Salmon Privacy Notice

(for App User - Clients)


FHL FINANCING COMPANY, INC. (“SALMON”) complies with the Data Privacy Act of 2012 (the “DPA”), its Implementing Rules and Regulations (“IRR”), and such other rules and regulations issued by the National Privacy Commission and other relevant regulators (collectively, the “Applicable Privacy Laws”) and other relevant issuances of the Philippines. SALMON is committed to respecting its customers’ privacy rights and protecting their Personal Data from misuse or unauthorized disclosure. Thus, SALMON is providing this application privacy notice (this “Privacy Notice”) in accordance with the Applicable Privacy Laws.


I. IDENTITY AND CONTACT DETAILS OF THE CONTROLLER

Controller: FHL FINANCING COMPANY, INC. (“SALMON”)

Address:12th Floor, Four/NEO Building, 4th Avenue corner 30th Street, Bonifacio Global City, Taguig City, Metro Manila

Data Protection Officer (“DPO”): [email protected]


II. DEFINITIONS

For purposes of this Privacy Notice, all of the definitions in the Applicable Privacy Laws are adopted verbatim unless otherwise provided:

a. “Applicable Privacy Laws” refers to the Data Privacy Act of 2012 (the “DPA”), its Implementing Rules and Regulations (“IRR”), and such other rules and regulations issued by the National Privacy Commission and other relevant regulators;

b. “Ambassadors” refers to brand ambassadors who are independent contractors and have signed a contract with SALMON for the promotion of SALMON’s financial products and/or services;

c. “Clients” refers to natural persons who applied for a financial product and/or service with SALMON and got approved by SALMON;

d. “Controller” or “Personal Information Controller” refers to a natural or juridical person, or any other body who controls the processing of Personal Data, or instructs another to process Personal Data on its behalf. The term excludes: (i) A natural or juridical person, or any other body, who performs such functions as instructed by another person or organization; or (ii) A natural person who Processes Personal Data in connection with his or her personal, family, or household affairs. Control is present if the natural or juridical person or any other body decides on what Personal Data is collected, or the purpose or extent of its Processing;

e. “Covered Persons” means all entities defined as covered persons under the Anti-Money Laundering Act of 2001, the Terrorist Financing Prevention and Suppression Act, the Anti- Terrorism Act of 2020, and all other related issuances;

f. “Data Subject” means refers to an individual whose Personal, Sensitive Personal, or Privileged Information is Processed;

g. “Merchants” refers to partners/merchants which signed retailer agreements with SALMON;

h. “Personal Data” refers to all types of Personal Information, including Sensitive Personal

Information and Privileged Information;

i. “Personal Information” refers to any information whether recorded in a material form or not,

from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual;

j. “Potential Clients” means a natural persons who submitted or desire to submit an application for a financial product and/or service with SALMON;

k. “Privileged Information” refers to any and all forms of data, which, under the Rules of Court and other pertinent laws constitute privileged communication;

l. “Processing” or “Process” or “Processes” refers to any operation or any set of operations performed upon Personal Data, including, but no limited to, the collection, recording, organization, storage, updating, or modification, retrieval, consultation, use, consolidation, blocking, erasure, or destruction of Personal Data. Processing may be performed through automated means or manual Processing if the Personal Data are contained or are intended to be contained in a filing system;

m. “Processor” or “Personal information processor” refers to any natural or juridical person or any other body to whom a Controller may outsource or instruct the processing of Personal Data pertaining to a Data Subject;

n. “Sensitive Personal Information”, refers to Personal Information (1) about an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical, or political affiliations; (2) about an individual’s health , education, genetic, or sexual life, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings; or (3) issued by government agencies peculiar to an individual, which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension, or revocation, and tax returns.


III. SCOPE AND APPLICATION

The Salmon Application (the “App”) is only accessible to the following users (collectively, the “App Users”):

a. Clients that have successfully availed of financial products and/or services from SALMON through its offline channels (“App User - Clients”);

b. SALMON brand ambassadors (“App User - Ambassadors”); and

c. SALMON partners/merchants (“App User - Merchants”).

This Privacy Notice specifically applies to Personal Data provided to or collected by SALMON from App User - Clients. Separate privacy notices are provided for App User - Ambassadors and App User - Merchants due to the differences in Personal Data Processed.

For the avoidance of doubt, the App does NOT allow any form of online application for loans or other financial products and/or services from SALMON.


