Swyftly

Privacy Policy

Last Updated: May 26, 2026

Swyftly Technologies Inc., operating under the business name Payswyftly ("Swyftly," "Payswyftly," "we," "us," or "our"), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, share, and retain personal information in compliance with the Data Privacy Act of 2012 (R.A. 10173), the rules of the National Privacy Commission (NPC), the Anti-Money Laundering Act (AMLA), the Terrorist Financing Prevention and Suppression Act (TFPSA), and BSP Circular No. 982.

Processing personal information is essential to operating a regulated payment system, performing Know Your Customer (KYC) and Customer Due Diligence (CDD), screening against sanctions lists, and reporting Covered and Suspicious Transactions to the Anti-Money Laundering Council (AMLC) as required by law.

1. Scope and Application

This Privacy Policy applies to all personal information we collect or process in connection with our website, dashboards, APIs, and payment gateway services (collectively, the Services). It applies to the following data subjects:

  • Merchants: Business clients and their authorized representatives, directors, officers, shareholders, and Ultimate Beneficial Owners (UBOs) who use our Services.
  • Customers: End users who initiate or receive payments through our Merchants using our Services.
  • Visitors: Individuals who browse our website, request information, or interact with our marketing channels.
  • Counterparties: Beneficiaries, senders, agents, or other persons whose information is provided to us in connection with a transaction.

2. Information We Collect

Consistent with our KYC/CDD obligations, we collect, store, and process the following categories of information:

Merchant and Entity KYC Data

Information required to onboard and maintain a Merchant relationship, including:

  • Business name, trade name, and primary address.
  • Articles of Incorporation, By-Laws, SEC Registration, General Information Sheet (GIS), BIR Form 2303, and Business Permit.
  • Board Resolution authorizing the engagement, Fund Flow Diagram, and a description of the nature of business.
  • Two (2) valid government-issued IDs of authorized representatives, signatories, directors, and Ultimate Beneficial Owners (UBOs) holding twenty percent (20%) or more of the company's shares.
  • Bank account information used for settlement, including bank certification letters where required.
  • For high-risk Merchants, Enhanced Due Diligence (EDD) information such as audited financial statements, BIR Form 1701 (ITR), organizational structure, partnership agreements, MTPP and KYC/EDD policies, proof of business address (POA) within the last three (3) months, site visit records, sworn certifications, and certification video call recordings.

Individual KYC Data (for Remittance and End Users)

  • Full name, date and place of birth, and nationality.
  • Residential address, contact number, and email address.
  • Government-issued ID details (e.g. passport, driver's license, PRC license).
  • Name of beneficial owner or beneficiary, where applicable (e.g. for remittance or insurance-related transactions).
  • Source of funds, source of wealth, and nature of business or employment.

Transaction Data

Details related to each payment, including amounts, currency, timestamps, payment method, sender and recipient references, settlement records, and reconciliation data.

Customer Payment Information

Information that a Customer provides during a transaction, such as name, contact information, and payment reference IDs. Swyftly does not store complete, unencrypted payment card numbers; sensitive card data is handled by PCI DSS-compliant processors.

Risk and Compliance Data

Information generated by our systems and compliance reviews, including:

  • Customer risk scores and risk classifications (Low, Medium, or High).
  • Politically Exposed Person (PEP) and sanctions screening results against local and international lists, including the Office of Foreign Assets Control (OFAC) list, the European Consolidated List, the United Nations Consolidated List of Terrorists, and the UK-HMT Financial Sanctions List.
  • Records of Covered Transaction Reports (CTRs), Suspicious Transaction Reports (STRs), internal investigations, and related case files.
  • Annual Compliance Update Forms and Ongoing Customer Due Diligence (OCDD) documentation.

Technical and Device Data

IP addresses, device and browser fingerprints, geolocation signals, session logs, and similar telemetry used for fraud analytics, security, and transaction monitoring.

3. How We Use Your Data

We process personal information for the following purposes:

  • Service Delivery: To onboard Merchants, process transactions, perform settlements, and operate the Swyftly payment gateway.
  • Regulatory Compliance: To perform KYC and CDD, identify and verify UBOs, conduct sanctions and PEP screening, monitor transactions, file CTRs and STRs with the AMLC, and comply with directives, freeze orders, and asset preservation orders issued by the AMLC, the Court of Appeals, the BSP, and other competent authorities.
  • Risk Management: To compute and update Client Risk Scores, conduct Enhanced Due Diligence (EDD) and Enhanced Ongoing CDD where triggered (e.g. by changes in entity structure, chargeback rates above 2%, unusual volume spikes, or other risk events), and detect fraud or suspicious activity.
  • Customer Support: To respond to inquiries, resolve disputes and chargebacks, and communicate operational notices.
  • Service Improvement: To analyze usage patterns, improve our products, and enhance the security and resilience of our platform.
  • Legal Defense: To establish, exercise, or defend legal claims, and to comply with subpoenas and lawful court processes.

