How to Delete Personal Information From Online Lending Apps in the Philippines

I. Introduction

Online lending apps have become common in the Philippines because they offer fast access to credit with minimal paperwork. Many borrowers, however, later discover that these apps may collect broad categories of personal information, including contact lists, identification documents, employment details, facial images, device information, phone numbers, email addresses, addresses, payment records, and sometimes even social media or messaging-related data.

The legal issue is not simply whether a borrower owes money. It is whether the lending app has a lawful basis to continue collecting, storing, using, sharing, or displaying the borrower’s personal information. Under Philippine data privacy law, personal information cannot be kept or processed indefinitely merely because it was once submitted through an app. Borrowers and other data subjects have enforceable rights, including the right to request access, correction, blocking, removal, destruction, or deletion of personal data when legal grounds exist.

This article explains how a person in the Philippines may request deletion of personal information from online lending apps, what laws apply, what limits exist, how to prepare a deletion request, and what remedies may be available if the app refuses or misuses personal data.

II. Governing Law in the Philippines

The primary law is the Data Privacy Act of 2012, or Republic Act No. 10173. It is implemented by rules and regulations issued by the National Privacy Commission, commonly called the NPC.

The Data Privacy Act applies to the processing of personal information by private entities, including lending companies, financing companies, online lending platforms, app operators, collection agencies, service providers, and other persons or organizations that determine or control how personal data is processed.

In the online lending context, other laws and regulations may also be relevant, including rules of the Securities and Exchange Commission on lending companies and financing companies, consumer protection laws, cybercrime laws, laws against harassment, and rules on unfair debt collection practices. However, the main legal basis for demanding deletion or removal of personal information is data privacy law.

III. What Counts as Personal Information?

Under Philippine privacy law, personal information refers to information from which a person’s identity is apparent or can reasonably and directly be ascertained, or information that would identify a person when combined with other information.

For online lending apps, this may include:

  1. Full name;
  2. Date of birth;
  3. Home address;
  4. Mobile number;
  5. Email address;
  6. Government-issued ID details;
  7. Selfie or facial image;
  8. Signature;
  9. Employer or business information;
  10. Income information;
  11. Bank account, e-wallet, or payment details;
  12. Emergency contact details;
  13. Contact list data;
  14. Device identifiers;
  15. App usage data;
  16. Loan application records;
  17. Credit-related information;
  18. Collection notes and call logs;
  19. Messages, screenshots, or uploaded documents;
  20. Any data that can identify the borrower or another person.

Some data may qualify as sensitive personal information, such as government-issued identification numbers, health information, biometric data, or information specifically protected by law. Sensitive personal information receives stricter protection and generally requires a stronger legal basis before it may be processed.

IV. The Parties Involved

In a typical online lending app, the following parties may be involved:

1. Data Subject

The data subject is the person whose personal information is collected, used, stored, or shared. This may include the borrower, co-maker, reference person, emergency contact, employer, family member, or any person found in the borrower’s contact list.

Importantly, a person can be a data subject even if that person never borrowed money. For example, if a lending app accessed and stored a borrower’s phone contacts, the people in the contact list may also have privacy rights.

2. Personal Information Controller

The lending company or app operator is usually the personal information controller if it decides why and how personal data is processed. It is responsible for complying with the Data Privacy Act.

3. Personal Information Processor

A third-party service provider, such as a cloud host, verification provider, payment processor, collection agency, call center, or software vendor, may be a personal information processor if it processes data on behalf of the lending company.

4. Collection Agency

Collection agencies may process personal information to collect debt, but they are not free to harass, shame, threaten, or disclose private information to unrelated third parties. If they receive personal information from a lending app, their use of that information must still comply with data privacy law.

V. Can You Demand Deletion of Your Personal Information?

Yes, but not in every situation and not always immediately.

A data subject may request deletion, blocking, removal, or destruction of personal data when there is a lawful basis to do so. Common grounds include:

  1. The data is no longer necessary for the purpose for which it was collected;
  2. The data was unlawfully obtained;
  3. The data is being used for unauthorized purposes;
  4. The data is inaccurate, outdated, false, or misleading;
  5. The data is being processed without valid consent or other lawful basis;
  6. The borrower has withdrawn consent and no other legal basis exists for continued processing;
  7. The app is using excessive data beyond what is necessary for lending;
  8. The app accessed contacts, photos, messages, or files without proper authority;
  9. The app disclosed information to family, friends, employers, or social media contacts without lawful basis;
  10. The app used personal data for harassment, public shaming, threats, or coercive collection;
  11. The app retained data beyond the period allowed by law, regulation, contract, or declared privacy policy.

