If an online app in the Philippines still holds your name, phone number, ID photo, address, contacts, messages, location, loan details, biometrics, or other personal data after you stop using it, you may have the right to ask that app to delete, block, remove, or destroy your data. Under Philippine law, this is usually called the right to erasure or blocking. It is not always automatic, and it does not mean every company must immediately wipe all records on demand. But when your data is outdated, unlawfully obtained, no longer necessary, used for an unauthorized purpose, or processed without a valid legal basis, you can make a formal written request and, if ignored, escalate the matter to the National Privacy Commission.
What “Deletion of Personal Data” Means in the Philippines
In everyday language, people say “delete my data.” Under the Philippine Data Privacy Act, the more precise legal right is the right to suspend, withdraw, block, remove, or destroy personal data from the filing system of the personal information controller or PIC. A PIC is the person or organization that controls how and why your personal data is collected, stored, used, shared, or deleted. A personal information processor or PIP is a third party that processes data for the PIC, such as a cloud provider, payment gateway, KYC vendor, outsourced customer support team, or app analytics provider. (National Privacy Commission)
For an online app, “personal data” may include:
- Account details: name, username, email address, phone number
- Identity verification files: passport, driver’s license, UMID, PhilID, selfie, signature
- Contact and device data: phonebook access, IP address, device ID, advertising ID
- Financial or transaction data: wallet history, card details, loan records, payment logs
- Location, ride, delivery, booking, or usage history
- Messages, photos, comments, posts, or uploaded files
- Sensitive personal information, such as age, marital status, health data, biometrics, government ID numbers, ethnicity, religion, or criminal records
The right is not limited to a “Delete Account” button. You can ask the app to delete or block specific categories of data, stop processing data for certain purposes, withdraw consent, remove uploaded documents, de-index public pages, or explain why the app believes it must retain some information.
Legal Basis: Your Right to Erasure or Blocking
The main law is Republic Act No. 10173, or the Data Privacy Act of 2012. The law recognizes the State policy of protecting the fundamental human right of privacy while allowing the free flow of information for innovation and growth. It covers personal information in both government and private-sector information systems. (National Privacy Commission)
Section 16(e) of RA 10173 gives a data subject the right to suspend, withdraw, or order the blocking, removal, or destruction of personal information from the PIC’s filing system upon discovery and substantial proof that the information is incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes, or no longer necessary for the purposes for which it was collected. (National Privacy Commission)
The Implementing Rules and Regulations expand this right. Section 34(e) of the IRR states that a data subject may exercise the right to erasure or blocking when, among others, the data is incomplete, outdated, false, unlawfully obtained, used for an unauthorized purpose, no longer necessary, processed unlawfully, or when the PIC or PIP violated the data subject’s rights. (National Privacy Commission)
The National Privacy Commission’s own guide also explains that the right covers deletion or blocking from both live and backup systems, which matters because many apps keep data not only in the active app database but also in backups, logs, customer support tools, fraud monitoring systems, and third-party processors. (National Privacy Commission)
When an Online App Should Delete or Block Your Personal Data
You have a stronger request when you can clearly point to one or more legal grounds. The most common are:
| Situation | Example |
|---|---|
| The data is no longer necessary | You closed a shopping app account years ago, but it still keeps your selfie, ID, or address even though no pending transaction exists. |
| The data is outdated or inaccurate | The app still displays your old phone number, old address, wrong name, or incorrect repayment status. |
| The data was unlawfully obtained | The app accessed your contact list, photos, or location without a clear valid purpose or proper consent. |
| The data is used for an unauthorized purpose | You gave your number for delivery updates, but the app or its partner uses it for unrelated marketing. |
| You withdrew consent | You previously allowed optional marketing, profiling, or contact syncing, then later withdrew consent. |
| The processing is disproportionate | A basic coupon app asks for government ID, birthdate, exact location, and contact list access when those are not needed. |
| The app violated your rights | It refused access to your data, ignored correction requests, shared your data without basis, or exposed your information. |
A request is usually weaker when it only says “delete everything” without identifying the data, the account, the reason, or the specific processing you object to. In practice, companies respond faster when the request is precise.
