collection calls and messages;
  5. Recall of account from collection agencies;
  6. Deletion of unnecessary personal data;
  7. Deletion of contact-list data;
  8. Cessation of contact with references, employer, relatives, and phonebook contacts;
  9. Correction of credit reporting;
  10. Removal from marketing lists;
  11. Written confirmation of retained records and legal basis for retention.

The lender may retain payment and contract records, but it should not continue using the borrower’s data for debt collection after settlement.

VIII. When the Loan Is Still Unpaid

If the loan remains unpaid, the lender may still process some borrower information for lawful collection. However, even then, processing must be fair, lawful, proportionate, and not abusive.

The lender may generally keep:

  1. Loan contract;
  2. Borrower identity data;
  3. Payment history;
  4. Statement of account;
  5. Official contact details;
  6. Lawful collection records.

But the lender should not:

  1. Contact unrelated phonebook contacts;
  2. Shame the borrower online;
  3. Post the borrower’s photo;
  4. Send threats to relatives;
  5. Use obscene language;
  6. Disclose the loan to the employer without lawful basis;
  7. Use fake legal notices;
  8. Process excessive device data;
  9. Continue using data for undisclosed purposes.

A borrower with an unpaid loan may still demand deletion of excessive or unlawfully obtained data, but the lender may retain data necessary for legitimate collection and legal claims.

IX. When the Loan Was Never Applied For by the Person

If a person receives collection messages from a lending app but never applied for the loan, the situation may involve identity theft, fraud, or erroneous data processing.

The person should immediately demand:

  1. Copy of the loan application;
  2. Proof of identity verification used;
  3. Disbursement details;
  4. Account or e-wallet where proceeds were sent;
  5. IP address or device information used for application, where available;
  6. Deletion or blocking of the false account;
  7. Cessation of collection;
  8. Correction of records;
  9. Removal from credit reporting;
  10. Investigation for identity theft.

The person should also consider filing a police report, data privacy complaint, and complaint with the proper regulator.

X. When the App Accessed Phone Contacts

Many abusive lending app cases involve contact scraping. The borrower installs the app, grants permissions, and later the app contacts relatives, friends, co-workers, employers, or random phonebook entries.

This may raise serious privacy issues.

A. Why Contact Access Is Questionable

A lender may ask for references, but copying the entire contact list may be excessive. Contact persons are not borrowers and may not have consented to their data being processed.

B. What to Demand

The borrower should demand:

  1. Deletion of all contact-list data obtained from the device;
  2. Identification of third parties to whom contact data was disclosed;
  3. Cessation of messages to all contacts;
  4. Written confirmation that contacts were not retained or shared;
  5. Removal of all contact data from collection systems;
  6. Sanctions against collectors who used the data for harassment.

C. Contacts May Also Complain

People contacted by the lender may also have privacy rights. If their names, numbers, or relationship to the borrower were processed without lawful basis, they may file their own complaints or provide witness statements.

XI. When the App Posted Personal Information Online

If a lending app or collector posted the borrower’s name, photo, ID, loan details, accusations, or shame messages online, the borrower should act quickly.

A. Immediate Steps

  1. Take screenshots;
  2. Save the URL;
  3. Capture date and time;
  4. Capture account name and profile link;
  5. Save comments, shares, and reactions;
  6. Report the post to the platform;
  7. Demand immediate takedown;
  8. Demand deletion from lender’s systems;
  9. File data privacy and cybercrime-related complaints, where appropriate.

B. Deletion Demand

The borrower should demand:

  1. Immediate takedown of all public posts;
  2. Deletion of images, IDs, and loan details used for shaming;
  3. Written confirmation that collectors are prohibited from reposting;
  4. Identification of persons who posted or authorized the post;
  5. Preservation of internal records for investigation.

Deletion should not destroy evidence before the borrower has preserved it. Save evidence first, then demand takedown.

XII. Uninstalling the App Is Not Enough

Uninstalling the lending app from a phone does not necessarily delete data already uploaded to the lender’s servers.

Uninstalling may:

  1. Remove the app from the device;
  2. Stop some future data access;
  3. Prevent new permissions;
  4. Reduce notifications.

But it does not necessarily:

  1. Delete borrower records from the lender;
  2. Delete contact-list data already uploaded;
  3. Delete ID photos from the lender;
  4. Stop collection agencies;
  5. Correct account status;
  6. Remove credit reports;
  7. Delete data shared with third parties.

A formal deletion or restriction request is still needed.

XIII. Revoking App Permissions

The borrower should revoke unnecessary app permissions in phone settings.

Common permissions to review:

  1. Contacts;
  2. Camera;
  3. Photos and videos;
  4. Files and storage;
  5. Location;
  6. Microphone;
  7. SMS;
  8. Phone logs;
  9. Notifications;
  10. Nearby devices;
  11. Accessibility access.

Revocation helps prevent further data access, but it does not delete data already collected.

XIV. Deleting the Account Inside the App

Some lending apps provide an account deletion feature. If available, the borrower may use it after saving evidence and payment records.

