How to Delete Your Personal Data From Online Lending Apps

Deleting an online lending app from your phone does not automatically delete the personal information the lender has already collected. Copies of your ID, selfie, phone number, contact list, device information, location data, employment details, loan records, and payment history may remain on the lender’s servers or with collection agencies and other service providers. Under Philippine data privacy law, you may request erasure, blocking, correction, or restricted use of personal data—but a lender may lawfully retain limited information needed for an active loan, regulatory compliance, accounting, fraud prevention, or legal claims.

This guide explains what you can realistically have deleted, how to send an effective data deletion request, how long the lender has to respond, and where to complain when an online lending app ignores your request or misuses your contacts.

Can You Really Delete Your Data From an Online Lending App?

Yes, but the right to deletion is not absolute.

The Data Privacy Act of 2012 requires personal information to be processed fairly, for a legitimate purpose, and only to the extent necessary. Data should not be kept longer than needed for the purpose for which it was collected. It also gives a person the right to demand the blocking, removal, or destruction of information that was unlawfully obtained, used without authority, is already outdated, or is no longer necessary. These rules appear in Sections 11 and 16 of Republic Act No. 10173, or the Data Privacy Act of 2012. (Lawphil)

However, deleting personal data is different from:

  • Uninstalling the lending app;
  • Closing your user account;
  • Revoking the app’s phone permissions;
  • Paying or cancelling a loan;
  • Asking the lender to stop contacting you; or
  • Deleting text messages and emails from your own device.

Each action addresses a different issue. For example, revoking access to your contacts may prevent future access from your phone, but it does not erase a contact list that the lender previously uploaded.

Similarly, deleting your account does not cancel a valid unpaid loan. Article 1159 of the Civil Code provides that contractual obligations have the force of law between the parties and must be performed in good faith. A lender may therefore retain the minimum records reasonably needed to establish the loan, payments, balance, and communications relating to collection or a legal dispute. (Lawphil)

Your Rights Under Philippine Data Privacy Law

Right to erasure or blocking

The right to erasure allows you to ask a lender to suspend processing or delete personal information when:

  • The data is incomplete, outdated, false, or inaccurate;
  • It was unlawfully obtained;
  • It is being used for a purpose you did not authorize;
  • The lender no longer needs it for the stated purpose;
  • You withdrew consent and there is no other lawful basis for continued processing;
  • The processing violates the Data Privacy Act or your rights as a data subject; or
  • The information is private and prejudicial to you, and continued processing is unjustified.

The National Privacy Commission’s rules expressly state that erasure may cover information in both live systems and backup systems. (National Privacy Commission)

You may also exercise related rights, including the right to:

  • Know what information the lender holds;
  • Ask where the information came from;
  • Learn the purpose and legal basis for processing;
  • Identify the companies or persons that received your information;
  • Correct inaccurate information;
  • Object to certain processing;
  • Withdraw consent where consent was the legal basis;
  • Demand compensation for proven damage caused by unlawful processing; and
  • File a complaint with the National Privacy Commission.

When a lender may refuse to delete some records

A lender may deny all or part of an erasure request when continued retention is genuinely necessary for:

  • Servicing or collecting an active loan;
  • Complying with a law or regulatory obligation;
  • Establishing, exercising, or defending a legal claim;
  • Maintaining accounting, audit, fraud, or security records;
  • Investigating suspicious or unauthorized transactions;
  • Fulfilling a legitimate business purpose consistent with applicable law and industry standards; or
  • Protecting public interest or another person’s legal rights.

A refusal should not be vague. The lender should identify the information it will retain, explain the legal or business basis, state the applicable retention period, and delete or restrict unrelated information.

For example, a lender may have grounds to retain your signed loan agreement and payment ledger after the loan is paid. That does not automatically justify continued access to your contact list, photographs, precise location, social media information, or data gathered for marketing.

Data minimization and proportionality

A lender cannot justify unlimited collection merely because a borrower clicked “Allow” during installation. Personal data must be adequate and relevant but not excessive in relation to the declared purpose.

