If an online lending app keeps your ID photos, contact list, selfies, location data, employer details, or messages after your loan was denied, cancelled, or fully paid, you may ask for deletion under Philippine data privacy law. The request is not just a “customer service favor.” It is an exercise of your right to erasure or blocking under Republic Act No. 10173, the Data Privacy Act of 2012, especially when the data is excessive, unlawfully obtained, used for harassment, or no longer needed for the loan purpose. (National Privacy Commission)
The practical goal is simple: make a clear written request, preserve proof, give the lending app a fair chance to act, then escalate to the National Privacy Commission (NPC), Securities and Exchange Commission (SEC), or law enforcement if the app refuses, ignores you, or continues misusing your data.
What “personal data deletion” means for lending apps
In Philippine data privacy practice, deletion is usually part of the broader right to erasure or blocking. This may include asking the online lending app to:
- delete or destroy personal data it no longer has a lawful reason to keep;
- block further processing while a dispute is pending;
- remove you as a character reference;
- stop using your data for marketing, collection harassment, or public shaming;
- delete unlawfully harvested contact lists, photos, call logs, SMS data, or social media contacts;
- tell its outsourced collectors, affiliates, or third-party processors to stop processing your data.
The NPC describes this right as the right to request the “suspension, withdrawal, blocking, removal, or destruction” of personal data from a personal information controller’s filing system, including live and backup systems. (National Privacy Commission)
For online lending apps, the personal information controller is usually the lending company, financing company, app operator, or other entity that decides what data to collect and how it will be used. The personal information processor may be a collection agency, cloud service provider, call center, or outsourced service provider acting under the lender’s instructions. Under the Data Privacy Act, the controller remains accountable for personal data under its control, including data transferred to a third party for processing. (National Privacy Commission)
Legal basis for requesting deletion in the Philippines
The Data Privacy Act of 2012
Republic Act No. 10173 applies to the processing of personal information by private companies and government offices. It also applies to certain entities outside the Philippines if the processing involves Philippine citizens or residents, or if the entity has links to the Philippines, such as carrying on business in the country or collecting personal information in the Philippines. (National Privacy Commission)
The core principles are:
| Principle | What it means for lending apps |
|---|---|
| Transparency | The app must tell you what data it collects, why, how it will be used, who receives it, and how long it will be stored. |
| Legitimate purpose | Data must be collected and used for a lawful and declared purpose, such as loan evaluation, KYC, fraud prevention, servicing, or lawful collection. |
| Proportionality | The app should collect only data that is adequate, relevant, suitable, necessary, and not excessive for the loan purpose. |
The Data Privacy Act expressly says personal information should be retained only as long as necessary for the purpose for which it was obtained, for legal claims, legitimate business purposes, or as provided by law. It also gives data subjects the right to order the blocking, removal, or destruction of personal information that is incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes, or no longer necessary. (National Privacy Commission)
NPC rules specific to online lending and loan-related transactions
The NPC issued NPC Circular No. 20-01, later amended by NPC Circular No. 2022-02, specifically for loan-related personal data processing. These rules matter because many lending app problems are not just about ordinary loan records. They involve app permissions, contact lists, character references, guarantors, and collection practices.
Under these NPC rules:
- lending apps must not require unnecessary app permissions involving personal or sensitive personal information;
- access to phone contacts, email lists, social media contacts, or similar contact details for debt collection or harassment is prohibited;
- apps should use a separate interface where borrowers provide character references or co-makers of their own choosing;
- personal data of denied applicants and fully paid borrowers should not be kept forever for an undefined future use;
- character references must be informed that they were listed and must be given the option, where feasible, to have their data removed as a character reference.
In 2026, the DICT, NPC, and SEC also issued a public advisory on online lending platforms, reiterating that unnecessary, unauthorized, excessive, or disproportionate processing of personal data is prohibited, especially access to borrowers’ contact lists and processing that leads to harassment, intimidation, public shaming, or unfair collection practices.
SEC rules on lending and collection practices
Online lending apps are also regulated from the financial services side. Lending companies are covered by Republic Act No. 9474, the Lending Company Regulation Act of 2007. Financing companies are covered by Republic Act No. 8556, the Financing Company Act of 1998. The SEC regulates these entities and requires authority to operate for legitimate lending or financing business.
