How to Request Personal Data Deletion from Online Lending Apps in the Philippines

If an online lending app in the Philippines keeps using your contacts, photos, IDs, messages, or other personal information after you paid, cancelled, or were denied a loan, you can formally request deletion or blocking of your personal data. Philippine law gives you a real process for this, but it is important to ask for the right thing, send it to the right entity, preserve evidence first, and understand what the app may legally keep, especially if you still have an unpaid loan.

What “personal data deletion” means under Philippine law

In the Philippines, the right most people call “data deletion” is legally known as the right to erasure or blocking. It comes from Section 16(e) of Republic Act No. 10173, or the Data Privacy Act of 2012.

This right allows you to request the suspension, withdrawal, blocking, removal, or destruction of your personal information from the filing system of a personal information controller, including live systems and backup systems.

For online lending apps, this may cover:

  • your name, phone number, email address, address, birthday, employment details, and ID copies;
  • selfies, face scans, proof-of-billing documents, and uploaded payslips;
  • device information, app logs, location data, and access history;
  • contact list data, character references, guarantor details, and metadata from your phone;
  • marketing profiles, credit-scoring inputs, and automated decision-making records;
  • personal data shared with collectors, affiliates, third-party processors, or debt collection agencies.

But deletion is not always “delete everything immediately.” A lending company may still retain data that is necessary for lawful purposes such as loan servicing, accounting, tax, regulatory compliance, credit reporting required by law, fraud investigation, or the establishment, exercise, or defense of legal claims.

The practical goal is to force the lender to stop unlawful or excessive processing and delete or block data that is no longer necessary.

Your legal rights against online lending apps

The Data Privacy Act protects borrowers, rejected applicants, references, and contacts

Under the Data Privacy Act, an online lending app is usually a personal information controller or PIC. This means it decides why and how your personal data is collected, used, stored, shared, and deleted.

A PIC must follow the general data privacy principles of:

Principle What it means in ordinary language
Transparency The app must clearly tell you what data it collects, why, how long it keeps it, and who receives it.
Legitimate purpose The app must use your data only for lawful and declared purposes.
Proportionality The app must collect only data that is necessary and not excessive.

Section 11 of the Data Privacy Act also states that personal information must be retained only for as long as necessary for the purpose for which it was obtained, for legal claims, for legitimate business purposes, or as provided by law.

This matters because many abusive lending apps collect far more than they need, especially contact lists, gallery access, social media contacts, and phone permissions.

Special NPC rules for loan apps

The National Privacy Commission issued NPC Circular No. 20-01, later amended by NPC Circular No. 2022-02, specifically for personal data processing in loan-related transactions.

These rules are important because they directly address online lending app abuses.

Under these NPC circulars:

  • online lending apps must not require unnecessary app permissions;
  • access to contact lists, camera, gallery, storage, or location must be suitable, necessary, and not excessive;
  • unbridled processing of contact lists is prohibited;
  • contact list access must not be used for harassment, debt shaming, or collection from persons who are not guarantors;
  • character references must not automatically be treated as guarantors;
  • a guarantor must separately consent to be a guarantor;
  • lending and financing companies must provide an option for a character reference to have their personal data removed as a character reference;
  • personal data must not be retained forever just because the company may want to use it later.

The 2026 DICT-NPC-SEC Public Advisory on Online Lending Platforms also reminds the public that unnecessary processing, excessive contact-list access, harassment, public shaming, and unfair debt collection practices are prohibited.

SEC rules also matter when the issue involves collection harassment

The Securities and Exchange Commission regulates lending companies under Republic Act No. 9474, the Lending Company Regulation Act of 2007, and financing companies under Republic Act No. 8556, the Financing Company Act of 1998.

The SEC also handles unfair debt collection complaints against lending and financing companies. Republic Act No. 11765, the Financial Products and Services Consumer Protection Act, strengthens consumer protection in financial products and services.

For data deletion, the main agency is the National Privacy Commission. For abusive collection, unregistered lending activity, threats, or harassment by a lending or financing company, the SEC may also be involved.