The Supreme Court has reiterated that lawful processing must satisfy the principles of transparency, legitimate purpose, and proportionality. In Zoleta v. Office of the Ombudsman, G.R. No. 258888, the Court emphasized that personal information should be appropriate and not excessive for the purpose for which it is processed. (Lawphil)

For online lenders, this means that access to a borrower’s entire contact list, photographs, microphone, or location cannot be treated as automatically necessary simply because the lender wants more information for collection.

Special Rules for Online Lending Apps

The National Privacy Commission issued specific rules for processing personal data in loan-related transactions. These rules cover loan applications, approval, collection, account closure, character references, and guarantors.

Among other requirements, an online lender should:

  • Give clear privacy information at the time data is collected;
  • Make its privacy notice easy to locate inside the app;
  • Request only permissions that are necessary for a specific lawful purpose;
  • Avoid excessive, disproportionate, or harassing use of contact information;
  • Tell users when a phone permission is no longer needed;
  • Allow unnecessary permissions to be revoked;
  • Avoid using character references for debt collection unless they are actual guarantors; and
  • Avoid contacting people in a borrower’s phonebook for collection when those people are not declared guarantors.

The NPC also states that a character reference does not become a guarantor merely because the borrower entered the person’s name and number. A guarantor must separately and expressly agree to be legally bound. A character reference should be informed that their details were provided and should be given an opportunity to request removal. (National Privacy Commission)

Contacting unrelated family members, coworkers, Facebook friends, or phone contacts to shame a borrower or disclose the debt may constitute unauthorized disclosure and unfair collection. The NPC has previously acted against online lending applications accused of harvesting contact lists and using them for debt-shaming. (National Privacy Commission)

What Personal Data Can You Ask the Lending App to Delete?

A focused request is usually more effective than simply writing, “Delete everything.”

Type of data What you may request What the lender may potentially retain
Contact list or phonebook data Delete uploaded copies and stop using contacts for collection, profiling, or marketing Information concerning a separately consenting guarantor
Character-reference details Remove the person as a reference and stop contacting them A limited record of the request or prior communication if needed for legal documentation
Photos, files, microphone, or location data Delete information unrelated to identity verification or the loan Evidence strictly necessary to resolve fraud, identity, or legal disputes
Government ID and selfie Delete excess copies or restrict use after verification A limited identity record if required by law, fraud controls, or an unresolved loan
Marketing and profiling data Stop marketing, withdraw consent, and delete or suppress the profile A suppression record showing that you opted out
Device information and app analytics Delete unnecessary device identifiers and tracking records Security logs needed to investigate unauthorized access or fraud
Loan agreement and transaction history Correct inaccuracies and request deletion after the lawful retention period Contract, payment, audit, tax, collection, and litigation records while lawfully needed
Messages and call recordings Delete recordings or messages no longer necessary Evidence connected with complaints, disputes, or legal claims
Bank or e-wallet details Remove payment details no longer needed Transaction references required for accounting or dispute resolution
Copies shared with collectors or vendors Require the lender to notify recipients of the erasure or restriction Data a recipient must independently retain under a valid legal obligation

How to Delete Your Personal Data From an Online Lending App

1. Preserve evidence before deleting or uninstalling anything

Take screenshots and save records before you close the account or remove the app. Important evidence can disappear once you lose access.

Preserve:

  • The app’s name and app-store listing;
  • The company name shown in the terms and conditions;
  • The privacy notice and loan agreement;
  • The app permissions displayed on your phone;
  • Your account profile and registered mobile number;
  • Loan disbursement and payment receipts;
  • Statements showing a zero balance, if fully paid;
  • Collection texts, emails, chat messages, and call logs;
  • Threatening or humiliating messages;
  • Names and numbers of collectors;
  • Messages sent to your relatives, coworkers, or contacts;
  • Screenshots of social media posts;
  • Your previous complaints and the lender’s replies; and
  • Proof that your deletion request was sent and received.

Do not secretly alter screenshots or crop out details necessary to establish the sender, date, time, or context. Keep original files whenever possible.

2. Identify the company legally responsible for the app

The app’s brand name may be different from the registered corporation operating it.

