orionplay Privacy Policy

1. Introduction & Scope of This Policy

This Privacy Policy applies to all personal data collected by orionplay in connection with the operation of the online gaming platform at orionplay.asia, including data collected during account registration, identity verification, gaming activity, financial transactions, customer support interactions, and platform usage generally.

This Policy applies to all players and users who access or use the orionplay platform, regardless of their location, provided that orionplay's services are intended exclusively for residents of the Republic of the Philippines who are aged 21 years or older.

This Policy does not apply to third-party websites, payment providers, or game developers whose own privacy policies govern their respective data practices. orionplay is not responsible for the data practices of third parties, including those accessible through links on the platform.

For a comprehensive understanding of your rights and obligations when using the orionplay platform, please read this Privacy Policy in conjunction with the Terms & Conditions and the Responsible Gaming Policy.

2. Identity of the Data Controller

For the purposes of the Data Privacy Act of 2012 and its Implementing Rules and Regulations, orionplay is the Personal Information Controller (PIC) in respect of the personal data collected through the orionplay platform.

As a PAGCOR-licensed gaming operator, orionplay has appointed a Data Protection Officer (DPO) responsible for overseeing compliance with RA 10173 and the NPC's regulations. Contact details for the DPO are provided in Section 15 of this Policy.

orionplay's processing of personal data is registered with the National Privacy Commission (NPC) as required by applicable regulations for personal information controllers processing personal data of one thousand (1,000) or more individuals.

3. Categories of Personal Data We Collect

orionplay collects the following categories of personal data, limited to what is necessary and proportionate for the purposes described in this Policy:

4. How We Collect Your Personal Data

orionplay collects personal data through the following methods:

• Direct collection: Information you provide during account registration, profile completion, KYC document submission, deposit or withdrawal requests, support interactions, or responsible gaming tool activation.
• Automated technical collection: Data collected automatically when you access the orionplay platform, including IP addresses, device identifiers, browser type, and session activity logs, through cookies and similar tracking technologies (see Section 11).
• Payment processor data: Transaction references and payment confirmation data provided by GCash, Maya, BPI, BDO, Metrobank, and other payment service providers when you initiate deposits or withdrawals.
• Third-party identity verification services: Where orionplay uses NPC-compliant third-party KYC and identity verification providers, those providers may return verification results and document authentication outputs to orionplay.
• PAGCOR and regulatory sources: orionplay may receive information from PAGCOR or other regulatory authorities in connection with licensing requirements, player protection programs, or regulatory investigations.

5. Purposes of Personal Data Processing

orionplay processes your personal data for the following specific, legitimate purposes:

1. Account management: Creating, maintaining, and operating your orionplay player account, including authentication, password management, and account settings.
2. Service delivery: Providing access to the orionplay gaming platform, processing game outcomes, and displaying your account balance and transaction history.
3. Financial processing: Processing deposits, withdrawals, and internal account transfers; reconciling transactions; and resolving payment disputes.
4. Identity verification and KYC compliance: Verifying your identity in compliance with PAGCOR's Know Your Customer requirements and the Anti-Money Laundering Act (RA 9160 as amended).
5. PAGCOR regulatory compliance: Fulfilling all reporting, record-keeping, and disclosure obligations imposed by PAGCOR as a condition of orionplay's gaming license.
6. Anti-Money Laundering (AML) obligations: Monitoring transactions for suspicious activity and reporting covered or suspicious transactions to the Anti-Money Laundering Council (AMLC) as required by law.
7. Responsible gaming: Administering deposit limits, loss limits, session reminders, cool-off periods, and self-exclusion tools; monitoring for patterns indicative of problem gambling in accordance with PAGCOR's responsible gaming framework.
8. Security and fraud prevention: Detecting, preventing, and investigating unauthorized access, fraud, cheating, collusion, bonus abuse, and other prohibited activities.
9. Customer support: Responding to your queries, resolving complaints, and providing technical assistance.
10. Platform improvement: Analyzing aggregated, anonymized usage data to improve platform performance, user experience, and game selection — in ways that do not individually profile or identify you without consent.
11. Promotional communications: Where you have provided explicit consent, sending you information about promotions, bonuses, and new features available at orionplay. You may withdraw this consent at any time.
12. Legal proceedings: Establishing, exercising, or defending legal claims in connection with your use of the orionplay platform.

