I. Introduction

Lending apps have become common in the Philippines because they offer fast loan applications, digital onboarding, electronic contracts, and quick disbursement. However, many borrowers later discover that these apps collect and process large amounts of personal information, including names, mobile numbers, valid IDs, selfies, device information, employment details, bank or e-wallet accounts, contact references, location information, and sometimes even phone contacts or media access.

Because of abusive collection practices, unauthorized contact of references, public shaming, excessive data collection, and harassment by some online lenders, many borrowers ask: Can I delete my lending app account and demand that the app delete my personal data?

Under Philippine data privacy law, the answer is: yes, a borrower has data privacy rights, including the right to request deletion, blocking, removal, or destruction of personal data in proper cases. However, the right is not absolute. A lending company may be allowed, or even required, to retain certain information for lawful purposes, such as enforcing a valid loan, complying with accounting, tax, anti-fraud, regulatory, audit, or legal obligations, resolving disputes, or complying with orders of government authorities.

The legal issue is therefore not simply whether the user can press “delete account.” The real question is: What personal data must the lending app delete, what data may it retain, for how long, and what can the borrower do if the app refuses or continues to misuse the data?

---

II. Legal Framework

The principal Philippine law is the Data Privacy Act of 2012, or Republic Act No. 10173. It protects personal information and sensitive personal information and gives data subjects rights over their personal data.

Other relevant laws, rules, and principles may include:

1. Rules and issuances of the National Privacy Commission;
2. Civil Code principles on privacy, abuse of rights, damages, and human dignity;
3. Cybercrime laws, if harassment, threats, hacking, identity theft, or online shaming are involved;
4. Consumer protection rules;
5. Securities and Exchange Commission rules for financing and lending companies;
6. Bangko Sentral-related rules if the entity is a bank, financing partner, or regulated financial institution;
7. Anti-Money Laundering, tax, audit, accounting, and record-retention obligations;
8. Rules on electronic evidence and electronic contracts;
9. Contract law, if the loan agreement is still outstanding.

A lending app is not exempt from data privacy law simply because the borrower owes money. Debt collection must still be lawful, fair, proportionate, and respectful of privacy rights.

---

III. What Is Personal Data?

Under Philippine privacy principles, personal data generally includes information that identifies or can reasonably identify an individual.

In lending app transactions, personal data may include:

1. Full name;
2. Nickname or alias;
3. Date of birth;
4. Address;
5. Mobile number;
6. Email address;
7. Government ID numbers;
8. ID photos;
9. Selfies and facial images;
10. Signature;
11. Employer or business information;
12. Salary or income details;
13. Bank account or e-wallet details;
14. Loan amount and repayment history;
15. Credit score or internal risk profile;
16. Device ID;
17. IP address;
18. Location data;
19. App usage logs;
20. Contact references;
21. Phone contact list, if accessed;
22. Messages or uploaded documents;
23. Collection notes;
24. Call recordings, if any;
25. Complaints, dispute records, and communications.

Some of this information may be sensitive personal information, especially government-issued identifiers, financial information, health-related information if collected, and other data requiring higher protection.

---

IV. Lending Apps as Personal Information Controllers or Processors

A lending app or its operating company may act as a personal information controller if it decides why and how personal data is collected, used, stored, shared, or deleted.

It may also use personal information processors, such as:

1. Cloud service providers;
2. Credit scoring providers;
3. Collection agencies;
4. Payment processors;
5. Customer service providers;
6. Identity verification vendors;
7. Analytics providers;
8. SMS, email, and call service providers;
9. Outsourced technology providers.

Even if a lending app uses contractors, the lending company may still have obligations to ensure that personal data is processed lawfully and securely.

---

V. The Borrower as Data Subject

A borrower, applicant, guarantor, co-maker, contact reference, or person whose phone number was uploaded to a lending app may be a data subject.

As a data subject, the person has rights over personal data, including rights commonly understood as:

1. Right to be informed;
2. Right to access;
3. Right to object;
4. Right to rectification;
5. Right to erasure or blocking;
6. Right to damages;
7. Right to data portability, where applicable;
8. Right to file a complaint with the National Privacy Commission.

The right to delete a lending app account is mainly connected with the right to erasure or blocking, but other rights may also apply.

---

VI. The Right to Erasure or Blocking

The right to erasure or blocking allows a data subject to request that personal data be blocked, removed, or destroyed in proper circumstances.

This may apply when:

1. The personal data is incomplete, outdated, false, or unlawfully obtained;
2. The personal data is being used for an unauthorized purpose;
3. The data is no longer necessary for the purpose for which it was collected;
4. The borrower withdraws consent, and there is no other lawful basis for processing;
5. The data is being processed unlawfully;
6. The data subject objects to processing, and there is no overriding lawful ground;
7. The data was collected excessively or disproportionately;
8. The lending app continues to use data after the loan relationship has ended without valid reason;
9. The data is being used for harassment, public shaming, unauthorized contact of third persons, or abusive collection;
10. The law or regulator orders deletion or blocking.

This right is sometimes casually called the “right to delete,” but legally it is more precise to call it a right to erasure, blocking, removal, or destruction of personal data, subject to legal limitations.

---

VII. Account Deletion vs. Data Deletion

It is important to distinguish between deleting an app account and deleting all personal data.

A. Account Deletion

Account deletion usually means the user can no longer log in, apply for loans, view records, or use the app. The account may be deactivated, closed, disabled, or anonymized.

B. Data Deletion

Data deletion means personal information is removed, destroyed, blocked, anonymized, or made inaccessible in a way that it can no longer be used to identify the person, subject to lawful retention.

A lending app may delete the account interface but still keep backend data for legal, accounting, regulatory, fraud-prevention, or dispute purposes.

Thus, a borrower should specifically request both:

1. Closure or deletion of the account; and
2. Deletion, blocking, or restriction of personal data that is no longer legally necessary.