Check the:

  • Privacy policy;
  • Terms and conditions;
  • Loan agreement or disclosure statement;
  • Email address used to send the loan confirmation;
  • Company name on payment receipts;
  • App-store developer information;
  • Data protection officer or privacy contact; and
  • Securities and Exchange Commission registration details.

Address your request to the company’s Data Protection Officer, privacy office, customer support address, or official corporate email. Sending it only through an in-app chatbot may make it harder to prove receipt.

Lending companies operating in the Philippines must have the appropriate SEC authority under Republic Act No. 9474, the Lending Company Regulation Act of 2007. (Lawphil)

3. Revoke the app’s phone permissions

Revoking permissions limits future access from your device.

On many Android phones, open:

Settings → Apps → [name of lending app] → Permissions

Turn off unnecessary access to:

  • Contacts;
  • Phone or call logs;
  • SMS;
  • Location;
  • Camera;
  • Microphone;
  • Photos and videos;
  • Files; and
  • Nearby devices.

Menu names vary depending on the phone manufacturer and Android version.

On an iPhone, open Settings → Privacy & Security, then review access to Contacts, Photos, Location Services, Camera, and Microphone. Apple explains these controls in its official guide to controlling access to information in apps on iPhone. (Apple Support)

You may uninstall the app after preserving evidence and confirming that you can still access records needed for payment or a dispute. Remember that revoking permissions and uninstalling do not delete information already transferred to the lender.

4. Check whether the loan is active, paid, disputed, or fraudulent

Your request should accurately describe the account’s status:

  • Active loan: Ask the lender to delete unrelated data and restrict retained data to what is necessary for servicing and collecting the loan.
  • Fully paid loan: Attach proof of full payment and request account closure, deletion of unnecessary data, and the specific retention period for records the lender claims it must keep.
  • Rejected or abandoned application: Ask for deletion because no loan was granted and the application data may no longer be necessary.
  • Fraudulent account: State that you did not apply for or authorize the loan. Request immediate blocking, preservation of fraud evidence, correction of records, and an investigation.
  • Disputed balance: Do not demand destruction of evidence needed to prove your position. Request restricted processing instead, so the records are preserved but not used for unrelated collection, marketing, or disclosure.

5. Send a written data erasure request

The NPC’s guidance says a company should not reject a request merely because you did not use its preferred form. A request containing enough information to identify the account, understand the right being exercised, and verify the requester should be acted upon.

You may send wording similar to the following:

I am exercising my rights as a data subject under Republic Act No. 10173, its Implementing Rules and Regulations, and applicable National Privacy Commission issuances.

Please provide an inventory of the personal data your company holds about me, the purposes and lawful bases for processing, the sources of the information, the applicable retention periods, and the identities or categories of third parties that received it.

I request the deletion or blocking of personal data that is no longer necessary, was collected excessively, was obtained or used without a valid lawful basis, or is being processed for purposes unrelated to my loan account. This includes, where applicable, uploaded contact-list information, character-reference details, location data, photographs, device information, marketing profiles, and copies held by collection agencies or other processors.

I also withdraw any consent for direct marketing, cross-selling, contact-list processing, and other optional processing that is not necessary to comply with a contract or legal obligation.

Please stop contacting persons who are not validly declared guarantors and notify all recipients or processors to whom the affected data was disclosed of the deletion, blocking, or restriction.

If your company believes that any information must be retained, please identify each category, the specific legal or legitimate basis for retention, the purpose, the recipient, and the date or event upon which it will be deleted.

Please confirm in writing when the request has been completed.

Include:

  • Your full name;
  • Registered mobile number and email address;
  • Account or loan reference number;
  • App and company name;
  • Whether the loan is paid, active, disputed, or unauthorized;
  • The specific data and processing you object to;
  • Relevant screenshots or receipts; and
  • A secure means for the company to verify your identity.

A lender may reasonably verify your identity, but verification must be proportionate. Avoid sending an unredacted government ID through an insecure social media account. Where possible, watermark the copy with wording such as “For data-subject request verification only,” and cover information the lender does not need.

6. Keep proof of delivery and track the deadline

Send the request through a channel that creates a record, such as:

  • Email with a sent timestamp;
  • Registered mail or reputable courier;
  • A support ticket with a reference number;
  • An in-app complaint function that allows screenshots; or
  • A combination of email and support ticket.

