Privacy Policy — aaaph Casino

1.1 aaaph Casino is the Personal Information Controller (PIC) in respect of personal data collected through aaaph.biz and its associated services. This means aaaph determines the purposes and means by which personal information is processed.

1.2 This Policy applies to all personal data collected from:

• Registered players who hold an active or inactive aaaph account;
• Visitors who browse aaaph.biz without registering;
• Individuals who contact aaaph's customer support team;
• Individuals whose data aaaph receives from third-party sources in the course of identity verification, fraud prevention, or payment processing.

1.3 This Policy should be read alongside aaaph's Terms and Conditions and Responsible Gaming Policy, both of which are accessible via the links on aaaph.biz.

2.1 aaaph collects the minimum personal data necessary to operate a licensed online gaming platform and comply with applicable Philippine law. The categories of data we collect include:

2.2 aaaph does not collect biometric data (fingerprints, facial recognition data) through the platform, except where a player voluntarily uses their device's biometric authentication to access their account — in which case the biometric processing occurs entirely on the player's personal device and is not transmitted to aaaph.

3.1 Directly from you: When you register an account, complete KYC verification, submit a deposit or withdrawal request, contact customer support, respond to a survey, or interact with any feature of aaaph.biz that requires you to provide information.

3.2 Automatically during platform use: aaaph's systems collect technical data automatically as you navigate the platform — including session logs, device information, IP addresses, and clickstream data. This collection occurs through cookies, server logs, and similar technologies described in Section 7.

3.3 From third-party sources: aaaph may receive personal data from the following categories of third parties:

• Payment processors (GCash, Maya, BPI, BDO, Metrobank, and others) in connection with deposit and withdrawal transactions;
• Identity verification services engaged to assist with KYC and AMLA compliance;
• Fraud prevention and sanctions screening providers who check player data against watchlists and databases;
• Game providers (JILI, PG Soft, Pragmatic Play, Evolution, and others) who share session and outcome data in connection with games hosted on the aaaph platform.

4.1 aaaph processes personal data only for specific, lawful, and declared purposes. The primary purposes for which your data is used include:

• Account registration and management: Creating, maintaining, and administering your aaaph account, including authentication, account security, and profile management;
• KYC and age verification: Verifying your identity and confirming you meet the 21+ age requirement mandated by PAGCOR and Philippine law;
• Payment processing: Processing deposits, withdrawals, and internal account credits and debits;
• Anti-Money Laundering (AMLA) compliance: Meeting aaaph's obligations under the Philippine Anti-Money Laundering Act (RA 9160 as amended) and the requirements of the Anti-Money Laundering Council (AMLC);
• Fraud and security monitoring: Detecting, investigating, and preventing fraudulent activity, unauthorised account access, and other security threats;
• Responsible gaming: Monitoring gaming activity for indicators of problem gambling, applying self-exclusion restrictions, and enabling responsible gaming tools;
• Customer support: Responding to your queries, complaints, and support requests;
• Regulatory reporting: Fulfilling aaaph's reporting obligations to PAGCOR, the AMLC, and the National Privacy Commission as required;
• Platform improvement: Analysing aggregated, anonymised usage data to improve game selection, platform performance, and user experience;
• Marketing communications: Sending promotional offers, bonus notifications, and platform updates where you have provided consent for marketing communications.

5.1 Under the Philippine Data Privacy Act and its Implementing Rules, aaaph relies on the following legal bases for processing personal data:

• Consent (Section 12(a), RA 10173): For marketing communications, optional profile features, and any processing activities for which aaaph has specifically sought your consent at the point of collection;
• Contractual necessity (Section 12(b), RA 10173): For account creation, payment processing, game access, and all processing activities required to perform aaaph's obligations under the Terms and Conditions;
• Legal obligation (Section 12(c), RA 10173): For KYC, AMLA compliance, PAGCOR regulatory reporting, and any other processing required by Philippine law;
• Legitimate interests (Section 12(f), RA 10173): For fraud prevention, platform security, responsible gaming monitoring, and product improvement — where aaaph's legitimate interests are balanced against, and do not override, your rights and freedoms.

5.2 For processing of sensitive personal information (as defined under Section 3(l) of RA 10173), aaaph relies on your explicit consent obtained at registration, or on the legal obligation basis where such processing is required under PAGCOR or AMLA frameworks.

