G-Xchange, Inc. Data Privacy Notice
The objective of this statement is to explain how we collect, use, share, retain, dispose, and protect your personal data and how we enable your rights under the Data Privacy Act of 2012 (DPA).
Who is collecting your personal data?
We at G-Xchange Inc. (GCash/GXI) are committed to ensuring that your privacy is secured and protected. We respect your right to know how we process and protect your personal data, which is why we are providing this notice.
Our reason why we collect your Personal Data…
We collect your personal data, without limiting the generality of the purpose, to facilitate your transaction needs and avail yourself of our products and services. These include the following:
- enhancing your customer experience and improving, developing, and determining tailored products to meet your preferences and needs;
- communicating relevant products or advisories to you;
- showing you relevant ads on and off our services and measuring the effectiveness and reach of ads and services;
- abiding by any safety, security, public service, or legal requirements and processes;
- processing information for statistical, analytical, and research purposes; and
- processing your requests concerning the creation, update, and maintenance of your account
Further, we collect your personal data to the extent necessary to comply with the requirements of the law and legal process, such as legal and regulatory obligations under the Anti-Money Laundering Act (AMLA) and Bangko Sentral ng Pilipinas (BSP) issuances; or to prevent imminent harm to public security, safety or order.
We also need your personal data for statistical, analytical, and research purposes to generate anonymous and aggregated reports.
We collect the following information…
The personal data we collect about you may either be personal information (PI) and/or sensitive personal information (SPI):
Our way to collect your personal data…
There are many ways by which we collect your personal data
- We collect your personal data through filled out forms which can either be printed or online or data input via our web and mobile applications (GCash App).
- We also collect your personal data when you use our services via different channels or request your account information.
- For payroll services, we may also use information from our partners and affiliates, like the Human Resource of your company when using GCash as payroll disbursement (PowerPay+ companies) to collect your personal data.
- When we receive your personal data in connection with your exercise of your right to data portability.
Collection of your personal data relies to the fullest extent possible on the original source.
Our need to share your Personal Data…
In cases where we might need to share your personal data, we do it in a secure manner and in compliance with the standard security and technical measures and requirements of the DPA. As part of our organizational security measure, we enter into data privacy agreements to ensure that recipients of your personal data implement reasonable and appropriate organizational, physical, and technical measures.
As part of our operations and the delivery of our offered products and services, there may be times when we are required to disclose your personal data to the following parties:
- GCash Group which shall refer to (i) GXI, (ii) its affiliates and subsidiaries, including Globe Telecom, Inc., Globe Fintech Innovations, Inc., and Fuse Lending, Inc.; and (iii) their respective shareholders, directors, officers, employees, agents, representatives, assigns, and anyone acting under their direction or on their behalf.
- Financial institutions, when mutually offering product(s) and service(s) such as open banking, payment services, etc.;
- Business partners, service providers, and other third-party partners who act on our behalf in helping conduct our business operations and provide you the products and services we offer; and
- Law enforcement and regulatory bodies.
How long do we store your personal data?
In accordance with law, we will use your personal data for as long as necessary to satisfy the purposes for which they were collected or to comply with applicable legal requirements. For the avoidance of doubt, we will only keep a copy of your records based on the assigned retention period per type of record below:
How do we dispose of your personal data?
Your personal data will be destroyed in an irretrievable and unusable form in adherence to our physical and technical security measures, which are consistent with industry standards. We will initiate disposal as soon as retention is no longer required by existing laws, rules, or regulations.
For paper records containing personal data, they will be securely disposed of through the process of cross-cut shredding. Meanwhile, personal data stored in tapes, hard disks, and other forms of electronic media, will be destroyed such that it will be completely unreadable and cannot be accessed or used for unauthorized purposes through secure wipe solution.
We care about the security and privacy of your personal data…
We recognize the risks involved whenever we process your personal data so that you can establish an e-wallet and avail yourself of various GCash-enabled services. These risks include account takeovers, social engineering, hacking, and others. Considering these risks, we deploy a variety of security measures to protect your personal data, whether in paper or electronic format. In particular, we take reasonable steps to secure your personal data from misuse, interference, loss, unauthorized access, modification, and unauthorized disclosure by implementing security measures within GCash, such as:
- Only authorized personnel have access to these personal data to restrict access.
- We encrypt personal data to keep your data private while being stored and in transit;
- We put in place security controls such as but not limited to the following:
- Adoption of multi factor authentication (“MFA”) which requires users to input the following security credentials in the GCash mobile application:
- One Time Password (“OTP”), which is sent via SMS or text message to the user’s Registered Number; and
- Mobile PIN (“MPIN”), for log in to the GCash application.
- Enabling Biometrics Login of GCash Users
- We conduct assessments of the personal data flows to further enhance the data protection of your personal information.
We establish and enforce additional applicable organizational, physical, and technical security measures that are aligned with industry-recognized standards.
When there is a need for us to store your personal data with a third party data storage provider, we use contractual arrangements to ensure that those providers take appropriate measures that are aligned with our Data Privacy and Information Security Policies.
In addition to the security measures we implement to protect your data, we advise you to stay vigilant and always protect your credentials. Please inform us right away if you think your credentials have been compromised or you became susceptible to the kinds of risks we mentioned earlier. Never share your MPIN or OTP. To learn more about how you can protect your GCash Account, please visit our Help Center.
Automated decision making
We may arrive at a decision by automated means without any human involvement (otherwise known as automated decision making), especially when we evaluate your information to get a sense of your profile as a customer. We perform customer profiling by way of evaluating, analyzing, or predicting your financial preferences, reliability, and behavior. This involves assessing your transaction history, repayments, and account balances in order to predict when you might want to increase an existing credit capability.
You may ask us not to make decisions about you that are based solely on automated processing by exercising your rights. If you do this, certain products and services may not be offered to you.