Cashoyo App Privacy Policy

Updated Date: May 9, 2026

Philippine Cashtrout Lending Corporation, a corporation duly organised and existing under the laws of the Republic of the Philippines, doing business under the name and style of “Cashoyo” (“Cashoyo”, “we”, “us” or “our”) takes your privacy very seriously. This privacy policy (this “Privacy Policy”) describes what information we collect from you, the purposes for which we collect and process it, how we use it, who we share it with, how long we retain it, and your rights in relation to it. You should read and understand this Privacy Policy in its entirety.

This Privacy Policy applies in connection with your use of the Cashoyo mobile application (the “Cashoyo App”) and your use of our services through the Cashoyo App or otherwise, including, without limitation, the OGives small-amount, short-term cash credit facility and any other lending, financial, content, advertising, or related services that we may offer from time to time within the Cashoyo App.

1. What personal data does Cashoyo collect and process? From where does Cashoyo collect your personal information?

Cashoyo collects the following personal data (as defined under applicable law), including personally identifiable information. The collection of this data is limited to what is adequate, relevant, suitable, and strictly necessary for our declared, specified, and legitimate purposes, in adherence to the principle of proportionality as required by the Data Privacy Act of 2012 and relevant NPC issuances:

• Identification data (e.g., first name, surname, date of birth, image, biometric data such as facial geometry derived from your selfie photographs and liveness-detection captures for the purposes of identity verification, ongoing authentication, and anti-fraud control, marital status for identity verification and KYC purposes);
• Data provided by you through your responses (e.g., information and documents about your income or employment, your educational attainment, information about your mobile device necessary for assessing your financial capacity and loan eligibility);
• Contact details (e.g., address, phone number, alternate phone number, email address used for communication regarding your application, account, and for legitimate debt collection activities strictly in accordance with ethical standards and legal limits);
• Government-issued identification data and documents (e.g., SSS ID, UMID, Passport, Driver’s License, PhilSys ID collected and processed solely for identity verification, KYC, and fraud prevention as required by law);
• Mobile device specifications (e.g., IMEI, IP address, or other device identifiers, type of device, device operating system, device settings, user account information for your mobile device, the name and network information of your mobile network provider, device specifications such as screen size, resolution, CPU capacity, etc.) collected to ensure device compatibility, security, fraud detection, and to enhance user experience;
• Location data (e.g., mobile device location collected with your explicit consent for fraud prevention, risk assessment, and to tailor relevant services available in your region, limited to what is essential for these purposes);
• SMS – After your explicit authorisation, Cashoyo will collect and analyse designated financial transaction SMS messages on your device — such as bank notifications, payment confirmations, and e-wallet alerts — to evaluate your income and spending patterns for credit assessment. We access only transaction notifications from public financial service providers (identified by their registered sender names or short codes), containing details such as sender name, transaction amount, merchant name, and date. We strictly do not access personal conversations from individual mobile numbers, One-Time Passwords (OTPs), or any verification codes. The collected data will be encrypted and transmitted to https://service.cash-oyo.com. We do not share SMS data with third parties without your explicit consent. This permission is strictly optional and independent of your loan application. You may decline during the authorisation process or revoke permission at any time through Settings > Applications > Cashoyo > Permissions on your device;
• Transaction data and financial information (e.g., loans, payments, loan requests, tax information essential for providing and managing our financial products and services, including loan disbursement and repayment tracking);
• Device behavioural data (e.g., types and nature of mobile applications found on your mobile device collected to derive aggregated and anonymised insights or proportional metadata to enhance our credit scoring models, detect fraud patterns, and improve the overall security and functionality of the Cashoyo App. This data is not used to uniquely identify or profile individual users based on their specific app usage, nor for direct marketing without separate, explicit consent. We strictly avoid collecting data that is not relevant or necessary for our stated purposes);
• Cashoyo App usage (e.g., traffic (volume) data, information about your usage or non-usage of the Cashoyo App used to analyse and improve the performance and usability of the application and its services);
• Information related to your communications with Cashoyo (e.g., your communications with Cashoyo via in-app chat, email, telephone, WhatsApp, Viber, or other channels, used for customer service, application review, dispute resolution, and quality assurance);
• Information provided by you in relation to participation in special offers and promotional activities conducted by Cashoyo (e.g., promo codes, games, contests, discounts, and participation in by-invitation-only groups used solely for the administration of such activities);
• Certain third-party data (e.g., information provided to or from credit reference agencies or bureaus, external collections agencies, mobile network providers, obtained with your consent or where a legitimate interest or legal obligation applies, for creditworthiness assessment, fraud prevention, and debt collection).

