A Philippine Legal Article on Privacy, Debt Collection, Consumer Protection, and Remedies

I. Overview

Lending app access to phone contacts without permission is one of the most common complaints against online lending platforms in the Philippines. It usually happens when a borrower downloads a mobile lending application, applies for a small loan, and later discovers that the app has accessed, copied, stored, or used the borrower’s phone contacts.

The problem becomes more serious when the lending app uses those contacts to shame, harass, threaten, or pressure the borrower into paying. Some apps send messages to relatives, friends, coworkers, employers, or even random contacts, claiming that the borrower is a fraudster, criminal, scammer, or逃 debtor. Others threaten to expose the borrower’s loan, post the borrower’s photo, contact the borrower’s workplace, or send defamatory messages to the borrower’s contact list.

In the Philippine legal context, this conduct may violate several bodies of law, including:

• Data privacy law;
• Consumer protection rules;
• Lending company and financing company regulations;
• Cybercrime law;
• Civil law on damages;
• Criminal laws on threats, coercion, unjust vexation, libel, or slander;
• Rules on fair debt collection;
• Contract and consent principles;
• Platform and app store policies.

The central legal issue is simple:

A lending app cannot freely access, collect, store, use, disclose, or weaponize a borrower’s contacts merely because the borrower downloaded the app or borrowed money.

Consent must be valid, informed, specific, freely given, and limited to a legitimate purpose. Even where the borrower grants some app permissions, the lending company may still violate the law if it collects excessive data, uses contacts for harassment, discloses debt information to third parties, or processes personal data beyond what is necessary.

---

II. Why Contact Access Is Legally Sensitive

A phone contact list is not a trivial piece of information. It may reveal the borrower’s family, employer, coworkers, clients, doctors, lawyers, children’s school contacts, church community, business partners, romantic relationships, and other private associations.

A contact list may contain personal information of many people who never borrowed money from the lending app and never consented to being contacted. These third persons are also data subjects under Philippine data privacy law.

Accessing contacts can therefore involve at least two levels of privacy intrusion:

First, the borrower’s privacy is affected because the app gains access to the borrower’s network and relationships.

Second, the privacy of the contacts is affected because their names, phone numbers, email addresses, and relationship to the borrower may be collected without their knowledge or consent.

This is why contact harvesting by lending apps is legally dangerous. It is not merely an aggressive collection tactic. It may be unlawful data processing.

---

III. The Philippine Legal Framework

Several laws and rules may apply.

A. Data Privacy Act

The Data Privacy Act protects personal information and sensitive personal information. It regulates the collection, use, storage, sharing, disclosure, retention, and destruction of personal data.

A lending app that collects a borrower’s contact list is processing personal information. If the contact list includes names, phone numbers, email addresses, addresses, photos, work details, or relationship labels, those are personal data.

The lending company, app operator, financing company, collection agency, or third-party service provider may be treated as a personal information controller or processor, depending on its role.

The Data Privacy Act is central because it requires lawful, fair, transparent, proportionate, and purpose-limited data processing.

B. Lending Company and Financing Company Regulation

Lending companies and financing companies in the Philippines are regulated entities. They are expected to comply with registration, disclosure, fair lending, and collection rules.

Online lending apps that use abusive collection methods may face regulatory consequences, including suspension, revocation, penalties, cease-and-desist measures, or other sanctions.

C. Consumer Protection Rules

Borrowers are consumers of financial services. They are entitled to fair treatment, transparency, protection from abusive practices, and accurate disclosure of loan terms.

A lending app that hides data collection practices, misleads borrowers about permissions, or uses personal data to harass may violate consumer protection principles.

D. Cybercrime Prevention Act

If the lending app or its collectors use electronic communications to threaten, defame, shame, extort, or harass the borrower or contacts, cybercrime issues may arise.

Possible cyber-related offenses may include cyber libel, computer-related identity misuse, unlawful access, or other cyber-enabled offenses depending on the facts.

E. Revised Penal Code and Special Penal Laws

Depending on conduct, criminal issues may include grave threats, light threats, unjust vexation, coercion, slander, libel, or other offenses.

If the app sends defamatory accusations to contacts, creates fake posts, edits photos, or falsely accuses the borrower of a crime, criminal and civil liability may arise.

F. Civil Code

The borrower and affected contacts may seek damages for invasion of privacy, abuse of rights, bad faith, defamation, emotional distress, or violation of dignity.

Civil liability may exist even where criminal prosecution is not pursued.

---

IV. What Counts as “Accessing Contacts Without Permission”?

A lending app may access contacts without valid permission in several ways.

It may happen when:

1. The app accesses contacts even though the borrower did not grant contact permission;
2. The app makes contact access mandatory even though it is unnecessary for the loan;
3. The app hides consent in vague terms and conditions;
4. The app claims contact access is needed for “verification” but later uses contacts for collection harassment;
5. The app collects the entire contact list instead of only emergency references;
6. The app stores contacts on its servers without proper notice;
7. The app shares contacts with collectors, affiliates, agents, or third parties;
8. The app uses contacts after the borrower revokes permission;
9. The app contacts persons who were never listed as references;
10. The app accesses contacts through device permissions, screenshots, uploaded files, social media syncing, or deceptive prompts;
11. The app uses the borrower’s contacts to shame, threaten, or pressure payment.

The issue is not only whether the phone showed a permission prompt. The deeper question is whether the consent was legally valid and whether the actual use of the data was lawful.

---

V. Consent Under Philippine Data Privacy Law

Consent must not be treated as a magic word. A lending app cannot simply say, “You agreed to our terms,” and assume every data practice is lawful.

For consent to be meaningful, it should be:

• Freely given;
• Specific;
• Informed;
• Clear;
• Based on a legitimate purpose;
• Limited to what is necessary;
• Capable of being withdrawn, subject to lawful limits.

A borrower should know what data will be collected, why it will be collected, how it will be used, who will receive it, how long it will be retained, and what rights the borrower has.

A hidden clause buried in long terms and conditions may not be enough, especially if the app collects excessive contacts or uses them for harassment.

---

VI. “You Allowed Contact Permission” Does Not Always Mean the App Acted Lawfully

Many lending apps rely on the defense that the borrower clicked “Allow” when the phone requested permission to access contacts.

That is not the end of the legal analysis.

