G-Xchange, Inc. Data Privacy Notice
The objective of this statement is to explain how we collect, use, share, retain, dispose, and protect your personal data and how we enable your rights under the Data Privacy Act of 2012 (DPA).
Who is collecting your personal data?
We at G-Xchange Inc. (GCash/GXI) are committed to ensuring that your privacy is secured and protected. We respect your right to know how we process and protect your personal data, which is why we are providing this notice.
|“we/us” or “GCash/GXI”
||means G-Xchange Inc.
|“you” or “user”
||means GCash user or individual visiting our website and mobile app or registering a GCash Account
||means someone who is not you or us or a part of GCash or GXI
Our reason why we collect your Personal Data…
We collect your personal data, without limiting the generality of the purpose, to facilitate your transaction needs and avail yourself of our products and services. These include the following:
- enhancing your customer experience and improving, developing, and determining tailored products to meet your preferences and needs;
- communicating relevant products or advisories to you;
- showing you relevant ads on and off our services and measuring the effectiveness and reach of ads and services;
- abiding by any safety, security, public service, or legal requirements and processes;
- processing information for statistical, analytical, and research purposes; and
- processing your requests concerning the creation, update, and maintenance of your account
Further, we collect your personal data to the extent necessary to comply with the requirements of the law and legal process, such as legal and regulatory obligations under the Anti-Money Laundering Act (AMLA) and Bangko Sentral ng Pilipinas (BSP) issuances; or to prevent imminent harm to public security, safety or order.
We also need your personal data for statistical, analytical, and research purposes to generate anonymous and aggregated reports.
We collect the following information…
The personal data we collect about you may either be personal information (PI) and/or sensitive personal information (SPI):
- a.) Personal Information (PI) is any information from which the identity of an individual can be reasonably and directly ascertained, or when put together with other information would directly and certainly identify an individual, such as:
||date or birth
||place of birth
||specimen of signature
||address (present and permanent)
||source of fund or income
||employer name or nature or self-employment or business
||contact details (telephone number, mobile, and email address
|mother’s maiden name
||Device ID information
- b.) Sensitive Personal Information (SPI) is any information that falls under the category of personal information with higher security impact which we gather from the supporting documents presented, such as:
|Government-issued IDs and/or other relevant documents
||IDs issued by private companies that are duly registered with the Securities and Exchange Commission (SEC)
||Student IDs for those who are not yet of voting age (below 18 years old)
|cardholder data (card number, CVV/CVC, card expiry date)
||user credentials of the app (username, PIN/MPIN)
||originating IP address, destination IP address and device ID
Our way to collect your personal data…
There are many ways by which we collect your personal data
- We collect your personal data through filled out forms which can either be printed or online or data input via our web and mobile applications (GCash App).
- We also collect your personal data when you use our services via different channels or request your account information.
- For payroll services, we may also use information from our partners and affiliates, like the Human Resource of your company when using GCash as payroll disbursement (PowerPay+ companies) to collect your personal data.
- When we receive your personal data in connection with your exercise of your right to data portability.
Collection of your personal data relies to the fullest extent possible on the original source.
Our need to share your Personal Data…
In cases where we might need to share your personal data, we do it in a secure manner and in compliance with the standard security and technical measures and requirements of the DPA. As part of our organizational security measure, we enter into data privacy agreements to ensure that recipients of your personal data implement reasonable and appropriate organizational, physical, and technical measures.
As part of our operations and the delivery of our offered products and services, there may be times when we are required to disclose your personal data to the following parties:
- GCash Group which shall refer to (i) GXI, (ii) its affiliates and subsidiaries, including Globe Telecom, Inc., Globe Fintech Innovations, Inc., and Fuse Lending, Inc.; and (iii) their respective shareholders, directors, officers, employees, agents, representatives, assigns, and anyone acting under their direction or on their behalf.
- Financial institutions, when mutually offering product(s) and service(s) such as open banking, payment services, etc.;
- Business partners, service providers, and other third-party partners who act on our behalf in helping conduct our business operations and provide you the products and services we offer; and
- Law enforcement and regulatory bodies.
How long do we store your personal data?
