Privacy at a Glance
We collect personal information you provide during registration and KYC — including your name, date of birth, Philippine mobile number, email address, and government ID. We also collect usage data, device information, and transaction records generated by your activity on the platform.
Your data is collected for account management, identity verification, regulatory compliance, fraud prevention, anti-money laundering reporting, and customer support. We do not collect personal information for purposes beyond those disclosed in this policy without your separate consent.
We share your data only with PAGCOR and other Philippine regulatory authorities as required by law, KYC and payment processing service providers under strict data agreements, and our licensed game content providers where technically necessary for service delivery. We do not sell your data.
All personal data processed by 28ph is protected using 256-bit SSL encryption in transit and AES-256 encryption at rest. Access to personal data is restricted to authorised personnel on a need-to-know basis. We conduct regular security audits in line with industry standards and PAGCOR requirements.
As a data subject under the Philippine Data Privacy Act, you have the right to access your data, request corrections, object to certain processing, withdraw consent, and request erasure subject to legal retention obligations. You may exercise these rights by contacting our Data Protection Officer.
We retain your personal data for as long as your account remains active and for a minimum of five (5) years after account closure, as required by PAGCOR and Anti-Money Laundering Council regulations. Transaction records may be retained for longer periods where mandated by applicable Philippine law.
Summary: 28ph is committed to protecting your personal information. This policy is written in plain, readable English. We collect only what we need, use it only for disclosed purposes, protect it with appropriate security measures, and give you meaningful control over your own data. If you have any questions, contact our Data Protection Officer at [email protected].
This Privacy Policy ("Policy") describes how 28ph ("the Company," "we," "us," or "our") collects, uses, discloses, stores, and protects the personal information of individuals ("you," "the User," or "Data Subject") who access or use the 28ph online gaming platform and related services available at 28ph.asia.
This Policy is issued pursuant to Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012 ("DPA"), its Implementing Rules and Regulations as promulgated by the National Privacy Commission ("NPC"), and applicable regulations of the Philippine Amusement and Gaming Corporation ("PAGCOR") governing online gaming operators licensed in the Philippines.
By registering on the 28ph platform or by continuing to use our services, you acknowledge that you have read, understood, and consented to the collection and processing of your personal information as described in this Policy. This Policy should be read together with the 28ph Terms & Conditions, which govern the overall relationship between you and the Company.
If you do not agree to the terms of this Policy, you must not register on or use the 28ph platform. If you have an existing account and no longer agree to this Policy, you may close your account by contacting our support team.
For the purposes of the Philippine Data Privacy Act, 28ph is the Personal Information Controller in respect of the personal data it collects and processes about registered users and visitors to the 28ph.asia platform.
28ph operates as a PAGCOR-regulated online gaming platform under Philippine law. All data processing activities described in this Policy are conducted within the framework of 28ph's PAGCOR operating license and in compliance with the DPA and applicable NPC issuances.
28ph has designated a Data Protection Officer ("DPO") responsible for overseeing compliance with this Policy and with the DPA. The DPO's contact details are provided in Section 15 of this Policy. You may contact the DPO directly for any privacy-related inquiry, complaint, or request to exercise your data subject rights.
28ph collects only the personal information that is necessary for the purposes described in this Policy. The categories of personal information we process are set out in the table below.
| Data Category | Specific Data Points | Collection Stage |
|---|---|---|
| Registration Data | Full legal name, date of birth, Philippine mobile number, email address, username, password (hashed) | Account registration |
| Identity Verification (KYC) | Government-issued ID type and number, ID images, selfie or liveness verification image, address details | Pre-withdrawal KYC |
| Financial Data | GCash / PayMaya account number (last digits), bank account details (BPI / BDO / Metrobank / UnionBank), deposit and withdrawal transaction records, balance history | Payment processing |
| Gaming Activity Data | Game session logs, bet history, win/loss records, game type preferences, session duration, wagering patterns | Platform use |
| Device & Technical Data | IP address, device type and OS, browser type and version, screen resolution, session timestamps, login timestamps and locations | Platform access |
| Communications Data | Live chat transcripts, support ticket content, email correspondence content, voluntary feedback submitted | Support interactions |
| Responsible Gaming Data | Deposit limit settings, self-exclusion records, cooling-off requests, problem gambling indicators flagged by the platform's responsible gaming monitoring system | Responsible gaming tools |
28ph does not collect sensitive personal information — as defined under Section 3(l) of RA 10173 — beyond what is strictly necessary for KYC identity verification and responsible gaming compliance. We do not collect racial or ethnic origin, political opinions, religious beliefs, health data beyond responsible gaming indicators, or biometric data beyond standard KYC liveness verification where applicable.
