PJF Loan PRIVACY POLICY

Effective Date: Feb 02, 2026

1. Introduction, Legal Basis, and Scope of Application

PJF LENDING INC. (“PJF Loan,” “we,” “our,” or “us”) is a lending company duly incorporated, registered, and authorized to operate in the Republic of the Philippines. Our operations are conducted in full compliance with all applicable Philippine laws and regulations, including but not limited to Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012, its Implementing Rules and Regulations (IRR), relevant issuances of the National Privacy Commission (NPC), and applicable regulations issued by the Securities and Exchange Commission (SEC) and other competent authorities.

This Privacy Policy sets out in detail the manner in which we collect, use, process, disclose, retain, and protect personal data and sensitive personal information obtained from users who download, access, or otherwise use the PJF Loan mobile application and related digital platforms (collectively, the “Services”). This policy applies to all forms of information collected directly from users, automatically through system interactions, or indirectly through authorized third-party service providers acting on our behalf.

By installing, accessing, or using the PJF Loan application, you expressly acknowledge that you have carefully read, fully understood, and voluntarily agreed to the terms of this Privacy Policy. You further confirm that you freely and expressly consent to the collection, processing, storage, and disclosure of your personal data as described herein. If you do not agree with any part of this Privacy Policy, you must immediately discontinue the use of the application and related services.

2. Categories of Information We Collect

We collect only such personal data as is reasonably necessary for the performance of our services, compliance with legal and regulatory obligations, risk management, and the protection of our legitimate business interests.

2.1 Identity and Core Personal Information

For purposes of identity verification, regulatory compliance, and fraud prevention, we may collect and process the following information:

Full legal name exactly as it appears on a valid government-issued identification document

Date of birth for age verification and eligibility determination

Gender and nationality, where required for regulatory reporting

Type, number, issuing authority, and expiration date of government-issued identification (including but not limited to UMID, passport, or driver’s license)

High-quality and legible images of the front and back of the submitted identification documents

Such information is used strictly for lawful verification purposes and is processed in accordance with data minimization principles.

2.2 Contact Details and Residential Address Information

To enable communication, verification, and service delivery, we may collect:

Current and complete residential address

Supplemental address descriptors, including street name, house or unit number, barangay, city, and province

Active mobile phone number registered under the user’s name

Valid and accessible email address used for service notifications and correspondence

2.3 Personal Background and Demographic Information

Where reasonably necessary, we may request:

Marital status

Highest educational attainment

This information may assist in internal risk profiling and service optimization but is not used as a sole determining factor in any decision-making process.

2.4 Employment, Occupation, and Income Information

To evaluate repayment capacity and financial stability, we may collect:

Current employment or business status

Employer or business name, industry, and address

Job title, role description, or nature of business

Length of employment or operational history

Salary or income disbursement schedule

2.5 Financial Background Information

We may collect limited financial indicators, including:

Existence and number of active credit cards

Declared monthly income range

Ownership status of assets or property

Current financial obligations, where voluntarily disclosed

2.6 Emergency Contact Information

For contingency and verification purposes, users may be required to provide:

Full name of at least one emergency contact

Relationship between the user and the emergency contact

Emergency contact information is used strictly for verification and risk mitigation purposes.

3. Device Permissions and Data Access

To ensure proper functionality, security, and compliance, the PJF Loan application may request access to certain device features.

3.2 Camera & Media Access

Purpose of Use:

With your explicit authorization, we may request access to your device’s camera and media storage features strictly for legitimate and necessary business purposes, including but not limited to the following:

To conduct identity verification procedures in order to confirm that the applicant is a real and lawful user, and to prevent identity theft, impersonation, or other fraudulent activities;

To capture or upload images of valid, government-issued identification documents as part of customer due diligence, identity authentication, and regulatory compliance requirements;

To allow the submission of required supporting documents related to service eligibility, risk assessment, and application processing;

To assist in verification processes or customer support inquiries where visual confirmation is necessary to resolve issues or complete service requests.

Processing Principles:

All images, photos, or media files obtained through camera access or selected from your device are collected and used solely for the specific purposes stated above and will not be used for any unrelated activities;

We do not activate or access your device’s camera without your prior knowledge and explicit consent, and no image or media content is captured in the background;

Reasonable administrative, technical, and physical security measures are implemented to protect image data during transmission and storage, preventing unauthorized access, disclosure, alteration, or misuse;

Image and media data are retained only for the minimum period necessary to fulfill business, legal, and regulatory obligations, after which such data will be securely deleted, anonymized, or otherwise disposed of in accordance with applicable laws;

You may exercise your rights under applicable data protection laws to access, correct, or request deletion of your personal data collected through camera and media access, subject to legal retention requirements.

3.3 Device and Technical Information

Collected Data Includes:

Device model and operating system version

Network carrier and technical identifiers

Encrypted device identifiers

This information supports system security, fraud prevention, and technical troubleshooting.