---

VIII. When the Borrower Has No Outstanding Loan

If the borrower has fully paid all loans and has no pending application, dispute, chargeback, investigation, or legal case, the borrower has a stronger basis to demand deletion or blocking of data that is no longer necessary.

The lending app may still retain some records if required for lawful purposes, such as:

1. Accounting records;
2. Audit trail;
3. Regulatory compliance;
4. Tax records;
5. Anti-fraud monitoring;
6. Proof of loan contract and payment history;
7. Complaint handling records;
8. Legal defense in case of future disputes.

However, the lending app should not continue to use the borrower’s personal data for unnecessary marketing, harassment, profiling, excessive monitoring, or unauthorized sharing.

If all obligations are settled, the borrower may demand:

1. Account closure;
2. Deletion of app profile;
3. Deletion of device permissions and unnecessary collected data;
4. Blocking of further collection calls or messages;
5. Removal from marketing lists;
6. Deletion of uploaded contacts or third-party contact data, if unlawfully or unnecessarily retained;
7. Confirmation of what data will be retained and why.

---

IX. When the Borrower Has an Outstanding Loan

If the borrower still owes money, the lending app may have a lawful basis to retain and process certain personal data to enforce the loan.

This may include:

1. Borrower’s name;
2. Contact information;
3. Loan agreement;
4. Payment history;
5. Amount due;
6. Billing and collection records;
7. Valid identification documents;
8. Fraud-prevention records;
9. Communications about payment;
10. Legal and regulatory records.

A borrower generally cannot use account deletion to erase a valid debt or prevent lawful collection. The right to delete data does not extinguish the loan obligation.

However, even if a loan remains unpaid, the lending app must still process personal data lawfully. It cannot use the debt as a license to:

1. Harass the borrower;
2. Shame the borrower publicly;
3. Contact all phone contacts without lawful basis;
4. Threaten criminal cases without basis;
5. Send humiliating messages to relatives or employers;
6. Post the borrower’s photo or ID;
7. Use personal data for unrelated purposes;
8. Access device data beyond what is necessary;
9. Retain excessive data indefinitely;
10. Sell or share data without lawful basis.

The borrower may not be able to demand deletion of all loan records while the loan is outstanding, but may demand that processing be limited to lawful, necessary, and proportionate purposes.

---

X. Consent Is Not the Only Basis for Processing

Many lending apps rely on consent because users click “I agree” before using the app. However, under data privacy principles, consent is only one possible basis for processing.

A lending company may also process data because it is necessary for:

1. Performance of a contract;
2. Compliance with legal obligations;
3. Legitimate interests, subject to rights and safeguards;
4. Establishment, exercise, or defense of legal claims;
5. Protection against fraud;
6. Regulatory compliance.

Therefore, even if the borrower withdraws consent, the lending app may still retain some data if another lawful basis applies.

But the app should explain what data it will retain, why it will retain it, and how long it will be kept.

---

XI. Withdrawal of Consent

A borrower may withdraw consent for certain processing activities, especially those that are optional, excessive, or unrelated to the loan.

Examples of processing that may be objected to or withdrawn include:

1. Marketing messages;
2. Promotional loan offers;
3. Access to phone contacts;
4. Access to media gallery;
5. Location tracking not necessary for the loan;
6. Sharing data with unrelated third-party marketers;
7. Profiling for new offers after account closure;
8. Use of personal data for purposes not disclosed at collection.

Withdrawal of consent should be made in writing and should be specific.

However, withdrawal of consent may not stop processing that is necessary to service or collect an existing loan, comply with law, or defend legal claims.

---

XII. Right to Object

A borrower may object to processing of personal data when the processing is based on consent or legitimate interest and the borrower has legitimate grounds for objection.

For example, the borrower may object to:

1. Use of data for marketing;
2. Sharing data with collection agents not properly disclosed;
3. Contacting references for purposes beyond verification;
4. Processing data from phone contacts;
5. Automated profiling that affects loan decisions;
6. Continued use of personal data after account closure;
7. Repeated collection messages that go beyond lawful collection.

When a borrower objects, the lending app should stop processing unless it has compelling lawful grounds or the processing is needed for legal claims.

---

XIII. Right to Access

Before demanding deletion, a borrower may request access to personal data held by the lending app.

The request may ask:

1. What personal data do you hold about me?
2. What data did you collect from my phone?
3. Did you access my contacts?
4. Did you upload my contact list?
5. Who did you share my data with?
6. What collection agency has my data?
7. What is the purpose of processing?
8. What is the legal basis?
9. How long will you retain the data?
10. How can I request deletion or correction?

The right to access helps determine whether the app collected excessive or unauthorized data.

---

XIV. Right to Rectification

If the lending app holds wrong information, the borrower may demand correction.

Examples:

1. Wrong name;
2. Wrong phone number;
3. Wrong employer;
4. Wrong loan status;
5. Wrong amount due;
6. Wrong payment posting;
7. Wrong delinquency status;
8. Wrong identity document;
9. Incorrect contact references;
10. Misleading collection notes.

Incorrect loan or identity data can harm a borrower’s reputation, credit standing, and legal position. The borrower should request correction in writing and attach proof.

---

XV. Right to Damages

A borrower may claim damages if the lending app violates data privacy rights and causes harm.

Possible harms include:

1. Reputational damage;
2. Emotional distress;
3. Loss of employment opportunity;
4. Harassment by collection agents;
5. Exposure of private information;
6. Public shaming;
7. Identity theft;
8. Unauthorized contact of relatives or employer;
9. Financial loss;
10. Legal expenses;
11. Anxiety, humiliation, or mental anguish.

The right to damages may be pursued through appropriate legal proceedings, depending on the facts and forum.

---

XVI. What Lending Apps Commonly Collect

A lending app may collect data during registration, loan application, verification, credit scoring, disbursement, repayment, and collection.