However, deletion may be limited if the lending company has a lawful reason to retain certain records. For example, it may need to keep limited information for accounting, tax, audit, regulatory compliance, fraud prevention, litigation, or enforcement of a valid loan obligation.

The key point is proportionality. Even if a lender may retain some data, it does not automatically mean it may keep everything. A lender may be allowed to retain loan transaction records while being required to delete unnecessary contact list data, images, permissions, marketing data, or unlawfully collected information.

VI. Deletion Is Different From Loan Cancellation

Deleting personal information does not automatically cancel a valid debt.

A borrower who obtained a loan remains subject to the valid terms of the loan agreement, subject to applicable law. A privacy request is not a way to erase legitimate repayment obligations. However, the existence of a debt does not give the lender unlimited power to collect, expose, sell, misuse, or weaponize personal data.

Therefore, two issues must be separated:

  1. Debt issue: whether the borrower owes money, how much, and under what terms.
  2. Privacy issue: whether the lender is lawfully processing the borrower’s personal information.

A borrower may dispute unlawful processing even while a loan remains unpaid. Likewise, a lender may pursue lawful collection while still being required to respect privacy rights.

VII. What Data Should You Ask the Lending App to Delete?

A deletion request should be specific. The borrower may request deletion or blocking of the following categories where appropriate:

  1. Account profile information no longer needed;
  2. Uploaded IDs after verification is complete, unless legally required to retain them;
  3. Selfies, facial images, or biometric templates;
  4. Contact list data;
  5. Data of third-party contacts, references, or emergency contacts;
  6. Device information collected beyond what is necessary;
  7. Marketing preferences and advertising identifiers;
  8. Chat logs or app messages not required for legal retention;
  9. Photos, files, or media accessed by the app;
  10. Location data;
  11. Call logs or SMS metadata, if collected;
  12. Social media information;
  13. Duplicative, outdated, or incorrect records;
  14. Data shared with collection agencies where sharing was unauthorized or no longer necessary;
  15. Data posted or disclosed to third parties;
  16. Data used for harassment or public shaming;
  17. Any data collected through excessive app permissions.

A borrower may also demand that the lender notify third parties, processors, collection agencies, or affiliates to delete or stop processing the data, where legally appropriate.

VIII. Common Privacy Problems With Online Lending Apps

Many complaints involving lending apps arise from excessive or abusive data practices. Common issues include:

1. Access to Contact Lists

Some lending apps request access to a borrower’s contacts. The app may then use the contact list to pressure the borrower by messaging relatives, friends, employers, or co-workers. This can violate privacy rights, especially when the contacts did not consent or when the disclosure is unnecessary for the loan.

2. Public Shaming

Some borrowers report that collection agents threaten to post their photos, loan details, or alleged debt on social media. Public shaming is not a legitimate debt collection practice and may give rise to privacy, civil, criminal, and regulatory complaints.

3. Harassing Calls and Messages

Debt collection must be lawful, fair, and proportionate. Repeated threats, insults, intimidation, or disclosure of debt to unrelated persons may be unlawful.

4. Misleading Consent

Consent is not valid simply because an app includes vague or hidden language in its terms. Consent should be informed, specific, freely given, and evidenced. Broad permission to access “device data” may not justify unlimited data harvesting.

5. Retaining Data After Account Closure

Some apps keep user data even after the borrower has paid the loan or deleted the app. Deleting the app from a phone does not necessarily delete the account or server-side data. A formal deletion request is often necessary.

6. Sharing With Unknown Third Parties

Lending apps may share data with affiliates, advertisers, collection agencies, analytics providers, or other partners. Sharing must have a lawful basis and must be disclosed in the privacy notice.

IX. The Borrower’s Rights Under Philippine Data Privacy Law

A data subject generally has the following rights:

1. Right to Be Informed

The borrower has the right to know what data is collected, why it is collected, how it is used, who receives it, how long it is kept, and how the borrower may exercise privacy rights.

2. Right to Access

The borrower may request a copy or description of personal data being processed, including sources, recipients, purposes, and methods of processing.

3. Right to Object

The borrower may object to processing based on consent or legitimate interest, especially if the processing is unnecessary, excessive, or harmful.