Before deleting the account, the borrower should save:

  1. Loan agreement;
  2. Loan account number;
  3. Payment records;
  4. Receipts;
  5. Full payment confirmation;
  6. Statement of account;
  7. Chat messages;
  8. Harassment evidence;
  9. Privacy policy;
  10. Terms and conditions.

The borrower should not delete access to evidence before a dispute is resolved.

XV. Requesting a Certificate of Full Payment First

If the loan has been paid, it is advisable to request a certificate of full payment before or alongside deletion.

This certificate should state:

  1. Borrower’s full name;
  2. Loan account number;
  3. Date of full payment;
  4. Amount paid;
  5. Confirmation that no balance remains;
  6. Name of lender;
  7. Authorized representative or official channel;
  8. Date of issuance.

This document protects the borrower if the lender later claims unpaid balance.

XVI. Identifying the Proper Entity Behind the App

Many lending apps use brand names that differ from the registered company name. A deletion request should be sent to the correct legal entity.

The borrower should identify:

  1. App name;
  2. Registered company name;
  3. SEC registration details, if available;
  4. Certificate of authority details, if available;
  5. Business address;
  6. Customer service email;
  7. Data Protection Officer contact;
  8. Privacy policy contact information;
  9. Collection agency name, if applicable;
  10. Payment channels.

If the borrower does not know the registered company, the app store listing, privacy policy, loan agreement, official receipt, or payment instructions may provide clues.

XVII. Data Protection Officer

Organizations that process personal data should have a person or office responsible for data protection compliance. The borrower should address privacy-related requests to the lender’s Data Protection Officer or designated privacy contact.

A deletion request should ideally be sent to:

  1. Data Protection Officer email;
  2. Customer service email;
  3. Official complaint channel;
  4. Registered office address;
  5. In-app support, if available.

The borrower should keep proof of sending.

XVIII. What to Include in a Deletion Request

A deletion request should be clear, specific, and evidence-based.

It should include:

  1. Borrower’s full name;
  2. Registered mobile number;
  3. Email address used in the app;
  4. Loan account number;
  5. App name;
  6. Date of loan;
  7. Payment status;
  8. Specific data requested to be deleted;
  9. Reason for deletion;
  10. Demand to stop processing;
  11. Demand to stop contacting third persons;
  12. Demand for confirmation;
  13. Attachments, such as proof of full payment;
  14. Valid ID, if reasonably required for verification;
  15. Deadline for response.

The borrower should not send more personal data than necessary. If identity verification is required, redact sensitive details when possible unless full copy is legally necessary.

XIX. Sample Deletion Request After Full Payment

Subject: Request for Deletion, Blocking, and Restriction of Personal Data After Full Payment

I am a borrower of [App Name] under Loan Account No. ________. I fully paid the loan on ________ through ________, with reference number ________. Attached is proof of payment.

Since the purpose of collection has been fulfilled, I request the following:

  1. Close my loan account and mark it fully paid;
  2. Issue a certificate or written confirmation of full payment;
  3. Stop all collection calls, texts, emails, and messages;
  4. Recall my account from all collection agents;
  5. Delete all unnecessary personal data no longer required for legal or regulatory retention;
  6. Delete all contact-list data obtained from my device;
  7. Delete any photos, IDs, or files not legally required to be retained;
  8. Stop processing my data for marketing or promotional purposes;
  9. Stop contacting my relatives, employer, references, or phone contacts;
  10. Confirm what records you will retain, the legal basis for retention, and the retention period.

Please provide written confirmation of action taken.

XX. Sample Deletion Request for Contact-List Harassment

Subject: Demand to Delete Contact-List Data and Stop Unauthorized Third-Party Contact

I discovered that [App Name] or its collectors contacted persons from my phone contacts regarding my loan. These persons are not parties to the loan and did not consent to the processing of their personal data for collection or harassment.

I demand that you:

  1. Immediately stop contacting all persons in my contact list;
  2. Delete all contact-list data obtained from my device;
  3. Identify whether such data was shared with collection agencies or third parties;
  4. Instruct all agents to delete copies of such data;
  5. Confirm in writing that my contacts will no longer be messaged or called;
  6. Preserve internal records for investigation.

Your continued use of contact-list data for collection, shaming, or pressure is unauthorized, disproportionate, and unlawful.

XXI. Sample Request When Person Did Not Apply for the Loan

Subject: Demand to Stop Processing and Delete Fraudulent Loan Account

I received collection messages from [App Name] regarding Loan Account No. ________, but I did not apply for this loan and did not receive any proceeds.

I demand that you:

  1. Stop all collection activity immediately;
  2. Provide a copy of the loan application and verification documents allegedly used;
  3. Provide the disbursement account or channel where proceeds were sent;
  4. Block the disputed account pending investigation;
  5. Delete or restrict all personal data unlawfully processed under my name;
  6. Correct any credit reporting or internal delinquency record;
  7. Stop contacting my relatives, employer, and other third persons;
  8. Provide written confirmation of your investigation.