Device permission is only a technical permission. Legal consent requires more. Even if the borrower clicked “Allow,” the app may still be liable if:

• The permission was obtained through deception;
• The app failed to explain the purpose;
• The app collected more data than necessary;
• The app used contacts for a purpose not disclosed;
• The app disclosed contacts to unauthorized parties;
• The app retained contacts longer than necessary;
• The app used contacts for harassment or public shaming;
• The app contacted persons who had no relation to the loan;
• The app made contact access a condition for a loan when not reasonably necessary.

Technical access is not equal to lawful processing.

---

VII. Contact List of Third Persons: The Rights of Non-Borrowers

The borrower’s contacts are not parties to the loan. They did not apply for credit, sign a contract, or agree to receive collection messages.

When a lending app collects their names and phone numbers, it processes their personal information. When it sends them debt-related messages, it may further disclose the borrower’s personal financial information.

This creates a two-way violation:

The borrower’s debt information is disclosed to third parties.

The third parties’ contact details are used without proper basis.

A lending app cannot justify contacting a borrower’s entire phonebook just because the borrower owes money. Debt collection must still respect privacy, dignity, and lawful procedure.

---

VIII. Emergency Contacts Versus Full Contact Harvesting

There is a major difference between asking a borrower to provide one or two emergency references and harvesting the borrower’s entire phonebook.

A legitimate lender may ask for reference persons as part of credit verification, provided the borrower voluntarily supplies them and the lender uses them appropriately.

But accessing hundreds or thousands of contacts is usually disproportionate.

Even with emergency references, the lender should not:

• Disclose unnecessary details about the loan;
• Harass the reference;
• Threaten the reference;
• Make the reference pay the loan;
• Shame the borrower through the reference;
• Send defamatory messages;
• Repeatedly call or text at unreasonable times.

A reference is not automatically a guarantor. Unless the person signed as co-maker, guarantor, surety, or debtor, the person generally has no obligation to pay.

---

IX. Data Privacy Principles Violated by Unauthorized Contact Access

A. Transparency

Borrowers must be informed that their contacts will be accessed, collected, stored, or used. The explanation must be clear enough for an ordinary person to understand.

A vague phrase such as “we may collect device data for verification and collection” may be insufficient if the app actually uploads the entire contact list and uses it for debt shaming.

B. Legitimate Purpose

Data collection must have a lawful and legitimate purpose. Credit verification may be legitimate in a narrow sense, but mass contact scraping for public shaming is not.

C. Proportionality

The app should collect only data that is adequate, relevant, suitable, necessary, and not excessive.

A small loan does not justify unlimited access to all contacts, photos, messages, social media, storage, or device files.

D. Purpose Limitation

If contacts were collected for identity verification, they cannot later be used for harassment, public shaming, coercive collection, or unrelated marketing.

E. Security

The lender must protect personal data against unauthorized access, disclosure, misuse, or breach.

If collectors, agents, or third-party vendors freely access contact lists and use them abusively, this may indicate poor data governance.

F. Retention Limitation

Contacts should not be retained indefinitely. Once no longer necessary, they should be deleted or anonymized according to lawful retention policies.

---

X. Common Abusive Practices by Lending Apps

The following practices may be unlawful or legally risky:

1. Uploading the borrower’s entire contact list;
2. Sending messages to the borrower’s relatives and coworkers;
3. Telling contacts that the borrower is a scammer or criminal;
4. Sending the borrower’s photo with defamatory captions;
5. Threatening to post the borrower on social media;
6. Threatening criminal charges for non-payment of a civil debt;
7. Contacting the borrower’s employer to shame the borrower;
8. Calling late at night or repeatedly;
9. Using profane, insulting, or degrading language;
10. Creating group chats with the borrower’s contacts;
11. Sending fake barangay, police, court, or warrant notices;
12. Pretending to be a lawyer, prosecutor, police officer, or court employee;
13. Threatening arrest for failure to pay;
14. Contacting persons not listed as references;
15. Demanding payment from relatives who are not co-makers;
16. Publishing the borrower’s personal data;
17. Using edited photos or fake accusations;
18. Threatening to report the borrower to all contacts;
19. Using foreign or unregistered collection agents;
20. Continuing to harass after payment dispute or complaint.

A borrower’s default does not legalize harassment.

---

XI. Debt Is Generally a Civil Obligation, Not a License to Harass

Failure to pay a loan is usually a civil matter. A lender may demand payment, charge lawful interest and penalties, report to lawful credit bureaus where allowed, file a civil action, or use legitimate collection channels.

But the lender may not use unlawful pressure tactics.

The borrower’s obligation to pay does not erase the borrower’s right to privacy, dignity, due process, and protection from threats or defamation.

A lending app must collect debts lawfully.

---

XII. Can a Lending App Contact Your Contacts?

A lender may contact a reference or guarantor only within lawful limits.

It may be allowed to verify identity or ask how to reach the borrower if the person was properly listed as a reference and the contact is done respectfully.

However, the lender should not disclose unnecessary debt information to third parties. It should not say that the borrower is delinquent, a criminal, a fraudster, or a scammer. It should not pressure the contact to pay unless that person is legally liable.

Contacting third parties becomes legally problematic when the purpose is embarrassment, pressure, intimidation, or public humiliation.

---

XIII. Can a Lending App Contact Your Employer?

A lender should be extremely careful in contacting an employer.

Contacting an employer to verify employment may be permissible if properly disclosed and limited. But contacting the employer to shame the borrower, threaten job loss, disclose unpaid debt, or pressure salary deduction may violate privacy and fair collection principles.

Unless there is a lawful wage assignment, court order, or valid authorization, a lender cannot simply compel the employer to deduct salary.

A borrower may have a claim if the lending app’s disclosure to the employer damages employment, reputation, or mental well-being.

---

XIV. Is Contact Access a Condition for Loan Approval?

Some lending apps force borrowers to grant contact access before they can proceed with the application. This raises concerns.

Consent is questionable if the borrower has no real choice and the data demanded is excessive.

For small consumer loans, requiring access to the entire phonebook may be disproportionate. A lender may need identification and credit information, but it does not automatically need the borrower’s full personal network.

A “take it or leave it” permission may still be unlawful if the data collection is unnecessary, excessive, or used unfairly.

---

XV. Contact Access After Permission Is Revoked

A borrower may revoke app permissions on the phone. However, if the app already uploaded contacts to its server, revoking phone permission may not erase previously collected data.