6.1 aaaph does not sell, rent, or trade your personal data to third-party marketers or data brokers. Your data is shared only where necessary for the lawful purposes described in this Policy, specifically with:

• Payment processing partners (GCash, Maya, BPI, BDO, Metrobank, GrabPay, 7-Eleven CLiQQ, Coins.ph, and cryptocurrency processors) for the processing of your transactions;
• KYC and identity verification providers engaged by aaaph to assist in verifying documents and screening against sanctions lists;
• Game providers who require session data to deliver games and resolve disputes;
• IT and platform infrastructure providers who host, maintain, and support the aaaph platform under strict data processing agreements;
• PAGCOR as required under aaaph's licensing obligations;
• The Anti-Money Laundering Council (AMLC) as required under RA 9160 and related issuances;
• The National Privacy Commission (NPC) as required by RA 10173;
• Law enforcement and judicial authorities in the Philippines, where aaaph is legally compelled to disclose information in response to a valid lawful order.

6.2 All third-party processors engaged by aaaph are required to maintain data security standards consistent with RA 10173 and may only process data for the specific purposes for which they were engaged.

7.1 aaaph.biz uses cookies and similar tracking technologies to operate the platform, maintain your session, and analyse usage patterns. The following categories of cookies are used:

• Strictly necessary cookies: Required for the platform to function. These include session cookies that maintain your logged-in state, security tokens, and load-balancing cookies. These cannot be disabled without affecting core platform functionality;
• Functional cookies: Remember your preferences (language, game filters, notification settings) to personalise your experience across sessions;
• Analytics cookies: Collect anonymised, aggregated data about how pages are navigated and which features are used — helping aaaph identify and resolve performance issues and improve game selection;
• Security cookies: Used for fraud detection, bot prevention, and monitoring for unusual access patterns that may indicate account compromise.

7.2 aaaph does not use third-party advertising or tracking cookies that follow you across unrelated websites. The analytics and tracking technologies used on aaaph.biz are limited to first-party tools and vetted service providers engaged specifically for platform operation.

7.3 You may manage cookie preferences through your browser settings. Disabling strictly necessary cookies will affect your ability to log in and use the platform.

8.1 aaaph retains personal data only for as long as necessary for the purposes described in this Policy, or as required by applicable Philippine law, whichever is longer. The following indicative retention periods apply:

• KYC and identity documents: Retained for a minimum of 5 years from the date of account closure, as required under Philippine AMLA obligations;
• Transaction and financial records: Retained for a minimum of 5 years from the transaction date, consistent with AMLA and BSP record-keeping requirements;
• Gaming activity logs: Retained for 3 years from the date of the activity, used for dispute resolution and responsible gaming monitoring;
• Support communications: Retained for 2 years from the date of the communication, unless the subject matter involves an unresolved dispute or regulatory inquiry;
• Account data (inactive accounts): Accounts with no activity for 3 years will be flagged for review; data will be retained for a further 2 years before deletion, subject to legal hold requirements;
• Technical and access logs: Retained for 12 months from the date of the log entry.

8.2 Upon expiry of the applicable retention period, personal data will be securely deleted or anonymised so that it can no longer be associated with an identifiable individual.

9.1 aaaph implements a layered technical and organisational security programme to protect personal data against unauthorised access, disclosure, alteration, and destruction. Key measures include:

• SSL/TLS encryption (256-bit): All data transmitted between your device and aaaph's servers is encrypted using industry-standard TLS protocols;
• Encryption at rest: Sensitive data fields (including payment information, government ID numbers, and authentication credentials) are encrypted in storage using AES-256 or equivalent algorithms;
• Access controls: Access to personal data is restricted to aaaph staff and service providers on a strict need-to-know basis, enforced through role-based access controls and mandatory authentication;
• Two-factor authentication: 2FA is available to all players and mandatory for staff accessing systems that contain personal data;
• Penetration testing and vulnerability management: aaaph conducts regular security testing and maintains a vulnerability management programme to identify and remediate security weaknesses;
• Security incident response: aaaph maintains a documented security incident response procedure consistent with the breach notification requirements of the NPC under RA 10173.

9.2 While aaaph implements robust security measures, no online platform can guarantee absolute security. You can strengthen your own account security by using a strong, unique password, enabling 2FA, and ensuring the security of your registered Philippine mobile number and linked e-wallet accounts.

