ACOM Consumer Finance Corporation Data Protection and Privacy Policy
Last updated: May 11, 2026
Purpose Statement
This Data Protection and Privacy Policy explains how ACOM Consumer Finance Corporation (“ACOM,” “we,” “us,” or “our”) collects, uses, protects, and manages your personal data. It also describes your rights as a data subject and how you may exercise them. ACOM upholds the principles of transparency, legitimate purpose, and proportionality in all stages of personal data processing.
I. POLICY STATEMENT AND CORPORATE INFORMATION
ACOM Consumer Finance Corporation (“ACOM”) is a corporation duly organized under the laws of the Republic of the Philippines, with principal office at 10th Floor, 45 San Miguel Building, 45 San Miguel Avenue, Ortigas Center, Pasig City, Metro Manila. Our official website is https://www.acom.com.ph
ACOM recognizes its obligations under Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012, its Implementing Rules and Regulations, and other applicable laws. We are committed to ensuring that all personal data in our possession is lawfully collected, processed, stored, used, disclosed, and disposed of, and that appropriate organizational, physical, and technical safeguards are in place to protect such data against unauthorized access, alteration, loss, or disclosure.
By selecting the applicable consent options in the declaration page, signing electronically, or otherwise submitting your application, you acknowledge that you have read and understood this Policy and consent to the collection, use, storage, and processing of your personal data in accordance with this Policy and applicable laws.
If you provide personal data relating to another individual, you represent and warrant that such individual has been informed of, and has consented to, the collection, processing, and disclosure of their personal data in accordance with this Policy.
We may collect, process, and disclose personal data in connection with the enforcement of contractual rights, including the collection of outstanding obligations. In the event of default and inability to contact you through the details provided, you authorize ACOM to use lawful skip-tracing methods and to engage duly authorized third-party service providers for debt recovery, subject to compliance with applicable laws.
II. LEGAL BASIS FOR PROCESSING
ACOM shall process personal data where any of the following lawful bases exist, which may include but are not limited to:
1. Consent – when you have given explicit consent for the processing of your personal data for one or more specific purposes.
2. Contractual Necessity – when processing is necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering into a contract.
3. Legal Obligation – when processing is necessary to comply with obligations imposed by applicable laws, regulations, or lawful orders of competent authorities.
4. Legitimate Interests – when processing is necessary for the legitimate interests pursued by ACOM or by a third party, except where such interests are overridden by your fundamental rights and freedoms.
5. Vital Interests – when processing is necessary to protect your life or the life of another individual.
6. Public Interest – when processing is necessary to carry out a task in the public interest or in the exercise of official authority vested in ACOM, as authorized by law.
Where processing is based on your consent, you have the right to withdraw such consent at any time, without affecting the lawfulness of processing carried out prior to withdrawal.
III. SCOPE AND DEFINITIONS
This Policy applies to all personal data processed by ACOM, whether in physical or electronic form, and regardless of storage medium or location. It applies to all employees, contractors, service providers, and any other persons acting on behalf of ACOM who have access to personal data.
For purposes of this Policy:
1. Personal Data means any information, whether recorded in material form or not, from which the identity of an individual is apparent or can reasonably and directly be ascertained, or which, when combined with other information, would directly and certainly identify an individual.
2. Processing means any operation or sets of operations performed upon personal data, including but not limited to collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, use, consolidation, blocking, erasure, or destruction.
3. Data Subject refers to any individual whose personal data is processed by ACOM.
IV. INFORMATION WE COLLECT
ACOM may collect the following categories of personal data, including but not limited to:
• Basic Identifiers: Full name, date of birth, sex, marital status, nationality, addresses, government-issued identification details, and photographs/selfies.
• Contact Information: Mobile number, email address, landline number, office telephone number, and nominated character reference.
• Employment and Financial Data: Employer name and address, business contact details, industry, position, date of employment, and monthly salary.
• Banking and Payment Details: Bank or e-wallet (e.g., GCash) name and account number.
• Transaction Data: Loan applications, transaction history, payment reminders, billing notifications, account correspondence, and credit history.
• Device and Usage Data: IP address, device identifiers, technical specifications, and application activity logs.
• Media and Recordings: CCTV footage, call and voice recordings (with consent).
• Character Reference: Names and contact details of individuals identified by you for verification or notice in case of inability to reach you. By providing this information, you confirm that you obtained their prior consent to share their contact details with us. The sole purpose of contacting them is to help reconnect with you. No loan details, account information, or other confidential data will be disclosed to them without your authorization or as otherwise allowed by law.
• Sensitive Personal Information: Certain personal data may qualify as sensitive personal information or otherwise confidential personal information under applicable privacy laws. Data obtained through credit investigation, field collection, and lawful skip tracing, including mobile numbers, addresses, signatures, sources of funds, supporting documents, credit standing, and loan payment history. Such data is processed with higher standards of confidentiality and access control.
