Privacy Policy

App Name: RapidPeso

Publication Date: May 14, 2026

Effective Date: May 14, 2026

Preamble

RapidPeso (hereinafter referred to as "we," "us," or "the Product") is a loan service product provided by BUKAS FINANCE CORP., a company incorporated and operating under the laws of the Philippines. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our services, in compliance with the Philippines Data Privacy Act of 2012 (Republic Act No. 10173) and the rules and regulations of the National Privacy Commission.

We highly value the personal information and privacy protection of our users. This Privacy Policy is intended to clearly explain to you how we collect, use, store, transmit, share, and protect your personal information during your use of the RapidPeso loan service, as well as the rights you are entitled to. Please carefully read and fully understand all the contents of this Privacy Policy before registering for, using, or continuing to use our products.

If you have any questions, comments, or suggestions regarding this Privacy Policy, you may contact us through the contact information provided at the end of this policy. By commencing your use of our products, you are deemed to have fully understood and agreed to all the contents of this Privacy Policy, including our collection, use, storage, and sharing of your personal information in accordance with this policy. If you do not agree with any part of this Privacy Policy, please immediately cease using our products and related services.

This Privacy Policy will help you understand the following:

• Who we are and how to contact us
• What personal information we collect
• How we use the information we collect
• Third-Party SDK disclosures
• Information transmission and security protection
• Data retention periods
• Your rights and choices
• Statement on protection of minors
• Policy updates and modifications

1. Information Controllers and Contact Information

1.1 Operating Company

• Company Name: BUKAS FINANCE CORP.
• Company Registration No.: CS201901691
• Certificate of Authority No.: 1199
• Registered Address: 30th Floor Yuchengco Tower, Rcbc Plaza 6819 Ayala Avenue, Makati, Metro Manila, 1227 Philippines

1.2 Contact Information

If you have any questions, comments, suggestions, or complaints regarding this Privacy Policy, you may contact us through the following methods:

• Email Support: bukasdds@bukasfinance.com

We will respond to your requests as soon as possible within the legally prescribed timeframe.

2. Personal Information We Collect

In order to provide you with safe, convenient, and efficient loan application and review services, we may collect the following categories of personal information. We only collect information that is necessary to provide our services to you and will not collect personal information unrelated to our services.

2.1 Basic Identity Information

When you apply for a loan, we may collect the following basic identity information:

• Full Name: Used to verify the borrower's identity
• Date of Birth: Used to verify age and determine whether the user has reached the legally prescribed age of majority
• Gender: Used for completeness of the loan application form
• Marital Status: Used as a reference for credit assessment

2.2 Identity Verification Information

To complete identity verification and prevent fraudulent activities, we may collect:

• Government-Issued ID Information: Including ID card numbers, passport numbers, or other valid government-issued identification document numbers
• Facial Biometric Information: Facial recognition technology is used to verify that you are the legitimate holder of the ID document, preventing identity theft. Facial recognition data is used solely for the current identity verification and is not stored in its original form.

2.3 Contact Information

• Mobile Number: Used for account registration, login verification, loan progress notifications, repayment reminders, and other communication services
• Email Address: Used to receive loan-related notifications, bills, and statements
• Residential Address: Used to assess housing stability and to mail relevant documents

2.4 Financial-Related Information

• Monthly or Annual Income: Used to assess repayment capacity
• Employer Information: Including employer name, job title, and years of employment, used to assess income stability
• Bank Account Information: Used for loan disbursement and repayment

2.5 Device and Usage Information

To ensure account security, device identification, and service quality optimization, we may collect:

• Device Information: Including device model, operating system version, device unique identifier (IMEI/MEID/UDID), MAC address
• Network Information: Including IP address, network type (WiFi/Mobile Data), and carrier information, used to identify abnormal login behavior and for security risk assessment

2.6 Camera and Photo Album Permissions

We will request camera and photo album permissions in the following specific scenarios:

Camera Permission Use Cases:

• Uploading ID document photos: You need to photograph the front and back of your ID document using the camera to complete the identity verification process
• Facial Recognition Verification: During the identity verification step, you need to face the camera to complete liveness detection

Photo Album Permission Use Cases:

• Uploading supporting documents: You may select existing photos from your album as supplementary materials such as income proof or address verification

The above permissions are only invoked when the relevant business function is triggered. We will not activate the camera or access your photo album without your knowledge. The camera automatically closes after capturing a photo, and your album is accessed only after you manually select photos.

