Mocasa App Privacy Policy

Statement on SMS Read Permission

Mocasa reads financial transaction SMS on your device — such as bank notifications, payment confirmations, and e-wallet alerts — to analyze your income and spending patterns.

What we access: Transaction notifications from financial service providers — such as banks, payment services, and e-wallets (identified by their registered sender names or short codes) — containing details such as sender name, transaction amount, merchant name, and date.

What we NEVER access: Personal conversations, messages from individual phone numbers, or one-time passwords (OTPs).

Why it matters: This analysis helps us determine a credit limit that matches your actual financial situation, especially for users with limited formal banking history.

Your data is encrypted and stored on https://service.mocasa.com. We never share SMS data with third parties without your explicit consent.

This permission is optional. Tap "Skip" to continue without SMS analysis, or revoke it anytime in Settings > Apps > Mocasa > Permissions.

Mocasa App Privacy Policy

Updated Date: March 2026

Philippine Cashtrout Lending Corp., a corporation organized and existing in the Philippines (“Mocasa”, “we”, “us” or “our”) takes your privacy very seriously. This privacy policy (this “Privacy Policy”) describes what information we collect from you, the purposes for which we collect and process it, how we use it, who we share it with, how long we retain it, and your rights in relation to it. You should read and understand this Privacy Policy in its entirety.

This Privacy Policy applies in connection with your use of the Mocasa mobile application found here (the “Mocasa App”) and your use of our services through the Mocasa App or otherwise.

1. What personal data does Mocasa collect and process? From where does Mocasa collect your personal information?

Mocasa collects the following personal data (as defined under applicable law), including personally identifiable information. The collection of this data is limited to what is adequate, relevant, suitable, and strictly necessary for our declared, specified, and legitimate purposes, in adherence to the principle of proportionality as required by the Data Privacy Act of 2012 and relevant NPC issuances:

Identification data (e.g., first name, surname, date of birth, image, marital status for identity verification and KYC purposes);
Data provided by you through your responses (e.g., information and documents about your income or employment, your educational attainment, information about your mobile device necessary for assessing your financial capacity and loan eligibility);
Contact details (e.g., address, phone number, alternate phone number, email address used for communication regarding your application, account, and for legitimate debt collection activities strictly in accordance with ethical standards and legal limits);
Government-issued identification data and documents (e.g., SSS ID, UMID, Passport, Driver’s License, PhilSys ID collected and processed solely for identity verification, KYC, and fraud prevention as required by law);
Mobile device specifications (e.g.,IMEI, IP address, or other device identifiers, type of device, device operating system, device settings, user account information for your mobile device, the name and network information of your mobile network provider, device specifications (such as screen size, resolution, CPU capacity, etc.)) collected to ensure device compatibility, security, fraud detection, and to enhance user experience;
Location data (e.g., mobile device location collected with your explicit consent for fraud prevention, risk assessment, and to tailor relevant services available in your region, limited to what is essential for these purposes);
SMS – After your explicit authorization, Mocasa will collect and analyze designated financial transaction SMS messages on your device — such as bank notifications, payment confirmations, and e-wallet alerts — to evaluate your income and spending patterns for credit assessment. We access only transaction notifications from public financial service providers (identified by their registered sender names or short codes), containing details such as sender name, transaction amount, merchant name, and date. We strictly do not access personal conversations from individual mobile numbers, One-Time Passwords (OTPs), or any verification codes. The collected data will be encrypted and transmitted to https://service.mocasa.com. We do not share SMS data with third parties without your explicit consent. This permission is strictly optional and independent of your loan application. You may decline during the authorization process or revoke permission at any time through Settings > Applications > Mocasa > Permissions on your device;
Transaction data and financial information (e.g., loans, payments, loan requests, tax information essential for providing and managing our financial products and services, including loan disbursement and repayment tracking);
Device behavioural data (e.g., types and nature of mobile applications found on your mobile device collected to derive aggregated and anonymized insights or proportional metadata to enhance our credit scoring models, detect fraud patterns, and improve the overall security and functionality of the Mocasa App. This data is not used to uniquely identify or profile individual users based on their specific app usage, nor for direct marketing without separate, explicit consent. We strictly avoid collecting data that is not relevant or necessary for our stated purposes.);
Mocasa App usage (e.g., traffic (volume) data, information about your usage or non-usage of the Mocasa App used to analyze and improve the performance and usability of the application and its services);
Information related to your communications with Mocasa (e.g., your communications with Mocasa via in-app chat, email, telephone or other channels, used for customer service, dispute resolution, and quality assurance);
Information provided by you in relation to participation in special offers and promotional activities conducted by Mocasa (e.g., promo codes, games, contests, discounts, and participation in by-invitation-only groups used solely for the administration of such activities);
Certain third party data (e.g., information provided to or from credit reference agencies or bureaus, external collections agencies, mobile network providers, obtained with your consent or where a legitimate interest or legal obligation applies, for creditworthiness assessment, fraud prevention, and debt collection).

