What to Do If an Online Lending App Threatens to Publish Your Personal Information

An online lending app may demand payment, send a statement of account, and use lawful collection methods. It may not threaten to post your photo, government ID, address, phone contacts, loan details, private messages, or other personal information to shame you into paying. Even when the debt is valid, this conduct may violate Philippine privacy, consumer-protection, civil, and criminal laws. Your immediate priorities are to preserve the evidence, secure your phone and accounts, notify the lender in writing, handle the debt separately, and report the conduct to the correct government agencies.

Is It Legal for an Online Lending App to Publish Your Information?

Generally, no. Public humiliation is not a lawful debt-collection method.

The Securities and Exchange Commission’s Memorandum Circular No. 18, Series of 2019 prohibits financing and lending companies from using unfair debt-collection practices. Prohibited conduct includes:

  • Threatening harm to a borrower’s person, reputation, or property
  • Threatening an action that cannot legally be taken
  • Using insults, obscenities, or profane language
  • Disclosing or publishing a borrower’s name and personal information
  • Using false or deceptive representations to collect a debt
  • Contacting people in the borrower’s phone contacts, except persons who are legally involved as guarantors or co-makers
  • Contacting borrowers before 6:00 a.m. or after 10:00 p.m., subject to limited exceptions

Collectors should also disclose their true identity and full name. A lender cannot avoid responsibility simply by outsourcing collection to an agency or freelance collector. The lender remains ultimately responsible for the collection practices used on its behalf.

The official SEC issuance can be accessed through the SEC page for Memorandum Circular No. 18, Series of 2019.

A threat may be actionable even if the app has not yet published anything. Screenshots saying “We will post your ID,” “We will message everyone in your contacts,” or “We will expose you on Facebook” may help prove an attempted unfair collection practice, a privacy violation, or a possible criminal threat.

Your Rights Under Philippine Law

The Data Privacy Act protects your personal information

The Data Privacy Act of 2012, or Republic Act No. 10173, requires personal data to be collected and used for a declared, specific, and lawful purpose. The information collected must be adequate, relevant, and not excessive for that purpose.

A lender may process information genuinely needed to evaluate, release, administer, or collect a loan. That does not give it unlimited authority to use your data for intimidation, public shaming, or indiscriminate disclosure.

Under Section 16 of RA 10173, a data subject—the person whose information is being processed—has rights that include:

  • The right to know what information is being processed
  • The right to know the source, purpose, and recipients of the information
  • The right to access personal data
  • The right to correct inaccurate information
  • The right to object to certain processing
  • The right to request blocking, removal, or destruction of unlawfully obtained, improperly used, outdated, or unnecessary information
  • The right to claim damages when legally justified

These rights are not always absolute. For example, a lender may retain certain records while a loan remains active or while the records are needed for accounting, regulatory compliance, fraud prevention, or a legal claim. However, lawful retention does not authorize public disclosure or harassment. (National Privacy Commission)

RA 10173 also imposes confidentiality and security obligations. A lender remains accountable when it transfers data to a collection agency, technology provider, or other third party. Unauthorized processing, processing for an unauthorized purpose, malicious disclosure, and unauthorized disclosure may carry criminal penalties under the Act. (National Privacy Commission)

Giving app permission is not blanket consent to harassment

Many lending apps request access to contacts, photos, files, cameras, locations, text messages, or phone functions. Tapping “Allow” does not automatically make every later use lawful.

The National Privacy Commission’s Circular No. 2020-01, as amended by Circular No. 2022-02, specifically regulates the processing of personal data in loan-related transactions. Among other things, the rules require online lenders to limit permissions to those that are suitable, necessary, and not excessive.

An app should not scrape or save your entire address book so collectors can pressure your relatives, friends, co-workers, or clients. Where character references or co-makers are genuinely required, the app should provide a separate method allowing the borrower to identify those specific persons instead of harvesting every contact stored on the phone. A borrower’s photograph also cannot lawfully be repurposed to embarrass or harass the borrower over a delinquent account.

The NPC rules can be reviewed in NPC Circular No. 2020-01 and its 2022 amendment on loan-related transactions.

Importantly, the NPC circular applies broadly to persons or organizations acting as lenders or financing providers, even when they are not properly authorized by the SEC. An unregistered app does not receive a free pass to misuse personal data.

Financial consumers have a right to fair treatment

The Financial Products and Services Consumer Protection Act, or RA 11765 of 2022, recognizes the rights of financial consumers to fair treatment, data privacy, effective complaint handling, and protection against abusive collection practices.

Financial service providers must maintain a free consumer-assistance mechanism. When a collection agency or other accredited third-party service provider performs the collection, the financial service provider may remain legally responsible for its acts and omissions.