• Publicly Available Data: Information from publicly available business contact information (such as social media), lawful public records, credit bureaus, fraud prevention databases, and other lawful sources reasonably necessary for fraud prevention, contact validation, regulatory compliance, or contractual enforcement.
Photographs and Recordings:
As part of ACOM’s lawful field investigation, verification, or collection activities, photographs may be taken only where reasonably necessary for identity verification, fraud prevention, documentation of verification efforts, or evidentiary purposes.
Incidental capture of third parties shall be minimized, and their consent shall be sought where practicable. Recordings of conversations may also be made for legitimate business purposes, including verification, compliance, and service quality, with the prior consent of the data subject. Refusal to consent may limit ACOM’s ability to provide certain services. All such data will be securely stored and retained only as long as necessary for verification or dispute resolution purposes.
V. METHODS OF COLLECTION
Personal data may be obtained:
1. Directly from you, including application forms, contracts, agreements, interviews, field credit and collection activities, written correspondence, and through webforms and IT systems.
2. From identity confirmation documents presented, limited to the information required for identity verification under law and for the intended purpose of use.
3. From verification processes conducted by ACOM on the information you have provided.
4. Through our applications, including photographs or selfies for identity verification and fraud prevention.
5. Through website cookies and analytics tools, which are generally used for functionality, security, and service improvement and are not intended to directly identify users unless otherwise disclosed.
6. From your nominated character reference, who you confirm have consented to be contacted.
7. From credit databases, credit bureaus, and the Credit Information Corporation, in accordance with Republic Act No. 9510.
8. From ACOM’s own records of your previous transactions.
9. From publicly available business contact information or other publicly accessible lawful sources, such as social media accounts and public records of government agencies, to the extent reasonably necessary for fraud prevention, contact validation, or contractual enforcement.
10. From third parties, including payment partners, credit bureaus, regulators, law enforcement agencies, and other service providers.
VI. PURPOSES OF PROCESSING
Personal data is processed for the following purposes:
A. Loan and Account Processing
• To verify identity and personal or financial information.
• To evaluate creditworthiness and assess eligibility for products and services.
• To perform credit scoring and comply with know-your-customer and anti-money laundering regulations.
• To maintain account records and transaction history.
• To create and manage your ACOM user account.
• To recover debts and trace contact details in the event of default.
• To detect, investigate, and prevent fraud or other unlawful activities.
B. Payment Processing and Reminders
• To process and confirm payments through partner payment channels.
• To send payment reminders or follow-ups through lawful communication methods.
• To use publicly available or third-party contact information for debt recovery..
C. Marketing and Customer Engagement
• To inform you about products, services, promotions, or surveys (unless you opt out).
• To address service concerns, inquiries, and complaints.
D. Research and Analytics
• To conduct data analytics and profiling to improve products and services.
• To perform demographic and market research, customer trend analysis, and statistical reporting.
E. Legal Compliance
• To comply with statutory and regulatory requirements, including those of the NPC, BIR, SEC, and CIC.
• To respond to lawful orders and enforcement requests.
• To protect privacy, proof identity may be required before fulfilling a request. Responses will be provided for valid, verifiable requests.
• To participate in audits and inspections mandated by authorities.
F. Character Reference Use
• To verify application details or update contact information.
• To contact you through your nominated character reference if you cannot be reached directly.
GG. Application and Contact Information
• To process data submitted via applications and contact forms.
• To verify information, conduct credit checks, and enforce loan agreements.
Personal data shall be processed only to the extent necessary to achieve the specific purpose for which it was collected.
VII. DISCLOSURE AND TRANSFER OF PERSONAL DATA
ACOM shall disclose personal data only as necessary to fulfill the purposes stated in this Policy or as required by law. This may include transfers to, credit bureaus, service providers, government authorities, and law enforcement agencies, within or outside the Philippines, subject to applicable data protection safeguards.
All third parties processing data on behalf of ACOM are bound by strict confidentiality and data protection obligations under written contracts.
We implement measures to ensure that recipient jurisdictions have adequate personal data protection laws or that contractual safeguards are in place consistent with NPC Circular 16-03 on Cross-Border Data Transfers.
Loan performance must be reported to credit bureaus, which may affect your ability to obtain credit in the future. False or fraudulent information may be shared with fraud prevention agencies and law enforcement authorities.
VIII. DISCLOSURE ON KEEPING YOUR INFORMATION UPDATED
To comply with the Anti-Money Laundering Act (AMLA) and related regulations, and to maintain accurate records, ACOM may ask you to provide updated information periodically. This may include updated government-issued IDs, proof of income, or other supporting documents.