4. Right to Erasure or Blocking

The borrower may request deletion, blocking, removal, or destruction of data when the processing is unlawful, unnecessary, outdated, unauthorized, or otherwise improper.

5. Right to Rectification

The borrower may require correction of inaccurate or outdated information.

6. Right to Data Portability

Where applicable, the borrower may request personal data in a structured and commonly used format.

7. Right to Damages

A person who suffers harm due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of personal information may seek damages, subject to proof and applicable procedures.

8. Right to File a Complaint

A borrower or affected person may file a complaint with the National Privacy Commission if rights are violated.

X. Before Sending a Deletion Request

Before asking for deletion, prepare evidence. This is important because some lending apps may deny wrongdoing or ignore vague requests.

Gather the following:

  1. Name of the lending app;
  2. Name of the lending company, if known;
  3. App screenshots;
  4. Privacy policy or terms and conditions;
  5. Loan agreement, if available;
  6. Account number or registered mobile number;
  7. Proof of payment, if the loan is fully paid;
  8. Screenshots of app permissions;
  9. Screenshots of abusive messages;
  10. Call logs;
  11. Messages sent to contacts;
  12. Names or numbers of collection agents;
  13. Dates and times of incidents;
  14. Proof that third parties were contacted;
  15. Any email or chat correspondence with the lender.

If the issue involves contact list misuse, obtain screenshots or statements from the people contacted, if possible.

XI. Step-by-Step: How to Request Deletion

Step 1: Identify the Correct Company

Find the app’s registered company name. This may appear in:

  1. The app store listing;
  2. Privacy policy;
  3. Terms and conditions;
  4. Loan agreement;
  5. SMS or email notices;
  6. SEC registration details;
  7. Payment instructions;
  8. Collection notices.

The app name may be different from the legal company name. Address the request to the legal entity operating the app, not only to the app brand.

Step 2: Look for the Data Protection Officer

Companies covered by the Data Privacy Act are expected to have a data protection officer or privacy contact. The privacy policy should contain contact details for privacy-related requests.

Send the request to the official privacy email address, customer support email, or registered business address. If available, also send it through the app’s support channel.

Step 3: State That You Are Exercising Your Data Privacy Rights

Make clear that the request is made under Philippine data privacy law. Identify yourself and specify the account involved.

Step 4: Specify the Data to Be Deleted

Do not merely say, “Delete my data.” Specify the categories of data you want deleted or blocked.

Example:

“I request deletion, blocking, removal, or destruction of all personal information no longer necessary for the purpose for which it was collected, including contact list data, third-party contact information, device data, photos, selfies, marketing data, and any information shared with collection agencies without lawful basis.”

Step 5: Ask for the Legal Basis for Any Retained Data

The lender may claim it must retain certain records. Require it to identify:

  1. What data it will retain;
  2. Why it will retain the data;
  3. The legal basis for retention;
  4. The retention period;
  5. Who will have access;
  6. Whether it has been shared with third parties.

Step 6: Withdraw Consent Where Appropriate

If the processing relies on consent, you may withdraw consent for further processing, especially for marketing, contact list access, location tracking, device permissions, or sharing with affiliates.

Step 7: Demand Confirmation

Ask the company to confirm in writing that deletion, blocking, or restriction has been completed.

Step 8: Keep Records

Save all emails, screenshots, delivery receipts, and replies. These may be needed for an NPC complaint.

XII. Sample Deletion Request Letter

Subject: Request for Deletion, Blocking, and Cessation of Processing of Personal Information

Dear Data Protection Officer / Privacy Officer:

I am writing to exercise my rights as a data subject under Philippine data privacy law.

I request the deletion, blocking, removal, or destruction of my personal information that is no longer necessary, was unlawfully obtained, is being processed without valid legal basis, or is being processed beyond the purpose for which it was collected.

My details are as follows:

Name: [Full Name]
Registered mobile number/email: [Mobile Number/Email]
Account or loan reference number: [Reference Number, if available]
App name: [Name of Lending App]

This request covers, where applicable, the following categories of personal information:

  1. Contact list data and information of third-party contacts;
  2. Uploaded IDs, selfies, photos, and biometric-related information not legally required to be retained;
  3. Device data, app permissions data, location data, and other technical data not necessary for any lawful purpose;
  4. Marketing, profiling, analytics, or advertising-related data;
  5. Data shared with collection agencies, affiliates, partners, or third parties without valid legal basis;
  6. Any inaccurate, outdated, excessive, or unlawfully processed personal information;
  7. Any personal information retained beyond the necessary or lawful retention period.