10.1 aaaph's primary data processing infrastructure is located within the Philippines. However, some of aaaph's service providers — including certain game providers, cloud infrastructure providers, and technical support partners — may be located or operate infrastructure outside the Philippines.

10.2 Where personal data is transferred outside the Philippines, aaaph ensures that such transfers are subject to appropriate safeguards consistent with the requirements of Section 21 of RA 10173 and the NPC's guidelines on cross-border data transfers. These safeguards may include:

• Binding contractual clauses in data processing agreements with recipient entities;
• Transfers to recipients in jurisdictions that have been assessed by the NPC as providing adequate data protection standards;
• Transfer under a valid legal basis where the data subject has been informed and has not objected.

10.3 Details of aaaph's cross-border transfer mechanisms are available on request from the Data Protection Officer.

11.1 Under the Philippine Data Privacy Act of 2012, you have the following rights in respect of your personal data held by aaaph:

• Right to be Informed: You have the right to know whether aaaph holds personal data about you, and to receive information about how it is being processed;
• Right to Access: You have the right to request a copy of the personal data aaaph holds about you, together with supplementary information about the purposes and basis of processing;
• Right to Correction: You have the right to request correction of inaccurate, incomplete, or outdated personal data in your aaaph account;
• Right to Erasure or Blocking: You have the right to request deletion or blocking of personal data where the data is no longer necessary for the purpose it was collected, where you have withdrawn consent, or where the processing is unlawful — subject to aaaph's legal obligation to retain certain data;
• Right to Data Portability: You have the right to request a structured, commonly used, machine-readable copy of your personal data that you have provided to aaaph;
• Right to Object: You have the right to object to the processing of your personal data where aaaph is relying on the legitimate interests basis, and where your individual circumstances give you grounds to object;
• Right to Lodge a Complaint: You have the right to lodge a complaint with the National Privacy Commission (NPC) if you believe that aaaph has processed your personal data in a manner inconsistent with RA 10173.

11.2 To exercise any of the above rights, please contact aaaph's Data Protection Officer using the contact details in Section 14. aaaph will acknowledge your request within 5 Philippine business days and respond substantively within 30 days, or within the period required by the NPC's guidelines.

12.1 If aaaph becomes aware that personal data has been submitted by or on behalf of a person under 21 years of age, all such data will be immediately deleted, the account will be closed, and any deposits will be returned to their source. Where aaaph has reason to believe that a minor has been assisted in circumventing age restrictions, the matter may be referred to relevant Philippine authorities.

12.2 If you are a parent or guardian and believe that your child (under 21) has registered on aaaph, please contact us immediately via the support team so the account can be closed and data removed.

13.1 aaaph may update or amend this Privacy Policy from time to time to reflect changes in our data practices, applicable Philippine law, or NPC guidance. The revised Policy will be posted on aaaph.biz with an updated effective date.

13.2 Where changes are material — for example, where we begin processing personal data for a new purpose, or where we change the category of third parties with whom data is shared — aaaph will provide advance notice via a prominent notice on the platform and, where practicable, by email to registered accounts, no less than 7 days before the change takes effect.

13.3 Your continued use of aaaph following notification of a material change constitutes your acknowledgement of the updated Policy. Where the change requires fresh consent, aaaph will seek it explicitly before the new processing begins.

14.1 aaaph has designated a Data Protection Officer (DPO) in accordance with Section 21(c) of RA 10173. The DPO is responsible for overseeing aaaph's data protection programme, acting as a point of contact for data subjects and the NPC, and ensuring compliance with this Policy.

14.2 For any privacy-related queries, requests to exercise your data subject rights, or concerns about aaaph's data practices, please contact:

• Data Protection Officer — aaaph Casino
• Email (support): [email protected] — include "Privacy / DPO Request" in your subject line;
• Live Chat: Available 24/7 on aaaph.biz — identify your query as a privacy request at the start of the chat;
• Response target: Within 5 Philippine business days for acknowledgement; within 30 days for substantive response.

14.3 If you are not satisfied with aaaph's handling of your privacy concern, you have the right to lodge a complaint with the National Privacy Commission of the Philippines (NPC). The NPC can be contacted through its official government channels.