phream Privacy Policy

This Privacy Policy ("Policy") describes how phream ("phream," "we," "us," "our") collects, processes, stores, and protects the personal data of individuals ("Data Subjects," "you," "players") who access or use the phream platform at phream.app and all associated gaming services.

phream acts as the Data Controller for personal data processed in connection with player account management, gameplay, and payment processing. phream operates under a license granted by the Philippine Amusement and Gaming Corporation (PAGCOR) and is bound by the requirements of Republic Act No. 10173, the Data Privacy Act of 2012 (DPA 2012), and the implementing rules and regulations issued by the National Privacy Commission (NPC) of the Philippines.

By registering a phream account or using the phream platform, you acknowledge that you have read and understood this Policy and consent to the collection and processing of your personal data as described herein.

phream collects the following categories of personal data from players:

2.1 Registration & Identity Data

• Full legal name as it appears on your government-issued ID;
• Date of birth (for age verification — phream is 21+ only);
• Philippine residential address;
• Email address;
• Mobile phone number;
• Username chosen by the player.

2.2 Identity Verification (KYC) Data

• Copies of government-issued photo identification (PhilSys National ID, passport, driver's license, or voter's ID);
• Proof of address documents (utility bills, bank statements);
• Payment method verification documents where required.

2.3 Financial Data

• GCash mobile number, Maya account details, or bank account details used for deposits and withdrawals;
• Transaction history including deposit amounts, withdrawal amounts, dates, and payment method used;
• Account balance information.

2.4 Gaming & Behavioral Data

• Game play history, wager amounts, game outcomes, and session duration;
• Bonus claims, wagering progress, and loyalty point accumulation;
• Responsible gaming tool usage including deposit limits, session limits, and self-exclusion requests.

2.5 Technical & Device Data

• IP address and geolocation data (for Philippine residency verification and fraud prevention);
• Device type, operating system, and browser type;
• Login timestamps and session logs.

2.6 Communications Data

• Content of support chat interactions and email correspondence with phream;
• Responses to surveys or feedback forms where voluntarily submitted.

phream collects personal data through the following means:

• Directly from you: When you register a phream account, complete KYC verification, make a deposit or withdrawal, contact support, or respond to a survey;
• Automatically: Through cookies, server logs, and analytics tools as you navigate the phream website and use phream services;
• From payment providers: Transaction confirmation data received from GCash, Maya, BDO/BPI, and other payment providers when you initiate a financial transaction through phream;
• From identity verification services: Identity confirmation data from third-party KYC verification providers used to verify the authenticity of identity documents;
• From regulatory authorities: Data received from PAGCOR or other Philippine regulatory bodies as required for compliance purposes.

phream processes your personal data for the following purposes:

• Creating and managing your phream player account;
• Verifying your identity and age (21+) in compliance with PAGCOR licensing requirements;
• Processing deposits and withdrawals in Philippine Peso via GCash, Maya, and other supported payment methods;
• Detecting and preventing fraud, money laundering, and other financial crimes in compliance with the Anti-Money Laundering Act (AMLA) of the Philippines;
• Providing customer support and resolving disputes;
• Administering promotions, bonuses, and the phream VIP program;
• Monitoring gameplay for integrity, fairness, and responsible gaming compliance;
• Sending transactional communications (account confirmations, deposit receipts, withdrawal notifications) to your registered email or mobile number;
• Sending promotional communications where you have given consent, and managing opt-out requests where you have withdrawn consent;
• Complying with applicable Philippine laws, PAGCOR directives, NPC regulations, and court orders;
• Maintaining business records as required by law.

phream processes personal data under the following legal bases as recognized by the DPA 2012 and its implementing rules:

• Contractual necessity: Processing required to perform the contract between phream and the player (account management, payment processing, gameplay delivery);
• Legal obligation: Processing required to comply with PAGCOR licensing conditions, AMLA obligations, tax reporting, and NPC regulations;
• Legitimate interests: Processing for fraud prevention, platform security, and responsible gaming monitoring, where these interests are not overridden by the data subject's rights;
• Consent: Processing for marketing communications, optional surveys, and any other processing not covered by the above bases. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

phream does not sell, rent, or trade your personal data. phream shares personal data with third parties only in the following circumstances:

• Payment processors: GCash, Maya, BDO, BPI, and other payment providers receive transaction data necessary to process deposits and withdrawals;
• KYC and identity verification providers: Third-party services used to verify the authenticity of identity documents during KYC;
• Game software providers: JILI Games, PG Soft, Pragmatic Play, and other licensed game providers receive limited session and RNG data necessary to operate their game engines on the phream platform;
• Regulatory authorities: PAGCOR, the Anti-Money Laundering Council (AMLC), the National Privacy Commission, and other Philippine government bodies as required by law;
• IT and cloud service providers: Third-party infrastructure and cloud hosting providers under data processing agreements that require them to handle data in accordance with the DPA 2012;
• Legal and professional advisors: Lawyers and accountants where disclosure is reasonably necessary for legal proceedings or professional advice.

