REPAY DATA SECURITY POLICY

Introduction:

This RePay Data Policy is created in accordance with Republic Act 10173 (“Data Privacy Act of 2012”), its implementing rules and regulations, and other applicable laws of the Republic of the Philippines. This is to assure that all information that we receive is protected by employing different organizational, procedural and technical security measures to ensure that all personal and confidential information are protected.

What are the information that we collect:

By using and accessing our application, website, products and services, you authorize RePay to collect the following data in accordance with the Anti-Money Laundering Act of 2001 (AMLA), Bangko Sentral ng Pilipinas (BSP) Circulars, and other relevant laws:

• name
• gender
• nationality
• birthdate
• address
• civil status
• education
• contact details
• government-issued identification numbers or IDs
• employment and/or business information
• other financial information (such as assets, income, expenses, payments and transaction history)
• transaction and account activities including dealings and interactions with third parties;
• specimen signature
• biometrics;
• other pertinent data

The Use and Processing of Your Personal Data:

RePay may use your personal data for various purposes, including but not limited to: * performing Know-Your-Customer (KYC) examination/investigation or client identification related activities;

• evaluating and/or processing your applications or transactions;
• sending you notices, billings, statements, and other such documents necessary for the continued use of our products and services;
• addressing your inquiries, concerns or complaints, and providing product and/or service related support;
• managing your accounts and performing other audit, administrative and operational tasks;
• direct marketing and cross-selling, including informing you about new product/services offerings and promotions by the Company, its subsidiaries and affiliates;
• profiling, data analysis, behavioural modelling, and market research in order to understand the needs, preferences, market trends, for the purpose of reviewing, developing, improving, and/or recommending suitable products and services; * detecting, preventing, investigating, and prosecuting fraud or crime;
• complying with laws and regulations governing our products and services (e.g. AMLA, BSP Circulars, Credit Information Corporation (CIC) Circulars, etc.); * performing activities that you have consented to; and
• performing such other activities permitted by law;

Our Commitment to Data Sharing:

RePay ensures that only authorized personnel within the various units of the Company will have access to your personal data. Nevertheless, RePay may share your personal data with the following:

• relevant Government agencies such as but not limited to, The Banko Sentral ng Pilipinas (BSP), The Securities and Exchange Commission (SEC), and Bureau of Internal Revenue (BIR) as mandated by pertinent laws and regulations;
• With your consent, the Company may share your personal data to accredited third parties/vendors, guarantee institutions, private regulatory organizations and other financial institutions, and other outsourced service providers engaged by the Company for the purposes of the Company’s conduct of everyday business, and/or to fulfill the services that you wish the Company and our partners/third parties to provide you. Such data sharing activities shall be done in a manner that is compliant with the Data Privacy Act of 2012 and under an obligation of confidentiality.

Cookies and Similar Technologies:

When you access and use our websites, electronic platforms and application, we may collect and process non-personal data as follows:

• Web and data analytics tools - to collect information about the visitors accessing our websites. We collect information on the IP addresses, geolocation, frequency, pages accessed, web browser information, and previous sites accessed prior to visiting RePay’s website. The Company may use such information to improve the performance and content of its websites.
• We use strictly necessary cookies, which are needed for our website to operate as reasonably expected, and performance or analytic cookies, which collect passive information about your use of our website.
• When you install and use our mobile application, we collect relevant device information such as the device’s operating system.
• When you enable your location services in our website or application, we collect the location reported by your device to provide you with location-based services.

Data Retention Policy:

The Company may retain, process, update and/or share your personal data for as long necessary for the fulfilment of the purpose for which it was collected and such other purposes that you may have consented to from time to time, or as required by pertinent laws and regulations. Below are some relevant regulatory requirements that require the Company to retain personal data:

• Pursuant to BSP Regulations, retention period for due diligence documents shall be as long as the account exists and five (5) years from date of closure, while transaction records shall be five (5) years from the date of transaction except where specific laws and/or regulations require a different retention period, in which case, the longer retention period is observed.
• As per the BIR - for data and documents which indicate taxable transactions, data shall be preserved for ten (10) years;

Data Privacy Rights and Protection:

Under the Data Privacy Act of 2012, the rights of the data subject is specifically set forth in Section 16 of the said law. As a data subject, you are afforded the following rights in relation to your personal data under the Data Privacy Act of 2012:

• To be informed that your personal data will be collected and how it will be processed;

• To have reasonable access to your personal data held by the Company, subject to restrictions applied to us as a company operating in the Philippines by certain laws and regulations;

• To have any error in your personal data corrected or to have your personal data updated subject to the necessary controls to protect your account and personal data;

• To have your personal data erased or blocked from our system if said data is incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes or no longer necessary for the purposes for which they were collected, without prejudice to the Company’s continuous processing for commercial, operational, legal, and regulatory purposes;

• To object to the processing of your personal data;

• To lodge a complaint before the National Privacy Commission; and

• To be indemnified for damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of your personal data. If you do not consent to any of the foregoing, please notify us in writing through any of our customer service channels.

• For the purpose of Fraud prevention, user safety, and compliance the dedicated App safety SDK needs to send the following anonymous diagnostic data off the device for detection of security issues. Thus the application collects the following data:
• Category: App info and performance
  • Data Type: Diagnostics
  • Information about the integrity of the app and the operating system. For example, rooting, running in an emulator, hooking framework usage, etc...
• Category: Device or other identifiers
  • Data Type: Device or other identifiers
  • Information that relates to an individual device. For example, a device model and anonymous identifier to control that app instance executed on the original device that it was initially installed on. It is needed to combat threats like bots and API abuse.

Inquiries and Concerns

For any other inquiries or concerns about our Data Security Policy, you may send your inquiries at

solutions@repay.ph