In accordance with law, we will use your personal data for as long as necessary to satisfy the purposes for which they were collected or to comply with applicable legal requirements. For the avoidance of doubt, we will only keep a copy of your records based on the assigned retention period per type of record below:
|Type of Record/Category
|Anti-money laundering (AML) and Know Your Customer (KYC) -related records
||These are records that mainly have an impact on the organization’s compliance with BSP regulations.
||Closed accounts - 5 years from date of closure
Transaction records - 5 years from date of transaction in compliance with BSP and AML regulations
||Records containing or pertaining to information of the company’s employees. These include records of employee 201 files - personal bio, medical records, exit interview forms, etc.
||5 years after employee termination, 7 years if employee is not able to complete his/her clearance
|Cardholder data records
||Records containing cardholder data
||Can only be stored while waiting for an authorization
||Legally binding documents between the company and another party such as NDAs, Vendor Agreements, SLAs, etc.
||10 years after termination of contract
|Financial and tax records
||Documents containing financial data of the company.
How do we dispose of your personal data?
Your personal data will be destroyed in an irretrievable and unusable form in adherence to our physical and technical security measures, which are consistent with industry standards. We will initiate disposal as soon as retention is no longer required by existing laws, rules, or regulations.
For paper records containing personal data, they will be securely disposed of through the process of cross-cut shredding. Meanwhile, personal data stored in tapes, hard disks, and other forms of electronic media, will be destroyed such that it will be completely unreadable and cannot be accessed or used for unauthorized purposes through secure wipe solution.
We care about the security and privacy of your personal data…
We recognize the risks involved whenever we process your personal data so that you can establish an e-wallet and avail yourself of various GCash-enabled services. These risks include account takeovers, social engineering, hacking, and others. Considering these risks, we deploy a variety of security measures to protect your personal data, whether in paper or electronic format. In particular, we take reasonable steps to secure your personal data from misuse, interference, loss, unauthorized access, modification, and unauthorized disclosure by implementing security measures within GCash, such as:
- Only authorized personnel have access to these personal data to restrict access.
- We encrypt personal data to keep your data private while being stored and in transit;
- We put in place security controls such as but not limited to the following:
- Adoption of multi factor authentication (“MFA”) which requires users to input the following security credentials in the GCash mobile application:
- One Time Password (“OTP”), which is sent via SMS or text message to the user’s Registered Number; and
- Mobile PIN (“MPIN”), for log in to the GCash application.
- Enabling Biometrics Login of GCash Users
- We conduct assessments of the personal data flows to further enhance the data protection of your personal information.
We establish and enforce additional applicable organizational, physical, and technical security measures that are aligned with industry-recognized standards.
When there is a need for us to store your personal data with a third party data storage provider, we use contractual arrangements to ensure that those providers take appropriate measures that are aligned with our Data Privacy and Information Security Policies.
In addition to the security measures we implement to protect your data, we advise you to stay vigilant and always protect your credentials. Please inform us right away if you think your credentials have been compromised or you became susceptible to the kinds of risks we mentioned earlier. Never share your MPIN or OTP. To learn more about how you can protect your GCash Account, please visit our Help Center.
Automated decision making
We may arrive at a decision by automated means without any human involvement (otherwise known as automated decision making), especially when we evaluate your information to get a sense of your profile as a customer. We perform customer profiling by way of evaluating, analyzing, or predicting your financial preferences, reliability, and behavior. This involves assessing your transaction history, repayments, and account balances in order to predict when you might want to increase an existing credit capability.
You may ask us not to make decisions about you that are based solely on automated processing by exercising your rights. If you do this, certain products and services may not be offered to you.
Under the DPA, you have certain rights regarding the personal data that we hold about you. These rights include the following:
- You have the right to be informed about the personal data processing;
- You have the right to access to the personal data we hold about you;
- You have the right to object to any of the personal data processing provided that the basis is consent or legitimate interest;
- You have the right to suspend, withdraw, or order the blocking, removal, or destruction of your personal data;
- You have the right to claim compensation if you suffered damages if your data privacy rights have been violated;
- You have the right to file a complaint with the National Privacy Commission if you feel that your personal data has been misused or that any of your data privacy rights have been violated;
- You have the right to dispute and have corrected any inaccuracy or error in your personal data; and
- You have the right to data portability. This right allows you to obtain and electronically move, copy, or transfer your data in a secure manner.
We will process all your requests for access, correction, or data portability involving your personal data unless there are legal reasons that would prevent us from doing so. You have the right to ask for a copy of any personal data we hold about you, as well as the right to ask for its correction if you think it is wrong.
As we care about what you think, your feedback, and your requests, you can reach us via email email@example.com (Data Protection Officer) and/or phone 2882 (Customer Care).
We will update this notice from time to time so that we can give you the most up-to-date information concerning the security of your personal data, as well as to keep responsive to data privacy requirements and technology security advancements. We encourage you to check this page regularly to ensure that you remain updated and pleased with any changes we made.