Cashoyo collects your personal data from:

• You, when you download the Cashoyo App and/or indicate that you want to apply for credit, providing data directly through the application process and your interactions;
• Your other interactions with us, including information you may voluntarily share with our customer support team or other Cashoyo employees or agents;
• Your mobile device (through the device permissions you explicitly grant, as more fully described below);
• Third-party identity providers (e.g., Facebook, Google, Apple ID), where you choose to register or log in to the Cashoyo App using your account with such providers, in which case we receive limited profile information (such as your name, email address, profile image, and a unique identifier issued by the relevant provider) as authorised by you and the relevant provider, used solely for account creation, authentication, and security;
• Credit reference agencies (who may check your personal data against other databases — public and private — to which they have access) or fraud prevention agencies for credit assessment and fraud detection purposes;
• Third parties and other publicly available sources, with your explicit consent, when it is necessary for the performance of our contract with you or (e.g., we may receive information from other disbursement channel vendors or other business partners such as telecommunications companies and credit scoring service providers that may assist us in providing services to you) when required or permitted by applicable laws and regulations;
• Third parties who communicate with us through the contact information that you provided to us (e.g., character references or guarantors you explicitly provide through separate in-app interfaces, subject to the limitations in this Privacy Policy).

Collection and processing of your personal data by Cashoyo is necessary for the declared, specified, and legitimate purposes of providing Cashoyo’s products and services, assessing your eligibility, mitigating risks, and to comply with applicable legal and regulatory requirements (such as KYC, AML, and consumer protection laws) to which you and/or Cashoyo is subject. Apart from such cases where processing is necessary due to contractual obligations, legal compliance, or our legitimate interests which do not override your fundamental rights and freedoms, we do not collect information without your specific, informed prior consent.

2. What are the purposes for which your personal data is processed? How does Cashoyo use your personal information?

Cashoyo processes your personal data only for declared, specific, and legitimate purposes, necessary for the provision of our products and services, and in compliance with all applicable laws and regulations. We ensure that the processing of your data is proportional to these purposes and not excessive. Your data is processed for the following purposes:

• To assess your eligibility to use our products or services: this includes, but is not limited to, comprehensive credit scoring, assessing your creditworthiness, determining your financial capacity to afford requested products or services, and evaluating your eligibility for additional benefits of an existing product. This is essential to ensure responsible lending;
• To service and manage your account with Cashoyo (including, but not limited to, processing the disbursement of your funds, managing your loan details, and facilitating the collection of your outstanding balance in accordance with your loan agreement and applicable laws;
• To verify your identity and/or other information you provided to us, including through facial recognition, liveness detection, SMS one-time passwords, voice one-time passwords, and other appropriate authentication mechanisms;
• To personalise credit assessment, risk analysis, and implement control measures: This allows us to tailor financial products to your specific profile, manage potential risks effectively, and ensure the stability and security of our lending operations;
• To detect, combat, and prevent fraud, attempted fraud, money laundering, and/or other illegal uses of our services: we employ robust measures to protect our users and our platform from illicit activities, safeguarding the financial ecosystem;
• To analyse customer behaviour: we analyse aggregated and anonymised customer behaviour patterns, including insights derived from device behavioural data (e.g., types and nature of mobile applications found on your device), solely for the purpose of enhancing our credit scoring models, improving fraud detection mechanisms, and optimising the overall user experience and security of the Cashoyo App. This analysis is done without identifying or profiling individual users based on their specific app usage, and strictly adheres to proportionality;
• To administer our systems, maintain service quality, and compile general usage statistics: this ensures the reliable operation of the Cashoyo App and allows us to monitor performance;
• To analyse and continually improve our services and product offerings: your usage data helps us understand how our services are used, allowing us to enhance features, improve efficiency, and develop new products that better serve your needs;
• To troubleshoot any technical problems you or other customers encounter with Cashoyo’s services: this ensures seamless operation and prompt resolution of user issues;
• To comply with applicable laws, regulations, and rules: this includes, but is not limited to, fulfilling obligations related to “know-your-customer” (KYC) requirements, customer verification, transaction monitoring, anti-money laundering (AML), credit-information reporting to the Credit Information Corporation (CIC), and reporting obligations to regulatory bodies;
• To send you marketing or advertising notices or other promotional offers: to the extent you have not objected to the use of your personal data for direct marketing purposes after proper notification, we may send you relevant marketing or advertising notices or other promotional offers about our products and services. You always have the right to opt out of such communications;
• To provide service updates and important notifications: this ensures you are informed about changes to our terms, services, or any critical security alerts;
• To provide staff training: where necessary and with appropriate safeguards, we may monitor or record customer interactions to ensure quality of service and for staff development;
• To interface with credit reference or fraud prevention agencies, necessary for assessing your creditworthiness, reporting credit information, and preventing fraudulent activities;
• To provide customer service or support and to resolve disputes and complaints, this is to address your inquiries, concerns, and resolve any issues effectively;
• To contact you by telephone using autodialed or prerecorded message calls or text (SMS) messages (if applicable): as authorised for the legitimate purposes described in this Privacy Policy, including for account management, loan reminders, and important service notifications.