I also withdraw any consent previously given for processing that is not necessary for a lawful and specific purpose, including marketing, profiling, contact-list processing, and disclosure to third parties not legally entitled to receive my personal information.

If you believe that any part of my personal information must be retained, please provide the following in writing:

  1. The specific personal information you will retain;
  2. The legal basis for retention;
  3. The purpose of retention;
  4. The retention period;
  5. The persons or entities to whom the data has been disclosed;
  6. The safeguards used to protect the retained data.

Please also confirm that you have instructed your processors, collection agencies, affiliates, service providers, and other recipients of my personal information to delete, block, return, or cease processing such information where appropriate.

Kindly provide written confirmation once the deletion, blocking, or restriction of processing has been completed.

Sincerely,
[Full Name]
[Date]

XIII. What If the Loan Is Already Fully Paid?

If the loan has been fully paid, the borrower has a stronger practical basis to request deletion of data no longer needed for lending, collection, or account servicing. The lender may still retain limited records for legal, accounting, audit, regulatory, or dispute purposes, but it should not keep unnecessary data indefinitely.

After full payment, a borrower may request:

  1. Closure of the account;
  2. Deletion of unnecessary personal data;
  3. Cancellation of marketing consent;
  4. Deletion of contact list data;
  5. Confirmation that no further collection activity will occur;
  6. Removal from collection systems;
  7. A certificate or confirmation of full payment;
  8. Cessation of communications to references, contacts, employer, or relatives.

If a lender continues to contact third parties after full payment, that may strengthen a privacy complaint.

XIV. What If the Loan Is Unpaid?

If the loan is unpaid, the lender may have a legitimate basis to process certain data necessary for lawful collection. However, the lender still cannot process data in an excessive, abusive, deceptive, or unlawful manner.

Even with an unpaid loan, a borrower may object to:

  1. Contacting unrelated third parties;
  2. Disclosing the loan to family, friends, employers, or social media contacts;
  3. Using threats or public shaming;
  4. Using contact list data;
  5. Processing data not necessary for collection;
  6. Misrepresenting legal consequences;
  7. Continuing to process sensitive personal information without lawful basis;
  8. Sharing information with unverified or unauthorized collectors.

An unpaid debt does not justify harassment or privacy violations.

XV. Does Deleting the App Delete Your Data?

No. Deleting the app from your phone usually removes only the local app installation. It does not necessarily delete your account, uploaded documents, server records, loan history, contact list data, or data already shared with third parties.

To delete data, you should:

  1. Revoke app permissions on your phone;
  2. Delete the app, if desired;
  3. Send a formal deletion request;
  4. Request account closure;
  5. Ask for confirmation of server-side deletion;
  6. Ask whether data was shared with third parties;
  7. Ask third-party recipients to delete or stop processing data, if identified.

XVI. Revoking App Permissions

Aside from sending a legal request, borrowers should review app permissions.

Depending on the phone, permissions may include:

  1. Contacts;
  2. Camera;
  3. Microphone;
  4. Location;
  5. Photos and videos;
  6. Files and storage;
  7. Phone;
  8. SMS;
  9. Notifications.

Revoke permissions that are unnecessary. However, revoking permissions only limits future access from the device. It does not automatically erase data already uploaded or copied to the lender’s servers.

XVII. Special Concern: Contact Persons and References

Online lending apps often ask borrowers to provide references or emergency contacts. Sometimes apps also access the borrower’s entire phonebook.

A reference person or emergency contact has privacy rights. The lender should not harass or disclose unnecessary debt information to such persons. A third-party contact may demand deletion or cessation of processing of their own personal information, especially if they did not consent to being included or contacted.

A reference person may send a privacy request stating:

  1. They are not the borrower;
  2. They did not consent to processing;
  3. They request deletion of their contact information;
  4. They object to further calls, texts, or messages;
  5. They request the source of their data;
  6. They reserve the right to file a complaint with the NPC.

XVIII. When a Lending App May Refuse Full Deletion

A lending app may refuse immediate total deletion if it can show a lawful basis for retaining specific data. Possible reasons include:

  1. Existing loan obligation;
  2. Legal claims or disputes;
  3. Accounting and tax requirements;
  4. Regulatory obligations;
  5. Anti-fraud monitoring;
  6. Audit requirements;
  7. Compliance with court orders or lawful government requests;
  8. Defense against legal claims.

