How to Delete Personal Information from Online Lending Apps in the Philippines

A Legal Article on Borrower Data Privacy, App Permissions, Harassment, and Remedies

Introduction

Online lending apps have become common in the Philippines because they offer fast loan applications, minimal paperwork, and quick disbursement. Many borrowers use them for emergencies, daily expenses, medical needs, tuition, business capital, or debt consolidation. But these conveniences have also created serious data privacy concerns.

A frequent complaint is that online lending apps collect excessive personal information, access phone contacts, photos, messages, location data, device information, social media accounts, or other sensitive data, and later use that information for aggressive collection tactics. Some borrowers report harassment, public shaming, threats, repeated calls, disclosure of debts to contacts, unauthorized posting of personal information, or use of their data even after the loan has been paid.

The central legal question is:

Can a borrower require an online lending app to delete personal information?

In the Philippine context, the answer is generally yes, subject to legal limitations. A borrower has rights under the Data Privacy Act of 2012, its implementing rules, and related privacy regulations. These rights include the right to be informed, the right to object, the right to access, the right to correct, the right to block, remove, or destroy personal information, and the right to file complaints for violations.

However, deletion is not always absolute. A lending company may retain certain information when retention is required by law, regulation, contract enforcement, accounting, anti-fraud, litigation, tax, credit reporting, or legitimate business purposes. The key issue is whether the continued processing or retention is lawful, necessary, proportionate, transparent, and consistent with the purpose for which the information was collected.

1. What Personal Information Do Online Lending Apps Collect?

Online lending apps may collect a wide range of personal information from borrowers. Some data is necessary for legitimate lending operations, while other data may be excessive or abusive depending on the circumstances.

Commonly collected information includes:

  • Full name;
  • Date of birth;
  • Sex;
  • Civil status;
  • Home address;
  • Email address;
  • Mobile number;
  • Government ID details;
  • Selfie or facial image;
  • Signature;
  • Employment details;
  • Employer name and address;
  • Income information;
  • Bank account or e-wallet details;
  • Loan application data;
  • Credit history;
  • Payment history;
  • Device information;
  • IP address;
  • Location data;
  • App usage data;
  • Contact list;
  • Character references;
  • Uploaded documents;
  • Communications with customer service or collection agents.

Some apps may also request permissions to access contacts, camera, microphone, storage, SMS, location, calendar, call logs, or social media data. Not all of these permissions are automatically unlawful, but each must have a lawful basis and must be necessary and proportionate to the stated purpose.

2. What Is Personal Information Under Philippine Law?

Under Philippine data privacy principles, personal information generally refers to information from which an individual’s identity is apparent or can reasonably and directly be ascertained, or information that can identify an individual when combined with other information.

Examples include:

  • Name;
  • Address;
  • Phone number;
  • Email address;
  • Government ID number;
  • Photo;
  • Signature;
  • Employment details;
  • Loan account details;
  • Device identifiers linked to a person.

There is also sensitive personal information, which receives stronger protection. This may include data about age, marital status, health, education, genetic or sexual life, government-issued identifiers, licenses, tax returns, and other information specifically protected by law.

In lending apps, government IDs, biometric selfies, financial details, and loan data may involve sensitive or high-risk processing because misuse can lead to identity theft, harassment, discrimination, or reputational harm.

3. The Data Privacy Act and Borrower Rights

The primary law protecting borrowers’ personal data is the Data Privacy Act of 2012. It applies to personal information controllers and processors that collect, use, store, disclose, or otherwise process personal information.

Online lending companies, financing companies, lending companies, app operators, collection agencies, and third-party service providers may fall under these rules if they process borrower data.

Borrowers have several important rights:

  1. Right to be informed;
  2. Right to object;
  3. Right to access;
  4. Right to rectification;
  5. Right to erasure or blocking;
  6. Right to damages;
  7. Right to data portability, where applicable;
  8. Right to file a complaint.

The right most directly related to deletion is the right to erasure or blocking, sometimes described as the right to remove, withdraw, order blocking, or destroy personal information under certain circumstances.

4. Is There a “Right to Be Forgotten” in the Philippines?

The Philippines does not use the phrase “right to be forgotten” in exactly the same way as some foreign jurisdictions, but the Data Privacy Act provides similar protection through the right to suspend, withdraw, order blocking, removal, or destruction of personal information from a filing system under certain circumstances.

A borrower may request deletion or blocking when personal information is:

  • Incomplete;
  • Outdated;
  • False;
  • Unlawfully obtained;
  • Used for unauthorized purposes;
  • No longer necessary for the purpose for which it was collected;
  • Processed based on consent that has been withdrawn;
  • Processed in violation of the borrower’s rights;
  • Subject to unauthorized disclosure;
  • Used for harassment, shaming, threats, or abusive collection.

This means borrowers may request deletion of unnecessary or unlawfully processed data, especially data copied from phone contacts, device storage, photos, or social media if such collection was not necessary, properly disclosed, or lawfully justified.

5. Personal Information Controller and Processor

A lending company or app operator is usually the personal information controller because it decides why and how borrower data is collected and used.

A third-party service provider, such as a cloud hosting company, collection agency, verification provider, SMS provider, or analytics vendor, may be a personal information processor if it processes data on behalf of the lender.

This distinction matters because the borrower should usually direct deletion requests to the lending company or app operator as the controller. The controller is responsible for ensuring that processors also delete or stop processing the data when required.

6. Can You Demand Deletion If You Still Have an Outstanding Loan?

A borrower may request deletion of unnecessary or unlawfully collected data even if the loan is unpaid. However, the lender may legally retain data necessary to administer and collect the loan.

For example, if the loan remains unpaid, the lender may usually retain:

  • Borrower name;
  • Contact details;
  • Loan agreement;
  • Payment schedule;
  • Outstanding balance;
  • Transaction history;
  • Proof of disbursement;
  • Payment records;
  • Identity verification documents, where lawfully required;
  • Communications related to the loan;
  • Documents needed for lawful collection or legal action.

But even if the loan is unpaid, the lender should not use excessive or abusive data practices. The lender generally should not harass contacts, shame the borrower, threaten violence, disclose the debt to unrelated persons, or continue processing unnecessary data such as full phonebook contacts if such processing is not lawful, necessary, or proportionate.

Therefore:

Unpaid loan does not mean no privacy rights. Privacy rights do not automatically erase lawful debt obligations.

7. Can You Demand Deletion After Fully Paying the Loan?

After full payment, the borrower has stronger grounds to request deletion or blocking of personal data that is no longer necessary.

However, the lender may still retain certain records for lawful retention purposes, such as:

  • Accounting;
  • Auditing;
  • Tax records;
  • Anti-fraud monitoring;
  • Regulatory compliance;
  • Dispute resolution;
  • Credit reporting, if lawful;
  • Legal claims;
  • Required retention periods under applicable rules.

But the lender should not retain data indefinitely without a valid basis. It should not continue using the borrower’s information for marketing, repeated loan offers, harassment, profiling, or unauthorized sharing if the borrower has objected or withdrawn consent where applicable.