When the App May Refuse Full Deletion
The right to deletion is powerful, but it is not absolute. A PIC may deny the request in whole or in part when the personal data is still necessary for a lawful reason, such as fulfilling the purpose for which it was obtained, complying with a legal obligation, establishing or defending a legal claim, legitimate business purposes consistent with industry retention standards, public interest, freedom of speech, or other grounds provided by law. (National Privacy Commission)
Common examples:
- A bank, e-wallet, fintech app, or lending company may need to keep KYC, transaction, anti-fraud, and regulatory records for a legally required period.
- A marketplace may retain transaction records, invoices, refund records, and dispute logs for accounting, tax, consumer protection, or litigation purposes.
- A transport, delivery, or accommodation app may keep records needed to investigate safety incidents, fraud, chargebacks, or complaints.
- A company may retain limited records showing that you requested deletion, so it can prove compliance later.
- Public posts, reviews, comments, or media content may raise issues involving freedom of expression, press freedom, public interest, or other users’ rights.
The practical compromise is often partial deletion: the app deletes your public profile, marketing data, uploaded IDs no longer needed, optional consents, and unnecessary app permissions, while retaining a limited legal or audit record for a stated retention period.
Step-by-Step Guide to Request Deletion From an Online App
1. Identify the company and its Data Protection Officer
Start with the app’s privacy notice, website footer, in-app settings, help center, or Play Store/App Store listing. Look for:
- Privacy Policy or Privacy Notice
- Data Protection Officer or DPO
- Privacy Office
- Personal Information Controller
- Data subject rights request form
- Email address for privacy concerns
Covered PICs and PIPs in the Philippines are required to register their Data Protection Officer and data processing systems with the NPC, and registration involves providing DPO contact details and a dedicated DPO email. (National Privacy Commission)
For Philippine companies, also check the business name against official records if needed, such as SEC registration for corporations or DTI registration for sole proprietorships. For online lending apps, check whether the lending or financing company is properly registered and licensed.
2. Decide exactly what you want deleted
Be specific. Instead of saying “Delete my data,” identify the data categories:
- My account profile and login credentials
- My phone number and email address
- My uploaded government IDs and selfies
- My contact list data
- My device and location history
- My marketing profile and ad identifiers
- My chat, posts, comments, or uploaded photos
- My payment, delivery, or booking history that is no longer legally required
- My personal data shared with processors, affiliates, collection agents, advertisers, or analytics providers
Also say whether you want the app to:
- Delete the account entirely
- Delete only optional or excessive data
- Stop marketing or profiling
- Withdraw consent
- Block further processing while a dispute is pending
- Inform third parties who received the data
- Confirm retention periods for data they refuse to delete
3. Preserve evidence before deleting the app
Before uninstalling, take screenshots or export records. This is especially important if the app has abusive collection messages, unauthorized contact-list access, fake charges, harassment, public shaming, or unexplained account activity.
Save:
- Screenshots of the account page and personal data displayed
- Privacy policy and consent screens
- App permission settings
- SMS, email, chat, or push notifications
- Proof of account ownership
- Date and time of request
- Names or email addresses of support agents
- Any ticket numbers or automated acknowledgments
For online lending apps, this is crucial. A 2026 joint advisory by the DICT, NPC, and SEC states that unnecessary app permissions, excessive contact-list processing, contacting people other than guarantors for debt collection, harassment, intimidation, public shaming, and unlawful use of personal data are prohibited.
4. Send a written deletion request
Use email, in-app support, privacy portal, or registered mail. Email is usually enough for the first request, provided you can prove it was sent and received or at least delivered.