But refusal must not be blanket or unexplained. The lender should identify what data is retained and why. It should not use legal retention as an excuse to keep unrelated or excessive data.

For example, a lender may retain a record of a loan contract but may have difficulty justifying retention of the borrower’s entire contact list after the need for verification or collection has ended.

XIX. Data Minimization and Proportionality

A key principle of data privacy is that processing must be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and legitimate purpose.

In online lending, this means a lender should collect only what is reasonably necessary to evaluate, release, service, and collect a loan. It should not collect broad device data merely because technology allows it. It should not demand access to contact lists as a coercive collection tool. It should not use data in a way that surprises or harms the borrower beyond what was disclosed and lawfully allowed.

A deletion request should emphasize that excessive data must be removed or blocked.

XX. Consent Is Not Unlimited

Many lending apps rely on consent. But consent has limits.

Consent should be:

  1. Freely given;
  2. Specific;
  3. Informed;
  4. Evidenced;
  5. Related to a declared purpose.

Consent hidden in long terms and conditions may be challenged if the borrower was not properly informed. Consent to verify identity does not necessarily mean consent to shame the borrower publicly. Consent to contact references does not necessarily authorize disclosure of loan details to everyone in the borrower’s phonebook.

Consent may also be withdrawn, unless the processing is still justified by another lawful basis.

XXI. What to Do If the App Ignores the Request

If the lending app ignores the request, the borrower may send a follow-up and then consider filing a complaint with the National Privacy Commission.

A follow-up should include:

  1. Date of original request;
  2. Copy of the original request;
  3. Proof of sending;
  4. A demand for response;
  5. A statement that failure to respond may be raised before the NPC.

The borrower should avoid emotional or threatening language. A clear legal record is more effective.

XXII. Filing a Complaint With the National Privacy Commission

A complaint may be appropriate when:

  1. The app refuses to delete unlawfully processed data;
  2. The app ignores privacy requests;
  3. The app contacts third parties without lawful basis;
  4. The app posts or threatens to post personal information;
  5. The app uses contact list data for harassment;
  6. The app collects excessive data;
  7. The app shares data with unauthorized collection agents;
  8. The app fails to provide access, correction, or deletion rights;
  9. The app’s privacy policy is misleading or inadequate;
  10. The data subject suffers harm from unlawful processing.

A complaint should be supported by evidence. Include screenshots, messages, call logs, app details, company details, emails, and proof of identity.

XXIII. Possible Liability for Misuse of Data

Depending on the facts, misuse of personal information by an online lending app or collection agent may result in:

  1. Administrative liability before regulators;
  2. Orders to stop processing;
  3. Orders to delete, block, or correct data;
  4. Fines or penalties;
  5. Civil liability for damages;
  6. Criminal liability under applicable laws;
  7. SEC action if the lender is regulated by the SEC;
  8. Complaints based on unfair, abusive, or deceptive collection practices;
  9. Cybercrime-related complaints if threats, identity misuse, or unlawful online posting are involved.

Not every violation leads to every remedy. The available remedy depends on the evidence, the nature of the data, the harm suffered, and the laws violated.

XXIV. What If the App Is Not Registered or Is Illegal?

Some lending apps operate under unclear, suspended, revoked, or unregistered entities. If the company is not properly registered or authorized, that may support regulatory complaints. However, even an illegal or unregistered app may still possess personal information, so the borrower should still act quickly to protect data.

Practical steps include:

  1. Stop granting app permissions;
  2. Take screenshots of the app and its communications;
  3. Identify payment channels used;
  4. Save all messages and threats;
  5. Avoid giving more personal information;
  6. Send a deletion or cease-processing demand if contact details exist;
  7. Report privacy violations to the NPC;
  8. Report lending or collection violations to the appropriate regulator;
  9. Consider law enforcement assistance for threats, extortion, identity misuse, or public shaming.

XXV. How to Handle Harassment While Requesting Deletion

If collectors are harassing the borrower or third parties, the borrower may send a cease-and-desist style notice. The notice should not deny valid debt if the borrower does owe money. Instead, it should demand that all collection activity comply with law and stop unlawful data processing.