Mocasa collects your personal data from:

You, when you download the Mocasa App and/or indicate that you want to apply for credit, providing data directly through the application process and your interactions;
Your other interactions with us, including Information you may voluntarily share with our customer support team or other Mocasa employees or agents;
Your mobile device (through the device permissions you explicitly grant, as more fully described below);
Credit reference agencies (who may check your personal data against other databases – public and private – to which they have access) or fraud prevention agencies for credit assessment and fraud detection purposes.;
Third parties and other publicly available sources, with your explicit consent, when it is necessary for the performance of our contract with you or (e.g. we may receive Information from other disbursement channel vendors or other business partners such as telecommunications companies and credit scoring service providers that may assist us in providing services to you) when required or permitted by applicable laws and regulations;
Third parties who communicate with us through the contact information that you provided to us (e.g., character references you explicitly provided).

Collection and processing of your personal data by Mocasa is necessary for the declared, specified, and legitimate purposes of providing Mocasa’s products and services, assessing your eligibility, mitigating risks, and to comply with applicable legal and regulatory requirements (such as KYC, AML, and consumer protection laws) to which you and/or Mocasa is subject. Apart from such cases where processing is necessary due to contractual obligations, legal compliance, or our legitimate interests which do not override your fundamental rights and freedoms, we do not collect Information without your specific, informed prior consent.

2. What are the purposes for which your personal data is processed? How does Mocasa use your personal information?

Mocasa processes your personal data only for declared, specific, and legitimate purposes, necessary for the provision of our products and services, and in compliance with all applicable laws and regulations. We ensure that the processing of your data is proportional to these purposes and not excessive. Your data is processed for the following purposes:

To assess your eligibility to use our products or services: this includes, but is not limited to, comprehensive credit scoring, assessing your creditworthiness, determining your financial capacity to afford requested products or services, and evaluating your eligibility for additional benefits of an existing product. This is essential to ensure responsible lending;
To service and manage your account with Mocasa (including, but not limited to processing the disbursement of your funds, managing your loan details, and facilitating the collection of your outstanding balance in accordance with your loan agreement and applicable laws;
To verify your identity and/or other information you provided to us;
To personalize credit assessment, risk analysis, and implement control measures: This allows us to tailor financial products to your specific profile, manage potential risks effectively, and ensure the stability and security of our lending operations;
To detect, combat, and prevent fraud, attempted fraud, money laundering, and/or other illegal uses of our services: we employ robust measures to protect our users and our platform from illicit activities, safeguarding the financial ecosystem.;
To analyze customer behavior: we analyze aggregated and anonymized customer behavior patterns, including insights derived from device behavioral data (e.g., types and nature of mobile applications found on your device), solely for the purpose of enhancing our credit scoring models, improving fraud detection mechanisms, and optimizing the overall user experience and security of the Mocasa App. This analysis is done without identifying or profiling individual users based on their specific app usage, and strictly adheres to proportionality.;
To administer our systems, maintain service quality, and compile general usage statistics: this ensures the reliable operation of the Mocasa App and allows us to monitor performance;
To analyze and continually improve our services and product offerings: your usage data helps us understand how our services are used, allowing us to enhance features, improve efficiency, and develop new products that better serve your needs;
To troubleshoot any technical problems you or other customers encounter with Mocasas services: this ensures seamless operation and prompt resolution of user issues;
To comply with applicable laws, regulations, and rules: this includes, but is not limited to, fulfilling obligations related to "know-your-customer" (KYC) requirements, customer verification, transaction monitoring, anti-money laundering (AML), and reporting obligations to regulatory bodies;
To send you marketing or advertising notices or other promotional offers: to the extent you have not objected to the use of your personal data for direct marketing purposes after proper notification, we may send you relevant marketing or advertising notices or other promotional offers about our products and services. You always have the right to opt-out of such communications;
To provide service updates and important notifications: this ensures you are informed about changes to our terms, services, or any critical security alerts;
To provide staff training: where necessary and with appropriate safeguards, we may monitor or record customer interactions to ensure quality of service and for staff development;
To interface with credit reference or fraud prevention agencies, necessary for assessing your creditworthiness, reporting credit information, and preventing fraudulent activities;
To provide customer service or support and to resolve disputes and complaints, this is to address your inquiries, concerns, and resolve any issues effectively;
To contact you by telephone using autodialed or prerecorded message calls or text (SMS) messages (if applicable): as authorized for the legitimate purposes described in this Privacy Policy, including for account management, loan reminders, and important service notifications.