Under NPC Advisory No. 2021-01, a personal information controller should act on a data-subject request without undue delay and generally within 30 working days after receiving the request and required supporting documents. A further extension of up to 15 working days may be used for a complex request or a large number of requests, but the company should inform you of the extension and its reason. Exercising data-subject rights is generally free, although a reasonable administrative charge may apply to certain additional copies requested under the right of access.

The 30-working-day period is different from the NPC complaint rule discussed below, which generally requires you to first notify the company and allow 15 calendar days for an appropriate response before escalating.

7. Review the lender’s response carefully

A proper response should tell you:

  • What information was deleted;
  • What information was blocked or restricted;
  • What information remains;
  • Why the remaining data is necessary;
  • The legal basis and purpose for retention;
  • The retention period or deletion trigger;
  • Whether backup copies were covered;
  • Whether collection agencies and other recipients were notified;
  • Whether marketing and profiling were stopped; and
  • How to challenge the decision.

Be cautious with replies such as:

  • “Your data is protected under our privacy policy.”
  • “We cannot delete any information because you once applied for a loan.”
  • “Your account has been deactivated.”
  • “Your data will be retained as required by law.”

These statements do not fully answer a properly framed request. Ask the lender to identify the exact data categories, law, purpose, and retention period.

8. Escalate unresolved privacy violations

Escalation may be appropriate when the lender:

  • Ignores your request;
  • Continues accessing or using contacts without justification;
  • Contacts people who are not guarantors;
  • Publicly shames or threatens you;
  • Discloses your loan to your employer, family, or friends;
  • Refuses to correct a fraudulent account;
  • Keeps sending marketing messages after you object;
  • Gives no meaningful explanation for indefinite retention; or
  • Claims that uninstalling the app is the only deletion method.

Depending on the violation, you may complain to more than one agency:

Concern Appropriate office
Unlawful collection, use, disclosure, retention, or refusal to honor data rights National Privacy Commission
Harassment or unfair debt-collection practices by a financing or lending company Securities and Exchange Commission
Threats, extortion, impersonation, identity theft, or unauthorized account access Philippine National Police or National Bureau of Investigation cybercrime units
Unauthorized debit, e-wallet, or bank transaction Bank or e-wallet provider, followed where applicable by the Bangko Sentral ng Pilipinas
False or defamatory public posts Relevant platform, law-enforcement office, and the proper court or prosecutor’s office where warranted

The SEC’s Memorandum Circular No. 18, Series of 2019 prohibits unfair debt-collection practices by financing and lending companies. Complaints and supporting evidence may be submitted through the SEC’s iMessage complaint and inquiry portal. (SEC Appointment System)

How to File a Complaint With the National Privacy Commission

1. Notify the lender first

As a general rule, you must first notify the lender or other responsible company in writing and give it an opportunity to address the problem.

Under the NPC’s complaint mechanics, you may usually proceed with a formal complaint if:

  • The company gives no response within 15 calendar days;
  • It rejects the request without an adequate basis; or
  • Its action does not appropriately resolve the privacy violation.

The NPC may waive this prior-notice requirement in serious or urgent situations. (National Privacy Commission)

2. Prepare a verified complaint

A verified complaint is one that you sign under oath before a notary public or another authorized officer.

The complaint should generally contain:

  • Your full name and contact information;
  • The respondent company’s name and known address;
  • A clear chronological account of events;
  • The privacy rights or violations involved;
  • The relief you are requesting;
  • Copies of supporting evidence;
  • Copies of your request and all correspondence with the lender; and
  • A certification against forum shopping, meaning a sworn declaration concerning other cases involving the same issues.

The NPC’s official complaint page provides the current complaint form and submission instructions. Complaints may be submitted through the methods identified by the NPC, including physical delivery and the official electronic channel stated on its website. (National Privacy Commission)

3. Pay the applicable filing fee or request indigent exemption

Under the NPC’s published fee schedule, the listed basic complaint filing fee is ₱500, plus a legal research fee equal to 1% of the filing fee, subject to a stated minimum of ₱10. Additional fees may apply when damages are claimed.