We process your personal data for the purposes set out above on the following lawful grounds, in compliance with applicable data privacy laws:

• To carry out our obligations to you: this includes fulfilling our responsibilities as a result of any contracts or agreements entered into between you and us (i.e., where processing is necessary for the adequate performance of our contract with you and/or to take steps requested by you prior to entering into a contract with you, such as a loan application);
• To carry out our legal obligations: wherein processing is necessary for compliance with a legal obligation to which Cashoyo is subject under applicable law (e.g., KYC, AML laws, regulatory reporting);
• In connection with our legitimate interest: where processing is necessary for the purposes of the legitimate interests pursued by Cashoyo or by a third party, except where such interests are overridden by your fundamental rights and freedoms. Our legitimate interests include (1) responsibly providing you with credit and/or other financial or technological products or services, (2) operating and expanding our business effectively, (3) marketing our relevant products and services to you and others, (4) administering our systems and (5) keeping our records accurate and up to date;
• With your prior consent: where we have obtained your specific, informed, and explicit consent for a particular processing activity, especially for activities not covered by a contractual obligation, legal compliance, or legitimate interest. You have the right to withdraw your consent at any time, subject to legal or contractual restrictions.

3. Who do we share your personal data with?

• General

Cashoyo is committed to safeguarding your personal data. We will not disclose any information containing your personal data (as defined under applicable law) to any third parties unless it is necessary and/or appropriate for our declared, specified, and legitimate purposes, to provide Cashoyo’s products or services (provided, that, we may share limited personal data (as defined under applicable law) with select partners for research and development). Where research, analytics, or product-development support is needed, Cashoyo shares personal data only with identified service providers or partners under an applicable lawful criterion, data processing or data sharing agreement, and purpose limitation. We adhere to the principles of data minimisation and purpose limitation when sharing your data. Whenever practically feasible, and where the purpose can still be achieved, Cashoyo will only share your personal data with third parties in an anonymised or de-identified format.

You understand and agree that we may, as necessary and/or appropriate for the purposes provided above, transfer and disclose your personal data to the following categories of recipients:

• Employees, subcontractors, agents, service providers, or associates of Philippine Cashtrout Lending Corporation (including directors and officers), who require access to perform their functions and responsibilities in delivering our services and operating our business;
• Bank partners; intermediary, correspondent and agent banks, non-banks, quasi-banks or other financial institutions, clearing houses, clearing or settlement systems, market counterparties, upstream withholding agents, licensed electronic or mobile wallet providers, remittance and transfer companies, credit reference agencies or credit bureaus, such as TransUnion, the Credit Information Corporation (CIC), SKYPAY and its affiliate SKYBRIDGE PAYMENT INC., for purposes of facilitating transactions, assessing creditworthiness, providing customised services upon your consent and need, fraud prevention, and complying with financial regulations;
• Service providers with contractual or fiduciary relationships with Cashoyo (e.g., to facilitate transaction processing, fraud prevention, identity verification, biometric face-matching and liveness detection, cloud data storage or data transfer), who are essential for the technical and operational functioning of our services;
• Telecommunication companies (e.g., Globe, TM, GOMO, Smart, Talk & Text, PLDT, Sun Cellular), where necessary for services like SMS and voice OTP delivery, telecommunications usage data for credit assessment (with your consent), or fraud prevention;
• External collection agencies (to assist in the collection of any unpaid obligations to us). We share only the necessary data required for collection efforts. Cashoyo strictly prohibits external collection agencies from using your personal data, including your photo or any sensitive information, to harass, embarrass, or engage in any unfair, unethical, or illegal collection practices. All our agreements with collection agencies mandate strict adherence to the Data Privacy Act of 2012, its Implementing Rules and Regulations, SEC Memorandum Circular No. 18, Series of 2019 (or its successor issuances), and other relevant consumer-protection laws. For debt collection, external collection agencies may contact only you and, where applicable, guarantors who have expressly consented to assume responsibility for the loan; character references are not to be contacted for debt collection.
• External counsel, external auditors, and consultants, when necessary to resolve disputes or complaints, conduct audits, or ensure legal and regulatory compliance;
• A party in connection with any merger, acquisition, or sale of all or substantially all of the assets of Cashoyo and/or any company within Philippine Cashtrout Lending Corporation;
• A party in connection with any assignment of credit or the creation of a security interest involving outstanding balances owed to Cashoyo, in compliance with applicable laws;
• To other public or private third parties to the extent that:

(1) we have a duty to disclose or share your personal data in order to comply with any legal obligation (e.g., the Credit Information Corporation, the Bureau of Internal Revenue, Bangko Sentral ng Pilipinas, Securities and Exchange Commission),

(2) it is necessary or appropriate to enforce or apply any agreement with you including our Terms and Conditions, and/or

(3) it is necessary or appropriate to protect the rights, property, or safety of Cashoyo, Philippine Cashtrout Lending Corporation, our employees, and/or our customers, including for preventing fraud or addressing security vulnerabilities.