2.7 Calendar Permission

We will request calendar permission in the following specific scenarios:

Repayment Reminder Scheduling: With your authorization, you may add scheduled repayment dates and deadline reminders to your calendar through our app to help you keep track of upcoming payment due dates.

The above permission is only invoked when the relevant business function is triggered. We will not access your calendar without your knowledge or consent. You may disable calendar permissions in your device settings at any time.

2.8 Network Access Permission

We request network access permission for the following purposes:

• Communicating with backend servers to upload loan application materials and download review results
• Retrieving real-time loan status updates
• Sending repayment reminders and account security notifications
• Updating application versions

3. How We Use the Information We Collect

The personal information we collect will only be used for the purposes described below. We will not use your personal information for any purpose unrelated to providing our loan services.

3.1 Providing Core Loan Services

• Processing your loan application, conducting credit assessment and risk-based pricing
• Verifying your identity information and preventing impersonation and fraudulent applications
• Evaluating your repayment capacity and intent and making loan approval decisions
• Disbursing loan funds to your designated bank account
• Processing repayments and handling overdue collections

3.2 Account Security and Risk Control

• Detecting and preventing abnormal logins, account takeovers, and fraudulent activities

Comprehensively assessing transaction risks through device information, IP addresses, and other factors.

• Facial recognition technology used to confirm that the operator matches the account registrant
• Security incident investigation and emergency response

3.3 Service Optimization and User Experience Improvement

• Analyzing user behavioral data to optimize product features and operation processes
• Personalizing the display of loan amounts, interest rates, and other approval results
• Sending notifications and reminders related to loan services

3.4 Legal and Regulatory Compliance

• Complying with Bangko Sentral ng Pilipinas (BSP) regulations on Anti-Money Laundering (AML) and Know Your Customer (KYC)
• Cooperating with lawful information requests from government agencies
• Used for dispute resolution and preservation of evidence in legal proceedings

4. Third-Party SDK Disclosures

To ensure the integrity, security, and risk management capabilities of our loan services, we integrate the following third-party SDKs. You understand and agree that the following SDKs may process your relevant data in accordance with their own privacy policies.

4.1 Dyna.ai SDK

Purpose: Credit assessment and anti-fraud risk control

Data Shared: We may transmit certain of your personal information (including but not limited to mobile number, device information, and identity verification information) to Dyna.ai for credit assessment and anti-fraud verification to assist us in making loan approval decisions.

Dyna.ai Privacy Policy: Dyna.ai, as an independent data processor, will handle your data according to its own privacy policy. We strongly recommend that you review Dyna.ai's official privacy policy (https://www.dyna.ai) before use to understand its data processing methods and purposes.

5. Information Transmission and Encryption Protection

5.1 Transmission Encryption

We employ the following security measures during data transmission:

• TLS/SSL Encrypted Transmission: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher to ensure that data is not eavesdropped, tampered with, or hijacked during network transmission
• Full-Site HTTPS Encryption: All network communications of our app are conducted over HTTPS to prevent man-in-the-middle attacks
• Independent Encryption for Sensitive Data: Highly sensitive data such as ID numbers, bank account information, and facial recognition templates undergo independent encryption algorithms for secondary encryption storage and transmission

5.2 Storage Encryption

• Server-Side Encryption: Sensitive information stored in server databases is encrypted using AES-256 or equivalent-strength encryption algorithms
• Key Management: Encryption keys are stored separately from encrypted data, managed by a dedicated Key Management System (KMS) with strictly controlled access

5.3 Access Control

• Our employees' access to user data follows the Principle of Least Privilege, granting access only to the minimum scope necessary to fulfill their job responsibilities
• All data access activities are logged and subject to regular audits
• Access to highly sensitive data requires multi-level approval

6. Data Retention Periods

6.1 Retention Principles

We retain your personal information only for the period necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required by law or regulation.

6.2 Specific Retention Periods

Information Type	Retention Period	Description
Account registration information (mobile number, etc.)	5 years after account cancellation	Meeting BSP statutory requirements for customer record retention
Loan application records and review materials	5 years after loan is repaid in full	Meeting BSP requirements for loan business record retention
Identity verification information (facial recognition data)	180 days after verification completion	Only anonymized comparison results retained; original images not stored
Location information	90 days after collection	Only approximate location data retained for risk analysis
Device and operation logs	365 days	Used for security audits and anomaly analysis
Repayment and accounting records	5 years after account cancellation	Used for financial reconciliation, tax compliance, and dispute resolution
Communication records with us	3 years	Used for service quality improvement and dispute resolution

6.3 Handling After Retention Period Expires

Once your personal information exceeds the retention periods specified above, we will delete or anonymize your personal information so that it can no longer identify you, and this processing method is irreversible.