An indigent complainant may request exemption by submitting documents such as:

  • A Barangay Certificate of Indigency;
  • A notarized affidavit of the litigant;
  • A notarized affidavit of a disinterested person; and
  • A current tax declaration for real property, if applicable.

Fees and documentary requirements can change, so check the NPC’s current issuances and complaint instructions before filing.

4. Filing from outside the Philippines

A Filipino living abroad may still exercise data-subject rights against a lender covered by Philippine privacy law.

The NPC’s rules specifically allow a non-resident Filipino citizen who has no Philippine representative to submit a complaint notarized through a Philippine embassy or consulate, or accompanied by an apostille from the country of origin.

Foreign nationals whose personal information is processed in connection with a Philippine lending operation may also assert rights where the Data Privacy Act applies. Because the current procedural rule on overseas notarization expressly refers to non-resident Filipino citizens, a foreign complainant signing documents abroad should confirm with the NPC whether an apostille, consular authentication, Philippine notarization, or a local representative is required for the particular filing.

Common Problems and Practical Solutions

The lender says it cannot delete anything because the loan is still active

The lender may retain information necessary to administer and enforce the loan, but that does not automatically justify keeping every permission-derived data point.

Ask it to:

  • Identify the data strictly required for the active loan;
  • Delete contact-list, marketing, location, and device data that is no longer necessary;
  • Restrict information that is relevant only to a dispute;
  • Stop optional profiling and marketing;
  • Stop contacting non-guarantors; and
  • State when each retained category will be deleted.

The loan is fully paid, but the app says it keeps data indefinitely

Attach the official receipt, payment confirmation, or certificate of full payment. Ask the company to distinguish between:

  1. Records it must retain for a defined legal, accounting, audit, or claims period; and
  2. Data that can now be erased, anonymized, or restricted.

“Indefinite retention” without a specific justification is difficult to reconcile with the requirement that personal data be kept only as long as necessary.

A character reference is being contacted for payment

The character reference should write directly to the lender and state:

  • They did not borrow the money;
  • They did not agree to guarantee the loan;
  • They object to continued processing of their information;
  • They request removal as a reference;
  • They demand that calls and messages stop; and
  • They want to know how the lender obtained and used their information.

Being named as a reference does not make someone liable for the debt. A guarantor must expressly agree to assume that obligation. (National Privacy Commission)

The lender contacted everyone in the borrower’s phonebook

Preserve screenshots, call logs, recordings where lawfully obtained, and written statements from affected contacts. Ask each contact to save the complete message showing the number, date, time, and wording.

Send separate complaints concerning:

  • Excessive collection of contact-list data;
  • Unauthorized disclosure of the loan;
  • Harassing or humiliating collection;
  • Failure to limit collection communications to the borrower and valid guarantor; and
  • Failure to honor erasure or objection requests.

The borrower’s unpaid balance does not give a collector unrestricted authority to disclose the debt to unrelated persons.

The app has disappeared or the company does not reply

Use old loan documents, receipts, emails, payment instructions, app-store records, and SMS messages to identify the corporation, payment recipient, collection agency, and officers involved.

Send the request to every verified official channel. Avoid sending IDs or sensitive documents to numbers that cannot be linked to the company.

If the company remains unresponsive, attach evidence of your attempts to an NPC or SEC complaint. The disappearance of the app does not necessarily mean that the corporation or its databases have ceased operating.

The account was opened using stolen identity information

Request blocking and preservation, not immediate destruction of every record. Destruction could remove evidence needed to identify who opened the account.

Ask the lender to:

  • Freeze the account;
  • Stop collection against you;
  • Mark the account as disputed identity theft;
  • Preserve application logs, device identifiers, photographs, account numbers, and disbursement records;
  • Correct any credit or collection record associated with your identity;
  • Identify recipients of the false information; and
  • Provide a written investigation result.

Also secure your email, mobile number, bank, and e-wallet accounts, and report unauthorized transactions promptly.