The above parties may also process or disclose your personal data for the purposes set forth above, so long as such processing or disclosure is in compliance with this Privacy Policy, applicable laws, and subject to appropriate data processing agreements and confidentiality clauses.

Further, while we strive to select reputable and reliable partners during our recommendation or referral of third-party products and services and ensure our own practices align with data protection standards, it is important to exercise caution that these third-party products and services are operated under their own distinct privacy statements and practices, which are beyond our control. To further protect yourself, we strongly recommend reviewing the privacy policies of these third parties before providing any personal information to facilitate their products or services. When you navigate away from our Site (which can be determined by checking the URL in your browser’s address bar), any information you consent to provide to these external sites is subject to the Privacy Policy of the respective website operator. We cannot provide any representation or warranty regarding how your information is stored or used on financial partners and third-party servers, and we are unable to take any responsibility in any form for any violation of your information conducted by such financial partners and third-party servers. For personal data that Cashoyo transfers to, or instructs a service provider, partner, or processor to process on Cashoyo’s behalf, Cashoyo remains accountable as required by applicable law and uses contractual or other reasonable means to require comparable protection of the personal data.

Further, Cashoyo may also share your personal data with law enforcement or other government agencies (e.g., National Privacy Commission, National Bureau of Investigation, Philippine National Police) in connection with a formal request, subpoena, court order, or similar legal procedure, or when we believe in good faith that disclosure is necessary to comply with the law, prevent physical harm or financial loss, to report suspected illegal activity, or to investigate violations of our agreements with you.

4. For how long will we retain your personal data?

Your personal data will be stored or retained by Cashoyo only for the period necessary to fulfil the declared, specified, and legitimate purposes for which it was collected, as outlined in this Privacy Policy. This adherence to purpose limitation and data minimisation ensures your data is not kept longer than required. We are required to retain certain personal data for a minimum period of at least five (5) years in compliance with anti-money laundering and terrorism-financing prevention regulations, as well as other specific legal and regulatory obligations to which Cashoyo is subject, notwithstanding deletion requests.

We may also retain your personal data:

(i) for as long as necessary to comply with any other applicable legal or regulatory obligation;

(ii) whenever such retention is expressly authorised by law; and

(iii) for the establishment, exercise, or defence of legal claims or defences.

Information that is no longer needed for the purpose(s) for which it was collected shall be deleted or anonymised, except as necessary to comply with legal obligations.

5. Where do we process, store or transfer your personal data?

We are committed to ensuring that adequate safeguards are in place in accordance with applicable law and/or the Philippine data protection requirements. The safeguards we will use will depend on the circumstances and the party to whom we transfer your personal data. Your personal data may be processed by any of the parties described above, who are also bound by appropriate data protection commitments. Cashoyo employs all reasonable and appropriate organisational, technical, and physical security measures to protect your personal data against accidental or unlawful destruction, alteration, unauthorised disclosure, access, misuse, or any other unlawful processing, as required by applicable law and industry benchmark practices.

Specifically, Cashoyo implements the following security measures to protect your personal data: (a) all data transmitted between your device and our servers is encrypted using HTTPS/TLS protocols; (b) personal data stored on our servers at https://service.cash-oyo.com is encrypted at rest; (c) access to personal data is restricted to authorised personnel on a need-to-know basis, with role-based access controls; (d) we conduct regular security assessments and vulnerability testing of our systems; and (e) we maintain incident response procedures to address any potential data breaches in accordance with the notification requirements of the Data Privacy Act of 2012 and NPC Circular 16-03.

6. Automated decisions and profiling

To provide you with rapid, efficient, and tailored services, we may make certain decisions in relation to our provision of products and services to you by using automated decision-making (ADM) processes, which may involve profiling, in relation to our provision of products and services. These processes operate with limited to no human involvement and are based on the personal data collected about you.