The borrower may state:

  1. Do not contact unrelated third parties;
  2. Do not disclose my loan information to others;
  3. Do not use threats, insults, or public shaming;
  4. Do not post my personal information online;
  5. Communicate only through lawful channels;
  6. Identify your company, authority, and basis for processing;
  7. Delete or block all unlawfully obtained personal data.

XXVI. Sample Notice Against Contacting Third Parties

Subject: Demand to Stop Unauthorized Disclosure and Processing of Personal Information

Dear [Lending Company / Collection Agency]:

I object to the disclosure, use, and processing of my personal information and loan-related information through communications with my relatives, friends, employer, co-workers, phone contacts, or other third parties who are not legally responsible for my alleged obligation.

You are directed to cease contacting third parties regarding my personal information, alleged debt, account status, or any matter relating to me, unless you can identify a clear and lawful basis for doing so.

You are also directed to delete, block, or cease processing any contact list data or third-party contact information obtained from my device, account, application, or records without proper legal basis.

Please confirm in writing:

  1. The source of the third-party contact information;
  2. The legal basis for processing it;
  3. The recipients to whom my personal information was disclosed;
  4. The steps taken to stop further unauthorized processing;
  5. The steps taken to delete or block unlawfully processed information.

I reserve all rights and remedies under Philippine law, including the right to file complaints before the proper authorities.

Sincerely,
[Full Name]
[Date]

XXVII. Data of Minors and Other Vulnerable Persons

If the lending app collected data involving minors, elderly persons, household members, or unrelated persons from a contact list, the privacy concern may be more serious. These individuals did not apply for the loan and may not have consented to any processing.

Where minors’ data is involved, the borrower or parent/guardian should demand immediate deletion and cessation of processing, unless the company can clearly establish a lawful basis.

XXVIII. Identity Documents and Selfies

Lending apps often require a government ID and selfie for identity verification. This may be legitimate at the application stage, but retention should still be limited.

Borrowers may ask:

  1. Whether the ID image is still retained;
  2. Whether facial recognition or biometric templates were created;
  3. Whether the data was shared with verification vendors;
  4. Whether the data can be deleted after verification;
  5. Whether legal retention applies;
  6. When the data will be permanently deleted;
  7. What safeguards protect the data.

If the app refuses deletion, it should explain the legal basis and retention period.

XXIX. Credit Information and Blacklisting

Some borrowers worry that deletion requests will erase negative credit information or prevent reporting. Data privacy law does not automatically prohibit lawful credit reporting or legitimate retention of credit records. However, credit-related processing must still be lawful, accurate, fair, and proportionate.

A borrower may demand correction or dispute inaccurate information. If the information is false, outdated, or unlawfully reported, the borrower may request rectification, blocking, or deletion.

XXX. Marketing and Promotional Messages

Even when a lender retains loan records, it may not have a continuing right to send marketing messages. Borrowers may withdraw consent to promotional messages, app notifications, SMS marketing, email marketing, and offers from affiliates.

A marketing opt-out request should be direct:

“I withdraw consent to receive marketing, promotional, profiling, advertising, or cross-selling communications. Please remove my number and email address from all marketing lists.”

XXXI. App Store Complaints

A borrower may also report abusive lending apps to the app store where the app is distributed, especially when the app appears to request excessive permissions or engage in harassment. This does not replace legal remedies, but it may help restrict abusive apps.

Evidence should include screenshots of permissions, messages, threats, and privacy policy claims.

XXXII. Practical Checklist for Borrowers

A borrower who wants personal information deleted should do the following:

  1. Screenshot the app profile, loan page, and account details;
  2. Save the privacy policy and terms;
  3. Revoke unnecessary app permissions;
  4. Send a written deletion request to the privacy officer or support email;
  5. Identify specific data categories for deletion;
  6. Withdraw consent for unnecessary processing;
  7. Ask for the legal basis for retained data;
  8. Ask for a list of third-party recipients;
  9. Demand that collection agencies stop unauthorized processing;
  10. Request written confirmation of deletion;
  11. Keep all proof of sending and replies;
  12. File a complaint if ignored or harassed.

XXXIII. Practical Checklist for Third-Party Contacts

If you are a relative, friend, employer, co-worker, or contact person being harassed by a lending app, you may:

  1. Tell the collector you are not the borrower;
  2. Demand the source of your personal data;
  3. Demand deletion of your number and name;
  4. Object to further processing;
  5. Screenshot all calls and messages;
  6. Block the number after preserving evidence;
  7. Report the matter to the borrower;
  8. File your own privacy complaint if your data is misused.