All third-party processors engaged by phream are contractually required to implement appropriate data security measures and to process personal data only for the specified purposes.

phream retains personal data for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable Philippine law. The following general retention periods apply:

• Account and KYC data: Retained for a minimum of five (5) years from account closure, in compliance with AMLA record-keeping requirements;
• Transaction records: Retained for a minimum of five (5) years from the date of the transaction;
• Gameplay logs: Retained for a minimum of two (2) years from the date of the gaming session;
• Support communications: Retained for one (1) year from the date of the interaction, or longer where a related dispute remains unresolved;
• Marketing consent records: Retained for the duration of the account and for three (3) years after account closure.

Upon expiry of applicable retention periods, personal data is securely deleted or anonymized in a manner that prevents re-identification.

phream implements a combination of technical and organizational security measures to protect your personal data against unauthorized access, disclosure, alteration, or destruction. These measures include:

• 256-bit SSL/TLS encryption for all data transmitted between your device and phream's servers;
• Encryption at rest for sensitive personal data including KYC documents and financial records;
• Role-based access controls ensuring phream staff access only the personal data necessary for their specific job function;
• Multi-factor authentication for phream staff access to systems containing personal data;
• Regular penetration testing and security audits of the phream platform;
• Incident response procedures for detecting, containing, and notifying breaches in compliance with NPC requirements.

While phream employs robust security measures, no system is completely immune to all threats. Players are encouraged to use strong, unique passwords for their phream accounts and to enable two-factor authentication through their account security settings.

The phream website uses cookies and similar tracking technologies to operate certain website functions and to analyze usage. The following types of cookies are used:

• Strictly necessary cookies: Required for the phream platform to function, including maintaining your login session and remembering responsible gaming settings. These cookies cannot be disabled without disrupting platform functionality.
• Functional cookies: Used to remember your preferences such as language and display settings.
• Analytics cookies: Used to measure how players interact with the phream website, which pages are visited most, and how players navigate between pages. This data is used in aggregate and anonymized form to improve the phream platform.

Players may manage cookie preferences through their browser settings. Note that disabling strictly necessary cookies will affect the ability to log in and use the phream platform.

Under the Philippine Data Privacy Act of 2012, phream players have the following rights regarding their personal data. To exercise any of these rights, contact phream's Data Protection Officer at the details in Section 14.

phream will not charge a fee for exercising your data subject rights unless a request is manifestly unfounded or excessive. phream reserves the right to request proof of identity before processing a data subject rights request.

Certain third-party service providers used by phream — including cloud hosting providers and game software providers — may process personal data on servers located outside the Philippines. In such cases, phream ensures that appropriate safeguards are in place in accordance with NPC guidelines, including:

• Data processing agreements requiring the receiving party to implement data protection standards equivalent to those under the DPA 2012;
• Transfer only to jurisdictions with adequate data protection laws, or subject to binding contractual clauses approved by the NPC where applicable.

phream reserves the right to update this Privacy Policy at any time to reflect changes in our data practices, applicable law, or PAGCOR licensing requirements. Material changes will be communicated to players via the registered account email address at least 14 days before the updated Policy takes effect.

The "Last updated" date at the top of this Policy indicates when the most recent revision was made. Continued use of the phream platform after the effective date of any revision constitutes acceptance of the updated Policy.

For questions about this Privacy Policy, to exercise your data subject rights, or to report a privacy concern, contact phream's Data Protection Officer:

• Email: [email protected]
• Subject line: "Data Privacy Request – [Your Registered Email]"
• Response time: phream will acknowledge your request within 5 business days and provide a substantive response within 15 business days.

phream's DPO is registered with the National Privacy Commission of the Philippines in compliance with NPC requirements for personal information controllers handling sensitive personal information.