PRIVACY POLICY
of
Sofi Lending Inc.

This website and other related and authorized digital media accessed through this website (collectively, the “Site”) are owned and managed by Sofi Lending, Inc. (the “Corporation”), its subsidiaries, affiliates, partners and other related entities. The site is a digital platform for providing loans to customers and showing information on the Corporation’s products and services to current and prospective customers.

The Corporation is committed to ensuring that its collection, use and other processing of the personal data, whether provided by individuals, including, without limitations, current borrowers, prospective customers, users of the Site, etc. (each a “User” and collectively, the “Users”), or third parties (sources) is in accordance with the Data Privacy Act of 2012 (“DPA”), its implementing rules and regulations (“DPA IRR”), issuances of the National Privacy Commission (“NPC”) and other applicable laws and regulations on data privacy (collectively, “Data Privacy Legislation”). This Privacy Policy is in furtherance of said commitment to the protection of data privacy rights.

In this Privacy Policy, the Corporation sets out the Terms and Conditions under which it processes the personal data of Users and how such personal data is processed (for instance, stored, used, retained, shared and accessed, among others).

This Privacy Policy is applicable in any of these events: (a) User visits the Site; (b) User submits an application to the Corporation to initiate creation of a user-account and granting a loan; (c) User has a user-account and/or a loan agreement with the Corporation; (d) The User communicates with the Corporation by phone, e-mail, chat or otherwise (irrespective of whether the User has a user-account); (e) User visits Corporation’s premises; (f) Corporation otherwise processes personal data of an individual.

The Users of the Site are required to carefully read, understand, agree and be bound by the provisions described in this Privacy Policy.

A. Identity and contact details of the personal data controller

The Corporation is the personal information controller, which controls the collection, holding, use and other processing of personal data.

Company’s contact details are as follows: telephone: SMART: 09624092454, GLOBE: 09176200773; email: info@finbro.ph; legal address: Unit 1405, East Tower, Philippine Stock Exchange Centre, Exchange Road, Ortigas Center, Pasig City, Metro Manila , website: www.finbro.ph

The Company has appointed a data protection officer (“DPO”), who can be contacted through the following e-mail: dpo@finbro.ph.

B. Sources of personal data

The Corporation collects personal data in two ways:

  1. Receiving directly from the User, when: (a) he/she submits an application for a loan or (b) provides personal data to the Corporation in a different way;
  2. Obtaining personal data from third-party sources which mainly include, but are not limited to, the following:
    1. Other lenders, credit reference and scoring bureaus/agencies,: (for instance, TransUnion; CIBI Information, Inc.; CRIF Corporation, Trusting Social, Finscore Inc., etc.);
    2. Databases maintained by providers of debt collection services;
    3. State information systems/state institutions;
    4. Philippine Lending and Financing Association, Inc. and its members;
    5. Systems created by providers of anti-fraud, anti-money laundering and prevention of terrorism financing services, identification verification services;
    6. Telecommunication companies (for instance, Globe Telecom, Inc.);
    7. Your indicated bank and online banking solutions;
    8. Social network (e.g., Facebook);
    9. Cookies and similar technologies that are used on the Site;
    10. Other personal information controllers/processors or information sources if an appropriate legal basis for acquiring from said personal information controllers/processors or information sources exist.

C. Personal data collected and otherwise processed

When a User creates an account in the Site and/or applies for a loan and/or subsequently enters into a loan transaction with the Corporation, the Corporation may collect and otherwise process the following types of personal data:

