Update:  January 14, 2026

 

SUNLOAN PRIVACY POLICY

 

SunLoan Lending Investors Corporation (“SunLoan”), a lending corporation organized and existing under the laws of the Philippines, operating the online lending platform “Cashify” (the “Platform”) (with SunLoan and Cashify, collectively referred to as the “Company”, “we”, “us” or “our”) takes your privacy very seriously.

 

Before availing our services in the Platform, we recommend that you read the specific content of the SunLoan privacy policy (this “Privacy Policy”) carefully to help you understand what Personal Data we will collect and how the Personal Data will be used. The Company will collect, store, share, use, process, and protect your Personal Data in accordance with this Privacy Policy and existing laws, rules, and regulations of the Republic of the Philippines such as the Data Privacy Act of 2012 (“DPA”), its Implementing Rules and Regulations (“IRR”) and various issuances of the National Privacy Commission (“NPC”). The Company values your data privacy rights and ensures that all Personal Data collected is processed in adherence to the general principles of transparency, legitimate purpose, and proportionality.

 

We may amend and update this Privacy Policy from time to time, with written notice to you, and that if material changes are required, any material revisions to this Privacy Policy shall likewise be published on the Platform.

 

By accessing or availing of our products/services, it means that you have read, understood, and accepted what is described in this Privacy Policy and agreed to abide by this Privacy Policy.

 

DEFINITIONS

 

All capitalized terms used in this Privacy Policy shall have the same meanings as those defined in the DPA and its IRR, which are hereby incorporated by reference and made an integral part of this Privacy Policy.

 

PERSONAL DATA WE COLLECT AND WHY

 

We want you to understand the Categories of Personal Data that we may collect when you apply for our products and/or services. Note that the enumerations per Categories of Personal Data are not exclusive but serve merely as examples: Identity data, Contact details data, Government-issued data, Bank/E-wallet details data, Reference data, Education data, Marital status data. Work data, Credit data, Fraud prevention data, Service requests data.

 

We collect these Categories of Personal Data for the following purposes (the “Purposes”):

  1. To identify your true identity in relation to your interactions and contract(s) with us;
  2. To take steps at your request prior to entering into a contract with you and/or to fulfill our obligation under contracts;
  3. To comply with our legal obligations under anti-money laundering, anti-terrorism, anti-terrorist financing, sanctions, and other regulations;
  4. To promote our products and services; and to measure consumer interest and satisfaction with our products and services;
  5. To communicate with you;
  6. To disburse, collect, and manage accounts in relation to our products and services you may avail from us;
  7. To implement customer verification, risk evaluation, risk mitigation, and fraud prevention;
  8. To address your service requests and queries;
  9. To implement analytics, developing data products (including training machine learning models), creating personal recommendations for our current or potential clients, and to improve our products and/or services;
  10. For data and risk analysis, identifying usage trends, and evaluating and improving our services, products and your experience, including, but not limited to, conducting studies, research, statistical, automatic, and manual profile analysis, behavior modelling (including without limitation, training and back-testing machine learning algorithms of our third-party service provider’s software) to improve efficiency and reliability of their credit scoring capabilities;
  11. To comply with relevant laws, rules, and regulations;
  12. To protect the legal and business interests of Sunloan through jucidial, quasi-judicial, administrative, civil, and/or criminal proceedings, including dispute resolution, and arbitration as well as valid court summons and court orders.
  13. To provide your desired products and services which can only be provided if your Personal Data is disclosed;
  14. To comply when we are required or it is necessary to disclose or share the aforesaid information to third parties that provide products or services on our behalf such as third-party service providers in compliance with relevant law, rules, and issuances, and data science and credit scoring service providers or those that enable us to deliver the product or service you availed or will avail, as well as for initiatives related to or connected with customer due diligence; account management; collections; marketing; data analytics and risk modeling; credit investigation, verification, and assessment; and contacting or communicating with you;
  15. To inform and comply with the due diligence requirements of our current and prospective investors;

When you visit the Platform and avail of our products and services, we will collect your Personal Data. We take the privacy of our users very seriously, and we will only collect your Personal Data if supported by a valid legal basis as provided in the DPA and its IRR. We may use of profiling, automated processing, automated decision-making, credit rating or scoring to determine whether your are fit and eligible to avail of our products and services.

 

If you are unwilling to submit your Personal Data to us for the above Purposes, we cannot provide our products and services to you.