The borrower may send a written demand to the lending company requiring:

• Cessation of contact-list processing;
• Deletion of unlawfully collected contacts;
• Withdrawal of consent;
• Disclosure of what data was collected;
• Identification of third parties who received the data;
• Stoppage of harassment;
• Correction or deletion of defamatory records.

The company may retain certain lawful records related to the loan, but it should not continue using unrelated or excessive data.

---

XVI. App Permissions and Practical Device Protection

Borrowers should review app permissions before and after installing lending apps.

Risky permissions include:

• Contacts;
• SMS;
• Call logs;
• Camera;
• Microphone;
• Location;
• Storage or files;
• Photos;
• Calendar;
• Installed apps;
• Device ID;
• Accessibility services;
• Notification access.

A legitimate lending app should not demand broad access unrelated to lending. Contact, SMS, and call-log permissions are especially sensitive because they may be used for harassment or profiling.

---

XVII. Harassment Through Contacts

Harassment often occurs when the borrower misses a payment or even before the due date.

Common messages include:

• “Your friend is a scammer.”
• “Tell this person to pay or we will file a case.”
• “You are listed as a guarantor.”
• “This person used your name in a loan.”
• “We will post this borrower online.”
• “We will report this to police.”
• “We will call your office.”
• “We will shame your family.”

Such messages may violate privacy and may also be defamatory, misleading, threatening, or abusive.

If the recipient is not a co-maker or guarantor, the lending app should not demand payment from that person.

---

XVIII. Public Shaming and Social Media Exposure

Some lending apps threaten to post the borrower’s name, photo, ID, address, or debt details on social media. Others send edited images or defamatory posts to contacts.

This may create liability for:

• Invasion of privacy;
• Data privacy violation;
• Cyber libel;
• Civil damages;
• Unfair debt collection;
• Consumer protection violations;
• Harassment or unjust vexation;
• Possible criminal offenses depending on content.

Debt collection must not become digital vigilantism.

---

XIX. Fake Legal Threats

Lending apps and collectors sometimes send fake legal notices to scare borrowers.

Examples include:

• Fake warrant of arrest;
• Fake subpoena;
• Fake prosecutor notice;
• Fake court order;
• Fake police complaint;
• Fake barangay summons;
• Fake hold departure order;
• Fake cybercrime warrant;
• Fake estafa accusation;
• Fake notice to employer.

A lender may file lawful cases where legally proper, but it may not fabricate official documents or misrepresent legal consequences.

Non-payment of a loan does not automatically mean estafa. Criminal liability requires specific legal elements, such as deceit at the time of borrowing or other fraudulent conduct. Mere inability to pay is generally not enough.

---

XX. Defamation, Cyber Libel, and Slander

If a lending app tells contacts that the borrower is a scammer, thief, fraudster, criminal, or immoral person, the borrower may have defamation claims.

If the statement is made online, through social media, group chats, messaging apps, or electronic means, cyber libel may be considered, depending on the content and publication.

If the statement is oral, slander may be considered.

If the statement is written but not through a computer system, traditional libel may be considered.

Truth, privileged communication, fair comment, and other defenses may arise, but many debt-shaming messages are not legitimate collection notices. They are designed to humiliate.

---

XXI. Threats, Coercion, and Unjust Vexation

A lending app or collector may be liable if it threatens harm, arrest, public exposure, job loss, family shame, or legal consequences that are false or abusive.

Possible criminal concepts include:

• Grave threats;
• Light threats;
• Other light threats;
• Coercion;
• Unjust vexation;
• Alarms and scandals, depending on conduct;
• Other offenses depending on facts.

Repeated harassment may also support civil damages.

---

XXII. Data Privacy Rights of the Borrower

A borrower has several rights regarding personal data.

These include the right to:

1. Be informed about data collection and use;
2. Access personal data held by the lender;
3. Object to unlawful processing;
4. Withdraw consent where processing is based on consent;
5. Correct inaccurate data;
6. Suspend, withdraw, block, remove, or destroy unlawfully processed data;
7. Be indemnified for damages caused by inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of personal data;
8. File a complaint with the proper authority.

These rights are especially important when the app has accessed contacts or disclosed debt information to third parties.

---

XXIII. Rights of the Contacts

The borrower’s contacts may also have rights.

A person whose phone number was harvested from the borrower’s phone may ask:

• Why does this lending app have my number?
• Who gave them my data?
• What data do they have about me?
• Why are they contacting me?
• Am I being treated as a guarantor without consent?
• Can I demand deletion?
• Can I complain about harassment?

Contacts who receive threatening, defamatory, or harassing messages may also file complaints or support the borrower’s complaint as witnesses.

---

XXIV. The Role of the National Privacy Commission

The National Privacy Commission is the main Philippine authority for data privacy complaints.

A borrower may complain when a lending app:

• Accessed contacts without valid consent;
• Used contacts beyond the stated purpose;
• Shared personal data without authority;
• Failed to provide privacy notice;
• Refused to delete unlawfully collected data;
• Disclosed debt to third parties;
• Used personal data for harassment;
• Failed to secure personal data;
• Retained excessive information;
• Ignored data subject rights.

The complaint should include screenshots, app name, company name, privacy policy, loan agreement, messages, permissions, and proof of harm.

---

XXV. The Role of the Securities and Exchange Commission

Many lending companies and financing companies are regulated through corporate and lending rules. Complaints may be filed when the app is engaged in unfair debt collection, abusive lending, unauthorized operation, excessive charges, misleading practices, or violation of lending regulations.

Regulatory complaints may lead to investigation, penalties, suspension, revocation, or orders against abusive lending operators.

A borrower should identify the legal company behind the app, not only the app name. Some apps use different trade names, developer names, collection names, or shell entities.

---

XXVI. The Role of the Bangko Sentral ng Pilipinas

If the lender is a bank, e-money issuer, financial institution, or supervised entity, consumer protection complaints may involve the Bangko Sentral ng Pilipinas.

However, many online lending apps are lending companies or financing companies rather than banks. The proper regulator depends on the entity.

---

XXVII. The Role of Police, NBI, and Cybercrime Authorities

If there are threats, extortion, identity misuse, cyber libel, fake official documents, hacking, unauthorized access, or severe harassment, the borrower may seek help from cybercrime authorities.

Evidence should be preserved before deletion. Screenshots should show the sender, number, date, time, message content, and platform. If there are links, profiles, group chats, or posts, these should also be preserved.