When you can request deletion from an online lending app

You may request deletion, blocking, or removal when you have substantial proof that your personal data is:

  • incomplete, outdated, false, or unlawfully obtained;
  • used for an unauthorized purpose;
  • no longer necessary for the purpose for which it was collected;
  • processed unlawfully;
  • processed despite your valid objection;
  • used in violation of your rights as a data subject.

Common examples include:

Situation What you can usually request
You paid the loan in full Deletion or blocking of data no longer needed, closure of account, removal from marketing and collection systems, and retention explanation for records they must keep.
Your loan application was denied Deletion of application data that is no longer necessary, especially uploaded IDs, selfies, employment documents, and app permissions data.
You cancelled before loan release Withdrawal of consent and deletion of unnecessary onboarding data.
The app accessed your contacts Deletion of harvested contacts and proof that contacts were not shared with collectors or affiliates.
Your relatives or officemates were contacted Removal of their data, disclosure of how their data was obtained, and cessation of processing.
You were listed as a character reference Removal of your personal data as a character reference.
You were wrongly treated as guarantor Removal from guarantor records unless you separately and expressly agreed to be one.

What the lending app may refuse to delete

A deletion request is stronger when it is realistic. Lending apps may deny deletion, wholly or partly, if the data is still necessary for:

  • the fulfillment of the loan contract;
  • collection of an existing unpaid obligation;
  • compliance with law or regulation;
  • accounting, tax, audit, or regulatory recordkeeping;
  • submission or correction of credit data where required by law;
  • fraud prevention or investigation;
  • establishment, exercise, or defense of legal claims;
  • legitimate business purposes consistent with proper retention standards.

For example, if you still owe money, the lender may keep your loan agreement, statement of account, repayment history, and identity verification records. But that does not mean it can keep your entire phonebook, shame you online, message your employer, or contact people who are not guarantors.

Step-by-step guide to request personal data deletion

1. Preserve evidence before deleting the app

Before revoking permissions or uninstalling the app, save proof. This is important because abusive apps may disappear, change names, or remove pages later.

Keep:

  • screenshots of the app name, logo, developer, and app store listing;
  • the privacy policy and consent screens;
  • screenshots of permissions requested by the app;
  • account number, loan reference number, and registered mobile number;
  • proof of full payment, cancellation, or denied application;
  • text messages, emails, chat messages, and call logs;
  • screenshots of messages sent to your contacts;
  • names and numbers of collectors, if visible;
  • proof that third persons were contacted or shamed;
  • copies of IDs or documents you uploaded, if available;
  • dates and times of incidents.

If relatives, officemates, or friends were contacted, ask them to save screenshots too. Their evidence can be very important.

2. Revoke unnecessary app permissions

After preserving evidence, revoke permissions in your phone settings.

For Android, check:

  • Settings → Apps → App name → Permissions
  • Remove access to Contacts, Camera, Photos, Files, Microphone, Location, SMS, and Phone where not necessary.

For iPhone, check:

  • Settings → Privacy & Security
  • Review Contacts, Photos, Camera, Location Services, Tracking, and Microphone permissions.

Revoking permissions does not automatically delete data already collected. It only stops or limits future access from your device. You still need to send a written deletion request.

3. Identify the legal company behind the app

Many online lending apps use trade names, app names, or collection names different from the registered company.

Look for the company’s:

  • registered corporate name;
  • SEC registration number;
  • Certificate of Authority number, if listed;
  • privacy policy;
  • Data Protection Officer or DPO email;
  • customer support email;
  • office address;
  • app developer name in Google Play or App Store;
  • collection agency name, if different.

You can check the SEC’s public information pages, including the SEC list of recorded online lending platforms, through the official SEC Philippines website and related lending and financing company pages. For complaints, the SEC now uses the iMessage SEC portal.

4. Send a written data subject request

Send your request by email, in-app support ticket, registered mail, courier, or any official channel listed in the privacy notice. Email is usually fastest, but keep proof that it was sent.