SEC Memorandum Circular No. 18, Series of 2019 prohibits unfair debt collection practices by financing and lending companies. These include threats of violence or criminal means to harm a person’s body, reputation, or property, threats to take actions that cannot legally be taken, and deceptive means to collect debt or obtain borrower information.
The important point: even if you still owe money, the lender does not get unlimited power over your personal data.
When you can validly ask a lending app to delete your data
You have stronger grounds for deletion when one or more of these facts apply:
Your loan application was rejected or cancelled. The app may not keep your data indefinitely just because you might apply again someday.
Your loan is already fully paid. The lender may still keep limited records for legal, accounting, regulatory, credit, or dispute purposes, but it should not keep excessive data or continue using your data for marketing or harassment.
The app collected excessive permissions. Examples include full contact list access, SMS access, gallery access after KYC is done, location access unrelated to the loan, or social media scraping.
The app contacted people you did not list as guarantors or references. NPC rules prohibit harvesting contact lists and using them for debt collection or harassment.
You were listed as a character reference without meaningful notice. A character reference is not automatically a guarantor. The amended NPC circular requires lenders to inform character references how their details were obtained and provide an option to remove their personal data as a reference. (National Privacy Commission)
The app used your photo, ID, contacts, or personal details to shame or threaten you. This may raise data privacy, SEC collection-practice, civil damages, and possibly criminal issues depending on the facts.
You withdrew consent for marketing or unrelated sharing. A lender may have a lawful basis to process data for the loan contract, but separate use for marketing, cross-selling, or sharing unrelated products generally needs its own lawful basis.
When the lender may refuse full deletion
A deletion request does not always mean every record must disappear immediately. A lending app may lawfully keep limited personal data when it is still necessary for:
- an unpaid loan or active repayment arrangement;
- compliance with law or regulator requirements;
- accounting, audit, fraud prevention, or tax documentation;
- establishment, exercise, or defense of legal claims;
- legitimate business purposes consistent with lawful retention standards;
- credit data reporting or correction obligations under applicable law.
For example, if you still have an unpaid loan, the lender may retain your name, contact details, loan agreement, payment history, and collection records needed to enforce the contract. But that does not justify keeping your entire phonebook, using your selfie to shame you, contacting unrelated people, or keeping unnecessary app permissions active after the purpose has ended.
Credit reporting is also different from app deletion. Under Republic Act No. 9510, the Credit Information System Act, borrowers have rights to access and dispute erroneous, incomplete, outdated, or misleading credit information, but lawful credit data may be subject to a separate correction or dispute process rather than simple deletion. (Credit Information Corporation (CIC))
Step-by-step guide: how to request personal data deletion from an online lending app
1. Identify the real company behind the app
Before sending the request, gather the app’s identifying details:
- app name as shown on Google Play, App Store, APK, website, SMS, or collection message;
- registered company name, if shown in the privacy notice or loan agreement;
- SEC registration number and Certificate of Authority number, if available;
- email address of the Data Protection Officer, customer support, or complaints unit;
- office address and contact number;
- screenshots of the app page, privacy policy, permissions screen, and loan agreement.
Many abusive apps use multiple names. The app name used in text messages may differ from the corporate name in the loan agreement. Do not rely only on the app logo. Look at the privacy policy, disclosure statement, payment instructions, collection notices, email sender, and SEC-related disclosures.
2. Preserve evidence before deleting the app
Do this before uninstalling or losing access:
- take screenshots of the app permissions;
- download or screenshot the privacy policy;
- save the loan disclosure statement, promissory note, repayment schedule, and proof of full payment;
- screenshot harassment messages, threats, public posts, or messages sent to your contacts;
- save call logs and dates;
- ask affected contacts to screenshot messages they received;
- record the exact dates when you requested deletion and when the app responded.
If a complaint later goes to the NPC, the SEC, or law enforcement, vague statements like “they harassed me” are weaker than dated screenshots showing who sent what, when, and to whom.
3. Revoke unnecessary app permissions
On your phone, immediately review and revoke permissions that are no longer needed.
For Android, check: Settings → Apps → [App Name] → Permissions.
For iPhone, check: Settings → Privacy & Security, then review Contacts, Photos, Camera, Location, Microphone, and Tracking permissions.
Revoking permission does not automatically delete data already copied by the app. It simply reduces further access. That is why a written deletion request is still important.