---

XXVIII. Evidence to Preserve

A borrower should immediately preserve evidence, including:

• Name of lending app;
• App screenshots;
• App store listing;
• Developer name;
• Website;
• Privacy policy;
• Terms and conditions;
• Loan agreement;
• Disclosure statement;
• Payment schedule;
• Proof of amount borrowed and amount received;
• Interest, fees, and penalties;
• Screenshots of permission requests;
• Phone settings showing app permissions;
• Messages from collectors;
• Call logs;
• Voice recordings, where lawful and safely obtained;
• Screenshots from contacts who were messaged;
• Names and numbers of collectors;
• Threats or defamatory statements;
• Proof of payment;
• Emails or complaints sent to the company;
• Responses from the company;
• Social media posts;
• Edited photos or public shaming material;
• Medical or psychological records, if harassment caused harm;
• Witness statements from contacts.

The borrower should back up evidence in cloud storage or another device.

---

XXIX. How to Document Contact Harassment

The borrower should ask affected contacts to forward or screenshot messages they received.

The screenshot should show:

• Sender number or account;
• Date and time;
• Full message;
• Borrower’s name if mentioned;
• Group chat name if applicable;
• Any attached image;
• Any threat or defamatory statement.

Contacts should not simply say, “They texted me.” Actual screenshots or written statements are stronger.

---

XXX. What the Borrower Should Do Immediately

A borrower facing unauthorized contact access or harassment should consider the following steps:

1. Revoke the app’s permissions on the phone;
2. Uninstall the app only after preserving evidence, if possible;
3. Screenshot the app permissions before uninstalling;
4. Save the loan agreement and payment history;
5. Tell contacts not to engage with collectors;
6. Ask contacts to preserve messages;
7. Send a written demand to the lending company;
8. Pay only through official channels if paying;
9. Avoid sending money to personal accounts without verification;
10. File complaints with the appropriate authorities;
11. Do not sign waivers under threat;
12. Seek legal help if threats, defamation, or employer contact occur.

If the debt is legitimate, the borrower should still address it, but legal repayment does not require tolerating unlawful harassment.

---

XXXI. Written Demand to Stop Processing Contacts

A borrower may send a written demand to the lending company stating that the borrower withdraws consent to process contact-list data and demands that the company stop contacting third parties.

The demand may request:

• Confirmation of what personal data was collected;
• Deletion of the borrower’s uploaded contacts;
• Identification of third parties who received the data;
• Cessation of contact with non-reference persons;
• Cessation of defamatory or threatening messages;
• Communication only through lawful channels;
• Correction of false statements;
• Preservation of records for investigation.

The demand should be calm, factual, and documented.

---

XXXII. Can the Borrower Still Owe the Loan?

Yes. A privacy violation does not automatically erase a valid debt.

If the borrower received money under a valid loan, the borrower may still owe the principal and lawful charges. However, unlawful collection practices may expose the lender to separate liability.

In some cases, excessive interest, hidden charges, unfair terms, or illegal lending practices may be challenged. But borrowers should not assume that harassment automatically cancels the debt.

There are two separate issues:

1. Whether the borrower owes a lawful amount; and
2. Whether the lender violated privacy, collection, or consumer protection laws.

Both can be true at the same time.

---

XXXIII. Can the Lending App File a Case?

A lender may pursue lawful collection remedies. It may send demand letters, engage legitimate collection agencies, report to lawful credit systems where allowed, file civil cases, or use other lawful remedies.

However, it cannot use false threats or claim that every unpaid loan is automatically a criminal case.

Borrowers should distinguish between a real legal notice and a scare tactic.

A real court process usually comes from a court, prosecutor, barangay, or authorized legal office, not from anonymous collectors using abusive language.

---

XXXIV. Can Non-Payment Lead to Arrest?

Generally, non-payment of debt alone does not lead to imprisonment. The Philippine Constitution prohibits imprisonment for debt.

However, criminal liability may arise if the facts involve fraud, deceit, falsification, use of fake identity, bouncing checks, or other criminal conduct.

Collectors often misuse criminal terms to scare borrowers. A borrower should not ignore genuine legal notices, but should also not be intimidated by fake threats of immediate arrest.

---

XXXV. Estafa Threats by Lending Apps

Many lending apps threaten borrowers with estafa.

Estafa is not established merely because the borrower failed to pay. There must be criminal fraud or deceit, typically existing at or before the time the money was obtained, depending on the legal theory.

If the borrower applied using real identity, received the loan, and later became unable to pay, that is generally a civil debt issue.

If the borrower used fake documents, false identity, or deliberate fraud, the analysis may be different.

Threatening estafa without basis may be abusive collection conduct.

---

XXXVI. Barangay Complaints and Small Claims

For unpaid loans, the lender may attempt barangay conciliation or small claims proceedings, depending on the parties and amount.

These are lawful venues. A borrower should participate if properly summoned.

But a lending app should not fake barangay notices or claim that barangay officials will arrest the borrower.

Small claims is a civil process for collection. It is not a criminal punishment.

---

XXXVII. Disclosure of Debt to Third Parties

Debt information is personal information. Sharing it with third parties can violate privacy unless there is a lawful basis.

Improper disclosure includes telling relatives, friends, coworkers, employers, neighbors, or group chats that the borrower owes money, is overdue, or refuses to pay.

Even if the borrower listed a person as a reference, the lender should limit communication to verification or locating the borrower. It should not disclose unnecessary debt details or humiliate the borrower.

---

XXXVIII. Use of Borrower’s Photo and ID

Lending apps often collect selfies, ID cards, and personal documents. These should be used only for lawful identification and verification.

Using the borrower’s selfie, ID, or photo for public shaming, group messages, wanted-style posters, or defamatory edits may violate privacy, defamation, and cybercrime laws.

The borrower should preserve copies of any image circulated.

---

XXXIX. Excessive Interest, Fees, and Hidden Charges

Contact harassment often accompanies predatory lending.

Borrowers should review:

• Amount applied for;
• Amount actually received;
• Processing fee;
• Service fee;
• Interest;
• Penalty;
• Late fees;
• Rollover charges;
• Insurance or membership charges;
• Short repayment period;
• Effective interest rate;
• Total amount demanded.

Some lending apps lend a small amount, deduct large fees upfront, and demand repayment within a few days with heavy penalties. Abusive collection may be used to enforce unfair terms.

Excessive or hidden charges may be subject to regulatory challenge.