• Credit decisions

When you apply for credit or seek eligibility for our products and services, we will use automated processing to make decisions regarding your application, including whether to lend to you and/or make other decisions about your eligibility for our products and services, based on the personal data collected. This automated processing enables us to provide rapid, responsive, and tailored credit services to customers who may not have traditional credit histories, prior bank or other financial data, or income from formal sources.

Our credit and underwriting models utilise data science and machine-learning technology to process your personal data and assess your creditworthiness. The associated processing of your personal data is automated and little to no human intervention is involved. Using such automated processes to assess your creditworthiness means we may automatically decide that you may be ineligible for our services or ineligible for credit of a particular amount or tenure. Our credit and underwriting models are regularly tested and validated to ensure they remain fair, accurate, unbiased, and compliant with all applicable laws and regulations. The principal categories of data considered include identification/KYC data, transaction and repayment information, fraud indicators, and information from credit reference or fraud prevention agencies. You may request clarification about automated decisions affecting you, subject to legal limits and protection of trade secrets.

• Detecting fraud

Cashoyo also utilises automated processes to detect, combat and prevent fraud, attempted fraud, money laundering, and other illegal uses of our services. Our fraud models may automatically identify patterns or behaviours that indicate that a certain individual poses a fraud or money-laundering risk (e.g., if our processing reveals information or behaviour consistent with money laundering or known fraudulent activity, if the activity is inconsistent with prior activity on our platform or if an individual appears to be hiding their true identity). If our fraud models determine that processing a transaction or approving a certain individual creates a risk of fraud, that individual’s access may be suspended or refused.

7. Your rights as a data subject

As a data subject under the Data Privacy Act of 2012 (DPA) and its Implementing Rules and Regulations (IRR), you are afforded specific rights concerning your personal data. Cashoyo is committed to upholding these rights. You may contact us to exercise your rights as a data subject at support@cash-oyo.com. Please note that there may be occasions when you wish to exercise your rights and we are unable to agree to your request (e.g., because we have compelling legitimate ground for using or processing your personal data or because we need to retain your personal data to comply with a legal obligation).

• Right to be informed

We must provide you with certain information related to how we collect your personal data, details on how we collect, use, and process your personal data (and our legal basis for doing so), who we share your personal data with, where we obtained your personal data, and your rights as a data subject. This information is provided within the Cashoyo App and in this Privacy Policy in clear language.

• Right to access

You may ask for a copy of the personal data (as defined under applicable law) we hold concerning you (and your information related to such personal data), as well as information on how such personal data has been processed and obtained, the names and addresses of the recipients to whom your personal data has been disclosed or transferred, unless providing some or all of it would adversely affect the rights and freedoms of others or applicable law (such as trade-secret protection or a court order) specifically requires that we do not comply with your request for certain highly sensitive or proprietary information. The right to access does not apply to analyses, algorithms or methodologies made by Cashoyo with respect to your personal data, which are proprietary know-hows and trade secrets belonging to Cashoyo.

• Right to rectification

You may ask us to correct any personal data which you believe to be inaccurate. We will promptly update any such personal data. In connection with your request, you may be required to provide supporting evidence or other documentation so that we may verify the accuracy of the request.

• Right to erasure or blocking

You may make requests to us regarding the suspension, withdrawal, blocking, removal, or destruction of your personal data from our systems under certain circumstances. You may ask us to erase your personal data in the following instances:

• If you believe it’s no longer necessary for us to retain such personal data (such as a legal obligation or contractual necessity) for us to continue processing it;
• If you do not believe we have legitimate ground for processing it;
• If you think we are using such personal data for unauthorised purposes;
• If you think applicable law or a court order requires that we do so; or
• If you believe the personal data is incomplete, false, or unlawfully obtained.

To exercise your right to erasure or to request deletion of your account and associated personal data, you may: (a) navigate to Settings > Accounts & Security > Delete Account within the Cashoyo App to initiate an account deletion request; (b) use the account-deletion web resource made available on www.cash-oyo.com or identified in Cashoyo’s Google Play Data safety section, which allows you to request deletion without reinstalling the Cashoyo App. Upon receipt of a valid request, Cashoyo will process your request within five (5) working days, subject to applicable legal retention requirements as described in Section 4 of this Privacy Policy. Please note that account deletion is irreversible and will result in the termination of non-essential active services. You may request deletion without an outstanding loan. Cashoyo may retain and process personal data necessary to service, collect, establish, exercise, or defend claims, or comply with legal and regulatory obligations until the relevant obligation has been fulfilled and the retention period has expired.

• Right to restrict or object to processing

Where the processing of your personal data is based on your consent or our legitimate interest, you may ask us to stop using your personal data (as defined under applicable law) when:

• You think such personal data is inaccurate, incomplete, or unlawfully obtained;
• You think your personal data is used for unauthorised purposes;
• If you don’t want us to destroy such personal data because you need it for legal proceedings, for the fulfilment of a contractual or legal obligation;
• If you’ve informed us that we don’t have a legitimate reason for using it and we’re considering your request.