Suggested Documents and Expected Timelines

Stage Useful documents Practical timeline
Evidence preservation Screenshots, app details, permissions, privacy notice, loan records, collection messages Before uninstalling or closing the account
Initial request Written erasure request, account details, limited identity verification, payment proof Send as soon as the issue is documented
Company response Request acknowledgment and reference number Follow up if no acknowledgment within several business days
Data-subject request decision Complete request and supporting documents Generally within 30 working days
Possible extension Written notice explaining complexity or volume Up to 15 additional working days
Prior notice before NPC complaint Copy of request and proof of delivery Usually allow 15 calendar days for an appropriate response
NPC complaint Verified complaint, evidence, correspondence, certification against forum shopping, fee or indigency papers Processing time varies according to complexity, service of pleadings, conferences, and evidence
SEC complaint Collection messages, call logs, company details, loan records, witness statements File promptly while evidence and contact information remain available

Frequently Asked Questions

Does uninstalling an online lending app delete my personal data?

No. Uninstalling removes the app from your device and generally stops future app access, but information already uploaded to the lender’s servers, collection systems, backups, or vendors may remain. Send a separate written erasure or blocking request.

Can I delete my information even if I still owe money?

You can request deletion of data that is excessive, unrelated, unlawfully obtained, or no longer necessary. The lender may retain the minimum information needed to service and collect the valid loan, comply with law, and handle legal claims.

Will deleting my account erase or cancel the loan?

No. Account deletion and debt payment are separate matters. A valid loan obligation does not disappear merely because the app or account is deleted.

Can the lending app keep my contacts after I revoke permission?

Revoking permission should prevent future access from the device, but it may not erase contacts previously copied or uploaded. Specifically request deletion of stored contact-list information and require the lender to identify any recipients that received it.

Can an online lender call my family, employer, or coworkers?

A lender may communicate with a validly consenting guarantor and may use reasonable lawful methods to locate or contact the borrower. It should not disclose the debt to unrelated persons, shame the borrower, or use the entire contact list as a collection directory. Such conduct may justify complaints to the NPC and SEC.

Can I ask the lender to delete my government ID and selfie?

Yes. The lender must assess whether continued retention remains necessary and lawful. It may have grounds to retain limited identity information for an active account, fraud prevention, regulatory compliance, or a dispute, but it should explain the purpose and retention period and delete unnecessary copies.

How long does the lender have to answer my deletion request?

Under NPC guidance, a data-subject request should generally be acted upon within 30 working days after the company receives the complete request and necessary supporting documents. A complex request may be extended by up to 15 working days if the company informs you and explains the extension.

What should I do if the lender ignores my request?

Keep proof of delivery and send a documented follow-up. If there is no appropriate response within 15 calendar days after written notice, you may generally proceed with an NPC complaint. Unfair collection practices may also be reported to the SEC.

Do I need to submit a government ID with my request?

The company may reasonably verify your identity, but it should request only what is proportionate. Ask whether verification can be completed using an account number, registered email, one-time password, or redacted and watermarked ID instead of sending an unrestricted copy.

Can a character reference ask to have their number deleted?

Yes. A character reference is also a data subject. The person may request information about how their details were obtained, object to continued processing, demand removal as a reference, and require the lender to stop contacting them. They are not responsible for the loan unless they separately agreed to act as guarantor.

Key Takeaways

  • Deleting or uninstalling a lending app does not erase personal information already collected.
  • Philippine law allows you to request erasure, blocking, correction, access, or restricted processing of unlawfully used, excessive, inaccurate, or unnecessary data.
  • A lender may retain limited loan, payment, fraud, audit, and legal records when a genuine lawful basis remains.
  • Deleting personal data does not cancel an unpaid or otherwise valid loan.
  • Revoke unnecessary phone permissions, but also send a separate written request to the lender’s Data Protection Officer or official privacy channel.
  • Identify the exact data you want deleted and require the lender to explain the lawful basis and retention period for anything it keeps.
  • Character references are not guarantors unless they separately and expressly agreed to guarantee the debt.
  • Online lenders should not use a borrower’s entire contact list to shame, threaten, or collect from unrelated persons.
  • Preserve screenshots, agreements, receipts, call logs, messages, and proof of delivery before uninstalling the app.
  • Unresolved privacy violations may be reported to the National Privacy Commission, while unfair collection practices may also be reported to the Securities and Exchange Commission.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.