After full payment, the borrower may demand:

  • Deactivation of account;
  • Deletion of unnecessary profile data;
  • Removal from marketing lists;
  • Deletion of uploaded documents no longer needed;
  • Deletion of unlawfully accessed contacts;
  • Withdrawal of app permissions;
  • Blocking of further processing;
  • Confirmation of retention periods for records that cannot yet be deleted.

8. Consent Is Not Unlimited

Many lending apps rely on consent through app permissions, privacy policies, loan agreements, or checkboxes. But consent must be meaningful. A borrower’s consent should be informed, specific, freely given, and evidenced.

A borrower may challenge consent if:

  • The privacy policy was vague;
  • The app forced broad permissions unrelated to the loan;
  • Consent was bundled with unrelated purposes;
  • The app did not explain how contacts would be used;
  • The borrower was not told that contacts would be called or messaged;
  • The app collected more data than necessary;
  • The app used data for harassment or public shaming;
  • The app shared data with unknown third parties;
  • Consent was obtained through misleading design;
  • The borrower had no real choice.

Even if the borrower clicked “I agree,” the lender must still comply with legality, fairness, transparency, proportionality, and purpose limitation.

9. Data Minimization and Proportionality

One of the most important privacy principles is that a company should collect only the data necessary for a legitimate purpose.

In lending, it may be reasonable to collect identity, contact, income, employment, and payment information. But it may be questionable or excessive to collect the borrower’s entire contact list, gallery, messages, call logs, or unrelated personal files.

A data deletion request is stronger when the borrower can argue that the data collected was excessive or not necessary.

Examples of potentially excessive collection include:

  • Full phonebook access when only references are needed;
  • Access to photos unrelated to identity verification;
  • Access to SMS messages without clear necessity;
  • Access to call logs;
  • Continuous location tracking;
  • Access to social media accounts;
  • Uploading contacts to a server without clear notice;
  • Collecting data from non-borrowers without consent;
  • Accessing data after loan approval or repayment.

10. Common Abuses by Online Lending Apps

Borrowers often seek deletion because of abusive practices. Common complaints include:

  • Calling the borrower’s entire contact list;
  • Informing family, friends, employer, or co-workers about the debt;
  • Threatening criminal cases without basis;
  • Threatening barangay blotter, arrest, or imprisonment;
  • Using insulting or humiliating language;
  • Posting the borrower’s photo online;
  • Creating group chats to shame the borrower;
  • Sending defamatory messages to contacts;
  • Falsely accusing the borrower of fraud or theft;
  • Using edited photos or fake notices;
  • Pretending to be lawyers, police, or court officers;
  • Repeated calls at unreasonable hours;
  • Contacting references excessively;
  • Using personal information for intimidation;
  • Refusing to delete data after payment.

Such conduct may raise issues under data privacy law, lending and financing regulations, cybercrime law, civil law, criminal law, consumer protection principles, and rules on unfair debt collection.

11. Is Contact-Shaming Legal?

Contact-shaming refers to contacting the borrower’s phone contacts, relatives, co-workers, or social media connections to pressure the borrower to pay, especially by disclosing the debt or insulting the borrower.

This practice is legally risky and may be unlawful depending on the facts.

A lender may have a legitimate interest in contacting a borrower or authorized reference for verification or collection. But disclosing debt information to unrelated persons, humiliating the borrower, or using contacts to shame the borrower can violate privacy and other legal rights.

The following may be improper:

  • Telling contacts that the borrower owes money;
  • Sending screenshots of the borrower’s ID;
  • Calling the employer to shame the borrower;
  • Posting borrower details in group chats;
  • Threatening contacts;
  • Demanding payment from contacts who are not guarantors;
  • Sharing loan details with persons not authorized to receive them.

A person listed as a reference is not automatically liable for the borrower’s debt unless they separately agreed to be a co-maker, guarantor, surety, or debtor.

12. App Permissions: What to Do Immediately

A borrower who wants to stop further collection of personal data should immediately review app permissions.

Practical steps include:

  1. Open phone settings;
  2. Go to apps or application manager;
  3. Select the lending app;
  4. Review permissions;
  5. Revoke access to contacts, camera, microphone, location, SMS, storage, photos, calendar, and call logs if not needed;
  6. Disable background data if appropriate;
  7. Turn off notifications if abusive;
  8. Log out of the app;
  9. Take screenshots before uninstalling;
  10. Uninstall the app only after preserving evidence if there is abuse.

Revoking permissions stops future access from the device but may not delete data already collected and uploaded to the lender’s servers. A separate deletion request is still necessary.

13. Should You Delete the App Immediately?

Deleting or uninstalling the app may stop the app from accessing the device going forward, but it does not automatically delete the account or personal data stored by the lender.

Before deleting the app, consider preserving evidence:

  • Screenshots of permissions requested;
  • Privacy policy;
  • Terms and conditions;
  • Loan agreement;
  • Account profile;
  • Payment records;
  • Chat messages;
  • Collection threats;
  • Calls and SMS logs;
  • Names and numbers of collectors;
  • Proof of full payment;
  • Harassing messages sent to contacts.

After saving evidence, uninstalling may be appropriate, especially if the app appears abusive or continues to access unnecessary data.

14. Difference Between Uninstalling the App and Deleting Personal Data

These are not the same.

Uninstalling the App

This removes the app from your phone and may stop future device access.

Deleting the Account

This may close your app profile, but the company may still retain records.

Deleting Personal Information

This asks the company to remove, block, destroy, or stop processing your personal data, subject to legal retention.

Revoking Consent

This tells the company that you no longer consent to certain processing, such as marketing, contact access, or sharing with third parties.

Objecting to Processing

This challenges the company’s continued use of your data for purposes you dispute.

A complete privacy request should usually include deletion, blocking, withdrawal of consent, objection to processing, and request for confirmation.

15. How to Draft a Data Deletion Request

A deletion request should be addressed to the lending company’s Data Protection Officer, customer support, compliance officer, or official email address.

The request should include:

  • Borrower’s full name;
  • Registered mobile number;
  • Loan account number, if any;
  • App name;
  • Statement that the borrower is exercising rights under the Data Privacy Act;
  • Specific request to delete, block, or destroy unnecessary personal information;
  • Request to stop contacting third parties;
  • Request to stop marketing;
  • Request to confirm what data will be retained and why;
  • Proof of payment, if fully paid;
  • Request for written confirmation;
  • Deadline for response;
  • Warning that failure may result in complaint to regulators.

16. Sample Data Deletion Request

Subject: Request for Deletion, Blocking, and Cessation of Processing of Personal Information

To the Data Protection Officer / Compliance Officer:

I am [Full Name], registered in your lending app under mobile number [number] and loan account number [account number, if available].

I am exercising my rights as a data subject under the Data Privacy Act of 2012. I request that your company immediately delete, block, remove, or destroy my personal information that is no longer necessary, unlawfully obtained, excessive, or used beyond the legitimate purpose of the loan transaction.