5. Disclosures and Data Sharing

Swyftly does not sell personal data. We disclose information only as necessary to deliver the Services and to comply with our regulatory and legal obligations.

  • Financial Partners: Acquiring banks, payment networks, and partners (e.g. GCash, Maya, InstaPay, QRPH) required to authorize, clear, and settle a transaction.
  • Verification and KYC Vendors: Identity verification, address verification, document authentication, biometric, and fraud-screening providers engaged under written agreements with appropriate confidentiality and security commitments.
  • Regulators and Authorities: The Bangko Sentral ng Pilipinas (BSP), Anti-Money Laundering Council (AMLC), National Privacy Commission (NPC), Bureau of Internal Revenue (BIR), Securities and Exchange Commission (SEC), law enforcement agencies (e.g. NBI, PNP), and courts of competent jurisdiction, in response to lawful orders, examinations, or our reporting obligations.
  • Third-Party Reliance Partners: Where permitted by law, we may rely on a third party that has performed equivalent KYC/CDD, subject to a written sworn certification and our ability to obtain identification documents from them without delay. Swyftly nonetheless retains full and ultimate responsibility for identifying customers.
  • Service Providers: Cloud hosting, communications, analytics, customer support, and professional advisors (e.g. auditors, legal counsel) who process information on our behalf under appropriate data processing agreements.
  • Corporate Transactions: Counterparties and their advisors in connection with mergers, acquisitions, financing, or reorganizations, subject to confidentiality obligations.

Where personal data is transferred outside the Philippines, we ensure that the transfer is subject to a comparable level of protection through contractual safeguards or other appropriate mechanisms.

6. Data Security Measures

We implement administrative, technical, and physical safeguards to protect your data, including:

  • Security Standards: Adherence to industry best practices for information security and PCI DSS-aligned controls for payment data.
  • Encryption: Industry-standard encryption for data in transit (TLS 1.3) and at rest (AES-256).
  • Access Controls: Role-based access control (RBAC), least-privilege provisioning, and Multi-Factor Authentication (MFA) for administrative systems and the centralized customer records database.
  • Monitoring: 24/7 security monitoring, electronic AML and verification systems, anomaly detection, and regular vulnerability and penetration testing.
  • Personnel Controls: Background checks, confidentiality undertakings, periodic AML/CTF and data privacy training, and an Annual Compliance Acknowledgement signed by all personnel.

7. Data Retention

In compliance with the AMLA, BSP regulations, and the AMLC's Guidelines for the Digitization of Customer Records (DIGICUR Guidelines), customer identification data, account files, and business correspondence are retained for at least five (5) years after the business relationship has ended or the account has been closed.

Records relating to ongoing investigations, pending money-laundering or terrorist-financing cases, or accounts that are the subject of a court case, are retained beyond the five (5) year period until the AMLC Secretariat or competent authority confirms that the case has been resolved, decided, or terminated with finality.

Customer records are digitized from receipt, creation, or opening and stored in a centralized "end-to-end" digital database maintained at our head office, enabling timely and secure submission to the AMLC. After the applicable retention period expires, personal data is securely destroyed or anonymized in line with applicable Data Privacy regulations.

8. Data Breach Protocol

In the event of a personal data breach that is likely to result in a real risk of serious harm, we will:

  • Implement immediate containment, eradication, and forensic investigation measures.
  • Notify the National Privacy Commission (NPC) and affected data subjects within seventy-two (72) hours of knowledge of the breach, in accordance with NPC Circular 16-03.
  • Coordinate with the BSP, AMLC, and other regulators where required, and provide the information necessary to support their oversight.
  • Implement remediation measures and post-incident reviews to prevent recurrence.

9. Your Rights as a Data Subject

Subject to the Data Privacy Act and our legal and regulatory retention obligations, you have the right to:

  • Be Informed: Know whether personal data pertaining to you is being or has been processed, and the purposes thereof.
  • Access: Request reasonable access to your personal information held by us.
  • Rectification: Request correction of inaccurate or incomplete personal data.
  • Erasure or Blocking: Request deletion or blocking of personal data, subject to legal retention requirements (e.g. AMLA's five-year rule).
  • Object: Object to processing based on consent or legitimate interests, where applicable.
  • Data Portability: Receive a copy of your personal data in a structured, commonly used format, where technically feasible.
  • File a Complaint: Lodge a complaint with the National Privacy Commission if you believe your rights have been violated.

Note that records required for AML/CTF reporting, including CTRs, STRs, and related investigation materials, are confidential by law and cannot be disclosed to the data subject. We are also legally prohibited from tipping off any customer about an ongoing or completed STR investigation.

10. Contact Us

For any questions about this Privacy Policy, to exercise your data subject rights, or to reach our Data Protection Officer, please contact us at dpo@swyftly.ph