Commonly collected data includes:

1. Name;
2. Mobile number;
3. Email address;
4. Address;
5. Date of birth;
6. Civil status;
7. Nationality;
8. Employment details;
9. Monthly income;
10. Employer name and address;
11. Bank account or e-wallet details;
12. Government ID;
13. Selfie;
14. Loan purpose;
15. Contact references;
16. Device information;
17. App usage;
18. Location;
19. Payment behavior;
20. Collection history.

The app must collect only data that is necessary and proportionate for legitimate lending purposes.

---

XVII. Excessive Data Collection

A major issue with some lending apps is excessive data collection.

Examples of potentially excessive data practices include:

1. Requiring access to all phone contacts;
2. Uploading entire contact list;
3. Accessing photos or media files without need;
4. Accessing SMS inbox unnecessarily;
5. Collecting location continuously;
6. Recording calls without proper notice or basis;
7. Accessing social media accounts;
8. Collecting data about non-borrowers;
9. Collecting unrelated sensitive data;
10. Retaining data after account closure without justification.

Borrowers may object to excessive collection and demand deletion or blocking of unlawfully obtained or unnecessary data.

---

XVIII. Contact References and Third-Party Data

Many lending apps ask borrowers to provide references. A reference may be contacted for verification or collection-related communication, depending on the privacy notice and lawful basis.

However, lending apps should not abuse reference information.

Improper practices may include:

1. Calling references repeatedly;
2. Disclosing the borrower’s debt without lawful basis;
3. Threatening references;
4. Shaming the borrower through references;
5. Contacting people not listed as references;
6. Using uploaded phone contacts for collection;
7. Sending defamatory messages;
8. Harassing employers, co-workers, neighbors, or relatives.

Third-party contacts are also data subjects. Their personal data should not be collected or used without lawful basis.

---

XIX. Phone Contacts and Device Permissions

One of the most controversial lending app practices is requesting access to a borrower’s phone contacts.

Access to contacts may be problematic because it involves personal data of many people who did not apply for the loan and did not consent to the app.

Borrowers should check app permissions and revoke unnecessary access.

A deletion request may specifically state:

1. Delete any uploaded phone contact list;
2. Stop processing contacts collected from my device;
3. Do not contact persons not expressly provided as references;
4. Identify any third parties to whom my contact data was shared;
5. Confirm deletion or blocking of non-essential contact data.

If the app collected contacts without proper notice or lawful basis, the borrower may have grounds for complaint.

---

XX. Collection Harassment and Data Privacy

Debt collection is allowed when lawful, but harassment is not.

Data privacy issues arise when collectors:

1. Send messages to the borrower’s contacts;
2. Disclose the debt to relatives or employer;
3. Post the borrower’s photo online;
4. Use the borrower’s ID in threats;
5. Send defamatory messages;
6. Threaten public exposure;
7. Use abusive language;
8. Pretend to be police, lawyers, or court officers;
9. Share screenshots of loan details;
10. Contact references excessively;
11. Use personal data to shame or intimidate.

The borrower may demand that the lender stop unlawful processing and delete or block data used for harassment.

---

XXI. Deleting the App Is Not the Same as Deleting the Account

Uninstalling the lending app from a phone does not automatically delete the account or personal data stored by the lender.

Uninstalling only removes the app from the device. Data may still remain in:

1. Lending app servers;
2. Cloud storage;
3. Collection agency databases;
4. Customer service systems;
5. Loan management platforms;
6. Payment processors;
7. Analytics tools;
8. Backup systems;
9. Regulatory records;
10. Audit logs.

To request deletion, the borrower should send a formal request to the lending company’s official contact channel, data protection officer, or customer support.

---

XXII. App Account Closure Procedure

A lending app should ideally provide a way to close or delete an account, especially if the borrower has no outstanding obligations.

The process may include:

1. Logging into the app;
2. Going to privacy settings or account settings;
3. Selecting account deletion or closure;
4. Submitting a written request;
5. Verifying identity;
6. Confirming no outstanding loan;
7. Waiting for processing;
8. Receiving confirmation of closure;
9. Receiving explanation of retained data, if any.

If no account deletion feature exists, the borrower may send a written request.

---

XXIII. What a Deletion Request Should Contain

A borrower’s request should be clear, specific, and documented.

It should include:

1. Full name;
2. Registered mobile number;
3. Registered email address;
4. Account ID or loan ID, if available;
5. Statement that all loans are fully paid, if true;
6. Request to close or delete account;
7. Request to delete, block, or restrict unnecessary personal data;
8. Request to stop marketing messages;
9. Request to stop sharing data with third parties;
10. Request to identify retained data and legal basis;
11. Request for confirmation within a reasonable period;
12. Copies of supporting documents, such as proof of full payment;
13. Contact details for response.

Do not send unnecessary sensitive documents unless needed for verification.

---

XXIV. Sample Request to Delete Lending App Account

Subject: Request for Account Deletion and Erasure or Blocking of Personal Data

Dear Data Protection Officer / Privacy Team,

I am [complete name], registered in your lending app under mobile number [number] and email address [email].

I request the closure and deletion of my lending app account. I further request the deletion, blocking, removal, or restriction of processing of my personal data that is no longer necessary for the purpose for which it was collected.

If any personal data must be retained for legal, regulatory, accounting, audit, fraud-prevention, or claims-related purposes, please identify:

1. The specific personal data to be retained;
2. The legal basis for retention;
3. The purpose of retention;
4. The retention period;
5. The persons or entities with whom the data has been shared;
6. The safeguards applied to the retained data.

I also withdraw consent to receive marketing, promotional offers, or unnecessary communications and object to any processing of my data for purposes unrelated to my account, loan, or lawful obligations.

Please confirm in writing once my account has been closed and unnecessary personal data has been deleted, blocked, or restricted.

Thank you.