4. Send a written deletion request
Send the request by email, in-app ticket, website form, and any official support channel shown in the privacy notice. Use a channel that gives you proof of sending.
Your message should be polite but specific. Avoid emotional insults. State the legal basis and the exact action you want.
Sample deletion request
Subject: Request for Erasure/Blocking of Personal Data under the Data Privacy Act
I am exercising my right to erasure or blocking under Republic Act No. 10173, the Data Privacy Act of 2012, and applicable NPC issuances on loan-related transactions.
Please delete, block, or securely dispose of personal data that is no longer necessary, unlawfully obtained, excessive, or used for unauthorized purposes, including any phone contact list, social media contacts, SMS data, photos, gallery files, location data, employer details, character reference details, and other data not necessary for any lawful remaining purpose.
My details for verification are:
- Full name:
- Mobile number used in the app:
- Email used in the app:
- Loan/account reference number, if any:
- Date of application or loan:
- Status of loan: denied / cancelled / fully paid / disputed / active
I also request written confirmation of:
- what categories of my personal data you currently hold;
- the purpose and legal basis for keeping any remaining data;
- the retention period for any data you refuse to delete;
- the names or categories of third parties, collectors, processors, affiliates, or credit entities that received my data;
- confirmation that unnecessary or unlawfully obtained data has been deleted, blocked, or securely disposed of; and
- confirmation that your collectors and processors have been instructed to stop unauthorized processing.
Please act on this request within fifteen (15) calendar days from receipt. If you refuse full deletion, please explain the specific legal basis and the exact data categories you will retain.
The 15-day period is practical because the NPC’s complaint rules require exhaustion of remedies: before filing a complaint, the complainant must have informed the respondent in writing and the respondent failed to take timely or appropriate action, or gave no response within fifteen calendar days from receipt. (National Privacy Commission)
5. Ask for partial deletion if full deletion is refused
If the lender says it must keep records because the loan is active, unpaid, or subject to audit, reply by narrowing the request:
- delete unlawfully harvested contact lists;
- delete photos or gallery files not needed after KYC;
- remove character reference data;
- stop marketing and cross-selling;
- stop disclosure to collectors not properly authorized;
- block disputed data while the complaint is pending;
- give a clear retention schedule for remaining records.
This often works better than demanding “delete everything,” especially where the lender has a lawful reason to retain some account records.
6. Escalate to the NPC if the app ignores or denies the request improperly
If the app ignores you, continues processing unlawfully, or refuses without a valid reason, you may file with the National Privacy Commission.
The NPC’s complaint process requires a filled-out and notarized complaint form or verified complaint, supporting evidence, and witness affidavits when available. The NPC states that complaints may be submitted personally, by registered mail, by courier, or by email when authorized; its formal complaint page also says the notarized complaint may be scanned and emailed to the NPC complaints address. (National Privacy Commission)
Prepare these:
| Item | Why it matters |
|---|---|
| Valid ID | Shows you are the data subject or authorized representative. |
| Deletion request | Proves you informed the app in writing. |
| Proof of receipt | Email delivery, ticket number, chat acknowledgment, or courier proof. |
| Screenshots | Shows excessive permissions, harassment, disclosure, or refusal. |
| Loan documents | Shows account status, app name, company name, and payment status. |
| Proof of full payment | Important if deletion is based on closure of the loan account. |
| Witness statements | Useful if contacts, relatives, employers, or coworkers were messaged. |
| Special Power of Attorney | Needed if someone files for you as representative. |
The NPC warns that complaints may be dismissed outright if they are insufficient in form, if the respondent was not given an opportunity to address the complaint, if the allegations do not involve a DPA issue, if evidence is insufficient, or if parties cannot be identified despite diligent effort. (National Privacy Commission)
7. File with the SEC for lending-app or collection-practice violations
If the issue involves abusive collection, unregistered lending activity, misleading app identity, unfair collection practices, or unauthorized online lending operations, the SEC may also be relevant.
The SEC now uses iMessage, its official SEC-wide ticketing system, for public inquiries, complaints, incidents, and requests. The platform generates an electronic ticket and allows users to track ticket status. (Securities and Exchange Commission)
For SEC complaints, include:
- app name and company name;
- screenshots of threats or public shaming;
- proof that collectors contacted non-guarantors;
- proof of payment and loan balance dispute, if any;
- app store link or APK source;
- SEC registration details, if available;
- names, phone numbers, and screenshots of collectors.