We process your personal data for the purposes set out above on the following lawful grounds, in compliance with applicable data privacy laws:

To carry out our obligations to you: this includes fulfilling our responsibilities as a result of any contracts or agreements entered into between you and us (i.e., where processing is necessary for the adequate performance of our contract with you and/or to take steps requested by you prior to entering into a contract with you, such as a loan application);
To carry out our legal obligations: wherein processing is necessary for compliance with a legal obligation to which Mocasa is subject under applicable law (e.g., KYC, AML laws, regulatory reporting);
In connection with our legitimate interest: where processing is necessary for the purposes of the legitimate interests pursued by Mocasa or by a third party, except where such interests are overridden by your fundamental rights and freedoms. Our legitimate interests include (1) responsibly providing you with credit and/or other financial or technological products or services, (2) operating and expanding our business effectively, (3) marketing our relevant products and services to you and others (4) administering our systems and (5) keeping our records accurate and up to date;
With your prior consent: where we have obtained your specific, informed, and explicit consent for a particular processing activity, especially for activities not covered by a contractual obligation, legal compliance, or legitimate interest. You have the right to withdraw your consent at any time, subject to legal or contractual restrictions.

3. Who do we share your personal data with?

General

Mocasa is committed to safeguarding your personal data. We will not disclose any information containing your personal data (as defined under applicable law) to any third parties unless it is necessary and/or appropriate for our declared, specified, and legitimate purposes, to provide Mocasa's products or services (provided, that, we may share limited personal data (as defined under applicable law) with select partners for research and development). We adhere to the principles of data minimization and purpose limitation when sharing your data. Whenever practically feasible, and where the purpose can still be achieved Mocasa will only share your personal data with third parties in an anonymized or de-identified format.

You understand and agree that we may, as necessary and/or appropriate for the purposes provided above, transfer and disclose your personal data to the following categories of recipients:

Employees, subcontractors, agents, service providers, or associates of the Philippine Cashtrout Lending Corp. (including directors and officers), who require access to perform their functions and responsibilities in delivering our services and operating our business;
bank partners;intermediary, correspondent and agent banks, non-banks, quasi-banks or other financial institutions, clearing houses, clearing or settlement systems, market counterparties, upstream withholding agents, licensed electronic or mobile wallet providers, remittance and transfer companies, credit reference agencies or credit bureaus, such as TransUnion, SKYPAY and its affiliate SKYBRIDGE PAYMENT INC., for purposes of facilitating transactions, assessing creditworthiness, providing customized services upon your consent and need, fraud prevention, and complying with financial regulations;
Service providers with contractual or fiduciary relationships with Mocasa (e.g., to facilitate transaction processing, fraud prevention, cloud data storage or data transfer), who are essential for the technical and operational functioning of our services.;
telecommunication companies (e.g., Globe, TM, GOMO, Smart, Talk&Text, PLDT, Sun Cellular), where necessary for services like OTP delivery, telecommunications usage data for credit assessment (with your consent), or fraud prevention;
external collection agencies (to assist in the collection of any unpaid obligations to us) we share only the necessary data required for collection efforts. Mocasa strictly prohibits external collection agencies from using your personal data, including your photo or any sensitive information, to harass, embarrass, or engage in any unfair, unethical, or illegal collection practices. All our agreements with collection agencies mandate strict adherence to the Data Privacy Act of 2012, its Implementing Rules and Regulations, and other relevant consumer protection laws.;
external counsel, external auditors, and consultants, when necessary to resolve disputes or complaints, conduct audits, or ensure legal and regulatory compliance.;
a party in connection with any merger, acquisition, or sale of all or substantially all of the assets of Mocasa and/or any company within the Philippine Cashtrout Lending Corp.;
a party in connection with any assignment of credit or the creation of a security interest involving outstanding balances owned to Mocasa, in compliance with applicable laws;
to other public or private third parties to the extent that:

(1) we have a duty to disclose or share your personal data in order to comply with any legal obligation (e.g., the Credit Information Corporation, the Bureau of Internal Revenue, Bangko Sentral ng Pilipinas, Securities and Exchange Commission),

(2) it is necessary or appropriate to enforce or apply any agreement with you including our Terms and Conditions, and/or

(3) it is necessary or appropriate to protect the rights, property, or safety of Mocasa, the Philippine Cashtrout Lending Corp., our employees, and/or our customers, including for preventing fraud or addressing security vulnerabilities.

The above parties may also process or disclose your personal data for the purposes set forth above, so long as such processing or disclosure is in compliance with this Privacy Policy, applicable laws, and subject to appropriate data processing agreements and confidentiality clauses.

Further, While we strives to select reputable and reliable partners during our recommendation or referral of third-party products, services and ensure our own practices align with data protection standards, it is important to exercise caution that these third-party products and services are operated under their own distinct privacy statements and practices, which are beyond our control. To further protect yourself, we strongly recommend reviewing the privacy policies of these third-parties before providing any personal information to facilitate their product or services. When you navigate away from our Site (which can be determined by checking the URL in your browser’s address bar), any information you consent to provide to these external sites is subject to the Privacy Policy of the respective website operator. We cannot provide any representation or warranty regarding how your information is stored or used on financial partners and third-party servers, and we are unable to take any responsibility in any form for any violation of your information conducted by such financial partners and third-party servers.

Further, Mocasa may also share your personal data with law enforcement or other government agencies (e.g., National Privacy Commission, National Bureau of Investigation, Philippine National Police) in connection with a formal request, subpoena, court order, or similar legal procedure, or when we believe in good faith that disclosure is necessary to comply with the law, prevent physical harm or financial loss, to report suspected illegal activity, or to investigate violations of our agreements with you.

4. For how long will we retain your personal data?

Your personal data will be stored or retained by Mocasa only for the period necessary to fulfill the declared, specified, and legitimate purposes for which it was collected, as outlined in this Privacy Policy. This adherence to purpose limitation and data minimization ensures your data is not kept longer than required.
We are required to retain certain personal data for a minimum period of at least five (5) years in compliance with anti-money laundering and terrorism financing prevention regulations, as well as other specific legal and regulatory obligations to which Mocasa is subject, notwithstanding deletion requests.

We may also retain your personal data:

(i) for as long as necessary to comply with any other applicable legal or regulatory obligation;

(ii) whenever such retention is expressly authorized by law; and

(iii) for the establishment, exercise, or defense of legal claims or defenses.

Information that is no longer needed for the purpose(s) for which it was collected shall be deleted or anonymized, except as necessary to comply with legal obligations.

5. Where do we process, store or transfer your personal data?

We are committed to ensuring that adequate safeguards are in place in accordance with applicable law and/or the Philippines data protection requirements. The safeguards we will use will depend on the circumstances and the party to whom we transfer your personal data. Your personal data may be processed by any of the parties described above, who are also bound by appropriate data protection commitments. Mocasa employs all reasonable and appropriate organizational, technical, and physical security measures to protect your personal data against accidental or unlawful destruction, alteration, unauthorized disclosure, access, misuse, or any other unlawful processing, as required by applicable law and industry benchmark practices.