XXXIV. Common Mistakes to Avoid

Borrowers should avoid the following mistakes:

  1. Assuming that uninstalling the app deletes data;
  2. Sending only verbal requests;
  3. Failing to save screenshots before losing access;
  4. Deleting evidence of harassment;
  5. Giving additional IDs or selfies to unknown collectors;
  6. Engaging in abusive exchanges with collectors;
  7. Posting private details online without legal advice;
  8. Ignoring notices from legitimate lenders;
  9. Treating deletion as automatic cancellation of debt;
  10. Failing to request the legal basis for retained data.

XXXV. Can You Demand Deletion From Google Play, Apple, or App Stores?

App stores generally do not control the lender’s customer database. They may remove or restrict apps that violate platform rules, but they usually cannot delete the borrower’s account data from the lender’s servers.

The deletion request should be sent to the lending company or app operator. App store reporting is only an additional step.

XXXVI. Can You Demand Deletion From a Collection Agency?

Yes, if the collection agency processes your personal information. You may demand that it identify its authority, the source of the data, the lender it represents, and the legal basis for processing.

You may request deletion or blocking if:

  1. You are not the borrower;
  2. The data is inaccurate;
  3. The agency has no authority;
  4. The debt is fully paid;
  5. The agency is contacting unrelated third parties;
  6. The processing is excessive or abusive;
  7. The data was unlawfully obtained.

If the agency claims it must retain data, it should explain why.

XXXVII. What a Proper Response From the Lending App Should Contain

A proper response should ideally state:

  1. Whether the request is granted, denied, or partially granted;
  2. What data was deleted;
  3. What data was blocked or restricted;
  4. What data was retained;
  5. Legal basis for retained data;
  6. Retention period;
  7. Third parties notified;
  8. Date of completion;
  9. Contact person for follow-up;
  10. How to appeal or complain.

A vague response such as “we will handle your concern” is not enough if it does not address the substance of the request.

XXXVIII. Sample Follow-Up Letter

Subject: Follow-Up on Data Deletion Request

Dear Data Protection Officer / Privacy Officer:

I refer to my previous request dated [date] regarding the deletion, blocking, removal, or destruction of my personal information.

As of today, I have not received a sufficient response confirming the action taken on my request.

Please provide a written response stating:

  1. Whether my request has been granted;
  2. What personal information has been deleted or blocked;
  3. What personal information remains retained;
  4. The legal basis and retention period for any retained data;
  5. The third parties, processors, affiliates, or collection agencies notified;
  6. The date when deletion, blocking, or restriction was completed.

If I do not receive a proper response, I reserve the right to raise this matter before the appropriate authorities.

Sincerely,

[Full Name]
[Date]

XXXIX. Best Arguments for Deletion

The strongest deletion arguments usually arise when:

  1. The loan is fully paid;
  2. The app collected contact list data;
  3. The app contacted unrelated third parties;
  4. The app threatened public disclosure;
  5. The app collected data beyond what was necessary;
  6. The privacy notice did not clearly disclose the processing;
  7. The borrower withdrew consent;
  8. The data is inaccurate or outdated;
  9. The lender cannot identify a lawful retention basis;
  10. The data belongs to non-borrowers.

XL. Best Arguments the Lender May Raise

A lender may argue:

  1. The borrower consented;
  2. The data is needed to process the loan;
  3. The data is needed for collection;
  4. The data is required for accounting or compliance;
  5. The data is needed to prevent fraud;
  6. The data may be needed for legal claims;
  7. The data must be retained under internal policy or regulation.

The borrower should respond by asking whether the specific data is necessary, proportionate, and supported by law. A general claim of “business necessity” should not justify retention of excessive or unlawfully collected information.

XLI. Data Retention: How Long Can They Keep It?

There is no single universal retention period for all data in all lending apps. Retention depends on the nature of the data and the lawful purpose. Loan contracts, accounting records, and regulatory records may be retained longer than app permissions, contact lists, marketing profiles, selfies, or analytics data.

A proper privacy policy should state retention periods or criteria for determining retention. If it does not, the borrower may demand clarification.

The principle is that personal data should not be retained longer than necessary for the declared and lawful purpose.

XLII. Deletion vs. Blocking vs. Restriction

The borrower may request more than one remedy.

Deletion

Deletion means the data is erased or destroyed.

Blocking

Blocking means the data is not necessarily erased but is no longer processed for ordinary use. It may be retained only for limited lawful purposes.

