ditowin Privacy Policy

This Privacy Policy applies to all personal data collected and processed by ditowin in connection with the operation of the ditowin online casino and sports betting platform accessible at ditowin.app (the "Platform"). It applies to all registered players, visitors to the Platform, and any individual who interacts with ditowin's customer support channels.

ditowin acts as the Personal Information Controller (PIC) with respect to the personal data of its players and users, as defined under the Philippine Data Privacy Act of 2012 (Republic Act No. 10173) and its Implementing Rules and Regulations (IRR). This means ditowin is responsible for determining the purposes and means of processing your personal data and for ensuring that such processing complies with applicable Philippine data privacy laws.

ditowin collects the following categories of personal data from players and platform users. Collection is limited to data that is adequate, relevant, and not excessive relative to the stated processing purposes.

ditowin does not collect sensitive personal information (as defined under Section 3(l) of the DPA) beyond what is strictly necessary for age verification and anti-money laundering compliance, and only with the explicit consent of the player where required.

ditowin collects personal data through the following mechanisms:

• Direct collection: Information you provide when registering an account, completing KYC verification, making deposits or withdrawals, setting responsible gaming limits, or contacting customer support.
• Automated collection: Technical data collected automatically when you access the Platform, including IP address, device identifiers, browser type, and session activity logs. This data is collected through server logs and, where applicable, cookies and similar tracking technologies (see Section 5).
• Third-party sources: Identity verification data cross-referenced through authorized Philippine government databases where PAGCOR KYC regulations require verification of government-issued identification.
• Payment processors: Transaction confirmation data from GCash, PayMaya, and partner banks sufficient to reconcile deposit and withdrawal records. ditowin does not store complete payment credential details — only the minimum reference data necessary for transaction management.

ditowin processes personal data only for specific, legitimate purposes with a lawful basis for each. The following table sets out our primary processing purposes and the applicable legal basis under the Philippine Data Privacy Act:

ditowin uses cookies and similar local storage technologies on the Platform for the following purposes:

• Essential cookies: Required for the Platform to function. These include session authentication tokens, CSRF protection tokens, and preference cookies (such as responsible gaming limit acknowledgements). These cannot be disabled without impairing core platform functionality.
• Analytics cookies: Used to understand aggregate player behavior — which game categories are most popular, where players experience navigation difficulties, and how platform performance varies across device types. Analytics data is aggregated and does not identify individual players.
• Security cookies: Used to detect and prevent fraudulent login attempts, account takeover activity, and bot access to the Platform.

ditowin does not use third-party advertising tracking cookies or behavioral advertising pixels. The Platform does not serve programmatic advertising, and no player behavioral data is shared with advertising networks.

Essential cookies cannot be disabled and are placed on the basis of contract performance. Analytics and security cookies are placed on the basis of ditowin's legitimate interests in operating a secure and well-functioning platform. Players who wish to disable non-essential cookies may do so through their browser settings; however, this may affect the performance of certain Platform features.

ditowin does not sell, rent, or trade player personal data to any third party. Personal data is shared only in the following limited circumstances:

• PAGCOR and Philippine regulatory bodies: ditowin is legally obligated to provide player data to PAGCOR, the Anti-Money Laundering Council (AMLC), and other authorized Philippine government bodies when lawfully required, including in connection with regulatory audits, player dispute investigations, or mandated suspicious transaction reports under the AMLA.
• Payment processors: Transaction data sufficient to process your deposits and withdrawals is shared with your chosen payment provider (GCash, PayMaya, BPI, BDO, Metrobank, UnionBank, 7-Eleven, Cebuana). Each processor receives only the data necessary for the specific transaction and is contractually bound by data protection obligations.
• Game providers: Limited session data (player identifier, session token, currency, balance) is passed to third-party game providers (such as JILI, PG Soft, Pragmatic Play, Evolution) to enable game functionality. Game providers receive no additional personal data and are bound by data processing agreements with ditowin that restrict use of this data to game delivery purposes only.
• KYC verification services: Where automated identity verification services are used to supplement manual KYC review, identity document images and identity data may be processed by contracted verification service providers under strict data processing agreements.
• Professional advisers: Legal counsel, auditors, and accountants engaged by ditowin may access player data to the minimum extent necessary for the specific professional service being provided, and are bound by professional confidentiality obligations.
• Law enforcement: Where ditowin receives a lawful order, warrant, or subpoena from a competent Philippine authority, the Platform will disclose the minimum personal data necessary to comply with the legal process.

Where ditowin shares player data with third-party game providers or technology partners whose operations or servers are located outside the Philippines, such transfers are conducted only under the following safeguards:

• The recipient country has been assessed to provide an adequate level of data protection comparable to Philippine standards, OR
• ditowin has entered into a data sharing agreement with the recipient that incorporates the NPC's standard contractual clauses or equivalent data protection obligations, OR
• The transfer is required for the performance of a contract to which the player is a party (e.g., enabling a live dealer game operated by an international provider).