8. Consider law enforcement if there are threats, fake cases, identity theft, or public shaming
Some conduct goes beyond privacy and financial regulation. If collectors threaten death or physical harm, create fake police or court documents, post your photo with accusations, use your identity, or hack accounts, the matter may involve the Philippine National Police Anti-Cybercrime Group, the National Bureau of Investigation Cybercrime Division, or local law enforcement.
Online defamatory posts may raise issues under the Revised Penal Code provisions on libel and the Cybercrime Prevention Act of 2012, Republic Act No. 10175. In Disini v. Secretary of Justice, the Supreme Court addressed constitutional challenges to the Cybercrime Prevention Act, including cyberlibel provisions. (Lawphil)
Civil damages may also be relevant. Civil Code Articles 19, 20, and 21 require people to exercise rights with justice, honesty, and good faith, and to indemnify another person for damage caused contrary to law, morals, good customs, or public policy. (Lawphil)
Special situations
If you are only a character reference
You can request removal even if you are not the borrower. Under the amended NPC circular, a character reference is someone whose contact information is provided to verify the borrower’s identity or truthfulness. A character reference is not automatically a guarantor, and the lender must provide the option of having the person’s data removed as a character reference where feasible. (National Privacy Commission)
Your message can say:
I did not agree to be a guarantor and I do not consent to further use of my number for collection, marketing, or borrower pressure. Please remove my personal data as a character reference and confirm deletion or blocking.
If your loan is unpaid
You may still object to excessive or unlawful processing. You can ask the app to delete your contact list, unrelated photos, social media data, and non-guarantor contact information. However, the lender may keep data needed to service or collect the legitimate debt, prove the loan contract, comply with law, or defend legal claims.
A good approach is to separate the debt issue from the privacy issue:
- “I am not refusing to discuss any lawful loan obligation.”
- “This request concerns excessive and unauthorized personal data processing.”
- “Please communicate only through my own contact details or authorized legal channels.”
If you already deleted the app
You can still send a request if you know the company name, email, phone number, or app identity. Use old SMS messages, payment receipts, screenshots, loan documents, app store history, or bank/e-wallet transaction records to identify the lender.
Deleting the app from your phone does not delete your data from the company’s servers.
If you are a Filipino abroad or a foreigner dealing with a Philippine lender
You may still have rights under Philippine data privacy law if the lender is in the Philippines, the loan transaction was with a Philippine lending or financing company, the processing is done in the Philippines, or the entity has sufficient links to the Philippines. The Data Privacy Act expressly covers certain processing outside the Philippines when it relates to Philippine citizens or residents, or when the processing entity carries on business in the Philippines or collected/held personal information there. (National Privacy Commission)
For filings from abroad, the practical issue is documentation. If someone in the Philippines will file for you, prepare a Special Power of Attorney. If the document is signed abroad, it may need Philippine consular notarization or apostille, depending on where it is executed and how the receiving office treats the document. Keep scanned copies ready because NPC and SEC processes may involve electronic submissions, but formal verified complaints may still require notarized documents. (National Privacy Commission)
Common mistakes that weaken deletion requests
Sending only a one-line message
A message like “Delete my data now or else” is easy to ignore. A stronger request identifies the account, cites the right to erasure, specifies the data to delete, and asks for written confirmation.
Asking for deletion while evidence is not yet saved
If the app later removes messages or disables your account, you may lose proof. Save screenshots first.
Confusing deletion with debt cancellation
Data deletion does not erase a lawful debt. A paid or disputed loan may support deletion of unnecessary data, but it does not automatically cancel a valid obligation.