Specifically, Mocasa implements the following security measures to protect your personal data: (a) all data transmitted between your device and our servers is encrypted using HTTPS/TLS protocols; (b) personal data stored on our servers at https://service.mocasa.com is encrypted at rest; (c) access to personal data is restricted to authorized personnel on a need-to-know basis, with role-based access controls; (d) we conduct regular security assessments and vulnerability testing of our systems; and (e) we maintain incident response procedures to address any potential data breaches in accordance with the notification requirements of the Data Privacy Act of 2012 and NPC Circular 16-03.

6. Automated decisions and profiling

To provide you with rapid, efficient, and tailored services, we may make certain decisions in relation to our provision of products and services to you by using automated decision-making (ADM) processes, which may involve profiling, in relation to our provision of products and services. These processes operate with limited to no human involvement and are based on the personal data collected about you.

Credit decisions

When you apply for credit or seek eligibility for our products and services, well use automated processing to make decisions regarding your application, including whether to lend to you and/or make other decisions about your eligibility for our products and services, based on the personal data collected. This automated processing enables us to provide rapid, responsive, and tailored credit services to customers who may not have traditional credit histories, prior bank or other financial data, or income from formal sources.

Our credit and underwriting models utilize data science and machine-learning technology to process your personal data and assess your creditworthiness. The associated processing of your personal data is automated and little to no human intervention is involved. Using such automated processes to assess your creditworthiness means we may automatically decide that you may be ineligible for our services or ineligible for credit of a particular amount or tenure. Our credit and underwriting models are regularly tested and validated to ensure they remain fair, accurate, unbiased, and compliant with all applicable laws and regulations.

Detecting fraud

Mocasa also utilizes automated processes to detect, combat and prevent fraud, attempted fraud, money laundering, and other illegal uses of our services. Our fraud models may automatically identify patterns or behaviors that indicate that a certain individual poses a fraud or money laundering risk (e.g., if our processing reveals information or behavior consistent with money laundering or known fraudulent activity, if the activity is inconsistent with prior activity on our platform or if an individual appears to be hiding their true identity). If our fraud models determine that processing a transaction or approving a certain individual creates a risk of fraud, that individual’s access may be suspended or refused.

7. Your rights as a data subject

As a data subject under the Data Privacy Act of 2012 (DPA) and its Implementing Rules and Regulations (IRR), you are afforded specific rights concerning your personal data. Mocasa is committed to upholding these rights. You may contact us to exercise your rights as a data subject at support.user@mocasa.com. Please note that there may be occasions when you wish to exercise your rights and we are unable to agree to your request (e.g., because we have compelling legitimate ground for using or processing your personal data or because we we need to retain your personal data to comply with a legal obligation).

Right to be informed

We must provide you with certain information related to how we collect your personal data, details on how we collect, use, and process your personal data (and our legal basis for doing so), who we share your personal data with, where we obtained your personal data, and your rights as a data subject. This information is provided within the Mocasa App and in this Privacy Policy in clear language.

Right to access

You may ask for a copy of the personal data (as defined under applicable law) we hold concerning you (and your Information related to such personal data), as well as information on how such personal data has been processed and obtained, the names and addresses of the recipients to whom your personal data has been disclosed or transferred, unless providing some or all of it would adversely affect the rights and freedoms of others or applicable law (such as trade secret protection or a court order) specifically requires that we do not comply with your request for certain highly sensitive or proprietary information. The right to access does not apply to analyses algorithms or methodologies made by the Mocasa with respect to your personal data, which are proprietary know-hows and trade secrets belonging to Mocasa.

Right to rectification

You may ask us to correct any personal data which you believe to be inaccurate. We will promptly update any such personal data. In connection with your request, you may be required to provide supporting evidence or other documentation so that we may verify the accuracy of the request.

Right to erasure or blocking

You may make requests to us regarding the suspension, withdrawal, blocking, removal, or destruction of your personal data from our systems under certain circumstances. You may ask us to erase your personal data in the following instances:

If you believe it’s no longer necessary for us to retain such personal data (such as a legal obligation or contractual necessity) for us to continue processing it;
If you do not believe we have legitimate ground for processing it;
If you think we are using such personal data for unauthorized purposes;

If you think applicable law or a court order requires that we do so; or
If you believe the personal data is incomplete, false, or unlawfully obtained;

To exercise your right to erasure or to request deletion of your account and associated personal data, you may: (a) navigate to Settings > Accounts & Security > Delete Account within the Mocasa App to initiate an account deletion request; or (b) contact us at support.user@mocasa.com with the subject line 'Account Deletion Request'. Upon receipt of a valid request, Mocasa will process your request within five (5) working days, subject to applicable legal retention requirements as described in Section 4 of this Privacy Policy. Please note that account deletion is irreversible and will result in the termination of all active services and outstanding loan agreements must be settled prior to account deletion.