Include:
- Your full name and account identifier
- The email address or mobile number linked to the app
- A clear statement that you are exercising your right to erasure or blocking under RA 10173 and its IRR
- The specific personal data you want deleted or blocked
- The legal reason, such as withdrawal of consent, unnecessary retention, unauthorized purpose, or unlawful processing
- A request for written confirmation
- A request for the retention basis if the app refuses full deletion
- A request that third-party processors, affiliates, or recipients be informed where applicable
Avoid sending unnecessary extra IDs unless needed to verify your identity. If the app asks for more verification, it should be reasonable and proportionate. For example, a wallet app may need stronger verification than a newsletter app.
5. Give the app a reasonable period to respond
The Data Privacy Act does not give one universal “delete within X days” deadline for every app request. In practice, use a clear deadline in your letter, such as 15 calendar days, because the NPC complaint rules require a complainant to first inform the PIC, PIP, or concerned entity in writing and show that the entity failed to take timely or appropriate action, or gave no response within 15 calendar days from receiving the written information.
If the company replies within 15 days but says it needs more time, ask for:
- The reason for the extension
- The specific data still being reviewed
- The expected completion date
- Whether processing is paused while the request is pending
6. Ask for a deletion confirmation
A proper response should ideally say:
- What data was deleted, blocked, anonymized, or retained
- When the deletion happened
- Whether deletion covers backups or when backup copies will expire
- Whether third-party processors or recipients were instructed to delete or block the data
- What legal basis supports any continued retention
- The retention period for data that cannot yet be deleted
- How to appeal or escalate internally
Be careful with vague replies like “your account is deactivated.” Deactivation may only hide your profile while the company keeps the same personal data in its system.
Sample Email Request for Deletion of Personal Data
Subject: Request for Erasure/Blocking of Personal Data under RA 10173
Dear Data Protection Officer / Privacy Team,
I am writing to exercise my right to erasure or blocking under Republic Act No. 10173, the Data Privacy Act of 2012, and its Implementing Rules and Regulations.
My account details are:
- Full name:
- App username:
- Registered email address:
- Registered mobile number:
- Account ID or customer number, if any:
I request the deletion, blocking, removal, or destruction of the following personal data from your live and backup systems, where applicable:
1. My account profile and login-related personal data;
2. My uploaded identification documents, selfies, photos, or verification files;
3. My contact list, device, location, advertising, analytics, and profiling data;
4. My personal data shared with processors, affiliates, service providers, advertisers, collection agents, or other third parties, unless retention is legally required;
5. Any other personal data that is no longer necessary for the purpose for which it was collected.
The basis for this request is that the data is no longer necessary for the purpose for which it was collected, and/or I withdraw consent for processing that depends on consent, and/or I object to processing for unauthorized, excessive, or disproportionate purposes.
Please confirm in writing within fifteen (15) calendar days:
- What personal data you deleted, blocked, anonymized, or retained;
- The legal basis and retention period for any personal data you refuse to delete;
- Whether third parties who received my personal data have been instructed to delete, block, or stop processing it;
- Whether the deletion applies to backup systems or, if not immediate, when backup copies will be overwritten or made inaccessible.
Please treat this as a formal data subject rights request.
Sincerely,
[Name]
[Date]What to Do If the App Ignores or Rejects Your Request
If the app gives no response, gives a vague response, or refuses without a valid basis, prepare an NPC complaint.
Before filing, make sure you have proof that you already informed the respondent in writing and gave it a chance to act. The NPC’s mechanics for complaints emphasize exhaustion of remedies: you must show that the respondent did not take timely or appropriate action, or gave no response within 15 calendar days from receipt of your written information. Proof must be attached to the complaint. (National Privacy Commission)
The NPC may waive exhaustion in serious situations, such as grave and irreparable damage, lack of a plain, speedy, or adequate remedy, or patently illegal action, but you should not rely on waiver unless the facts clearly justify urgent intervention.