Civil and criminal liability may also arise

Articles 19, 20, 21, and 26 of the Civil Code of the Philippines, RA 386 require people and businesses to exercise their rights with justice, honesty, and good faith. They also recognize possible claims for damages and other relief when someone unlawfully injures another person or intrudes upon that person’s dignity, privacy, family life, or peace of mind. (Lawphil)

Depending on the exact words and conduct involved, threats or coercive collection may potentially fall under provisions of the Revised Penal Code, such as grave threats, grave coercion, or unjust vexation. False and defamatory online posts may also raise cyberlibel issues under the Cybercrime Prevention Act of 2012, RA 10175. The legal classification depends on the content of the threat, whether a condition was imposed, what was published, who received it, and the evidence available. (Lawphil)

“Doxxing” is often used to describe publishing someone’s identifying information online to expose, intimidate, or endanger that person. Philippine law does not treat every instance under one single offense called doxxing. Instead, the conduct may violate the Data Privacy Act, SEC regulations, the Revised Penal Code, cybercrime laws, or Civil Code provisions, depending on the facts.

What to Do Immediately

1. Preserve the evidence before blocking or uninstalling the app

Do not begin by deleting the app, clearing the conversation, or resetting your phone. Secure the evidence first.

Save the following:

  • Full screenshots showing the sender, phone number, profile, date, and time
  • Screen recordings that show the complete conversation
  • Text messages, emails, chat exports, and call logs
  • Voice messages and recordings lawfully available to you
  • The app’s name, developer, app-store page, website, and package name
  • The loan agreement, disclosure statement, promissory note, and repayment schedule
  • Receipts and proof of previous payments
  • The app’s privacy notice and permission screens
  • Names and numbers used by individual collectors
  • Copies of messages sent to relatives, friends, employers, or co-workers
  • Links and screenshots of any Facebook, TikTok, Telegram, or other online posts
  • Statements from people who received the messages

Keep the surrounding conversation, not only the most offensive sentence. Context can show whether the threat was connected to debt collection and whether the collector identified the lender.

Make at least two backups. Store one outside the affected phone, such as in cloud storage, an email account, a computer, or an external drive. Ask recipients not to delete messages they received.

2. Revoke unnecessary app permissions

After preserving the evidence, review the lending app’s permissions in your phone settings. Revoke access that is no longer necessary, particularly access to:

  • Contacts
  • Photos and videos
  • Files and storage
  • Camera and microphone
  • Location
  • Phone and call logs
  • Text messages
  • Accessibility controls

Uninstalling the app may stop future access to the device, but it does not erase information already copied to the lender’s servers.

Also:

  • Change passwords that were reused on other accounts
  • Enable two-factor authentication
  • Review logged-in devices for your email, Facebook, Google, and Apple accounts
  • Check whether the app was granted accessibility, device-administrator, or screen-overlay privileges
  • Remove unfamiliar applications installed outside an official app store

Do not install a supposed “settlement app,” “verification file,” or APK sent by the collector. It may expose more information or compromise the phone.

3. Send a written notice to the lender and its data protection officer

Send a formal notice through every verifiable channel available: the lender’s official email, customer-service portal, data protection officer, registered office, and in-app support channel.

The notice serves several purposes. It clearly withdraws any supposed consent to public disclosure, demands that the harassment stop, asks the company to preserve evidence, and creates proof that you first raised the matter with the respondent.

For a formal NPC complaint, the complainant generally must show that the respondent was first notified in writing and was given an opportunity to act. Under the NPC’s complaint mechanics, a complaint may proceed when the respondent has failed to respond within 15 calendar days or has provided an unsatisfactory response. (National Privacy Commission)

You may use wording similar to this:

Subject: Formal Notice to Stop Unlawful Disclosure and Preserve Records

I am [complete name], borrower/account number [number, if available].

On [date and time], a person using [phone number, account name, or email] and claiming to represent [lender/app] threatened to publish or disclose my [photo, ID, contacts, address, loan information, or other data] to pressure me regarding the alleged loan.

I do not consent to the publication, disclosure, alteration, or use of my personal information for harassment, humiliation, or communication with unrelated third parties.

I demand that the company:

  1. Immediately stop all threats, public disclosures, and communications with persons who are not lawful guarantors or co-makers;
  2. Restrict future communications to [email or phone number];
  3. Identify the company, collection agency, individual collector, and data protection officer responsible;
  4. State what personal data the company holds, where it came from, and to whom it has been disclosed;
  5. Preserve all call recordings, messages, system logs, access records, collection instructions, and account notes relevant to this incident;
  6. Block or remove personal data that was unlawfully collected or used, subject to any lawful retention requirement; and
  7. Confirm in writing the corrective measures taken.