• Right to data portability

If we’re using your personal data on the basis of your consent or because we need it to carry out our contractual obligations to you, you can ask us to give you your personal data (as defined under applicable law) in a structured, commonly-used and machine-readable format or have it transmitted to another data controller. The right to data portability is limited to data that you provided actively and knowingly, or that you provided by virtue of the use of our services.

• Right to damages

You have the right to be indemnified for damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorised use of your personal data, taking into account any violation of your rights and freedoms as a data subject.

• Right to file a complaint

You have the right to file a complaint with the National Privacy Commission or other relevant government agencies for any violation of your rights as a data subject. Please note that there may be occasions when you wish to exercise your rights and we’re unable to agree to your request (e.g., because we have compelling legitimate grounds for using or processing your information or because we need to retain your information to comply with a legal obligation).

Cashoyo is committed to transparent and responsible management of the permissions you grant us. We will only access your device permissions (e.g., SMS, camera) for the specific, legitimate purposes outlined in this Privacy Policy.

Once the specific purpose for which an application permission was granted has been fulfilled, and where there are no other applicable lawful criteria requiring continuous access to that particular permission for the provision of our services or compliance with legal obligations, the Cashoyo App will:

prompt you through appropriate in-app notices (e.g., just-in-time, pop-up notifications) to inform you that access to the relevant application permission may already be revoked, and guide you on how to turn it off or disallow it through your device settings.

Where technically feasible and aligned with device operating system capabilities, the Cashoyo App will automatically turn off such permissions by default after the purpose is achieved, provided it does not impair essential, ongoing services for which explicit, continued consent or legal basis exists.

8. Advertising and Marketing

If you no longer wish to receive advertising, marketing, or promotional messaging, please contact us at support@cash-oyo.com and we will remove you from such communication lists.

The Cashoyo App may display third-party advertisements served by third-party advertising networks, including, without limitation, Google AdMob. To enable the delivery, frequency capping, measurement, and improvement of such advertisements, these advertising networks may collect and process certain device-level data — such as your advertising identifier (e.g., the Google Advertising ID on Android, or the Identifier for Advertisers on iOS), IP address, coarse location, and basic device information. Such data processing is governed by the privacy policies and terms of the respective advertising networks. You may control or reset your advertising identifier at any time through your device settings, and on iOS-based devices you may decline tracking through Apple’s App Tracking Transparency framework when prompted. Cashoyo does not share your sensitive personal data, your loan application information, your KYC documents, or your financial transaction data with third-party advertising networks for the purpose of advertising personalisation.

9. Consequences of not providing us with your personal data

You are not required to provide us with your information or any associated personal data (as defined under applicable law) and you may withdraw your consent from the use or processing of such information or personal data at any time. However, if you do so, we will be unable to provide our current or future products and services to you, and we reserve the right to terminate our relationship with you, as permitted under applicable law, discontinue our relationship with you as we would be unable to fulfil our contractual obligations.

Further, to the extent we have a legitimate interest in retaining your information and/or associated personal data (as defined under applicable law), we may do so. For example, if you have requested that we erase your information or associated personal data (as defined under applicable law), but you have an outstanding balance with Cashoyo, we may retain your information or associated personal data (as defined under applicable law) in order to continue collection efforts. We are also required to retain your personal data for a period of at least five (5) years in compliance with anti-money laundering and terrorism-financing prevention regulations, notwithstanding requests for deletion.

10. Consent and Authorisation

By downloading the Cashoyo App and clicking “Agree” on the permissions overview screen, you:

• Confirm that you have read, understood, and accept the terms of this Privacy Policy, which comprehensively outlines how your personal data is collected, used, shared, and otherwise processed;
• Acknowledge and agree to Cashoyo’s access to necessary device permissions, as more fully described above and detailed within the permissions overview screen. You understand that access to certain device data is essential for the functionality, security, and credit assessment features of the Cashoyo App;
• Grant your explicit consent to Cashoyo to collect, use, share, or otherwise process your personal data, which may include personally identifiable information, personal information, sensitive personal information (in each case, as defined under applicable law), and biometric data (e.g., facial geometry derived from selfies and liveness-detection captures), for the purposes where consent is the lawful basis as outlined in this Privacy Policy;
• Certify that all personal data you have provided and will provide to Cashoyo is true, accurate, and correct to the best of your knowledge and belief;
• Authorise Cashoyo to verify/investigate the accuracy of your personal data through various means, as necessary for the provision of our services, credit assessment, and fraud prevention;
• Acknowledge that Cashoyo may be required to disclose your personal data to regulatory and governmental bodies such as the Securities and Exchange Commission, Bangko Sentral ng Pilipinas, Anti-Money Laundering Council, Bureau of Internal Revenue, Credit Information Corporation, credit bureaus and/or any other governmental body, in compliance with its legal obligations and in accordance with the principle of proportionality.

