meryph Privacy Policy

For the purposes of the Data Privacy Act of 2012 and this Privacy Policy, meryph is the Personal Information Controller (PIC) with respect to the personal data collected from users of the meryph.vip platform. meryph is the entity that determines the purposes and means of processing personal data obtained through the platform.

meryph operates under a license issued by the Philippine Amusement and Gaming Corporation (PAGCOR). Our operations are subject to PAGCOR's regulatory oversight, including its data governance requirements applicable to licensed online gaming operators.

For all data privacy-related inquiries, requests, and complaints, please refer to Section 13 of this Privacy Policy for contact information for our designated Data Protection Officer (DPO).

meryph collects the following categories of personal data in connection with the operation of the platform and its regulatory obligations. Data collection is guided by the principle of proportionality — we collect only what is necessary for the purposes identified in Section 4.

meryph collects personal data through the following means:

Data you provide directly when you: (a) register for a meryph account; (b) complete identity verification (KYC); (c) make deposits or submit withdrawal requests; (d) contact customer support via live chat or email; (e) participate in promotions or surveys; or (f) update your account profile or settings.

Data collected automatically when you access or use the meryph platform, including through: cookies and similar tracking technologies; server logs recording IP addresses, access timestamps, and device information; platform analytics tools that record gameplay behavior and navigation patterns; and fraud detection systems.

meryph may receive personal data about you from third parties where this is necessary for platform operations, including: KYC and identity verification service providers; payment processors and e-wallet providers (GCash, Maya, BPI, BDO, Metrobank, Coins.ph, 7-Eleven); and fraud screening and AML compliance services. Data received from third parties is handled in accordance with this Privacy Policy and applicable law.

meryph processes your personal data only for specified, explicit, and legitimate purposes. The following table outlines our processing purposes and the legal basis for each under the Data Privacy Act of 2012:

• Account Registration and Management: Processing is necessary to fulfill our contractual obligations to you as a registered meryph player, including managing your account, processing logins, and maintaining your gaming wallet.
• Identity Verification (KYC): Processing is required to comply with PAGCOR's Know-Your-Customer (KYC) requirements and the Anti-Money Laundering Act (AMLA), both legal obligations applicable to meryph as a licensed gaming operator.
• Transaction Processing: Processing is necessary to execute deposits, withdrawals, and all in-platform financial transactions in compliance with our contractual obligations and applicable financial regulations.
• AML and Fraud Prevention: Processing is a legal obligation under the Anti-Money Laundering Act (AMLA), PAGCOR requirements, and is also in the legitimate interests of meryph and its players in preventing financial crime and protecting account security.
• Responsible Gaming Monitoring: Processing is required by PAGCOR's responsible gaming regulations to monitor for at-risk gaming behavior, enforce self-exclusion requests, and maintain compliance with the platform's responsible gaming obligations.
• Customer Support: Processing is necessary to fulfill our contractual obligation to provide support services to registered meryph players.
• Platform Security and Fraud Detection: Processing is in the legitimate interests of meryph and its users to maintain platform integrity and prevent unauthorized access.
• Marketing Communications: Processing is based on your freely given, specific, informed consent, which may be withdrawn at any time.
• Regulatory Reporting: Processing is a legal obligation under PAGCOR's reporting requirements and the AMLA, including submission of Covered Transaction Reports (CTRs) and Suspicious Transaction Reports (STRs) to the Anti-Money Laundering Council (AMLC).

meryph does not sell, rent, or trade your personal data to any third party. Personal data may, however, be disclosed to the following categories of recipients where necessary and lawful:

meryph is legally required to disclose personal data to government authorities in the following circumstances:

• PAGCOR: As the licensing and regulatory authority for meryph's gaming operations, PAGCOR may request player data as part of its regulatory oversight and audit functions.
• Anti-Money Laundering Council (AMLC): meryph is required to file Covered Transaction Reports (CTRs) for transactions meeting or exceeding prescribed thresholds, and Suspicious Transaction Reports (STRs) as required by the AMLA.
• National Privacy Commission (NPC): In the event of a reportable personal data breach, meryph will notify the NPC within the prescribed timeframe under R.A. 10173.
• Courts and Law Enforcement: meryph will disclose personal data where required to comply with a valid court order, subpoena, or lawful request from a Philippine law enforcement authority.

meryph engages third-party service providers who act as Personal Information Processors (PIPs) under the Data Privacy Act. These providers process personal data only on meryph's instructions and for the purposes specified by meryph, and are subject to data processing agreements that impose data protection obligations consistent with R.A. 10173. Categories of service providers include:

• Identity verification and KYC providers;
• Payment processors and e-wallet platforms (GCash, Maya, BPI, BDO, Metrobank, Coins.ph);
• Cloud hosting and data storage providers;
• Customer support platform providers;
• Fraud prevention and cybersecurity service providers;
• AML screening and compliance tools.

meryph's third-party game providers (such as Pragmatic Play, PG Soft, and other studios) may receive anonymized or pseudonymized session data necessary for game delivery and technical support. These providers do not receive personally identifiable information beyond what is strictly necessary for game delivery.

meryph uses cookies and similar tracking technologies to operate the platform, authenticate user sessions, prevent fraud, and improve the user experience. The following categories of cookies are used on meryph.vip:

• Strictly Necessary Cookies: Required for core platform functionality, including secure login sessions, account authentication, and transaction processing. These cookies cannot be disabled without impairing platform functionality.
• Performance and Analytics Cookies: Used to collect anonymized data about how users interact with the meryph platform — which pages are visited, how long sessions last, and where errors occur. This data is used to improve platform performance and user experience.
• Functional Cookies: Used to remember your preferences, such as language settings and responsible gaming tool configurations, to provide a more personalized experience.
• Security Cookies: Used for fraud detection, bot detection, and to maintain the security integrity of user sessions and transactions.