  1. Basic/identification data (e.g., full name and surname, personal ID details, date of birth, age, sex, identity document information, including a copy thereof, your photo, citizenship, nationality, place of birth) and sensitive personal data;
  2. Contact information (e.g., residence address, mobile phone number, e-mail address, home phone number, landline number);
  3. Information about employment (e.g., employer’s name and contact information; information about User’s position; length of employment; gross and net salary, employment status, working industry, information about employment capacity);
  4. Bank and bank account details; (e.g., bank name, bank account number; transaction data/history);
  5. Information about the loan/application (e.g., application ID, application date, customer segment, purpose of the loan, loan amount, payment status, term, rate, monthly amortization);
  6. Information about financial situation (e.g., information on existing liabilities and/or debts; amount of income and expenses; loan history, credit score; information on social insurance contributions; purchase history; telco score);
  7. Information about User’s device, when he/she is visiting the Site (e.g., cookie ID, IP address, device type, operating system, etc.) and other information generated from User’s accessing the Site;
  8. Information about civil status and residence status, length of stay at present residence, information about contact person;
  9. Telco Data (including information about phone number and mobile phone usage);
  10. Audio record, where the voice of the User is heard, in case the User contacts the Corporation via phone;
  11. User’s behavior and interaction with the Site (e.g., session records, typing speed, keypresses, mouse clicks, etc.);
  12. Complaint related information if the User submits a complaint to the Corporation;
  13. Video record obtained as a result of video surveillance in the Corporation’s premises;
  14. Other personal data, which is received in course of provision of Corporation’s services and/or cooperation with the User.

D. Purposes of the collection and other processing of the Users’ personal data

The Users’ personal data shall be collected, used, stored and otherwise processed for the following purposes:

  1. To verify the identity of the User and other information provided by the User;
  2. To assess User’s eligibility to use Corporation’s services or products;
  3. To enter into a loan agreement with the User;
  4. To determine whether or not to issue/prolong a loan to a User and the Terms and Conditions of such loan transaction;
  5. To assess User’s creditworthiness (ability to meet obligations under the loan agreement) and determine the credit score; to manage, assess and prevent credit risks;
  6. To contact Users in relation to their Site account, loan agreement, repayment of loan/debt;
  7. For direct marketing purposes (for example, contacting the User by phone and/or sending by e-mail discount offers/other important information about goods/services; preparation of offers addressed directly to the User; organization of the customer loyalty events; usage of cookies; targeting/retargeting; evaluation and research of the customer groups; approaching Users via social networks, etc.). Direct marketing initiatives may be related to the offers/services/products of the Corporation, its affiliates and/or partners;
  8. To analyze customer demographic and behavior for the purpose of improving upon the Corporation’s products and services or the interface and functionality of the Site;
  9. To generate a User’s internal credit score, profile and/or user-account;
  10. To handle User’s complaints;
  11. Credit scoring, data analytics, credit investigation, background check;
  12. For debt recovery purposes (including extrajudicial debt recovery) and for the purposes of assignment of claim;
  13. To comply with applicable laws as well as the orders or regulation of enforcement agencies, judicial and quasi-judicial bodies or other competent government authority;
  14. To ensure the safety of Users and employees/agents of the Corporation;
  15. To ensure security, property protection, prevention and detection of criminal offences;
  16. To ensure information security (including cybersecurity);
  17. To establish, exercise or defend legal claims;
  18. For research and statistic purposes;
  19. Improvement of quality/efficiency of Corporation’s services;
  20. To troubleshoot any problems the User may face when using Corporation’s services;
  21. For controlling content quality, service quality; for evidence storage;
  22. To prevent fraud and illegal activities (including money laundering and terrorism financing);
  23. For creation and maintenance of customer/potential customer, unwanted customer database;
  24. To fulfill the legitimate commercial objectives of the Corporation as an institution engaged in lending activities;
  25. To fulfill any purpose related to the above purposes.

E. Basis of processing

The Corporation processes personal data based on the following bases, as appropriate:

  1. Conclusion and execution of the agreement;
  2. Fulfilment of Corporation’s legal obligations;
  3. Corporate’s legitimate interests;
  4. User’s consent.