11. What device permissions does the Cashoyo App access?

Depending on your device operating system and the version of the Cashoyo App installed on your device, the following device permissions may be accessed by the Cashoyo App. We encourage you to keep your Cashoyo App updated to make sure you can experience the latest and most secure features.

Below are the device permissions Cashoyo may access, along with their purposes:

• SMS – After your explicit authorisation, Cashoyo will collect and analyse designated financial transaction SMS messages on your device — such as bank notifications, payment confirmations, and e-wallet alerts — to evaluate your income and spending patterns for credit assessment. We access only transaction notifications from public financial service providers (identified by their registered sender names or short codes), containing details such as sender name, transaction amount, merchant name, and date. We strictly do not access personal conversations from individual mobile numbers, One-Time Passwords (OTPs), or any verification codes. The collected data will be encrypted and transmitted to https://service.cash-oyo.com. We do not share SMS data with third parties without your explicit consent. This permission is strictly optional and independent of your loan application. You may decline during the authorisation process or revoke permission at any time through Settings > Applications > Cashoyo > Permissions on your device;
• Calendar – Cashoyo requests Write Calendar permission to remind you of repayment due dates on your loans. We will only add and modify calendar events related to Cashoyo. Other events you have set in your device’s calendar will never be read, modified, or deleted;
• Camera – Cashoyo will ask you to upload a photo of your government-issued identification, proof of income, or a selfie for the purpose of identification, identity verification, face recognition, and liveness detection in connection with our KYC and anti-fraud processes. You can choose to take photos on-site (only need Camera permission) or access media library or files to pick a photo (only need Photo permission). Biometric data derived from your selfie or liveness capture is processed solely for identity verification, ongoing authentication, and fraud prevention purposes;
• Contacts – Cashoyo does NOT request the READ_CONTACTS permission and does not access your device’s address book or contact list. Instead, during the loan application process, you will be prompted to manually select and provide one or more personal references or emergency contacts. Only the contact information (name and phone number) that you voluntarily select and submit will be collected, transmitted, and stored. This information is used solely for credit evaluation, identity verification, and for identifying and contacting character references or guarantors for your loan application. Cashoyo has no ability to access, read, or retrieve any contacts from your device beyond those you explicitly choose to provide. Meanwhile, please keep in mind that it is YOUR duty to acquire prior consent from your contact for our connection with such contact. By providing us with your contacts, we assume you have acquired such consent;
• Location – This helps our fraud models verify your identity and detect suspicious activities. Cashoyo also uses this information in its credit and underwriting models to determine whether you are eligible for Cashoyo’s services. We also use location data for research purposes;
• Read phone status and identity – We will collect and use your device ID (advertising ID, BSSID, IMEI, Android ID) to ensure the security of your transactions and payments. Granting this permission will help us check if you are performing sensitive actions on commonly used devices. This will effectively reduce the risk of your account being compromised or unauthorised access.

Third-party SDKs collect some of our non-sensitive device information (for example: IDFV, Android ID, system version, device manufacturer, brand and model, etc.) for statistical and analytical purposes to optimise our experience on Cashoyo. We only allow third-party SDKs to collect non-sensitive data with your explicit consent.

• Run foreground service – This permission is needed by the Cashoyo App to upload photos for KYC processes, ensuring a smooth user experience;
• Run at startup – This allows the Cashoyo App to send notifications to your device upon restart of your device;
• View and change network connectivity – This is used to notify the Cashoyo App when network connectivity changes so that we can determine whether you are connected to internet or not;
• View Wi-Fi connections – Cashoyo uses the IP address and network type of your device to detect and prevent fraudulent activities;
• Receive data from the internet – Cashoyo needs this permission in order to send requests through the app and to allow the app to access the internet;
• Prevent phone from sleeping – This permission is required by some of the features and services within the Cashoyo App, such as in-app messaging;
• Installed Application Information – Cashoyo does not request the QUERY_ALL_PACKAGES permission within the application interface. However, with your explicit consent as provided through this Privacy Policy, Cashoyo may collect and analyse non-sensitive application identifiers from your device for the purposes of fraud prevention, cybersecurity risk assessment, and credit evaluation. This process involves comparing installed application identifiers against a list of known malware or suspicious applications to detect whether your financial transaction environment is safe. Cashoyo does not have access to any private content within other applications. Unmatched applications are not visible to Cashoyo. The collected data is encrypted and transmitted to https://service.cash-oyo.com and will not be shared or sold to third parties in any form.