---

XL. Loan Agreements Signed Through Apps

Electronic loan agreements may be valid, but validity depends on consent, disclosure, and compliance with law.

The borrower should be able to access the loan terms. If the app hides the actual charges until after disbursement, gives misleading information, or prevents the borrower from downloading the contract, this may support a complaint.

A valid digital contract does not authorize unlawful data harvesting or harassment.

---

XLI. Collection Agencies and Third-Party Collectors

Lending companies often outsource collection to third-party agencies.

The lender remains responsible for ensuring that collectors comply with the law. It cannot escape liability by saying, “That was our collection agency, not us.”

If the collector used personal data provided by the lending app, the company may be accountable for improper sharing, poor supervision, or unlawful processing.

Collectors should identify themselves properly, communicate professionally, and avoid threats, insults, or disclosure to third parties.

---

XLII. Anonymous Collectors

Many borrowers receive messages from unknown numbers or accounts that refuse to identify the company.

Anonymous collection is problematic. A borrower has the right to know who is processing personal data and on whose behalf collection is being made.

Anonymous threats may also indicate scams, unauthorized collection, or misuse of leaked borrower data.

Borrowers should avoid paying unknown personal accounts without confirming the official payment channel.

---

XLIII. Data Sharing Among Lending Apps

Some borrowers report that after using one app, they receive offers or threats from other apps. This may suggest data sharing among related companies, brokers, marketers, or collectors.

Unauthorized sharing of borrower data may violate privacy law, especially if the borrower was not informed or did not consent to such sharing.

Borrowers should check whether the privacy policy mentions affiliates, partners, service providers, credit scoring companies, or marketing networks.

---

XLIV. Credit Scoring and Contact Data

Some lending apps claim they need contact access for credit scoring. This raises proportionality concerns.

Credit scoring may be legitimate when based on lawful and relevant information, but collecting an entire contact list may be excessive. A person’s friends, relatives, or coworkers should not become involuntary data points for a loan.

Automated decision-making, profiling, and alternative credit scoring must still comply with data privacy principles.

---

XLV. Children, Schools, and Sensitive Contacts

If the borrower’s phonebook contains children’s numbers, school contacts, medical contacts, religious contacts, legal counsel, or workplace clients, the risk is higher.

The lending app may inadvertently collect sensitive or confidential relational information. Contacting such persons for debt collection can cause serious harm.

This reinforces why full phonebook harvesting is disproportionate and dangerous.

---

XLVI. Sensitive Personal Information

Contact lists may indirectly reveal sensitive personal information, such as health affiliations, religious contacts, union membership, legal matters, or family relationships.

If the app collects or infers sensitive information, stricter standards may apply.

A lending app should not collect sensitive data unless clearly necessary and lawfully justified.

---

XLVII. Security Breach Concerns

If the lending app stores contact lists insecurely, a data breach may occur.

Signs of possible breach include:

• Unknown collectors contacting the borrower from multiple numbers;
• Other apps suddenly knowing the borrower’s loan details;
• Contacts receiving messages from unrelated entities;
• Borrower data appearing online;
• Spam or scam messages after app installation;
• Threats from unknown parties claiming access to documents.

A company may have breach notification duties depending on the nature and risk of the breach.

---

XLVIII. App Store and Platform Complaints

Borrowers may also report abusive apps to app stores or digital platforms.

Reports may include:

• Unauthorized contact access;
• Harassment;
• Deceptive permissions;
• Misleading financial services;
• Threats;
• Abuse of personal data;
• Impersonation;
• Fake reviews;
• Fraudulent developer identity.

Platform removal does not replace legal remedies, but it can prevent further harm.

---

XLIX. Common Defenses of Lending Apps

A lending app may argue:

1. The borrower consented through the privacy policy;
2. The borrower clicked “Allow” on app permissions;
3. Contact access was necessary for credit scoring;
4. Contacts were used only for verification;
5. The borrower listed the contacts as references;
6. The messages were sent by third-party collectors;
7. The borrower is delinquent;
8. The borrower agreed to collection measures;
9. The company did not authorize abusive messages;
10. The screenshots are fake;
11. The borrower suffered no actual damage;
12. The company already deleted the data.

These defenses must be tested against evidence. Consent, necessity, proportionality, and actual use are the critical issues.

---

L. Why “Borrower Is Delinquent” Is Not a Complete Defense

A borrower’s missed payment does not authorize privacy violations.

A lender may collect lawfully. It may not:

• Harass;
• Defame;
• Threaten;
• Shame;
• Disclose debt to unrelated third parties;
• Use unlawfully collected contacts;
• Misrepresent legal consequences;
• Demand payment from non-debtors;
• Publish personal information.

Default affects the debt. It does not remove legal protections.

---

LI. Remedies Available to the Borrower

A borrower may pursue several remedies depending on the facts.

A. Data Privacy Complaint

For unauthorized access, excessive collection, unlawful sharing, or disclosure of debt information.

B. Regulatory Complaint

For abusive lending or collection practices, unfair terms, excessive charges, or unregistered lending activity.

C. Criminal Complaint

For threats, cyber libel, coercion, unjust vexation, identity misuse, fake documents, or other criminal acts.

D. Civil Action for Damages

For injury to reputation, mental anguish, privacy invasion, humiliation, loss of employment, or other harm.

E. Consumer Protection Complaint

For unfair, deceptive, or abusive financial practices.

F. Platform Report

For app store removal, account takedown, or abuse reporting.

The best remedy depends on the evidence and the desired outcome.

---

LII. Remedies Available to Contacts

Contacts who were harassed may also complain.

They may claim:

• Their personal data was processed without lawful basis;
• They were contacted without consent;
• They were harassed or threatened;
• They were misled into believing they were liable;
• Their peace and privacy were disturbed;
• They received defamatory material about the borrower.

Their statements can also support the borrower’s complaint.

---

LIII. Damages

Damages may include:

• Moral damages for anxiety, shame, humiliation, or mental anguish;
• Actual damages for expenses, lost employment, medical costs, or financial loss;
• Exemplary damages for oppressive or abusive conduct;
• Attorney’s fees and litigation expenses where legally proper.

Proof matters. Screenshots, witness statements, medical records, employer notices, and complaint records strengthen claims.

---

LIV. Administrative Penalties

Depending on the regulator and violation, a lending app or company may face:

• Warning;
• Fines;
• Suspension;
• Revocation of certificate or license;
• Cease-and-desist orders;
• Takedown requests;
• Disqualification of officers;
• Orders to stop abusive practices;
• Other sanctions.