This request includes, but is not limited to:

  1. Data obtained from my phone contacts, call logs, SMS, photos, storage, device, or location, if collected;
  2. Data of my relatives, friends, employer, co-workers, or other third parties obtained through my device;
  3. Copies of personal documents no longer necessary for lawful retention;
  4. Marketing, profiling, and reloan offer data;
  5. Any data shared with collection agents, third-party processors, affiliates, or outsourced service providers beyond what is legally necessary.

I also withdraw consent to any unnecessary processing and object to any further use, disclosure, or sharing of my personal information for marketing, harassment, public shaming, unauthorized collection, or contact of third parties.

If you claim that certain information must be retained, please identify each category of retained data, the specific legal basis for retention, the purpose of retention, the retention period, the persons or entities with access to the data, and the safeguards applied.

Please provide written confirmation that my request has been acted upon.

Sincerely, [Name] [Date] [Contact Details]

17. Sample Short Message for App or Email Support

Subject: Delete My Personal Data

I am requesting deletion, blocking, and cessation of processing of my personal information under the Data Privacy Act. Please delete all unnecessary, excessive, unlawfully obtained, or no-longer-needed data connected to my account, including contacts or device data if collected. I also withdraw consent for marketing, third-party disclosure, and contact-shaming. Please confirm what data has been deleted and what data, if any, you claim must be retained by law.

18. If the Loan Is Fully Paid

If the loan has been fully paid, the request should emphasize that the original loan purpose has been completed.

The borrower may add:

“My loan has been fully paid as of [date]. Since the purpose of collection has been fulfilled, please delete or block all personal data no longer necessary for lawful retention and stop all further processing, marketing, collection, profiling, or third-party disclosure.”

Attach proof of payment, such as:

  • Official receipt;
  • Payment confirmation;
  • Screenshot of successful payment;
  • Email acknowledgment;
  • App status showing paid;
  • Statement of account showing zero balance.

19. If the Loan Is Still Unpaid

If the loan is unpaid, the borrower can still request deletion of excessive data and stop abusive processing.

The borrower may say:

“I understand that you may retain information necessary to administer or lawfully collect the outstanding loan. However, I object to the continued processing, use, or disclosure of excessive or unnecessary personal data, including my phone contacts, third-party contact data, photos, device data, location data, and any information used for harassment, shaming, threats, or unauthorized disclosure.”

The borrower should avoid falsely claiming full payment if the loan is unpaid. Privacy rights should be asserted truthfully.

20. Request for Access Before Deletion

Sometimes it is better to request access first before requesting deletion. This allows the borrower to know what data the company has collected.

A borrower may request:

  • Categories of personal data collected;
  • Sources of data;
  • Purposes of processing;
  • Recipients of data;
  • Third parties or collection agencies involved;
  • Copies of personal data;
  • Retention period;
  • Privacy policy relied upon;
  • Legal basis for processing;
  • Automated decision-making or profiling details;
  • Whether contacts were uploaded;
  • Whether data was shared outside the Philippines.

This can be useful before filing a complaint.

21. Sample Access Request

Subject: Request for Access to Personal Information

To the Data Protection Officer / Compliance Officer:

I am exercising my right to access my personal information under the Data Privacy Act. Please provide the following:

  1. All categories of my personal data collected through your app;
  2. All sources of such data;
  3. Purposes of processing;
  4. Legal basis for processing;
  5. Copies of personal data in your custody;
  6. Identities or categories of third parties to whom my data was disclosed;
  7. Whether my phone contacts, call logs, SMS, photos, storage, location, or device data were accessed or uploaded;
  8. Retention period for each category of data;
  9. Whether my data was used for automated scoring, profiling, marketing, or collection;
  10. Name and contact details of your Data Protection Officer.

Please provide your written response.

Sincerely, [Name]

22. Withdrawal of Consent

Where processing is based on consent, the borrower may withdraw consent. This is especially important for marketing, promotional offers, contact access, profiling, and third-party sharing.

However, withdrawal of consent does not necessarily erase the loan obligation or prevent the lender from processing information necessary to perform the contract, comply with law, or pursue lawful claims.

The borrower should be specific:

  • “I withdraw consent for marketing messages.”
  • “I withdraw consent for access to my contacts.”
  • “I withdraw consent for sharing with affiliates for promotional offers.”
  • “I withdraw consent for use of my photo outside identity verification.”
  • “I withdraw consent for contacting third parties not legally liable for my debt.”

23. Objection to Processing

The borrower may object to processing when data is being used in a way that is excessive, harmful, unlawful, or inconsistent with the original purpose.

For example:

  • Debt-shaming;
  • Posting personal details;
  • Calling unrelated contacts;
  • Using personal photos as threats;
  • Sending loan details to employer;
  • Marketing after repayment;
  • Repeated profiling after account closure;
  • Sharing data with undisclosed collection agencies.

An objection should be made in writing so there is proof.

24. Demand to Stop Contacting Third Parties

A borrower should separately demand that the lending app and collectors stop contacting third parties unless those persons are lawful co-borrowers, guarantors, sureties, or authorized representatives.

A suggested wording:

“You are directed to cease contacting, messaging, calling, threatening, or disclosing my loan information to my relatives, friends, employer, co-workers, phone contacts, or other third parties who are not legally obligated for this loan. Any such disclosure is unauthorized and may be the subject of a complaint.”

This demand is especially important when collection agents are using the borrower’s phone contacts.

25. What Information Can a Lender Refuse to Delete?

A lender may refuse immediate deletion of certain information if retention is legally justified.

Examples may include:

  • Loan contract;
  • Proof of identity used for Know-Your-Customer checks;
  • Records required by regulators;
  • Accounting records;
  • Tax records;
  • Anti-fraud records;
  • Payment history;
  • Outstanding balance;
  • Complaint records;
  • Litigation or dispute documents;
  • Records needed to establish, exercise, or defend legal claims.

But the lender should explain:

  • What data is retained;
  • Why it is retained;
  • For how long;
  • Who can access it;
  • What safeguards exist;
  • Whether it will be blocked from active use;
  • Whether it will be deleted after the retention period.

A blanket refusal without explanation may be challenged.

26. Blocking Instead of Deletion

If immediate deletion is not possible because of lawful retention, the borrower may request blocking or restricted processing.

Blocking means the data is retained only for limited legal purposes and is no longer actively used for marketing, harassment, reloan offers, profiling, or unnecessary disclosure.

This is often a practical compromise:

  • Retain legally required loan records;
  • Delete excessive app data;
  • Block marketing use;
  • Stop third-party disclosure;
  • Restrict collection agents;
  • Delete data after the retention period.

27. How Long Can Lending Apps Keep Data?

There is no single universal retention period for all categories of lending app data. Different data categories may have different retention periods depending on law, regulation, business need, contract, accounting, tax, anti-fraud, dispute, or legal claim requirements.

However, the general rule is that personal data should not be kept longer than necessary for the declared, specified, and legitimate purpose.

A responsible lending app should have a data retention policy stating:

  • What data is collected;
  • Purpose of each data category;
  • Retention period;
  • Deletion schedule;
  • Security measures;
  • Process for deletion requests;
  • Handling of backups;
  • Handling of third-party processors;
  • Contact details of the Data Protection Officer.