[Name] [Mobile number] [Email] [Date]

---

XXV. Sample Request When the Loan Is Fully Paid

Subject: Account Deletion Request After Full Payment

Dear Data Protection Officer / Privacy Team,

I am requesting deletion of my account and personal data in your lending app.

My loan under [loan reference number] has been fully paid as of [date], as shown by the attached proof of payment. I have no pending loan application, no outstanding balance, and no unresolved dispute.

Please close my account and delete, block, or anonymize personal data that is no longer necessary. This includes unnecessary app profile data, marketing data, device data, contact data, and any data collected from my phone that is not legally required to be retained.

If you will retain any records, please provide the legal basis, purpose, retention period, and safeguards.

Please also confirm that my personal data will no longer be used for marketing, profiling, re-loan offers, or sharing with third parties unrelated to legal retention purposes.

Respectfully,

[Name]

---

XXVI. Sample Request When the App Contacted Phone Contacts

Subject: Demand to Stop Unauthorized Contact and Delete Unnecessary Contact Data

Dear Data Protection Officer / Privacy Team,

I object to the processing of personal data obtained from my phone contacts or from persons who did not consent to be contacted regarding my account.

Please immediately:

1. Stop contacting persons who are not lawful parties to my loan;
2. Stop disclosing my loan, alleged balance, or personal information to third persons;
3. Delete or block any phone contact data uploaded from my device without lawful basis;
4. Identify all third parties or collection agencies that received my data;
5. Confirm the measures taken to prevent further unauthorized disclosure.

This request is made without waiver of my rights and remedies under Philippine data privacy law and other applicable laws.

[Name] [Date]

---

XXVII. What the Lending App May Lawfully Retain

Even after account deletion, the app may retain some data for lawful purposes. This may include:

1. Loan contract;
2. Payment records;
3. Billing records;
4. Tax and accounting records;
5. Audit logs;
6. Fraud-prevention records;
7. Regulatory compliance records;
8. Complaint records;
9. Legal case records;
10. Evidence needed for claims or defense;
11. Transaction records required by law;
12. Records needed to prevent duplicate or fraudulent accounts.

However, retention must still comply with privacy principles. The app should retain only what is necessary, for a lawful purpose, for a reasonable period, and with appropriate security.

---

XXVIII. What the Lending App Should Delete or Stop Processing

The borrower may have a strong basis to demand deletion or blocking of data that is:

1. Excessive;
2. Unnecessary;
3. Unlawfully obtained;
4. Used for harassment;
5. Used for unauthorized marketing;
6. No longer needed after full payment;
7. Collected from phone contacts without lawful basis;
8. Shared with unauthorized third parties;
9. Inaccurate or misleading;
10. Retained indefinitely without justification;
11. Processed beyond the disclosed purpose;
12. Used to shame, threaten, or intimidate.

Examples include uploaded contact lists, marketing profiles, unnecessary device permissions, duplicate ID copies, and information unrelated to the loan.

---

XXIX. Retention Periods

Philippine data privacy law does not allow personal data to be retained forever simply because a company wants to keep it. Data should be retained only as long as necessary for the declared, specified, and legitimate purpose, or as required by law.

A lending app should have a retention policy explaining:

1. What data is retained;
2. Why it is retained;
3. How long it is retained;
4. When it is deleted, anonymized, or archived;
5. Who can access it;
6. How it is secured;
7. What happens after account deletion.

Borrowers may request a copy or summary of the retention basis applicable to their account.

---

XXX. Data Minimization

Data minimization means collecting and keeping only personal data that is necessary and proportionate.

A lending app should not collect or retain excessive personal data merely because technology allows it.

For example:

1. A lender may need identity data to verify the borrower;
2. It may need repayment records to manage the loan;
3. It may not need to keep the borrower’s entire phone contact list after verification;
4. It may not need continuous location tracking after loan approval;
5. It may not need access to photos or files unrelated to the loan;
6. It may not need to retain marketing data after consent is withdrawn.

Data minimization supports account deletion and data erasure requests.

---

XXXI. Purpose Limitation

Personal data must be processed only for declared, specified, and legitimate purposes.

If the borrower gave information for loan evaluation, the lender should not automatically use it for:

1. Public shaming;
2. unrelated marketing;
3. sale to third parties;
4. harassment campaigns;
5. unauthorized credit blacklisting;
6. disclosure to employer;
7. disclosure to relatives;
8. unrelated profiling.

If data is used beyond the original lawful purpose, the borrower may object and demand deletion or blocking.

---

XXXII. Transparency

A lending app should inform users about:

1. What data is collected;
2. Why it is collected;
3. How it is used;
4. Whether contacts are accessed;
5. Whether data is shared with collectors;
6. Whether data is used for credit scoring;
7. How long data is retained;
8. How users can exercise privacy rights;
9. Who the data protection officer is;
10. How to file a privacy complaint.

A vague or hidden privacy notice may support a borrower’s objection to processing.

---

XXXIII. Security of Personal Data

Lending apps must protect personal data against unauthorized access, misuse, loss, disclosure, alteration, or destruction.

Security measures may include:

1. Access controls;
2. Encryption;
3. Audit logs;
4. Secure storage;
5. Staff confidentiality;
6. Vendor controls;
7. Limited access by collection agents;
8. Data breach response;
9. Secure deletion methods;
10. Regular privacy and security review.

If a lending app leaks borrower data or allows collectors to misuse it, liability may arise.

---

XXXIV. Data Sharing With Collection Agencies

A lending company may hire collection agencies, but sharing borrower data must have a lawful basis and proper safeguards.

The lender should ensure that collection agencies:

1. Use data only for lawful collection;
2. Do not harass borrowers;
3. Do not disclose debt to unauthorized persons;
4. Protect data securely;
5. Delete or return data after engagement ends;
6. Follow privacy and collection rules;
7. Do not use borrower data for unrelated purposes.