I reserve the right to file complaints for identity theft, unauthorized processing of personal information, and other legal violations.

XXII. Sample Request to Stop Marketing

Subject: Withdrawal of Consent to Marketing and Request for Removal From Promotional Lists

I request that [App Name] remove my name, mobile number, email address, device identifiers, and account details from all marketing, promotional, reloan, and advertising lists.

I withdraw any consent previously given for marketing communications. Please stop sending loan offers, promotional messages, app notifications, emails, calls, and SMS. This request does not affect any lawful recordkeeping you may be required to perform, but it bars further marketing use of my personal data.

Please confirm removal from your marketing database.

XXIII. What the Lending App Should Do After Receiving the Request

A responsible lender should:

  1. Acknowledge the request;
  2. Verify the requester’s identity;
  3. Check account status;
  4. Determine what data can be deleted;
  5. Determine what data must be retained;
  6. Stop unlawful processing immediately;
  7. Notify collection agents;
  8. Correct inaccurate records;
  9. Delete unnecessary data;
  10. Restrict retained data;
  11. Stop marketing communications;
  12. Provide written response;
  13. Explain legal basis for any retained data;
  14. Provide complaint escalation channel.

Failure to respond may support a complaint.

XXIV. When the Lender Refuses Deletion

A lender may refuse total deletion if it has a lawful basis for retention. However, it should explain the basis.

A proper refusal should state:

  1. Which data will be retained;
  2. Why it must be retained;
  3. Legal or business basis for retention;
  4. Retention period;
  5. Security safeguards;
  6. Whether data will be shared;
  7. Whether collection or marketing will stop;
  8. How the borrower can appeal or complain.

A vague refusal such as “we cannot delete your data” without explanation may be challenged.

XXV. Data That May Be Retained Lawfully

A lending app may be justified in retaining:

  1. Loan contract;
  2. Payment records;
  3. Receipts;
  4. Official transaction logs;
  5. Identity verification records reasonably necessary to prove the transaction;
  6. Complaint records;
  7. Accounting records;
  8. Regulatory compliance records;
  9. Records needed for legal defense;
  10. Fraud prevention records.

But retention should be limited and secure. The data should not be used for unrelated purposes.

XXVI. Data That Should Usually Be Deleted or Restricted After Purpose Ends

Depending on the facts, the borrower may demand deletion or restriction of:

  1. Contact-list data;
  2. Photos from the device not needed for the loan;
  3. Location logs not necessary for records;
  4. Marketing profile;
  5. Promotional lists;
  6. Collection notes after account closure, except internal compliance records;
  7. Duplicative ID copies;
  8. Unnecessary selfies or images;
  9. Chat data not needed for compliance;
  10. Third-party contacts;
  11. Device permissions and identifiers not needed after closure;
  12. Data held by unauthorized collectors.

The lender must justify continued retention of such data.

XXVII. Contacting Collection Agencies

If the lender endorsed the account to a collection agency, deletion or restriction must extend to the agency.

The borrower should demand that the lender:

  1. Recall the account;
  2. Inform collectors that the account is paid or disputed;
  3. Instruct collectors to stop processing data;
  4. Instruct collectors to delete unnecessary copies;
  5. Stop further disclosure;
  6. Provide the name of collection agency;
  7. Provide confirmation that third-party processing has ended.

If the collection agency continues harassment, it may be separately liable.

XXVIII. Credit Reporting Records

Deletion from the lending app does not automatically delete credit bureau or credit information records. If the app reported the loan to a credit database, the borrower should request correction or update.

The borrower may demand:

  1. Update account as fully paid;
  2. Correct inaccurate delinquency status;
  3. Remove disputed or unlawful charges;
  4. Rectify identity theft records;
  5. Provide information on where the data was reported;
  6. Confirm correction was sent to credit reporting entities.

Credit records may not be deleted simply because the borrower dislikes them, but they must be accurate, fair, and lawfully processed.

XXIX. Data Retention Period

Borrowers should ask how long the lender will retain data.

A proper retention policy should specify:

  1. Categories of data;
  2. Purpose of retention;
  3. Retention period;
  4. Legal basis;
  5. Deletion or anonymization schedule;
  6. Security safeguards;
  7. Third-party processors;
  8. Contact for privacy requests.

Indefinite retention without justification may be questionable.

XXX. Withdrawal of Consent

Many apps rely on user consent for some forms of data processing. A borrower may withdraw consent for processing that is based solely on consent, such as marketing or optional data use.

However, withdrawal of consent does not automatically erase processing based on other lawful grounds, such as contract performance, legal compliance, or legitimate claims.

For example:

  1. The borrower may withdraw consent to marketing;
  2. The borrower may demand deletion of contact-list data;
  3. The lender may still retain loan contract records for lawful purposes;
  4. The lender may still process data needed for a pending legal claim.

Consent withdrawal is strongest against optional or excessive processing.