Please acknowledge this urgent notice promptly. If the matter is not satisfactorily resolved within 15 calendar days, I will include this notice and proof of delivery in complaints before the appropriate government agencies.

This notice does not admit the amount claimed and does not waive any dispute, defense, or legal right relating to the account.

A demand letter is not the same as a court order. Its immediate value is to document your objection, clarify what corrective action you expect, and support later complaints.

4. Deal with the debt separately from the harassment

Harassment does not erase a valid loan. At the same time, owing money does not eliminate your privacy rights.

Ask for a written:

  • Statement of account
  • Breakdown of principal, interest, penalties, and other charges
  • Copy of the loan agreement and disclosure statement
  • Official payment instructions
  • Settlement or restructuring proposal, if available
  • Confirmation that payment will be applied to the correct account

Do not send money to an individual collector’s personal bank or e-wallet account unless the lender independently confirms that the channel is authorized. Fraudsters sometimes impersonate collectors or exploit leaked borrower information.

If you dispute the debt, state the reason clearly. Common disputes involve loans never received, unauthorized applications, amounts already paid, undisclosed charges, or collectors claiming more than the lender’s records show. Avoid making admissions about figures you have not verified.

5. Warn affected contacts without spreading the private information further

Send a brief private notice to people who may be contacted:

Someone claiming to collect an online loan may send you a message about me. Please do not click links, send money, provide information, or argue with the sender. Kindly screenshot the complete message, including the number, date, and time, and forward it to me.

Do not repost the collector’s threat publicly with your unredacted ID, home address, account number, or phone contacts visible. That may spread the same information you are trying to protect.

6. If information has already been published, preserve it before requesting removal

Record:

  • The exact URL
  • Account or page name
  • Date and time found
  • Number of views, shares, or comments
  • Names of groups or pages where it appeared
  • Screenshots showing the full post and profile
  • Search-engine results displaying the post

After preserving the evidence, report the content through the platform’s privacy, harassment, impersonation, or non-consensual-information reporting process. Ask group administrators and page owners to remove it privately. Do not engage in a public argument that increases the post’s visibility.

If the information creates an immediate safety risk—such as publication of your home address combined with threats of physical harm—report it promptly to law enforcement rather than waiting for an administrative complaint to finish.

Where to File a Complaint

More than one agency may have jurisdiction. A single incident can involve unfair collection, unlawful data processing, and criminal intimidation at the same time.

Where to report Best used for Practical filing route
The lender or its data protection officer First written objection, request for data access, correction, blocking, deletion, and preservation of records Official email, customer-service portal, registered office, or in-app complaint channel
Securities and Exchange Commission Harassment or unfair collection by financing companies, lending companies, online lending platforms, and their collectors File a ticket through the SEC I-Message portal
National Privacy Commission Contact harvesting, excessive permissions, unauthorized disclosure, public shaming, unlawful use of photos, IDs, contacts, or loan information Use the NPC formal complaint page and follow its notarization and submission requirements
Bangko Sentral ng Pilipinas Complaints involving a BSP-supervised bank, e-wallet issuer, digital bank, or other BSP-supervised institution Complain first through the institution’s consumer-assistance mechanism, then elevate through BSP’s consumer-assistance channels if unresolved
PNP Anti-Cybercrime Group, NBI Cybercrime Division, CICC, or local police Threats, coercion, impersonation, hacking, extortion-like demands, or harmful online publication Bring identification, an incident summary, the device if requested, and preserved digital evidence
Civil courts Claims for damages, injunctions, or other judicial relief The proper court depends on the remedy, amount claimed, parties, and location

The SEC currently accepts complaint and reporting tickets through I-Message, including complaints involving lending and financing companies. (Securities and Exchange Commission)

For a BSP-supervised institution, the first-level remedy is the institution’s own Financial Consumer Protection Assistance Mechanism. If the response is unsatisfactory, the complaint may be elevated to the BSP Consumer Assistance Mechanism. Complaints involving ordinary financing or lending companies and online lending apps are generally directed to the SEC rather than the BSP. (Bangko Sentral ng Pilipinas)

How to File a National Privacy Commission Complaint

The NPC complaint process is more formal than sending an ordinary email.

Basic procedure

  1. Notify the lender or respondent in writing. Explain what happened, identify the data involved, and request corrective action.

  2. Keep proof of delivery. Save sent-email records, courier receipts, ticket numbers, automatic acknowledgments, and screenshots from the company’s support portal.