28ph collects personal information through the following channels and methods:
The majority of personal information 28ph holds about you is provided directly by you — during account registration, during the KYC verification process, when you make deposits or request withdrawals, when you contact customer support, and when you voluntarily participate in surveys or promotions.
When you access and use the 28ph platform, our systems automatically record technical and usage data including your IP address, device identifiers, browser type, session timestamps, pages visited, games played, and wagering activity. This data is generated as a byproduct of your use of the platform and is collected via server logs, session tracking technology, and analytics tools that operate within the platform environment.
28ph may receive personal data about you from third-party service providers engaged for specific functions, including:
All third-party providers engaged by 28ph are required to process your personal data only for the specific purpose for which they were engaged and in compliance with the Philippine Data Privacy Act.
Under the Philippine Data Privacy Act, 28ph processes your personal information on the following legal bases:
28ph uses the personal information it collects for the following specific and disclosed purposes:
No Data Selling. 28ph does not sell, rent, or otherwise commercially transfer your personal information to any third party for marketing, profiling, or commercial purposes. Your data is never a product.
28ph discloses personal information to third parties only in the limited circumstances described below:
28ph is required by law to disclose personal and transactional data to PAGCOR as our licensing authority, to the Anti-Money Laundering Council (AMLC) for suspicious transaction reporting as required by RA 9160, and to other Philippine government bodies (including law enforcement agencies) in response to lawful orders, court processes, or mandatory reporting obligations.
28ph engages third-party service providers who process personal data on our behalf and under our instruction, including KYC identity verification providers, payment processing and e-wallet integration partners, fraud detection and AML screening services, cloud infrastructure and data hosting providers, and customer support platform providers. All such providers are engaged under data processing agreements that require them to maintain data security standards consistent with the DPA and to process your data only for the specific purpose authorised by 28ph.
Where technically necessary for the provision of specific game content, limited session data (such as player ID, session token, and wagering information) may be shared with the relevant licensed game provider for the purpose of game operation and dispute resolution. Game providers are required by their own regulatory obligations to maintain appropriate data security standards.
In the event of a merger, acquisition, restructuring, or sale of all or a portion of the business of 28ph, personal data held by 28ph may be transferred to a successor entity as part of that transaction, subject to the successor entity assuming the obligations under this Privacy Policy with respect to your personal data.
28ph uses cookies and similar tracking technologies on the 28ph.asia platform to enable core platform functionality, maintain session state across page loads, support security features including CSRF protection, and generate anonymised analytics data used to improve the platform.
You may manage cookie preferences through your browser's privacy settings. Please note that disabling strictly necessary cookies will prevent you from logging in to and using the 28ph platform. Instructions for managing cookies are available in the help documentation of your specific browser.
28ph does not use third-party advertising cookies or behavioural tracking cookies that profile your activity for the purpose of targeted advertising.
28ph implements technical, organisational, and administrative security measures designed to protect your personal information against unauthorised access, disclosure, alteration, or destruction. These measures include:
Notwithstanding these measures, no data security system is infallible. You are responsible for maintaining the security of your own login credentials and for reporting any suspected unauthorised access to your account to 28ph support immediately.
28ph retains personal information for as long as is necessary to fulfil the purposes for which it was collected, or as required by applicable Philippine law, whichever is longer. The following retention guidelines apply:
Upon expiry of the applicable retention period, personal data is securely destroyed or anonymised in a manner that prevents reconstruction of the individual's identity. Where data is anonymised rather than deleted, the anonymised data set may be retained indefinitely for aggregated analytics purposes.