Ignoring third-party collectors
Ask the lender to confirm that its collection agencies, outsourced processors, affiliates, and service providers were instructed to stop unauthorized processing. The Data Privacy Act’s accountability principle is important because lenders sometimes blame “third-party collectors” for harassment. (National Privacy Commission)
Filing with the NPC before writing to the app
Unless there is a special urgent reason, the NPC generally expects proof that you first informed the respondent in writing and gave it a chance to respond. Failure to show exhaustion of remedies can lead to dismissal. (National Privacy Commission)
Practical timeline
| Stage | Practical timeframe | What to do |
|---|---|---|
| Evidence gathering | Same day | Screenshot app permissions, messages, privacy policy, loan status, and proof of payment. |
| Written deletion request | Day 1 | Send by email, app ticket, and official support channel. |
| Waiting period | 15 calendar days | Track response or silence. This supports NPC exhaustion of remedies. |
| Follow-up or narrowed request | Day 15–20 | Ask for partial deletion, blocking, or retention explanation if needed. |
| NPC complaint | After no timely or appropriate action | Prepare notarized complaint, evidence, and proof of prior written notice. |
| SEC complaint | Any time there are lending or collection-practice issues | File through SEC iMessage with screenshots and company/app details. |
Frequently Asked Questions
Can I ask an online lending app to delete my personal data after I fully pay my loan?
Yes. Full payment strengthens your request because the original loan purpose may already be completed. The lender may retain limited records for lawful retention, accounting, legal claims, credit, or regulatory purposes, but it should not keep excessive data or continue processing your personal data for undefined future use.
Can I demand deletion if my loan application was denied?
Yes. NPC Circular No. 20-01 specifically says lending and financing companies must adopt retention policies for personal data of denied loan applicants and should not retain data forever for a possible future use that has not been determined.
Can a lending app legally access my contact list?
Broad harvesting of phone contacts, email lists, or social media contacts for collection or harassment is prohibited. The NPC rules allow a separate interface where the borrower provides chosen character references or co-makers, but not uncontrolled copying of the borrower’s entire contact list.
Can I remove myself as a character reference?
Yes, where feasible. The amended NPC circular requires lenders to inform character references that they were listed, explain how their details were obtained, and provide the option to have their personal data removed as a character reference. A character reference is not automatically a guarantor. (National Privacy Commission)
What if the lending app says I consented when I installed the app?
Consent is not a blank check. Processing must still be lawful, transparent, legitimate, and proportional. Excessive permissions, unrelated marketing, contact-list harvesting, public shaming, and unauthorized disclosure may still violate the Data Privacy Act and NPC lending rules even if the app showed a privacy policy.
Can the app refuse deletion because I still owe money?
It can refuse deletion of data genuinely needed for the loan, collection, legal claims, or compliance. But it should still delete or block unnecessary, excessive, unlawfully obtained, or unauthorized data, such as harvested contact lists or unrelated photos.
Where do I complain if the app ignores my deletion request?
For privacy violations, file with the National Privacy Commission after documenting your written request and the app’s failure to act within fifteen calendar days. For abusive collection, unregistered lending, or SEC-regulated lending issues, file through SEC iMessage. (National Privacy Commission)
Do I need a lawyer to request deletion?
No. You can send the deletion request yourself. A lawyer or authorized representative may help if the facts are complex, if there are threats or public shaming, or if you will file a formal verified complaint. If a representative files with the NPC, the NPC rules require proper authority such as a Special Power of Attorney. (National Privacy Commission)
Can I ask Google Play or Apple to remove the lending app?
You can report abusive or privacy-invasive apps to the app store, especially if the app asks for excessive permissions or misuses data. This is separate from your Philippine legal remedies. For Philippine regulatory action, the NPC handles data privacy violations and the SEC handles lending and financing company regulatory issues.
What if the collector posts my photo or messages my employer?
Save evidence immediately. This may involve data privacy violations, unfair debt collection practices, possible civil damages, and possibly criminal issues depending on the content. Report the privacy issue to the NPC, the lending or collection-practice issue to the SEC, and threats, fake legal documents, identity misuse, or defamatory online posts to appropriate law enforcement.
Key Takeaways
- You have a Philippine legal right to request erasure, blocking, removal, or destruction of personal data that is excessive, unlawfully obtained, used for unauthorized purposes, or no longer necessary.
- Online lending apps cannot freely harvest your contact list, social media contacts, photos, or other phone data for collection or harassment.
- Full deletion is not always automatic if there is an unpaid loan, legal claim, credit reporting issue, or lawful retention obligation.
- A strong request should be written, specific, evidence-backed, and sent through traceable channels.
- Keep screenshots before uninstalling the app or deleting messages.
- Give the app a written chance to act; fifteen calendar days is important for NPC exhaustion of remedies.
- File with the NPC for privacy violations and with the SEC for lending-app or unfair collection-practice issues.
- Character references are not automatically guarantors and may request removal of their data as references.