NPC complaint requirements
| Requirement | Practical notes |
|---|---|
| Written verified complaint | The complaint must be in writing, signed, and verified. Use the current NPC complaint-affidavit template. |
| Identity of complainant | State your full name, contact details, email address, and address for service. |
| Identity of respondent | Name the app operator, company, DPO, responsible officers if known, and app name. |
| Facts and timeline | Explain what data was collected, why deletion was requested, when you requested it, and how the app responded or failed to respond. |
| Evidence | Attach screenshots, emails, privacy policy, app permission screens, IDs only if necessary, and witness affidavits if relevant. |
| Reliefs requested | Ask for deletion, blocking, correction, cessation of processing, confirmation to third parties, damages if supported, or other appropriate relief. |
| Certification against forum shopping | The NPC rules require a sworn certification against forum shopping. |
| Proof of prior written notice | Attach your deletion request and proof of delivery or receipt. |
The NPC’s formal complaint page states that a complaint must be printed, filled out, notarized, and submitted in person, by courier, or by scanned email to the NPC complaints address. (National Privacy Commission) The NPC also announced a new Complaint-Affidavit template effective 1 July 2025, with the older version no longer accepted after the transition period, so use the latest form available from the NPC. (National Privacy Commission)
Fees and possible costs
| Item | Current NPC fee or practical cost |
|---|---|
| Filing fee for complaints | ₱500 |
| Additional fee if claiming damages | Starts at ₱150 for claims not more than ₱20,000; higher claims have additional fees |
| Motion for reconsideration | ₱500 |
| Application for cease-and-desist order | ₱1,000, plus possible bond |
| Legal research fee | 1% of filing fee, but not less than ₱10 |
| Notarization | Varies by notary; commonly paid separately |
| Indigent litigants | May be exempt if they submit required proof, including barangay certificate of indigency and affidavits |
These fees are based on NPC Circular No. 2023-01, the Schedule of Fees and Charges of the National Privacy Commission.
Special Issues for Filipinos Abroad and Foreigners
RA 10173 can apply even when processing happens partly outside the Philippines, if the processing relates to personal information about a Philippine citizen or resident, if the entity has a link with the Philippines, if a contract was entered into in the Philippines, if the entity carries on business in the Philippines, or if the personal information was collected or held by an entity in the Philippines. (National Privacy Commission)
For Filipinos abroad, the NPC Rules of Procedure provide that a non-resident citizen who has no authorized representative in the Philippines, or is unable to appoint one, may submit a complaint, but the complaint must be notarized by the Philippine Embassy or Consulate or carry an apostille certificate from the country of origin.
For foreigners, the strongest connection is usually one of these:
- You are a resident in the Philippines.
- You used a Philippine app or dealt with a Philippine company.
- Your data was collected in the Philippines.
- The app operator has a Philippine branch, subsidiary, office, or business presence.
- The contract, service, delivery, loan, booking, or transaction occurred in the Philippines.
If documents are signed abroad, use consular notarization or apostille where appropriate, especially for sworn complaints, affidavits, authorizations, and special powers of attorney.
Common Problems and How to Handle Them
The app says “we deleted your account” but keeps sending messages
Ask whether the company deleted only login access or also deleted marketing, profiling, device, and partner-sharing records. Separately withdraw consent to marketing and object to direct marketing, automated processing, or profiling.
The app says it needs to keep everything “for legal reasons”
Ask for the specific law, retention period, and data categories. A valid legal obligation may justify keeping some records, but it does not automatically justify keeping unnecessary selfies, contact lists, location history, or marketing profiles forever.
The app accessed your contacts
Contact-list access is a major red flag, especially for lending apps. The 2026 OLP advisory states that unauthorized, excessive, or disproportionate access to borrowers’ contact lists is prohibited, and contacting persons in the borrower’s contacts other than guarantors is prohibited for debt collection.
The app is foreign and has no Philippine address
Look for a privacy representative, DPO email, app store developer contact, website privacy notice, or local affiliate. If it targets Philippine users, has local partners, processes Philippine residents’ data, or carries on business in the Philippines, include those facts in your request and any NPC complaint.