XXXI. Right to Object

A borrower may object to processing based on improper, excessive, or unauthorized purposes.

The borrower may object to:

  1. Marketing;
  2. Contact-list use;
  3. Public posting;
  4. Third-party disclosure;
  5. Data sharing with unrelated affiliates;
  6. Profiling beyond loan necessity;
  7. Processing after full payment for collection;
  8. Processing based on inaccurate account status.

Once the borrower objects, the lender should stop processing unless it can show a lawful basis.

XXXII. Right to Correction

Sometimes the issue is not deletion but correction.

The borrower may request correction of:

  1. Wrong name;
  2. Wrong phone number;
  3. Wrong payment status;
  4. Incorrect outstanding balance;
  5. False delinquency;
  6. Wrong employer;
  7. Duplicate account;
  8. Wrong ID number;
  9. Wrong credit report;
  10. Wrong collection endorsement.

Correction is important because lenders may claim they cannot delete records but must still ensure accuracy.

XXXIII. Right to Access

Before demanding deletion, the borrower may request access to personal data held by the lender.

The borrower may ask:

  1. What personal data do you hold?
  2. Where did you obtain it?
  3. Why are you processing it?
  4. Who received it?
  5. Was it shared with collection agencies?
  6. Was it shared with credit bureaus?
  7. How long will it be retained?
  8. What data was collected from my device?
  9. Did you collect my contacts?
  10. Did you collect location or photo data?

This access request helps identify what to delete.

XXXIV. Right to Data Portability

Where applicable, a borrower may request a copy of personal data in a structured or commonly used format, especially transactional data. This may help the borrower preserve records before account deletion.

XXXV. Privacy Policy Review

The borrower should review the app’s privacy policy. Important sections include:

  1. Data collected;
  2. Purpose of collection;
  3. App permissions;
  4. Third-party sharing;
  5. Collection agencies;
  6. Credit reporting;
  7. Retention period;
  8. Deletion request procedure;
  9. Data Protection Officer contact;
  10. Jurisdiction and dispute process.

If the app’s actual conduct differs from its privacy policy, this supports a complaint.

XXXVI. App Permissions and Excessive Consent

Some lending apps request broad permissions at installation. Consent may be invalid or questionable if it is bundled, forced, unclear, or excessive.

Problematic practices include:

  1. “Accept all” permission before seeing loan terms;
  2. Contact-list access required for small loans;
  3. Storage access not clearly explained;
  4. Location tracking unrelated to loan;
  5. SMS access used for profiling without clear notice;
  6. Use of contacts for shaming;
  7. No option to refuse optional data processing;
  8. Privacy policy written in vague language.

The borrower may argue that consent was not validly obtained for excessive data processing.

XXXVII. Data of Third Persons

Lending apps may process data of people who are not borrowers, including references, relatives, employers, and phone contacts.

This is a serious issue because third persons often did not consent.

A borrower may request deletion of third-party data uploaded from the borrower’s phone. Third persons may also directly demand:

  1. Stop contacting them;
  2. Delete their number;
  3. Explain how their data was obtained;
  4. Stop associating them with the borrower’s loan;
  5. File privacy complaints.

A reference is not automatically a co-maker, guarantor, or debtor.

XXXVIII. Special Protection for Employers and Workplace Contacts

Contacting an employer about a borrower’s loan can cause reputational and employment harm. The borrower may demand deletion of employer contacts unless necessary and lawfully obtained.

The lender should not:

  1. Disclose loan details to HR;
  2. Shame the borrower at work;
  3. Threaten workplace visits;
  4. Send fake legal notices to the employer;
  5. Demand salary deduction without authority;
  6. Contact co-workers from the phonebook.

If the borrower provided employer information for income verification, the lender’s use should be limited to that purpose unless another lawful basis exists.

XXXIX. When Data Is Used for Harassment

Data deletion becomes urgent when the lender uses data for harassment.

Examples:

  1. Sending messages to all contacts;
  2. Posting ID and photo online;
  3. Calling the employer;
  4. Threatening relatives;
  5. Creating group chats;
  6. Sending defamatory messages;
  7. Releasing loan details;
  8. Using vulgar language;
  9. Sending fake legal notices;
  10. Continuing collection after full payment.

In these cases, the borrower should demand not only deletion but also cessation, takedown, investigation, and sanctions.

XL. Filing a Complaint With the National Privacy Commission

If the lending app ignores the request, refuses without basis, misuses data, or continues harassment, the borrower may file a complaint with the National Privacy Commission.

A. Possible Grounds

  1. Unauthorized processing;
  2. Excessive data collection;
  3. Malicious disclosure;
  4. Unauthorized disclosure;
  5. Improper disposal or retention;
  6. Failure to secure personal data;
  7. Failure to respect data subject rights;
  8. Failure to respond to access, correction, deletion, or blocking requests;
  9. Contact-list harassment;
  10. Public shaming.