Use a subject line like:

Request for Erasure/Blocking of Personal Data under RA 10173 – [Your Name] – [Registered Mobile Number]

Your request should include:

  1. your full name;
  2. registered mobile number and email used in the app;
  3. loan reference number or account ID, if any;
  4. clear statement that you are exercising your right to erasure or blocking;
  5. specific data you want deleted or blocked;
  6. reason for deletion;
  7. request for confirmation of deletion;
  8. request for a list of third parties who received your data;
  9. request to notify those third parties of the deletion;
  10. attachments proving identity and supporting facts.

5. Ask for access and deletion together when needed

If you are not sure what data the app collected, combine your deletion request with a right of access request.

Ask the lending app to disclose:

  • what personal data it collected;
  • where it obtained the data;
  • why it processed the data;
  • who received it;
  • whether collectors, affiliates, or overseas processors received it;
  • how long it will be retained;
  • whether automated credit scoring or profiling was used;
  • whether contact-list data was copied, stored, or shared.

This is useful because many borrowers do not know whether the app actually uploaded contacts or merely accessed them temporarily.

6. Attach only necessary proof of identity

The app may verify that you are the correct data subject. That is allowed. But it should not demand excessive new personal data just to process your request.

Practical attachments may include:

  • one valid ID, with unnecessary details covered where possible;
  • screenshot of your app account;
  • proof of payment or account closure;
  • screenshots of offending messages;
  • authorization letter or Special Power of Attorney if another person is filing for you.

Avoid sending a full set of new IDs, selfies, bank statements, or passwords unless truly necessary. Data minimization applies both ways.

7. Wait for the proper response period

Under NPC Advisory No. 2021-01 on Data Subject Rights, a personal information controller should comply with data subject requests without undue delay, and not beyond 30 working days after receiving the request and necessary documents. If the request is complex or numerous, it may be extended by up to another 15 working days, but you should be informed of the reason.

For an NPC complaint, however, the NPC Rules of Procedure require exhaustion of remedies. This means you generally need to show that you first informed the company in writing and gave it an opportunity to act. The NPC’s mechanics for complaints state that if the respondent fails to take timely or appropriate action, or there is no response within 15 calendar days from receipt of your written notice, proof of this must be attached to the complaint.

A practical approach is:

  • ask the lender to acknowledge and stop unlawful processing within 15 calendar days;
  • allow the full data subject rights response period for complete deletion or explanation;
  • prepare an NPC complaint if there is no response, an unreasonable denial, continued harassment, or continued unlawful processing.

Sample deletion request you can adapt

Subject: Request for Erasure/Blocking of Personal Data under RA 10173

To the Data Protection Officer / Privacy Office:

I am exercising my right to erasure or blocking under Section 16(e) of Republic Act No. 10173, the Data Privacy Act of 2012, and applicable NPC issuances on loan-related transactions.

Name: [Full name] Registered mobile number: [Number] Registered email: [Email] Loan/account reference number: [If available] App name: [App name]

I request the deletion, blocking, or removal of my personal data that is no longer necessary, unlawfully obtained, excessive, or used for unauthorized purposes, including any contact-list data, uploaded photos, device permissions data, marketing profile, and data shared with collectors, affiliates, or third-party processors beyond what is legally necessary.

I also withdraw consent for marketing, cross-selling, contact-list processing, and disclosure to third parties not necessary for lawful loan servicing or legal compliance.

Please confirm in writing:

  1. what personal data you currently hold about me;
  2. the purpose and legal basis for each category of data retained;
  3. the recipients or third parties to whom my data was disclosed;
  4. what data has been deleted, blocked, or retained;
  5. the legal basis and retention period for any data you refuse to delete;
  6. whether my contact list, character references, or guarantor information were accessed, stored, or shared; and
  7. whether third parties who received my data have been instructed to delete, block, or stop processing it.

Attached are documents supporting my identity and request. Please respond within the period required by NPC rules and advisories.