6. Legal Bases for Processing

Under Section 12 and Section 13 of the Data Privacy Act of 2012, orionplay relies on the following legal bases for processing personal data:

• Performance of a contract: Processing necessary to fulfill the obligations under the orionplay Terms & Conditions, including account operation, game delivery, and financial transactions.
• Compliance with a legal obligation: Processing required to comply with PAGCOR licensing conditions, the Anti-Money Laundering Act, the Data Privacy Act itself, NPC regulations, and other applicable Philippine laws.
• Legitimate interests: Processing necessary for orionplay's legitimate interests in platform security, fraud prevention, and responsible gaming monitoring, where these interests are not overridden by your rights and freedoms.
• Consent: Processing for marketing communications and optional data uses, where your freely given, specific, informed, and unambiguous consent has been obtained. You may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.
• Protection of vital interests: In exceptional circumstances, processing may be necessary to protect the vital interests of a data subject, such as in emergency responsible gaming interventions.

7. Data Sharing & Third-Party Disclosure

orionplay does not sell, rent, or trade your personal data to any third party for commercial purposes. Your personal data may be disclosed to the following categories of recipients, strictly on a need-to-know basis and subject to appropriate data processing agreements:

• PAGCOR: As orionplay's licensing authority, PAGCOR may require access to player data and transaction records as part of regulatory oversight, audits, or investigations.
• Anti-Money Laundering Council (AMLC): Covered and suspicious transaction reports as required under RA 9160 and its amendments.
• Payment service providers: GCash (G-Xchange Inc.), Maya (PayMaya Philippines Inc.), BPI, BDO, Metrobank, 7-Eleven, and other payment processors receive the minimum necessary payment reference data to process your transactions.
• Identity verification providers: Third-party KYC and identity verification service providers engaged by orionplay to process document authentication, subject to data processing agreements requiring compliance with RA 10173.
• Game software providers: Third-party game developers and live casino studios may receive anonymized or pseudonymized session data necessary for game operation and RTP certification. Full identity data is not shared with game providers.
• Legal and regulatory authorities: Philippine courts, law enforcement agencies, and other government authorities where orionplay is required by law, regulation, or valid legal process to disclose personal data.
• Professional advisers: Lawyers, auditors, and compliance consultants engaged by orionplay, subject to professional confidentiality obligations.

8. Data Retention Periods

orionplay retains personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. The following minimum retention periods apply:

Following expiry of the applicable retention period, personal data will be securely deleted or anonymized in a manner consistent with NPC guidelines on data disposal. Anonymized aggregate data from which individual players cannot be identified may be retained indefinitely for analytics purposes.

9. Data Security Measures

orionplay implements comprehensive technical, organizational, and physical security measures to protect your personal data against unauthorized access, disclosure, alteration, loss, or destruction. These measures include, but are not limited to:

• Encryption in transit: All communications between your device and orionplay's servers are protected by TLS 1.3 encryption.
• Encryption at rest: Sensitive personal data stored on orionplay's servers, including KYC documents and financial data, is encrypted using AES-256 or equivalent industry-standard encryption.
• Access controls: Strict role-based access controls ensure that orionplay personnel access personal data only to the extent required for their specific job function. Access to sensitive data is logged and regularly audited.
• Multi-factor authentication: Administrative access to orionplay's systems requires multi-factor authentication. Players are strongly encouraged to enable SMS-based two-factor authentication on their accounts.
• Network security: orionplay's infrastructure is protected by firewalls, intrusion detection systems, and regular vulnerability assessments and penetration testing.
• Data minimization: orionplay does not retain full payment card numbers or complete bank account numbers on its servers. Payment references are stored in tokenized form.
• Personnel training: All orionplay staff who handle personal data receive regular training on data protection obligations under RA 10173 and orionplay's internal data handling policies.

In the event of a personal data breach that poses a real risk of serious harm to affected data subjects, orionplay will notify the National Privacy Commission (NPC) within seventy-two (72) hours of becoming aware of the breach, and will notify affected data subjects within the timeframe prescribed by NPC guidelines.

