Privacy Policy

1) Purpose and Scope

 

This Privacy Policy explains what personal data we collect, why we collect it, how we use and share it, and how you can exercise your data subject rights under Republic Act No. 10173 (Data Privacy Act of 2012, “DPA”) and its Implementing Rules and Regulations (IRR), as well as relevant issuances of the National Privacy Commission (NPC). By using our services (including our Mobile App and electronic banking channels), you agree to this Policy.

 

2) Definitions

  • “Bank,” “we,” “us,” “our” – Vigan Banco Rural Incorporada (“VBRI” or “VBank”).
  • “Customer,” “you,” “data subject” – A natural person whose personal data we collect and process.
  • “Personal Data” – Any information from which your identity is apparent or can be reasonably and directly ascertained (e.g., name, address, contact details).
  • “Sensitive Personal Information” – As defined under the DPA (e.g., government IDs, health, biometric data).
  • “Processing” – Any operation on personal data (collection, recording, use, disclosure, storage, erasure, etc.).
  • “CIF” – Customer Information File maintained by the Bank.

 

3) What We Collect

Depending on the product or service, we may collect:

 

Identity & KYC: Full name, birth date, nationality, civil status, signatures, photos, government IDs/ID numbers, TIN.

Contact: Address, email, mobile/telephone numbers.

Employment & Financials: Employer, income, assets, liabilities, credit standing/loan history, bank reference data.

Behavioral & Demographic: Preferences, product usage, campaign responses.

 

Biometrics (if you opt in): Facial image, fingerprints, voiceprint (for eKYC/strong authentication).

 

Device & App Data (with permissions):

  • Device identifiers, OS/version, IP, app interactions, diagnostics, crash logs.
  • Contacts you nominate (e.g., for fund transfers or references). We never upload your full address book without your clear opt-in.

Multimedia: Call recordings, CCTV, branch/video interview recordings (for quality, fraud prevention, and compliance).

Third-party data: Data from credit bureaus/CIC, telecom and analytics partners (with consent), and sanctions screening sources.

 

 

4) Why We Process Your Data (Purposes) & Lawful Bases

We process personal data only as permitted by law. Our lawful bases include consent, performance of a contract, legal obligations, legitimate interests, and public interest (e.g., AML/CFT). Key purposes:

 

A. Account origination & servicing (KYC, onboarding, account operations, transactions, customer support). Bases: Contract; Legal obligation (BSP/AMLA).

 

B. Credit & risk (credit scoring, underwriting, collections, fraud prevention, sanctions screening). Bases: Legitimate interests; Legal obligation.

C. Communications (statements, advisories, service updates, incident notices). Bases: Contract; Legal obligation; Legitimate interests.

D. Marketing (optional) – Offers, promotions, personalization, surveys. Basis: Your consent (you can opt out anytime).

E. Compliance – AMLA (RA 9160, as amended), FATCA, BSP/NPC/AMLC reporting, CIC submissions (RA 9510), court orders, lawful requests. Basis: Legal obligation/public interest.

F. Analytics & improvement – Service quality, product development, security analytics. Basis: Legitimate interests.

G. InstaPay fraud-prevention – Data sharing with scheme/participants to detect and prevent fraud and unlawful access. Bases: Legitimate interests; Legal obligation.

 

 

Automated Decision-Making & Profiling (Credit Scoring): We may use automated scoring to assess creditworthiness. You may request human review, contest a decision, and express your point of view (see Section 9).

 

5) Where We Get Your Data

  • From you (applications, KYC, app usage, communications).
  • From your authorized representatives.
  • From third parties (with authority/consent): credit bureaus/CIC, telecom partners (for credit scoring), verification vendors, fraud/sanctions lists, public databases, and partner institutions.

 

6) Sharing and Disclosures

We do not sell personal data. We share data only as needed, with safeguards:

 

A. Service Providers / Processors (on our instructions, under data processing agreements):
 Cloud hosting, core banking and app vendors, KYC/identity verification, AML/sanctions screening, credit scoring, analytics, customer support, mail/SMS gateways, collections, disaster recovery, and security providers.

 

B. Affiliates / Subsidiaries (if you are, become, or apply to be a client):
 For onboarding support, consolidated reporting (upon your request), customer info updates, and programs (loyalty/benefits), subject to law and your consent where required.

 

C. Credit Bureaus & CIC (RA 9510), and other authorized info sources for credit checking/scoring and updates.

 

D. Third-Party Partners (limited notice):
 We may inform select corporate partners that you have an account with VBank. Only your name and CIF number may be shared. No balances or transaction details are shared.

 

E. InstaPay ecosystem participants for fraud prevention/unlawful access detection.

 

F. Regulators & Authorities:
 BSP, AMLC, NPC, BIR, PDIC, courts, law enforcement, and foreign competent authorities as required by law.

We remain responsible for personal data we share with processors. All such parties are contractually bound to DPA-grade confidentiality, security, and purpose limitation.

 

7) International / Cross-Border Transfers

Personal data may be processed in or transferred to countries with different data protection standards. We use appropriate safeguards (e.g., contractual clauses, audits, technical measures) and ensure access is need-to-know and purpose-limited.