 

YOUR PRIVACY RIGHTS

 

You have the following privacy rights with respect to your Personal Data:

  1. Right to be informed (Section 16(a) & 16(b), DPA);
  2. Right of access (Section 16(c), DPA);
  3. Right to rectification (Section 16(d), DPA);
  4. Right to erasure or blocking (Section 16(e), DPA);
  5. Right to damages (Section 16(f), DPA);
  6. Right to data portability (Section 18, DPA);
  7. Right to object (Section 34(b), IRR).

 

More information about your privacy rights are available by accessing NPC Advisory 2021-01 (link: https://www.privacy.gov.ph/wp-content/uploads/2021/02/NPC-Advisory-2021-01-FINAL.pdf).

 

Inquiries and requests regarding your Personal Data including any objections to or complaints regarding our Processing of your Personal Data, can be sent to our Data Protection Officer’s email at dataprotection@sunloanlending.com.

 

If you feel that the we have not responded in an appropriate manner to your requests or complaints regarding our Processing of your Personal Data, you have the right to complain to the NPC through their website (https://privacy.gov.ph).

 

A.Personal Data provided by users while registering an account in the Platform

 

Collection and processing of your Personal Data by the Company is necessary for the provision of the Company’s products and services and to comply with applicable legal and regulatory requirements to which you and the Company are subject. Apart from such cases, we do not collect Personal Data without your specific and explicit prior consent.

 

B.Information Collected by us while users are using the Platform

 

Platform permissions shall only be done when suitable, necessary, and not excessive for the purpose of KYC verification, determining creditworthiness, preventing fraud, and collecting the debt. Once the intended purpose is achieved, the application shall be turned off and will disallow permissions.

 

  1. Image Information

We will collect photos taken by users during the loan application process and photos actively selected and uploaded by customers for KYC verification and anti-fraud inspection purposes only. We will not access, retrieve, or collect any other photos from your device's gallery.

 

We are committed to encrypting the information and ensuring its security.  This information will be encrypted.

 

  1. Camera Information

We need your permission to access your device’s camera to take documents and pictures for loan application purposes. This will also allow us to perform face recognition to authenticate your identity and ensure that you operate your account.

 

This information will be encrypted and we will ensure its security.

 

  1. APPUse Information

We need permission from APPuse information to prevent fraud.

 

We are committed to encrypting the information and ensuring its security. This information will be encrypted.

 

  1. Approximate Location Information

We collect approximate location information of your device to determine the serviceability of your loan application.

 

We are committed to encrypting the information and ensuring its security.  This information will be encrypted.

 

  1. Collection of Device Information

We collect device information in the background to help us determine whether your usage environment is your own device and prevent fraudsters from stealing your account and login unreliable devices, including your telco usage score generated by our third-party service providers engaged in data analytics and credit scoring from your telecommunications data through your telecommunications service provider (e.g. Globe Telecom Inc., PLDT, Smart Communications, and Sun Cellular), in the possession of mobile network operators, utilities companies (e.g. the MVP Group, including but not limited to Kayana Solutions Inc., PLDT Inc., Smart Communications, Inc. and its affiliates).

 

We are committed to encrypting the information and ensuring its security.  This information will be encrypted.

 

  1. SMS Information

We use SMS to auto-fill the verification code during the process of verifying the validation of your financial account when you add your beneficiary's bank account. We will send you notifications and messages through SMS. We may collect information from your SMS content relevant to your financial circumstances for the purposes of risk analysis.

 

We are committed to encrypting the information and ensuring its security.  This information will be encrypted.

 

INTERNATIONAL TRANSFERS OF PERSONAL DATA

 

Your Personal Data may be transferred to, stored, and processed in countries outside the Philippines, where our mothery company, affiliated entities, service providers, or partners operate. Such transfers are necessary for achieving the Purposes.

 

Further, we maintain your Personal Data on the cloud using services of cloud service providers such as Alibaba Cloud. Your Personal Data may be processed outside of the Philippine provided that we ensure that there are contractual obligations or other similar guarantees that your Personal Data will be Processed according to the standards and requirements of the Applicable Laws.

 

By using our services, you consent to these international transfers. We implement safeguards (e.g., contractual clauses, data encryption) to ensure your data remains protected to Philippine data protection standards. These measures comply with the DPA and its IRR.

 

DISCLOSURE AND SHARING OF PERSONAL DATA

 

In order to deliver to you world-class products and/or services, we enter into services agreements and/or partnerships with other companies. Due to our integrations and/or partnerships, the following Categories of Recipients may receive your Personal Data for external processing, or legal reasons, or when we have your consent:

  1. Our mother company, subsidiaries and affiliates;
  2. Office and real estate providers;
  3. Banks and other Covered Persons;
  4. Logistics providers;
  5. Information technology (IT) service provider for IT infrastructures;
  6. Telecommunications providers;
  7. Credit and financial score providers;
  8. Cloud providers;
  9. Insurance providers;
  10. Business partners and merchants;
  11. Collection partners;
  12. Other third-party service providers for outsourced Processes (e.g., consultants, contractors, etc.);
  13. Government institutions (e.g., Bureau of Internal Revenue, Anti-Money Laundering Council, Securities and Exchange Commission, Bangko Sentral ng Pilipinas, etc.);
  14. Transferee or assignee in case of merger or acquisition;
  15. Investors.