Players may request information about the specific safeguards in place for any cross-border transfers affecting their personal data by contacting ditowin's Data Protection Officer (see Section 15).

ditowin retains personal data for the minimum period necessary to fulfill the purposes for which it was collected, subject to the following minimum statutory retention obligations under Philippine law:

• Account and KYC records: Retained for 5 years following account closure, as required by PAGCOR licensing conditions and the AMLA.
• Financial transaction records: Retained for 5 years from the date of the transaction, in compliance with Republic Act No. 9160 (AMLA) and its implementing rules.
• Suspicious transaction reports (STRs): Retained for a minimum of 5 years from the date of filing with the AMLC, or longer if required by an ongoing investigation.
• Customer support communications: Retained for 2 years from the date of the interaction, or longer where the communication is relevant to an outstanding dispute.
• Technical / server logs: Retained for 90 days as standard, extended to 1 year where logs are relevant to a security incident or fraud investigation.

Upon expiry of the applicable retention period, personal data is securely deleted or anonymized so that it can no longer be associated with an individual player. Anonymized aggregate data may be retained indefinitely for platform analytics purposes.

ditowin implements technical and organizational security measures appropriate to the risk level associated with processing player personal data in the online gaming sector. Key measures include:

• Encryption in transit: All data transmitted between player devices and ditowin servers is encrypted using TLS 1.2 or higher (256-bit encryption). HTTPS is enforced across the entire Platform with HTTP Strict Transport Security (HSTS) headers.
• Encryption at rest: Sensitive player data stored in ditowin databases, including identity documents, financial data, and government ID references, is encrypted at rest using AES-256 encryption.
• Access controls: Access to systems containing personal data is restricted on a role-based least-privilege basis. Multi-factor authentication is required for all administrative access. Access logs are maintained and reviewed regularly.
• OTP-based login verification: New device logins require SMS OTP verification to the player's registered Philippine mobile number, adding a second authentication factor that protects against credential theft.
• Penetration testing: The Platform undergoes regular security assessments, including penetration testing by qualified security professionals, to identify and remediate vulnerabilities.
• Staff training: All ditowin staff with access to personal data undergo mandatory data privacy and security training upon onboarding and annually thereafter.

Under Republic Act No. 10173 (Data Privacy Act of 2012) and its Implementing Rules and Regulations, ditowin players who are Philippine citizens or residents have the following data subject rights with respect to their personal data:

ditowin does not knowingly collect personal data from individuals under 21 years of age. The Platform is strictly for adults who meet the PAGCOR-mandated minimum gambling age of 21 years. ditowin's account registration process includes a date-of-birth declaration and is backed by mandatory KYC age verification before real-money play is permitted.

If ditowin becomes aware that personal data has been collected from a minor, the affected account will be closed immediately, all personal data associated with the account will be securely deleted, and the matter will be reported to PAGCOR in accordance with the Platform's licensing obligations.

Parents and guardians who believe their child has registered an account on ditowin should contact ditowin support immediately via the 24/7 live chat for urgent account investigation and closure.

ditowin may send promotional communications — including bonus offers, new game announcements, and VIP program updates — to players who have opted in to receive such communications at registration or through their account settings.

You may withdraw consent to receive marketing communications at any time by: (a) updating your notification preferences in your ditowin account settings; or (b) requesting opt-out through the 24/7 live chat or by contacting [email protected]. Withdrawal of marketing consent does not affect the lawfulness of prior communications or ditowin's ability to send transactional communications (such as deposit confirmations, OTP messages, or account security alerts) that are necessary for the operation of your account.

The ditowin Platform may contain references to payment service providers and game providers that operate their own platforms and privacy policies. ditowin does not control the data practices of these third-party services and is not responsible for the content of their privacy policies. When interacting with a third-party service (such as accessing a GCash deposit interface or a third-party game lobby), you are subject to that service provider's own terms and privacy policy in addition to ditowin's policy.

ditowin reserves the right to update this Privacy Policy at any time to reflect changes in applicable Philippine law, NPC guidance, PAGCOR regulatory requirements, or ditowin's data processing practices. Material changes will be communicated to active players via in-platform notification or registered mobile number at least 14 days before taking effect.

The effective date of the current version of this Privacy Policy is displayed at the top of this page. Players are encouraged to review this Policy periodically. Continued use of the ditowin Platform following any update to this Policy constitutes acknowledgment of the updated terms.

Prior versions of this Privacy Policy are available upon request from ditowin's Data Protection Officer.

ditowin has designated a Data Protection Officer (DPO) as required under Section 21 of the Data Privacy Act of 2012. The DPO is responsible for overseeing ditowin's compliance with applicable data privacy laws and serves as the primary contact for data subject rights requests and privacy-related inquiries.

• Data Protection Officer — ditowin
• Email: [email protected] (Subject: "Privacy / DPO Inquiry")
• Live Chat: Available 24/7 via the ditowin Platform — ask to be connected to the Privacy team
• Response time: Acknowledgment within 3 business days; substantive response within 15 business days

For complaints that cannot be resolved through ditowin's internal process, players may also contact the Philippine National Privacy Commission:

• National Privacy Commission of the Philippines (NPC)
• Website: privacy.gov.ph (not a clickable link — visit directly in your browser)
• Address: 5th Floor, Delegation Building, PICC Complex, Pasay City, Metro Manila