I. Overview: Why complaints work and what the law targets

Online lending apps (OLAs) can lawfully collect debts, but they cannot lawfully harass borrowers, shame them, threaten them, publish personal data, or access and use a borrower’s contacts, photos, or messages beyond what is necessary and lawful. In the Philippines, harassment and privacy violations by OLAs commonly trigger liability under:

Data privacy law (unauthorized collection, use, disclosure, or excessive processing of personal data);
Consumer protection and fair debt collection rules applicable to lending companies and their collection agents;
Criminal laws (grave threats, coercion, unjust vexation, libel/cyberlibel, identity misuse, etc.); and
Regulatory violations (unregistered/unauthorized lending, improper disclosures, abusive collection conduct).

The practical goal of filing complaints is to (a) stop the conduct fast (takedowns, cease-and-desist, account restrictions), (b) document wrongdoing for stronger enforcement, and (c) pursue penalties, damages, or both.

II. Common unlawful acts by online lending apps

A. Harassment and abusive collection practices

Typical prohibited conduct includes:

Repeated calls/texts intended to intimidate (especially outside reasonable hours)
Threats of arrest or criminal prosecution for ordinary nonpayment
Threats to “visit” your home/work to shame you
Use of obscene, insulting, or humiliating language
Contacting your employer, co-workers, friends, or relatives to pressure you
Public posting of your debt status (social media “shaming”)

Key principle: Debt collection is allowed; harassment and intimidation are not.

B. Privacy violations (data misuse and overreach)

Common privacy violations include:

Collecting excessive permissions (contacts, photos, location, messages) not necessary for credit evaluation
Accessing your contact list and messaging them about your loan
Disclosing your debt and personal information to third parties
Using your data for unrelated purposes (marketing, profiling) without valid consent
Refusing to delete data or continuing to process after it’s no longer necessary

Key principle: Even if an app claims you “consented,” consent must be informed, specific, freely given, and not obtained through deception or coercion, and processing must still be proportionate and lawful.

III. Laws and rules you will most often invoke

A. Data Privacy Act of 2012 (Republic Act No. 10173) and NPC rules

The Data Privacy Act (DPA) governs the processing of personal data and provides rights and remedies against unlawful collection, use, disclosure, and other improper processing. Harassment cases frequently overlap with privacy complaints because shaming and contact-spamming typically involve unlawful disclosure and misuse of personal data.

Data subject rights (practical highlights):

Right to be informed
Right to object
Right to access
Right to rectification
Right to erasure/blocking (in certain circumstances)
Right to damages (in proper cases)

What you allege under the DPA: unauthorized disclosure, disproportionate collection, lack of valid consent, processing beyond declared purpose, insecure processing, and failure to respect your rights.

B. Lending Company Regulation Act of 2007 (Republic Act No. 9474) and SEC oversight

Lending companies are regulated and registered with the Securities and Exchange Commission (SEC). The SEC issues rules and circulars against unfair debt collection and improper practices by lending companies and their agents. Many harassment complaints are enforced through SEC administrative actions, including penalties and possible revocation or suspension of authority.

What you allege to the SEC: abusive/harassing collection, misrepresentation, failure to comply with required disclosures, and other unfair practices.

C. Cybercrime Prevention Act of 2012 (Republic Act No. 10175)

When harassment, threats, libelous posts, or identity misuse occurs through electronic means (social media, messaging platforms, email), cybercrime-related provisions may apply. Often used in tandem with traditional penal provisions.

D. Revised Penal Code (RPC) and other criminal statutes (as applicable)

Depending on facts, conduct may amount to:

Grave threats / light threats
Grave coercion / unjust vexation
Slander (oral defamation) / libel (if public imputation of a crime/vice is made)
Other offenses based on the specific threats, false accusations, or acts

E. Consumer Act and general consumer protection

If the lending is offered to the public with unfair, deceptive, or abusive conduct, consumer-protection principles may reinforce claims, especially for misleading terms, hidden charges, and abusive collection methods. (Which agency path you take depends on the entity and product structure.)

IV. Which government office should receive your complaint

Most cases involve multiple tracks, because a single set of facts may violate both privacy and lending regulations.

Track 1: National Privacy Commission (NPC) — for privacy and data misuse

File with the NPC if your complaint involves:

Accessing and using your contacts to message them
Publishing your personal data or debt status
Excessive app permissions and data collection
Processing without valid consent or beyond purpose
Refusal to correct/delete data
Security breaches or leaks

Best for: getting a privacy-based enforcement path and formal findings on unlawful processing.

Track 2: Securities and Exchange Commission (SEC) — for lending company misconduct and abusive collection

File with the SEC if:

The lender is a lending company (or claims to be) and is engaging in harassment
There are abusive collection practices or unlawful disclosures tied to collection
You suspect the lender is operating without proper registration or authority

Best for: administrative sanctions against lending companies (fines, suspension/revocation).