B. Evidence

Attach:

  1. Loan records;
  2. Privacy request sent to the app;
  3. Proof of receipt;
  4. App privacy policy;
  5. Screenshots of app permissions;
  6. Messages from collectors;
  7. Messages sent to contacts;
  8. Social media posts;
  9. Proof of full payment, if applicable;
  10. Written responses or refusal;
  11. ID of complainant;
  12. Affidavits of contacted persons, if available.

C. Relief

The borrower may request:

  1. Deletion or blocking of unlawfully processed data;
  2. Cessation of processing;
  3. Takedown of posts;
  4. Correction of inaccurate records;
  5. Investigation;
  6. Penalties where applicable;
  7. Referral for prosecution in serious cases.

XLI. Complaint With the Lending or Financing Regulator

If the app is operated by a lending or financing company, the borrower may also complain to the regulator supervising such companies.

Possible issues include:

  1. Abusive collection;
  2. Harassment;
  3. Contact-list shaming;
  4. Failure to disclose data practices;
  5. Unfair lending practices;
  6. Excessive fees;
  7. Failure to issue payment confirmation;
  8. Continued collection after full payment;
  9. Unregistered app operation;
  10. Failure to respond to complaints.

Data privacy complaint and lending regulation complaint may be filed separately because they address different violations.

XLII. Cybercrime and Criminal Remedies

If the lending app or collectors use personal information for threats, cyberlibel, identity theft, fake documents, or public shaming, criminal remedies may be considered.

Possible criminal issues include:

  1. Cyberlibel;
  2. Grave threats;
  3. Light threats;
  4. Unjust vexation;
  5. Coercion;
  6. Falsification;
  7. Identity theft;
  8. Unauthorized access;
  9. Malicious disclosure of personal data;
  10. Usurpation of authority if pretending to be police, court, or government officers.

The borrower should preserve electronic evidence before requesting takedown.

XLIII. Civil Remedies

A borrower may seek civil remedies if misuse or refusal to delete data caused harm.

Possible civil claims include:

  1. Damages for violation of privacy;
  2. Moral damages for humiliation, anxiety, or besmirched reputation;
  3. Actual damages for job loss or financial harm;
  4. Exemplary damages for oppressive conduct;
  5. Injunction to stop disclosure;
  6. Takedown orders;
  7. Correction of records;
  8. Attorney’s fees where justified.

Civil remedies may be appropriate for severe harassment, employer contact, public posts, or continued collection after full payment.

XLIV. Preservation of Evidence Before Deletion

A borrower should not rush to delete everything before saving evidence. If the app deletes records, the borrower may lose proof of payment, harassment, excessive charges, or privacy violations.

Before deletion, save:

  1. Loan agreement;
  2. App screenshots;
  3. Privacy policy;
  4. Terms and conditions;
  5. Payment receipts;
  6. Full payment confirmation;
  7. Balance screen;
  8. Messages from collectors;
  9. Contact harassment evidence;
  10. Social media posts;
  11. App permission screenshots;
  12. Account details;
  13. Complaint messages sent.

Preserve evidence first, then request deletion or takedown.

XLV. How to Document a Deletion Request

The borrower should create a clear record of the request.

Recommended steps:

  1. Send by email to official support and DPO email;
  2. Send through in-app support if available;
  3. Send to registered office by courier if serious;
  4. Save proof of sending;
  5. Take screenshots of submitted ticket;
  6. Record ticket number;
  7. Follow up in writing;
  8. Keep all replies;
  9. Avoid purely verbal requests;
  10. Ask for written confirmation of deletion.

If the matter escalates, this record proves that the lender was given notice.

XLVI. Reasonable Verification by the Lender

A lender may ask the requester to verify identity before deleting data. This is reasonable because the lender must avoid deleting or disclosing data to an impostor.

However, verification should be proportionate. The lender should not demand excessive new personal data.

Reasonable verification may include:

  1. Registered mobile number;
  2. Email used for account;
  3. Loan account number;
  4. Masked ID;
  5. Payment reference;
  6. Date of birth;
  7. Security question;
  8. Last payment amount.

If asked for a full ID copy, the borrower may ask if a redacted copy is acceptable, showing only necessary details.

XLVII. Deletion of Data From Device vs. Company Servers

The borrower should distinguish between:

A. Device Deletion

This includes uninstalling the app, clearing cache, revoking permissions, deleting downloaded files, and removing app data from the phone.

B. Server Deletion

This requires the lender to delete or restrict data stored in its systems, cloud servers, databases, backups, and collection platforms.

C. Third-Party Deletion

This requires deletion or restriction by collection agencies, payment processors, credit reporting entities, marketing vendors, and affiliates.

A proper deletion request should cover all three where applicable.

XLVIII. Backups and Archived Records

A lender may say that data remains in backups for a limited period. This may be acceptable if:

  1. Backups are secure;
  2. Data is not actively used;
  3. Backup retention period is limited;
  4. Data will be overwritten or deleted according to schedule;
  5. Access is restricted;
  6. Data is restored only for legitimate purposes.

The borrower may ask for the backup retention period.