Under the Philippine Data Privacy Act (RA 10173), you have the following rights with respect to your personal information held by 28ph:
To exercise any of the above rights, please submit a written request to 28ph's Data Protection Officer at [email protected], clearly identifying yourself and the right you wish to exercise. We will acknowledge receipt of your request within three (3) business days and provide a substantive response within fifteen (15) business days, or within such extended period as permitted by the DPA where the request is complex or voluminous.
Identity Verification Required: To protect against fraudulent data subject requests, 28ph will verify your identity before processing any request to access, correct, or erase personal data. We may ask you to confirm your registered mobile number, email address, or provide a copy of your government-issued ID.
The 28ph platform is strictly restricted to individuals who are at least 21 years of age, as required by PAGCOR regulations and Philippine law governing online gaming. 28ph does not knowingly collect personal information from minors.
Age verification is conducted at the KYC stage through the submission of a government-issued photo identification document bearing the applicant's date of birth. Where 28ph discovers or has reason to believe that an account has been registered by or on behalf of a person under 21 years of age, the account will be immediately suspended, all associated transactions voided in accordance with our Terms & Conditions, and the matter reported to PAGCOR as required by our licensing conditions.
Parents or guardians who believe that a minor has registered on or accessed 28ph are encouraged to contact our support team immediately at [email protected].
As an online gaming platform, 28ph may engage service providers — particularly game content providers and cloud infrastructure providers — whose servers are located outside the Philippines. Where such cross-border transfers of personal data occur, 28ph ensures that appropriate safeguards are in place consistent with the requirements of the Philippine Data Privacy Act and any applicable NPC regulations governing cross-border data transfers.
Safeguards applied to cross-border transfers include contractual clauses requiring recipient organisations to maintain data protection standards equivalent to those required under Philippine law, and, where required by the NPC, registration of the cross-border data sharing arrangement with the Commission.
28ph does not transfer your personal information to countries or organisations that do not provide an adequate level of data protection relative to the standards required under Philippine law without first implementing the safeguards described above.
28ph reserves the right to update or amend this Privacy Policy at any time to reflect changes in our data processing practices, applicable law, PAGCOR requirements, or NPC issuances. Material changes to this Policy will be communicated to registered users by email notification to the address on file or by a prominent notice displayed on the 28ph platform prior to the changes taking effect.
The effective date of the current version of this Policy is displayed at the top of this page. The currently published version supersedes all prior versions. If the amended Policy is not acceptable to you, you may request account closure as described in the 28ph Terms & Conditions.
Your continued use of the 28ph platform after the effective date of any amended Policy constitutes your acceptance of the updated terms.
For any questions, concerns, or requests relating to this Privacy Policy or the handling of your personal information by 28ph, please contact our Data Protection Officer through the following channels:
If you are not satisfied with 28ph's response to your privacy concern, or if you believe that 28ph has violated your rights under the Data Privacy Act, you have the right to lodge a formal complaint with the National Privacy Commission (NPC) of the Philippines. The NPC is the independent government body responsible for administering and enforcing the Data Privacy Act. Information about the NPC's complaint mechanism is available through official Philippine government channels.
This Privacy Policy was last reviewed and updated on 1 January 2026. It supersedes all prior versions. 28ph is a PAGCOR-regulated online gaming operator. All rights reserved.
Data Subject Rights
The Philippine Data Privacy Act grants you specific, enforceable rights over your personal information. Here is a plain-language summary of what each right means for you as a 28ph account holder.
Request a copy of the personal information 28ph holds about you, and information about how it is used.
Request correction of inaccurate or outdated personal information we hold about you.
Request deletion or blocking of your personal data where it is no longer needed — subject to legal retention requirements.
Object to the processing of your personal data for direct marketing purposes or on specific legitimate grounds.
Receive a copy of the personal data you provided in a structured, machine-readable format where feasible.
Know whether your personal data is being processed and the circumstances of that processing at any time.
Claim indemnification for damages sustained as a result of unlawful or inaccurate processing of your personal data.
Lodge a formal complaint with the National Privacy Commission if you believe 28ph has violated your rights under the DPA.
To exercise any of your rights, send a written request to our Data Protection Officer at [email protected] with the subject line "Data Privacy Request." Include your full name, registered mobile number or email, and clearly state which right you are exercising. We will respond within 15 business days.