The borrower may ask the lending app to identify collection agencies that received personal data.

---

XXXV. Data Sharing With Credit Bureaus or Credit Information Systems

Lenders may report credit information to lawful credit information systems where allowed by law and regulation. However, reporting must be accurate, lawful, and proportionate.

A borrower may request correction if the report is false or outdated.

Deletion may not always be available if the reporting is legally authorized and accurate, but the borrower may challenge inaccurate or unlawful reporting.

---

XXXVI. Account Deletion and Credit Records

Deleting a lending app account does not necessarily delete all credit history.

A paid loan record may still be retained or reported for legitimate credit, audit, or regulatory purposes. However, it should not be falsely reported as unpaid, delinquent, fraudulent, or unresolved if it has been settled.

A borrower should request a certificate of full payment or clearance when a loan is paid.

---

XXXVII. Certificate of Full Payment or Clearance

Before deleting the account, the borrower should request:

1. Official receipt;
2. Statement of account showing zero balance;
3. Certificate of full payment;
4. Loan closure confirmation;
5. Confirmation that no further collection will be made;
6. Confirmation that collection agencies have been informed.

This prevents future disputes and supports the deletion request.

---

XXXVIII. If the Lending App Refuses to Delete the Account

If the app refuses deletion, ask for a written explanation stating:

1. What data will be retained;
2. Why it must be retained;
3. The legal basis;
4. The retention period;
5. Whether the account can at least be deactivated;
6. Whether marketing can be stopped;
7. Whether unnecessary data can be deleted;
8. Whether third-party sharing can be restricted;
9. How to appeal or complain.

A blanket refusal without explanation may be challenged.

---

XXXIX. If the Lending App Has No Delete Button

The absence of an in-app delete button does not remove the borrower’s rights.

The borrower may send the request through:

1. Official customer service email;
2. Data protection officer email;
3. Privacy notice contact channel;
4. In-app help center;
5. Registered office address;
6. Formal demand letter;
7. Complaint channel of the regulator.

Keep screenshots and proof of submission.

---

XL. If the Lending App Ignores the Request

If the app ignores the request, the borrower should:

1. Send a follow-up;
2. Preserve proof of the original request;
3. Document continued messages or data misuse;
4. Stop unnecessary app permissions;
5. Uninstall the app only after preserving records;
6. File a complaint with the National Privacy Commission if warranted;
7. Report abusive lending or collection practices to the proper regulator;
8. Consult counsel if harassment, threats, or reputational damage occurred.

A privacy complaint is stronger when the borrower can show written requests and the company’s failure or refusal to respond.

---

XLI. Filing a Complaint With the National Privacy Commission

A borrower may file a complaint with the National Privacy Commission if the lending app violates data privacy rights.

Possible grounds include:

1. Unauthorized collection of phone contacts;
2. Failure to honor deletion or blocking request;
3. Excessive data collection;
4. Unauthorized sharing of data;
5. Harassment through personal data;
6. Disclosure of debt to third persons;
7. Failure to provide privacy notice;
8. Failure to respond to access request;
9. Failure to correct wrong data;
10. Data breach;
11. Processing after withdrawal of consent without lawful basis;
12. Retention of data without valid purpose.

The borrower should prepare evidence.

---

XLII. Evidence for a Privacy Complaint

Useful evidence includes:

1. Screenshots of the app permissions requested;
2. Privacy policy screenshots;
3. Loan agreement;
4. Account deletion request;
5. Email replies or lack of response;
6. Proof of full payment;
7. Collection messages;
8. Messages sent to contacts;
9. Call logs;
10. Names and numbers of collectors;
11. Screenshots from relatives or employer;
12. Social media posts, if any;
13. Proof of emotional or reputational harm;
14. App store listing;
15. Screenshots showing no deletion option;
16. Any data access response from the lender.

The more specific the evidence, the stronger the complaint.

---

XLIII. Complaints to Other Regulators

Depending on the type of lender, complaints may also be directed to other regulators.

Possible concerns include:

1. Lending company registration;
2. abusive collection;
3. unfair debt collection;
4. threats;
5. excessive interest;
6. misleading loan terms;
7. unauthorized online lending operations;
8. violation of financing or lending company rules;
9. consumer protection concerns.

Data privacy complaints and lending regulation complaints may proceed separately because they address different wrongs.

---

XLIV. Harassment, Threats, and Criminal Remedies

If collectors use threats, coercion, defamation, identity theft, or cyber harassment, data privacy remedies may not be the only remedy.

Possible legal issues include:

1. Grave threats;
2. light threats;
3. unjust vexation;
4. grave coercion;
5. oral defamation;
6. libel or cyberlibel;
7. identity theft;
8. illegal access;
9. unauthorized use of personal data;
10. harassment under applicable laws;
11. civil damages.

Borrowers should preserve evidence and seek legal advice if threats are serious.

---

XLV. Can a Lending App Contact Your Employer?

A lending app may collect employment information to verify income or identity, if properly disclosed and lawful. However, contacting the employer to shame, threaten, or disclose debt may violate privacy and other laws.

Improper employer contact may include:

1. Telling HR that the borrower is a delinquent debtor;
2. Sending humiliating messages to co-workers;
3. Threatening termination;
4. Misrepresenting legal consequences;
5. Sending the borrower’s ID or photo;
6. Demanding salary deduction without authority;
7. Calling repeatedly to cause embarrassment.

The borrower may object and demand cessation of unauthorized disclosure.

---

XLVI. Can a Lending App Contact Your Family or Friends?

A lending app should not freely disclose loan details to family or friends unless there is a lawful basis. A reference contact does not automatically become a co-debtor.

Improper conduct includes:

1. Telling relatives the exact loan amount;
2. Calling friends not listed as references;
3. Sending threats to family members;
4. Posting in group chats;
5. Sending borrower’s photo to contacts;
6. Asking contacts to shame the borrower;
7. Claiming contacts are liable when they are not.