We also ask that you inform us of any changes in your personal details, contact numbers, employment, business, or address within thirty (30) days from the time such changes occur.
Providing timely and accurate updates helps prevent delays or issues that could affect your account or loan processing.
IX. DATA RETENTION
Personal data shall be retained only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. This may include:
• The duration of your account or contractual relationship with ACOM.
• As necessary for legitimate business purposes.
• For the establishment, exercise, or defense of legal claims.
• As required by regulatory agencies, including retention of customer records for at least five (5) years from account closure, final settlement, execution of judgment, rejection of application, or such longer period as required by law, whichever is later.
Recordings and photographs shall be retained only as long as necessary for verification or dispute resolution purposes.
Data may be stored in facilities operated by ACOM or by duly authorized third-party service providers, within or outside the Philippines, subject to applicable legal restrictions.
X. DATA DISPOSAL
Where deletion is requested or required, ACOM shall retain only those records legally mandated under applicable laws, such as the Credit Information System Act, the Anti-Money Laundering Act, and other relevant regulations.
Personal data shall be securely disposed of when:
1. You have terminated your relationship with ACOM and have no outstanding obligations.
2. The data has been retained for five years or such period as may be required by law.
3. You have requested deletion, subject to legal or regulatory requirements for retention.
Requests for deletion must be sent to customer_service@acom.com.ph, accompanied by proof of identity.
XI. SECURITY MEASURES
ACOM adopts appropriate administrative, technical, and physical safeguards to protect personal data, including but not limited to:
• SSL encryption for web and mobile applications.
• Access controls and user authentication mechanisms.
• Regular security audits and vulnerability testing.
• Confidentiality undertakings for personnel.
• Data protection clauses in contracts with third-party service providers.
• An incident response plan to promptly address potential security threats or data breaches.
XII. RIGHTS OF DATA SUBJECTS
As provided under the Data Privacy Act, you have the right to:
1. Be informed of the processing of your personal data.
2. Access and obtain a copy of your personal data.
3. Correct or update inaccurate or incomplete data.
4. Object to or restrict processing, subject to legal exceptions.
5. Withdraw consent, where applicable.
6. Request deletion, subject to legal limitations.
7. Lodge a complaint with the National Privacy Commission.
Requests may be sent to::
Data Protection Officer
Email: dpo@acom.com.ph
Tel: (02) 5304-5200
For general inquiries or complaints, you may also contact customer_service@acom.com.ph.
XIII. THIRD-PARTY WEBSITE POLICY AND LINKS TO OTHER WEBSITES
Our website may contain links to other websites of interest. However, once you leave our website, please note that we do not have control over such external sites. We cannot be responsible for the protection and privacy of any information you provide while visiting those sites. You should always review the privacy statements applicable to those websites.
XIV. DATA BREACH NOTIFICATION
In the event of a personal data breach requiring notification under applicable law, ACOM shall promptly assess, contain, document, and investigate the incident before or in parallel with any required notifications:
1. Notify the National Privacy Commission within seventy-two (72) hours from knowledge of the breach.
2. Communicate the breach to affected data subjects without undue delay through email, SMS, or other available communication channels, including details of the breach, its possible impact, and measures taken to address it.
3. Undertake appropriate remedial actions to mitigate risks and prevent recurrence.
XV. COMPLIANCE WITH SEC AND OTHER REGULATORY REQUIREMENTS
ACOM complies with applicable rules, regulations, circulars, and guidance issued by the Securities and Exchange Commission, National Privacy Commission, Anti-Money Laundering Council, Credit Information Corporation, Bureau of Internal Revenue, and other competent authorities relevant to financing companies and personal data processing.
XVI. THIRD-PARTY SERVICE PROVIDER MANAGEMENT
ACOM conducts due diligence before engaging third-party service providers that process personal data on its behalf. Data protection clauses and contractual safeguards consistent with the Data Privacy Act and NPC guidelines are included in all contracts to ensure confidentiality, security, and lawful processing of personal data.
XVII. AMENDMENTS
ACOM reserves the right to amend, update, or modify this Data Protection and Privacy Policy at any time to reflect changes in applicable laws, regulatory requirements, business operations, technologies, or data processing practices. Material changes shall be published on ACOM’s official website and, where required by applicable laws or where appropriate based on the nature of the changes, may also be communicated to you through other authorized communication channels prior to taking effect.
The revised Policy shall apply from its stated effective date to all personal data under ACOM’s custody. The latest version of this Policy shall remain available on ACOM’s official website, and prior versions may be retained for legal, regulatory, audit, or record-keeping purposes. By continuing to access or use ACOM’s platforms, products, or services after the effective date of such revisions, you acknowledge and accept the updated Policy, without prejudice to any rights granted to you under applicable data privacy laws.