[Name] [Date]

Documents, timelines, and where to file

Purpose Where to send/file Key documents Practical timeline
Initial deletion request Lending app DPO, privacy email, support email, in-app ticket, registered mail, or courier ID, account details, screenshots, proof of payment or cancellation Acknowledgment may vary; full response should generally be within 30 working days, extendible by 15 working days for complex requests
NPC privacy complaint National Privacy Commission Notarized complaint-affidavit, proof of written notice, evidence, IDs, affidavits if available NPC evaluates sufficiency; respondent may be required to comment if given due course
SEC unfair collection complaint SEC through iMessage SEC Loan documents, screenshots, call logs, proof of harassment, app details Ticket-based handling; timeline depends on completeness and agency action
Cyber harassment, threats, fraud, or scams DICT Cyber Hotline, NBI Cybercrime Division, PNP Anti-Cybercrime Group, local police where appropriate Screenshots, links, numbers, names, call logs, account details, affidavits Urgent threats should be documented immediately
Barangay or police blotter Barangay or police station Screenshots, witnesses, IDs Useful for documenting harassment, but it does not replace NPC or SEC complaints

How to file a complaint with the National Privacy Commission

If the lending app ignores your request, refuses without a valid reason, continues using your data, or keeps harassing your contacts, you may file a formal complaint with the NPC.

The NPC’s official filing a complaint page requires a complaint in the proper format. The NPC has also implemented updated complaint-affidavit templates, so use the latest form from the NPC website before filing.

In general, you need:

  • a completed complaint-affidavit or verified complaint;
  • notarization;
  • your evidence;
  • proof that you first informed the company in writing;
  • proof of no response, inadequate response, or continued violation;
  • witness affidavits, if available;
  • proof of identity;
  • Special Power of Attorney if someone else files for you.

You may file personally, by registered mail, by courier, or by email if authorized by the NPC. Electronic submissions should be in PDF format where practicable and must comply with NPC rules on electronic filing.

For OFWs, Filipinos abroad, and foreigners outside the Philippines, the NPC Rules of Procedure allow complaints filed from outside the Philippines, but notarization may need to be done through a Philippine Embassy or Consulate, or with an apostille certificate from the country of origin, depending on the document and place of execution.

Common problems and how to handle them

The app says it cannot delete anything because you borrowed money

That is too broad. If you still owe money, the lender may retain records necessary for the loan, collection within legal limits, accounting, and legal claims. But it must still justify retention and should not keep excessive data.

A better response is:

  • request deletion of contact-list data, gallery data, marketing data, and excessive app permissions data;
  • request blocking of data not needed for collection;
  • request the retention period and legal basis for loan records;
  • request that third-party collectors stop processing data not necessary for lawful collection.

The loan is fully paid but the app keeps calling your contacts

Once the loan is fully settled, collection-related processing should stop. Ask for account closure, deletion of unnecessary data, removal from collection systems, and confirmation that collectors and processors were instructed to stop.

Attach proof of full payment. If they keep contacting third parties, preserve screenshots and escalate to NPC and SEC.

You were only a character reference

A character reference is not automatically a guarantor. NPC Circular No. 2022-02 states that character references should be informed that they were chosen, told how their details were obtained, and given the option to have their personal data removed.

Your request can be short:

“I did not borrow from your company and did not agree to be contacted for collection. Please remove my name and number as a character reference and confirm deletion or blocking of my personal data.”

The app claims your consent allowed contact-list access

Consent must be freely given, specific, informed, and tied to a legitimate purpose. Blanket consent hidden in a long privacy policy is weak if the processing is excessive or used for harassment.

NPC rules specifically prohibit unbridled contact-list processing. Even if you clicked “Allow,” the app cannot use that permission to shame you, pressure relatives, or collect from persons who are not guarantors.

The app is not registered or uses a fake company name

Unregistered or hard-to-trace apps are common. Still preserve evidence and file complaints using all identifying details available:

  • app name;
  • package name or app store link;
  • developer name;
  • phone numbers used;
  • GCash, bank, or payment channels;
  • collection messages;
  • privacy policy link;
  • screenshots of ads and social media pages.

Report the data privacy issue to NPC, the lending/collection issue to SEC, and threats or scams to cybercrime authorities.