 

8) Data Security

We apply organizational, physical, and technical measures consistent with the DPA and industry standards, including:

  • Employee training and confidentiality; role-based access control.
  • Strong authentication, encryption in transit and at rest, secure key management.
  • Secure data centers, network segmentation, monitoring, and logging.
  • Patch management, vulnerability testing, and incident response.
  • Business continuity and disaster recovery.

If we detect a personal data breach that poses a real risk of serious harm, we will notify affected individuals and the NPC in line with the DPA and NPC circulars.

 

9) Your Data Subject Rights

Subject to law and reasonable verification, you may exercise:

  1. Right to be Informed – clear notice of processing activities.
  2. Right to Object – to processing (including direct marketing) where the lawful basis is not legal obligation/public interest/contract.
  3. Right to Withdraw Consent – withdrawal does not affect prior lawful processing or other bases.
  4. Right to Access – copy of your personal data and details of processing.
  5. Right to Rectification – correct inaccurate or incomplete data.
  6. Right to Erasure/Blocking – where data is outdated, no longer necessary, unlawfully processed, or you withdraw consent (and no other lawful basis applies).
  7. Right to Data Portability – obtain your data in a structured, commonly used format where technically feasible.
  8. Right to Damages – for violations of your data privacy rights.
  9. Rights related to Automated Decision-Making – request human review, express views, and contest decisions.

 

How to exercise: See Section 19 (How to Contact Us). We generally respond within 30 calendar days, extendable as permitted by law for complex requests. Minimal fees may apply for access/portability (you’ll be informed upfront).

 

10) Retention and Disposal

We keep personal data only as long as necessary for the declared purposes (Sections 4 & 6), to comply with legal, regulatory, and audit requirements (e.g., AMLA/BSP retention), and to establish/defend legal claims. When no longer needed, we securely dispose of or anonymize data in line with our retention and disposal policy.

 

11) Cookies and Similar Technologies

Our Site/App may use cookies or SDKs (including authorized third-party components) to operate, secure, and improve services. You can manage cookies via your browser/app settings; some features may not function without them. We do not use third-party cookies for cross-site advertising without your consent.

 

12) Logs and Diagnostics

When you use our services, we and/or authorized vendors may collect log data (e.g., IP address, device/OS, timestamps, app configuration, diagnostics, crash reports) to operate, secure, and improve the App and Services.

 

13) Mobile Permissions (You Control These)

With your explicit permission, the App may access:

  • Camera/Photos/Microphone (eKYC, check deposit, QR, call verification).
  • Contacts you choose (e.g., transfer beneficiaries).
  • Biometrics (device biometrics for login; separate consent for Bank-stored biometrics).

You can revoke permissions at any time in your device settings; certain features may then be unavailable.

 

14) Marketing Communications

We only send direct marketing with your consent (or as otherwise permitted by law). You may opt out via in-message links or App settings. Opt-out does not affect service or regulatory communications.

 

15) Children’s Privacy

Our Services are not directed to children. We do not knowingly collect personal data from children under 13 without verifiable parental consent. Where a data subject is a minor (under 18), parent/guardian consent and/or legal documentation may be required for account features, in accordance with law and BSP rules. If you believe a child provided data without appropriate consent, contact us and we will delete or secure the data as required.

 

16) Your Relationship with Subsidiaries/Affiliates & Third-Party Partners

If you are, become, or apply to become a client of our subsidiaries/affiliates, they may rely on and use relevant data we maintain to facilitate onboarding, validate/update records, provide consolidated summaries (on your request), send advisories, and run client programs, subject to law and, where required, your consent.

Limited partner notice: We may inform certain corporate partners that you hold a VBank account; partners will only receive your name and CIF number. No balances or transaction details are shared.

 

17) Special Note on Credit Scoring and Telco/Analytics Partners

With your express consent, we may collect or validate data from telecommunications companies, credit scoring providers, and analytics vendors (e.g., mobile number, usage-derived indicators) to support credit scoring, credit investigation, data analytics, and data profiling, including periodic updates. You may withdraw consent at any time (see Section 9).

 

18) Changes to this Policy

We may update this Policy to reflect legal or operational changes. Material changes will be posted in the App/Site and may be communicated by email or in-app notice. Please review periodically.

 

19) How to Contact Us (DPO)

 

Data Protection Officer (DPO)

Vigan Banco Rural Incorporada (VBRI / VBank)
Address: Metrowalk Commercial Complex, Meralco Ave., Brgy. Ugong, Pasig City

Email: helpme@vbank.ph

You may also lodge a complaint with the National Privacy Commission (NPC): www.privacy.gov.ph / info@privacy.gov.ph

 

 

________________________________________________

Annex A – InstaPay Fraud-Prevention Notice (Summary)

To prevent/detect fraud and unlawful access related to InstaPay accounts and transactions, the Bank may share relevant data with InstaPay scheme participants and authorized service providers strictly for security and risk mitigation, under appropriate contractual and technical safeguards. This does not include sharing of marketing data and is separate from any partner marketing consents.

 

 

 

 

Vigan Banco Rural Incorporada is regulated by the Bangko Sentral ng Pilipinas: https://www.bsp.gov.ph

© 2024 Vigan Banco Rural Incorporada. All rights reserved