Track 3: PNP Anti-Cybercrime Group (PNP-ACG) / NBI Cybercrime Division — for criminal conduct online

Report to PNP-ACG or NBI if there are:

Threats of harm, extortion, doxxing, stalking
Cyberlibel or online defamation
Identity misuse, fake posts/messages, hacking
Coordinated harassment via multiple accounts/numbers

Best for: evidence preservation and criminal case build-up.

Track 4: Local prosecutor (Office of the City/Provincial Prosecutor) — for criminal complaints

For criminal charges (threats/coercion/libel and similar), the formal complaint is typically filed with the prosecutor’s office. Police/NBI assistance is often used to gather evidence and identify respondents.

Best for: pursuing criminal accountability.

Track 5: Courts / small claims / civil actions — for damages, injunctions, and other relief

If you want:

Damages for privacy violations and harassment
Injunction to stop further processing/harassment
Return of overpayments, voiding unconscionable terms (fact-dependent)

This is usually lawyer-assisted due to procedural requirements, but preparation starts with evidence gathering and prior complaints.

V. Before you file: evidence you should gather (the stronger your proof, the faster it moves)

A. Preserve communications

Screenshots of SMS, chat apps, email
Call logs showing frequency and time (especially late-night/early-morning)
Voicemails (export audio if possible)
Social media posts/comments (include URLs, timestamps, account names)

B. Preserve identity data of the collector/app

App name, developer/publisher name, app store page
Website URLs, email addresses, in-app support tickets
Loan account screenshots: principal, interest, fees, due dates
Bank/e-wallet transfer records (proof of payments, disbursements)
Names/handles of collectors, numbers used, and any “team” names

C. Preserve privacy-permission evidence

App permission screen captures (contacts, storage, location, SMS)
Phone settings showing permissions granted
Any consent screens/checkboxes
Privacy policy screenshot (the exact text you saw)
If contacts were messaged: ask them for screenshots plus the number/account that contacted them

D. Make a timeline

A 1–2 page chronology helps agencies quickly understand:

Loan date, due date, amount, and payments
When harassment started
When third-party contacts were approached
Exact threats or statements and how often

Tip: Keep your evidence in one folder, name files by date/time, and create a simple index.

VI. Immediate self-protection steps (lawful and practical)

Revoke app permissions (contacts, storage, location, SMS) in phone settings.
Uninstall the app after documenting permissions and in-app pages relevant to the complaint.
Block numbers and switch to “Silence unknown callers,” but keep logs/screenshots first.
Tell contacts not to engage and to screenshot everything they receive.
Change passwords (email, socials) if you suspect compromise.
Document every incident going forward (date/time/content).

These steps do not waive your rights; they reduce ongoing harm while preserving proof.

VII. Writing the complaint: structure that agencies act on

A good complaint is short, organized, and evidence-backed.

A. Caption / Parties

Your full name, address, contact number/email
Respondent: lending company name (and SEC registration details if known), app name, collection agency (if any), known collector names/numbers/accounts

B. Statement of facts (chronological)

Include:

Loan transaction summary (amount, date, terms as shown)
Payments made (with proof)
Harassment incidents (quotes of threats; frequency; unusual hours)
Privacy violations (contacts accessed; third parties messaged; social posts)
Harm suffered (reputational harm, distress, workplace issues)

C. Violations alleged

Group them by category:

Abusive collection/harassment
Unauthorized disclosure of personal data
Excessive collection/processing
Misrepresentation (e.g., “we will have you arrested tomorrow”)

D. Evidence list (attach as annexes)

“Annex A: screenshots of SMS dated…” “Annex B: call logs…” etc.

E. Relief requested

Be specific:

Order to stop contacting you and third parties
Order to delete/cease processing of contacts and unrelated data
Investigation and penalties
Referral for prosecution (if appropriate)
Any other appropriate relief (e.g., correction of records)

VIII. Filing with the National Privacy Commission (NPC)

A. What to file

A complaint describing the unlawful processing
Evidence annexes
IDs as required by procedure (and authorization if filing through a representative)

B. What makes an NPC complaint strong

Proof that your contacts were accessed or messaged
Proof of disclosure (screenshots of messages to third parties)
Proof of lack of necessity/proportionality (permissions unrelated to lending)
Proof you asserted rights (e.g., you demanded deletion/stop processing) and their response, if any

C. Typical outcomes

Compliance orders and corrective measures
Findings of unlawful processing
Administrative penalties (case-dependent)
Referral for prosecution where warranted

IX. Filing with the SEC (lending company regulation and abusive collection)

A. What to check first (if possible)

Whether the entity is a registered lending company and whether the app is connected to a registered entity.
Whether the lender is using a third-party collection agency.

Even if you cannot confirm registration, you can still complain; the SEC can verify.