XLIX. Anonymization as an Alternative

If the lender must retain transaction statistics but no longer needs identifiable data, it may anonymize records.

Anonymized data should no longer identify the borrower. Proper anonymization may allow the lender to keep aggregate records without retaining personal identity.

The borrower may request anonymization where deletion is not feasible.

L. Special Issue: Government ID and Selfie Deletion

Lending apps often require government ID and selfie verification. These are sensitive because they can be misused for identity theft.

After account closure, the borrower may request:

  1. Deletion of duplicate ID copies;
  2. Restriction of access to retained ID images;
  3. Confirmation that IDs are not shared with collectors;
  4. Deletion of biometric templates, if any;
  5. Security measures for retained verification records;
  6. Retention period for ID images.

If the lender refuses, it should explain the legal basis and retention period.

LI. Special Issue: Bank and E-Wallet Details

Bank and e-wallet details should be protected. After full payment or account closure, the borrower may demand:

  1. Deletion of saved disbursement account for future loans;
  2. Removal from auto-debit or payment authorization, if any;
  3. Confirmation that no further deductions will occur;
  4. Restriction of access to bank details;
  5. Deletion of unnecessary payment tokens;
  6. Correction of payment status.

Unauthorized deductions may raise separate legal issues.

LII. Special Issue: Location Data

Some lending apps collect location data. The borrower may question whether this is necessary for loan processing.

The borrower may demand:

  1. Deletion of historical location data;
  2. Cessation of location tracking;
  3. Explanation of why location was collected;
  4. Identification of third parties who received it;
  5. Restriction of any retained location logs.

Location data can reveal sensitive personal patterns and should not be collected excessively.

LIII. Special Issue: SMS, Call Logs, and Device Data

Some apps seek access to SMS, call logs, or device information for credit scoring. This may be intrusive.

The borrower may demand:

  1. Deletion of SMS-derived data;
  2. Deletion of call-log-derived data;
  3. Explanation of data collected;
  4. Stoppage of device profiling;
  5. Deletion of device identifiers where no longer needed;
  6. Confirmation that such data is not shared with collectors.

The app must justify why such data is necessary and proportionate.

LIV. Special Issue: Marketing and Reloan Offers

Even after full payment, many apps continue sending loan offers. The borrower may demand removal from marketing lists.

The request should include:

  1. Stop SMS loan offers;
  2. Stop app push notifications;
  3. Stop emails;
  4. Stop calls from agents;
  5. Stop sharing data with affiliates;
  6. Delete marketing profile;
  7. Do not use payment history for promotional targeting.

Marketing consent can usually be withdrawn.

LV. Special Issue: Deletion After App Ban or Closure

If a lending app has disappeared, been removed from app stores, or stopped responding, the borrower should still attempt to identify the registered company.

Possible sources:

  1. Old loan agreement;
  2. Official receipt;
  3. Payment channel;
  4. Privacy policy screenshot;
  5. App store history;
  6. SMS sender name;
  7. Email domain;
  8. Collection messages;
  9. SEC registration references;
  10. Bank or e-wallet merchant name.

If the company cannot be reached, the borrower may file complaints with available evidence.

LVI. Special Issue: Foreign Lending Apps

Some apps may be foreign-operated or use foreign servers. If they operate in the Philippines or process data of Philippine borrowers, Philippine privacy and lending rules may still be relevant depending on the circumstances.

The borrower should identify:

  1. Local entity;
  2. Foreign operator;
  3. Philippine representative;
  4. Privacy policy jurisdiction;
  5. Payment channels;
  6. Collection agents in the Philippines;
  7. Local registration.

Complaints may be more difficult if no local entity exists, but evidence should still be preserved.

LVII. Special Issue: Minors and Unauthorized Loans

If a minor’s personal data was used in a lending app, the issue is serious.

Concerns include:

  1. Capacity to contract;
  2. Unauthorized processing of minor’s data;
  3. Identity theft;
  4. Use of parent’s ID;
  5. Contacting minors for collection;
  6. Posting minor’s information;
  7. Harassment of a child.

Parents or guardians should immediately demand deletion, blocking, investigation, and cessation of collection.

LVIII. Special Issue: Deceased Borrower

If the borrower has died, relatives may request closure, cessation of collection, and restriction of processing, especially if collectors harass family members.

The lender may need to retain records for estate claims, but it should not harass relatives or disclose unnecessary information.

Family members should provide:

  1. Death certificate;
  2. Proof of relationship;
  3. Loan account details;
  4. Demand to stop contacting unrelated persons;
  5. Request for statement of account if estate settlement is needed.

Relatives are not automatically personally liable unless they separately obligated themselves or estate rules apply.

LIX. What If the Lender Says “You Agreed in the App”?

A lender may argue that the borrower agreed to data processing by accepting app terms. This does not automatically defeat a deletion request.