A borrower may demand that the lender stop processing third-party contact data and delete improperly collected contact information.

---

XLVII. Can a Lending App Post Your Information Online?

A lending app or collector should not post a borrower’s personal information online for collection.

Public shaming may involve:

1. Posting the borrower’s photo;
2. Posting ID documents;
3. Posting debt details;
4. Calling the borrower a scammer without basis;
5. Posting in Facebook groups;
6. Tagging relatives;
7. Sending defamatory captions;
8. Creating fake wanted posters.

This may trigger data privacy, cybercrime, defamation, civil damages, and regulatory complaints.

---

XLVIII. Can a Lending App Keep Your ID After Account Deletion?

A lending app may need to retain a copy of ID for a lawful retention period if the borrower took a loan or completed verification. However, it should not keep ID copies indefinitely without justification.

If the loan was denied or the application was abandoned, the app should have a clear basis for retaining or deleting the ID.

The borrower may request:

1. Deletion if no loan was granted and retention is unnecessary;
2. Restriction of access if retention is legally required;
3. Explanation of retention period;
4. Confirmation that the ID will not be used for marketing or shared with collectors unnecessarily.

---

XLIX. Can a Lending App Refuse Deletion Because of “Company Policy”?

A company policy is not enough by itself. The policy must be consistent with law.

If the app says it cannot delete data because of company policy, the borrower may ask:

1. What law or regulation requires retention?
2. What specific data must be retained?
3. How long is the retention period?
4. Can unnecessary data be deleted?
5. Can the account be deactivated?
6. Can marketing processing stop?
7. Can access be restricted?
8. Can data be anonymized?

A lawful retention policy must be specific, reasonable, and proportionate.

---

L. Can You Delete Your Account to Avoid Payment?

No. Account deletion does not erase a valid loan. If the borrower owes money, the lender may retain and use necessary data to collect lawfully.

However, the lender must still respect privacy and collection rules.

A borrower should separate two issues:

1. Debt issue — whether money is owed, how much, and payment terms;
2. Privacy issue — whether data is collected, used, shared, retained, or disclosed lawfully.

Even an unpaid borrower has privacy rights.

---

LI. Can You Demand Deletion After Paying the Loan?

Yes, the borrower may demand deletion or blocking of unnecessary data after full payment.

The lender may retain certain records for lawful reasons, but should stop unnecessary processing.

A strong post-payment request should include:

1. Proof of full payment;
2. Request for account closure;
3. Request for deletion of unnecessary personal data;
4. Request to stop marketing;
5. Request to stop sharing with collectors;
6. Request to delete phone contact data;
7. Request for retention explanation.

---

LII. Data of Loan Applicants Who Were Rejected

If a person applied for a loan but was rejected, the lending app may not automatically keep all personal data forever.

The applicant may request deletion if:

1. No loan contract was created;
2. Data is no longer necessary;
3. Consent is withdrawn;
4. Retention is excessive;
5. The app collected sensitive data unnecessarily;
6. The app uses the data for marketing despite rejection.

The app may retain some anti-fraud or application records for legitimate purposes, but should explain why and for how long.

---

LIII. Data of Persons Who Never Applied but Were Contacted

Some people receive collection messages because their number appeared in another borrower’s phone contacts or reference list.

These persons may demand:

1. Information on how their number was obtained;
2. Deletion of their contact data;
3. Cessation of collection messages;
4. Blocking of further processing;
5. Identification of the borrower, where appropriate and lawful;
6. Complaint if harassment continues.

A person who is merely a contact or reference is not automatically liable for the borrower’s debt.

---

LIV. Data Portability

In some cases, borrowers may request a copy of their personal data in a structured or commonly used format, especially if processed electronically and if the legal requirements for portability apply.

This may be useful for:

1. Reviewing loan history;
2. Checking payment records;
3. Disputing wrong balances;
4. Transferring records to another financial provider;
5. Supporting complaints.

This right is separate from deletion.

---

LV. Automated Credit Scoring and Profiling

Lending apps may use automated systems to evaluate credit risk. These systems may rely on personal data, payment history, device data, or behavioral data.

Borrowers may ask:

1. Is automated decision-making used?
2. What categories of data affect credit scoring?
3. Was my application rejected based on automated processing?
4. Is there human review?
5. Can inaccurate data be corrected?
6. Can unnecessary profiling data be deleted?

Automated profiling must still comply with fairness, transparency, and proportionality principles.

---

LVI. Cross-Border Data Transfers

Some lending apps may store or process data outside the Philippines through cloud providers, foreign affiliates, or overseas vendors.

Cross-border processing is not automatically illegal, but the lender must ensure that personal data remains protected.

Borrowers may ask:

1. Is my data stored outside the Philippines?
2. What country or provider processes it?
3. What safeguards apply?
4. Are collection agencies abroad involved?
5. Will deletion requests be honored across all systems?

Account deletion should address both local and foreign processors, where applicable.

---

LVII. Data Breach Concerns

If a lending app exposes borrower data through hacking, leaks, employee misuse, or collector abuse, a data breach may occur.

Signs of possible breach include:

1. Unknown persons contacting the borrower about loan details;
2. Loan information appearing online;
3. ID photos being circulated;
4. Contacts receiving messages from unknown collectors;
5. Unauthorized accounts created using borrower information;
6. Spam or phishing after loan application;
7. Data sold or shared without consent.

The borrower may demand information, mitigation, deletion where appropriate, and may complain to the National Privacy Commission.

---

LVIII. Practical Steps Before Requesting Deletion

Before requesting deletion, the borrower should:

1. Screenshot the account page;
2. Save loan agreements;
3. Save payment records;
4. Secure proof of full payment;
5. Download transaction history;
6. Screenshot privacy policy;
7. Screenshot app permissions;
8. Save collection messages;
9. Revoke unnecessary phone permissions;
10. Update passwords if needed;
11. Identify official company contact channels.