F. Types of recipients to whom personal data may be disclosed

The Corporation, in the legitimate conduct of its business and as may relevant for the performance of such business activities, may disclose Users’ personal data to other personal information controllers and/or processors including but not limited to Corporation’s subsidiaries, affiliates, partners and related entities (the “Recipients”), for the fulfillment of any of the purposes enumerated above. Such data disclosure will be covered by an appropriate data sharing or outsourcing agreement, as applicable. Frequency of the disclosure depends on the agreement with the recipient or factual circumstances. Such Recipients include but are not limited to the following:

  1. Corporation’s employees and officials if their job/office duties are related to the personal data processing;
  2. Service providers and other third parties who provide technical, operational, logistical and other support to all functions necessary, desirable to or in any manner related to the business of the Corporation, such as remittance agents, banks and the like;
  3. Collection agencies and their agents for the purpose of collecting on a User’s loan/s and/or debts;
  4. Third-party purchasers of loans contracted with the Corporation by the Users;
  5. Courts, quasi-judicial agencies and tribunals, as a response to an order, subpoena or other legal processes;
  6. Recipients, which operate in the field of lending, credit information and/or debt collection (other lenders, debt recovery service providers, credit bureaus, credit scoring agencies, etc. (e.g., TransUnion. CIBI Information Inc., Trusting Social, CRIF Corporation, Finscore Inc. etc.), telecommunication companies (e.g., Globe Telecom, Inc.);
  7. Philippine Lending and Financing Association, Inc. and its members;
  8. Law enforcement personnel, government agencies and other state entities in the exercise of their investigative or regulatory powers; and
  9. Entities engaged by the Corporation to assist in establishing, exercising or defending legal claims or protecting the Corporation’s rights and assets;
  10. Other Recipients if there is an appropriate legal basis.

G. Storage and retention of Users’ personal data

Users’ personal data will be stored in secure online storage platforms, protected cloud infrastructure and/or on-site hard drives of the Corporation.

The Corporation will retain users’ personal data for as long as the purposes for which they are being processed are not accomplished and/or according to applicable laws.

Personal data may be transferred and/or stored outside the territory of the Philippines. In this case the Corporation will ensure that adequate safeguards are in place and that the processing of the Users’ personal data are in accordance with the Data Privacy Act of 2012, its implementing rules and regulations, National Privacy Commission issuances and applicable laws in the jurisdiction to which the personal data shall be transferred.

H. Protection of Users’ personal data

The Corporation implements the organizational, physical and technical measures provided in the Data Privacy Legislation for the protection of personal data that it processes.

However, the Corporation will not be liable for any damage or loss that the User may suffer as a result of a third party’s use of the User’s account and/or password, either with or without the User’s knowledge, if there is no fault or negligence on the part of the Corporation. The User is responsible for maintaining the confidentiality of his/her own Site account and password, as well as any and all loan applications submitted, obligations agreed to or entered into pursuant to a loan agreement and other related agreements, and all other activities engaged in by the User with the Corporation The User agrees to immediately notify the Corporation of any unauthorized use or disclosure of the User’s account or password, any unauthorized activities done using the User’s account and/or any relevant data breach.

The User may be held liable for any damage or loss incurred by the Corporation in connection with or arising from a third party’s use of the User’s account or password, if there is no fault or negligence on the part of the Corporation.

I. Dispute resolution and lodging a complaint

The Corporation wishes to resolve any dispute in a friendly manner and expects that the User will first address the Corporation, if he/she considers that the processing of his/her personal data is not in compliance with the applicable laws. The User may also submit a complaint to the National Privacy Commission, if he/she considers that the processing of personal data conducted by the Company is inconsistent with the applicable laws on data privacy.

J. Automated decision making and profiling

Before deciding on conclusion of a loan agreement with the User, the Corporation must assess creditworthiness of the User, as well as make sure that the User is not involved in fraudulent activities. In order to perform these actions as quickly, efficiently, objectively and non-discriminatory as possible, the Corporation has developed an IT solution, which allows by automated means: (a) to receive a major part of the necessary information about the User; (b) based on received information, to analyse aspects related to the User, including, to profile (for example, to assess User’s ability to fulfil the agreement and to determine the credit score, assess the reliability of the User, etc.); (c) to make a decision on conclusion/non-conclusion of a loan agreement.