12. General

If you have questions about this Privacy Policy or about your rights as a Data Subject, you can contact our Data Protection Officer at:

Cansionere, Ramilia Ann — Data Protection Officer — Philippine Cashtrout Lending Corporation

4/F Kings Court 1 Building, 2129 Chino Roces Ave., Pio del Pilar, Makati City, Metro Manila, Philippines

Email address: support@cash-oyo.com

To improve and continue our services to you and to comply with data privacy regulations that may be issued from time to time, this Privacy Policy may be updated. You can check the latest version by visiting www.cash-oyo.com and clicking “Privacy Policy” at the bottom.

13. Others

When you activate the use, we will collect your device information (IDFV, Android ID, operating system, device model, device manufacturer, system version, etc.) through ThinkingData for statistical analysis of your use effect in the app.

Additionally, your personal data may be collected, used, processed, stored, accessed, updated, shared, transferred or disclosed to the credit-insights service provider/s using the subscriber data obtained from Mobile Network Operators, such as but not limited to, Globe Telecom, Inc., for the purpose of “telco score” using telecommunications usage data. The credit scoring (telco score) and analytics between Cashoyo and credit-insights service providers are conducted for the purpose of credit evaluation related to your credit application and maintenance thereof.

Statement on SMS Read Permission

Cashoyo reads financial transaction SMS on your device — such as bank notifications, payment confirmations, and e-wallet alerts — to analyse your income and spending patterns.

What we access: Transaction notifications from financial service providers — such as banks, payment services, and e-wallets (identified by their registered sender names or short codes) — containing details such as sender name, transaction amount, merchant name, and date.

What we NEVER access: Personal conversations, messages from individual phone numbers, or one-time passwords (OTPs).

Why it matters: This analysis helps us determine a credit limit or loan amount that matches your actual financial situation, especially for users with limited formal banking history.

Your data is encrypted and stored on https://service.cash-oyo.com. We never share SMS data with third parties without your explicit consent.

This permission is optional. Tap “Skip” to continue without SMS analysis, or revoke it anytime in Settings > Apps > Cashoyo > Permissions.

Statement of Applying for Installed Application Permission

Note: As of early 2026, the QUERY_ALL_PACKAGES permission has been removed from the Cashoyo App’s runtime permission requests. The following statement is retained for transparency purposes to describe how Cashoyo may process installed application information with your consent as provided through this Privacy Policy, and to ensure continuity of disclosure for users who previously granted this permission.

Please allow Cashoyo to compare the installed applications on your device with a list of suspected malware/viruses to detect whether your financial transaction or credit application environment is safe.

Therefore, Cashoyo needs to upload and analyse the NON-SENSITIVE application identifiers matched in the above process to protect Cashoyo from any cybersecurity risk. Cashoyo does not have access to any of your private content in other applications. Unmatched apps will not be visible to Cashoyo to protect your privacy. In this way, Cashoyo can warn you of the risk of privacy leakage before you enter the password or key information such as your ID number.

We strongly recommend that you agree to this authorisation. If you choose not to authorise after fully understanding, you will not be able to use Cashoyo’s core financial functions or other major functions, such as applying for credit or a loan.

After your explicit authorisation, Cashoyo will encrypt and upload the above information to https://service.cash-oyo.com securely. These data will not be shared or sold to third parties in any form.

Statement of Applying for Contacts Permission

To accurately evaluate your personal credit and to identify and contact character references or guarantors for your loan application, Cashoyo provides an in-app mechanism for you to manually select and submit one or more personal references or emergency contacts.

Cashoyo does NOT request the READ_CONTACTS permission and does not access, read, or retrieve your device’s address book or full contact list. Only the specific contact information (name and phone number) that you voluntarily select and provide through the application interface will be collected, transmitted using HTTPS encryption, and stored on our servers.

Your selected contact information will only be stored and used for credit evaluation and for identifying and contacting character references or guarantors. Cashoyo will NOT access or collect any contact data from your device beyond what you explicitly choose to submit. Your selected contacts will NOT be shared or sent to third parties under any circumstances except as otherwise explicitly consented to by you within this Privacy Policy (e.g., for data sharing with financial partners or for specific outsourced collection efforts where relevant and separately authorised).

You may choose not to provide contact references. However, please be aware that providing emergency contacts is often essential for verifying your creditworthiness and for account security. Without such information, you may not be able to use certain Cashoyo financial services, such as applying for a credit limit.

If you wish to revoke historical authorisations and erase all your personal information, please contact support@cash-oyo.com. We will process your application within five (5) working days.