7. Your Rights and Choices

Under applicable law, you have the following rights regarding your personal information:

7.1 Right of Access

You have the right to request access to the personal information we hold about you, including:

• What personal information we have collected about you
• How this information is being used
• Who the recipients of this information are (except where prohibited by law)

7.2 Right to Rectification

If you discover that the personal information we hold about you is inaccurate or incomplete, you have the right to request that we correct or supplement it.

7.3 Right to Erasure

Under the following circumstances, you have the right to request that we delete your personal information:

• We are using your information beyond the purposes described in this Privacy Policy
• The legal basis for our collection of your information no longer exists
• You withdraw the consent you previously gave (withdrawal of consent does not affect processing conducted based on consent prior to withdrawal)

7.4 Right to Restriction of Processing

Under certain circumstances, you may request that we restrict the processing of your personal information.

7.5 Right to Data Portability

You have the right to obtain your personal information in a structured, machine-readable format, and to transfer this information to a third party of your choice.

7.6 Right to Object

You have the right to object to our processing of your personal information based on legitimate interests or public interests, as well as to object to our processing of your information for direct marketing purposes.

7.7 How to Exercise Your Rights

To exercise any of the above rights, please contact us through the following methods:

• Email Support: bukasdds@bukasfinance.com

We will respond to your request within the legally prescribed timeframe (typically 15 to 30 business days). In certain cases, to ensure data security, we may require additional identity verification information.

8. Statement on Protection of Minors

8.1 Age Restriction

RapidPeso's loan services are only available to adults aged 18 and above. We explicitly prohibit any individual under 18 years of age from registering for, using, or attempting to use our products.

8.2 We Do Not Collect Information from Minors

We do not knowingly collect any personal information from minors under 18 years of age. If you are under 18, please do not register for our products or provide us with any personal information. If we become aware that we have inadvertently collected information from a minor, we will take immediate steps to delete such information.

8.3 Notice to Parents and Guardians

If you are a parent or guardian and believe a minor may have registered for our products, please contact us immediately using the contact information provided above. We will assist in resolving the matter.

9. Policy Updates and Modifications

We may update or revise this Privacy Policy from time to time to reflect:

• Changes in our services or data processing practices
• Changes in applicable laws, regulations, or regulatory requirements
• Business operational needs

9.1 How We Notify You of Updates

• In-App Announcements: We will publish the updated Privacy Policy within our application
• Version Update Notices: When there are material changes to this Privacy Policy, we will prompt you to review and confirm the updated policy the next time you open the app
• Effective Date: Updated Privacy Policies take effect upon the date of publication

9.2 Impact on You

For material changes (such as expanding the scope of information collection, adding new data uses, or modifying third-party data sharing arrangements), we will notify you through reasonable means prior to the effective date and obtain your explicit consent where required by applicable law. Continuing to use our products constitutes your acceptance of the updated Privacy Policy.

10. Other Important Provisions

10.1 Third-Party Websites and Services

This Privacy Policy does not apply to third-party websites, mobile applications, or service providers. You should review their privacy policies independently to understand their data protection practices.

10.2 Cross-Border Data Transfer

Should it be necessary to transfer your personal information outside of the Philippines (for example, for data backup or sharing with overseas partners), we will ensure that such transfers comply with the requirements of the Philippines Data Privacy Act of 2012 (Republic Act No. 10173) and related regulations, and that necessary protective measures are implemented.

10.3 Security Incident Notifications

In the event of a personal data breach, we will promptly notify affected users and take remedial measures in accordance with the requirements of relevant Philippine laws and regulations.

11. Contact Us

If you have any questions, comments, suggestions, or complaints regarding this Privacy Policy, please contact us through the following methods:

RapidPeso Operator

• Company Name: BUKAS FINANCE CORP.
• Company Registration No.: CS201901691
• Certificate of Authority No.: 1199
• Email Support: bukasdds@bukasfinance.com
• Registered Address: 30th Floor Yuchengco Tower, Rcbc Plaza 6819 Ayala Avenue, Makati, Metro Manila, 1227 Philippines

We value your trust and are committed to providing you with safe and transparent services.