3.4 Network Connectivity Information

We may collect limited network-related data, such as connection type and signal quality, solely for service optimization purposes. We do not collect WiFi passwords or monitor specific network names.

3.5 Advertising & Analytics Identifiers

Purpose of Use:

With your explicit consent and in accordance with applicable laws and platform requirements, we may process advertising and analytics identifiers for legitimate operational and analytical purposes, including but not limited to the following:

To perform data analytics, attribution measurement, and statistical analysis related to app installation, usage behavior, and feature engagement;

To evaluate the effectiveness of marketing campaigns and promotional activities through aggregated and anonymized performance metrics;

To manage advertisement delivery frequency, reduce repetitive content, and improve the relevance of in-app promotional information;

To support internal product optimization, user experience improvement, and service performance

4. Purposes of Processing Personal Data

We process personal data for legitimate, specific, and lawful purposes, including but not limited to:

Evaluation of applications and eligibility

Credit risk analysis and repayment capacity assessment

Fraud detection, prevention, and investigation

Compliance with legal, regulatory, and reporting obligations

Improvement of application performance and service quality

Customer support, dispute resolution, and communication

Marketing and analytics activities, where consent has been obtained

5. Disclosure and Sharing of Information

We do not sell personal data. Information may be disclosed only under strictly controlled circumstances, including sharing with authorized service providers, regulatory authorities, or in connection with lawful business transfers.

6. Data Storage, Retention, and Security Measures

To ensure the security, confidentiality, and integrity of users’ personal data, we implement multiple layers of administrative, technical, and physical safeguards throughout the data storage, processing, and access lifecycle. These measures include, but are not limited to, the following:

Data Storage and Encryption:

All personal information, government-issued ID images, financial data, and transaction records submitted by users are transmitted over secure, encrypted channels (e.g., HTTPS/SSL);

Server-stored data is encrypted at rest using industry-standard encryption protocols to prevent unauthorized access and data breaches;

Access to databases and storage systems is strictly controlled and limited to authorized personnel within the scope of their duties.

Access Control and Permissions Management:

Employee access rights adhere to the “least privilege” principle, ensuring that staff can only access data necessary for their work responsibilities;

All access activities are logged for auditing purposes, allowing traceability and post-event review;

Periodic internal training and security reviews are conducted to maintain staff awareness and compliance with data protection protocols.

Physical and Environmental Security:

Data centers meet national and international security standards and are equipped with fire protection, intrusion prevention, and environmental monitoring systems;

Only authorized personnel are permitted to access data center facilities, with all entries authenticated and recorded.

Data Backup and Disaster Recovery:

Critical data is regularly backed up and stored in secure, controlled secondary systems;

A comprehensive disaster recovery plan is in place to ensure rapid service restoration and data integrity in the event of system failures or unforeseen incidents.

Data Retention and Secure Disposal:

Personal data is retained only for the minimum period necessary to fulfill the stated business purposes, comply with applicable laws, or meet regulatory requirements;

Once the retention period expires or the business relationship ends, data is securely deleted, anonymized, or otherwise disposed of in accordance with applicable regulations;

Deletion or anonymization processes follow strict protocols to ensure that data cannot be recovered.

Ongoing Monitoring and Improvement:

System security and data access activities are continuously monitored to detect anomalies or unauthorized activity;

Regular security risk assessments and compliance audits are conducted, and security measures are updated based on evolving laws, regulations, and industry best practices.

Through these measures, we are committed to safeguarding users’ personal data to the greatest extent possible, preventing unauthorized access, disclosure, loss, or misuse, and ensuring the confidentiality, integrity, and availability of all information processed by our services.

7. Third-Party Software Development Kits (SDKs)

Our application integrates third-party SDKs such as AppsFlyer, Advance.AI, and Firebase strictly for analytics, identity verification, and performance monitoring purposes. All SDKs are subject to due diligence and contractual data protection obligations.

8. Data Retention Periods

Personal data is retained only for as long as necessary to fulfill the purposes outlined in this policy or as required by applicable laws.

9. Data Subject Rights

Users may exercise their rights to access, correction, deletion, objection, and data portability in accordance with the Data Privacy Act of 2012.

10. Account Deletion

Account deletion requests may be submitted through in-app functions or customer support, subject to identity verification.

11. Children’s Privacy

Our services are intended exclusively for individuals aged 18 years or older. We do not knowingly collect data from minors.

12. Amendments to This Policy

We reserve the right to amend this Privacy Policy as necessary. Material changes will be communicated through appropriate channels.

13. Contact Information

Company Name: PJF LENDING INC.

SEC Registration No.: CS201917524

Certificate of Authority No.: 3143

Email: leakayemartinez@pjflending.com

14. User Acknowledgment and Consent

By continuing to use the PJF Loan application, you confirm your understanding of and agreement to this Privacy Policy and consent to the lawful processing of your personal data.