This prevents loss of evidence after account closure.

---

LIX. Practical Steps After Requesting Deletion

After sending the request:

1. Save proof of sending;
2. Wait for response within a reasonable period;
3. Follow up in writing;
4. Record any continued marketing or collection;
5. Ask for written confirmation of deletion;
6. Ask for retained data details;
7. Check whether app login is disabled;
8. Monitor contacts for continued harassment;
9. File complaint if ignored or if misuse continues.

Do not rely only on verbal promises from call center agents.

---

LX. What to Ask the Lending App’s Data Protection Officer

A borrower may ask:

1. Who is your Data Protection Officer?
2. What personal data do you hold about me?
3. What data did you collect from my device?
4. Did you collect my phone contacts?
5. Did you share my data with collectors?
6. Which collection agencies received my data?
7. What is your lawful basis for retaining data?
8. How long will you retain my records?
9. What data can be deleted now?
10. What data can be blocked or restricted?
11. How do I opt out of marketing?
12. How do I file a privacy complaint with your company?

The answer should be specific, not generic.

---

LXI. What if the App Is Unregistered or Suspicious?

If the lending app appears unregistered, fake, or abusive, the borrower should be more cautious.

Practical steps:

1. Do not upload additional IDs;
2. Stop granting unnecessary permissions;
3. Preserve evidence;
4. Check the company name and address;
5. Request deletion in writing;
6. Report abusive practices;
7. Watch for identity theft;
8. Notify contacts not to respond to harassment;
9. Monitor bank and e-wallet accounts;
10. Consider replacing compromised IDs or accounts if serious misuse occurs.

An unregistered or illegal lender may ignore deletion requests, so regulatory and legal complaints may be necessary.

---

LXII. If the Borrower Used a Fake Name or Wrong Information

A borrower who provided false information may still have privacy rights, but the lender may retain data for fraud prevention, legal claims, or investigation.

Providing false information may create separate legal risks. Account deletion should not be used to conceal fraud.

A borrower in this situation should seek legal advice before submitting statements that may be used against them.

---

LXIII. If the Borrower Is a Victim of Identity Theft

Sometimes a loan account is opened using another person’s identity.

The victim should immediately:

1. Request account freeze or deletion;
2. Deny authorization in writing;
3. Request copies of documents used;
4. File a dispute with the lending app;
5. File a police or cybercrime report if needed;
6. File a privacy complaint;
7. Notify banks or e-wallets if accounts were used;
8. Monitor credit records;
9. Demand correction of any false credit report;
10. Preserve evidence.

In identity theft cases, deletion is important but so is correction and investigation.

---

LXIV. If the Lending App Uses Your Data After Deletion

If the app confirms deletion but later sends marketing, collection, or shares data, the borrower should:

1. Save the later communication;
2. Send a demand for explanation;
3. Ask what data source was used;
4. Demand deletion from third-party processors;
5. File a complaint if repeated;
6. Seek damages if harm occurred.

Deletion must be effective, not merely symbolic.

---

LXV. Data Deletion From Backups

Companies may retain data temporarily in backups even after deletion from active systems. However, backup retention should be limited and secured.

A good deletion response should explain whether data remains in backups and when it will be permanently purged or overwritten.

Backup data should not be restored into active use unless legally justified.

---

LXVI. Anonymization as an Alternative

In some cases, instead of deletion, the lending app may anonymize data so it no longer identifies the borrower.

Anonymized data may be used for:

1. Statistical analysis;
2. risk modeling;
3. product improvement;
4. compliance reporting;
5. fraud trend analysis.

True anonymization means the data can no longer reasonably identify the person. Merely removing the name while retaining phone number, ID number, or unique device ID may not be enough.

---

LXVII. Deactivation vs. Deletion vs. Blocking

These terms differ.

A. Deactivation

The account is disabled but data may remain.

B. Deletion

Data is removed or destroyed, subject to lawful retention.

C. Blocking

Data is retained but no longer actively processed except for limited lawful purposes.

D. Anonymization

Data is transformed so it no longer identifies the person.

A borrower may request deletion, but the lender may respond with blocking or restricted retention for legally required records. The response should be explained.

---

LXVIII. Demand Letter Through Counsel

If the app ignores informal requests or continues harassment, a lawyer may send a demand letter.

The letter may demand:

1. Account closure;
2. deletion or blocking of unnecessary data;
3. cessation of unlawful processing;
4. identification of third-party recipients;
5. proof of full payment recognition;
6. correction of false data;
7. deletion of phone contacts;
8. stop to harassment;
9. damages or settlement;
10. written undertaking of compliance.

A demand letter may be useful when the harm is serious or continuing.

---

LXIX. Civil Remedies for Damages

A borrower may consider civil action if misuse of personal data caused harm.

Possible damages include:

1. Moral damages for humiliation, anxiety, or emotional distress;
2. Actual damages for financial loss;
3. Exemplary damages for oppressive or malicious acts;
4. Attorney’s fees where legally recoverable;
5. Injunction or other relief in proper cases.

Civil action depends on evidence and applicable legal grounds.

---

LXX. Criminal and Administrative Exposure of Lending Apps

Depending on the acts committed, a lending app or its personnel may face:

1. Data privacy complaints;
2. administrative penalties;
3. regulatory sanctions;
4. criminal complaints for threats, coercion, or defamation;
5. cybercrime complaints;
6. civil damages;
7. suspension or cancellation of authority to operate;
8. complaints against collection agencies;
9. complaints for unfair or abusive collection practices.

The proper remedy depends on the specific facts.

---

LXXI. Borrower’s Responsibilities

Borrowers also have responsibilities.