Right to restrict or object to processing

Where the processing of your personal data is based on your consent or our legitimate interest, you may ask us to stop using your personal data (as defined under applicable law) when:

You think such personal data is inaccurate, incomplete, or unlawfully obtained;
you think your personal data is used for unauthorized purposes;
if you don’t want us to destroy such personal data because you need it for legal proceedings, for the fulfillment of contractual or legal obligation;
if you’ve informed us that we don’t have a legitimate reason for using it and we’re considering your request;

Right to data portability

If we’re using your personal data on the basis of your consent or because we need it to carry out our contractual obligations to you, you can ask us to give you your personal data (as defined under applicable law) in a structured, commonly-used and machine-readable format or have it transmitted to another data controller. The right to data portability is limited to data that you provided actively and knowingly, or that you provided by virtue of the use of our services.

Right to file a complaint

You have the right to file a complaint with the relevant government agencies for any violation of your rights as a data subject. Please note that there may be occasions when you wish to exercise your rights and we’re unable to agree to your request (e.g., because we have compelling legitimate grounds for using or processing your information or because we need to retain your information to comply with a legal obligation).

Mocasa is committed to transparent and responsible management of the permissions you grant us. We will only access your device permissions (e.g., SMS, camera) for the specific, legitimate purposes outlined in this Privacy Policy.

Once the specific purpose for which an application permission was granted has been fulfilled, and where there are no other applicable lawful criteria requiring continuous access to that particular permission for the provision of our services or compliance with legal obligations, the Mocasa App will:

prompt you through appropriate in-app notices (e.g., just-in-time, pop-up notifications) to inform you that access to the relevant application permission may already be revoked, and guide you on how to turn it off or disallow it through your device settings.

Where technically feasible and aligned with device operating system capabilities, the Mocasa App will automatically turn off such permissions by default after the purpose is achieved, provided it does not impair essential, ongoing services for which explicit, continued consent or legal basis exists.

8. Advertising and Marketing

If you no longer wish to receive advertising, marketing, or promotional messaging, please contact us at support.user@mocasa.com and we will remove you from such communication lists.

9. Consequences of not providing us with your personal data

You are not required to provide us with your Information or any associated personal data (as defined under applicable law) and you may withdraw your consent from the use or processing of such Information or personal data at any time. However, if you do so, we will be unable to provide our current or future products and services to you, and we reserve the right to terminate our relationship with you, as permitted under applicable law, discontinue our relationship with you as we would be unable to fulfill our contractual obligations.

Further, to the extent we have a legitimate interest in retaining your Information and/or associated personal data (as defined under applicable law), we may do so. For example, if you have requested that we erase your Information or associated personal data (as defined under applicable law), but you have an outstanding balance with Mocasa, we may retain your Information or associated personal data (as defined under applicable law), in order to continue collection efforts. We are also required to retain your personal data for a period of at least five (5) years in compliance with anti-money laundering and terrorism financing prevention regulations, notwithstanding requests for deletion.

10. Consent and Authorization

By downloading the Mocasa App and clicking “Agree” on the permissions overview screen, you:

Confirm that you have read, understood, and accept the terms of this Privacy Policy, which comprehensively outlines how your personal data is collected, used, shared, and otherwise processed;
Acknowledge and agree to Mocasa's access to necessary device permissions, as more fully described above and detailed within the permissions overview screen. You understand that access to certain device data is essential for the functionality, security, and credit assessment features of the Mocasa App;
Grant your explicit consent to Mocasa to collect, use, share, or otherwise process your personal data, which may include personally identifiable information, personal information, sensitive personal information (in each case, as defined under applicable law), for the purposes where consent is the lawful basis as outlined in this Privacy Policy;
certify that all personal data you have provided and will provide to Mocasa is true, accurate, and correct to the best of your knowledge and belief;
authorize Mocasa to verify/investigate the accuracy of your personal data through various means, as necessary for the provision of our services, credit assessment, and fraud prevention.;
acknowledge that Mocasa may be required to disclose your personal data to regulatory and governmental bodies such as the Securities and Exchange Commission, Bangko Sentral ng Pilipinas, Anti-Money Laundering Council, Bureau of Internal Revenue, Credit Information Corporation, credit bureaus and/or any other governmental body, in compliance with its legal obligations and in accordance with the principle of proportionality.