Borrowers may request a copy or summary of the retention policy.

28. What If the App Says You Agreed to the Privacy Policy?

A privacy policy does not automatically legalize all processing. The policy must be lawful, fair, transparent, and consistent with the Data Privacy Act.

A borrower may respond:

“Consent to a privacy policy does not authorize excessive, unlawful, unnecessary, or abusive processing. I request that you identify the specific legal basis for each category of data retained or processed and explain why continued processing is necessary and proportionate.”

This is especially important when the app uses a broad privacy policy to justify contact harvesting or public shaming.

29. What If the App Has No Data Protection Officer Contact?

A covered company should have a responsible privacy contact or officer. If the app does not provide a Data Protection Officer, privacy email, office address, or complaint channel, the borrower may send the request to all available official channels:

  • Customer support email;
  • App support email;
  • Registered business email;
  • Website contact form;
  • In-app chat;
  • Company office address;
  • Collection email;
  • Official social media page.

Keep screenshots and proof of sending.

A lack of visible privacy contact may itself support a complaint.

30. How to Preserve Evidence

Before making a complaint, preserve evidence carefully.

Useful evidence includes:

  • Screenshots of the app permissions;
  • Screenshots of privacy policy and terms;
  • Screenshots of account profile;
  • Loan agreement;
  • Disclosure statement;
  • Payment confirmation;
  • Demand letters;
  • Messages from collectors;
  • Call logs;
  • Voice recordings, where lawfully obtained;
  • Messages sent to contacts;
  • Affidavits or screenshots from contacts;
  • Harassing group chats;
  • Threats;
  • Names and numbers used by collectors;
  • App name and developer name;
  • Links to app store listing;
  • Company registration details, if known;
  • Proof of deletion request;
  • Proof of company response or non-response.

Do not fabricate evidence. Do not edit screenshots in a misleading way. Preserve originals.

31. Filing a Complaint with the National Privacy Commission

For data privacy violations, the main privacy regulator is the National Privacy Commission.

A complaint may be appropriate if the lending app:

  • Refuses to delete unlawfully processed data;
  • Ignores a valid data subject request;
  • Harasses contacts using personal data;
  • Publicly shames the borrower;
  • Discloses loan information without authority;
  • Collects excessive device data;
  • Uses personal information beyond the stated purpose;
  • Fails to identify its Data Protection Officer;
  • Suffers a data breach;
  • Retains data without lawful basis;
  • Continues processing after withdrawal of consent;
  • Shares data with undisclosed third parties.

Before filing, it is usually helpful to show that the borrower first contacted the company and gave it a chance to respond, unless the harm is urgent or severe.

32. What to Include in a Privacy Complaint

A privacy complaint should include:

  • Borrower’s name and contact details;
  • Name of the lending app;
  • Name of lending company, if known;
  • Account details;
  • Description of the violation;
  • Dates and times of incidents;
  • Copies of messages, calls, or screenshots;
  • Proof that contacts were harassed;
  • Copy of deletion request;
  • Company response, if any;
  • Proof of payment, if relevant;
  • Explanation of harm suffered;
  • Relief requested.

Relief may include:

  • Deletion of personal data;
  • Blocking of processing;
  • Cessation of harassment;
  • Disclosure of data recipients;
  • Investigation;
  • Penalties;
  • Damages, where appropriate;
  • Other corrective action.

33. Complaint to the Securities and Exchange Commission

Many online lending companies are lending companies or financing companies regulated by the Securities and Exchange Commission. Complaints may be filed where the app engages in unfair, abusive, or unlawful lending and collection practices.

Issues that may involve the SEC include:

  • Unregistered lending app;
  • Misleading loan terms;
  • Excessive charges;
  • Abusive collection;
  • Threats;
  • Public shaming;
  • Unauthorized disclosure to contacts;
  • Misrepresentation as law enforcement;
  • Failure to disclose corporate identity;
  • Use of unregistered or abusive collection agents.

A borrower may consider filing complaints with both the privacy regulator and the corporate/lending regulator when both privacy and lending abuses are involved.

34. Complaint to App Stores

Borrowers may also report abusive lending apps to app stores. While this is not a legal remedy in the same way as a regulator complaint, it can help trigger platform review.

Report reasons may include:

  • Harassment;
  • Misuse of contacts;
  • Misleading loan terms;
  • Excessive permissions;
  • Impersonation;
  • Threats;
  • Privacy violations;
  • Fraudulent behavior.

Include screenshots and explain clearly.

35. Police, Cybercrime, and Criminal Complaints

Some conduct may go beyond data privacy and become criminal or cybercrime-related.

Examples include:

  • Threats of harm;
  • Extortion;
  • Identity theft;
  • Cyberlibel;
  • Online harassment;
  • Unauthorized access;
  • Use of fake court or police documents;
  • Public posting of personal information;
  • Altered photos;
  • Blackmail;
  • Grave threats;
  • Unjust vexation;
  • Slander or libel;
  • Use of personal data to commit fraud.

A borrower who receives threats or whose information is posted online may consider reporting to law enforcement or a cybercrime unit.

36. Civil Remedies

A borrower may also consider civil action when the lending app or collectors cause damage.

Possible civil claims may involve:

  • Violation of privacy;
  • Damages for abuse of rights;
  • Defamation;
  • Breach of contract;
  • Harassment;
  • Moral damages;
  • Exemplary damages;
  • Attorney’s fees;
  • Injunction.

Civil cases require evidence and legal strategy. They may be costly and time-consuming, so the borrower should assess proportionality and remedies.

37. Can Debt Be Erased by Asking for Data Deletion?

No. A deletion request does not erase a valid debt.

The borrower’s privacy rights and debt obligations are separate. A borrower may demand deletion of excessive or unlawfully processed data, but the lender may still pursue lawful collection of a valid unpaid loan.

Likewise, a borrower should not use deletion rights to hide from legitimate obligations. The stronger legal position is to assert privacy rights while addressing the debt honestly.

38. Can a Borrower Demand Deletion of Contact List Data?

Yes, this is often one of the strongest privacy demands.

Contacts belong not only to the borrower but also involve third persons who may not have consented to the lending app’s processing. Uploading, storing, or using an entire contact list can be difficult to justify unless strictly necessary and properly disclosed.

A borrower may demand that the app:

  • Delete uploaded contact list data;
  • Stop contacting third parties;
  • Identify whether contacts were uploaded;
  • Identify recipients of contact data;
  • Confirm deletion from servers and processors;
  • Stop using contacts for collection pressure.

Contacts should not be treated as automatic guarantors.

39. Can a Borrower Demand Deletion of Photos and IDs?

A borrower may request deletion of photos and IDs that are no longer necessary. However, lenders may claim they need to retain identity verification documents for legal, regulatory, anti-fraud, or dispute purposes.

If the lender refuses deletion, the borrower may request blocking or restricted access and ask:

  • Why retention is required;
  • How long it will be retained;
  • Who can access it;
  • Whether it is encrypted;
  • Whether it was shared;
  • Whether it will be deleted after the retention period.

The lender should not use IDs or photos for harassment, public posting, memes, threats, or disclosure to contacts.