IV. CATEGORIES OF PERSONAL DATA

SALMON may Process the following categories of Personal Data (the “Categories of Personal Data”) depending on the functionalities made available in the App. Note that the enumerations per Categories of Personal Data are not exclusive but serve merely as examples:

a. Identity data

  • Full name (First, Middle, Last)
  • Mobile Number

b. Loan data

  • Active loans or other financial products and/or services availed from SALMON;

c. Contact details data

  • Email address
  • Mobile number
  • Address
  • Push notifications

d. Security & Fraud prevention data

  • Biometric
  • Location & Time zone difference
  • Device type
  • Device model
  • Date and time
  • Content of the query (specific page)
  • Access Status/HTTP Status Code
  • Website or application from which the request originates
  • Browser
  • Operating system and its user interface
  • Language and version of the browser software
  • Cookies
  • Other internet and computer-related behavior
  • Contact lists

e. Service requests data

  • Personal Data provided when raising service requests or queries
  • Emails
  • Tickets

V. PURPOSES AND LEGAL BASIS FOR PROCESSING

SALMON may Process the Categories of Personal Data for the purposes and based on the legal bases enumerated below:

a. The identity data are Processed (i) identify you in relation to your interactions and contract with SALMON, and (ii) for market analysis. The legal basis for Processing the Personal Data under (i) are that the Processing is necessary and related to take steps at your request prior to entering into a contract with you and/or to fulfil the obligations of SALMON under the said contract (Section 12(b), DPA) and the Processing is necessary to comply with SALMON’s legal obligations under anti-money laundering, anti-terrorism, anti-terrorist financing, sanctions, and other regulations (Section 12(c), DPA). The legal basis for Processing the Personal Data under (ii) is SALMON’s legitimate interests to improve the App (Section 12(f), DPA).

b. The contact details data are Processed to (i) communicate with you about your request prior to entering into a contract with SALMON or with respect to the contract you entered with SALMON (e.g., collection, etc.), (ii) to deliver the necessary notifications, communications, and notices to you; and (iii) for marketing purposes. The legal basis for Processing the Personal Data under (i) and (ii) is that the Processing is necessary and related to take steps at your request before entering into a contract with you and/or to fulfil the obligations of SALMON under the said contract (Section 12(b), DPA). The legal basis for Processing the Personal Data under (iii) is SALMON’s legitimate interests to inform you about important updates and improve collection (Section 12(f), DPA) or your consent (Section 13(a), DPA) if used for the purpose of promoting SALMON’s financial products and/or services.

c. The security & fraud prevention data are Processed for purposes of (i) customer verification and fraud prevention, and (ii) security purposes. The legal basis for Processing the Personal Data are that the Processing is necessary and related to take steps at your request prior to entering into a contract with you and/or to fulfil the obligations of SALMON under the said contract (Section 12(b), DPA) and the Processing is necessary to comply with SALMON’s legal obligations under anti-money laundering, anti-terrorism, anti-terrorist financing, sanctions, and other regulations (Section 12(c), DPA), as well as SALMON’s legitimate interests to prevent hacking, security breaches, data breaches, fraud, and other misuse of the App (Section 12(f), DPA).

d. The service requests data are Processed for purposes of (i) customer verification, and (ii) to address your service requests and queries. The legal basis for Processing the Personal Data are that the Processing is necessary and related to take steps at your request prior to entering into a contract with you and/or to fulfil the obligations of SALMON under the said contract (Section 12(b), DPA) and the Processing is necessary to comply with SALMON’s legal obligations under anti-money laundering, anti-terrorism, anti-terrorist financing, sanctions, and other regulations (Section 12(c), DPA).


VI. SOURCES OF THE CATEGORIES OF PERSONAL DATA

SALMON may acquire your Personal Data from the following sources:

a. Directly from you via:

  • The App when you log-in;
  • Interaction with the App;
  • Your offline application for financial products and/or services of SALMON;
  • Gadget;
  • E-mails; and

b. Third-party service providers in the course of the provision of their services.


VII. THIRD PARTY CONTROLLERS

The App offers the App User – Clients the option to be redirected to third party webpages or platforms for the App User – Client’s convenience such as, but not limited to, the following (collectively referred to as, “Third Party Service Providers”):

a. Xendit Philippines Inc.;

b. Paynamics Technologies Inc.;

c. Paymongo Philippines Inc.;

When the App User – Client clicks the relevant links in the App, the App User – Client will be redirected to the Third Party Service Providers’ platform or page where the App User – Client have to read and accept the Third Party Service Providers’ terms & conditions, privacy notice, etc. The Third Party Service Providers’ platform or page is totally under the control of the Third Party Service Providers so any questions or complaint in relation to how they Process personal data using the Third party Service Providers’ platform or page should be directed to the relevant Third Party Service Provider.