Repeated complaints can be especially damaging to the company.

---

LV. Criminal Exposure

Possible criminal exposure may arise from:

• Cyber libel;
• Libel;
• Slander;
• Grave threats;
• Light threats;
• Coercion;
• Unjust vexation;
• Identity misuse;
• Unauthorized access;
• Computer-related offenses;
• Falsification, if fake legal documents are used;
• Other offenses depending on conduct.

Criminal liability depends on specific elements. Not every abusive message is automatically a specific crime, but many may justify investigation.

---

LVI. Civil Liability of Officers, Agents, and Collectors

Liability may extend to the company, its officers, collection agencies, individual collectors, app operators, data processors, or persons who sent the messages.

If individual collectors used personal accounts or anonymous numbers, identifying them may be difficult but not impossible through records, platform reports, subpoenas, or investigation.

---

LVII. Data Protection Officer

A lending company processing personal data should have a proper privacy governance structure, including a Data Protection Officer or responsible privacy contact where required.

Borrowers may send requests or complaints to the company’s privacy contact.

Failure to respond to data subject requests may aggravate the company’s position.

---

LVIII. The Importance of the Privacy Policy

The privacy policy is a key document.

Borrowers should check whether it states:

• What personal data is collected;
• Whether contacts are collected;
• Whether SMS, call logs, location, camera, or storage are accessed;
• Purpose of collection;
• Third-party sharing;
• Collection agencies;
• Credit scoring;
• Retention period;
• Data subject rights;
• Contact details of the company;
• How to withdraw consent;
• How to file complaints.

If the policy does not mention contact access but the app accessed contacts, the borrower has a stronger privacy complaint.

If the policy mentions broad access but the app uses data for harassment, the company may still be liable.

---

LIX. Data Minimization in Lending

A legitimate lender may need identity, income, employment, address, credit history, bank or wallet details, and repayment information.

But it usually does not need unrestricted access to:

• All contacts;
• All SMS messages;
• Private photos;
• Complete call logs;
• Microphone;
• Personal files;
• Social media accounts;
• Location history unrelated to loan processing.

The more intrusive the data, the stronger the justification required.

---

LX. Contact Access and Loan Amount

Proportionality is also affected by the loan amount.

If a borrower receives a very small loan, full phonebook access is even harder to justify. Excessive data collection for a short-term microloan may be viewed as abusive or disproportionate.

The app should not collect more personal data than necessary merely because the borrower is financially vulnerable.

---

LXI. Consent Fatigue and Dark Patterns

Some apps use design tricks to force permission.

Examples include:

• Repeated pop-ups until the borrower clicks allow;
• Disabling the app unless contacts are enabled;
• Mislabeling contact access as “identity verification”;
• Hiding the skip button;
• Bundling many permissions in one consent;
• Using small text or confusing language;
• Making privacy notices inaccessible;
• Claiming the loan cannot be processed unless full access is granted.

These may undermine valid consent.

---

LXII. Borrowers With Multiple Lending Apps

Many borrowers use several lending apps at once. This creates evidence and responsibility issues.

When contacts are harassed, identify which app sent which message. Some collectors handle multiple apps. Some apps share databases. Some borrowers may confuse one app with another.

The borrower should create a table listing:

• App name;
• Company name;
• Amount borrowed;
• Due date;
• Collector number;
• Harassing message;
• Contacts messaged;
• Screenshots available;
• Payments made.

Organized evidence improves complaints.

---

LXIII. Paying the Debt After Harassment

Paying the debt does not automatically waive claims for privacy violations or harassment.

However, settlement documents may contain waiver language. Borrowers should read carefully before signing or clicking “settle” terms.

If the borrower pays, payment should be through official channels and documented. The borrower should request confirmation that the account is closed and that collection activity will stop.

---

LXIV. Settlement With the Lending App

A borrower may settle the loan while reserving rights regarding privacy violations, or may settle all claims if the terms are fair.

A proper settlement should state:

• Exact amount paid;
• Whether it covers principal, interest, penalties, or all obligations;
• That collection will stop;
• That the company will not contact third parties;
• That negative or false messages will be corrected if necessary;
• That unlawfully collected contacts will be deleted where required;
• Whether privacy or harassment claims are waived.

The borrower should avoid vague settlements.

---

LXV. Demand for Deletion of Contacts

A borrower may demand deletion of contact-list data that was unlawfully or excessively collected.

The company may claim it must retain some information for legal or accounting purposes, but this does not usually justify retaining the entire phonebook or using it for collection.

The demand should distinguish between lawful loan records and unlawfully collected third-party contact data.

---

LXVI. What to Tell Contacts

The borrower may inform contacts:

• They are not required to pay unless they signed as guarantor, surety, co-maker, or debtor;
• They should not engage with abusive collectors;
• They should screenshot messages;
• They may block numbers after preserving evidence;
• They may file complaints if harassed;
• They should not provide personal information to collectors.

This reduces panic and prevents collectors from extracting more data.

---

LXVII. When the App Threatens to Contact All Contacts

A threat to contact all contacts is itself evidence.

The borrower should screenshot the threat and file a complaint. The borrower should also revoke permissions and notify close contacts.

If the app already has uploaded contacts, revocation may not stop all messages, but it helps prevent further device access.

---

LXVIII. When the App Has Already Contacted Contacts

If contacts have already been messaged:

1. Collect screenshots from each contact;
2. Identify the sender number or account;
3. Note whether the message disclosed debt;
4. Note whether it contained insults, threats, or false accusations;
5. Ask the contact to write a brief statement;
6. Include these in complaints;
7. Demand that the company stop third-party contact.

The more contacts affected, the stronger the evidence of systematic harassment.

---

LXIX. Blocking Collectors

Blocking collectors may protect mental health, but borrowers should preserve evidence first. If there is an ongoing loan, the borrower should maintain at least one lawful communication channel, such as email, so the lender cannot claim total refusal to communicate.

Borrowers may state: “Please communicate only through this email address. Do not contact third parties.”

---

LXX. Changing Phone Number

Changing numbers may reduce harassment but does not solve the legal issue. The app may still have contact data, ID documents, and employer information.

Before changing numbers, the borrower should preserve messages, app details, and account information.