11. What device permissions does the Mocasa app access?

Depending on your Device Operating System and the version of the Mocasa app installed on your device, the following device permissions may be accessed by the Mocasa App. We encourage you to keep your Mocasa App updated to make sure you can experience the latest and most secure features.

Below are the device permissions Mocasa may access, along with their purposes:

SMS – After your explicit authorization, Mocasa will collect and analyze designated financial transaction SMS messages on your device — such as bank notifications, payment confirmations, and e-wallet alerts — to evaluate your income and spending patterns for credit assessment. We access only transaction notifications from public financial service providers (identified by their registered sender names or short codes), containing details such as sender name, transaction amount, merchant name, and date. We strictly do not access personal conversations from individual mobile numbers, One-Time Passwords (OTPs), or any verification codes. The collected data will be encrypted and transmitted to https://service.mocasa.com. We do not share SMS data with third parties without your explicit consent. This permission is strictly optional and independent of your loan application. You may decline during the authorization process or revoke permission at any time through Settings > Applications > Mocasa > Permissions on your device;
Calendar – Mocasa requests Write Calendar permission to remind you of repayment due dates on your loans. We will only add and modify calendar events related to Mocasa. Other events you have set in your device's calendar will never be read, modified, or deleted;
Camera - Mocasa will ask you to upload a photo of your ID, proof of income, or a selfie for the purpose of identification, to facilitate identity verification processes. You can choose to take photos on-site (only need Camera permission) or access media library or files to pick a photo (only need Photo permission);
Contacts – Mocasa does NOT request the READ_CONTACTS permission and does not access your device's address book or contact list. Instead, during the loan application process, you will be prompted to manually select and provide one or more personal references or emergency contacts. Only the contact information (name and phone number) that you voluntarily select and submit will be collected, transmitted, and stored. This information is used solely for credit evaluation, identity verification, and for identifying and contacting character references or guarantors for your loan application. Mocasa has no ability to access, read, or retrieve any contacts from your device beyond those you explicitly choose to provide. Meanwhile, please keep in mind that it is YOUR duty to acquire prior consent from your contact for our connection with such contact, by providing us with your contacts, we assume you have acquired such consent;
Location – This helps our fraud models verify your identity and detect suspicious activities. Mocasa also uses this information in its credit and underwriting models to determine whether you are eligible for Mocasa’s services. We also use location data for research purposes;
Read phone status and identity – We will collect and use your device ID (advertising ID, BSSID, IMEl, Android ID) to ensure the security of your transactions and payments. Granting this permission will help us check if you are performing sensitive actions on commonly used devices. This will effectively reduce the risk of your account being compromised or unauthorized access.

Third-party SDKs collect some of our non-sensitive device information (for example: IDFV, Android ID, system version, device manufacturer, brand and model, etc.) for statistical and analytical purposes to optimize our experience on Mocasa. We only allow third-party SDKs to collect non-sensitive data with your explicit consent.

Run foreground service – This permission is needed by the Mocasa app to upload photos for KYC processes, ensuring a smooth user experience;
Run at startup – This allows the Mocasa app to send notifications to your device upon restart of your device;
View and change network connectivity – This is used to notify the Mocasa app when network connectivity changes so that we can determine whether you are connected to internet or not;
View Wi-Fi connections – Mocasa uses the IP address and network type of your device to detect and prevent fraudulent activities;
Receive data from the internet – Mocasa needs this permission in order to send requests through the app and to allow the app to access the internet;
Prevent phone from sleeping – This permission is required by some of the features and services within the Mocasa App, such as in-app messaging;
Installed Application Information – Mocasa no longer requests the QUERY_ALL_PACKAGES permission within the application interface. However, with your explicit consent as provided through this Privacy Policy, Mocasa may collect and analyze non-sensitive application identifiers from your device for the purposes of fraud prevention, cybersecurity risk assessment, and credit evaluation. This process involves comparing installed application identifiers against a list of known malware or suspicious applications to detect whether your financial transaction environment is safe. Mocasa does not have access to any private content within other applications. Unmatched applications are not visible to Mocasa. The collected data is encrypted and transmitted to https://service.mocasa.com and will not be shared or sold to third parties in any form.