  3. Allow the respondent to act. The NPC generally requires proof that the company failed to respond within 15 calendar days or that its response did not satisfactorily address the issue.

  4. Complete the NPC complaint form. State the identities of the parties, the chronological facts, the personal data involved, the legal rights allegedly violated, and the relief requested.

  5. Attach supporting evidence. Include the written notice, proof of delivery, threats, posts, app-permission evidence, privacy notices, loan records, and witness affidavits where available.

  6. Have the complaint notarized.

  7. Submit it to the NPC. The current NPC instructions allow submission in person, by courier, or by scanned email using the address listed on its official complaint page. (National Privacy Commission)

Under the NPC’s current schedule, the basic complaint filing fee is ₱500, with additional fees when a specific claim for damages is included. Qualified indigent litigants may request a fee exemption by submitting the required proof, such as a barangay certificate of indigency and supporting affidavits.

An incomplete, unsigned, unnotarized, or unsupported complaint can be delayed or dismissed. The most common bottlenecks are failure to identify the respondent, failure to show prior written notice, missing proof of delivery, unclear screenshots, and allegations that do not explain what personal data was processed and how.

Documents and Evidence to Prepare

A well-organized complaint packet usually contains:

Document Why it matters
Government-issued ID Establishes the complainant’s identity
One- or two-page incident chronology Helps the agency understand events quickly
Loan agreement and disclosure statement Connects the collector to the transaction
Proof of disbursement and payments Clarifies whether the account and amount are disputed
Full screenshots and chat exports Shows the threat, sender, date, time, and context
Call logs and voice messages Shows frequency and character of collection attempts
App listing and privacy notice Identifies the app, developer, and declared data practices
Permission screenshots Shows what access the app requested or obtained
Messages received by third parties Proves disclosure beyond the borrower
Written notice to the lender Shows that the respondent was informed
Proof of delivery and response Supports compliance with NPC complaint requirements
Witness affidavits Useful when relatives, co-workers, or employers were contacted
URLs and platform reports Helps prove online publication and takedown efforts

Create an index and number the attachments as Annex “A,” Annex “B,” and so on. Use the same annex labels when referring to evidence in your narrative. This small step often makes a complaint much easier to evaluate.

Common Situations and How the Rules Apply

“The app says I consented when I installed it”

Consent must be informed, specific, and connected to a lawful purpose. A broad permission screen does not necessarily authorize the lender to shame you, publish your ID, or message your entire address book. Processing must still satisfy necessity, proportionality, transparency, and fairness requirements under the Data Privacy Act and NPC circulars. (National Privacy Commission)

“They contacted my character reference”

A character reference is not automatically a guarantor or co-maker. Unless the person separately agreed to be legally liable, the lender ordinarily cannot demand that the reference pay the debt.

The lender may have a legitimate reason to verify information through a specifically named reference during an application. That is different from repeatedly disclosing the borrower’s debt or pressuring the reference to force payment.

“They threatened to call my employer”

A collector should not disclose your debt to supervisors, co-workers, customers, or human-resources personnel merely to embarrass you. Even where employment information needs verification, the lender must limit the communication to what is necessary and must not turn the workplace into a pressure point.

Keep evidence of workplace calls because publication to an employer can cause measurable consequences, including disciplinary problems, lost clients, or reputational harm.

“The app is no longer in the app store”

Removal from an app store does not prove that the debt is fake, and it does not prevent a complaint. Preserve the app’s name, old installation records, text messages, loan documents, payment destination, developer information, and website.

The NPC’s loan-transaction circular can apply to persons acting as lenders even without proper SEC authorization. Report the app to the SEC and NPC, and include facts showing how the lender operated.

“The collector says the police will arrest me tomorrow”

The 1987 Constitution, Article III, Section 20 states that no person shall be imprisoned for debt. An ordinary failure to pay a loan is generally a civil matter, and a collector cannot personally order an arrest. (Lawphil)

This does not mean that every dispute involving a loan is immune from criminal investigation. Separate conduct—such as identity fraud, falsified documents, estafa, or issuing a worthless check under circumstances covered by law—may create different legal issues. A mere collector’s message claiming “you will be arrested today” is not a warrant, court order, subpoena, or official criminal charge.

“They are demanding payment in exchange for not posting my data”

Preserve the exact demand. A message tying payment to a threat against your reputation or privacy may be relevant to unfair collection, coercion, threats, or other offenses. Do not negotiate through disappearing messages when an ordinary written channel is available.