---

LXXI. Uninstalling the App

Uninstalling the app may stop further device access, but it may also delete useful account records. Before uninstalling, the borrower should screenshot:

• Account page;
• Loan details;
• Payment schedule;
• Terms;
• Privacy policy;
• Permissions;
• Collector messages inside the app;
• Receipts;
• Company details.

After evidence is preserved, uninstalling may be reasonable.

---

LXXII. Factory Resetting the Phone

A factory reset may remove the app, but it may also destroy evidence. It will not necessarily delete data already uploaded to the lender.

Factory reset should be considered only after backups are made.

---

LXXIII. Identity Theft Risks

Some lending apps collect IDs, selfies, signatures, and personal details. If misused, these can lead to identity theft.

Borrowers should monitor for:

• Unknown loans;
• SIM registration misuse;
• Wallet or bank account attempts;
• Fake social media accounts;
• Unauthorized credit applications;
• Messages from other lenders.

If identity misuse occurs, file reports promptly.

---

LXXIV. Fake Lending Apps and Scams

Some apps pretend to be lenders but are actually data-harvesting or extortion schemes. They may collect contacts and IDs, then deny the loan or send a small amount and demand huge repayment.

Warning signs include:

• No clear company name;
• No physical address;
• Personal bank account payments;
• Excessive permissions;
• Very short loan term;
• No proper contract;
• Large upfront deductions;
• Threats before due date;
• Unprofessional language;
• Multiple app names using the same collectors;
• Fake regulatory claims.

Borrowers should avoid installing suspicious apps.

---

LXXV. Due Diligence Before Using a Lending App

Before using a lending app, a borrower should check:

• Legal company name;
• Registration or authority to lend;
• Physical office address;
• Privacy policy;
• Interest and fees;
• App permissions;
• Reviews mentioning harassment;
• Contact details;
• Official payment channels;
• Whether the app asks for contacts or SMS;
• Whether it has prior complaints.

A legitimate lender should be transparent.

---

LXXVI. Employer and Workplace Harassment

If collectors contact the borrower’s employer, the borrower should preserve evidence and inform HR that the messages may be unauthorized and abusive.

If the borrower suffers suspension, termination, humiliation, or workplace discipline because of unlawful disclosures, damages may be claimed depending on proof.

The employer should not automatically act against an employee based on unverified collector messages.

---

LXXVII. Family Harassment

Collectors often target parents, spouses, siblings, children, or in-laws.

Family members who are not guarantors do not owe the debt. They may block collectors after preserving evidence. They may also file complaints for harassment, threats, or privacy violations.

If collectors contact minors, this may aggravate the complaint.

---

LXXVIII. Use of Shame as Collection Strategy

Debt shaming is legally risky because it relies on humiliation rather than lawful process.

The law allows collection. It does not allow social destruction.

The borrower’s dignity remains protected even when the borrower is in default.

---

LXXIX. Misuse of “Reference” Label

Collectors often tell contacts: “You were listed as a reference, so you must pay.”

This is usually false.

A reference is simply a person who may verify information or help locate the borrower. A reference is not liable unless they signed a legally binding undertaking such as guaranty, suretyship, co-maker obligation, or similar agreement.

Threatening references with liability may be deceptive and abusive.

---

LXXX. Guarantor, Co-Maker, and Reference Distinguished

A borrower directly owes the loan.

A co-maker signs as a person jointly liable for payment.

A guarantor agrees to answer if the borrower fails to pay, subject to terms.

A surety may be directly and solidarily liable depending on the agreement.

A reference is usually not liable for payment.

Collectors often blur these categories. Liability requires a legal basis, not mere presence in a phonebook.

---

LXXXI. What If the Borrower Uploaded Contacts as References?

If the borrower voluntarily listed certain persons as references, the lender may contact those specific persons within lawful limits. But this does not authorize contacting all contacts, disclosing debt details, or harassing references.

The lender should not contact persons who were never listed.

---

LXXXII. What If the Borrower Lied in the Application?

If the borrower used false information, fake documents, or another person’s identity, the lender may have remedies. However, even then, the lender must use lawful processes.

A borrower’s misconduct does not authorize threats, defamation, or unlawful data processing against unrelated contacts.

---

LXXXIII. What If the Borrower Gave Consent to Contact References Upon Default?

Even if the borrower agreed that references may be contacted upon default, the contact must still be reasonable, limited, and respectful.

The lender should not:

• Contact non-references;
• Disclose excessive details;
• Use threats;
• Shame the borrower;
• Demand payment from references;
• Send defamatory messages;
• Post personal data publicly.

Consent to contact is not consent to abuse.

---

LXXXIV. When Contact Access Becomes a Data Breach

Unauthorized disclosure to collectors, contacts, social media, or unrelated third parties may amount to a data breach or unauthorized processing.

If sensitive or harmful personal data is involved, the company may have obligations to investigate, contain, notify, and remediate.

Failure to manage the incident may lead to greater liability.

---

LXXXV. Corporate Accountability

The legal company behind the app may be liable even if the app uses:

• Outsourced collectors;
• Independent contractors;
• Affiliate platforms;
• Foreign call centers;
• Multiple app names;
• Automated messaging systems;
• Anonymous numbers.

A company that benefits from collection cannot easily avoid responsibility for abusive collection systems.

---

LXXXVI. Individual Accountability of Collectors

Individual collectors may be personally liable if they send threats, defamatory messages, fake legal notices, or harassing communications.

Screenshots should show the collector’s number, name, account, and messages. If the collector uses a fake name, investigators may still trace accounts depending on available procedures.

---

LXXXVII. Directors and Officers

In serious or repeated violations, company officers may face regulatory consequences, especially if abusive practices are part of company policy or tolerated by management.

Directors and officers should ensure compliance systems exist and that collectors are trained and monitored.

---

LXXXVIII. Compliance Obligations of Lending Apps

A compliant lending app should:

• Collect only necessary data;
• Avoid contact-list harvesting;
• Provide a clear privacy notice;
• Obtain valid consent;
• Allow withdrawal of unnecessary permissions;
• Avoid hidden or bundled consent;
• Secure personal data;
• Limit collector access to data;
• Use lawful collection scripts;
• Prohibit shaming and threats;
• Monitor collection agents;
• Provide complaint channels;
• Respond to data subject requests;
• Delete unnecessary data;
• Cooperate with regulators.