B. What to emphasize

Abusive and harassing collection acts
Use of threats (especially threats of arrest for simple nonpayment)
Contacting third parties and public shaming
Any misleading disclosures, hidden fees, and unclear terms tied to collection

C. Typical outcomes

Orders to explain, show cause, or comply
Fines and other administrative sanctions
Possible suspension/revocation (serious/repeated violations)

X. Filing criminal complaints (PNP-ACG/NBI/prosecutor)

A. When criminal filing is appropriate

Threats of violence, doxxing, extortion
Organized harassment or impersonation
Public posts accusing you of crimes, fraud, or immoral acts
Repeated intimidation causing fear or serious distress

B. Evidence rules of thumb

Keep original files and metadata where possible
Do not edit screenshots; export full conversation threads
For social media posts: capture the post, comments, profile page, and timestamps
If possible: notarized affidavits of witnesses (e.g., co-workers/relatives who were contacted)

C. Respondent identification challenges

Collectors often use rotating numbers/accounts. This is where PNP/NBI subpoenas, preservation requests, and platform cooperation become important; your role is to provide complete logs and context.

XI. Civil remedies: damages and injunctions (privacy + harassment)

A. Damages under privacy and civil law principles

Where a privacy violation is established, civil claims may be pursued for actual damages, moral damages, and other relief depending on proof and circumstances.

B. Injunctions / restraining relief

In urgent situations (continuous harassment, ongoing public disclosure), court relief may be pursued to stop further acts. This typically requires strong evidence and counsel due to procedural and evidentiary standards.

XII. Dealing with “consent” arguments used by lending apps

Apps often claim you consented when you installed the app and clicked “Allow.” In Philippine privacy practice, the validity of consent depends on:

Whether you were properly informed (clear and prominent disclosures)
Whether consent was specific to a defined purpose (not blanket)
Whether it was freely given (not forced as a condition for unrelated processing)
Whether processing was necessary and proportionate

Even with consent, disclosing your debt to third parties or shaming you publicly is highly vulnerable to challenge because it is generally unrelated to legitimate collection and is disproportionate.

XIII. Practical templates (adaptable language)

A. Demand to stop harassment and third-party contact

“You are directed to cease contacting any third parties regarding my alleged obligation and to stop all harassing communications. Any further contact that discloses my personal data to third parties, threatens me, or humiliates me will be included in regulatory and criminal complaints.”

B. Privacy rights assertion (objection + deletion/blocking request)

“I object to the processing of my personal data for purposes beyond lawful loan servicing and collection. I request the deletion/blocking of my contacts and other non-essential data collected through the app, and I request confirmation of the specific data you hold, the purpose and legal basis for processing, and the entities to whom you disclosed my data.”

Use these statements only after you have preserved evidence of the existing conduct.

XIV. Common pitfalls that weaken complaints (and how to avoid them)

No proof of third-party disclosure → get screenshots from the contacted person.
Only partial screenshots → include the full thread and the number/account identifier.
Confusing loan facts → attach the in-app loan schedule, disbursement record, and payment receipts.
Emotional narrative without specifics → include exact dates/times, exact words used, and frequency.
Deleting the app too early → document permissions, policies, and in-app screens before removal.
Engaging in threats back → keep responses neutral; let evidence show the wrongdoing.

XV. What to expect after filing

Agencies may ask for clarifications, additional evidence, or sworn statements (affidavits).
Respondents may deny authorship of messages; robust logs and third-party screenshots help.
Some matters resolve quickly through compliance and takedown actions; others proceed through administrative hearings or prosecutorial evaluation.
Parallel filings (NPC + SEC + criminal route) are common when both privacy and harassment are involved.

XVI. Special situations

A. If you are not the borrower but your number was contacted

You can complain as a data subject whose data was processed unlawfully, even if you never took a loan. Provide:

The message showing your number was targeted
Any proof the sender is linked to the lender/app
Statement that you did not consent and demand cessation/deletion

B. If the loan itself appears illegal or unconscionable

If fees and interest appear extreme or disclosures were unclear, include that in SEC/consumer-related complaints; abusive collection often accompanies questionable lending terms.

C. If there is doxxing or public shaming posts

Treat this as both privacy and possible defamation/cybercrime:

Preserve the post (screenshots + URLs + account identifiers)
Document shares/comments
File privacy and cybercrime-related complaints

XVII. Checklist: fastest path to a strong complaint

Screenshot: harassment messages + call logs + threats
Screenshot: app permissions + privacy policy + in-app loan terms
Obtain third-party screenshots (contacts who were messaged)
Create a dated timeline
File with NPC (privacy/data misuse) and SEC (abusive collection/lending regulation)
If threats/doxxing/defamation: report to PNP-ACG/NBI and file with the prosecutor
Keep all new incidents documented after filing

XVIII. Key takeaways

Harassment is not “part of collection”; it is actionable misconduct.
Privacy violations are central to many OLA harassment schemes, especially contact-list abuse and public shaming.
Effective complaints are evidence-led: complete threads, third-party screenshots, permission proof, and a clear timeline.
In the Philippines, the most direct administrative routes are NPC for privacy and SEC for lending company misconduct, with PNP/NBI/prosecutor pathways for criminal acts committed through electronic means.