40. Can a Borrower Demand Deletion from Collection Agencies?

The borrower should direct the lending company to ensure deletion or cessation by its collection agencies and processors.

The lender cannot avoid responsibility by saying, “The collector did it.” If the collector processed personal data on behalf of the lender, the lender may still be responsible for ensuring lawful processing.

The borrower may demand:

  • List of collection agencies that received data;
  • Deletion instructions sent to those agencies;
  • Confirmation of compliance;
  • End of unauthorized calls or messages;
  • Identification of collectors who harassed contacts.

41. Can the Borrower Demand Deletion from Credit Databases?

This is more complicated. If the lender lawfully reports credit information to authorized credit bureaus or databases, deletion may not be automatic merely because the borrower asks.

However, the borrower may demand correction or deletion of inaccurate, outdated, unauthorized, or unlawfully reported information.

The borrower may also request information about:

  • Whether data was reported;
  • To whom it was reported;
  • What data was reported;
  • Legal basis for reporting;
  • How to dispute inaccurate records.

Accurate credit information may be retained for lawful credit reporting purposes, subject to applicable rules.

42. Marketing Messages and Reloan Offers

Borrowers often continue receiving reloan offers after paying off a loan. They may object to marketing and withdraw consent.

A borrower may say:

“I withdraw consent to marketing, promotional messages, reloan offers, automated profiling, and sharing of my information with affiliates or third parties for advertising. Please remove my number, email, device ID, and account from all marketing databases.”

Marketing is one area where deletion or opt-out requests are usually easier to justify.

43. Data Breach Issues

If a lending app exposes personal information through hacking, unauthorized access, employee misuse, or uncontrolled disclosure by collectors, a data breach may exist.

A borrower may ask:

  • Was there a data breach?
  • What information was affected?
  • When did the company discover it?
  • What steps were taken?
  • Was the regulator notified?
  • Were affected borrowers notified?
  • What safeguards are now in place?
  • What remedies are offered?

Unauthorized disclosure to contacts may also raise breach-like concerns, especially if data was intentionally or negligently disclosed.

44. Special Concern: Third-Party Contacts

When a borrower’s contacts are harvested, third parties become affected even though they never borrowed money.

These third parties may have their own rights. A family member, friend, employer, or co-worker whose number was collected or harassed may demand deletion of their own personal information and may complain if their data was misused.

A borrower can ask contacts to send screenshots and statements, but should avoid exposing their contacts to further harm.

45. How to Deal with Harassing Collectors

When collectors call or message abusively:

  • Do not respond emotionally;
  • Ask for their full name, company, authority, and official contact details;
  • Do not admit false amounts;
  • Do not agree to illegal charges;
  • Take screenshots;
  • Save call logs;
  • Record details of date and time;
  • Demand written computation;
  • Demand that third-party contact stop;
  • Send formal complaint to the lender;
  • Report serious threats.

A suggested response:

“Please communicate only through lawful channels. Do not contact my relatives, employer, co-workers, or phone contacts. Do not disclose my personal information or loan details to third parties. Please send the official statement of account and your authority to collect.”

46. What If the App Threatens Imprisonment?

Nonpayment of debt is generally a civil matter, not automatic imprisonment. However, fraud, fake documents, or criminal conduct may create separate issues.

Collectors sometimes use threats of arrest, estafa, barangay blotter, or police action to pressure borrowers. Such threats may be misleading or abusive if made without legal basis.

A borrower should not ignore legitimate legal notices, but should distinguish between official court documents and intimidation messages from collectors.

47. Barangay Complaints

For harassment involving local individuals, barangay conciliation may sometimes be relevant, especially if the collector or lender’s representative is identifiable and within the same locality. However, many online lending disputes involve companies, apps, or collectors outside the borrower’s area, making barangay proceedings less practical.

Privacy and lending complaints are usually more appropriately directed to regulators when the issue involves app-based processing and company practices.

48. Demand Letter Through Counsel

For serious harassment, repeated refusal to delete data, or large exposure of personal information, a lawyer’s demand letter may be effective.

A legal demand may include:

  • Notice of Data Privacy Act rights;
  • Demand to delete or block data;
  • Demand to cease third-party contact;
  • Demand to preserve evidence;
  • Demand to identify processors;
  • Demand for damages;
  • Warning of regulatory, civil, or criminal action.

A lawyer can also help determine whether to file a complaint with regulators or courts.

49. Special Issue: Multiple Lending Apps

Many borrowers use several lending apps. Each app may have separately collected data. Deleting one app or sending one request does not cover all other apps.

A borrower should make a list:

  • App name;
  • Company name;
  • Loan account number;
  • Amount borrowed;
  • Payment status;
  • Permissions granted;
  • Contacts harassed;
  • Official email or support channel;
  • Date deletion request was sent;
  • Response received.

Send separate requests to each company.

50. Special Issue: Fake or Unregistered Lending Apps

Some apps may operate under unclear names, foreign entities, shell companies, or changing app names. This makes deletion requests harder.

The borrower should identify:

  • App developer name;
  • Company name in loan agreement;
  • Payment recipient;
  • Collection agency name;
  • SMS sender names;
  • Email addresses;
  • Bank or e-wallet accounts;
  • App store link;
  • Website;
  • Business address;
  • SEC registration number, if shown.

Even if the company is hard to identify, preserve evidence and report the app to regulators and app stores.

51. Special Issue: Overseas Operators

Some online lending apps may use foreign servers, foreign owners, or outsourced collectors. Philippine data privacy law may still apply when personal information of individuals in the Philippines is processed in connection with business conducted in the Philippines or when equipment or systems in the Philippines are used.

The borrower can still assert rights against the local lender, operator, or entity offering loans to Philippine residents.

52. Special Issue: Data in Backups

Companies may claim that deletion from backups cannot happen immediately. This may be reasonable in some technical situations, but the company should ensure that backup data is not restored into active systems except for legitimate purposes and that it is deleted or overwritten according to a retention schedule.

The borrower may ask:

  • Has my data been deleted from active systems?
  • Is it still in backups?
  • When will backups be overwritten?
  • Is backup data blocked from ordinary access?
  • Will processors also delete it?

53. Special Issue: Shared Data with Affiliates

Some lending apps share borrower data with affiliates, partner lenders, advertisers, collection agencies, analytics providers, or marketing platforms.

A deletion request should include affiliates and third parties:

“Please also notify all affiliates, processors, collection agencies, marketing partners, analytics providers, and other third parties to whom you disclosed my data to delete, block, or stop processing my personal information, unless legally required to retain it.”

The borrower may also request a list of recipients.

54. Special Issue: Automated Credit Scoring

Online lending apps may use automated scoring based on personal data, device data, behavior, repayment history, or other indicators.

Borrowers may ask whether automated decision-making or profiling was used and may object to continued profiling after repayment or account closure.

If scoring used excessive data such as contacts, SMS, or device behavior, the borrower may challenge whether the processing was necessary and lawful.

55. Special Issue: Employer Contact

Some lending apps ask for employer details. Contacting an employer may be legitimate for employment verification if properly disclosed and limited. But telling an employer about the debt, threatening workplace consequences, or shaming the borrower may be abusive.