10. Your Data Subject Rights Under RA 10173

As a data subject under the Data Privacy Act of 2012, you have the following rights with respect to your personal data held by orionplay. These rights may be exercised by contacting orionplay's Data Protection Officer using the contact details in Section 15:

To exercise any of the above rights, please submit a written request to orionplay's Data Protection Officer. orionplay will respond within fifteen (15) working days of receiving a verifiable request. Some rights are subject to limitations where legal retention obligations under PAGCOR regulations or RA 9160 require data to be maintained.

11. Cookies & Tracking Technologies

orionplay uses cookies and similar technologies on the platform to enable core functionality, analyze usage patterns, enhance security, and — with your consent — to deliver relevant promotional content. The following categories of cookies are used:

• Strictly necessary cookies: Essential for platform operation, including maintaining your login session, storing preferences, and enabling security features. These cookies cannot be disabled without impacting core platform functionality.
• Analytics cookies: Used to collect anonymized data about how visitors use the orionplay platform (pages visited, session duration, error events). This data is used to improve platform performance and does not identify individual users.
• Functional cookies: Remember your preferences (language settings, responsible gaming display options) to provide a more personalized experience on return visits.
• Security cookies: Help detect and prevent fraudulent activity, protect against automated account attacks, and maintain the integrity of login sessions.

You may manage cookie preferences through your browser settings. Note that disabling strictly necessary cookies will prevent access to the orionplay platform. Our cookie notice on first visit provides options for consent to non-essential cookie categories.

12. Minors & Age Policy

The orionplay platform is strictly intended for persons who are twenty-one (21) years of age or older, as required by PAGCOR regulations for casino-category online gaming in the Philippines. orionplay does not knowingly collect or process personal data of persons under the age of 21.

If orionplay discovers or reasonably suspects that personal data of a person under the age of 21 has been collected — including through misrepresentation of age during registration — the account will be immediately closed, all funds will be returned to the payment source, and all associated personal data will be deleted, except to the extent that legal obligations (such as AML record-keeping requirements) require retention.

If you believe that orionplay has inadvertently collected personal data of a person under 21 years of age, please contact the Data Protection Officer immediately using the details in Section 15.

13. Cross-Border Data Transfers

orionplay may engage third-party service providers and processors located outside the Philippines — including game software developers, KYC verification services, and cloud infrastructure providers — whose services require the transfer of personal data across national borders.

In accordance with Section 21 of the Data Privacy Act of 2012 and NPC Advisory Opinion No. 2017-049, orionplay ensures that any cross-border transfer of personal data is subject to appropriate safeguards, which may include:

• Contractual arrangements (data processing agreements) requiring the recipient to apply data protection standards equivalent to those required under RA 10173;
• Transfer to countries or organizations recognized by the NPC as providing an adequate level of data protection;
• Other appropriate safeguards as prescribed by the NPC from time to time.

Details of the specific countries or regions to which your data may be transferred are available from orionplay's Data Protection Officer upon request.

14. Amendments to This Privacy Policy

orionplay may update this Privacy Policy from time to time to reflect changes in our data processing practices, new regulatory requirements, or improvements to our privacy program. Material changes to this Policy will be communicated to registered players via SMS to their registered Philippine mobile number at least seven (7) calendar days prior to the effective date of the change.

Non-material changes (such as clarifications or typographical corrections) may be made without prior notice. The "Effective" date and version number at the top of this page reflect the most recent revision. Continued use of the orionplay platform following the effective date of any amendment constitutes your acknowledgment of the revised Policy.

Where a change to this Policy requires fresh consent for a particular processing activity, orionplay will seek your consent through appropriate mechanisms before proceeding with the new processing.

15. Contact Information & Data Protection Officer

For any questions, requests, or concerns regarding this Privacy Policy, or to exercise your data subject rights under the Data Privacy Act of 2012, please contact orionplay's designated Data Protection Officer through the following channels:

• Live Chat: Available 24/7 via the orionplay platform — request to be connected to the Privacy & Data Protection team
• Email (plain text — not a clickable link): [email protected] — subject line: "Data Privacy Request — [Your Account Username]"

orionplay will acknowledge receipt of your privacy request within two (2) business days and provide a substantive response within fifteen (15) working days, as required by NPC regulations. Complex requests may require additional time, in which case orionplay will notify you of the extended timeline and reason.

If you are not satisfied with orionplay's response to your privacy concern, you have the right to lodge a complaint with the National Privacy Commission (NPC) of the Philippines through their official channels.