Version 2. 1.27.2023


VIII. Categories of recipients of Personal Data

Within the scope of SALMON’s activities and services, it may become necessary for SALMON to share, disclose, or transfer your Personal Data within or outside the Philippines to SALMON’s affiliates/subsidiaries, Third Party Service Providers, and government institutions which assist SALMON in carrying out its business activities in relation to the purposes indicated in Section V.

When your Personal Data is shared, disclosed, or transferred outside of the Philippines, SALMON will ensure that your Personal Data is transferred to countries that provide a level of confidentiality, and protection similar to the levels required by Applicable Privacy Law or that there are acceptable contractual guarantees in place to ensure that the Processing of your Personal Data is in accordance with the Applicable Privacy Laws’ data protection level.

Recipients of your Personal Data generally fall into the following categories of recipients:

a. SALMON’s subsidiaries and affiliates;

b. Payment Service Providers, Banks and other Covered Persons;

c. Information technology (IT) service provider for IT infrastructures;

d. Telecommunications providers;

e. Cloud providers;

f. Other third-party service providers for outsourced Processes (e.g., consultants, contractors,

collectors, lawyers, etc.);

g. Government institutions (e.g., Bureau of Internal Revenue, Anti-Money Laundering Council,

Securities and Exchange Commission, Bangko Sentral ng Pilipinas, etc.);

h. Transferee or assignee in case of merger or acquisition;

i. Investors.


IX. Security and Protection of Your Personal Data

Your Personal Data Processed internally are generally managed using SALMON’s Systems and are stored in SALMON’s private cloud hosted in servers, data centers, and/or computers located in the Philippines, or Singapore, or the European Union. Only authorized employees are given access to your Personal Data in accordance with established structure of permissions or defined security roles on a need-to-know basis and with the obligation to keep your Personal Data confidential.

SALMON implements reasonable and appropriate technical, organizational, and physical security (“TOPS”) measures for the protection of your Personal Data against any accidental or unlawful Processing, accidental loss or destruction, and unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination. SALMON has a Privacy Manual (the “Manual”) that documents all of the TOPS Measures that the SALMON has in place to protect your Personal Data.


X. Retention Period

Your Personal Data will be retained for as long as is necessary for the Purposes set out above, or in accordance with the retention period provided by law and/or SALMON’s policies, whichever is applicable. In general, your Personal Data will be retained up to ten (10) years from end of your business relationship with SALMON in accordance to SALMON’s internal retention policy unless Philippines laws require a longer period. Rest assured that SALMON’s use of your Personal Data will be limited to what is necessary to achieve the Purposes, and/or only to the exceptions permitted by Applicable Privacy Laws.

After the retention periods have lapsed, SALMON will delete or anonymize your Personal Data securely using generally-accepted industry standards.


XI. Your rights as a Data Subject (“DSR”)

a. You have the following DSR with respect to your Personal Data as provided in the Applicable Privacy Laws:

  • Right to be informed (Section 16(a) & 16(b), DPA)
  • Right of access (Section 16(c), DPA):
  • Right to rectification (Section 16(d), DPA):
  • Right to erasure or blocking (Section 16(e), DPA):
  • Right to damages (Section 16(f), DPA):
  • Right to data portability (Section 18, DPA):
  • Right to object (Section 34(b), IRR):

More information about your DSRs are available at SALMON’s Privacy Portal or at NPC Advisory 2021-01.

b. Inquiries and requests regarding your DSR, including any objections to or complaints regarding SALMON’s Processing of your Personal Data, can be sent to the DPO by raising the proper ticket using SALMON’s Privacy Portal

c. If you feel that SALMON has not responded in an appropriate manner to your requests or complaints regarding our Processing of your Personal Data, you have the right to complain to the National Privacy Commission through their website or email ([email protected]).


XII. Changing the Privacy Notice

SALMON reserves the right to modify or amend this Privacy Notice from time to time to keep up with any changes in relevant Applicable Privacy Laws or with how SALMON Processes your Personal Data. Any changes or updates will be notified to you per SALMON’s App and/or other official communication channels.