By using the meryph platform, you consent to the use of strictly necessary and security cookies. For non-essential cookies, you may adjust your browser settings to decline cookies; however, disabling cookies may affect the availability or performance of some platform features.

meryph retains personal data for as long as is necessary to fulfill the purposes for which it was collected, to comply with our legal and regulatory obligations, and to resolve any disputes or enforce our agreements. Specific retention periods are governed by the following considerations:

• Account and KYC Data: Retained for the duration of the account relationship and for a minimum of five (5) years following account closure, in compliance with PAGCOR's record-keeping requirements and AMLA's data retention obligations for covered entities.
• Transaction Records: Financial transaction data is retained for a minimum of five (5) years as required under Philippine AML regulations and PAGCOR's record-keeping rules.
• Gaming Activity Logs: Session and gameplay records are retained for a minimum of three (3) years following the last recorded activity, or as otherwise required by PAGCOR.
• Customer Support Records: Support communications are retained for three (3) years following the resolution of the relevant query or complaint.
• Marketing Data: Marketing preference data and associated communications records are retained until consent is withdrawn, plus a reasonable period thereafter for compliance documentation purposes.

meryph implements appropriate organizational, technical, and physical security measures to protect personal data against accidental or unlawful destruction, alteration, disclosure, or unauthorized access. Our security framework includes:

• Encryption: All data in transit is encrypted using TLS 1.3 (256-bit SSL). Personal data at rest is encrypted using AES-256 encryption standards.
• Access Controls: Personal data is accessible only to authorized meryph personnel and service providers on a strict need-to-know basis. Role-based access controls (RBAC) are implemented and regularly audited.
• Authentication: Multi-factor authentication (MFA) is required for meryph operational personnel who access systems containing personal data.
• Penetration Testing: meryph's platform infrastructure undergoes regular security assessments and vulnerability scanning.
• Incident Response: meryph maintains a documented data breach response plan consistent with the NPC's requirements under R.A. 10173. In the event of a reportable breach, affected data subjects and the NPC will be notified in accordance with prescribed procedures and timelines.
• Staff Training: meryph personnel with access to personal data receive regular data privacy and security training.

While meryph takes reasonable and proportionate measures to protect your personal data, no method of electronic transmission or storage is 100% secure. meryph cannot guarantee absolute security and will notify you promptly if a breach affecting your personal data occurs.

Under Republic Act No. 10173 (Data Privacy Act of 2012), you have the following rights with respect to your personal data processed by meryph. You may exercise any of these rights by contacting our Data Protection Officer as described in Section 13.

The meryph platform is strictly for individuals who are 21 years of age or older, in compliance with Philippine law and PAGCOR regulations governing online gaming. meryph does not knowingly collect, process, or retain personal data from individuals under the age of 21.

Age verification is a mandatory step in the meryph account registration and KYC process. Any account found to belong to an individual under 21 years of age will be immediately and permanently closed, and any remaining balance will be handled in accordance with our terms and applicable regulatory requirements.

If meryph becomes aware that it has inadvertently collected personal data from an individual under the age of 21, that data will be promptly deleted from our systems, and the relevant regulatory authorities will be notified where required.

If you are a parent or guardian and believe that a minor in your care has registered on the meryph platform, please contact our Data Protection Officer immediately at [email protected].

meryph's primary operations, data storage, and processing infrastructure are based in the Philippines. However, certain service providers engaged by meryph — including cloud infrastructure providers, KYC verification platforms, and game content providers — may be located in or operate infrastructure in other countries.

Where personal data is transferred outside of the Philippines, meryph ensures that such transfers are conducted in compliance with Section 21 of R.A. 10173 (cross-border data flow provisions) and the NPC's applicable rules. Specifically, meryph will: (a) confirm that the recipient country provides an adequate level of data protection; (b) enter into binding data processing or data transfer agreements with the recipient entity; or (c) obtain your prior consent where required.

meryph does not transfer personal data to jurisdictions that are determined by the NPC to be lacking in adequate data protection safeguards without first implementing appropriate contractual or technical safeguards.

meryph reserves the right to update, revise, or replace this Privacy Policy at any time to reflect changes in our data processing practices, regulatory requirements, or platform operations. The effective date of the current version is displayed at the top of this page.

When material changes are made to this Privacy Policy — changes that meaningfully affect your rights or how your data is processed — meryph will notify registered users by email to the address on file and/or by posting a prominent notice on the meryph platform. The notification will describe the nature of the change and, where required by law, will request fresh consent.

Your continued use of the meryph platform after the effective date of a revised Privacy Policy constitutes your acknowledgment and, where applicable, your consent to the updated terms. If you do not agree to the revised Privacy Policy, you should cease using the platform and request account closure.

meryph has designated a Data Protection Officer (DPO) as required under Section 21(a) of the Implementing Rules and Regulations of R.A. 10173 for personal information controllers that process personal data of at least 1,000 individuals, and as applicable to licensed gaming operators under PAGCOR's data governance requirements.

To exercise your data subject rights, submit a privacy-related inquiry, report a suspected data breach, or file a privacy complaint with meryph, please contact our Data Protection Officer through the following channels:

• Email: [email protected] — please mark your subject line "Data Privacy Request – [Your Full Name]"
• Live Chat: Available 24 hours a day, 7 days a week, through the meryph platform (accessible after login)
• Response Time: meryph will acknowledge receipt of your request within five (5) business days and provide a substantive response within thirty (30) calendar days

For unresolved complaints or to escalate a data privacy concern, you may contact the National Privacy Commission of the Philippines at: 5th Floor Delegation Building, PICC Complex, Vicente Sotto St., Pasay City, Metro Manila, Philippines.