Consent may be challenged if:

  1. It was not informed;
  2. It was not specific;
  3. It was bundled with unrelated permissions;
  4. It was required for excessive data;
  5. It allowed disproportionate processing;
  6. It was used for harassment;
  7. It covered third-party contacts who did not consent;
  8. It was inconsistent with law.

The law does not allow a lender to contract out of basic privacy rights.

LX. What If the Lender Says “We Need It for Collection”?

If the loan is unpaid, some collection-related processing may be legitimate. But the lender must still show necessity and proportionality.

The borrower may respond:

  1. You may contact me through official channels;
  2. You may keep loan records necessary for lawful collection;
  3. You may not contact unrelated third persons;
  4. You may not post my data online;
  5. You may not retain excessive contact-list data;
  6. You may not use fake legal threats;
  7. You may not process inaccurate balances;
  8. You must provide a statement of account.

Lawful collection is different from data abuse.

LXI. What If the Lender Says “We Need It for Legal Compliance”?

The lender may retain certain records for legal compliance. The borrower should ask:

  1. Which specific data?
  2. Which law or regulation requires retention?
  3. How long will it be retained?
  4. Who can access it?
  5. Will it be shared with collectors?
  6. Can unnecessary data be deleted?
  7. Can retained data be restricted or archived?
  8. Can marketing use be stopped?

Legal compliance does not justify retaining everything forever.

LXII. Complaint Letter Structure

A formal complaint about refusal to delete data should include:

  1. Name of complainant;
  2. App name;
  3. Company name, if known;
  4. Loan account number;
  5. Chronology of events;
  6. Data collected;
  7. Data misuse or excessive processing;
  8. Deletion request sent;
  9. Lender’s response or failure to respond;
  10. Harm suffered;
  11. Evidence attached;
  12. Legal rights invoked;
  13. Relief requested.

The complaint should be factual and organized.

LXIII. Reliefs to Request in a Privacy Complaint

The borrower may request:

  1. Deletion of unlawfully collected data;
  2. Blocking of disputed account;
  3. Correction of payment status;
  4. Takedown of posts;
  5. Cessation of contact-list use;
  6. Identification of third-party recipients;
  7. Recall of data from collection agencies;
  8. Removal from marketing lists;
  9. Written confirmation of retention basis;
  10. Sanctions;
  11. Damages through proper forum;
  12. Referral for criminal investigation if warranted.

LXIV. Risks of Publicly Posting the Lender’s Employees

Borrowers often retaliate by posting collectors’ numbers, photos, or personal information. This can create legal risks for the borrower.

Safer approach:

  1. Preserve evidence privately;
  2. Report to authorities;
  3. Send formal complaints;
  4. Avoid doxxing;
  5. Avoid threats;
  6. Avoid posting unverified accusations;
  7. Redact personal information when sharing publicly.

The borrower’s legal position is stronger when the response remains lawful.

LXV. If the App Keeps Re-Uploading or Reposting Data

If data is repeatedly reposted after takedown, the borrower should:

  1. Capture each repost;
  2. Save URLs;
  3. Identify accounts used;
  4. Report to platform;
  5. Notify lender of continuing violation;
  6. File supplemental complaint;
  7. Request urgent action from authorities;
  8. Consider cybercrime or civil remedies.

Repeated publication may aggravate liability.

LXVI. If the App Shares Data With Affiliates

Some apps share borrower data with affiliates, related lending apps, marketing partners, or collection networks. The borrower may suddenly receive loan offers or collection messages from other app names.

The borrower should demand:

  1. List of affiliates or third parties who received data;
  2. Legal basis for sharing;
  3. Withdrawal of marketing consent;
  4. Deletion from affiliate databases;
  5. Stop to cross-app collection harassment;
  6. Confirmation that data sharing has ceased.

Data sharing must be disclosed and lawful.

LXVII. If the Borrower Used Multiple Lending Apps

A borrower using multiple apps should send separate deletion or restriction requests to each app. Deleting data from one app does not delete it from others.

Prepare a tracking sheet:

App Company Loan status Request sent Response Follow-up
App 1 Company A Paid Date Pending Date
App 2 Company B Disputed Date Refused Complaint filed

This prevents confusion and helps organize complaints.

LXVIII. Statutory and Regulatory Recordkeeping vs. Privacy Rights

The conflict between deletion and retention is common. The proper approach is not all-or-nothing.

A lender may retain what it must, but should:

  1. Minimize retained data;
  2. Restrict access;
  3. Stop active processing;
  4. Stop marketing;
  5. Stop harassment;
  6. Delete excessive data;
  7. Anonymize where possible;
  8. Secure archives;
  9. Provide retention explanation;
  10. Delete after retention period expires.

A borrower may accept legitimate retention while insisting on deletion of abusive or excessive data.

LXIX. Practical Step-by-Step Guide

Step 1: Save Evidence

Before deleting the app or account, save loan records, payment proof, messages, and screenshots.

Step 2: Pay or Clarify the Loan Status

If paid, secure proof. If unpaid or disputed, request a statement of account.

Step 3: Revoke App Permissions

Remove access to contacts, photos, location, SMS, and storage.