A borrower may demand:

  • No disclosure of loan information to employer;
  • No calls to HR except authorized verification;
  • No threats of termination;
  • No sending of borrower photos or IDs;
  • No repeated workplace harassment.

56. Special Issue: References

A character reference is not automatically a co-borrower. A lender may contact a reference for limited verification if the borrower authorized it and the reference was properly identified for that purpose. But the lender should not harass the reference, demand payment, or disclose unnecessary loan details.

If a reference asks not to be contacted, the lender should respect that unless there is a lawful basis.

57. Special Issue: Family Members

Family members are not automatically liable for a borrower’s debt. A spouse, parent, sibling, child, or relative does not become responsible merely because the borrower listed them, because their number appeared in contacts, or because they are related.

A lender should not shame a borrower through family members or demand payment from relatives who did not sign as borrowers, co-makers, guarantors, or sureties.

58. Special Issue: Public Posting of Borrower Data

Posting a borrower’s name, photo, ID, address, phone number, debt amount, or accusation online is extremely risky for the lender or collector. It may involve privacy violations, defamation, harassment, cybercrime, or civil liability.

The borrower should immediately take screenshots, copy URLs, identify posters, report the content to the platform, and consider regulatory or legal action.

A takedown request should be sent to both the platform and the lender.

59. Special Issue: Threatening Messages to Contacts

If contacts receive messages calling the borrower a scammer, criminal, thief, or fraudster, preserve the messages. Such statements may be defamatory if false and may also involve unauthorized disclosure of personal information.

The borrower should ask contacts to keep screenshots with visible date, time, sender number, and message content.

60. Special Issue: Fake Legal Documents

Some collectors send fake subpoena, warrant, court order, police notice, barangay notice, or attorney demand letters. Borrowers should verify whether a document is genuine.

Warning signs include:

  • No real court name;
  • No case number;
  • No judge or clerk details;
  • Threat of immediate arrest for ordinary debt;
  • Poor grammar;
  • Unofficial email;
  • Payment demand to personal e-wallet;
  • Use of police logos without authority;
  • Refusal to provide lawyer details.

Using fake legal documents may create additional liability.

61. Practical Step-by-Step Guide to Delete Personal Information

Step 1: Identify the Lending App and Company

Find the app name, company name, support email, registered address, and loan account details.

Step 2: Check Loan Status

Determine whether the loan is paid, unpaid, disputed, or overcharged.

Step 3: Preserve Evidence

Take screenshots of app permissions, privacy policy, loan details, payment proof, and abusive messages.

Step 4: Revoke App Permissions

Disable contacts, location, camera, storage, SMS, microphone, and other unnecessary permissions.

Step 5: Send a Data Deletion Request

Email or message the company’s DPO, support, or official channel.

Step 6: Demand Cessation of Third-Party Contact

Specifically prohibit contact with relatives, employer, co-workers, and phone contacts.

Step 7: Request Confirmation

Ask the company to confirm what was deleted, what was retained, why, and for how long.

Step 8: Follow Up

Send a follow-up if there is no response.

Step 9: File Complaints if Needed

Complain to the National Privacy Commission, SEC, app stores, or law enforcement depending on the violation.

Step 10: Monitor for Continued Misuse

Watch for new calls, messages, marketing, or harassment after deletion request.

62. What to Write in the Subject Line

Useful subject lines include:

  • “Data Privacy Request: Delete My Personal Information”
  • “Request for Erasure and Blocking of Personal Data”
  • “Withdrawal of Consent and Objection to Processing”
  • “Demand to Stop Contacting Third Parties”
  • “Data Privacy Complaint and Deletion Request”
  • “Cease Unauthorized Processing of Personal Information”

A clear subject line helps show that the company received a formal privacy request.

63. What Not to Do

Borrowers should avoid:

  • Ignoring lawful debt obligations;
  • Sending threats to collectors;
  • Posting collector personal data unlawfully;
  • Fabricating screenshots;
  • Deleting evidence before saving it;
  • Paying to unknown personal accounts without verification;
  • Giving more personal information to suspicious agents;
  • Installing more suspicious loan apps;
  • Sharing OTPs or passwords;
  • Agreeing to new loans under pressure;
  • Allowing contacts access again after revoking permissions;
  • Signing settlement terms without reading them.

64. Settlement and Data Deletion

If settling a loan, include privacy terms in the settlement:

  • Confirmation of full settlement;
  • Zero balance statement;
  • No further collection;
  • Deletion or blocking of unnecessary personal data;
  • No contact with third parties;
  • Withdrawal from marketing;
  • Correction of credit records, if applicable;
  • Confirmation that collectors have been instructed to stop.

A written settlement is better than a verbal promise.

65. Sample Settlement Privacy Clause

“The lender confirms that upon receipt of the settlement amount, the account shall be considered fully paid and closed. The lender shall cease all collection activity, stop contacting third parties, withdraw the account from collection agencies, and delete or block personal information no longer necessary for lawful retention. The lender shall not use the borrower’s personal information for marketing, reloan offers, harassment, public disclosure, or unauthorized sharing.”

66. If the Lender Retaliates After a Deletion Request

If harassment worsens after asserting privacy rights, preserve evidence and escalate.

Retaliation may include:

  • More frequent calls;
  • Contacting more people;
  • Threats;
  • Public posting;
  • False accusations;
  • Refusal to issue receipt;
  • Inflated charges;
  • Blocking access to payment records.

Include the retaliation in regulatory complaints.

67. If the App Refuses Because of “System Limitations”

A company cannot avoid legal obligations merely by saying its system cannot delete data. It should have reasonable mechanisms for data subject requests, retention controls, access restrictions, and deletion processes.

The borrower may respond:

“Please explain the specific technical limitation, the data affected, the alternative safeguards applied, the date when deletion or blocking will be completed, and the person responsible for compliance.”

68. If the App Says “We Already Deleted It”

Ask for written confirmation specifying:

  • Date of deletion;
  • Categories of data deleted;
  • Categories retained;
  • Reason for retention;
  • Third parties notified;
  • Confirmation that contacts were deleted;
  • Confirmation that marketing stopped;
  • Confirmation that collectors were instructed.

A vague “done” may not be enough if harassment continues.

69. If Collectors Continue After Deletion Confirmation

If collectors continue contacting the borrower or third parties, the borrower may say:

“Your company confirmed deletion/blocking on [date], yet collection agents continue using my personal data. Please explain why my data remains available and identify the persons or agencies responsible. I reserve the right to file complaints.”

This suggests weak internal controls or false confirmation.

70. If the Borrower Has Multiple Phone Numbers

Include all numbers used in the app or contacted by collectors. Otherwise, the company may claim it could not identify the account.

List:

  • Registered number;
  • Alternate number;
  • Old number;
  • Number used for disbursement;
  • Number used for payment;
  • Email address;
  • App account ID.

71. If the Borrower Changed Phones

Changing phones does not delete data already uploaded. The borrower should still send a deletion request and revoke permissions on any device where the app remains installed.