What Not to Do

  • Do not delete evidence before making backups.
  • Do not pay a collector’s personal account without verification.
  • Do not send another selfie, ID, contact list, or one-time password to “confirm” your identity.
  • Do not threaten the collector back. Your own messages may become evidence.
  • Do not publicly post unredacted screenshots containing your data.
  • Do not assume a barangay blotter alone will stop online publication. It can document an incident, but it does not replace an SEC, NPC, cybercrime, or court process.
  • Do not ignore the legitimate loan issue. Request records and discuss payment through documented, official channels.
  • Do not accept a verbal promise that the data was deleted. Ask for written confirmation describing the corrective measures taken.

Filing From Abroad or as a Foreigner

A person does not lose privacy protection simply because the person is outside the Philippines. The Data Privacy Act can apply to processing outside Philippine territory when the entity has relevant links to the Philippines or processes information concerning Philippine citizens or residents under the conditions stated in the law. A foreign borrower may also complain when a Philippine lender, collector, office, or data-processing operation is involved. (National Privacy Commission)

An overseas complainant may submit documents through available electronic or courier channels and may authorize a Philippine representative. The NPC requires a representative to show proper authority, ordinarily through a Special Power of Attorney.

When an SPA or affidavit is executed abroad, the receiving Philippine office may require consular notarization or an apostille, depending on the country and the document. Documents apostilled by a competent authority in another Apostille Convention country are generally recognized for use in the Philippines; requirements vary by jurisdiction and should be confirmed with the receiving office before submission. (Philippine Embassy)

Frequently Asked Questions

Can an online lending app post my photo because I have an unpaid loan?

Generally, no. A photo collected for identity verification cannot be repurposed to embarrass or publicly shame a delinquent borrower. Such use may violate NPC loan-processing rules, the Data Privacy Act, SEC regulations, and financial-consumer protections.

Can a lending app message everyone in my contacts?

It should not harvest or use your entire contact list for debt collection or harassment. A specifically identified guarantor or co-maker is different because that person may have a legal connection to the loan. Ordinary friends, relatives, clients, and co-workers do not become liable merely because their numbers were stored on your phone.

Does clicking “Allow Contacts” mean I agreed to contact shaming?

No. Device permission and legally valid consent are not necessarily the same thing. Any processing must still be lawful, transparent, necessary, and proportionate. Permission to access contacts does not legalize public humiliation or excessive disclosure.

Can I be arrested for not paying an online loan?

A person cannot be imprisoned merely for debt. Ordinary nonpayment is generally civil. However, separate fraudulent or criminal acts may be investigated independently. A collector’s threat of immediate arrest is not itself an arrest warrant or court order.

Does illegal collection cancel the loan?

Not automatically. The debt and the collection misconduct are separate issues. You may still owe a valid principal and lawful charges while retaining the right to complain about harassment, privacy violations, or unlawful fees.

What should I do if the post is already online?

Preserve the URL, full screenshots, account details, date, time, comments, and shares. Then request removal through the platform, notify the lender in writing, and report the incident to the NPC, SEC, and cybercrime authorities where appropriate.

Should I complain to the SEC or the NPC?

Use the SEC for unfair collection by lending and financing companies. Use the NPC for unlawful collection, use, or disclosure of personal data. Many cases properly involve both agencies.

When should I complain to the BSP?

Use BSP channels when the product is offered by a BSP-supervised institution, such as a bank, digital bank, e-wallet issuer, or another supervised financial institution. First use the institution’s internal consumer-assistance mechanism.

Can I ask the lender to delete all my information immediately?

You may request deletion, blocking, or removal of unlawfully processed, excessive, outdated, or unnecessary information. The lender may still retain records genuinely required for an existing contract, regulatory obligation, fraud investigation, or legal claim. It cannot use lawful retention as an excuse to shame or harass you.

Can I complain even if the app is unregistered?

Yes. Report the possible unauthorized lending operation to the SEC and the personal-data violations to the NPC. The NPC’s loan-related privacy rules are broad enough to cover persons acting as lenders even if they lack SEC authorization.

Key Takeaways

  • A real unpaid debt does not give an online lending app the right to publish your personal information.
  • Preserve complete evidence before blocking numbers, deleting messages, or uninstalling the app.
  • Revoke unnecessary permissions and secure your email, social-media, and mobile accounts.
  • Send a written objection and data-rights request to the lender and its data protection officer.
  • Keep the debt dispute or repayment discussion separate from the harassment complaint.
  • Report unfair collection to the SEC and unlawful personal-data processing to the NPC.
  • Report serious threats, coercion, impersonation, or dangerous publication to cybercrime or police authorities.
  • A character reference is not automatically a guarantor, co-maker, or person responsible for the loan.
  • Public shaming may create administrative, civil, and criminal consequences for the lender, collector, and responsible officers.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.