12. General

If you have questions about this Privacy Policy or about your rights as a Data Subject, you can contact our Data Protection Officer at:

Roson, Trisha Cassandra C.- Data Protection Officer - Philippine Cashtrout Lending Corp..

4/F King's Court 1 BLDG., 2129 Chino Roces AVE., Pio Del Pilar, Makati, Makati City, Metro Manila

email address: compliance@mocasa.com

To improve and continue our services to you and to comply with data privacy regulations that may be issued from time to time, this Privacy Policy may be updated. You can check the latest version by visiting www.mocasa.com and clicking "Privacy Policy" at the bottom.

13. Others

When you activate the use, we will collect your device information (IDFV, AndroidID, operating system, device model, device manufacturer, system version, etc.) through ThinkingData for statistical analysis of your use effect in the app.

Additionally, your personal data may be collected, used, processed, stored, accessed, updated, shared, transferred or disclosed to the credit insights service provider/s using the Subscriber data obtained from Mobile Network Operators, such as but not limited to, Globe Telecom, Inc., for the purpose of “telco score” using telecommunications usage data. The credit scoring (telco score) and analytics between the Bank and credit insights service providers are conducted for the purpose of credit evaluation related to your credit application and maintenance thereof.

Statement of Applying for Installed Application Permission

Note: As of early 2025, the QUERY_ALL_PACKAGES permission has been removed from the Mocasa App's runtime permission requests. The following statement is retained for transparency purposes to describe how Mocasa may process installed application information with your consent as provided through this Privacy Policy, and to ensure continuity of disclosure for users who previously granted this permission.

Please allow Mocasa to compare the installed applications on your device with a list of suspected malware/viruses to detect whether your financial transaction or credit application environment is safe.

Therefore, Mocasa needs to upload and analyze the NON-SENSITIVE application identifiers matched in the above process to protect Mocasa from any cyber security risk. Mocasa does not have access to any of your private content in other applications. Unmatched apps will not be visible to Mocasa to protect your privacy. In this way, Mocasa can warn you of the risk of privacy leakage before you enter the password or key information such as your ID number.

We strongly recommend that you agree to this authorization. If you choose not to authorize after fully understanding, you will not be able to use Mocasa's core financial functions or other major functions, such as applying for credit or a loan.

After your explicit authorization, Mocasa will encrypt and upload the above information to https://service.mocasa.com securely. These data will not be shared or sold to third parties in any form.

Statement of Applying for Contacts Permission

To accurately evaluate your personal credit and to identify and contact character references or guarantors for your loan application, Mocasa provides an in-app mechanism for you to manually select and submit one or more personal references or emergency contacts.

Mocasa does NOT request the READ_CONTACTS permission and does not access, read, or retrieve your device's address book or full contact list. Only the specific contact information (name and phone number) that you voluntarily select and provide through the application interface will be collected, transmitted using HTTPS encryption, and stored on our servers.

Your selected contact information will only be stored and used for credit evaluation and for identifying and contacting character references or guarantors. Mocasa will NOT access or collect any contact data from your device beyond what you explicitly choose to submit. Your selected contacts will NOT be shared or sent to third parties under any circumstances except as otherwise explicitly consented to by you within this Privacy Policy (e.g., for data sharing with financial partners or for specific outsourced collection efforts where relevant and separately authorized).

You may choose not to provide contact references. However, please be aware that providing emergency contacts is often essential for verifying your creditworthiness and for account security. Without such information, you may not be able to use certain Mocasa financial services, such as applying for a credit limit.

If you wish to revoke historical authorizations and erase all your personal information, please contact support.user@mocasa.com. We will process your application within five (5) working days.