72. If the Borrower Used a Relative’s Phone

If the borrower installed the app on a relative’s phone, the app may have accessed the relative’s contacts or device data. The relative may also submit a data deletion complaint or request as an affected data subject.

This is a serious issue because the app may have collected data from a person who was not the borrower.

73. If the App Collected Contacts Without Consent of Contacts

The borrower may raise that third-party contacts did not consent to collection or use of their personal information. The company should explain its lawful basis for processing those contacts.

A strong request may say:

“Please delete all personal information of third parties obtained from my device, including contacts who did not consent to your collection, storage, use, or disclosure of their personal data.”

74. If the App Accessed Photos or Files

If photos, IDs, screenshots, or files were accessed, ask whether they were uploaded or merely accessed locally.

Demand deletion of any uploaded files that are not necessary. If the app used photos for threats or public shaming, preserve evidence and escalate.

75. If the App Accessed SMS

Some apps may access SMS to verify OTPs, analyze transactions, or profile borrowers. This is highly intrusive. The borrower may ask:

  • What SMS data was accessed?
  • Was SMS content uploaded?
  • Was it used for credit scoring?
  • Was it shared?
  • What is the legal basis?
  • Has it been deleted?

SMS may contain third-party personal information and sensitive financial data.

76. If the App Accessed Location

Location data can reveal home, workplace, travel patterns, and sensitive routines. The borrower may demand deletion of location logs unless legally necessary.

Continuous tracking after loan approval or repayment may be difficult to justify.

77. If the App Uses Social Media

If the app requested social media login, friend list, profile, or posts, the borrower may revoke access from the social media platform’s settings and demand deletion of data already collected.

Also check connected apps in Facebook, Google, or other accounts and remove app access.

78. If the Borrower Wants Total Account Closure

A request for account closure should include:

  • Delete account;
  • Close profile;
  • Stop marketing;
  • Stop reloan offers;
  • Block retained legal records from active use;
  • Delete device and contact data;
  • Notify third parties;
  • Confirm closure.

But if a loan is unpaid, the lender may refuse full account closure until the obligation is resolved.

79. Timeframe for Response

The company should respond within a reasonable period under data privacy rules and its own privacy policy. If there is no response, the borrower should follow up in writing and then consider filing a complaint.

A reasonable follow-up may say:

“I sent a data subject request on [date]. I have not received a proper response. Please act on my request or provide the legal basis for refusal. If I do not receive a response, I may file a complaint with the proper authorities.”

80. How to Write a Strong Follow-Up

Subject: Follow-Up on Data Deletion Request

I sent a request on [date] asking for deletion, blocking, and cessation of processing of my personal information. I have not received a complete response.

Please confirm:

  1. What data has been deleted;
  2. What data is retained;
  3. Legal basis for retention;
  4. Retention period;
  5. Whether my contacts were collected;
  6. Whether third parties received my data;
  7. Whether collection agencies were instructed to stop;
  8. Whether marketing and reloan offers have stopped.

Failure to respond may be included in a complaint.

81. Legal Strategy: Do Not Rely on Deletion Alone

Deletion requests are important but should be part of a broader strategy.

For unpaid loans:

  • Ask for statement of account;
  • Dispute illegal charges;
  • Negotiate settlement;
  • Demand lawful collection only;
  • Stop third-party harassment;
  • Preserve evidence.

For paid loans:

  • Demand account closure;
  • Demand deletion;
  • Demand zero balance certificate;
  • Stop marketing;
  • Monitor credit reports, if applicable.

For harassment:

  • Preserve evidence;
  • Demand cessation;
  • File complaints;
  • Consider legal counsel.

82. Data Deletion and Loan Overcharges

Some borrowers want deletion because they believe the app charged excessive interest, hidden fees, or illegal penalties. Data deletion does not directly resolve overcharging. The borrower should separately request a statement of account and dispute the computation.

Ask for:

  • Principal amount;
  • Interest rate;
  • Processing fee;
  • Service fee;
  • Penalties;
  • Due date;
  • Total amount paid;
  • Remaining balance;
  • Legal basis of charges.

Privacy complaints and lending complaints can proceed together.

83. What If the App Uses Different Names?

Some lending operations use one app name, another company name, and another collector name. In your complaint or deletion request, include all names.

Example:

“This request covers [App Name], [Company Name], [Collection Agency Name], and any affiliates, agents, processors, or representatives acting on your behalf.”

This prevents the company from avoiding responsibility through name changes.

84. What If There Is No Response at All?

If there is no response:

  1. Send a follow-up;
  2. Preserve proof of sending;
  3. Take screenshots of bounced emails or ignored chats;
  4. File a complaint;
  5. Report to app stores;
  6. Consider reporting to lending regulators;
  7. Consider legal counsel if harm is serious.

Non-response may support the claim that the company lacks proper data subject rights mechanisms.

85. What If You Cannot Identify the Company?

Use available clues:

  • App store listing developer;
  • Privacy policy;
  • Terms and conditions;
  • Loan agreement;
  • Payment recipient;
  • SMS sender;
  • Email domain;
  • Collection message signature;
  • Business permit details;
  • SEC registration number;
  • Customer service number;
  • Bank account name;
  • E-wallet recipient name.

Attach all available identifiers to complaints.

86. Data Protection Officer Demand

A borrower may demand contact with the Data Protection Officer:

“Please provide the name or office designation and contact details of your Data Protection Officer or responsible privacy officer handling this request.”

A company that processes large amounts of borrower data should have a responsible privacy contact.

87. Use of Personal Information for Collection

A lender may process personal data for lawful collection, but only within legal limits.

Lawful collection may include:

  • Contacting the borrower;
  • Sending payment reminders;
  • Providing statement of account;
  • Referring account to authorized collection agency;
  • Filing a civil case;
  • Reporting to authorized credit systems, if lawful.

Unlawful or abusive collection may include:

  • Public shaming;
  • Threats;
  • Harassing contacts;
  • False criminal accusations;
  • Misuse of IDs and photos;
  • Repeated calls at unreasonable hours;
  • Pretending to be police or court personnel;
  • Disclosing debt to unrelated persons.

The borrower may demand deletion or blocking of data used for abusive collection.

88. The Role of Privacy Policy

A privacy policy should explain:

  • What data is collected;
  • Why it is collected;
  • How it is used;
  • With whom it is shared;
  • How long it is kept;
  • How to exercise rights;
  • How to contact the DPO;
  • Security measures;
  • Cross-border transfers, if any.

If the policy is vague, hidden, misleading, or different from actual practices, the borrower may challenge the processing.

89. Red Flags in Lending App Privacy Practices

Watch for:

  • App asks for full contacts;
  • App requires unnecessary permissions;
  • No company name;
  • No DPO contact;
  • No privacy policy;
  • Privacy policy is copied or generic;
  • Loan terms are unclear;
  • Collection agents use personal numbers;
  • App threatens access to contacts;
  • App sends messages to contacts;
  • App refuses deletion after payment;
  • App demands payment through personal accounts;
  • App changes names frequently;
  • App offers instant approval but demands broad device access.

These red flags support caution and possible complaints.