To determine the credit score mainly the economic situation of the User (for instance, amount of monthly income and expenses, amount of existing liabilities, existence and the amount of debt, User credit history, etc.) is evaluated. To determine the credit score, no discriminatory criteria (for instance, gender, national or social origin) are considered.

The IT solution, mentioned above, is regularly tested and, if necessary, improved to ensure fairness, accuracy and impartiality of the decision-making and/or profiling process.

In addition to the abovementioned, automated decision making and/or profiling may be performed, when the User are processed for the purposes of direct marketing (for instance, analysing User service use tendencies, preferences and interests; implementing targeting/retargeting strategies; approaching Users via social network and other communication channels; etc.). As a result, the Corporation aims to improve service experience (for instance, by customizing the display of service on the used device, preparing offers suitable for the User, etc.) and promote its services.

K. Use of cookies

The Site uses cookies and similar technologies. A cookie is a file that is downloaded to the User's device when accessing certain web pages to store and retrieve information about the navigation that is made from that computer. Among other things, cookies and similar technologies allow the storage and retrieval of information about the decisions and habits of the User.

We use cookies and similar technologies to help us understand your preferences based on previous or current site activity, which enables us to provide you with improved services. We also use cookies and similar technologies to help us analyze and compile aggregate data about site traffic and site interaction so that we can offer better site experiences and tools, troubleshoot technical problems and otherwise improve User experience. Furthermore, cookies and similar technologies are used to set and manage our advertising (including targeting/retargeting) activities.

You can choose to have your browser warn you each time a cookie is being used, or you can choose to turn off all cookies and similar technologies. You do this through your browser settings. If you disable cookies, some features will be disabled.

L. Rights of Users as data subjects

Users who provide their personal data through the Site or whose personal data is otherwise obtained by the Corporation are considered data subjects under the Data Privacy Legislation. As data subjects, these users have the right to access the personal data they provided The Corporation, make corrections or modify such personal data, withdraw their consent to the processing of said personal data (if the processing is based on the consent), object to processing, demand that said personal data be erased/blocked, and avail of the right to data portability.

The User must consider that the abovementioned rights are not always absolute. Namely, in individual cases these rights can be limited, and exercise of certain rights depends in fulfilment of certain preconditions under the Data Privacy Act of 2012, its implementing rules and regulations, issuances of the National Privacy Commission and other applicable laws.

Users may avail of their rights by sending a written and signed letter to the Corporation’s business address at Unit 1405, East Tower, Philippine Stock Exchange Centre, Exchange Road, Ortigas Center, Pasig City, Metro Manila The Corporation shall, however, require proof of a data subject’s identity before granting access to their processed personal data. The Corporation reserves the right to take reasonable measures to further confirm a requesting data subject’s identity before granting access or otherwise making any requested changes to the personal data.

For complaints, queries or concerns regarding the processing of a User’s personal data, please do not hesitate to contact:

dpo@finbro.ph

If the Corporation has reasonable doubts about the identity of the individual, who submits any request/complaint, the Company may request to provide additional information/proof, which is necessary for confirmation of the identity of this individual.

M. Consent and Authorization

By ticking off the check box, confirming having read and agreed to the Terms and Conditions and this Privacy Policy you:

  1. Accept the Terms and Conditions and this Privacy Policy and agree to be bound by them;
  2. Acknowledge and consent that your personal data will be processed as described herein;
  3. Certify that all personal data and other information you have provide or will provide is true and correct and understand that any material misstatement and misrepresentation can be used against you and can be a valid ground for disapproval of your application;
  4. Authorize the Corporation perform to processing activities as described herein;
  5. Acknowledge and agree that the Corporation may receive personal information from the abovementioned sources and/or disclose your personal information to the abovementioned Recipients.

This Privacy Policy may be updated from time to time. Please refer to this page to be informed of any changes to this Privacy Policy.