Step 4: Use In-App Account Deletion if Available

Do this only after saving evidence.

Step 5: Send Written Deletion Request

Send to customer service, DPO, and official email.

Step 6: Ask for Confirmation

Request written confirmation of what was deleted, retained, and why.

Step 7: Follow Up

If no response, send a follow-up with prior reference.

Step 8: File Complaint

If ignored or refused without basis, file with the proper authority.

Step 9: Monitor Contacts and Credit Records

Ask contacts to report messages. Check for continued collection or inaccurate reporting.

Step 10: Escalate if Harassment Continues

Consider privacy, regulatory, cybercrime, criminal, or civil remedies.

LXX. Practical Checklist Before Sending a Deletion Request

Prepare:

  1. Full name used in app;
  2. Mobile number used;
  3. Email used;
  4. App name;
  5. Registered company name, if known;
  6. Loan account number;
  7. Proof of full payment, if paid;
  8. Statement of account, if disputed;
  9. Screenshots of personal data misuse;
  10. App permission screenshots;
  11. Names and numbers of collectors;
  12. Messages sent to contacts;
  13. Social media posts;
  14. Privacy policy;
  15. Demand letter draft;
  16. Valid ID for verification, preferably redacted where acceptable.

LXXI. Common Mistakes

Borrowers often make these mistakes:

  1. Uninstalling the app and assuming data is deleted;
  2. Deleting evidence before filing complaints;
  3. Sending deletion requests only through chat without proof;
  4. Ignoring full payment certification;
  5. Posting sensitive documents online;
  6. Sending IDs to fake customer support pages;
  7. Paying fixers to “delete data”;
  8. Not revoking app permissions;
  9. Not informing contacts to preserve harassment messages;
  10. Accepting vague replies from the lender;
  11. Failing to identify the actual company behind the app;
  12. Not following up in writing.

LXXII. Frequently Asked Questions

1. Can I force a lending app to delete all my personal information?

Not always. The app may retain records required for legal, accounting, regulatory, fraud prevention, or legal defense purposes. But you may demand deletion of unnecessary, excessive, unlawfully collected, or abusive data.

2. Does uninstalling the app delete my data?

No. It removes the app from your phone but does not automatically delete data already uploaded to the lender’s servers.

3. Can I demand deletion after fully paying the loan?

Yes. You can demand account closure, cessation of collection, deletion of unnecessary data, deletion of contact-list data, removal from marketing lists, and confirmation of retained records.

4. Can the app keep my loan records after payment?

Yes, to the extent needed for lawful recordkeeping, audit, tax, regulatory compliance, fraud prevention, or legal defense. But it should not use them for harassment or unrelated marketing without lawful basis.

5. Can I demand deletion of my phone contacts from their system?

Yes. Contact-list data is often excessive and may involve third persons who did not consent.

6. Can the app contact my references after deletion request?

Only if there is a lawful and proportionate basis. It should not harass references, disclose loan details unnecessarily, or contact random phonebook entries.

7. What if the app refuses to delete my data?

Ask for the legal basis and retention period. If the refusal is unjustified or the app continues misuse, file a complaint with the National Privacy Commission and other appropriate regulators.

8. What if the app posted my ID or photo online?

Save evidence first, then demand takedown and deletion. Consider privacy, cybercrime, defamation, and regulatory complaints.

9. Can I withdraw consent to marketing?

Yes. You may demand removal from promotional calls, texts, emails, notifications, and reloan offers.

10. What if I never applied for the loan?

Demand proof of application and disbursement, immediate blocking of the account, cessation of collection, deletion or restriction of falsely processed data, and investigation for identity theft.

11. Can my contacts file complaints too?

Yes. If their personal data was used or they were harassed, they may file their own privacy or harassment complaints.

12. Should I send my ID to request deletion?

The lender may reasonably verify identity, but verification should be proportionate. Use official channels only and redact unnecessary details where acceptable.

LXXIII. Conclusion

Deleting personal information from a lending app in the Philippines is not as simple as uninstalling the app. Data may remain in the lender’s servers, collection systems, backups, affiliate databases, credit reports, and third-party processors.

A borrower has the right to demand deletion, blocking, correction, restriction, and cessation of unlawful processing when data is excessive, inaccurate, unlawfully obtained, no longer necessary, or used for harassment. After full payment, the borrower should demand account closure, certificate of full payment, deletion of unnecessary data, removal from marketing lists, deletion of contact-list data, and recall from collection agencies.

At the same time, a lender may retain limited records for lawful purposes such as accounting, regulatory compliance, fraud prevention, and legal defense. The key is proportionality: the lender may keep what the law reasonably requires, but it may not continue abusive, excessive, deceptive, or unauthorized processing.

The best approach is to preserve evidence first, revoke app permissions, send a written deletion request to the lender and its Data Protection Officer, demand confirmation of action taken, and escalate to the proper authorities if the app refuses, ignores the request, contacts third persons, posts personal data, or continues harassment.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login