---

LXXXIX. Lawful Debt Collection Practices

A lender may lawfully:

• Send payment reminders;
• Call or message the borrower at reasonable times;
• Send demand letters;
• Offer restructuring;
• Accept installment arrangements;
• Use legitimate collection agencies;
• File civil cases;
• Report to lawful credit systems if allowed;
• Contact authorized references narrowly and respectfully.

The key is lawful, proportionate, and respectful collection.

---

XC. Unlawful or Abusive Collection Practices

A lender should not:

• Threaten violence;
• Threaten arrest without basis;
• Pretend to be police or court staff;
• Use fake legal documents;
• Insult the borrower;
• Contact all phone contacts;
• Disclose debt to third parties;
• Post borrower information online;
• Use borrower’s photo for shaming;
• Harass family or coworkers;
• Call repeatedly at unreasonable hours;
• Use obscene language;
• Demand payment from non-liable persons;
• Continue contacting after formal dispute without proper handling.

---

XCI. Sample Legal Theory for a Complaint

A complaint may be framed as follows:

The borrower downloaded and used the lending app for a loan. The app required or obtained access to the borrower’s contacts without valid, specific, and proportionate consent. The company collected and processed the borrower’s contact list, including personal data of third persons who never consented. Upon alleged default or even before proper collection, the company or its agents used the contact list to send threatening, defamatory, and humiliating messages to the borrower’s relatives, friends, coworkers, or employer. This conduct violated data privacy principles, disclosed the borrower’s debt to unauthorized third parties, caused emotional distress and reputational harm, and constituted abusive debt collection. The company should be ordered to stop unlawful processing, delete unlawfully collected contacts, account for data disclosures, pay damages where proper, and face regulatory sanctions.

---

XCII. Complaint Checklist

A borrower preparing a complaint should gather:

1. Full name of app;
2. Company name and address;
3. App store link or screenshot;
4. Privacy policy and terms;
5. Loan agreement;
6. Proof of amount received;
7. Payment history;
8. Contact permission screenshots;
9. Messages from collectors;
10. Messages received by contacts;
11. List of contacted persons;
12. Screenshots of defamatory posts;
13. Proof of threats;
14. Demand letter sent to company;
15. Company replies;
16. Proof of emotional, reputational, or financial harm;
17. IDs and contact details for filing;
18. Timeline of events.

A clear timeline helps regulators and lawyers understand the case quickly.

---

XCIII. Timeline Format

A useful timeline may look like this:

• Date app was downloaded;
• Date loan was applied for;
• Permissions requested;
• Amount approved;
• Amount actually received;
• Due date;
• Date harassment began;
• Contacts who received messages;
• Dates of threats or defamatory messages;
• Date complaint was sent to company;
• Company response or lack of response;
• Date complaints were filed with authorities.

This structure is often more persuasive than a long emotional narrative.

---

XCIV. Possible Outcomes of a Complaint

Depending on the forum and evidence, possible outcomes include:

• Order to stop contacting third parties;
• Deletion or blocking of unlawfully processed data;
• Regulatory penalties;
• Suspension or revocation of authority;
• Settlement of loan dispute;
• Refund of excessive charges;
• Damages;
• Criminal investigation;
• App takedown;
• Collection practice reforms;
• Dismissal if evidence is insufficient.

Outcomes depend heavily on documentation.

---

XCV. Limits and Practical Realities

Borrowers should understand practical challenges.

Some abusive apps use fake names, foreign operators, changing phone numbers, shell companies, or unregistered entities. Some disappear after complaints. Some collectors use prepaid SIMs or fake accounts.

This makes evidence preservation and early reporting important.

Even if full recovery is difficult, complaints may help stop harassment, support regulatory action, and protect other borrowers.

---

XCVI. Best Practices for Borrowers

Borrowers should:

• Avoid apps requiring excessive permissions;
• Read privacy policies before applying;
• Borrow only from legitimate lenders;
• Keep copies of loan documents;
• Pay through official channels;
• Communicate in writing;
• Revoke unnecessary permissions;
• Preserve evidence of harassment;
• Inform contacts calmly;
• File complaints promptly;
• Avoid panic payments to unknown accounts;
• Seek legal help for threats or defamation.

---

XCVII. Best Practices for Lending Companies

Lending companies should:

• Stop collecting full contact lists;
• Use minimal and relevant data;
• Clearly explain data processing;
• Separate references from phonebook contacts;
• Train collectors on lawful communication;
• Ban harassment and debt shaming;
• Monitor outsourced collection agencies;
• Maintain audit trails;
• Respond to privacy requests;
• Provide fair dispute resolution;
• Follow lawful collection procedures;
• Protect borrower dignity.

Compliance is not optional. It is a condition of lawful financial service.

---

XCVIII. Key Takeaways

The most important points are:

1. Phone contacts are personal data.
2. A lending app cannot lawfully harvest contacts without valid and proportionate consent.
3. Clicking “Allow” on a phone permission does not automatically legalize all data use.
4. Contacts who did not borrow money also have privacy rights.
5. Debt information should not be disclosed to unrelated third parties.
6. A reference is not automatically liable for the loan.
7. Non-payment of a debt does not justify harassment, threats, or public shaming.
8. Fake legal threats may create additional liability.
9. Borrowers should preserve screenshots, permissions, loan documents, and messages.
10. Complaints may be filed for privacy violations, abusive collection, defamation, threats, or unfair lending practices.

---

XCIX. Conclusion

Lending app access to contacts without permission is a serious legal issue in the Philippines because it combines financial vulnerability, digital surveillance, privacy invasion, and abusive debt collection. A borrower’s phonebook is not collateral. It is not a collection weapon. It is not a public directory for lenders to exploit.

A borrower who owes money may still be required to pay lawful obligations, but the lender must collect through lawful means. The lender may not secretly harvest contacts, disclose the borrower’s debt to friends and coworkers, shame the borrower online, threaten arrest without basis, or demand payment from people who never signed the loan.

The law protects both the borrower and the borrower’s contacts. Valid consent, proportionality, transparency, and fairness are essential. When a lending app ignores these principles, it may face data privacy complaints, regulatory sanctions, civil damages, and even criminal exposure depending on the conduct.

For borrowers, the best response is to preserve evidence, revoke unnecessary permissions, communicate in writing, warn contacts not to engage with abusive collectors, and file complaints with the proper authorities. For lending companies, the lawful path is equally clear: lend transparently, collect fairly, process only necessary data, and respect the dignity and privacy of every person involved.