The app asks for another ID before deleting your data
Verification may be legitimate, but it must be proportionate. If the app already has enough data to verify you, question why it needs more. Offer safer alternatives, such as replying from the registered email, confirming recent transaction details, or submitting a redacted ID with unnecessary fields covered.
Frequently Asked Questions
Can I force an app to delete all my personal data immediately?
Not always. You can request erasure or blocking when the legal grounds exist, but the app may retain limited data for legal obligations, contract performance, fraud prevention, accounting, regulatory compliance, or legal claims. It should explain what it retained, why, and for how long.
Is deleting my app account the same as deleting my personal data?
No. Account deletion may only deactivate your login or hide your profile. A proper data deletion request should ask what data remains in live systems, backups, analytics tools, customer support systems, fraud databases, and third-party processors.
How long should I wait before filing an NPC complaint?
For complaint purposes, you generally need to show that you informed the app or company in writing and that it failed to take timely or appropriate action, or failed to respond within 15 calendar days from receiving your written notice. (National Privacy Commission)
Can I request deletion through chat support?
Yes, but email or a privacy portal is usually better because it creates a clearer paper trail. If you use chat support, save screenshots showing the date, time, agent name, ticket number, and full conversation.
Can an online lending app keep my contacts?
It should not process contact-list data in an excessive or disproportionate way. The 2026 DICT-NPC-SEC advisory states that contacting persons on a borrower’s contact list other than guarantors is prohibited for debt collection, and that contact-list access must be limited to specified and legitimate purposes.
Can I ask Google or search engines to remove results showing my personal data?
Yes, in appropriate cases. The NPC explains that publicly available personal data online may be subject to erasure requests, and the PIC should communicate with other PICs, including third-party indexes, to request erasure, removal, or de-listing of search results or links to the relevant personal data. (National Privacy Commission)
What if the personal data belongs to my child?
A parent or legal guardian may usually act for a minor, but be ready to prove authority, such as through the child’s birth certificate or guardianship documents. The NPC Rules allow representation for minors or persons alleged to be incompetent, subject to the pertinent Rules of Court.
Can heirs request deletion after someone dies?
Yes. The IRR recognizes that lawful heirs and assigns may invoke data subject rights after the data subject’s death, or when the data subject is incapacitated or incapable of exercising those rights. (National Privacy Commission)
Is habeas data the same as an NPC complaint?
No. An NPC complaint is the usual route for Data Privacy Act violations involving apps, companies, and data controllers. A writ of habeas data is a court remedy for violations or threats to the right to privacy in life, liberty, or security by a public official, employee, or private person or entity engaged in gathering, collecting, or storing information. The Supreme Court has explained that habeas data may involve updating, rectification, suppression, or destruction of databases or files, but it generally requires a stronger showing than an ordinary app deletion request. (Supreme Court of the Philippines)
Key Takeaways
- In the Philippines, “delete my data” is legally framed as the right to erasure or blocking under RA 10173 and its IRR.
- You have a stronger request when the data is outdated, false, unlawfully obtained, used for an unauthorized purpose, no longer necessary, or processed without a valid legal basis.
- The right is not absolute; apps may retain limited data for legal obligations, contracts, fraud prevention, regulatory compliance, accounting, or legal claims.
- Send a written request to the app’s DPO or privacy team, identify the specific data, state the legal basis, and ask for written confirmation.
- Keep screenshots, emails, ticket numbers, privacy notices, and proof that the app received your request.
- Before filing an NPC complaint, you generally need to show that you first informed the app or company in writing and gave it a chance to act within 15 calendar days.
- NPC complaints must follow the proper form, include supporting evidence, and usually require notarization and filing fees unless an exemption applies.
- For online lending apps, excessive contact-list access, harassment, public shaming, and contacting non-guarantor contacts are serious red flags under current Philippine government guidance.