If an online lending app has messaged your contacts, threatened to post your photo, called your workplace, accessed your phone data without a clear reason, or shamed you online because of a loan, the issue is no longer just about unpaid debt. In the Philippines, those acts may involve violations of the Data Privacy Act, unfair debt collection rules, cybercrime laws, and civil rights against humiliation and invasion of privacy. This guide explains what counts as a data privacy violation by an online lending app, what evidence to save, where to complain, what documents and fees are usually required, and what remedies may realistically be available.
When an Online Lending App Violates Data Privacy Rights
Online lending platforms often ask for personal information because they need to verify identity, assess creditworthiness, prevent fraud, process payments, and collect debts. That part is not automatically illegal.
The problem begins when the app or its collectors process personal data in a way that is unnecessary, excessive, misleading, abusive, or unrelated to the loan purpose.
Common examples include:
- Accessing your entire phone contact list when the app only needs your chosen references.
- Texting or calling your relatives, friends, officemates, neighbors, or employer even if they are not guarantors.
- Posting your name, face, ID, address, loan amount, or alleged unpaid balance on social media or group chats.
- Sending “scammer,” “estafa,” “wanted,” or other humiliating messages to third parties.
- Using your profile photo, ID photo, or phone gallery image to shame or threaten you.
- Continuing to use your personal data after your loan is denied, settled, or closed without a lawful reason.
- Using confusing app screens, pre-ticked boxes, or dark patterns to make you grant permissions without real choice.
Under Republic Act No. 10173, or the Data Privacy Act of 2012, personal information must be processed according to the principles of transparency, legitimate purpose, and proportionality. Data must also be adequate and not excessive for the purpose for which it is collected. (National Privacy Commission)
Your Key Rights Under the Data Privacy Act
As a borrower, applicant, guarantor, or even a person wrongly contacted because your number appeared in someone else’s phone, you may be a data subject. A data subject is an individual whose personal information is processed.
Your rights include the right to:
- Be informed whether your personal information is being processed.
- Know what data is collected, why it is collected, how it is processed, who receives it, and how long it will be kept.
- Access your personal data upon demand.
- Correct inaccurate or outdated personal data.
- Suspend, withdraw, block, remove, or order the destruction of unlawfully obtained or unauthorized personal data.
- Be indemnified for damages caused by inaccurate, false, unlawfully obtained, or unauthorized use of your personal information. (National Privacy Commission)
The National Privacy Commission, or NPC, is the government agency that receives complaints, investigates privacy violations, issues orders, and may recommend criminal prosecution to the Department of Justice in proper cases. (National Privacy Commission)
What Online Lending Apps Are Allowed and Not Allowed to Do
Access to Contacts, Camera, Gallery, and Phone Data
NPC Circular No. 20-01, issued in 2020, specifically addressed online lending apps. The NPC noted complaints involving access to contact lists, camera, location, storage, and other phone data, and issued rules for loan-related personal data processing.
The rule is simple in practical terms: the app must not ask for phone permissions unless the permission is suitable, necessary, and not excessive for a legitimate loan-related purpose.
For example:
| App permission | When it may be legitimate | When it becomes suspicious or excessive |
|---|---|---|
| Camera | Taking a live selfie for identity verification or KYC | Keeping camera access open after verification |
| Photo gallery | Uploading one ID or proof of payment | Accessing unrelated photos or using them to shame the borrower |
| Contacts | Letting you select your own character references or guarantors | Harvesting the entire contact list or contacting random people |
| Location | Fraud prevention or address verification where clearly justified | Tracking location for harassment or threats |
| SMS/call logs | Rarely justified for ordinary consumer loans | Reading messages or call logs to pressure the borrower |
The NPC’s 2026 public advisory on online lending platforms also reminds borrowers to review permissions, avoid unnecessary permissions, and watch for deceptive design patterns such as pre-ticked boxes or screens that make consent easy to give but difficult to withdraw.
Contact Lists, Character References, and Guarantors
A major source of abuse is the misuse of contact lists.
The NPC’s amended rules under NPC Circular No. 2022-02 make an important distinction:
- A character reference is someone used for identification or verification.
- A guarantor is someone who has expressly consented to assume responsibility for the loan if the borrower defaults.
- A person is not a guarantor just because their number is in your phone or because you typed their name in an app.
- For debt collection, lenders may contact the guarantor, but contacting persons in the borrower’s contact list who were not named as guarantors is prohibited.
Online lending apps must also have separate interfaces where borrowers can provide character references and guarantors of their own choosing. They may not force borrowers to surrender an entire contact list when only selected names are needed.
Privacy Violation vs. Debt Collection: Do Not Confuse the Two
A borrower’s unpaid loan does not give the lender a free pass to violate privacy rights.
At the same time, a privacy violation does not automatically erase a valid debt. These are usually separate issues:
| Issue | Main question | Where it may be raised |
|---|---|---|
| Data privacy violation | Did the app misuse personal data, contacts, photos, IDs, or phone permissions? | National Privacy Commission |
| Unfair debt collection | Did the lender harass, threaten, shame, call at unreasonable hours, or contact non-guarantors? | SEC, and sometimes NPC if personal data is involved |
| Cyberlibel, threats, identity theft, hacking | Did collectors commit a criminal act through phone, chat, social media, or computer systems? | PNP Anti-Cybercrime Group, NBI Cybercrime Division, prosecutor |
| Loan charges and authority to lend | Is the lender registered, authorized, and transparent about fees and interest? | SEC, BSP, or other regulator depending on the provider |
The Securities and Exchange Commission regulates lending and financing companies under laws such as Republic Act No. 9474, the Lending Company Regulation Act of 2007, which aims to regulate lending companies and prevent practices prejudicial to public interest. (Supreme Court E-Library)
Republic Act No. 11765, the Financial Products and Services Consumer Protection Act, also covers financial products and services, including digital financial services, and gives financial regulators such as the SEC and BSP enforcement powers over covered financial service providers. (Supreme Court E-Library)
Unfair Debt Collection Practices by Online Lending Apps
The SEC’s Memorandum Circular No. 18, series of 2019, prohibits unfair debt collection practices by financing and lending companies and their third-party collection agents. A 2025 Philippine Information Agency report quoting SEC counsel identified unfair practices such as threats of violence, obscene or insulting language, disclosure or publication of borrowers’ personal information, contacting people in the borrower’s contact list who are not guarantors or co-makers, and calling to demand payment between 10:01 p.m. and 5:59 a.m. (Philippine Information Agency)
Examples that may justify an SEC complaint include:
- “Magbabayad ka o ipopost ka namin.”
- “Pupuntahan ka namin sa bahay ninyo at ipapahiya ka namin.”
- Messages to your boss saying you are a “fraudster” or “scammer.”
- Calls to relatives who did not sign as guarantors.
- Threats of arrest for a simple unpaid loan, without any actual court case.
- Repeated late-night calls meant to intimidate or embarrass.
Step-by-Step: What to Do Immediately
1. Preserve Evidence Before Deleting or Uninstalling Anything
Before uninstalling the app, blocking numbers, or deleting messages, save evidence first.
Collect:
- Screenshots of threatening texts, chats, emails, app notifications, and call logs.
- Screen recordings showing the app’s permission requests.
- Copies of the app’s privacy notice, loan agreement, disclosure statement, and terms.
- Proof of the app name, developer name, website, Play Store/App Store listing, and URL.
- Screenshots from relatives, friends, officemates, or employers who received messages.
- Proof that the contacted person was not your guarantor or co-maker.
- Payment receipts, loan disbursement records, and account statements.
- IDs or photos used by the app, especially if altered or posted publicly.
- Names, phone numbers, email addresses, and social media accounts used by collectors.
- Dates and times of calls, especially calls made between 10:01 p.m. and 5:59 a.m.
Keep original files when possible. Do not crop out dates, phone numbers, sender details, or URLs. If a third party received the abusive message, ask them to save their own screenshot and write a short statement describing when and how they received it.
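One way to show later that the saved originals were not cropped or edited is to record a hash of each file as soon as it is collected. The script below is an added example, not part of the original guide or any agency's procedure; the folder layout, the `manifest.json` name, and the sample files are assumptions made for illustration.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

MANIFEST_NAME = "manifest.json"  # hypothetical file name chosen for this example


def sha256_of(path: Path) -> str:
    """Hash in chunks so large screen recordings are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _evidence_files(evidence_dir: Path) -> dict:
    """Map relative path -> Path for every file except the manifest itself."""
    return {
        p.relative_to(evidence_dir).as_posix(): p
        for p in sorted(evidence_dir.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }


def build_manifest(evidence_dir: Path) -> dict:
    """Record SHA-256, size and modification time of each saved original."""
    files = {}
    for name, path in _evidence_files(evidence_dir).items():
        info = path.stat()
        files[name] = {
            "sha256": sha256_of(path),
            "size_bytes": info.st_size,
            "modified_utc": datetime.fromtimestamp(
                info.st_mtime, tz=timezone.utc).isoformat(),
        }
    manifest = {"created_utc": datetime.now(timezone.utc).isoformat(),
                "files": files}
    (evidence_dir / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_manifest(evidence_dir: Path) -> dict:
    """Report files that changed, disappeared or appeared since the manifest."""
    recorded = json.loads((evidence_dir / MANIFEST_NAME).read_text())["files"]
    current = {n: sha256_of(p) for n, p in _evidence_files(evidence_dir).items()}
    return {
        "altered": sorted(n for n in recorded
                          if n in current and current[n] != recorded[n]["sha256"]),
        "missing": sorted(n for n in recorded if n not in current),
        "unlisted": sorted(n for n in current if n not in recorded),
    }


if __name__ == "__main__":
    # Constructed sample: two stand-in files in a temporary folder.
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        (folder / "sms_screenshot.png").write_bytes(b"constructed image bytes")
        (folder / "call_log_export.csv").write_text("constructed,rows\n")
        build_manifest(folder)
        print(verify_manifest(folder))  # all three lists are empty
        # Cropping or re-saving a screenshot changes its hash.
        (folder / "sms_screenshot.png").write_bytes(b"cropped copy")
        print(verify_manifest(folder))
```

Build the manifest once, right after saving the files, and keep a copy of it somewhere other than the phone.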
2. Revoke App Permissions and Secure Your Accounts
After saving evidence, reduce further exposure:
- Go to your phone settings.
- Review the lending app’s permissions.
- Revoke access to contacts, camera, photos, location, microphone, and storage unless still strictly necessary.
- Change passwords for email, social media, and e-wallet accounts if you suspect unauthorized access.
- Turn on two-factor authentication.
- Warn your chosen references that they may receive messages.
- Avoid giving new OTPs, passwords, or verification codes to collectors.
Do not send nude photos, additional IDs, blank signed forms, or new contact lists to anyone claiming they need them to “fix” the account.
3. Send a Written Privacy Complaint to the Lender or Its Data Protection Officer
Before filing with the NPC, you generally need to show exhaustion of remedies. This means you informed the respondent in writing about the privacy violation and gave them a chance to address it. The NPC says complainants must attach proof that the respondent failed to take timely or appropriate action, or did not respond within 15 calendar days from receipt of the written notice. (National Privacy Commission)
Your written notice should be short and specific. Include:
- Your full name and contact details.
- App name and account or loan reference number, if any.
- The specific privacy violation.
- Dates and screenshots.
- Names or numbers of collectors involved.
- A clear request, such as stopping contact with non-guarantors, deleting unlawfully obtained contacts, correcting false information, explaining data use, or removing public posts.
- A request for the lender’s Data Protection Officer contact details.
Send it by email, in-app support, registered mail, courier, or another channel that gives proof of sending and receipt.
4. File a Complaint with the National Privacy Commission
The NPC’s official complaint page states that a formal complaint must be in a specific format, printed and filled out, notarized, and submitted in person, by courier, or by scanned email submission. (National Privacy Commission)
Under the NPC’s complaint mechanics, a complaint may be filed by the data subject, an authorized representative with a Special Power of Attorney, certain authorized juridical representatives, or the NPC on its own initiative. The complaint must be supported by evidence and affidavits; insufficient complaints may be dismissed outright. (National Privacy Commission)
A practical NPC complaint packet usually includes:
| Document | Purpose |
|---|---|
| Notarized complaint form or verified complaint | Main pleading explaining the violation |
| Government-issued ID | Identity of complainant |
| Screenshots and digital evidence | Proof of misuse, harassment, unauthorized processing, or disclosure |
| Written notice to lender/DPO | Proof of exhaustion of remedies |
| Proof of receipt or sending | Shows the 15-calendar-day period |
| Affidavits of witnesses | Useful if contacts, relatives, or coworkers received messages |
| Loan documents and privacy notice | Shows what the app represented and what data it collected |
| Special Power of Attorney | Needed if another person files for you |
If you are abroad, execution of a complaint, affidavit, or SPA may require notarization, apostille, or consular acknowledgment depending on where the document is signed and where it will be used. The DFA’s apostille guidance explains that apostille processes apply to public documents and that foreign documents for use in the Philippines may need proper certification depending on the issuing country and document type. (Apostille Government of the Philippines)
5. File a Separate SEC Complaint for Unfair Collection or Unauthorized Lending
If the issue involves harassment, unfair collection, misleading loan terms, excessive charges, or an unregistered lending company, the SEC may also be relevant.
Use the SEC’s official online complaint channel or verify the lender’s authority through SEC resources. The SEC i-Message platform is an official portal for submitting complaints and tracking tickets. (imessage.sec.gov.ph)
When filing with the SEC, include:
- Name of lending or financing company, if known.
- App name and developer name.
- Screenshots of abusive collection messages.
- Proof that third parties contacted were not guarantors or co-makers.
- Loan agreement, disclosure statement, interest, fees, and payment records.
- App store link or website.
- Copies of IDs or registration details shown by the app.
- Your timeline of events.
6. Report Criminal Conduct When There Are Threats, Cyberlibel, Identity Theft, or Hacking
Some cases go beyond administrative complaints.
Possible criminal issues include:
- Grave threats under Article 282 of the Revised Penal Code if someone threatens harm to your person, honor, property, or family.
- Grave coercion or unjust vexation under Articles 286 and 287 where intimidation or unjust annoyance is used.
- Libel or cyberlibel if false and malicious accusations are published to others.
- Computer-related identity theft under the Cybercrime Prevention Act if identifying information is acquired, used, misused, transferred, or altered without right. (Lawphil)
Under the Cybercrime Prevention Act’s implementing rules, the NBI and PNP are the law enforcement authorities responsible for cybercrime enforcement, and they are required to organize cybercrime units. (Supreme Court E-Library)
For online libel, the Supreme Court in Disini v. Secretary of Justice discussed that RA 10175 adopts the Revised Penal Code’s definition of libel and applies it to libel committed through a computer system. (Supreme Court E-Library)
Fees, Timelines, and Practical Expectations
| Item | Typical amount or timeline | Notes |
|---|---|---|
| Written notice to lender/DPO | 15 calendar days to respond before NPC filing | Required for exhaustion of remedies unless an exception applies |
| NPC complaint filing fee | ₱500 | Based on NPC Circular No. 2023-01 |
| Additional NPC fee for damages claim not more than ₱20,000 | ₱150 | Higher claims have additional fees |
| Motion for reconsideration at NPC | ₱500 | If a party challenges a ruling |
| Application for cease-and-desist order | ₱1,000 | Bonds may apply depending on the application |
| Legal research fee | 1% of filing fee, minimum ₱10 | Listed in NPC fee schedule |
| Indigent litigant exemption | Available if requirements are met | Requires barangay certificate of indigency and supporting affidavits |
NPC Circular No. 2023-01 lists the ₱500 complaint filing fee, additional fees for claims of damages, a ₱1,000 fee for cease-and-desist applications, and requirements for indigent litigant exemption.
In practice, simple intake and evaluation may take weeks, while contested cases, mediation, hearings, technical evaluation, and enforcement can take several months or longer depending on the number of respondents, quality of evidence, completeness of documents, and whether the company can be traced.
Remedies That May Be Available
Depending on the facts, remedies may include:
- Order to stop unlawful processing.
- Order to remove, block, or destroy unlawfully obtained personal data.
- Order to stop contacting non-guarantors.
- Administrative fines or sanctions.
- Referral for criminal prosecution.
- Civil damages or indemnity.
- SEC sanctions for unfair collection practices.
- Suspension, revocation, or regulatory action against erring lending or financing companies.
The Data Privacy Act expressly recognizes the right to be indemnified for damages caused by unlawfully obtained or unauthorized use of personal information. (National Privacy Commission)
Civil remedies may also be available under the Civil Code. Articles 19, 20, and 21 require persons to act with justice, comply with law, and compensate for willful acts contrary to morals, good customs, or public policy. Article 26 protects dignity, privacy, and peace of mind, while Article 2219 allows moral damages in cases involving defamation and acts under Articles 21 and 26. (Lawphil)
Common Mistakes That Weaken Complaints
Deleting the App Before Saving Evidence
Many borrowers uninstall the app immediately because they are scared. That is understandable, but it can remove useful evidence such as permission screens, in-app notices, loan terms, and account history. Save evidence first, then revoke permissions.
Filing Only a Narrative Without Screenshots or Affidavits
A strong complaint is not just a story. It should have a timeline, proof, names, phone numbers, screenshots, receipts, and witness statements.
Failing to Prove the 15-Day Written Notice
NPC complaints may be dismissed if the complainant did not show that the respondent was first informed in writing and given a chance to act. Save email headers, courier tracking, in-app tickets, or registered mail receipts. (National Privacy Commission)
Treating Every Collector Message as a Privacy Violation
A lawful payment reminder sent only to the borrower may not be a privacy violation. The stronger cases usually involve unauthorized disclosure, excessive data collection, contact-list misuse, threats, public shaming, or continued processing without lawful basis.
Assuming a Character Reference Is Automatically Liable
A character reference is not automatically a co-maker or guarantor. A guarantor must have expressly consented to assume responsibility for the loan.
Ignoring the SEC Side of the Problem
If the app is not registered, not recorded, uses unfair collection practices, hides loan charges, or misrepresents itself, the SEC complaint may be just as important as the NPC complaint.
Special Notes for OFWs, Foreigners, and Borrowers Outside the Philippines
You may still have remedies even if you are outside the Philippines.
The Data Privacy Act has extraterritorial application in certain cases, including acts or processing outside the Philippines that relate to personal information of Philippine citizens or residents, or entities with links to the Philippines such as carrying on business in the Philippines or collecting or holding personal information in the Philippines. (National Privacy Commission)
Practical points:
- Use email and scanned PDF submissions where accepted.
- Have affidavits, complaints, or SPAs properly notarized and authenticated when signed abroad.
- If a relative in the Philippines will file or follow up, prepare a Special Power of Attorney.
- Preserve time-zone details for late-night calls or threats.
- If the app targets Filipinos in the Philippines but claims to be based abroad, include proof that it markets to Philippine users, uses Philippine numbers, accepts Philippine IDs, disburses to Philippine e-wallets or bank accounts, or collects from Philippine residents.
Foreigners living in the Philippines can also be data subjects. If the app processed your passport, ACR I-Card details, phone number, local address, employer details, or contacts in the Philippines, those facts should be clearly stated in the complaint.
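For the advice above to preserve time-zone details, and the 10:01 p.m. to 5:59 a.m. window mentioned earlier, this added example (not part of the original guide) normalizes call timestamps that carry a UTC offset and flags those inside the window, including the wrap past midnight. It assumes the window is measured in Philippine time (UTC+8), which the guide does not state; the call entries and phone numbers are constructed.

```python
from datetime import datetime, time, timedelta, timezone, tzinfo

# Assumption for this example: the window is checked against Philippine time
# (UTC+8, no daylight saving). Pass another zone if a different clock applies.
PH_TIME = timezone(timedelta(hours=8), "PHT")
WINDOW_START = time(22, 1)  # 10:01 p.m., as stated in the guide
WINDOW_END = time(5, 59)    # 5:59 a.m., as stated in the guide

# Constructed sample entries; "received" keeps the offset the phone recorded.
SAMPLE_CALLS = [
    {"number": "+63-900-000-0001", "received": "2025-03-01T22:00:00+08:00"},
    {"number": "+63-900-000-0001", "received": "2025-03-01T22:01:00+08:00"},
    {"number": "+63-900-000-0002", "received": "2025-03-01T18:30:00+04:00"},
    {"number": "+63-900-000-0002", "received": "2025-03-02T05:59:30+08:00"},
    {"number": "+63-900-000-0003", "received": "2025-03-02T06:00:00+08:00"},
]


def in_restricted_window(moment: datetime, zone: tzinfo = PH_TIME) -> bool:
    """True if an offset-aware timestamp falls in 10:01 p.m. to 5:59 a.m."""
    if moment.tzinfo is None:
        # A bare "11:40 PM" cannot be placed on any clock but the phone's own.
        raise ValueError("timestamp has no UTC offset; record the time zone")
    # Compare at minute precision, so 05:59:30 still counts as 5:59 a.m.
    local = moment.astimezone(zone).time().replace(second=0, microsecond=0)
    # The window wraps past midnight, so it is the union of two ranges.
    return local >= WINDOW_START or local <= WINDOW_END


def build_timeline(call_log, zone: tzinfo = PH_TIME):
    """Return calls in chronological order with normalized time and a flag."""
    parsed = []
    for entry in call_log:
        stamp = datetime.fromisoformat(entry["received"])
        flagged = in_restricted_window(stamp, zone)  # raises on naive input
        parsed.append((stamp, {
            "number": entry["number"],
            "as_recorded": entry["received"],  # keep the original value too
            "normalized": stamp.astimezone(zone).strftime("%Y-%m-%d %H:%M %Z"),
            "restricted_hours": flagged,
        }))
    return [row for _, row in sorted(parsed, key=lambda pair: pair[0])]


if __name__ == "__main__":
    for row in build_timeline(SAMPLE_CALLS):
        mark = "FLAG" if row["restricted_hours"] else "    "
        print(mark, row["normalized"], row["number"], "(", row["as_recorded"], ")")
```

The third sample entry was logged at 6:30 p.m. on a phone set to UTC+4, which is 10:30 p.m. in Philippine time; without the recorded offset it could not be placed inside or outside the window.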
Frequently Asked Questions
Can an online lending app access my contacts in the Philippines?
Only in a limited and lawful way. The NPC allows processing of contact lists only when suitable, necessary, and not excessive, such as allowing you to choose your own character references or guarantors. Unbridled processing of contact lists is prohibited.
Can a lending app message my family or officemates about my loan?
Not simply because their numbers are in your phone. For debt collection, lenders may contact the guarantor, but contacting people in your contact list who were not named as guarantors is prohibited under the NPC’s loan-related data rules.
Is it legal for collectors to post my photo and call me a scammer?
That may involve data privacy violations, unfair debt collection, civil liability for damages, and possibly libel or cyberlibel depending on the words used, publication, identifiability, malice, and medium. The Revised Penal Code defines libel as a public and malicious imputation tending to dishonor, discredit, or cause contempt, and RA 10175 covers libel committed through a computer system. (Lawphil)
Do I still have to pay the loan if the app violated my privacy?
A privacy violation does not automatically cancel a valid loan. However, the lender may still face NPC, SEC, civil, or criminal consequences for unlawful data processing, harassment, public shaming, or unfair collection. Disputes about excessive interest, hidden charges, or unauthorized lending should be raised with the proper regulator or court.
Where do I complain first, NPC or SEC?
File with the NPC for misuse of personal data, contact harvesting, unauthorized disclosure, or privacy rights violations. File with the SEC for unfair debt collection, unauthorized lending, misleading loan terms, excessive or hidden charges, or harassment by lending and financing companies. In many online lending app cases, both agencies may be relevant.
Do I need a lawyer to file an NPC complaint?
The NPC provides complaint forms and filing instructions for data subjects. The important requirements are a properly prepared and notarized complaint, evidence, affidavits where needed, and proof that you first notified the respondent in writing and allowed the 15-calendar-day period to pass. (National Privacy Commission)
What if the collector threatens to have me arrested?
Nonpayment of an ordinary loan is generally a civil matter, but threats, intimidation, fake warrants, or false claims of immediate arrest may create separate legal issues. Save the messages and include them in SEC, NPC, or criminal complaints as appropriate.
Can my employer terminate me because a lending app contacted the office?
An employer should not automatically act on unverified collection messages. If the lender disclosed your personal data to your workplace to shame or pressure you, that disclosure may strengthen a privacy or unfair collection complaint. Save the message received by HR, your supervisor, or officemates.
What if I never borrowed but the app keeps contacting me?
You may still be a data subject if your number or identity is being processed. Ask the lender in writing where it obtained your data, demand deletion if you are not a borrower or guarantor, and preserve proof of continued contact. If they do not properly respond, an NPC complaint may be available.
Can I ask NPC to remove my data from the app?
Yes, where there is substantial proof that the personal information is incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes, or no longer necessary for the purpose for which it was collected, the Data Privacy Act recognizes the right to suspend, withdraw, block, remove, or order destruction of that data. (National Privacy Commission)
Key Takeaways
- Online lending apps may collect data only for lawful, specific, and proportionate loan-related purposes.
- Access to your whole contact list is highly sensitive and cannot be used for harassment or debt shaming.
- Character references are not automatically guarantors.
- Contacting non-guarantors, posting your personal data, or embarrassing you at work may trigger NPC and SEC remedies.
- Save evidence before deleting the app or blocking collectors.
- Send a written notice to the lender or its Data Protection Officer and keep proof of receipt.
- NPC complaints generally require a notarized complaint, evidence, and proof that the respondent had 15 calendar days to act.
- SEC complaints are important when the problem involves unfair debt collection, unauthorized lending, hidden charges, or abusive collectors.
- Serious threats, cyberlibel, identity theft, or hacking may be reported to cybercrime authorities.
- A privacy violation does not automatically erase a debt, but it can give rise to administrative sanctions, civil damages, and possible criminal liability.