A borrower should:

1. Read the privacy policy before applying;
2. Avoid granting unnecessary permissions;
3. Provide accurate information;
4. Keep loan records;
5. Pay obligations according to contract;
6. Communicate disputes in writing;
7. Avoid ignoring legitimate notices;
8. Request full payment certification;
9. Use official channels;
10. Preserve evidence of harassment;
11. Avoid making false complaints;
12. Exercise privacy rights in good faith.

Data privacy rights should not be misused to avoid lawful debts.

---

LXXII. Practical Privacy Checklist for Lending App Users

Before using a lending app:

1. Check company name and registration;
2. Read privacy policy;
3. Check app permissions;
4. Avoid apps requiring unnecessary contact access;
5. Do not upload more documents than needed;
6. Use strong passwords;
7. Save all loan terms;
8. Avoid borrowing from suspicious apps;
9. Check interest, penalties, and fees;
10. Know the data protection contact.

After using a lending app:

1. Save payment proof;
2. Request clearance;
3. Revoke app permissions;
4. Request account deletion after settlement;
5. Opt out of marketing;
6. Monitor contacts for harassment;
7. File complaints for misuse.

---

LXXIII. Frequently Asked Questions

1. Can I delete my lending app account in the Philippines?

Yes, you may request account deletion or closure. You may also request deletion, blocking, or restriction of personal data that is no longer necessary or is unlawfully processed.

2. Does deleting my account erase my loan?

No. Account deletion does not extinguish a valid debt. If you still owe money, the lender may retain necessary data for lawful collection and legal purposes.

3. Can I demand deletion after fully paying my loan?

Yes. After full payment, you have a stronger basis to demand deletion or blocking of unnecessary personal data, subject to lawful retention of certain records.

4. Can the app keep my loan records after account deletion?

Yes, if retention is necessary for legal, accounting, audit, regulatory, fraud-prevention, or claims-related purposes. But retention must be limited and justified.

5. Can the app keep my phone contacts?

The app should not retain or use phone contact data without lawful basis. You may demand deletion or blocking of contact data, especially if it was collected excessively or used for harassment.

6. Can the app contact my references?

It may contact references for legitimate and disclosed purposes, but it should not harass them, disclose unnecessary loan details, or threaten them.

7. Can the app contact people who are not my references?

This is highly questionable and may violate privacy rights, especially if the contacts were obtained from your phone without proper lawful basis.

8. Can the app contact my employer?

It may verify employment if lawfully disclosed and necessary, but it should not shame you, disclose debt unnecessarily, or harass your workplace.

9. Can the app refuse deletion because I have an unpaid loan?

It may refuse deletion of data necessary for lawful collection and enforcement, but it should still delete or stop processing unnecessary, excessive, or unlawfully obtained data.

10. Can I withdraw consent?

Yes, but withdrawal may not stop processing based on contract, legal obligation, legitimate claims, or regulatory compliance.

11. What if the app keeps sending marketing after I request deletion?

You may object, withdraw consent for marketing, demand cessation, and file a complaint if the app continues.

12. What if the app ignores my request?

Send a written follow-up, preserve proof, and consider filing a complaint with the National Privacy Commission or other regulators.

13. Can I file a privacy complaint against a lending app?

Yes, if the app violates your data privacy rights, such as unauthorized data sharing, excessive collection, refusal to honor rights, or harassment using personal data.

14. Is uninstalling the app enough?

No. Uninstalling removes the app from your phone but does not delete your account or data from the lender’s servers.

15. Should I request deletion before or after paying?

If you still owe money, the lender may retain necessary data. If fully paid, request deletion with proof of payment and ask for written confirmation.

16. Can I demand deletion of my ID photo?

You may request deletion if it is no longer necessary. The lender may retain it for lawful record-retention purposes if justified, but access should be restricted and protected.

17. Can a contact reference demand deletion?

Yes. A person contacted by a lending app may request deletion or blocking of their personal data if they are not legally liable and their data is being processed without lawful basis.

18. Can the lending app share my data with collectors?

It may share necessary data with lawful collectors under proper safeguards, but collectors must not misuse or disclose the data unlawfully.

19. Can I sue for damages?

Possibly, if unlawful processing caused harm such as humiliation, financial loss, emotional distress, or reputational damage.

20. What should I do first if collectors are harassing my contacts?

Preserve evidence, send a written demand to stop unauthorized processing, request deletion of contact data, report to the lender’s data protection officer, and consider filing complaints with the proper authorities.

---

LXXIV. Conclusion

A borrower in the Philippines has the right to request deletion, blocking, removal, or restriction of personal data held by a lending app, especially when the data is no longer necessary, was unlawfully collected, is excessive, inaccurate, or is being used for unauthorized purposes such as harassment, public shaming, or improper contact of third persons.

However, the right to delete a lending app account is not absolute. If the borrower still has an outstanding loan, the lender may retain and process personal data necessary for lawful collection, contract enforcement, compliance, fraud prevention, and legal claims. Even after full payment, the lender may retain limited records for accounting, regulatory, audit, tax, or dispute purposes. But it must not retain everything indefinitely or use personal data for unrelated purposes.

The best approach is to send a clear written request to the lending app’s data protection officer or official privacy channel. The request should ask for account closure, deletion or blocking of unnecessary personal data, cessation of marketing, restriction of third-party sharing, deletion of unlawfully collected phone contacts, and an explanation of any data retained.

Borrowers should remember that uninstalling the app is not enough. They should preserve loan records, proof of payment, privacy requests, and evidence of harassment. If the lending app ignores the request or continues to misuse personal data, the borrower may file a complaint with the National Privacy Commission and, where appropriate, with other regulators or law enforcement.

The guiding principle is simple: a lender may collect and retain what is lawful, necessary, and proportionate, but it may not weaponize personal data. Debt collection does not cancel privacy rights. A borrower may owe money, but the borrower remains a data subject protected by Philippine law.