You are a foreigner who used a Philippine lending app

The Data Privacy Act protects data subjects, not only Filipino citizens. If a Philippine lending app or Philippine-based company processed your personal data, you may exercise data subject rights. For formal complaints filed from abroad, expect identity verification and possible notarization, consular acknowledgment, or apostille requirements.

What not to do

Avoid these common mistakes:

  • Do not delete the app before saving evidence.
  • Do not rely only on phone calls; send a written request.
  • Do not send unnecessary IDs, selfies, or bank documents.
  • Do not admit to facts you dispute just to get deletion.
  • Do not threaten the company with false accusations.
  • Do not ignore a legitimate unpaid loan; deletion rights do not erase debt.
  • Do not file an NPC complaint without proof that you first notified the company, unless there is a strong reason why prior notice was not possible or safe.
  • Do not confuse a character reference with a guarantor. A guarantor must separately agree to answer for the debt.

Frequently Asked Questions

Can I ask an online lending app to delete my data after I fully pay my loan?

Yes. After full payment, you can request account closure and deletion or blocking of personal data no longer necessary. The lender may retain some records for legal, accounting, tax, regulatory, or claims-related purposes, but it should explain what it is keeping, why, and for how long.

Can I request deletion if I still have an unpaid loan?

Yes, but the lender may retain data necessary for lawful collection and legal claims. You can still request deletion or blocking of excessive data, especially contact-list data, gallery access data, marketing data, and information about people who are not guarantors.

Can the app contact everyone in my phonebook?

No. NPC rules prohibit unbridled contact-list processing. For debt collection, lending and financing companies may contact the guarantor. Contacting people in your contact list who were not named as guarantors is prohibited under NPC rules and may also violate SEC rules on unfair debt collection.

Is a character reference responsible for my loan?

No. A character reference is not automatically a guarantor. A guarantor must expressly agree to be responsible for the borrower’s obligation in case of default. If a lending app treats a character reference as a guarantor without separate consent, that is a serious red flag.

How long should the lending app take to answer my deletion request?

Under NPC Advisory No. 2021-01, the PIC should act without undue delay and generally not beyond 30 working days after receiving the request and necessary documents. For complex or numerous requests, it may extend by up to 15 working days, but it should notify you of the reason.

What if the lending app ignores me?

Save proof of your written request and proof of receipt or sending. If there is no response, an inadequate response, or continued unlawful processing, prepare an NPC complaint. For collection harassment, also file with the SEC through iMessage SEC.

Can I make the app delete my data from its collectors and affiliates?

You can request that the lending app inform third parties who received your personal data of the erasure or blocking. The PIC remains accountable for personal data under its control or custody, including data processed by third-party processors.

Can I file a complaint even if I am abroad?

Yes, but formal documents executed abroad may need consular notarization or an apostille. If someone in the Philippines files for you, prepare a specific authorization or Special Power of Attorney.

Is uninstalling the app enough?

No. Uninstalling may stop some future access, but it does not delete data already collected, copied, uploaded, or shared. Send a written deletion or blocking request and preserve evidence before uninstalling.

Can I demand deletion of negative credit records?

Not automatically. If the data is accurate and lawfully reported under applicable credit or financial regulations, the lender may have a legal basis to retain or report it. If the information is false, outdated, excessive, or unlawfully processed, request correction, blocking, or deletion and attach proof.

Key Takeaways

  • The Philippine legal right to “delete my data” is the right to erasure or blocking under the Data Privacy Act.
  • Online lending apps cannot collect or keep excessive data, and unbridled contact-list processing is prohibited.
  • A deletion request does not erase a valid debt, but it can stop unlawful use of contacts, photos, IDs, marketing data, and unnecessary app permissions data.
  • Send a written request to the lending app’s DPO or official privacy channel and keep proof of sending.
  • The app generally has up to 30 working days to comply with a data subject request, with a possible 15-working-day extension for complex requests.
  • Before filing with the NPC, preserve proof that you first informed the company in writing and gave it an opportunity to act.
  • File with the NPC for data privacy violations and with the SEC for unfair debt collection or unauthorized lending activity.
  • Character references are not guarantors, and guarantors must separately consent to be responsible for the loan.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.