90. Borrower’s Rights Are Not Waived by Default

Even if a borrower needed money urgently, accepted terms quickly, or clicked through the app, privacy rights remain protected. A desperate financial situation does not give a lender unlimited authority to collect and misuse personal data.

Contracts, consents, and app permissions must still comply with law.

91. Practical Template: Complete Deletion and Anti-Harassment Demand

Subject: Data Privacy Demand: Deletion, Blocking, and Stop Third-Party Contact

To the Data Protection Officer / Compliance Officer:

I am [Full Name], registered under mobile number [number] in [App Name].

I request the deletion, blocking, removal, and destruction of my personal information that is unnecessary, excessive, unlawfully obtained, outdated, or no longer needed for the purpose of my loan transaction. I also withdraw consent to marketing, profiling, contact access, third-party disclosure, and use of my data for reloan offers.

You are specifically directed to delete or block data obtained from my phone contacts, call logs, SMS, photos, files, storage, location, device, social media, and other app permissions, unless you can identify a specific lawful basis and retention period.

You are also directed to stop contacting, messaging, threatening, or disclosing my loan information to my relatives, friends, employer, co-workers, phone contacts, references, or any third party who is not legally liable for the loan.

Please provide written confirmation of:

  1. Data deleted;
  2. Data retained;
  3. Legal basis for retention;
  4. Retention period;
  5. Third parties or collection agencies that received my data;
  6. Confirmation that those third parties were instructed to delete, block, or stop processing the data;
  7. Confirmation that marketing and reloan offers have stopped.

Failure to act on this request may be included in complaints before the proper authorities.

Sincerely, [Name] [Date]

92. Checklist for Filing a Complaint

Before filing a complaint, prepare:

  • Valid ID;
  • App name;
  • Company name;
  • Loan account number;
  • Timeline of events;
  • Data deletion request;
  • Follow-up message;
  • Company response or non-response;
  • Screenshots of harassment;
  • Contact screenshots from relatives or friends;
  • Call logs;
  • Payment proof;
  • Privacy policy screenshots;
  • App permissions screenshots;
  • Loan agreement;
  • Statement of account;
  • Names/numbers of collectors;
  • Description of harm suffered.

Organize evidence chronologically.

93. Possible Remedies to Request

A borrower may request:

  • Deletion of unlawfully processed data;
  • Blocking of retained data;
  • Stop to third-party contact;
  • Removal from marketing list;
  • Disclosure of data recipients;
  • Correction of inaccurate records;
  • Investigation of collectors;
  • Sanctions for abusive processing;
  • Damages where allowed;
  • Takedown of public posts;
  • Written apology or correction;
  • Confirmation of account closure;
  • Zero balance certificate after payment.

94. Best Practices Before Using Any Lending App

To avoid future problems:

  • Check if the lender is legitimate;
  • Read the privacy policy;
  • Review app permissions before installing;
  • Avoid apps requiring full contact access;
  • Avoid apps with unclear company identity;
  • Avoid apps that charge unclear fees;
  • Use only reputable lending institutions;
  • Do not upload unnecessary documents;
  • Do not use another person’s phone;
  • Do not list references without permission;
  • Keep screenshots of loan terms;
  • Pay only through official channels;
  • Maintain your own records.

95. Best Practices After Repayment

After fully paying:

  • Save proof of payment;
  • Request certificate of full payment or zero balance;
  • Request account closure;
  • Revoke permissions;
  • Uninstall the app;
  • Send deletion request;
  • Opt out of marketing;
  • Monitor messages and calls;
  • Ask contacts to report harassment;
  • Keep records for future disputes.

96. Best Practices If You Cannot Pay Yet

If you cannot pay yet:

  • Do not ignore the debt;
  • Ask for statement of account;
  • Negotiate payment terms;
  • Dispute illegal charges in writing;
  • Pay through official channels only;
  • Do not borrow from more abusive apps to pay old apps;
  • Assert privacy rights;
  • Demand no third-party harassment;
  • Preserve threats and abusive messages;
  • Seek help from regulators, counsel, or trusted financial advisers.

97. Common Misconceptions

“If I uninstall the app, my data is deleted.”

False. Uninstalling stops the app from being on your phone but does not necessarily delete server-side data.

“If I owe money, I have no privacy rights.”

False. A borrower with an unpaid loan still has privacy rights.

“If I paid the loan, the app automatically deletes everything.”

Not necessarily. You should request deletion or account closure.

“My contacts are liable because they were in my phonebook.”

False. Contacts are not liable unless they legally agreed to be liable.

“Consent allows the app to do anything.”

False. Consent does not authorize unlawful, excessive, abusive, or unfair processing.

“The company can keep my data forever.”

False. Retention must have a lawful purpose and should not exceed what is necessary.

“Data deletion cancels my debt.”

False. Privacy rights and loan obligations are separate.

98. Key Legal Principles

A. Lawful Basis

The lender must have a lawful basis for collecting and using personal information.

B. Transparency

The borrower must be informed about what data is collected and how it will be used.

C. Proportionality

The data collected must be adequate, relevant, suitable, necessary, and not excessive.

D. Purpose Limitation

Data should be used only for declared, specified, and legitimate purposes.

E. Retention Limitation

Data should not be kept longer than necessary.

F. Security

The lender must protect personal information from unauthorized access, misuse, and disclosure.

G. Accountability

The lender remains responsible for its own personnel, agents, processors, and collection partners.

H. Data Subject Rights

Borrowers may access, correct, object, block, delete, and complain regarding their personal data.

99. Practical Bottom Line

A borrower in the Philippines may request deletion or blocking of personal information from an online lending app, especially after full payment or where the app collected excessive, unnecessary, or unlawfully used data.

The borrower should:

  1. Preserve evidence;
  2. Revoke app permissions;
  3. Send a written deletion request;
  4. Withdraw consent for unnecessary processing;
  5. Object to marketing and third-party disclosure;
  6. Demand that contacts and device data be deleted;
  7. Ask what data will be retained and why;
  8. Demand that collection agents stop using the data;
  9. File complaints if ignored or harassed.

The lending app may retain records necessary for lawful purposes, but it cannot use debt as an excuse for unlimited surveillance, contact-shaming, harassment, or indefinite processing of personal information.

100. Conclusion

Deleting personal information from online lending apps in the Philippines is both a practical and legal process. It requires more than uninstalling the app. The borrower must assert rights under the Data Privacy Act, revoke unnecessary permissions, demand deletion or blocking of excessive data, object to improper processing, and require the lender to stop contacting third parties.

The right to deletion is strongest when the loan is fully paid, the data is excessive, the processing is unauthorized, or the information is used for harassment. Even when a loan remains unpaid, the lender’s collection rights do not override the borrower’s right to privacy, dignity, proportionality, and lawful processing.

A valid debt may be collected through lawful means. But personal information may not be weaponized. Online lending apps, their officers, their collectors, and their service providers must process borrower data responsibly, transparently, and only for legitimate purposes. Borrowers should protect themselves by documenting abuse, sending formal deletion requests, and using the available legal remedies when their privacy rights are violated.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login