Before the sharing of your Personal Data, the Company will, if required, obtain your explicit consent whereby you will need to click on the  “Accept” option in the app, and you expressly declare that you have read understood and accepted all the content of this Privacy Policy, this act is considered as the signing of this Privacy Policy, and clicking on the "Accept" button will constitute an electronic signature in legal terms. If you do not agree with the terms of this Privacy Policy, you must click on the "Reject" button or a similar option. It should be noted that, if you choose to reject, you will not be able to access the services of the app.  After the consent is obtained, the Company may collect, store, share, use, process, protect, and transfer your Personal Data to different locations.

 

By using or availing, or attempting to use or avail, our services, and after obtaining your explicit consent, you consent to the disclosure or sharing of your Personal and other information to third parties under the circumstances described above such as but not limited to, the Securities and Exchange Commission, Anti-Money Laundering Council, Bureau of Internal Revenue, Credit Information Corporation, and such other agencies in compliance with law, rules, and issuances.

 

The Company is not responsible for any collection, disclosure and/or use of your Personal Data provided by you to any third party's website.

 

SECURITY OF PERSONAL DATA

 

We value Personal Data collected, used, retained, and stored through the Platform.

 

To protect Personal Data from unauthorized access, use, or disclosure, we use encryption methods when storing Personal Data.

 

To ensure the security of information and protect it from any form of fraud, we strive to maintain and restrict access to Personal Data through the latest technological means, physical forms, and other measures, so that your Personal Data will not be damaged or lost.

 

The insights we derive from the information we obtain through your use of the Platform and availment of our products and services help us detect and prevent security threat. If we do detect something is amiss, We will definitely let you know and guide you through steps you can take to be better protected.

 

We restrict access to Personal Data only to our employees, contractors, and agents with a need to know and who are bound by a strict contractual duty of confidentiality. We also have internal investigation and disciplinary measures to address violations or misdemeanors, if any.

 

We work diligently to protect you and our systems from unauthorized access, alteration, disclosure, or destruction of Personal Data we hold. We implement controls inspired by ISO 27001 and other industry standards such as, but not limited to, the following:

  1. Encryption of your Personal Data at rest and in transit;
  2. One-Time Password;
  3. Authentication and verification or requests;
  4. Regular review of Personal Data Processing policies and procedures; and
  5. Two-factor authentication.

 

RETENTION OF PERSONAL DATA

 

Collected Personal Data is retained for the period necessary to carry out the purposes and pursuant to the provisions of pertinent laws, rules, and regulations. We retain Personal Data, including Basic Information, APPUse Information, Camera Information, Image Information, Approximate Location Information, and Device Information, as well as transaction records.

 

We retain the user’s Personal Data for the following purposes:

  1. Information is still necessary for our services and for a reasonable time after completion of services.
  2. Information is required to comply with any legal and regulatory obligations.
  3. Disposal of Personal Data that is no longer necessary for our services will be disposed of securely and in accordance with all applicable laws and regulations.

All records of transactions, especially customer identification records, shall be retained for at least ten (10) years from the date of transactions subject to exceptions under applicable laws. With respect to closed accounts, the records on customer identification, accounts files, and business correspondence shall be retained for at least ten (10) years from the date when they were closed.

 

DELETION OF PERSONAL DATA

 

If you want to stop using our services and delete your Personal Data, you may send an email to dataprotection@sunloanlending.com.  Your Personal Data will be deleted from the Company’s system after the lapse of the retention period described above.

 

MINORS

 

Minors shall not use our products/services for any purpose. The Company does not knowingly collect Personal Data from Minors for any purpose. If you believe that the Company has Personal Data of a Minor without parental/guardian consent, please contact us and we will delete such information.

 

CONTACT US

 

For any questions, requests, or complaints concerning this Privacy Policy, you may contact the Company’s Data Protection Officer through dataprotection@sunloanlending.com.

 

COMPLIANCE & COOPERATION WITH REGULATORS

 

We regularly review the privacy notice as well as our privacy policies and procedures and make sure that We process your Personal Data in ways that comply with the same. We hold regular dialogue and interactions with regulators to ensure that We are aligned with their goals and directives.