Restriction

Restriction means limiting how the data may be used, such as prohibiting marketing, third-party sharing, or collection-related contact with references.

In some cases, blocking or restriction may be more realistic than complete deletion, especially when legal retention obligations exist.

XLIII. If Your Data Was Already Shared

If the data has already been shared with collection agencies, affiliates, or processors, ask the lender to identify the recipients and notify them of the deletion or blocking request.

A strong request should include:

“Please identify all third parties to whom my personal information was disclosed and confirm that they have been instructed to delete, block, return, or cease processing my personal information where legally required.”

If the lender refuses to identify recipients, that refusal may be relevant in a complaint.

XLIV. If the App Posted Your Information Online

If a lending app or collector posts your photo, ID, name, address, loan details, or accusations online, preserve evidence immediately.

Take screenshots showing:

  1. The post;
  2. Date and time;
  3. URL or platform;
  4. Account name of poster;
  5. Comments or shares;
  6. Messages linking the post to the collector;
  7. Any threats before posting.

Then consider:

  1. Reporting the post to the platform;
  2. Sending a takedown demand;
  3. Filing a complaint with the NPC;
  4. Filing complaints with other appropriate authorities;
  5. Seeking legal assistance if threats, extortion, or identity misuse are involved.

XLV. If the App Uses Your ID for Fraud

If there is a risk that your ID, selfie, or personal data is being misused, take additional steps:

  1. Document the suspected misuse;
  2. Request deletion or blocking of ID and biometric-related data;
  3. Ask for disclosure logs;
  4. Ask whether the data was shared with verification vendors;
  5. Monitor accounts and messages;
  6. Report identity misuse to appropriate authorities;
  7. Consider replacing compromised credentials where possible.

XLVI. Remedies Are Stronger With Evidence

Privacy complaints are evidence-driven. A borrower should preserve:

  1. Screenshots;
  2. Emails;
  3. SMS messages;
  4. App notifications;
  5. Call logs;
  6. Voice recordings, subject to legal considerations;
  7. Payment records;
  8. Privacy policy copies;
  9. App permission screenshots;
  10. Statements from third parties contacted by collectors.

Avoid relying only on memory. A dated evidence folder can make a complaint more credible.

XLVII. Legal and Practical Limits

While deletion rights are important, they are not absolute. A borrower should understand these limits:

  1. Valid debt records may be retained for lawful purposes;
  2. Deletion may not stop lawful collection;
  3. Records relevant to disputes may be preserved;
  4. Regulators may require retention of certain records;
  5. Third parties may have separate retention obligations;
  6. Some data may exist in backups for a limited time before permanent deletion;
  7. The company may need to verify identity before processing deletion;
  8. Frivolous or abusive requests may be denied.

Still, the company must justify continued processing and should not retain excessive or unlawfully obtained data.

XLVIII. Recommended Wording for a Strong Deletion Demand

A strong deletion demand may say:

“I am not requesting deletion of records that you are specifically required by law to retain. However, I request deletion, blocking, or restriction of all personal information that is unnecessary, excessive, unlawfully obtained, processed without valid legal basis, used for unauthorized collection activity, shared with unauthorized third parties, or retained beyond the purpose for which it was collected. For any data you refuse to delete, please identify the exact data, the legal basis for retention, the retention period, and all recipients.”

This wording is balanced because it recognizes lawful retention while challenging excessive processing.

XLIX. Conclusion

Deleting personal information from online lending apps in the Philippines is not as simple as uninstalling the app. The borrower must make a formal privacy request, identify the data involved, withdraw unnecessary consent, demand the legal basis for any retained information, and preserve evidence.

Philippine law gives data subjects meaningful rights against excessive, unlawful, outdated, inaccurate, or abusive processing of personal information. These rights are especially important in online lending, where apps may collect sensitive identity documents, device data, contact lists, and personal details that can be misused for harassment or public shaming.

A valid debt may still be collected through lawful means, but debt collection does not erase privacy rights. Lending apps, collection agencies, and their service providers must process personal information lawfully, fairly, transparently, and only to the extent necessary.

The best approach is to act in writing, be specific, keep evidence, demand confirmation, and escalate to the proper authorities if the lending app refuses to comply or continues abusive processing.

This article is for general informational purposes and should not be treated as a substitute for legal advice from a Philippine lawyer who can evaluate the specific facts of a case.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.